Best BYOD management: Containment is your

friend
Emerging containerization technologies create a
separate, protected workspace on employees'
personal smartphones.
By Robert L. Mitchell

FOLLOW

Computerworld | August 29, 2012

Anthony Perkins wants employees at BNY Mellon to bring their

personal smartphones to work and use those instead of companyissued BlackBerries to access business email, applications and data.
But there's a catch: Not all employees are comfortable with the
prospect of having their personal phones locked down and controlled
as tightly as the BlackBerries that Perkins would like to phase out.
That's where the notion of containerization comes in.
A bring your own device (BYOD) strategy is good business, says
Perkins, managing director and CIO at the bank. It reduces the time
and expense involved with maintaining and managing company-owned
BlackBerries. "We'd like to be in the business of managing software,
not hardware. In the RIM world you manage hardware," he says,
referring to Research in Motion, the BlackBerry's manufacturer.
On the down side, today's popular mobile devices were developed for
the consumer market, and third-party management tools don't have
the same management hooks that RIM can offer, since it designed and
controls the BlackBerry client architecture and has been especially
responsive to the needs of corporate customers.
Managing mobile from the cloud
Mobile device management typically involves installing agent software
on each user's device and setting up a server-based management
console. Don't want to do it yourself? Service providers that help IT
manage mobile devices and software are plentiful.

For example, integrator Vox Mobile offers a "managed mobility"

For example, integrator Vox Mobile offers a "managed mobility"

service that includes comprehensive monitoring and reporting,
Fiberlink offers MaaS360 for corporate email and documents, and
mobile carrier AT&T introduced its cloud-based Toggle mobile
management service last year.
With Toggle, AT&T installs a "work container" on each smartphone,
which the user logs into with a password. Administrators can then
manage container policies by way of a cloud-based portal and app store
called Toggle Hub. In the third quarter AT&T plans to add the ability to
run antivirus scans on all managed devices, as well as to lock or wipe
the container.
"More and more of this will move into the cloud. But today it's still a
small percentage," says Phil Redman, an analyst at Gartner.
"Where this is leading is dual data plans on the same device," says
Mobeen Khan, executive director of advanced mobility solutions at
AT&T. "You will have a phone number for the container and one for
your personal device."
Anthony Perkins, managing director and CIO at BNY Mellon, is excited
about that prospect. "We're talking with Verizon and AT&T on phones
with a SIM that has two phone numbers," products that are currently
in development, he says. Perkins says that carriers are telling him
those products are just a few years out -- AT&T declined to comment
on availability -- but whether it's two years or ten, he says, "That's
probably the direction we'll go."
But Perkins says those advantages are outweighed by users who are
generally more productive due to the multitude of productivity apps
available in the Android and iOS worlds. And most importantly, having
a BYOD policy is "a great way to recruit and retain young talent."
Because corporate apps and data tend to be mixed in with the user's
personal content, mobile device management (MDM) tools tend to be
very conservative when it comes to managing corporate resources on
users' phones, with policies often applying to the entire device,
including both personal and professional apps and data. Users may not
be willing to give up control of their smartphones in exchange for
receiving access to corporate apps and data.
To get around that user resistance, Perkins is turning to
containerization -- an emerging class of management tools that carve
out a separate, encrypted zone or policy bubble on the user's
smartphone within which some corporate apps and data can reside. In
this way, policy controls apply only to what's in the container, rather
than to the entire device.

