
Best BYOD management: Containment is your friend

August 29, 2012 06:00 AM ET

For its part, RIM is working on adding this capability to its BlackBerry Mobile Fusion MDM software, possibly as soon as May 2013. (Mobile Fusion runs on Android and iPhone devices as well as on the BlackBerry.) Peter Devenyi, senior vice president of enterprise software, says RIM's offering will be "a containerized solution where one can wrap an application without the need to modify source code so you can run it as a corporate application and manage it as a corporate asset."

"Using these tools you can put together a pretty complete, fully wrapped productivity suite that's encrypted and controllable," says Jeff Fugitt, vice president of marketing at mobile integrator Vox Mobile. So far, however, the customer base for the technology is relatively small.

Forrester analyst Christian Kane describes app wrapping as an "application-level VPN" that lets administrators set policies to determine what the app can interact with on the user's device or on the Web, and what access the app has to back-end resources. It also allows for remote wiping of the container, including the app and any associated data.

Application wrapping is not mature.
Phil Redman, Gartner analyst

"Application wrapping is not mature," says Gartner's Redman, and the existence of competing architectures in this nascent market is holding back growth. But the adoption of app wrapping for enterprise and third-party apps will increase, he says, as the technology is eventually integrated into the larger and more established MDM platforms.

The downside to app wrapping is that each application must be modified, which means administrators need access to the app's binary code. That means some apps that come preinstalled on Android or iOS phones may not be supported. Also, implementations may work more smoothly with Android devices than with iOS because of problems getting binary code for apps sold via Apple's App Store. For this reason, wrapping tools tend not to work with iPhone apps. For example, Mocana's Mobile App Protection product doesn't support the email client on the iPhone, or other built-in apps for that matter.

Users can get access to the binary for free iOS apps, but for paid App Store wares, IT needs an agreement to buy direct from the provider and bypass Apple's store.

"Apple overlooks the issue of app wrapping today and changing apps [bought] from their store, but by their rules you're not supposed to do that. They could clamp down and not allow that, although so far they haven't," says Redman. Apple declined to comment. (See "Where Apple and Google stand.")

Mobile hypervisors

The third approach to containment is to create a virtual machine that includes its own instance of the mobile operating system -- a virtual phone within a phone. This requires that the vendor work with smartphone makers and carriers to embed and support a hypervisor on the phone. The technology isn't generally available as yet, but devices that support a hypervisor may eventually allow users to separate personal and business voice and data.

VMware's offering, VMware Horizon, is still in development. It will support Android and iOS, and functions as a type 2 hypervisor, which means the virtual machine runs as a guest on top of the native installation of the device's operating system.

Having a guest OS run on top of a host OS tends to consume more resources than a type 1 "bare metal" hypervisor that's installed directly on the mobile device hardware. It's also considered less secure, since the underlying host OS could be compromised, creating a path of attack into the virtual machine.

Another vendor, Open Kernel Labs, offers a type 1 hypervisor, which it calls "defense-grade virtualization." Today the technology is used mostly by mobile chipset and smartphone manufacturers that serve the military. The company has yet to break into the commercial market, says Redman.


Developing a type 1 hypervisor that interacts directly with the hardware is impractical, argues Ben Goodman, lead evangelist for VMware Horizon. "We moved to a type 2 hypervisor because the speed at which mobile devices are being revised makes it nearly impossible to keep up."

As to security, VMware is working on an encryption approach similar to the Trusted Computing Group's Trusted Platform Module standard as well as jail-break detection.

Performance won't be a problem, Goodman promises. "VMware Horizon is optimized to run extremely well, and performance is exceptional." However, VMware declined to provide the names of any early adopters who might speak publicly about the product.

Israeli startup Cellrox Ltd. offers its own twist on virtualization for Android devices. The technology, called ThinVisor and developed at Columbia University, is neither a type 1 nor type 2 hypervisor but "a different level of virtualization that resides in the OS and allows multiple instances of the OS using the same kernel," says CEO Omer Eiferman. It offers the product to cellular service providers and smartphone manufacturers, as well as to large enterprise customers.

Problems and promise

Not all containerization products support iOS, which powers the iPhone and iPad, the smartphones most commonly found in enterprises. While Apple has 22% market share worldwide compared to 50% for Android, in the enterprise those numbers are reversed: The iPhone commands a 60% market share versus just 10% for Android, according to Gartner.


