
Best BYOD management: Containment is your friend

August 29, 2012 06:00 AM ET

However, the need to switch back and forth between the business and personal environments may be perceived as inconvenient and affect overall user satisfaction, says Phil Redman, an analyst at Gartner.

Neither Apple nor Google offers containerization technology, and neither would comment for this story, but their respective spokesmen did point out some resources that might be helpful. (See sidebar, below.)

Encrypted folders

The most mature containerization approach is the encrypted, folder-based container, Redman explains. AirWatch has an offering in this space, and Good Technology is an early leader in terms of enterprise adoption of containerization, particularly among regulated businesses.

For basic mobile access, BNY Mellon uses Good for Enterprise to create an encrypted space on smartphones within which users can run Good's email and calendar client and use a secured browser. "It's a secure container with an app that can send and receive corporate email that's encrypted," says Perkins. All communications are routed through Good's network operations center, which authenticates mobile users.

Where Apple and Google stand

Spokesmen for Apple and Google would not comment for attribution but both pointed Computerworld to documents and offered clarifications by email. Here's a summary.


Google Apps for Business, Government and Education administrators can use the Google Apps Control Panel to manage end users' Android, iOS and Windows Mobile devices at the system level. The panel enables the device to sync with Google Apps, encrypts data and configures password settings.

Another tool, called Google Apps Device Policy, enforces security policies such as device encryption and strong passwords and can also locate, lock and wipe a device. It can also block use of the camera and enforce email retention policies. However, partial wipes of just corporate data are not supported.

MDM vendors can use Google's Android Device Administration API to provide similar controls outside of Google Apps.

As to Google's position on the use of containerization/app wrapping technologies that require access to binaries to create a policy wrapper around apps that are enterprise-specific, Google does not offer such a tool itself and declined to comment further.


Apple says it supports third-party MDM tools. It allows MDM servers to manage in-house apps and third-party apps from the App Store and supports the removal of any or all apps and data managed by the MDM server.

In practice, however, MDM servers are limited. While most tools allow for selective deleting or blocking of specific enterprise apps, there's no automated way to identify and erase all of the associated data. "No IT manager can sit around and go through thousands of files that may be on each user's phone," says Phillip Redman, an analyst at Gartner Inc.

As to Apple's position on the use of containerization/app wrapping technologies that require access to app binaries to create a policy wrapper around apps that are enterprise-specific, Apple does not offer such a tool itself and declined to comment.


For its part, Good's basic email and calendaring capability has been available for several years. Late last year it added the capability for other apps to run within its protected space using the Good Dynamics Platform, but each app must be modified to run in Good's proprietary environment. So far, about a dozen commercial apps are available, including QuickOffice, which is typically used for reading and editing downloaded Microsoft Office file attachments.

Perkins is using Good only for email and calendar -- the "killer apps" for most employees, he says -- and for accessing internal, browser-based apps using Good's browser.

For full-on access to the corporate network, SharePoint and other services, BNY Mellon relies on Fiberlink's MaaS360, a cloud-based MDM system it has configured to take complete control of the user's device. MaaS360 monitors what gets written to and from the operating system, and blocks access to some personal apps, such as Yahoo Mail and Gmail, when the device is accessing corporate resources.

"When it's on our network we own it and control it," says Perkins. When used in personal mode, individuals have control over which apps they can use.

What's more, BNY Mellon may wipe the device -- including all of the user's personal apps and data -- if it is lost or stolen, although MaaS360 and most other major MDM tools do allow selective wipes. Citing security concerns, Perkins declined to say how many times the company has had to wipe phones that have been lost or stolen.

In comparison, if the Good-based units are lost or stolen, only the corporate container is wiped.

It's not surprising, then, that some employees are concerned about turning their personal smartphones over to "Big Brother." The Good alternative, Perkins says, is more palatable for users who want access to just the basics: email, calendar and a secure browser.

App wrapping

This is a newer, more granular approach in which each app is enclosed in its own encrypted policy wrapper, or container. This allows administrators to tailor policies to each app. Small vendors with proprietary approaches dominate the market, including Mocana, Bitzer Mobile, OpenPeak and Nukona (recently acquired by Symantec).