Mostly, containerization tools are complementary to MDM software,

with increasing numbers of MDM vendors incorporating
containerization techniques.
That said, as great as containment is for limiting corporate liability, it
doesn't help any personal data that may be lost due to a wipe if the
phone is lost or stolen. Some IT departments are recognizing that
users may need help backing up their personal data and apps, and
some, like Jacobs Engineering, are helping their end-users get set up
with backup systems.
Ryan Terry, division CIO and CSO at University Hospitals Health
System in Shaker Heights, Ohio, turned to containerization because he
sees the use of traditional MDM tools to control the entire device as a
liability issue. The hospital needs to have apps or data delivered
securely to clinicians without interfering with the users' ability to
access their personal apps and data. "We can't afford to delete things of
a personal nature or impede their ability to use their personal asset,"
he says.
Alex Yohn, assistant director of technology at West Virginia University,
is also wary. "I don't want my guys doing settings on the personal side
that could come back to haunt us," such as accidentally deleting data or
making configuration changes that affect how the users' personal apps
run.
For businesses that need strict security policy and compliance
controls, such as the highly regulated healthcare and financial services
industries, containerization can be especially helpful in making the
BYOD experience more palatable for users, IT leaders say.
Choose your container
Existing vendors offer, in essence, three different containerization
approaches:
Creating an encrypted space, or folder, into which applications
and data may be poured
Creating a protective "app wrapper" that creates a secure
bubble around each corporate application and its associated data
Using mobile hypervisors, which create an entire virtual
mobile phone on the user's device that's strictly for business use
All of these technologies offer more granular control over corporate
applications and data on users' devices than whatever security comes
standard with smartphones currently. And users' devices no longer

need to be on a list of smartphones that has been certified and tested

by IT, because corporate apps and data reside inside a secure,
encrypted shell.
However, the need to switch back and forth between the business and
personal environments may be perceived as inconvenient and affect
overall user satisfaction, says Phil Redman, an analyst at Gartner.
Neither Apple nor Google offer containerization technology, and
neither would comment for this story, but their respective spokesmen
did point out some resources that might be helpful. (See sidebar,
below.)
Encrypted folders
The most mature containerization approach is the encrypted, folderbased container, Redman explains. AirWatch has an offering in this
space, and Good Technology is an early leader in terms of enterprise
adoption of containerization, particularly among regulated businesses.
For basic mobile access, BNY Mellon uses Good for Enterprise to create
an encrypted space on smartphones within which users can run Good's
email and calendar client and use a secured browser. "It's a secure
container with an app that can send and receive corporate email that's
encrypted," says Perkins. All communications are routed through
Good's network operations center, which authenticates mobile users.
Where Apple and Google stand
Spokesmen for Apple and Google would not comment for attribution
but both pointed Computerworld to documents and offered
clarifications by email. Here's a summary.
Google
Google Apps for Business, Government and Education administrators
can use the Google Apps Control Panel to manage end users' Android,
iOS and Windows Mobile devices at the system level. The panel enables
the device to sync with Google Apps, encrypts data and configures
password settings.
Another tool, called Google Apps Device Policy, enforces security
policies such as device encryption and strong passwords and can also
locate, lock and wipe a device. It can also block use of the camera and
enforce email retention policies. However, partial wipes of just
corporate data are not supported.
MDM vendors can use Google's Android Device Administration API to
provide similar controls outside of Google Apps.

As to Google's position on the use of containerization/app wrapping

technologies that require access to binaries to create a policy wrapper
around apps that are enterprise-specific, Google does not offer such a
tool itself and declined to comment further.
For more information:
Visit Google's blog:
http://googleenterprise.blogspot.com/2012/08/make-mobile-moremanageable.html
Android Application Security:
http://source.android.com/tech/security/index.html#androidapplication-security
Apple
Apple says it supports third party MDM tools. It allows MDM servers to
manage in-house apps and third-party apps from the App Store and
supports the removal of any or all apps and data managed by the MDM
server.
In practice, however, MDM servers are limited. While most tools allow
for selective deleting or blocking of specific enterprise apps, there's no
automated way to identify and erase all of the associated data. "No IT
manager can sit around and go through thousands of files that may be
on each user's phone," says Phillip Redman, an analyst at Gartner Inc.
As to Apple's position on the use of containerization/app wrapping
technologies that require access to app binaries to create a policy
wrapper around apps that are enterprise-specific, Apple does not offer
such a tool itself and declined to comment.
For more information:
Visit Apple's iPad in Business Web page:
http://www.apple.com/ipad/business/resources/
Download the MDM deployment scenario document:
http://images.apple.com/ipad/business/docs/iOS_MDM_Mar12.pdf
(PDF)
For its part, Good's basic email and calendaring capability has been
available for several years. Late last year it added the capability for
other apps to run within its protected space using the Good Dynamics
Platform, but each app must be modified to run in Good's proprietary
environment. So far, about a dozen commercial apps are available,
including QuickOffice, which is typically used for reading and editing
downloaded Microsoft Office file attachments.

