Jack Madden

What you may have missed from the Apple WWDC: There are MAJOR enterprise enhancements coming with iOS 7.

Jack Madden — Tue, 11 Jun 2013 06:00:00 GMT

Apple’s Worldwide Developer Conference (WWDC) kicked off yesterday, and one of the big announcements was a major update to iOS—the OS that powers iPhones and iPads. While most of the traditional media and fan blogs focused on the new “flat” styling and the faux-3D home screen, there were actually quite a few major enhancements that are relevant for the world of enterprise IT.

The only “catch” is that many of yesterday’s announcements are a bit vague at this point. While the iOS 7 beta has been released to people who have iOS Developer accounts, accessing that beta means you’re bound to a non-disclosure agreement. (The only place you’re allowed to talk about it is in the official Apple Developer forums.) That means that the rest of us can look forward to a couple of months of speculation, rumors, and leaks.

That said, let’s kick off our iOS 7 coverage with some speculation! (Seriously, we did learn a lot yesterday to get us started, and we know already that enterprise IT has a lot to be excited about for iOS 7.)

How do we even know enough to make educated guesses about new iOS features?

So if the iOS 7 beta is protected by an NDA, how’s it possible for us to have an article today talking about the new features? It turns out there are already a lot of public features mentioned if you look close enough. Apple directly mentioned some of them in the keynote, they mentioned others in a press release, and still others are referenced on Apple.com. There were also a few features that were listed on a slide in the keynote but not mentioned anywhere else. (Yay for screenshots!)

Once we have a list of feature names, we have to figure out how they work, which we can do by making educated guesses based on precedents set by existing MDM functionality. So here are some baseline things to consider:

First, remember that most existing iOS MDM functions get applied to the entire device. For example, if you turn off the camera, none of the apps can use it. If you want a long password, you have to use it for the entire device. With the existing versions of iOS, if you want to apply a policy to just a work app but not a personal app, you’re out of luck. That’s part of what makes MDM so frustrating today—there’s just not enough granularity. That’s also one of the reasons why we have MAM (mobile app management).

That said, back in iOS 5 Apple introduced the concept of using MDM to do some app-level tasks with its “Managed App” functionality, where an admin can use an MDM connection to remotely install any app. This works for both in-house apps and apps from public app. (By the way, we also have to be careful not to confuse “MDM-managed apps”—which is what we’re talking about here—with “MAM-compatible apps,” which is what we talk about most of the time.)

There are only a few controls available for MDM-managed apps today: The MDM server can install and remove them (user confirmation is required for installation but not for removal), they can be uninstalled automatically under certain circumstances, and they can be prevented from using iCloud. While this isn’t very much, it does set the precedent for app-specific policies. This would be a great way to implement many of the new iOS 7 management features.

On the other hand, there’s also the possibility that instead of being available for MDM-managed apps, some of the new iOS 7 features might simply be APIs or frameworks that are incorporated into the OS, meaning that an app would have to be specially built to use them.

One final thing to remember is that certain existing MDM features require the Apple Configurator to set up. In order to get these features, the device has to be connected via USB to a Mac OS X computer running the Apple Configurator. If any of the new iOS 7 features require the Apple Configurator, then they will be less appealing, so just consider that another warning to temper your excitement about all the new stuff.

New enterprise features in iOS 7

Now that we’re refreshed with the various ways that Apple has provided previous MDM features, let’s look at the new ones and make educated guesses about how they might work. This will also help us gauge how important these are to the EMM field. Keep in mind that some of the items on this list were only mentioned in passing, and in a lot of cases we have absolutely no details to go on.

With that, let’s go down the list:

Notification Center and Control Center available from the lock screen

Users can now see content in the Notification Center and change settings in the Control Center (a new feature that gives quick access to basic settings like airplane mode, Bluetooth, and WiFi) without even unlocking the device. You can imagine the security issues when email previews and calendar items show up in the Notification Center. Unfortunately iOS MDM has never had the ability to control a user’s notification settings. Hopefully now that there’s even more information that’s readily accessible on locked devices, there will be corresponding MDM features to keep it in control.

