Sign in Subscribe
Infrastructure

Enterprise Browser, VDI or Both

When is VDI too much? What if users just need browser access to applications? Should you have only one solution or should you have two? Michelin is dealing with that right now.

Scott Hughes

6 min read
Enterprise Browser, VDI or Both

Like many companies Michelin has a virtual desktop (VDI) product that is used by both Michelin and non-Michelin users. It has proven valuable for external users as a way to access our internal applications from their Bring Your Own (BYO) type device as well as for subsidiaries on their devices. What if all that is really needed is just browser access to the application(s) and not an entire desktop? What if there was a solution where these external users could download a configured, managed browser and then access only the Michelin applications that they needed from a browser. From any device, anywhere, anytime, all while ensuring data safety?

Background

We successfully deployed a VDI product some time ago in the cloud. As I previously mentioned it is used by both Michelin and non-Michelin users. It's a good solution but, it comes at a cost, like everything. The question I began asking myself is, 'Is this the right solution for all our use cases at the right cost or are there now other solutions that we should look at that could complement our VDI solution?'. By asking myself this question I began looking and discovered an option that is being called Enterprise Browser. This is not the Edge or Firefox browsers that you might be thinking of but rather a cloud-based solution of a managed Chromium instance. Some examples are Island and Prisma Access Browser, and there are others.

I did some research and reached out to some vendors to better understand the offerings. Once I had what I felt was a good enough understanding I began to see some opportunities where this Enterprise Browser solution could be a good fit in Michelin. In fact, it could challenge some of our known VDI use cases (specifically Published Applications) and possibly bring a competitive cost savings based on usage. A big potential gain is the promise of 'last mile controls' on an unmanged device! The real unknown and potential gain would be on the end user experience. Would this provide a better experience for the end users while providing last mile controls that we don't have today on unmanaged devices?

Today we deploy VDI for users who need a complete desktop experience. We also deploy a published browser for those users who don't require an entire desktop and only require browser access to a host. The initial use case I could envision Enterprise Browser targeting is those who only need a browser. This would become my focus.

Components

Looking at a couple different vendors, the components are generally the same. You have a management plane hosted in a cloud environment and then you have a managed chromium based instance that is downloaded from the management plane to the end user's unmanged endpoint. You will also need a connection to an Identity Provider of some sort for user management.

Use Cases, Devices and Controls

In order to have a valid Proof of Concept I needed to have some valid use cases that I wanted to test with. I had to be careful here as it's easy to overextend and try all use cases possible instead of focusing some specific use cases. Since my initial target was on unmanged (BYO) type devices I needed to ensure that the use cases and devices represented that. That being said, the specific use cases I tested were:

  • External User with unmanaged device accessing O365 and other SaaS environments
  • External User with unmanged device accessing internal WEB host and SaaS environments

Devices that were used for testing:

  • iPad (18.3)
  • MacBook (15.3)
  • Windows PC (with WIN 11 Home)
  • iPhone 16 Pro (18.3)

Some critical controls that needed to be tested:

  • Control of Copy & Paste (Only let data be copied in to, or out of specific applications)
  • Session timeout (Ensuring that the browser session times out after a period of inactivity)
  • Flushing of browser data after a specified period of time
  • Ensuring no data leakage in or out of browser
  • Ensuring that users can only 'see' what is needed for their job
  • Lightweight and easy to install
  • Installs and runs locally

Most importantly, this solution had to provide a good user experience that was equal to or better than what we are providing with our VDI platform while ensuring data integrity and security.

Testing

In testing I was able to test (read play ;-) ) with two different Enterprise Browser solutions. I will refer to them as SolutionA and SolutionB below.

For testing, the first thing I did was baseline the time that it took to login and get a 'vanilla' Edge instance. In general...

  • Login: Logging in to the Enterprise Browser was 50% faster than VDI
  • Loading a 'vanilla' Edge: Enterprise Browser was 84% faster

From a user perspective, the Enterprise Browser allows the user to be up and working more quickly than VDI. That makes sense as it's running on the local endpoint. Once each platform had a browser window open application access times were fairly equal.

Results of testing some of the controls that needed to be tested:

  • Control of Copy & Paste
    Through the management platform I was easily able to control Copy & Paste. I was also able to control differently depending on the web site being accessed. When this feature was blocked the user received what I feel is a clear message of why.

    PASS

  • Session timeout
    The ability to manage session timeout was important as this ensures that the user can't just leave the enterprise browser open and logged in indefinitely. This was proven to work quite well on the desktop (mobile app isn't quite there yet but I'm told it's coming). The user also gets a notification that their session will be timing out soon and has an opportunity to reauthenticate.

    PARTIAL PASS (Due to lack of maturity on mobile app on some platforms)

  • Flushing of browser data after a specified period of time
    This was a critical control related to data managment for me. This was achieved by setting a time period where all data was deleted (History, cookies, browser cache, etc.)

    PARTIAL PASS (Due to lack of maturity on mobile app on some platforms)

  • Ensuring no data leakage in or out of browser
    This was only validated in a limited manner via Copy & Paste and Download controls. To get a valid Yes or No answer I need to have our security team engaged and let them evaluate and test.

    PARTIAL PASS (What I could see was valid but I really need our Security team to give a thorough testing before this gets a 'Pass')

  • Ensuring that users can only 'see' what is needed for their job
    This was quite simple to achieve by putting 'tiles' on the browser home page of the user. The tiles showed them what they could access. Trying anything else would get a 'Page Blocked by Corporate Policy' type of message.

    PASS

  • Lightweight and easy to install
    The Enterprise Browser needs to be lightweight and easy to install. It should not be complicated with many screens for the user to navigate through.

    PASS


  • Installs and runs locally
    The application has to install and run locally. This is one of the key peices in my mind for Enterprise Browser is that it is a locally run instance which will enhance the user experience.

    PASS

Conclusion

This testing supports what I suspected, and that is, the Enterprise Browser has a place in the Michelin ecosystem complimenting VDI. It is not to replace our VDI platform but rather compliment specific use cases that don't require a full, managed virtual desktop and possibly reduce some operating costs.

Enterprise Browser has a sweet spot for usage, and that is for users who only access web hosts and only need a managed browser. It also adds value by enabling the usage of unmanaged devices with it's ability to perform some last mile controls to control the data. Some platforms have some maturing to do on the mobile side but on for the desktop it seems more than adequate. Can it do more? For sure it appears that it can but that was outside the scope of what I initially wanted to test against.

Each product has its strengths and weakness and that became apparent during my simple testing. It is important to know this up front if you go down this path. Most work as expected on a desktop/laptop but they can differ when deployed on a mobile device (phone or tablet) and that could cause you headaches from a support perspective. You will have to know your use cases and device types to be sure you land on the product that meets all your needs up front.

Now that I have done this small set of tests, drawn my conclusions and convinced management that Enterprise Browser has a place in the Michelin ecosystem what's next? We need to deploy an instance in Production and more thoroughly test the security features, which we are starting now. Again, just to reiterate, it is not to replace our VDI platform but rather compliment specific use cases that don't require a full, managed virtual desktop and gives a better user experience than a published browser application.