App wrapping
A stricter and newer method is to enclose individual apps in an encrypted
policy wrapper, or container, which lets the administrator set policy for each
app separately. The market for app-wrapping tools is dominated by small companies
with specialized products, including Mocana, Bitzer Mobile, OpenPeak and Nukona
(now acquired by Symantec).
For its part, RIM is adding this capability to its BlackBerry Mobile Fusion MDM
(Mobile Fusion works with Android and iPhone as well as BlackBerry). Peter
Devenyi, senior vice president of enterprise software at RIM, says the company's
product will be a "container solution where it can wrap apps without changing
source code, so you can run them as corporate apps and manage them as corporate
assets".
With app-wrapping tools, "you can put together a productivity suite that is fully
wrapped, quite complete, encrypted and controllable", says Jeff Fugitt, vice
president of marketing at mobile integrator Vox Mobile. However, the technology
has not yet been widely adopted.
Gartner analyst Christian Kane describes app wrapping as an "app-level VPN": the
administrator sets policy on which apps may interact with each other on the
user's device or over the web, and what access each app has to additional
resources. It also allows the container, including the app and its associated
data, to be wiped remotely.
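The following is an added illustration of the per-app policy that a wrapping layer enforces, the "app-level VPN" Kane describes. It is a model written for this article, not code from Mocana, Bitzer Mobile, OpenPeak, Nukona, RIM or any other vendor; the policy fields, app identifiers and hostnames are hypothetical. The wrapper sits in front of the app's own network, sharing and resource calls, denies anything the policy does not list, records every decision for the MDM console, and refuses all calls once the administrator has revoked the container.

```python
"""
Added example: policy checks an app-wrapping layer inserts in front of an app.
Model code for this article, not any vendor's product. App ids, hosts and
policy fields below are hypothetical.
"""
from dataclasses import dataclass, field
from urllib.parse import urlparse


@dataclass
class AppPolicy:
    app_id: str
    # hosts the wrapped app may reach; everything else is blocked
    allowed_hosts: set = field(default_factory=set)
    # other wrapped apps this app may exchange data with (e.g. "open in")
    allowed_peers: set = field(default_factory=set)
    # device resources the app may touch: "camera", "clipboard", "contacts", ...
    allowed_resources: set = field(default_factory=set)
    # only allow connections that are protected by TLS
    require_tls: bool = True


class WrappedApp:
    """Deny-by-default policy enforcement around the app's own calls."""

    def __init__(self, policy: AppPolicy, audit: list):
        self.policy = policy
        self.audit = audit  # every decision is logged for the MDM console
        self.wiped = False

    def _decide(self, action: str, target: str, allowed: bool) -> bool:
        verdict = "allow" if allowed else "deny"
        self.audit.append((self.policy.app_id, action, target, verdict))
        return allowed

    def connect(self, url: str) -> bool:
        if self.wiped:
            return self._decide("connect", url, False)
        u = urlparse(url)
        ok = u.hostname in self.policy.allowed_hosts
        if self.policy.require_tls and u.scheme != "https":
            ok = False
        return self._decide("connect", url, ok)

    def share_with(self, peer_app_id: str) -> bool:
        ok = not self.wiped and peer_app_id in self.policy.allowed_peers
        return self._decide("share", peer_app_id, ok)

    def use_resource(self, resource: str) -> bool:
        ok = not self.wiped and resource in self.policy.allowed_resources
        return self._decide("resource", resource, ok)

    def remote_wipe(self) -> None:
        """Administrator revokes the container: every later call is denied."""
        self.wiped = True
        self.audit.append((self.policy.app_id, "wipe", "-", "done"))


def demo() -> dict:
    """Exercise a hypothetical wrapped CRM app against its policy."""
    audit = []
    crm = WrappedApp(AppPolicy(
        app_id="com.example.crm",
        allowed_hosts={"crm.example.com"},
        allowed_peers={"com.example.docs"},
        allowed_resources={"contacts"},
    ), audit)
    results = {
        "api_https": crm.connect("https://crm.example.com/api/accounts"),
        "api_http": crm.connect("http://crm.example.com/api/accounts"),
        "dropbox": crm.connect("https://www.dropbox.com/upload"),
        "share_docs": crm.share_with("com.example.docs"),
        "share_personal_mail": crm.share_with("com.personal.mail"),
        "contacts": crm.use_resource("contacts"),
        "camera": crm.use_resource("camera"),
    }
    crm.remote_wipe()
    results["after_wipe"] = crm.connect("https://crm.example.com/api/accounts")
    results["denials"] = sum(1 for _, _, _, d in audit if d == "deny")
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point of the model is the direction of the default: the wrapper knows nothing about the app's internals, so the only safe rule is to permit exactly what the administrator listed and log everything else as a denial.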
"App-wrapping technology hasn't grown up yet", and the presence of competing
architectures in this emerging market is holding back its development, judges
Gartner's Phillip Redman. But he adds that app wrapping will eventually be
widely adopted once the technology is integrated into the larger, better-known
MDM platforms.
App wrapping's downside is that each app must be modified, which means
administrators need access to the app's binary. As a result, some apps
preinstalled on Android or iOS phones cannot be supported. Implementations work
more easily with Android than with iOS devices because of the difficulty of
obtaining the binaries of apps sold through Apple's App Store. For this reason,
wrapping tools often don't work with built-in iPhone apps: Mocana's Mobile App
Protection, for instance, doesn't support the email client on the iPhone, or
other preinstalled apps.
Users can obtain the binaries of free iOS apps, but for paid App Store apps the
IT department needs an agreement to buy directly from the developer, bypassing
the App Store.
Apple has so far turned a blind eye to users wrapping or modifying apps bought
from the App Store, "but according to their rules, you can't do that", Redman
says. "They may impose stricter controls and not allow it, though they haven't
done so yet". Apple declined to comment.
Mobile hypervisor
The third approach to containment is to create a virtual machine holding a
separate instance of the mobile operating system: a virtual phone inside the
phone. This requires the vendor to work with handset manufacturers and carriers
to embed and support a hypervisor on the phone. Such technology is not yet
generally available, but hypervisor-equipped devices could let users separate
personal and business voice and data.
VMware is developing a product called VMware Horizon. It will support Android
and iOS and work as a Type 2 hypervisor, meaning the virtual machine runs as a
guest on top of the device's own operating system.
Running a guest on top of a host operating system generally consumes more
resources than a Type 1 "bare metal" hypervisor installed directly on the mobile
hardware. It can also be considered the less secure design, because if the host
operating system is compromised, the attacker gains a foothold from which to
attack the virtual machine.
Another vendor, Open Kernel Labs, offers a Type 1 hypervisor that the firm calls
"defense-grade virtualization". Open Kernel's technology is currently used
mainly by smartphone and chipset manufacturers serving the military; the firm
hasn't gone after the commercial market yet, Redman says.
Developing a Type 1 hypervisor that talks directly to the hardware is
impractical, according to Ben Goodman, lead evangelist for VMware Horizon. "We
moved to a Type 2 hypervisor because the pace at which mobile devices change
made it almost unattainable".
As for security, VMware is building an encryption scheme modelled on the Trusted
Computing Group's Trusted Platform Module standard. The firm is also researching
jailbreak detection.
According to Goodman, performance will not be a problem. He claims: "VMware
Horizon is optimized to run as fast as possible". But VMware declined to name
early adopters who could discuss the product.
Israeli startup Cellrox offers its own take on virtualization for Android
devices. The technology, named ThinVisor, was developed at Columbia University.
It is neither a Type 1 nor a Type 2 environment, but "another level of
virtualization inside the OS that allows multiple instances of the OS to share
the same kernel", says Omer Eiferman, CEO of Cellrox. The company offers
ThinVisor to mobile carriers, smartphone manufacturers and large enterprise
customers.
Problems and promises
A big issue with containerization is that not all products support iOS, which
powers the iPhone, the best-known smartphone in business. While Apple holds 22%
of the worldwide smartphone market and Android 50%, the picture is reversed in
the enterprise: the iPhone has 60% and Android 10%, according to Gartner.
Apple's legendary secrecy about changes to its OS means containerization vendors
get no advance notice and have to scramble whenever the firm releases an update.
The upshot: users can have trouble reaching enterprise systems if they upgrade
their own iPhones too quickly. At University Hospitals, Terry says "iOS changes
often cause service interruptions, because Good Technology's products must first
be modified and then released".
Directory integration is another area where the tools are still maturing. "We
want to see more integration with Active Directory and PeopleSoft, or any system
of record, to control user profiles; ideally, tighter integration would disable
automatic access or limit access to published apps based on the user's role",
Terry explains. Today, enterprises may need to turn to integrators such as Vox
Mobile to get that level of integration.
Containerization also makes it hard to provide tech support for users' own
devices if the IT department cannot look at the device's overall state, says
Steve Chong, manager of messaging and collaboration at Union Bank, which uses
Good for Enterprise. He notes that containerization raises many hard questions:
Is the problem signal strength? Has the user run out of storage? Is there any
way for the IT department to get remote access to the phone for diagnosis?
"Having an agent on the phone means it needs to be on all the time to collect
data, but that also means it consumes phone resources", Chong explains. It also
means "the software needs managing and updating on the user's phone".
Today, organizations with BYOD programs either don't use MDM or use basic tools
such as Microsoft's Exchange ActiveSync, which gives mobile access to users'
Exchange email and calendar. "The next phase is MDM. Then IT can think about
security and app management", says Redman.
At CareerBuilder, a job website and recruiter, employees who want to use their
own phones can connect to the firm via ActiveSync, but downloaded data is not
encrypted unless the user turns on device-level encryption. Moreover, IT doesn't
provide support for users connecting their own smartphones.
CareerBuilder can also install apps that provide access to SaaS applications
such as Concur and Salesforce.com. "We default to that," says Roger Fugett,
senior vice president of IT. However, with nearly half of the firm's 2,600
employees carrying their own devices, Fugett says he is carefully weighing the
potential risks and how to eliminate them. Containerization and general MDM
tools are on his radar.
Viewpoints from Apple and Google
Spokesmen for Apple and Google declined to comment for this article, but both
did provide useful pointers and clarifications by email.
Google
Administrators of Google Apps for Business, Government and Education can use the
Google Apps Control Panel to manage users' Android, iOS and Windows Mobile
devices at the system level. The panel lets devices sync with Google Apps,
encrypt data and configure password settings.
Another tool, Google Apps Device Policy, enforces security policies such as
device encryption and strong passwords, and can locate, lock and wipe the
device. It can also disable the camera and enforce email retention policies.
However, a partial wipe of only the corporate data is not supported.
MDM vendors can use Google's Android Device Administration API to provide
similar controls outside of Google Apps.
As for Google's view of containerization and app wrapping, which require access
to the binary to build a policy wrapper around business apps, Google offers no
such tool and declined to comment.
Apple
Apple says it supports third-party MDM tools. It lets MDM servers manage native
apps and third-party apps from the App Store, and lets the server wipe any or
all of the apps and data it manages.
In practice, however, MDM servers are limited. While most tools allow selective
wiping or blocking of specific corporate apps, there is no automated way to
identify and erase the data associated with them. "No IT manager is able to sit
down and look through the thousands of files that may be on each user's phone",
confirms Phillip Redman, analyst at Gartner.
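The following added example shows why a container makes the selective wipe Redman describes tractable, and fills in the mechanics behind the remote container wipe mentioned in the app-wrapping section above. It is model code written for this article, not Apple's MDM protocol or any vendor's product. The wrapper records every file a managed app writes in a manifest and encrypts it under a per-container key, so "wipe the corporate data" becomes "destroy the key and delete the recorded files" rather than a search through thousands of files. The keystream cipher is a toy for illustration only (a real product would use an authenticated cipher such as AES-GCM); the app id, file names and directory layout are hypothetical, and the personal file written outside the container is constructed sample data.

```python
"""
Added example: per-app encrypted container with a manifest, so a selective
wipe removes exactly the managed app's data. Model code for this article, not
any vendor's implementation. The keystream below is a TOY, not a real cipher.
"""
import hashlib
import hmac
import json
import os
import secrets
import tempfile


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy CTR-style keystream from HMAC-SHA256; illustration only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        ks = hmac.new(key, nonce + offset.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


class Container:
    """Per-app encrypted store plus a manifest of every file it owns."""

    def __init__(self, root: str, app_id: str):
        self.dir = os.path.join(root, "containers", app_id)  # hypothetical layout
        os.makedirs(self.dir, exist_ok=True)
        self.key_path = os.path.join(self.dir, ".key")
        self.manifest_path = os.path.join(self.dir, ".manifest.json")
        if not os.path.exists(self.key_path):
            with open(self.key_path, "wb") as f:
                f.write(secrets.token_bytes(32))
        if not os.path.exists(self.manifest_path):
            self._save_manifest([])

    def _key(self) -> bytes:
        with open(self.key_path, "rb") as f:
            return f.read()

    def _save_manifest(self, files: list) -> None:
        with open(self.manifest_path, "w") as f:
            json.dump(files, f)

    def _load_manifest(self) -> list:
        with open(self.manifest_path) as f:
            return json.load(f)

    def write(self, name: str, data: bytes) -> str:
        """Encrypt and store a file; its path is recorded in the manifest."""
        path = os.path.join(self.dir, name)
        nonce = secrets.token_bytes(16)
        with open(path, "wb") as f:
            f.write(nonce + _keystream_xor(self._key(), nonce, data))
        files = self._load_manifest()
        if path not in files:
            files.append(path)
        self._save_manifest(files)
        return path

    def read(self, name: str) -> bytes:
        with open(os.path.join(self.dir, name), "rb") as f:
            blob = f.read()
        return _keystream_xor(self._key(), blob[:16], blob[16:])

    def selective_wipe(self) -> int:
        """Destroy the key first (crypto-shred), then remove every owned file."""
        files = self._load_manifest()
        for p in (self.key_path, *files, self.manifest_path):
            if os.path.exists(p):
                os.remove(p)
        os.rmdir(self.dir)
        return len(files)


def demo() -> dict:
    """A managed app writes into its container; a personal app writes elsewhere."""
    with tempfile.TemporaryDirectory() as root:
        c = Container(root, "com.example.crm")
        c.write("accounts.db", b"ACME Corp: contract renewal 2013")
        c.write("notes.txt", b"call back on Monday")
        before = c.read("accounts.db")
        # constructed personal data outside the container: in no manifest
        personal = os.path.join(root, "Photos", "IMG_0001.jpg")
        os.makedirs(os.path.dirname(personal), exist_ok=True)
        with open(personal, "wb") as f:
            f.write(b"\xff\xd8\xff\xe0 holiday snapshot")
        wiped = c.selective_wipe()
        return {
            "roundtrip_ok": before == b"ACME Corp: contract renewal 2013",
            "files_wiped": wiped,
            "container_gone": not os.path.exists(c.dir),
            "personal_untouched": os.path.exists(personal),
        }


if __name__ == "__main__":
    print(demo())
```

Destroying the key before deleting the files matters on flash storage, where a deleted file may survive until the block is reused: once the key is gone, any leftover ciphertext is useless. The personal photo is untouched precisely because the wrapper never recorded it, which is the same reason an MDM server without a container cannot find a corporate document the user saved somewhere else.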
As for Apple's view of containerization and app wrapping, which require access
to the binary to build a policy wrapper around business apps, Apple offers no
such tool and declined to comment.