The tendency for staff to demand access to corporate applications from mobile devices running Apple’s iOS and Android has proved a challenge for IT shops.
The pace of innovation in mobile has bewildered IT management solution vendors accustomed to the more predictable and stable Wintel platforms they’ve wrangled with in the past.
Neither Apple nor the organisations releasing Android devices have been especially forthcoming with rich device management tools for corporate IT administrators, or with a clear roadmap against which CIOs can plan.
The challenge for CIOs is to provide for a new generation of employee that wishes to access corporate applications from their personal devices without compromising on security or the quality of the end-user experience.
MDM and MAM
Over the past five years, a new breed of software application has emerged to tackle the first of those concerns — secure access.
Organisations like Good Technology, AirWatch and MobileIron came to the attention of the industry by promising a similar architecture and security posture as Blackberry Enterprise Server, but applying it to multiple flavours of device.
Their solutions came to be known as ‘mobile device management’ because the primary feature tended to be enforcement of security policy (such as mandatory passcodes and remote wipe) at the firmware level. Over time, the features offered under ‘MDM’ suites have broadened to aid the deployment of secure enterprise mobile apps, hence the occasional use of the term “mobile application management”.
But for the sake of simplicity, let’s stick to using the term MDM when describing these solutions.
Approaches to MDM
Today’s MDM packages tend to offer a fairly consistent set of features, regardless of which vendor you choose to buy from. But the way those features are deployed has a big impact on user experience.
Listed below are three common approaches:
- Native MDM solutions provide a management layer that hooks into the firmware MDM features increasingly on offer by device manufacturers (Samsung, Apple etc).
- Container solutions are mobile applications hosted either in the cloud or behind the firewall that operate in an isolated ‘container’ on a user’s device, with native features of the device (such as copy and paste) locked down for data within the contained environment.
- Virtual machine solutions create a virtual machine or “identity” for corporate applications and data, which is kept isolated from the personal apps running on the native OS. Again the corporate OS acts as a ‘container’ from which corporate data can’t be copied onto personal applications.
Each of these three approaches has its pros and cons.
Using native MDM solutions, users enjoy the experience of the native applications of their preferred devices, but IT administrators find it difficult to create a policy that is consistent across every type of device on the market. The problem is one of consistency.
Using container MDM solutions, CSOs can feel confident that corporate data can’t find its way out of the locked down environment, but users similarly don’t get the benefit of using native applications, and are often frustrated at the limits applied to use of their choice of device.
Using virtual machine solutions, users get the advantage of using the native applications of their devices and can clearly distinguish between their “personal” apps and their “work” apps on the same device. But these solutions require cooperation between the MDM vendor, device manufacturers and carriers, which has to date rarely been forthcoming. Apple in particular doesn't allow virtual machines to be layered over its operating system, whilst Samsung has been working on its own secure container. Further, running two operating systems on one smartphone carries a performance overhead, and switching between them during the course of the working day can be clunky for users.
MDM vendors tend to sell their wares in modules and differentiate themselves according to the various ways in which features can be bundled together.
Common features include:
- A secure mail gateway (essentially a two-way proxy server), either hosted or deployed on-premise.
- Over-the-air device management (to remotely configure, patch or enforce security policies such as passcodes on the device).
- Containerisation of common applications - native mobile applications like email, calendaring and contacts provided by the device/OS vendor are swapped out for versions provided by the MDM vendor, which are isolated from other applications on the device.
- Containerisation of data - a corporate version of a ‘DropBox’ file store/share service, deployed either behind the firewall or in a cloud of your choice.
- Secure, encrypted communication between containerised applications and data store and the device.
- Software Development Kits and proprietary APIs for customers to extend MDM functionality to their new applications (usually an advanced feature at additional cost).
- Application wrapping - organisations can take the export files from Apple (IPA) or Android apps (APK) and run them through a post-compiler provided by the MDM vendor, which is essentially a software translator that replaces the app’s API calls with new API calls that conform to the organisation’s policies. API calls for storing data, for example, would be replaced with API calls that insist on the data being stored in a specific file store. API calls to open the application might insist on invoking authentication first.
The most basic functions relate to the device itself – enforcing policies around passwords, remote wipe in case you misplace your device, determining whether a device can connect to corporate Wi-Fi networks according to whether its software is up to date, perhaps blocking it if it has been jailbroken, and so on. Some solutions avoid controls at the firmware level, however, because in BYOD deployments IT should not have the right to lock down, wipe or disable personal applications and data.
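The device-level controls described above come down to a small set of rules evaluated against what the device reports. The following is an added example, not code from the article or from any MDM vendor, showing one way to express such a policy: a minimum OS version per platform gates corporate Wi-Fi, a jailbroken or rooted device is blocked, and a remote wipe is scoped to the corporate container on a BYOD device rather than the whole handset. The device records, version numbers and field names are constructed for illustration.

```python
"""Device-compliance evaluator (added example; not from the article or any MDM product).

Models the basic device-level controls the text describes: passcode policy,
minimum OS version for corporate Wi-Fi, blocking jailbroken/rooted devices,
and scoping a remote wipe to the corporate container on BYOD devices.
All device records and policy values are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Device:
    device_id: str
    platform: str          # "ios" or "android" (constructed labels)
    os_version: str        # dotted version string as reported by the device agent
    passcode_set: bool
    passcode_length: int
    jailbroken: bool       # jailbroken (iOS) or rooted (Android)
    ownership: str         # "corporate" or "byod"


@dataclass
class Policy:
    # Minimum OS version per platform; values are constructed, not vendor guidance.
    min_os_version: Dict[str, str] = field(
        default_factory=lambda: {"ios": "7.0", "android": "4.3"})
    min_passcode_length: int = 6
    block_jailbroken: bool = True


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn "7.0.4" into (7, 0, 4) so versions compare numerically.

    Comparing the raw strings would rank "10.0" below "7.0"; comparing
    tuples of integers gets the order right.
    """
    return tuple(int(part) for part in v.split("."))


def compliance_findings(device: Device, policy: Policy) -> List[str]:
    """Return every policy violation found; an empty list means compliant."""
    findings: List[str] = []
    if not device.passcode_set:
        findings.append("no passcode")
    elif device.passcode_length < policy.min_passcode_length:
        findings.append(f"passcode shorter than {policy.min_passcode_length}")
    if policy.block_jailbroken and device.jailbroken:
        findings.append("jailbroken or rooted")
    required = policy.min_os_version.get(device.platform)
    if required is None:
        findings.append(f"unsupported platform {device.platform}")
    elif parse_version(device.os_version) < parse_version(required):
        findings.append(f"OS {device.os_version} below minimum {required}")
    return findings


def corporate_wifi_allowed(device: Device, policy: Policy) -> bool:
    """Corporate Wi-Fi is only granted to a fully compliant device."""
    return not compliance_findings(device, policy)


def wipe_scope(device: Device) -> str:
    """BYOD devices get a container-only wipe; corporate-owned devices a full wipe.

    This is the distinction the text draws: on a personal device IT should not
    be wiping personal applications and data.
    """
    return "full_device" if device.ownership == "corporate" else "corporate_container_only"


if __name__ == "__main__":
    policy = Policy()
    fleet = [
        Device("d1", "ios", "7.0.4", True, 6, False, "byod"),
        Device("d2", "android", "4.1.2", True, 4, True, "corporate"),
    ]
    for dev in fleet:
        print(dev.device_id, compliance_findings(dev, policy),
              "wifi:", corporate_wifi_allowed(dev, policy), "wipe:", wipe_scope(dev))
```

The findings list, rather than a single boolean, is what an administrator wants to see in a console: a device can fail on several rules at once, and the remediation differs for each.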
MDM suites have expanded to offer containerisation of applications and the data within them — the native email client, contacts list, calendar is swapped out for one in which data cannot be copy and pasted to another app on the device unless it is within the container. From a privacy perspective, internal IT can monitor and manage all that exists within that container but have no visibility of the personal apps and data on the device.
These solutions can be configured to ensure data within these containerised apps can only talk to approved data stores, again encrypted between the device and your cloud or on-premise storage.
Some of the more advanced customers are using the MDM vendor’s SDK and APIs for creating their own containerised mobile apps, or taking existing applications and securing them via App-wrapping.
App-wrapping is where you take the file for the Apple or Android app you’ve developed, the Android application package (APK) or the iPhone application archive (IPA), and run it through a post-compiler, a software translator if you will, which replaces any API call for functions like authenticating a user, communicating through the public internet to a server, or storing data.
It replaces those calls with new calls that conform to your enterprise mobility policy.
It might tell the application, for example, when I authenticate I look for this address, when I connect I apply a Micro-VPN, when I store data it has to be in this secure container and not anywhere else.
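The app-wrapping process described above (and in the feature list earlier) is, at heart, call interposition: the wrapper rewrites the app’s calls for authentication, network access and storage to policy-enforcing replacements without touching the app’s own logic. The following is an added example written for this page, not code from the article or from any MDM vendor’s SDK or post-compiler. It stands in for the binary with a Python class whose calls go through a lookup table (playing the role of an import table), and for the post-compiler with a `wrap_app()` function that rewrites that table. The hostnames, user directory, secrets and the `EnterprisePolicy` class are all constructed for illustration.

```python
"""App wrapping modelled as call interposition.

Added example, not from the article or any MDM vendor's SDK. The article
describes a post-compiler replacing an app's API calls for authentication,
network access and storage with policy-conforming versions. Here the "app
binary" is a class whose calls go through a lookup table (standing in for an
import table), and wrap_app() rewrites that table. Hosts, users and secrets
below are constructed.
"""
from typing import Callable, Dict, Optional

ApiTable = Dict[str, Callable]

# Storage shared with every other app on the device (constructed stand-in).
DEVICE_SHARED_STORAGE: Dict[str, str] = {}


# --- the unwrapped app's own, policy-unaware primitives -----------------
def plain_authenticate(user: str, secret: str) -> str:
    return user                        # trusts whatever it is given


def plain_connect(host: str) -> str:
    return f"direct://{host}"          # straight out over the public internet


def plain_store(path: str, data: str) -> str:
    DEVICE_SHARED_STORAGE[path] = data  # readable by other apps on the device
    return path


PLAIN_API: ApiTable = {
    "authenticate": plain_authenticate,
    "connect": plain_connect,
    "store": plain_store,
}


class NotesApp:
    """The developer's app, written against an API table it never inspects."""

    def __init__(self, api: ApiTable) -> None:
        self.api = api

    def open_session(self, user: str, secret: str, host: str) -> str:
        self.api["authenticate"](user, secret)
        return self.api["connect"](host)

    def save(self, name: str, text: str) -> str:
        return self.api["store"](name, text)


# --- policy-conforming replacements the wrapper injects ------------------
class EnterprisePolicy:
    """Replacement calls that enforce the enterprise mobility policy (constructed)."""

    def __init__(self, idp_host: str, vpn_gateway: str, directory: Dict[str, str]) -> None:
        self.idp_host = idp_host
        self.vpn_gateway = vpn_gateway
        self.directory = directory           # user -> secret; a constructed directory
        self.container: Dict[str, str] = {}  # isolated store; a real one encrypts at rest
        self.session_user: Optional[str] = None

    def authenticate(self, user: str, secret: str) -> str:
        # "when I authenticate I look for this address"
        if self.directory.get(user) != secret:
            raise PermissionError(f"{user} rejected by {self.idp_host}")
        self.session_user = user
        return user

    def connect(self, host: str) -> str:
        # "when I connect I apply a Micro-VPN"
        if self.session_user is None:
            raise PermissionError("connect attempted before authentication")
        return f"microvpn://{self.vpn_gateway}/{host}"

    def store(self, path: str, data: str) -> str:
        # "when I store data it has to be in this secure container and not anywhere else"
        if self.session_user is None:
            raise PermissionError("store attempted before authentication")
        self.container[path] = data
        return f"container://{path}"


def wrap_app(api: ApiTable, policy: EnterprisePolicy) -> ApiTable:
    """Rewrite every entry of the app's API table to the policy's implementation.

    Refuses to wrap if the policy lacks a replacement for some call, so no
    call the app makes can slip through to the unwrapped primitive.
    """
    wrapped: ApiTable = {}
    for name in api:
        replacement = getattr(policy, name, None)
        if replacement is None:
            raise ValueError(f"no policy replacement for API call {name!r}")
        wrapped[name] = replacement
    return wrapped


def demo():
    """Wrap the app and show where its session and data now go."""
    policy = EnterprisePolicy("idp.example.internal", "vpn.example.internal",
                              {"alice": "s3cret"})
    app = NotesApp(wrap_app(PLAIN_API, policy))
    url = app.open_session("alice", "s3cret", "notes.example.internal")
    ref = app.save("q3-plan.txt", "confidential")
    leaked = "q3-plan.txt" in DEVICE_SHARED_STORAGE
    return url, ref, leaked, policy.container.get("q3-plan.txt")


if __name__ == "__main__":
    print(demo())
```

Two points carry over to the real thing. First, the wrapper must cover every call the app makes, which is why `wrap_app()` fails closed when a replacement is missing rather than leaving the original in place. Second, the replacements enforce ordering (no connect or store before a successful authentication), which is how a wrapped app ends up invoking authentication on open even though its author never wrote that logic.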
Today’s premium, tomorrow’s base
While there are all kinds of subtle variations in approach, there are relatively few features on which the discrete MDM vendors can differentiate themselves.
You’ll find that most vendors have different names for the same features and mimic the release strategy of their peers, disguising the mimicry by bundling features slightly differently and pricing them via different metrics.
So closely did MobileIron and AirWatch mimic the features offered by Good Technology, for example, that the latter is currently suing the former two for alleged IP infringement. Good did that — in my opinion — because the company was running out of new features it could charge a premium for, and its competitors were being very aggressive on price.
If a feature is today offered at a premium above and beyond the base package, history suggests that the MDM market is evolving fast enough that you can expect that feature to be part of the base within 12 months.
MDM vendors are finding competition to their solutions coming from new quarters — virtualisation vendors such as VMware, Microsoft and Citrix; IT security vendors such as Symantec and Sophos.
But more concerning would be the MDM hooks being built directly into the mobile operating system. Apple’s iOS7 and Samsung’s flavour of Android both present interesting challenges. The degree to which the solutions offered by MDM vendors are complementary to these new changes will be telling over the coming months.
This chapter forms part of iTnews’ forthcoming study, ‘The True Cost of BYOD’.
Stay tuned for tomorrow’s post on MDM costs.