Zephyr Cloud is a Virginia-based MSP that offers fully managed IT support for private and hosted cloud and virtual desktop networking services using Entra ID (formerly Azure AD).
The Challenge
Implement MFA for all users of a multi-session Windows VDI to meet security and compliance requirements without adding complexity or cost
It all started when a Zephyr Cloud client moved the CAD/CAM engineering applications used by its 40-person team from on-premises workstations to a multi-session (shared) Windows virtual desktop infrastructure (VDI). The goal was to improve team collaboration while avoiding the device management and security issues that arise when applications and sensitive data run on individual laptops and workstations.
Given the security risk of multiple employees accessing a shared VDI, the client and Zephyr both agreed they needed to adopt MFA in addition to Windows credentials. This was essential to ensure that only authorized personnel could access sensitive documents.
It was also important that the VDI networks met annual compliance and reporting standards necessary to fulfill U.S. government contracts. While the client’s domain identity provider is Entra ID, they use AD DS to authenticate to legacy systems as well as VDI.
For Zephyr Cloud, the project was an example of how small networks running specialized applications increasingly demand the extra security of MFA. As an MSP, Zephyr Cloud needed to meet this requirement without creating complexity for itself or expense for its client.
The main reason clients opt for VDI is the need to run legacy applications. Engineering applications such as AutoCAD, MATLAB, and Design Studio must be installed on a PC. The obvious solution for the client was to run them on a VDI and make them available to multiple users.
Zephyr Cloud Managing Partner, Salim Khouri.
The client was already using MFA for email, SharePoint, and Teams. However, extending that to VDI turned out to be more complex than Zephyr Cloud had anticipated.
We looked at many different solutions, but they didn’t offer the right functionality. For example, Azure AD offered MFA, but it was designed to work with web services rather than a more traditional VDI implementation.
Zephyr Cloud Managing Partner, Salim Khouri.
The Solution
UserLock simplifies MFA implementation for an on-premise VDI network
Because of the client’s need to keep and authenticate access to legacy applications that don’t run in the cloud, it made sense to continue using AD DS running in Entra ID for authentication.
The client also wanted a solution that would implement MFA consistently, regardless of how users logged into the VDI (via desktop or browser) or from devices such as smartphones.
But when Zephyr Cloud assessed how MFA could be implemented to meet these requirements, every solution added a lot of complexity in terms of hardware and software, not to mention cost.
Azure AD was the obvious option, but using it for MFA on Microsoft Remote Desktop Services (RDS) would have required changes to the underlying VDI implementation.
UserLock, by contrast, was incredibly simple to configure and used existing Active Directory infrastructure without the need for additional plug-ins or services to get VDI working.
The alternatives to UserLock we looked at were more complex solutions requiring extra hardware and extra software elements such as SAML. This added up to more pieces that could break in a network where the client demanded uptime and reliability.
UserLock is so simple. Running everything on one AD DS server also makes it easier to back up, restore, and replicate.
Zephyr Cloud Managing Partner, Salim Khouri.
The Benefits
UserLock allows Zephyr Cloud’s client to implement MFA on its VDI network without unnecessary complexity or expense
Zephyr Cloud’s client migrated to a multi-session VDI secured with MFA using the same Microsoft Authenticator app employees were already using for email and Microsoft 365 access. UserLock makes this possible without the need for additional servers or software.
On average we have around 30 active users logged in at a time on a Remote Desktop session-based VDI, each with their own files, profiles, and applications. Importantly, with UserLock MFA each user is separate and gets their own authentication prompt.
Zephyr Cloud Managing Partner, Salim Khouri.
A big advantage of UserLock is that it keeps the user experience simple. Users receive an MFA prompt immediately after the usual Windows desktop login dialog, whether they reach the VDI through a browser or a remote desktop client, so the same flow applies to every access method.
With UserLock, MFA is implemented at the login screen as you log into the desktop. The beauty of UserLock is it works every way. They can use any client or their browser.
If another client wants to use MFA for VDI, we wouldn’t do it any other way.
Zephyr Cloud Managing Partner, Salim Khouri.