Perkins is using Good only for email and calendar -- the "killer apps" for
most employees, he says -- and for accessing internal, browser-based
apps using Good's browser.
For full-on access to the corporate network, SharePoint and other
services, BNY Mellon relies on Fiberlink's MaaS360, a cloud-based
MDM system it has configured to take complete control of the user's
device. MaaS360 monitors what gets written to and from the operating
system, and blocks access to some personal apps, such as Yahoo Mail
and Gmail, when the device is accessing corporate resources.
"When it's on our network we own it and control it," says Perkins.
When used in personal mode, individuals have control over which apps
they can use.
What's more, BNY Mellon may wipe the device -- including all of the
user's personal apps and data -- if it is lost or stolen, although MaaS360
and most other major MDM tools do allow selective wipes. Citing
security concerns, Perkins declined to say how many times the
company has had to wipe phones that have been lost or stolen.
In comparison, if the Good-based units are lost or stolen, only the
corporate container is wiped.
It's not surprising, then, that some employees are concerned about
turning their personal smartphones over to "Big Brother." The Good
alternative, Perkins says, is more palatable for users who want access
to just the basics: email, calendar and a secure browser.
App wrapping
This is a newer, more granular approach in which each app is enclosed
in its own encrypted policy wrapper, or container. This allows
administrators to tailor policies to each app. Small vendors with
proprietary approaches dominate the market, including Mocana,
Bitzer Mobile, OpenPeak and Nukona (recently acquired by Symantec).
For its part, RIM is working on adding this capability to its BlackBerry
Mobile Fusion MDM software, possibly as soon as May 2013. (Mobile
Fusion runs on Android and iPhone devices as well as on the
BlackBerry.) Peter Devenyi, senior vice president of enterprise
software, says RIM's offering will be "a containerized solution where
one can wrap an application without the need to modify source code so
you can run it as a corporate application and manage it as a corporate
asset."

"Using these tools you can put together a pretty complete, fully

"Using these tools you can put together a pretty complete, fully
wrapped productivity suite that's encrypted and controllable," says
Jeff Fugitt, vice president of marketing at mobile integrator Vox
Mobile. So far, however, the customer base for the technology is
relatively small.
Forrester analyst Christian Kane describes app wrapping as an
"application-level VPN" that lets administrators set policies to
determine what the app can interact with on the user's device or on the
Web, and what access the app has to back-end resources. It also allows
for remote wiping of the container, including the app and any
associated data.
Application wrapping is not mature. Phil Redman, Gartner analyst
"Application wrapping is not mature," says Gartner's Redman, and the
existence of competing architectures in this nascent market is holding
back growth. But the adoption of app wrapping for enterprise and
third-party apps will increase, he says, as the technology is eventually
integrated into the larger and more established MDM platforms.
The downside to app wrapping is that each application must be
modified, which means administrators need access to the app's binary
code. That means some apps that come preinstalled on Android or iOS
phones may not be supported. Also, implementations may work more
smoothly with Android devices than with iOS because of problems
getting binary code for apps sold via Apple's App store. For this reason,
wrapping tools tend not to work with iPhone apps. For example,
Mocana's Mobile App Protection product doesn't support the email
client on the iPhone, or other built-in apps for that matter.
Users can get access to the binary for free iOS apps, but for paid App
Store wares, IT needs an agreement to buy direct from the provider
and bypass Apple's store.
"Apple overlooks the issue of app wrapping today and changing apps
[bought] from their store, but by their rules you're not supposed to do
that. They could clamp down and not allow that, although so far they
haven't," says Redman. Apple declined to comment. (See "Where Apple
and Google stand.")
Mobile hypervisors
The third approach to containment is to create a virtual machine that
includes its own instance of the mobile operating system -- a virtual
phone within a phone. This requires that the vendor work with
smartphone makers and carriers to embed and support a hypervisor

