Best BYOD management: Containment is your friend

Emerging containerization technologies create a separate, protected workspace on employees' personal smartphones.

Anthony Perkins wants employees at BNY Mellon to bring their personal smartphones to work and use those instead of company-issued BlackBerries to access business email, applications and data.

But there's a catch: Not all employees are comfortable with the prospect of having their personal phones locked down and controlled as tightly as the BlackBerries that Perkins would like to phase out. That's where the notion of containerization comes in.

A bring your own device (BYOD) strategy is good business, says Perkins, managing director and CIO at the bank. It reduces the time and expense involved with maintaining and managing company-owned BlackBerries. "We'd like to be in the business of managing software, not hardware. In the RIM world you manage hardware," he says, referring to Research in Motion, the BlackBerry's manufacturer.

On the down side, today's popular mobile devices were designed for the consumer market, and third-party management tools lack the hooks RIM can offer: RIM designed and controls the BlackBerry client architecture and has been especially responsive to the needs of corporate customers.

Sidebar: Managing mobile from the cloud

Mobile device management typically involves installing agent software on each user's device and setting up a server-based management console. Don't want to do it yourself? Service providers that help IT manage mobile devices and software are plentiful.

For example, integrator Vox Mobile offers a "managed mobility" service that includes comprehensive monitoring and reporting, Fiberlink offers MaaS360 for corporate email and documents, and mobile carrier AT&T introduced its cloud-based Toggle mobile management service last year.

With Toggle, AT&T installs a "work container" on each smartphone, which the user logs into with a password. Administrators can then manage container policies by way of a cloud-based portal and app store called Toggle Hub. In the third quarter AT&T plans to add the ability to run antivirus scans on all managed devices, as well as to lock or wipe the container.

"More and more of this will move into the cloud. But today it's still a small percentage," says Phil Redman, an analyst at Gartner.

"Where this is leading is dual data plans on the same device," says Mobeen Khan, executive director of advanced mobility solutions at AT&T. "You will have a phone number for the container and one for your personal device."

Perkins is excited about that prospect. "We're talking with Verizon and AT&T on phones with a SIM that has two phone numbers," products that are currently in development, he says. Carriers are telling him those products are just a few years out -- AT&T declined to comment on availability -- but whether it's two years or ten, he says, "That's probably the direction we'll go."

But Perkins says RIM's management advantages are outweighed by the productivity gains users get from the multitude of apps available for Android and iOS. And most importantly, having a BYOD policy is "a great way to recruit and retain young talent."

Because corporate apps and data are mixed in with the user's personal content, mobile device management (MDM) tools take a conservative line when managing corporate resources on users' phones: policies often apply to the entire device, personal and professional apps and data alike. Users may not be willing to give up control of their smartphones in exchange for access to corporate apps and data.

To get around that user resistance, Perkins is turning to containerization -- an emerging class of management tools that carve out a separate, encrypted zone or policy bubble on the user's smartphone within which some corporate apps and data can reside. In this way, policy controls apply only to what's in the container, rather than to the entire device.

For the most part, containerization tools complement MDM software, and a growing number of MDM vendors are incorporating containerization techniques.

That said, as valuable as containment is for limiting corporate liability, it does nothing to protect personal data that is lost when a phone is lost or stolen and then wiped. Some IT departments are recognizing that users may need help backing up their personal data and apps, and some, like Jacobs Engineering, are helping their end users get set up with backup systems.

Ryan Terry, division CIO and CSO at University Hospitals Health System in Shaker Heights, Ohio, turned to containerization because he sees the use of traditional MDM tools to control the entire device as a liability issue. The hospital needs to have apps or data delivered securely to clinicians without interfering with the users' ability to access their personal apps and data. "We can't afford to delete things of a personal nature or impede their ability to use their personal asset," he says.

Alex Yohn, assistant director of technology at West Virginia University, is also wary. "I don't want my guys doing settings on the personal side that could come back to haunt us," such as accidentally deleting data or making configuration changes that affect how the users' personal apps run.

For businesses that need strict security policy and compliance controls, such as the highly regulated healthcare and financial services industries, containerization can be especially helpful in making the BYOD experience more palatable for users, IT leaders say.

Choose your container

Existing vendors offer, in essence, three different containerization approaches:

  • Creating an encrypted space, or folder, into which applications and data may be poured
  • Creating a protective "app wrapper" that creates a secure bubble around each corporate application and its associated data
  • Using mobile hypervisors, which create an entire virtual mobile phone on the user's device that's strictly for business use

All of these technologies offer more granular control over corporate applications and data on users' devices than the security that comes standard with today's smartphones. And users' devices no longer need to be on a list of smartphones certified and tested by IT, because corporate apps and data reside inside a secure, encrypted shell. That shell still runs on top of the device's own operating system, however: a jailbroken or rooted phone can expose the container's keys and decrypted data in memory, which is why container products commonly include jailbreak or root detection.

However, the need to switch back and forth between the business and personal environments may be perceived as inconvenient and affect overall user satisfaction, says Gartner's Redman.

Neither Apple nor Google offers containerization technology, and neither would comment for this story, but their respective spokesmen did point out some resources that might be helpful. (See sidebar, below.)

Encrypted folders

The most mature containerization approach is the encrypted, folder-based container, Redman explains. AirWatch has an offering in this space, and Good Technology is an early leader in terms of enterprise adoption of containerization, particularly among regulated businesses.

For basic mobile access, BNY Mellon uses Good for Enterprise to create an encrypted space on smartphones within which users can run Good's email and calendar client and use a secured browser. "It's a secure container with an app that can send and receive corporate email that's encrypted," says Perkins. All communications are routed through Good's network operations center, which authenticates mobile users.

Sidebar: Where Apple and Google stand

Spokesmen for Apple and Google would not comment for attribution but both pointed Computerworld to documents and offered clarifications by email. Here's a summary.

Google

Google Apps for Business, Government and Education administrators can use the Google Apps Control Panel to manage end users' Android, iOS and Windows Mobile devices at the system level. The panel enables the device to sync with Google Apps, encrypts data and configures password settings.

Another tool, called Google Apps Device Policy, enforces security policies such as device encryption and strong passwords and can also locate, lock and wipe a device. It can also block use of the camera and enforce email retention policies. However, partial wipes of just corporate data are not supported.

MDM vendors can use Google's Android Device Administration API to provide similar controls outside of Google Apps.
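As an added illustration of the Device Administration API just mentioned (example code written for this edit, not Google's or any MDM vendor's; the CorpAdminReceiver class, the manifest entries and the policy values are hypothetical choices), here is the skeleton an MDM agent uses to enforce the controls the sidebar lists: password rules, encryption, camera lockout, remote lock and remote wipe. Note that the only wipe the API offers is a factory reset of the whole device, which is the limitation a container is meant to address.

```java
import android.app.Activity;
import android.app.admin.DeviceAdminReceiver;
import android.app.admin.DevicePolicyManager;
import android.content.ComponentName;
import android.content.Context;
import android.content.Intent;
import android.util.Log;

/**
 * Hypothetical MDM agent component (not any vendor's code). Declared in AndroidManifest.xml as
 *   <receiver android:name=".CorpAdminReceiver"
 *             android:permission="android.permission.BIND_DEVICE_ADMIN">
 *     <meta-data android:name="android.app.device_admin"
 *                android:resource="@xml/device_admin" />
 *     <intent-filter>
 *       <action android:name="android.app.action.DEVICE_ADMIN_ENABLED" />
 *     </intent-filter>
 *   </receiver>
 * with res/xml/device_admin.xml listing the policies it is allowed to use:
 *   <device-admin xmlns:android="http://schemas.android.com/apk/res/android">
 *     <uses-policies>
 *       <limit-password /> <watch-login /> <force-lock />
 *       <wipe-data /> <encrypted-storage /> <disable-camera />
 *     </uses-policies>
 *   </device-admin>
 */
public class CorpAdminReceiver extends DeviceAdminReceiver {
    private static final String TAG = "CorpAdmin";

    // Arbitrary policy values chosen for the example
    private static final int MIN_PASSWORD_LENGTH = 8;
    private static final long MAX_TIME_TO_LOCK_MS = 5 * 60 * 1000L;
    private static final int MAX_FAILED_BEFORE_WIPE = 10;

    private static ComponentName self(Context ctx) {
        return new ComponentName(ctx, CorpAdminReceiver.class);
    }

    private static DevicePolicyManager dpm(Context ctx) {
        return (DevicePolicyManager) ctx.getSystemService(Context.DEVICE_POLICY_SERVICE);
    }

    /** Step 1: the user must approve the admin; until then every setter below throws SecurityException. */
    public static void requestActivation(Activity host, int requestCode) {
        Intent i = new Intent(DevicePolicyManager.ACTION_ADD_DEVICE_ADMIN);
        i.putExtra(DevicePolicyManager.EXTRA_DEVICE_ADMIN, self(host));
        i.putExtra(DevicePolicyManager.EXTRA_ADD_EXPLANATION,
                "Needed to protect corporate email on this phone");
        host.startActivityForResult(i, requestCode);
    }

    /** Step 2: the system calls this once the user approves; push the policy immediately. */
    @Override
    public void onEnabled(Context ctx, Intent intent) {
        Log.i(TAG, "admin enabled, applying corporate policy; compliant=" + applyPolicy(ctx));
    }

    @Override
    public void onPasswordFailed(Context ctx, Intent intent) {
        // The wipe-after-N-failures threshold is enforced by the system itself; just record it.
        Log.w(TAG, "failed unlock attempt on managed device");
    }

    /** Applies the controls the sidebar lists. Returns true when the device already complies. */
    public static boolean applyPolicy(Context ctx) {
        DevicePolicyManager dpm = dpm(ctx);
        ComponentName me = self(ctx);
        if (!dpm.isAdminActive(me)) {
            return false;
        }
        // Strong password, auto-lock, and a whole-device wipe after repeated failures
        dpm.setPasswordQuality(me, DevicePolicyManager.PASSWORD_QUALITY_ALPHANUMERIC);
        dpm.setPasswordMinimumLength(me, MIN_PASSWORD_LENGTH);
        dpm.setMaximumTimeToLock(me, MAX_TIME_TO_LOCK_MS);
        dpm.setMaximumFailedPasswordsForWipe(me, MAX_FAILED_BEFORE_WIPE);
        // Device encryption (API 11+) and camera block (API 14+); both apply to the whole device
        dpm.setStorageEncryption(me, true);
        dpm.setCameraDisabled(me, true);

        boolean passwordOk = dpm.isActivePasswordSufficient();
        if (!passwordOk) {
            // The setters only state a requirement; the user still has to set a compliant passcode.
            Intent i = new Intent(DevicePolicyManager.ACTION_SET_NEW_PASSWORD);
            i.addFlags(Intent.FLAG_ACTIVITY_NEW_TASK);
            ctx.startActivity(i);
        }
        boolean encrypted = dpm.getStorageEncryptionStatus()
                == DevicePolicyManager.ENCRYPTION_STATUS_ACTIVE;
        return passwordOk && encrypted;
    }

    /** Remote lock, e.g. on a push from the MDM server. */
    public static void lockNow(Context ctx) {
        dpm(ctx).lockNow();
    }

    /** Remote wipe: a factory reset of the entire device, personal data included. The
     *  device-admin API has no corporate-only wipe; that is what a container supplies. */
    public static void wipeDevice(Context ctx) {
        dpm(ctx).wipeData(DevicePolicyManager.WIPE_EXTERNAL_STORAGE);
    }
}
```

Every policy set here is device-wide, which is exactly the "Big Brother" objection the article describes: the same password, encryption and camera rules bind the user's personal apps, and wipeData() cannot distinguish a corporate spreadsheet from family photos.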

As for containerization and app-wrapping technologies, which need access to an enterprise app's binary in order to put a policy wrapper around it, Google does not offer such a tool itself and declined to comment further.

For more information:

Visit Google's blog: http://googleenterprise.blogspot.com/2012/08/make-mobile-more-manageable.html

Android Application Security: http://source.android.com/tech/security/index.html#android-application-security

Apple

Apple says it supports third-party MDM tools. It allows MDM servers to manage in-house apps and third-party apps from the App Store, and it supports the removal of any or all apps and data managed by the MDM server.

In practice, however, MDM servers are limited. While most tools allow selective deleting or blocking of specific enterprise apps, there is no automated way to identify and erase all of the associated data. "No IT manager can sit around and go through thousands of files that may be on each user's phone," says Phil Redman, the Gartner analyst.

As for containerization and app-wrapping technologies, which need access to an enterprise app's binary in order to put a policy wrapper around it, Apple does not offer such a tool itself and declined to comment.

For more information:

Visit Apple's iPad in Business Web page: http://www.apple.com/ipad/business/resources/

Download the MDM deployment scenario document: http://images.apple.com/ipad/business/docs/iOS_MDM_Mar12.pdf (PDF)

For its part, Good's basic email and calendaring capability has been available for several years. Late last year it added the capability for other apps to run within its protected space using the Good Dynamics Platform, but each app must be modified to run in Good's proprietary environment. So far, about a dozen commercial apps are available, including QuickOffice, which is typically used for reading and editing downloaded Microsoft Office file attachments.

Perkins is using Good only for email and calendar -- the "killer apps" for most employees, he says -- and for accessing internal, browser-based apps using Good's browser.

For full-on access to the corporate network, SharePoint and other services, BNY Mellon relies on Fiberlink's MaaS360, a cloud-based MDM system it has configured to take complete control of the user's device. MaaS360 monitors what gets written to and from the operating system, and blocks access to some personal apps, such as Yahoo Mail and Gmail, when the device is accessing corporate resources.

"When it's on our network we own it and control it," says Perkins. When used in personal mode, individuals have control over which apps they can use.

What's more, BNY Mellon may wipe the device -- including all of the user's personal apps and data -- if it is lost or stolen, although MaaS360 and most other major MDM tools do allow selective wipes. Citing security concerns, Perkins declined to say how many times the company has had to wipe phones that have been lost or stolen.

In comparison, if the Good-based units are lost or stolen, only the corporate container is wiped.

It's not surprising, then, that some employees are concerned about turning their personal smartphones over to "Big Brother." The Good alternative, Perkins says, is more palatable for users who want access to just the basics: email, calendar and a secure browser.
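To make concrete what the container-only wipe described above buys, here is an added example written for this edit; it is not Good's, Fiberlink's or any other vendor's code, and the WorkContainer class, the passcode and the file names are hypothetical. It builds a minimal encrypted work folder in plain Java SE: each file is AES-GCM encrypted under a key derived from the container passcode with PBKDF2, so the key never rests on disk, and a wipe removes only the container directory, leaving the constructed "personal" file outside it untouched.

```java
import java.io.IOException;
import java.io.UncheckedIOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Comparator;
import java.util.stream.Stream;
import javax.crypto.Cipher;
import javax.crypto.SecretKey;
import javax.crypto.SecretKeyFactory;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.PBEKeySpec;
import javax.crypto.spec.SecretKeySpec;

/** Hypothetical minimal "work container": one directory whose files are AES-GCM encrypted
 *  under a key derived from the container passcode. Illustrative only, not any vendor's code. */
public final class WorkContainer {
    private static final int PBKDF2_ITERATIONS = 100_000;
    private static final int GCM_TAG_BITS = 128;
    private static final int GCM_IV_BYTES = 12;
    private static final SecureRandom RNG = new SecureRandom();

    private final Path root;      // the container directory, separate from personal files
    private final SecretKey key;  // held in memory only while the container is unlocked

    private WorkContainer(Path root, SecretKey key) { this.root = root; this.key = key; }

    /** Unlock: derive the key from the passcode and a per-container salt kept beside the files. */
    public static WorkContainer open(Path root, char[] passcode) throws IOException, GeneralSecurityException {
        Files.createDirectories(root);
        Path saltFile = root.resolve(".salt");
        byte[] salt;
        if (Files.exists(saltFile)) {
            salt = Files.readAllBytes(saltFile);
        } else {
            salt = new byte[16];
            RNG.nextBytes(salt);
            Files.write(saltFile, salt);
        }
        PBEKeySpec spec = new PBEKeySpec(passcode, salt, PBKDF2_ITERATIONS, 256);
        byte[] raw = SecretKeyFactory.getInstance("PBKDF2WithHmacSHA256").generateSecret(spec).getEncoded();
        spec.clearPassword();
        return new WorkContainer(root, new SecretKeySpec(raw, "AES"));
    }

    /** Store a corporate document; on disk it is IV || ciphertext || GCM tag, unreadable without the key. */
    public void put(String name, byte[] plaintext) throws IOException, GeneralSecurityException {
        byte[] iv = new byte[GCM_IV_BYTES];
        RNG.nextBytes(iv);                                   // fresh nonce for every write
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, iv));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));  // bind the ciphertext to its file name
        byte[] ct = c.doFinal(plaintext);
        byte[] out = new byte[iv.length + ct.length];
        System.arraycopy(iv, 0, out, 0, iv.length);
        System.arraycopy(ct, 0, out, iv.length, ct.length);
        Files.write(root.resolve(name), out);
    }

    /** Read a document back; a modified or renamed file fails with AEADBadTagException. */
    public byte[] get(String name) throws IOException, GeneralSecurityException {
        byte[] blob = Files.readAllBytes(root.resolve(name));
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key, new GCMParameterSpec(GCM_TAG_BITS, blob, 0, GCM_IV_BYTES));
        c.updateAAD(name.getBytes(StandardCharsets.UTF_8));
        return c.doFinal(blob, GCM_IV_BYTES, blob.length - GCM_IV_BYTES);
    }

    /** Selective wipe: delete the container tree only. Nothing outside root is touched. */
    public static void wipe(Path root) throws IOException {
        if (!Files.exists(root)) return;
        try (Stream<Path> walk = Files.walk(root)) {
            walk.sorted(Comparator.reverseOrder()).forEach(p -> {
                try { Files.delete(p); } catch (IOException e) { throw new UncheckedIOException(e); }
            });
        }
    }

    public static void main(String[] args) throws Exception {
        Path device = Files.createTempDirectory("phone");      // constructed stand-in for the handset
        Path personal = device.resolve("DCIM/photo.jpg");       // constructed personal file
        Files.createDirectories(personal.getParent());
        Files.write(personal, "vacation".getBytes(StandardCharsets.UTF_8));

        Path work = device.resolve("work");
        WorkContainer wc = WorkContainer.open(work, "correct horse".toCharArray());
        wc.put("q3-forecast.xlsx", "confidential".getBytes(StandardCharsets.UTF_8));
        System.out.println(new String(wc.get("q3-forecast.xlsx"), StandardCharsets.UTF_8));

        byte[] onDisk = Files.readAllBytes(work.resolve("q3-forecast.xlsx"));
        System.out.println("plaintext on disk: "
                + new String(onDisk, StandardCharsets.ISO_8859_1).contains("confidential"));

        WorkContainer.wipe(work);                               // phone lost: wipe corporate data only
        System.out.println("work exists=" + Files.exists(work) + " personal exists=" + Files.exists(personal));
    }
}
```

Because the key is derived from the passcode and lives only in process memory while the container is open, deleting the files is largely a courtesy: without the passcode the ciphertext stays useless even if the flash blocks are later recovered. A real product adds what this sketch leaves out: a lockout or wipe after repeated failed passcodes, the server-side authentication the article attributes to Good's network operations center, and a root or jailbreak check, since a compromised OS can read the key straight out of the running process.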

App wrapping

This is a newer, more granular approach in which each app is enclosed in its own encrypted policy wrapper, or container. This allows administrators to tailor policies to each app. Small vendors with proprietary approaches dominate the market, including Mocana, Bitzer Mobile, OpenPeak and Nukona (recently acquired by Symantec).

For its part, RIM is working on adding this capability to its BlackBerry Mobile Fusion MDM software, possibly as soon as May 2013. (Mobile Fusion manages Android and iPhone devices as well as BlackBerrys.) Peter Devenyi, senior vice president of enterprise software, says RIM's offering will be "a containerized solution where one can wrap an application without the need to modify source code so you can run it as a corporate application and manage it as a corporate asset."

"Using these tools you can put together a pretty complete, fully wrapped productivity suite that's encrypted and controllable," says Jeff Fugitt, vice president of marketing at mobile integrator Vox Mobile. So far, however, the customer base for the technology is relatively small.

Forrester analyst Christian Kane describes app wrapping as an "application-level VPN" that lets administrators set policies to determine what the app can interact with on the user's device or on the Web, and what access the app has to back-end resources. It also allows for remote wiping of the container, including the app and any associated data.

"Application wrapping is not mature," says Phil Redman, Gartner analyst.
