Best BYOD management: Containment is your friend

Emerging containerization technologies create a separate, protected workspace on employees' personal smartphones.

"Application wrapping is not mature," says Gartner's Redman, and the existence of competing architectures in this nascent market is holding back growth. But the adoption of app wrapping for enterprise and third-party apps will increase, he says, as the technology is eventually integrated into the larger and more established MDM platforms.

The downside to app wrapping is that each application must be modified, which means administrators need access to the app's binary code. That means some apps that come preinstalled on Android or iOS phones may not be supported. Also, implementations may work more smoothly with Android devices than with iOS because of problems getting binary code for apps sold via Apple's App Store. For this reason, wrapping tools tend not to work with iPhone apps. For example, Mocana's Mobile App Protection product doesn't support the email client on the iPhone, or other built-in apps for that matter.

Users can get access to the binary for free iOS apps, but for paid App Store wares, IT needs an agreement to buy direct from the provider and bypass Apple's store.

"Apple overlooks the issue of app wrapping today and changing apps [bought] from their store, but by their rules you're not supposed to do that. They could clamp down and not allow that, although so far they haven't," says Redman. Apple declined to comment. (See "Where Apple and Google stand.")

Mobile hypervisors

The third approach to containment is to create a virtual machine that includes its own instance of the mobile operating system -- a virtual phone within a phone. This requires that the vendor work with smartphone makers and carriers to embed and support a hypervisor on the phone. The technology isn't generally available as yet, but devices that support a hypervisor may eventually allow users to separate personal and business voice and data.

VMware's offering, VMware Horizon, is still in development. It will support Android and iOS, and functions as a type 2 hypervisor, which means the virtual machine runs as a guest on top of the native installation of the device's operating system.

Having a guest OS run on top of a host OS tends to consume more resources than a type 1 "bare metal" hypervisor that's installed directly on the mobile device hardware. It's also considered less secure, since the underlying host OS could be compromised, creating a path of attack into the virtual machine.

Another vendor, Open Kernel Labs, offers a type 1 hypervisor, which it calls "defense-grade virtualization." Today the technology is used mostly by mobile chipset and smartphone manufacturers that serve the military. The company has yet to break into the commercial market, says Redman.

Developing a type 1 hypervisor that interacts directly with the hardware is impractical, argues Ben Goodman, lead evangelist for VMware Horizon. "We moved to a type 2 hypervisor because the speed at which mobile devices are being revised makes it nearly impossible to keep up."

As to security, VMware is working on an encryption approach similar to the Trusted Computing Group's Trusted Platform Module standard as well as jail-break detection.

Performance won't be a problem, Goodman promises. "VMware Horizon is optimized to run extremely well, and performance is exceptional." However, VMware declined to provide the names of any early adopters who might speak publicly about the product.

Israeli startup Cellrox Ltd. offers its own twist on virtualization for Android devices. The technology, called ThinVisor and developed at Columbia University, is neither a type 1 nor type 2 hypervisor but "a different level of virtualization that resides in the OS and allows multiple instances of the OS using the same kernel," says CEO Omer Eiferman. It offers the product to cellular service providers and smartphone manufacturers, as well as to large enterprise customers.

Problems and promise

Not all containerization products support iOS, which powers the iPhone and iPad, the smartphones most commonly found in enterprises. While Apple has 22% market share worldwide compared to 50% for Android, in the enterprise those numbers are reversed: The iPhone commands a 60% market share versus just 10% for Android, according to Gartner.

For the products that do support iOS, Apple's legendary secrecy about OS enhancements means containerization vendors receive no advance notice and must scramble every time Apple releases an update. The bottom line: Users may have trouble accessing corporate resources if they upgrade their personal iPhone too quickly or frequently. "iOS changes often cause service interruptions while Good Technology's products are modified, tested, then released for our end users," says Terry at University Hospitals.

"We can't afford to delete things of a personal nature or impede [end-users'] ability to use their personal asset," says Ryan Terry, division CIO and CSO at University Hospitals Health System.

Directory integration is another area where tools are still evolving. "We'd like to see more integration with Active Directory and with PeopleSoft or whatever the source of record is to control user profiles," Terry says. "Ideally, tighter integration that would disable access automatically or restrict access to published applications based on a user's role." Today businesses may need to turn to integrators such as Vox Mobile to provide that level of integration.

Containerization is also limited in terms of troubleshooting and general support issues if the enterprise doesn't have visibility into the performance of the total device, argues Steve Chong, manager of messaging and collaboration at Union Bank, which uses Good for Enterprise. Is the problem related to signal strength? Has the user run out of storage space? Is there a way for IT to remotely access the phone to diagnose issues?

"We need all of that without having to have multiple agents installed on the phone," he says, because each agent adds complexity and uses up resources.

"Having agents on the phone means that it needs to be constantly on all the time for data gathering, but that means that it will consume phone resources," Chong says. Also, it's "software that now needs to be managed and updated on users' phones."

Today many businesses, if they have a BYOD program at all, either aren't using MDM or are using a very basic tool such as Microsoft's Exchange ActiveSync, which allows mobile access to the user's Exchange email and calendar. "The next phase is getting to MDM. Then [IT staffers] can look at application security and management," Redman says.

At West Virginia University, the cost of tools outweighs the risks -- at least for now. Yohn says the school uses only ActiveSync to support its 4,500 faculty and staff. He'd like to do more, but says licensing costs for the containerization tools he researched would have exceeded $100,000 annually. "We'll wait until prices fall, or something happens and we determine that we need to make this investment," he says.

At CareerBuilder, a jobs website and staffing firm, individuals who want to use their own phones can connect by way of ActiveSync, but downloaded data is not encrypted unless the user chooses to do so at the device level. Further, IT doesn't offer any support for users connecting with their own smartphones.

Users can also install, on their own, apps to access SaaS applications such as Concur and Salesforce.com. "We defaulted to that," says senior vice president of information technology Roger Fugett. But with nearly half of CareerBuilder's 2,600 employees now bringing their own devices, Fugett says he's taking a hard look at the potential risks and how to mitigate those. Containerization and general MDM tools are on his radar.
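The CareerBuilder setup above illustrates the weak point of ActiveSync-only BYOD: synced mail sits on the handset unencrypted unless the user turns encryption on. ActiveSync does, however, ship with a mailbox-policy mechanism that lets IT require a passcode and device encryption before a phone is allowed to sync. The following is an added example, not code from the article or from any vendor it names; it assumes the on-premises Exchange 2010 Management Shell, and the policy name and mailbox address are placeholders.

```powershell
# Added example (not from the article): push device-side protections through an
# Exchange ActiveSync mailbox policy instead of relying on each user to enable
# encryption. Assumes the Exchange 2010 Management Shell; the policy name and
# mailbox identity below are placeholders.

$policyName = 'BYOD-Baseline'   # placeholder policy name

# Create the policy: require a passcode, lock after five idle minutes, wipe the
# device after ten failed attempts, and require encryption of device storage and
# any storage card. Clients that cannot honour the policy are refused.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock '00:05:00' `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false

# Assign the policy to a mailbox (placeholder address; loop over a group in practice).
Set-CASMailbox -Identity 'user@example.com' -ActiveSyncMailboxPolicy $policyName

# Verify that each partnered device has actually acknowledged and applied the
# policy; a device still reporting NotApplied has not accepted the settings.
Get-ActiveSyncDeviceStatistics -Mailbox 'user@example.com' |
    Select-Object DeviceType, DeviceOS, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastSuccessSync |
    Format-Table -AutoSize
```

Two caveats a practitioner would weigh before rolling this out: setting `AllowNonProvisionableDevices` to `$false` will cut off older clients that do not implement policy provisioning, so inventory the fleet first; and an ActiveSync policy governs only the device-level controls the handset itself reports as applied, which is exactly the whole-device approach the article contrasts with containerization, where corporate data is separated from personal data rather than the entire phone being locked down.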

The coming consolidation

Containerization is rapidly becoming a necessity for supporting BYOD, and the technology is evolving rapidly, says Stephen Singh, director for infrastructure practice at professional services firm PwC. "It works relatively efficiently and meets the regulatory compliance needs for many of the customers we speak with."

In most shops, containerization is -- or should be -- one part of an overall MDM strategy. Going forward it should be possible, for example, to apply one set of policies to the entire device, another to a protected container where app stores deposit applications, and a third to specific corporate apps, with variations depending on the user's role or group.

Indeed, Symantec says its Odyssey MDM tool can be used to enforce a device-level password while Nukona applies application-specific controls.

Containerization is already starting to be absorbed into the major MDM platforms. Symantec plans to merge its Nukona containerization and Odyssey MDM acquisitions into its Altiris offering for managing servers, desktops and laptops; and Mobile Iron now offers its own APIs for application integration. "In the next six months we'll see more application security and management integrated into MDM systems," says Redman.

Eventually, he says, MDM will broaden into a "systems management platform for the enterprise" that includes security, content management, application management and application development, and it will extend to laptops and desktops as well as tablets and smartphones.

That's high on the wish list at Union Bank, which relies on two different consoles to manage BlackBerry and other mobile devices. "I want a universal dashboard. There's no technology that does that today," Chong says.

BNY Mellon has already started down that road. "We chose MaaS360 because we can run it across our full mobility network, whether a laptop, phone or tablet," Perkins says. "I can provision access to all of those devices at once, knowing that each has a different graphical paradigm. That's the way we think people will be moving."

Singh sees an even broader convergence of management tools that provides ubiquitous access for any end user device over any medium, including desktops, laptops, desktop and application virtualization, remote access and unified communications as well as mobile devices. "We're not that far off from a universal console. We see convergence occurring in three to five years," he says.

That may seem a long way off, but it's important to plan for that vision now so that containerization, MDM and other tools acquired today don't end up overlapping or becoming redundant over time. "Look at the big picture. Solving the problem for mobile device management isn't just about selecting a vendor," Singh says. "It's about applying a solution across multiple platforms and instances."

Robert L. Mitchell is a national correspondent for Computerworld. Follow him on Twitter at twitter.com/rmitch, or email him at rmitchell@computerworld.com.

This story, "Best BYOD management: Containment is your friend" was originally published by Computerworld.
