1. 21
  1. 7

    I’ve been doing the bulk of my development work over SSH for … I guess over a decade now with a few breaks, and I gotta say it’s been fantastic (with the caveat that 90% of the time I’m on the same LAN as the machine I’m SSHing into), but the idea that someone could actually think it’s a good idea to run their browser on a remote system is utterly baffling to me. All these downsides listed are searingly obvious and I’ve never even tried it.

    (I’ve been doing this for compliance reasons, not cost reasons; the source code I work on has to be on a machine that has certain corporate remote-wipe capability that requires Mac/Windows, and I can’t stand using those operating systems, but they are perfectly capable of running a VirtualBox that I can connect to from a machine with a better window manager.)

    1. 2

      During the worst bit of the pandemic, it was very hard to get laptops to new starters for remote work and so there was a big push to get people to use a personal device for work. This is a security nightmare, so the solution was to run a Windows VM with remote desktop and assume that the client is not running any malware that’s sufficiently clever that it will spot the RDP client, inspect the screen, and inject key presses and mouse movements without the user noticing.

      I don’t really buy the GPU argument and the reason that I don’t is Xbox Cloud Gaming. I have a cheap Xbox One S at home. Most of the time, I play games running in an Azure datacenter on a rack-mounted variant of the Xbox Series X (I think - I’m not 100% sure what the hardware is). I can play games that my local GPU is not powerful enough to run. It needs about a 20 Mb/s downstream connection, which is pretty slow by modern standards, and that’s sufficient to play games like Halo Infinite and Serious Sam 4 without noticing any lag. If I can play FPS games via remote desktop, I don’t know what desktop applications would be a problem.

      From trying our (Microsoft’s) cloud desktop product on a colleague’s personal MacBook, the one thing that I have seen is that there’s a bit more lag when he joins a Teams meeting using it, because there’s an extra hop via the data center for his camera output. I think that’s unavoidable unless the Teams server happens to be in the same datacenter as the virtual desktop.

      The accessibility things are a problem only if you want to run those tools locally and not on the remote system. Again, for the Azure offering all of the normal Windows accessibility features work.

      The WebAuthn thing is interesting. I thought that the Azure virtual desktop used a vTPM on the cloud machine for this, but I could be wrong. Given that part of the threat model here is to not trust the client device, I’m not sure that the forwarding of USB is a good idea.

      1. 1

        I think it’s hit or miss and while I can totally accept your point as valid, I think this would’ve worked only in about 4/10 jobs I’ve had in the past. Which in turn means in several other jobs, accessing internal resources via, for example, a web browser was equally important.

        I don’t know, I’m surely not a huge proponent of this cloud desktop stuff, or your solution; it’s always a bit of a tradeoff between corp security, some regulation, and security theater on the one hand and usability for the actual user on the other hand.

        The point that resonated most with me was the “I click on a link and then it opens on the wrong machine”, which is why I’m mostly enjoying my Linux machine with a corp VPN connection.