Why Apps (Not MDM) Are The Future Of iPhone Management [Feature]


Mobile management means securing apps and content as well as locking down devices.

There are plenty of stories out there about the explosive growth of mobile technology in the workplace. The trend towards bring your own device (BYOD) models, in which employees are allowed or encouraged to bring their own iPhones, iPads, and other devices into the office, is driving a massive expansion of the number of mobile devices used for work tasks. At the same time, the annual (or even more frequent) device and OS release cycles that have become common are driving up diversity of devices and resetting the mobile technology playing field every few months.

That constant change is forcing IT professionals to adapt to new devices, apps, use cases, network models, and security threats faster than anything the IT industry has ever seen.

This is particularly visible in the mobile management space. A year ago, the primary method for handling mobile device and data security was to manage and lock down the device itself using one of dozens of mobile device management (MDM) suites on the market. Over the past six to nine months, however, MDM has been replaced by mobile app management (MAM) as the best way to secure business data. That’s a warp-speed transition in the mindset and goals of IT professionals.

The MDM Story

MDM was the first approach that IT experts identified when it came to securing mobile devices. It was a natural extension of the way IT departments secure Macs and PCs in a business or school: lock down the user experience and only provide users access to the software and network resources that they absolutely need. The first and clearest example of this approach was RIM’s BlackBerry and BlackBerry Enterprise Server (BES), which offers IT staff 500+ security policies that can be applied to lock down virtually every component, hardware and software, of a BlackBerry device.

That PC-like model extended to the now defunct Windows Mobile platform, which was arguably RIM’s biggest enterprise competitor before the release of the iPhone.

The iPhone didn’t launch with any real enterprise functionality at all. At launch, the iPhone had no support for Microsoft Exchange functionality (beyond basic email access), no way to set security policies, and no apps beyond those that Apple provided. A year later, iOS 2 opened a new chapter for the iPhone in business and the mobile industry as a whole. The App Store made it possible to find work-related apps. More important for businesses was that Apple added Exchange integration. That integration delivered a range of benefits with passcode policies and remote wipe being the big-ticket items for IT professionals.

Apple did introduce the concept of configuration profiles to pre-configure and apply some basic security beyond Exchange policies to iPhones using the iPhone Configuration Utility, but the process was cumbersome and didn’t offer true over-the-air setup and management.

It wasn’t until two years later that the iPhone earned real enterprise credibility with the introduction of MDM functionality in iOS 4. That advancement opened the door for the iPhone in the business world and it focused the attention of the IT industry onto MDM as a security and management framework. Although Apple delivered only about 10% of the policies that RIM’s BES offered, the focus was still clear – securing an iPhone (or iPad) in business was about locking down the device itself, limiting users from making changes, and using a battery of monitoring capabilities to ensure compliance with mobile policies.

Apple also helped usher in the era of mobile management vendors by not developing its own management console out of the gate. Instead Apple let third-party vendors create iOS management tools and/or add iOS management to tools that already offered multi-platform support (typically that has meant iOS, Android, and BlackBerry support).

BYOD Changes The Game

The BYOD movement was a major catalyst for reshaping the mobile management landscape. The movement, which started to gain real momentum and traction during the last couple of months of 2010 and continued to grow by leaps and bounds throughout 2011, changed the discussion about mobile management. With users and executives demanding both a wider range of tools and the option to use the devices that most appealed to them, the IT mindset had to move beyond simple device management. One reason was that employees who spent $200+ on a new iPhone and/or $500+ on a new iPad weren’t keen on giving up control of the device and cutting out major features like the built-in camera(s), voice dialing (with or without Siri), and the ability to buy music and other content from the iTunes Store.

It was also becoming clear to IT professionals managing mobile devices that even with device security established, it was possible to compromise the security of the data stored on a mobile device. Specific apps might link to insecure services, business data could be stored on a device and become accessible if the device was lost or stolen, and users connecting to unsecured Wi-Fi hotspots (like those in Starbucks) could be compromising data in transit if the use of a secure solution wasn’t being enforced.

