As discussion surrounding the multi-browser enterprise heats up, our development efforts on Browsium Catalyst continue at full speed. Since the Catalyst Beta 1 release in October, we’ve had great feedback from customers around the world. They’ve told us that the ability to control which browser opens each website on every PC in the organization is critical to their IT operations. Some are moved by Catalyst’s ability to mitigate zero-day exploits. Others love zone management of Chrome and Firefox. And everyone agrees the multi-browser enterprise is here to stay.
Today we’re excited to deliver Browsium Catalyst Beta 2, the next critical milestone on our path to enabling IT to control their multi-browser enterprise.
There are a number of significant improvements in Browsium Catalyst Beta 2, including:
We truly value product feedback and feature requests and we encourage everyone to try this latest software release. There are two ways to get Catalyst Beta 2:
If you’ve been testing Catalyst Beta 1, you’re on our list and should have received an email from Browsium Sales today with a custom Beta 2 download link. Contact us if you can’t find it.
If you’re new to Catalyst, simply fill out our Catalyst Beta request form, verify your email address, and you’ll be directed to the Catalyst Beta 2 download page.
Let us know what you think after you’ve installed Catalyst Beta 2. We’re working quickly to finalize Catalyst for its production release in early 2013. Thanks for checking out the final beta!
For many years, the enterprise browser standard has been Internet Explorer. In fact, despite the increasing popularity of browsers like Firefox and Chrome in recent years, you’d be hard pressed to find a CIO today who claims any browser other than Internet Explorer is the organization’s default and preferred browser.
This homogeneity began around the time Internet Explorer usage peaked in 2004, with roughly 95% share on consumer and business PCs. As enterprises built and deployed their first web applications, they based them on (or more accurately “tied them to”) the popular browser of the day – Internet Explorer. It didn’t hurt that Internet Explorer was highly manageable via Group Policy, or that it contained a very powerful application development platform that allowed native Windows code to run inside the browser (aka, ActiveX). The net effect was that enterprise IT had the browser it needed to run the business, so there was no reason to look at any other options.
How times have changed. Since then, Internet Explorer’s overall usage share has dropped by nearly 50 basis points, while Chrome and Firefox have risen to become mainstream browsers on consumer PCs. By some measures, combined usage of Chrome and Firefox even dwarfs Internet Explorer. In the enterprise, Internet Explorer is still the most-likely standard, but alternative browsers are increasing in usage, with a clear trend under way – the enterprise (like the consumer market) is becoming a multi-browser environment.
In this post, we’ll look at why this change is happening. What scenarios drive a second browser into the typical Internet Explorer-dominated enterprise and who is driving this change?
Turns out there are three key scenarios that create the multi-browser enterprise, and end-users and IT are equally responsible for the change. So let’s take a look at the scenarios:
Scenario 1: Legacy browser still used for legacy apps. In this scenario, legacy applications dependent on legacy browsers (typically IE6 or IE7) are still in use and IT has not yet implemented a remediation plan. These legacy apps might be upgraded, they might be retired or replaced, or they might be remediated to run on IE8 or IE9 using Browsium Ion. But the fact remains, IE6 or IE7 are still being used on the organization’s PCs and that’s a problem. Not only are those old versions lacking modern browser security features, but they’re also largely incompatible with modern business applications and the web. Have you tried running SharePoint in IE6 or visiting YouTube with IE7? They not only look horrible, they’re non-functional.
So what does IT do? IT takes control and begrudgingly installs an unmanaged, alternative browser (usually Chrome or Firefox) to handle everything but the legacy IE6 and IE7-dependent applications. And then end users are expected to make the right browser choice, depending on the application or website they’re using. That’s a problem. At best, the wrong choice means a work stoppage or a helpdesk call. At worst, the wrong choice means a security catastrophe and organization-wide downtime.
Scenario 2: Legacy apps remediated via virtualization. In this scenario, IT has implemented a remediation strategy for those legacy IE6 and IE7-dependent web applications – via virtualization. Whether IT has chosen to use Terminal Servers, VDI, client-side OS virtualization, or even the Microsoft-frowned-upon application virtualization, the end result is the same. End users are faced with a confusing choice of multiple browsers, where the wrong choice may have dire consequences.
Scenario 3: End users install their alternative browser of choice. In this scenario, IT may have declared Internet Explorer as the organization standard, and may even have locked down the desktops in an attempt to prevent new browsers from being installed. But IT policies are no match for the computer scientists at Google and Mozilla who have figured out how to install their respective browsers directly into the user’s profile (not in C:\Program Files and the HKEY_LOCAL_MACHINE registry hive).
So whether IT says okay to BYOB (Bring Your Own Browser), looks the other way when it happens, or is helpless to defend against it, Chrome and Firefox are showing up on enterprise PCs in increasing numbers. And once again, IT must bear the brunt of the confusion and incompatibility this will cause.
Once you come to grips with the fact that the multi-browser enterprise is inevitable, you turn your attention to strategies to tame it. Leaving end users responsible for using the most compatible or secure browser is asking for trouble. No amount of training will ensure they make the right choice. After all, they’ve been trained their whole IT lives that browsers “just work” with the web, and each user’s choice is simply a matter of personal taste.
That’s why we’ve built Browsium Catalyst. Catalyst puts IT in control of the chaos, ensuring that the right browser opens the right website on every PC in the organization. Need Internet Explorer for a line-of-business application that uses ActiveX? Done. Want your end users to browse the web with the latest version of Firefox? Done. Need Chrome to handle that nifty new HTML-5 application or for Google Apps? Done. And all of this “just works” automatically, as users have come to expect.
Catalyst provides centralized management, with distribution of Catalyst configurations via Group Policy (or flat files for those who have eschewed Active Directory). And Catalyst provides many additional layers of security protection, from simple mitigation of zero-day exploits, to the ability to add zones to Chrome and Firefox.
We invite you to try out Catalyst Beta today. We’re gearing up to release early in 2013 and value your feedback. The days of the homogeneous, Internet Explorer-dominated enterprise are over. It’s a multi-browser world now. With a better understanding of how we got here, you can turn your attention to managing it. We’re here to help.
The other day we got a recall notice in the mail for our car. We’re a one car family – trying to be eco-friendly – so taking in our car for service isn’t something we want to rush to do. But this notice was about a potentially (fairly) serious issue and the notice said we shouldn’t drive the car until it was fixed. While my wife and I were debating how to deal with this, it dawned on me how this issue is strikingly similar to dealing with browser security around zero-day exploits.
Many years ago when I managed IT organizations, we would get vendor notices concerning zero-day browser exploits and I’d convene our security, desktop, helpdesk, networking and administration teams to discuss how we should handle it. Invariably, the vendor suggestion was to stop using the product until the fix was available. That’s easy enough for them to say, but what about our business? Working with our finance team, we calculated that one minute of end user desktop downtime cost us nearly $1M in lost revenue processing. Intentionally taking any kind of productivity loss was unthinkable, but continuing to run this exposed software was risky. The web browser was mission critical to our business, so turning it off for all 500 employees was not a viable option and there was no reasonable alternative mitigation.
In the end we would make a decision based on risk tolerance, and that decision was always to keep the browser running and watch for security issues. Browsium Catalyst gives you a better option – limit use of the vulnerable browser AND keep the business running with an alternative browser. It does this by giving IT central control over multi-browser PCs. Before Catalyst, there was no good way to manage user behavior with multiple browsers on the desktop. Users could choose which browser to use, often making the wrong choice – breaking compatibility or putting network security at risk.
We’ve already blogged about a variety of Catalyst features (with more to come), including last week’s post about Zone Management in Chrome and Firefox. Today the topic is managing security incidents, and Catalyst has several options that you can invoke to better deal with a zero-day browser crisis. You can use Catalyst to restrict which browser is allowed to access content for a given URL, website, keyword, or Security Zone. That means you can have Catalyst ensure a vulnerable browser isn’t exposed to external threats – for example you can restrict IE6 or IE7 (yes, we know you’re still running them…talk to us about Browsium Ion) to only the Intranet Zone and use Chrome or Firefox to access the Internet.
Another cool feature in Catalyst is the ability to ‘Close Tab’ when Rule conditions are met. Even if you want to remain a single browser shop, you can use Catalyst to mitigate the issue in the case of a zero-day. Simply set up a Rule to trigger on conditions you’re concerned about (like accessing the Internet) and users can’t browse anywhere during the crisis. Another option would be to use the ‘Redirect’ feature to stop the navigation and display a page explaining why users can’t see the content they are trying to access. Stop the users in their tracks and prevent any exposure before some rogue website has a chance to attack.
If you haven’t downloaded Catalyst yet, I invite you to test it out. Try the security approaches I covered here and give us feedback. Are there other scenarios we should add? Your input helps us deliver better products so this is your chance to get involved.
Back to my car issue, if you were wondering, my wife and I took the other approach with the car and had it towed in for service. We were limited to using only the Metro for a few days, but now every time we load the kids in the car, we’re very glad we made that call.
Founder & CEO
During our years working with Microsoft, we were always struck by the value of Zone behaviors available in Internet Explorer. The idea just makes sense – not all content is the same, so why treat it the same way? The ability to define a set of application configuration parameters to suit specific scenarios is both logical for application compatibility (you can avoid conflicting settings) as well as security (don’t expose more surface area than needed).
Neither Firefox nor Chrome has offered this feature. They have always supported one configuration and that’s it. They can’t differentiate content location for websites, meaning they can’t use different profiles in various scenarios. We’ve been baffled by the lack of support for Zones in Firefox and Chrome and we’re not alone in wanting to see this capability added. Rather than wait around for someone at those companies to build support for Zones, we went ahead and did it for them. Instead of bolting Zone support onto Chrome and Firefox specifically, we designed Catalyst with a more flexible model where Zone behavior can be extended to nearly any type of application, let alone various browsers.
As Gabe Knuth pointed out in his article, Catalyst enables you to control a multiple browser scenario such that Internet Explorer is used for the Intranet Zone and use Chrome for accessing the Internet. When we designed Catalyst this was a core scenario, especially for organizations still on Windows XP, where they are limited to legacy versions of Internet Explorer.
In the case of IE6, it’s all about security – no one should browse the web with IE6. Ever. In the case where organizations have upgraded and are running IE8, it’s less about security and more about compatibility. However, security remains a factor given that IE8 is several years old and lacks the critical improvements in the SmartScreen Filter and the anti-malware features found in modern versions of Internet Explorer. But compatibility is a real concern given Google’s recently announced plan to drop support for IE8. This is just the beginning of the end for IE8. Once a major site drops support for a particular browser, others quickly follow to help control web development costs.
Given these issues, organizations need the ability to control browser behaviors at the Zone level. Catalyst Zone support is based on Windows Security Zone determination, so organizations that have already invested in using those controls can easily leverage what they have in place today. Simply create a Catalyst Rule to match that Zone determination and load the browser of your choice.
We’ll have more blog posts coming about Catalyst, including one on how to not only load the browser of your choice for a given Security Zone, but how to use Catalyst to load a specific configuration (or browser profile) to give even more granular control over the browser configuration being used to load specific content.
If you haven’t already tried Catalyst Beta, you can get it today by filling out our web form and verifying your email address. Then send us your feedback. We’d love to hear from you.
REDMOND, WA — October 24, 2012 — Browsium Inc.’s latest enterprise browser management solution, Browsium Catalyst, is available for beta download today. The multi-browser management utility will reduce helpdesk calls and improve IT security by putting enterprise IT in control. With Catalyst, IT can specify the most compatible and secure browser for each website on every PC in the organization, regardless of default settings and user behavior.
As browser choice has broadened for the enterprise and end-users, many IT organizations are faced with multi-browser environments. Whether IT installs a second browser, or end users install and use the alternative browsers of their choice, this multi-browser trend is becoming increasingly common.
While multi-browser environments are often needed to address compatibility and security problems, they come with several management challenges. When end users switch between legacy and modern business applications or access consumer sites on the Internet, multiple browsers pose compatibility risks. In addition, using old versions of Internet Explorer on the Internet can compromise network security. These problems are solved with Catalyst.
Catalyst puts IT in control by letting them configure which browser opens each website on every PC in their organization. The Catalyst Configuration Manager makes it easy for IT to build Browser Rules and deploy them throughout the enterprise. For end users, the process of using the most compatible browser is transparent. The right browser opens automatically, reducing helpdesk calls and lost productivity from browser incompatibility and security issues.
“The days of a single browser dominating the enterprise are over,” said Matt Heller, Browsium Founder and CEO. “IT now must maximize compatibility and security in a multi-browser enterprise and Browsium Catalyst delivers the tools they need to manage and secure the changing browser landscape.”
The Browsium Catalyst Beta is now available to the public. A free download can be found at www.browsium.com. Pricing for Catalyst will be announced when Catalyst v1 is released, which is expected in the first quarter of 2013.
Founded in 2010 by a team of browser experts from Microsoft, Browsium creates enterprise-ready software solutions that enable organizations to cost-effectively deploy, manage, and operate web browsers on a global scale. Browsium’s flagship product, Ion, revolutionized browser compatibility by allowing legacy IE6- and IE7-dependent web applications to run natively on Windows 7 without modifying a single line of server code.
Our mission at Browsium has always been to provide enterprise IT with the tools needed to deploy, manage, and operate browsers on a global scale. Browsium Ion has been our flagship product for remediating Internet Explorer-dependent web applications. Now we’re extending our product line with a brand new tool to help you manage multi-browser environments.
Today we announced Browsium Catalyst Beta, a multi-browser management utility, which is now available for download. Catalyst makes deploying multiple browsers in the enterprise a manageable reality. It will reduce helpdesk calls and improve IT security by putting you in control of all browsers in your enterprise. With Catalyst, you can specify the most compatible and secure browser for each website on every PC in the organization, regardless of default settings and user behavior.
We all have watched as browser choice has broadened for the enterprise and end-users. Today, many IT organizations are faced with multi-browser environments. Whether IT installs a second browser, or end users install and use the alternative browsers of their choice, this multi-browser trend is becoming increasingly common.
These multi-browser environments come with their own set of management challenges and there is often a need to address compatibility and security issues. When end users switch between legacy and modern business applications or access consumer sites on the Internet, multiple browsers pose compatibility risks. Also, using old versions of Internet Explorer on the Internet can compromise network security. These problems are solved with Catalyst.
Catalyst puts IT in control by letting you configure which browser opens each website on every PC in your organization. The Catalyst Configuration Manager makes it easy to build Browser Rules and deploy them throughout your enterprise. For end users, the process of using the most compatible browser is transparent. The right browser opens automatically, reducing helpdesk calls and lost productivity from browser incompatibility.
You can read more about Catalyst here on the Browsium site. We have a new Catalyst overview, frequently asked questions, and a comparison of Ion and Catalyst so you’ll understand when to use either tool – or both, depending on your specific needs. But you don’t need to spend all day reading about Catalyst. You can try it today by downloading the beta.
As usual, we need you to provide some basic information and a valid email to download our software. If you’ve already registered with us in the past, you don’t need to fill out the online form again. Check your email for a custom link for easy access to your copy of Browsium Catalyst Beta. Then send your feedback and feature requests. We’re going to work quickly to finalize Catalyst v1 so you can use “the right browser on every site” on every PC in your organization.
[Updated 18 December 2012: Browsium Catalyst Beta 2 is now available.]
The Browsium Catalyst Beta release notes provide specific details on what’s new and known issues for this version.
ActiveX controls pose a dilemma for IT administrators. While they provide robust capabilities for line-of-business web applications, their mere existence increases the security footprint of applications and can leave systems extremely vulnerable to attack. The latest example of this is Oracle’s Java 7 (1.7.x) series of plugins. A 0-day flaw in this class of plugins has opened up machines to potential exploit (and, in this case, it affects other browsers in addition to Internet Explorer).
The solution to this problem is simple: don’t install binary browser plugins (a la ActiveX controls) onto client machines. No ActiveX controls means no increased footprint, leaving the browser and its built-in functionality as the mainline vector into the machine (aside from other applications). Unfortunately, that doesn’t really work for companies dependent on controls for their day-to-day workflows.
Prior posts have addressed using Browsium Ion to override individual files and registry entries within a single browser session. Custom registry and file system entries can be added to an Ion Profile. Those entries override “real” entries in the Windows registry and file system so these custom registry and file entries are accessed by a web page or control running within an Ion Profile during runtime rather than using the default system values.
Custom registry and file system entries can be used to create zero- and limited-footprint installs of controls. This means that you can install an ActiveX control on a system without actually installing it. You can “install” a control by adding its registry settings and files in a Profile. This Profile will effectively emulate the control installation by overriding file and registry accesses to such a control when the Profile’s process is loaded. When a webpage matching an Ion Rule opens a Profile with the required control “installed,” the control will run as if it was truly present on the system. When a webpage loads that does not match a Rule, the webpage will never be able to load the requested control because it is not actually present on the system.
Zero-footprint installs (ZFIs) allow users to access applications (or, in this case, ActiveX controls) without that application or control being installed on a system. Virtualization solutions typically allow for the packaging of large applications into a file that is passed onto a client and run in a specific context. Ion not only allows for ZFIs but offers an innovative, granular approach to them, allowing you to target ZFIs to specific tabs and webpages using Ion’s Rule-based approach.
To use ZFIs, administrators can gather the files and registry settings needed for a control to run, place them in a location that is accessible over a network (or push them down to a local machine), add them to an Ion Profile, and push that Profile to clients.
An administrator can define an Ion Profile such that the Profile contains all the files and registry settings of a specific ActiveX control. For instance, you can enumerate all the files and registry settings required by Java 1.4.2 update 19, add them into the Custom Files and Custom Registry portions of a Profile, save that Profile, and create a Rule to that Profile for only that specific instance. When that Profile is saved to a system, the Profile’s process starts and loads all the necessary Java 1.4.2 update 19 files into memory. Any webpage loaded using that Profile will be able to use that version of Java because, from the point-of-view of that page, Java is installed on the system. You can find a video example of running multiple versions of Java side-by-side in one IE window on our demos & resources page.
In the case of both Browsium Ion and virtualization solutions, the contents of the package (the payload, consisting of files and registry entries) are pushed to machines. In both cases they are not “installed,” meaning the applications and controls are not registered with the operating system nor are they placed in “well-known” locations. This restriction means, for instance, that an ActiveX control is “unknown” to a malicious script on a page because that control cannot be instantiated through its GUID or ProgID.
The ZFI approach in Browsium Ion differs from ZFI in virtualization products in that usage of a ZFI can be controlled on a granular level. In virtualization products, ZFI affects the whole process being virtualized; this means that if you enable a specific Java version for a virtualized instance of Internet Explorer, it affects all the web applications and tabs loaded in that instance. With Browsium Ion, you can create rule sets to restrict where a ZFI will be loaded down to an individual web application or set of applications. Such a restriction prevents less-secure controls from bleeding over into applications that weren’t intended to use such controls.
Limited-footprint installs (LFIs) are similar to ZFIs in that both store applications and controls for a limited time in memory. LFIs differ in that they only perform this action for important, “well-known” parts of a payload.
Applications and controls can be broken up into two distinct parts: well-known application files and data, and supporting application files and data. Well-known files and data are the core portions of an application or control: DLLs or EXEs residing in well-known file locations (e.g., those locations present in the environment PATH variables, startup locations, etc.) and well-known registry locations (e.g., COM registration points in the Classes key of HKEY_LOCAL_MACHINE and HKEY_CURRENT_USER, path points in Windows startup locations, MIME type references, etc.). Supporting application files and data are “everything else,” resources that the core functionality of an application or control need to run that cannot be instantiated on their own.
Limited-footprint installs can be achieved in Browsium Ion in the same way that zero-footprint installs can—through the Custom Files and Custom Registry interfaces in the Browsium Ion Manager. An administrator can gather the necessary files and registry settings, add them to a Browsium Ion Profile, and deploy that Profile. In this specific case, only the well-known data is added to a Profile, and the supporting data is deployed to machines and laid out in the normal file and registry locations that it would have been if the application or control was installed on the machine in a traditional sense.
When LFIs are defined and run within an Ion Profile, the well-known portions of the application files and data are loaded into a Browsium Ion process during runtime. When these settings are loaded, the modules in the Ion process load the supporting files and data as they would normally from the file system.
LFIs have a significant advantage over ZFIs when it comes to load time of an Ion process. Since LFIs are a subset of all the files and registry settings in a payload, a smaller amount of data is placed into memory during process start. The key to LFIs though is getting it right—an administrator needs to perform due diligence to separate out the well-known versus supporting files and data.
Like ZFIs, LFIs in Browsium Ion can be controlled at the per-tab, per-web page level, providing a more granular experience over similar features offered by virtualization solutions. LFIs can also be used to quickly mitigate new and fast-moving threats like the latest Java 1.7 0-day. Using the LFI approach, you can simply remove the Java 1.7 registration entries from the registry, remove the core Java DLLs from Windows, and turn them into Custom Files and Custom Registry entries in a Profile. Browsium Ion can significantly reduce your security footprint by only loading Java 1.7 (or any at-risk control) on the web pages that you specify.
The concept around implementing ZFIs and LFIs is relatively simple: list the files and registry entries you want to use, add those to an Ion Profile, and deploy. The hard part is the analysis – gathering all the files and registry entries that an application needs to run and, in the case of LFIs, breaking down well-known files and data versus supporting files and data.
Controls and applications with smaller-sized payloads (in the tens of files and registry settings) are best-suited for ZFI implementations. A relatively small number of Custom File and Custom Registry settings will not impact startup times of an Ion process. The Microsoft JVM and DHTML Editor Controls are good examples of ActiveX implementations that could be fully implemented in an Ion profile without causing significant system delay when loading such a profile.
Java is a good example of a control that is better suited for LFI than ZFI. A typical Java install has hundreds of files and registry settings that are required for it to run properly on a system. Adding all these files and settings into an Ion profile would result in slow startup times. There are a handful of well-known Java registry entries (the COM registration keys, the HKLM\Software\JavaSoft keys, etc.) and well-known files (the jpi2exp.dll file, the Java SSV loader, the deployment.properties file, etc.) that need to be set as Custom Files and Custom Registry Entries; the rest can be deployed to systems and installed without applications and webpages ever “seeing” that Java is actually installed. Since the well-known files are only present in Ion processes, the only webpages that can load Java are those loaded within an Ion process and using an Ion profile defining those well-known files and registry entries.
Browsium does not provide software to enumerate all the files and registry entries that an application uses. However, there are a number of free and low-cost solutions to do so. Internally, we use Total Uninstall to enumerate the installed files and registry entries of an installation. Packaging tools for virtualization solutions can also be used to achieve the same result.
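The well-known versus supporting split described above can be scripted once an install inventory has been captured. The following is an added example, not Browsium code: it assumes a plain-text inventory with one file path or registry key per line (not any particular tool's export format), the function names are hypothetical, and the sample paths and the all-zero CLSID are constructed; only `jpi2exp.dll`, `deployment.properties` and `HKLM\Software\JavaSoft` are names taken from this post.

```python
import ntpath
import re

HIVES = {"HKLM": "HKEY_LOCAL_MACHINE", "HKCU": "HKEY_CURRENT_USER",
         "HKCR": "HKEY_CLASSES_ROOT"}

# Registry locations the post calls "well-known": COM registration and MIME
# references under the Classes key (HKCR is the merged HKLM/HKCU view) and
# the Windows startup (Run/RunOnce) keys.
WELL_KNOWN_REGISTRY = re.compile(
    r"^(HKEY_CLASSES_ROOT"
    r"|HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\(Wow6432Node\\)?Classes"
    r"|HKEY_(LOCAL_MACHINE|CURRENT_USER)\\Software\\(Wow6432Node\\)?"
    r"Microsoft\\Windows\\CurrentVersion\\Run(Once)?"
    r")(\\|$)",
    re.IGNORECASE,
)
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# The post names DLLs and EXEs; .ocx is added here as an assumption.
BINARY_EXTENSIONS = {".dll", ".exe", ".ocx"}


def normalize_key(key):
    """Expand HKLM/HKCU/HKCR to the full hive name."""
    hive, sep, rest = key.strip().partition("\\")
    return HIVES.get(hive.upper(), hive) + sep + rest


def is_registry(entry):
    return entry.upper().startswith(("HKEY_", "HKLM", "HKCU", "HKCR"))


def classify(entry, path_dirs, extra_keys=(), extra_files=()):
    """Return 'well-known' or 'supporting' for one inventory entry.

    extra_keys / extra_files carry product-specific items the administrator
    has identified by analysis (for Java, the post lists the JavaSoft keys,
    jpi2exp.dll and deployment.properties).
    """
    entry = entry.strip()
    if is_registry(entry):
        key = normalize_key(entry)
        if WELL_KNOWN_REGISTRY.match(key):
            return "well-known"
        for prefix in extra_keys:
            p = normalize_key(prefix).lower()
            if key.lower() == p or key.lower().startswith(p + "\\"):
                return "well-known"
        return "supporting"
    lowered = entry.lower()
    directory, name = ntpath.split(lowered)
    if name in {f.lower() for f in extra_files}:
        return "well-known"
    if STARTUP_MARKER in lowered:
        return "well-known"
    dirs = {ntpath.normpath(d).lower() for d in path_dirs}
    ext = ntpath.splitext(name)[1]
    if ext in BINARY_EXTENSIONS and ntpath.normpath(directory) in dirs:
        return "well-known"
    return "supporting"


def split_inventory(text, path_dirs, extra_keys=(), extra_files=()):
    """Split a whole inventory into the two LFI buckets."""
    result = {"well-known": [], "supporting": []}
    for line in text.splitlines():
        if line.strip():
            bucket = classify(line, path_dirs, extra_keys, extra_files)
            result[bucket].append(line.strip())
    return result


# Constructed sample inventory (not a real Java install listing).
SAMPLE_INVENTORY = r"""
HKLM\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000000}\InprocServer32
HKCR\ExampleVendor.ExamplePlugin.1
HKCR\MIME\Database\Content Type\application/x-example-applet
HKLM\Software\JavaSoft\ExampleSubkey
HKLM\Software\ExampleVendor\Settings
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
C:\Windows\System32\exampleloader.dll
C:\Apps\ExampleJava\bin\jpi2exp.dll
C:\Apps\ExampleJava\lib\deployment.properties
C:\Apps\ExampleJava\lib\resources.jar
C:\Apps\ExampleJava\bin\helper.dll
"""

if __name__ == "__main__":
    buckets = split_inventory(
        SAMPLE_INVENTORY,
        path_dirs=[r"C:\Windows\System32"],
        extra_keys=[r"HKLM\Software\JavaSoft"],
        extra_files=["jpi2exp.dll", "deployment.properties"],
    )
    for bucket, entries in buckets.items():
        print(bucket)
        for e in entries:
            print("   ", e)
```

Entries in the well-known bucket are the candidates for Custom Files and Custom Registry entries in a Profile; the supporting bucket is what stays deployed in its normal locations.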
Browsium Ion implements ZFI and LFI in a way that gives you granular management of when and where ActiveX controls can be run. When important security flaws are exposed and your organization is at risk, you can use these features to quickly protect against security threats and restrict the loading of vulnerable controls to only the most important line-of-business pages.
If you’d like to give this a try, contact us and we’ll work with you to evaluate Ion in your organization. If you are already a customer, please try this approach out in your own test environments. If you have any questions, email our support team at firstname.lastname@example.org.
I like to think of myself as being browser agnostic. I’ve been technologically agnostic since back in the days when I was a software developer (not a good one, mind you). We always took the approach to pick the right platform for a given project rather than figure out how to do the project in our ‘standard’ platform. It was great for the customer and great for learning new skills.
That concept has stayed with me in every tech position I’ve held over the past 18 or so years, and was a large part of the driving force behind starting Browsium. I firmly believe web applications should be built for the browser you want, not the browser you have to run. If you are stuck on IE6, you shouldn’t have to be limited to building IE6-dependent applications. The web is so much more powerful than that. Browsium Ion is designed to free you to embrace web capabilities based on business need and ‘future proof’ your legacy applications.
Along those lines I applaud the Google Chrome team for building Chrome Frame. It’s an impressive technical accomplishment (as we well know) to put one browser inside another. Yes, Chrome Frame isn’t new by any stretch, but given a recent spate of questions we’ve fielded recently it seemed like a good time to talk about it.
While I like the idea of what Chrome Frame can offer, it’s not a solution to the problem that Browsium solves – making legacy web applications work in modern browsers. Chrome Frame does the opposite. It’s designed to enable Google services, and other modern web applications, in legacy browsers (or at least just inside old versions of IE).
The goal here is to get rid of IE6 (and IE7) completely. Even being browser agnostic doesn’t make me want to keep them around. I spent a fair amount of my time working with Microsoft trying to get customers off IE6. It was really difficult because customers needed to keep their business-critical applications running after a browser upgrade. Chrome Frame doesn’t do that, and other solutions that attempt to do this are insanely expensive and complex. That’s why I started Browsium – to make this migration cost effective and easy.
In addition to not moving companies off IE6, Chrome Frame is really not geared for an enterprise deployment. It has some Group Policy settings, but nothing compared to the 1500+ you can get in IE. One of the things you can’t control is how Chrome Frame is invoked. By design, you invoke Chrome Frame through a META tag and there is no way to lock down that option to a specific site. Many customers have asked about using Chrome Frame for some new application they want to run. Without the ability to prevent ANY site on the Internet from invoking it, their security teams have shut down the effort. I’m not saying that Chrome Frame is insecure; I’ll leave that to Microsoft and Google to fight out. Lacking a mechanism to prevent it from being invoked doesn’t seem like a good idea. We took that into account when developing Ion to be invoked only based on preconfigured and defined Rules.
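Because the opt-in lives in each page's markup, one way to see which sites actually invoke Chrome Frame is to audit fetched pages for the META tag and compare the host against an approved list. The sketch below is an added example, not Browsium or Google code. The approved host, the sample pages and the function names are assumptions made for illustration, and `chrome=1` in an `X-UA-Compatible` META tag is taken to be the opt-in directive.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Assumption: hosts the organization has approved for Chrome Frame rendering.
APPROVED_HOSTS = {"apps.intranet.example"}


class ChromeFrameOptIn(HTMLParser):
    """Collects chrome=... directives from X-UA-Compatible META tags."""

    def __init__(self):
        super().__init__()
        self.tokens = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = {name: (value or "") for name, value in attrs}
        if a.get("http-equiv", "").strip().lower() != "x-ua-compatible":
            return
        # content may carry several directives, e.g. "IE=edge,chrome=1"
        for part in a.get("content", "").replace(";", ",").split(","):
            part = part.strip().lower()
            if part.startswith("chrome="):
                self.tokens.append(part)


def chrome_frame_tokens(html):
    parser = ChromeFrameOptIn()
    parser.feed(html)
    return parser.tokens


def audit(pages, approved=APPROVED_HOSTS):
    """Return (host, tokens) for pages that opt in from unapproved hosts."""
    findings = []
    for url, html in pages:
        host = (urlsplit(url).hostname or "").lower()
        tokens = chrome_frame_tokens(html)
        if tokens and host not in approved:
            findings.append((host, tokens))
    return findings


# Constructed sample pages (not real captures).
SAMPLE_PAGES = [
    ("https://apps.intranet.example/orders",
     '<head><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"></head>'),
    ("http://news.example.net/story",
     '<META HTTP-EQUIV="x-ua-compatible" CONTENT="chrome=1">'),
    ("http://plain.example.org/",
     '<meta http-equiv="X-UA-Compatible" content="IE=8">'),
]

if __name__ == "__main__":
    for host, tokens in audit(SAMPLE_PAGES):
        print(f"unapproved Chrome Frame opt-in: {host} {tokens}")
```

This only reports where the opt-in appears; it does not stop the plug-in from honoring it.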
A related issue is the lack of Zone-like functionality, but that’s not just an issue with Chrome Frame. Only IE has the Zone concept and I think it’s great. The idea that web applications were all created equally is silly. Maybe the consumer web has the same settings requirements, but certainly the enterprise web has different needs. That’s why Zones make sense. If you can only load applications using one settings configuration, then you’ll be faced with the least common denominator problem as you build out new applications.
And again, with Chrome Frame you’ll still be running IE6. Which means you’ll still be on Windows XP. It’s late 2012 and Windows 8 is already here – if XP didn’t feel old before it certainly does now. XP was a great operating system in its day and was a workhorse for enterprise for a long time. But it’s about to go out of support (in 592 days if you’re watching the clock). Why would you make a move that doesn’t get you off XP? You don’t need to go to Windows 8 (sorry Microsoft) but Windows 7 should be the real goal here.
If you want to solve your IE6 compatibility problems, let’s solve them. Don’t sweep them under the rug and deal with the lump later. Ion is designed to help you get off IE6 today and deploy IE8 or IE9 so that you can innovate properly and deliver the new applications services that your business needs. Don’t be caught watching the clock as time expires on Windows XP.
P.S. I meant what I said about being browser agnostic. My marketing people will scream bloody murder at me now, but I’ll have more to say on that in the coming months … watch this space.
With Windows 8 hitting its RTM milestone on August 1st, we’re now starting to field questions about when Ion will support IE10. To support a new version of Internet Explorer and a new version of Windows, we first need the final code to deal with any changes that have been made since the previous public release. With MSDN availability of Windows 8 slated for this week, we will use that build to begin our final integration work with a planned release of Ion for Windows 8 and IE10 some time after the Windows 8 GA launch in late October.
Another related question we often get is whether enterprise will deploy Windows 8 in large volume or whether they’re likely to stick with Windows 7 – assuming they’ve even made it that far. While we aren’t in the business of predicting the adoption of any new operating system, we can say Windows 8 appears to currently be below radar for most of our customers. The IT managers we talk with have yet to craft even a basic Windows 8 strategy, much less begin thinking about Windows 8’s impact on their business-critical web applications.
But when Windows 8 does land in these organizations – whether through a structured IT deployment or via end users who bring their own Windows 8 laptop or tablet to work – we know some web applications will have issues. It’s likely IT will first learn about these issues when some poor Windows 8 early adopters call their helpdesk because they can’t process an invoice or submit an expense report. While the number and magnitude of the changes between IE9 and IE10 pale in comparison with the changes from IE6 to any newer version, there are still many significant breaking changes. That’s why delivering Ion for IE10 is a critical milestone on our product roadmap.
Given that neither “Modern IE10” (formerly known as “Metro IE10”) nor the desktop version of IE10 on Windows RT (the ARM version of Windows 8) supports browser plug-ins, the approach we currently use for Ion will not work on these platforms. Of course, neither will the ActiveX controls found in many enterprise line-of-business applications, so the compatibility problems in these environments run very deep. We are looking into solutions to fit the limited extensibility model of Modern and ARM IE10, but it’s too soon to commit to a specific product plan or release timeline.
Lastly, we’re all wondering when we’ll see IE10 on Windows 7. Microsoft has not made any public announcements about IE10 on Windows 7 since the platform preview release in June of 2011 (14 months ago). Once Microsoft delivers their final release (or even another developer release), we’ll have a better idea of when Ion can support it. A safe bet is that we’ll provide support for IE10 on Windows 7 within a few months of Microsoft’s release of the final version.