This week’s post is going to be on another cool Desktop Virtualization vendor, MokaFive. I got around to spending some time with the MokaFive team: Purnima Padmanabhan (VP Marketing), Burt Toma (Director Marketing) and John Whaley (Co-Founder and CTO), who were nice enough to spend an afternoon walking me through the product and giving me an insight into the technology.
At a high level, MokaFive is an innovative Desktop Virtualization company that is evangelizing and enabling Virtualized Desktop solutions for the client side rather than on the server (unlike VDI). The product does a nice job of adding some key features that enable a type II hypervisor to be used as a fully managed virtualized desktop within the enterprise. Key differentiators from VDI are the ability to run offline (untethered), the ability to exploit the end-point’s resources, and a portable desktop that can be brought along and even run off a portable storage device such as a USB stick.
Other products in this space are vThere (Sentillion) and RingCube, which I had reviewed earlier. You can read the review here.
I also wrote some posts earlier about some of the use cases where client side Desktop Virtualization technologies make a lot of sense. Some key uses are: Bring Your Own Computer (BYOC), Mobile users, reducing support costs, Windows 7 migrations and supporting outsourcing or contract workers.
Feature drill down:
AD Integration: Unlike some other products that require a first-time initialization to join the AD Domain (e.g. vThere from Sentillion), MokaFive allows the administrator to configure it such that the VM is pre-joined to the domain. This should make the first-time initialization much easier.
VPN support: MokaFive can integrate with the corporate VPN, and since the product replaces the GINA, it can invoke the corporate VPN for a seamless logon process from outside the corporate firewall.
Provisioning of VMs: The product comes with a server-side management console called the Creator. The management console can create new images for deployment and target images to users or groups.
Image Updates: An impressive feature of the product is the ability to update the base image in the Creator console and push the update to the end-user seamlessly. The client technology checks periodically for updates to the base image and downloads the delta if a new version is detected. The next boot of the image automatically uses the updated image.
Separation of Base Image, Applications and User Data: The product stores Base Image, Applications and User Data in separate layers but creates a consolidated view of all 3 on the fly. This allows for the base image to be updated while still preserving the user data and Applications. This is a great feature because one of the biggest issues that IT shops struggle with is image proliferation as new images need to be created for each variation of the base image.
Rejuvenation: Since Applications and User Data are separated from the base OS as mentioned, it is possible to reset the VM to the state of the base image without losing the user data. This is a great feature for reducing support costs.
ACL and policy control of the images: MokaFive allows the Administrator to set a multitude of fine-grained policies that control the behavior of the virtualized desktop. Examples of policies that can be set are: USB enablement, print enablement, offline use, portable use, remote disabling, etc. These are really important for the corporate Admin, especially to define what a contractor workforce can do with the VM.
Storage Innovations: I wanted to talk about some innovations at the storage layer that give the product some great advantages over using vanilla vmdks. The product implements a file system based on ZFS that gives it the following advantages:
- Compression: The product compresses the images that are distributed. This can lead to a 2~3x saving over a vanilla image. In addition to compression, De-Duping also happens on the image leading to a further reduction of size.
- Performance: USB drives are optimized for storage rather than to be used as a random access disk for the purposes of running a VM. The company has had to make some optimizations at the file-system level to significantly enhance the performance when running off a USB drive.
Security Features: I had pointed out earlier that any technology that is based on a type II hypervisor can perhaps be compromised from the host. However, for many use cases and scenarios, this level of security should be perfectly adequate. Here are some of MokaFive’s security features:
- Encryption: The Admin can specify if the image and all its content should be encrypted. This is particularly useful if the laptop containing the image is misplaced or the USB stick from which the product is being run is misplaced.
- SSL: The product can be configured to communicate with the server over SSL including for authentication so no credentials are sent over the wire in clear-text.
- Signed images and installers: To prevent tampering with the product’s images, the image is signed. This way, any tampering with the security policy of the image would render the VM not bootable. Similarly, the product’s installers are signed as well.
- Host Check: MokaFive host-check can be easily enhanced to check for the presence of an AV and also execute customer-specific custom code. Currently, it checks for the capability of the host system to run the guest VM with respect to resources but not for AVs and other security requirements out of the box. I think this is a security feature that should have been out-of-the-box in a product of this type but is not there (yet — it’s on their roadmap). This basically refers to the capability where an Admin can specify the security profile of a host on which the MokaFive VM should be able to run. For example, does the host have an approved AV which was run in the last x days?
- Encrypted I/O: The product is capable of managing the VM from outside the image. As a result all I/O between the image and the system is encrypted. This also makes the product less vulnerable to attacks from within the image.
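
The host security profile described under Host Check above, sketched as an added example (this is not MokaFive code): the policy keys, host-fact fields and AV product names are hypothetical, and the sample hosts are constructed. The check fails closed, so a missing or unparsable fact blocks the VM rather than allowing it.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical admin-defined host profile; these keys are not MokaFive's.
POLICY = {"min_free_ram_mb": 2048,
          "approved_av": {"ExampleAV", "SampleShield"},
          "max_scan_age_days": 7}

def check_host(facts, policy, now):
    """Return (allowed, reasons). Missing or malformed facts fail closed."""
    reasons = []
    # Resource check: the part the post says exists out of the box.
    ram = facts.get("free_ram_mb")
    if not isinstance(ram, int) or ram < policy["min_free_ram_mb"]:
        reasons.append("insufficient or unknown free RAM")
    # Security profile: an approved AV must be present and active.
    av = facts.get("av")
    if not isinstance(av, dict):
        av = {}
    if av.get("product") not in policy["approved_av"]:
        reasons.append("no approved AV product")
    elif not av.get("realtime_enabled", False):
        reasons.append("AV real-time protection disabled")
    # "Run in the last x days": stale or future-dated scans are rejected.
    try:
        age = now - datetime.fromisoformat(av["last_full_scan"])
        if age < timedelta(0) or age > timedelta(days=policy["max_scan_age_days"]):
            reasons.append("AV scan stale or timestamp invalid")
    except (KeyError, TypeError, ValueError):
        reasons.append("AV scan time missing")
    return (not reasons, reasons)

# Constructed sample data: a fixed "now" and three host reports.
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)

def _host(scan):
    return {"free_ram_mb": 4096,
            "av": {"product": "ExampleAV", "realtime_enabled": True,
                   "last_full_scan": scan}}

HOSTS = {
    "compliant": _host("2024-01-12T03:00:00+00:00"),
    "stale_scan": _host("2023-12-20T03:00:00+00:00"),
    "no_av": {"free_ram_mb": 4096},
}

if __name__ == "__main__":
    for name, facts in HOSTS.items():
        print(name, check_host(facts, POLICY, NOW))
```

Because the facts are reported by the host itself, a check like this is only as trustworthy as the host, which is the type II hypervisor caveat noted above.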