MAM and the Enterprise App Stores

As the concept of device management began to show holes in its ability to completely secure devices, another mobility trend began to emerge: the need to develop some type of coherent and consistent strategy around business apps. There are thousands, if not tens of thousands, of business and productivity apps in the App Store.

Sorting through those apps for a handful of business tools can be a daunting prospect. Many organizations began to see the need to curate the selection of apps available to employees. Doing so ensures most people are using the same handful of apps with the same feature sets. It also ensures that at least some of the apps being used in conjunction with business data are as secure as possible. For organizations building their own internal enterprise apps, an app strategy also needs to ensure that employees have access to those tools.

For all those benefits, there are a limited number of ways to approach the problem. One is to provide a list of apps with links to the App Store, such as in an email or a page on an internal corporate website. Another is to use push notifications to send iOS users a prompt about a specific app and ask if they want to install it, a capability that Apple introduced in iOS 5. The third option is to create an enterprise app store that includes both internal and public apps and which borrows the look and feel of the iOS App Store app. Users can browse and select apps from within an enterprise app store directly from their device in a comfortable and simple fashion.

MAM and Security

Getting business apps that are vetted to meet business needs onto employee iPhones and iPads is only part of the app management concept. There are two other ways that MAM can help IT secure devices and business data: denying access to apps and ensuring that apps that provide access to business content have increased security features.

Denying access to apps is easier to do in a traditional mobile device model where an organization buys the phone or device, configures it, and hands it to an employee to use. In that scenario, IT can decide what apps should be on the device, ensure that they are installed, and disallow access to the App Store. Being a bit more lenient, IT departments can create a whitelist of approved apps and use a mobile management tool to allow users to download/install those apps but not any other apps.

The flip side of that is to create a blacklist of apps that are known to present some danger to corporate data or that you don’t want your users to install. That could mean apps that push confidential data to a private cloud beyond the company, apps that don’t store data in a secure fashion, apps that report confidential location data, or just productivity killers like games. Blacklisting apps is a more user-friendly option than whitelisting because it’s less restrictive and gives the user access to many apps. The challenge, of course, is maintaining that blacklist. It’s also worth noting that not all mobile management products support blacklisting apps.

Secure Storage

The second way that app management secures business data is to create a secure data container on an iPhone or iPad. Good Technology is one prominent company that has been focused on this containerized approach for a number of years. Good’s first iOS solution was a secure replacement for Apple’s Mail, Contacts, and Calendar apps. That approach gave businesses the ability to require additional authentication when a user wanted to read/send an email or access a shared calendar as well as to encrypt any associated data.

Good and other companies have expanded this approach to creating on-device containers for all kinds of data including files and documents. These containers offer enterprise-grade encryption, require users to authenticate using credentials other than the passcode that unlocks their iPhones or iPads, can be selectively wiped via a remote command from IT that leaves personal content in place, and can prevent users from moving content out of the container using the iOS copy and paste feature and/or file managers.

Earlier this year, Good launched its Good Dynamics platform that gives other developers access to Good’s secure container system. That allows them to easily build apps that leverage Good’s security and container system.

Other companies have also followed the secure container approach. In addition to Good, there’s Bitzer Mobile (which recently launched Office file editing as part of its secure container system), Accellion, and Group Logic’s mobilEcho. All the players in this space are developing partnerships with each other, with other business app developers, and with enterprise mobile management vendors. As a result, this market is becoming one of mobile content management ecosystems rather than limited individual tools.

The End of the Road for MDM?

Despite the shift in mobile management to a focus on app and content management, this isn’t the end of the road for MDM. The ability to secure and manage hardware and OS features of iPhones, iPads, and other devices should still be a part of any organization’s approach to mobility. Layering as much security as possible is always an advantage and, because MDM and MAM come at mobile management and security from such different angles, the two approaches complement each other. Neither really functions as a replacement for the other and both should be part of a plan for BYOD programs as well as traditional company-owned mobility models.

Ultimately, the journey from MDM to MAM shows how quickly enterprise mobility is changing and that keeping up with those changes will continue to create challenges and opportunities for employees and IT professionals alike.