on the phone. The technology isn't generally available as yet, but

devices that support a hypervisor may eventually allow users to
separate personal and business voice and data.
VMware's offering, VMware Horizon, is still in development. It will
support Android and iOS, and functions as a type 2 hypervisor, which
means the virtual machine runs as a guest on top of the native
installation of the device's operating system.
Having a guest OS run on top of a host OS tends to consume more
resources than a type 1 "bare metal" hypervisor that's installed directly
on the mobile device hardware. It's also considered less secure, since
the underlying host OS could be compromised, creating a path of
attack into the virtual machine.
Another vendor, Open Kernel Labs, offers a type 1 hypervisor, which it
calls "defense-grade virtualization." Today the technology is used
mostly by mobile chipset and smartphone manufacturers that serve
the military. The company has yet to break into the commercial
market, says Redman.
Developing a type 1 hypervisor that interacts directly with the
hardware is impractical, argues Ben Goodman, lead evangelist for
VMware Horizon. "We moved to a type 2 hypervisor because the speed
at which mobile devices are being revised makes it nearly impossible to
keep up."
As to security, VMware is working on an encryption approach similar
to the Trusted Computing Group's Trusted Platform Module standard
as well as jail-break detection.
Performance won't be a problem, Goodman promises. "VMware
Horizon is optimized to run extremely well, and performance is
exceptional." However, VMware declined to provide the names of any
of early adopters who might speak publicly about the product.
Israeli startup Cellrox Ltd. offers its own twist on virtualization for
Android devices. The technology, called ThinVisor and developed at
Columbia University, is neither a type 1 nor type 2 hypervisor but "a
different level of virtualization that resides in the OS and allows
multiple instances of the OS using the same kernel," says CEO Omer
Eiferman. It offers the product to cellular service providers and
smartphone manufacturers, as well as to large enterprise customers.
Problems and promise

Not all containerization products support iOS, which powers the

Not all containerization products support iOS, which powers the

iPhone and iPad, the smartphones most commonly found in
enterprises. While Apple has 22% market share worldwide compared
to 50% for Android, in the enterprise those numbers are reversed: The
iPhone commands a 60% market share versus just 10% for Android,
according to Gartner.
For the products that do support iOS, Apple's legendary secrecy about
OS enhancements means containerization vendors receive no advance
notice and must scramble every time Apple releases an update. The
bottom line: Users may have trouble accessing corporate resources if
they upgrade their personal iPhone too quickly or frequently. "iOS
changes often cause service interruptions while Good Technology's
products are modified, tested, then released for our end users," says
Terry at University Hospitals.
"We can't afford to delete things of a personal nature or impede [endusers'] ability to use their personal asset," says Ryan Terry, division
CIO and CSO at University Hospitals Health System.
Directory integration is another area where tools are still evolving.
"We'd like to see more integration with Active Directory and with
PeopleSoft or whatever the source of record is to control user profiles,"
Terry says. "Ideally, tighter integration that would disable access
automatically or restrict access to published applications based on a
user's role." Today businesses may need to turn to integrators such as
Vox Mobile to provide that level of integration.
Containerization is also limited in terms of troubleshooting and
general support issues if the enterprise doesn't have visibility into the
performance of the total device, argues Steve Chong, manager of
messaging and collaboration at Union Bank, which uses Good for
Enterprise. Is the problem related to signal strength? Has the user run
out of storage space? Is there a way for IT to remotely access the phone
to diagnose issues?
"We need all of that without having to have multiple agents installed on
the phone," he says, because each agent adds complexity and uses up
resources.
"Having agents on the phone means that it needs to be constantly on all
the time for data gathering, but that means that it will consume phone
resources," Chong says. Also, it's "software that now needs to be
managed and updated on users' phones."
Today many businesses, if they have a BYOD program at all, either
aren't using MDM or are using a very basic tool such as Microsoft's
Exchange ActiveSync, which allows mobile access to the user's

