Best BYOD management: Work zones for smartphones

Emerging containerization technologies create a separate, protected workspace on employees' personal smartphones.

Anthony Perkins, CIO for BNY Mellon's Wealth Management business, is excited about that prospect. "We're talking with Verizon and AT&T about phones with a SIM that has two phone numbers," he says. Those devices are currently in development, and Perkins says that carriers are telling him they will be available in just a few years -- AT&T declined to comment on availability. But whether the time frame is two years or 10, he says, "that's probably the direction we'll go."

- Robert L. Mitchell

Mobile Hypervisors

The third approach to containment is to create a virtual machine that includes its own instance of the mobile operating system -- a virtual phone within a phone. This requires that the vendor work with smartphone makers and carriers to embed and support a hypervisor on the phone. Such technology isn't generally available yet, but devices that support a hypervisor may eventually allow users to separate personal and business voice and data.

VMware is developing an offering called VMware Horizon. It will support Android and iOS, and function as a Type 2 hypervisor, which means the virtual machine runs as a guest on top of the native installation of the device's operating system.

Having a guest OS run on top of a host operating system tends to consume more resources than a Type 1 "bare metal" hypervisor that's installed directly on the mobile device hardware. It's also considered a less secure approach, since the host operating system could be compromised, creating a path of attack into the virtual machine.

Another vendor, Open Kernel Labs, offers a Type 1 hypervisor that it calls "defense-grade virtualization." Open Kernel's technology is currently used mostly by mobile chipset and smartphone manufacturers that serve the military. The company has yet to break into the commercial market, says Redman.

Developing a Type 1 hypervisor that interacts directly with the hardware is impractical, says Ben Goodman, lead evangelist for VMware Horizon. "We moved to a Type 2 hypervisor because the speed at which mobile devices are being revised makes it nearly impossible to keep up," he says.

As for security, VMware is working on an encryption approach similar to the Trusted Computing Group's Trusted Platform Module standard. It's also researching jail-break detection.

Performance won't be a problem, says Goodman, vowing that "VMware Horizon is optimized to run extremely well." But VMware declined to provide the names of early adopters who could discuss the product.

Israeli startup Cellrox offers its own twist on virtualization for Android devices. The technology, called ThinVisor, was developed at Columbia University. It's neither a Type 1 nor a Type 2 hypervisor, but "a different level of virtualization that resides in the OS and allows multiple instances of the OS using the same kernel," says Cellrox CEO Omer Eiferman. The vendor offers ThinVisor to cellular service providers, smartphone manufacturers and large enterprise customers.

Problems and Promise

One problem with containerization is that not all products support iOS, which powers iPhones, the smartphones most commonly found in enterprises. While Apple has a 22% share of the worldwide smartphone market, compared with 50% for Android devices, those figures are reversed in the enterprise: The iPhone has 60% of that market, versus 10% for Android devices, according to Gartner.

Apple's legendary secrecy about operating system enhancements means containerization vendors receive no advance notice and must scramble every time the vendor releases an update. The bottom line: Users may have trouble accessing corporate systems if they upgrade their personal iPhones too quickly. At University Hospitals, says Terry, "iOS changes often cause service interruptions while Good Technology's products are modified, tested, then released."

Directory integration is another area where tools are still evolving. "We'd like to see more integration with Active Directory and with PeopleSoft or whatever the source of record is to control user profiles -- ideally, tighter integration that would disable access automatically or restrict access to published applications based on a user's role," Terry says. Today, businesses may need to turn to integrators such as Vox Mobile to provide that level of integration.

Containerization can also make it difficult to provide tech support for users' personal devices if IT doesn't have visibility into the performance of the total device, says Steve Chong, manager of messaging and collaboration at Union Bank, which uses Good for Enterprise. He notes that there are a number of questions that are difficult to answer with containerization: Is the problem related to signal strength? Has the user run out of storage space? Is there a way for IT to remotely access the phone to diagnose issues?

"Having agents on the phone means that it needs to be constantly on all the time for data gathering, but that means that it will consume phone resources," Chong says. Also, it's "software that now needs to be managed and updated on users' phones."

Today, organizations with BYOD programs either aren't using MDM or are using basic tools like Microsoft's Exchange ActiveSync, which allows mobile access to users' Exchange email and calendars. "The next phase is getting to MDM. Then [IT] can look at application security and management," Redman says.

At CareerBuilder, a jobs website and staffing firm, employees who want to use their own phones can connect to the enterprise via ActiveSync, but downloaded data is not encrypted unless the user does so at the device level. Further, IT doesn't offer support for users connecting with their own smartphones.

CareerBuilder users can also install, on their own, apps to access SaaS applications such as Concur and Salesforce.com. "We defaulted to that," says Roger Fugett, senior vice president of IT. But with nearly half of the company's 2,600 employees now bringing their own devices, Fugett says he's taking a hard look at the potential risks and how to mitigate them. Containerization and general MDM tools are on his radar.

This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.

This story, "Best BYOD management: Work zones for smartphones" was originally published by Computerworld.
