In practice, however, MDM servers are limited. While most tools allow for selective deleting or blocking of specific enterprise apps, there's no automated way to identify and erase all of the associated data. "No IT manager can sit around and go through thousands of files that may be on each user's phone," says Phillip Redman, an analyst at Gartner Inc.
As for containerization and app-wrapping technologies, which require access to app binaries to create a policy wrapper around enterprise-specific apps, Apple does not offer such a tool itself and declined to comment on its position regarding their use.
For more information:
Download the MDM deployment scenario document: http://images.apple.com/ipad/business/docs/iOS_MDM_Mar12.pdf (PDF)
For its part, Good's basic email and calendaring capability has been available for several years. Late last year it added the capability for other apps to run within its protected space using the Good Dynamics Platform, but each app must be modified to run in Good's proprietary environment. So far, about a dozen commercial apps are available, including QuickOffice, which is typically used for reading and editing downloaded Microsoft Office file attachments.
Perkins is using Good only for email and calendar -- the "killer apps" for most employees, he says -- and for accessing internal, browser-based apps using Good's browser.
For full-on access to the corporate network, SharePoint and other services, BNY Mellon relies on Fiberlink's MaaS360, a cloud-based MDM system it has configured to take complete control of the user's device. MaaS360 monitors what gets written to and from the operating system, and blocks access to some personal apps, such as Yahoo Mail and Gmail, when the device is accessing corporate resources.
"When it's on our network we own it and control it," says Perkins. When used in personal mode, individuals have control over which apps they can use.
What's more, BNY Mellon may wipe the device -- including all of the user's personal apps and data -- if it is lost or stolen, although MaaS360 and most other major MDM tools do allow selective wipes. Citing security concerns, Perkins declined to say how many times the company has had to wipe phones that have been lost or stolen.