Exchange email and calendar. "The next phase is getting to MDM. Then
[IT staffers] can look at application security and management,"
Redman says.
Containerization is limited in terms of troubleshooting and general
support issues if the enterprise doesn't have visibility into the
performance of the total device, argues Steve Chong, manager of
messaging and collaboration at Union Bank.
At West Virginia University, the cost of tools outweighs the risks -- at
least for now. Yohn says the school uses only ActiveSync to support its
4,500 faculty and staff. He'd like to do more, but says licensing costs for
the containerization tools he researched would have exceeded
$100,000 annually. "We'll wait until prices fall, or something happens
and we determine that we need to make this investment," he says.
At CareerBuilder, a jobs website and staffing firm, individuals who
want to use their own phones can connect by way of ActiveSync, but
downloaded data is not encrypted unless the user chooses to do so at
the device level. Further, IT doesn't offer any support for users
connecting with their own smartphones.
Users can also install, on their own, apps to access SaaS applications
such as Concur and Salesforce.com. "We defaulted to that," says senior
vice president of information technology Roger Fugett. But with nearly
half of CareerBuilder's 2,600 employees now bringing their own
devices, Fugett says he's taking a hard look at the potential risks and
how to mitigate those. Containerization and general MDM tools are on
his radar.
The coming consolidation
Containerization is rapidly becoming a necessity for supporting BYOD,
and the technology is evolving rapidly, says Stephen Singh, director for
infrastructure practice at professional services firm PwC. "It works
relatively efficiently and meets the regulatory compliance needs for
many of the customers we speak with."
In most shops, containerization is -- or should be -- one part of an
overall MDM strategy. Going forward it should be possible, for
example, to apply one set of policies to the entire device, another to a
protected container where app stores deposit applications, and a third
to specific corporate apps, with variations depending on the user's role
or group.
Indeed, Symantec says its Odyssey MDM tool can be used to enforce a
device-level password while Nukona applies application-specific
controls.

Containerization is already starting to be absorbed into the major

MDM platforms. Symantec plans to merge into its Nukona
containerization and Odyssey MDM acquisitions into its Altiris
offering for managing servers, desktops and laptops; and Mobile Iron
now offers its own APIs for application integration. "In the next six
months we'll see more application security and management
integrated into MDM systems," says Redman.
Eventually, he says, MDM will broaden into a "systems management
platform for the enterprise" that includes security, content
management, application management and application development,
and it will extend to laptops and desktops as well as tablets and
smartphones.
That's high on the wish list at Union Bank, which relies on two
different consoles to manage BlackBerry and other mobile devices. "I
want a universal dashboard. There's no technology that does that
today," Chong says.
BNY Mellon has already started down that road. "We chose MaaS360
because we can run it across our full mobility network, whether a
laptop, phone or tablet," Perkins says. "I can provision access to all of
those devices at once, knowing that each has a different graphical
paradigm. That's the way we think people will be moving."
Singh sees an even broader convergence of management tools that
provides ubiquitous access for any end user device over any medium,
including desktops, laptops, desktop and application virtualization,
remote access and unified communications as well as mobile devices.
"We're not that far off from a universal console. We see convergence
occurring in three to five years," he says.
That may seem like a ways off, but it's important to plan for that vision
now so that containerization, MDM and other tools acquired today
don't end up overlapping or becoming redundant over time. "Look at
the big picture. Solving the problem for mobile device management
isn't just about selecting a vendor," Singh says. "It's about applying a
solution across multiple platforms and instances."
Robert L. Mitchell is a national correspondent for Computerworld.
Follow him on Twitter at twitter.com/rmitch, or email him at
rmitchell@computerworld.com.
Read more about bring your own device (byod) in Computerworld's
Bring Your Own Device (BYOD) Topic Center.
This story, "Best BYOD management: Containment is your friend" was
originally published by Computerworld.

Robert L. Mitchell
Robert L. Mitchell writes on a wide range of topics, including analytics,
emerging technologies, green IT and data centers.

From CIO: 8 Free Online Courses to Grow Your Tech Skills

Copyright 2014 IDG Enterprise. All rights reserved.