Multitasking and app actions based on push notifications

In the past, multitasking (apps running in the background) was limited to a few specific types of activities (such as playing music or tracking the GPS), but now in iOS 7 any app can run in the background. Also related to this is that in iOS 7, push notifications will be able to automatically “wake up” background apps—something that was only possible with manual user intervention before.

These two improvements would have a huge impact in the EMM space because now third party email apps will finally be able to download mail and synchronize calendars in the background. (Many EMM vendors use third-party email apps to keep users’ random personal apps from accessing corporate data, which is easily accessible when corporate email is synced to a device’s built-in email client.)

Quite honestly this has been one of the biggest drawbacks to EMM on iOS and an area where Android has excelled, so this is huge. Just huge!

AirDrop

AirDrop allows users to wirelessly share content from one device to another over an ad hoc local network. iOS MDM has a poor track record of being able to restrict sharing—pretty much MDM products can do is restrict the use of iCloud. We’ll see what happens here, but unless some robust controls are put in place MDM, we’ll still need MAM to make sure that corporate apps can’t use AirDrop to share (i.e. "leak") data with personal apps.

iCloud Keychain

The new iCloud Keychain is integrated with Safari. It stores passwords and credit card info; it can auto fill forms; and it includes a password generator. Saving and syncing passwords in the cloud could be an issue, but like so many of the current iOS frameworks, MAM-compatible apps could just disregard it.

Automatic app updates

This caused a lot of grumbling on Twitter, with everybody hoping it could be disabled either by the user or with MDM. There’s always a chance that a buggy update could really mess things up if an app is vital to your company, so hopefully Apple will allow MDM products to shut it off (or MAM products to restrict automatic updates for managed apps while allowing it for personal apps).

Activation Lock

If an iPhone is lost and a remote wipe is performed, in iOS 7 it won’t be possible to reactivate the device without using the previous owner’s Apple ID. The idea is that it makes stealing iPhones less attractive. (So somebody just go tell all the iPhone thieves out there to not bother anymore :) It’s nice to have, though probably won’t have a huge impact in the EMM world.

It is interesting though from the corporate perspective to think about employees who could “lock” corporate-owned iOS device with their own personal Apple accounts. We’ll see how secure this is and if the original owner can unlock a device with proof of purchase somehow, but I could see an employee leaving an “F You!” to their employer on the way out the door by locking their phones with their own personal Apple IDs.

App-level VPN

This is a major feature for third-party MAM vendors, and it would be great if IT could apply it to any MDM-managed app. Again, however, we just have to wait and see how it’s actually implemented.

"Better protection of work and personal data"

This is mentioned at the bottom of the iOS 7 features page at Apple.com, but we have no idea what it means. Is Apple implying that iOS 7 will have some sort of dual-persona framework like Samsung KNOX or BlackBerry Balance? It’s always possible, but I’m not placing any bets on it. It could just refer collectively to all of the other new features.

Management of app licenses

The Volume Purchase Program (VPP) has been around for awhile, but the current program does not allow a corporation to reclaim app licenses once they’re used unless the app was installed using the Apple Configurator. So our hope is that "management of app licenses" means that VPP licenses can be reclaimed from normal devices over the air.

Wireless app configuration / managed app configuration

This is a total mystery. My guess (or hope?) is that Apple is referring to MDM-managed app features (like I described above). If this brings a lot of MAM-like controls to any app, this will be huge.

There’s also the possibility that it just means centrally configuring settings that apps already expose to users. (Scroll down to the very bottom section in the Settings app to see what I’m talking about.) While that would still be useful, it's not as big as full MAM-style app control.

Enterprise single sign-on

Again, another mystery. Does this mean you can put passwords around individual managed apps? Is it password management using the Keychain? Does it involve corporate directory services? Who knows?

Default data protection for third-party apps

The iOS data protection API has been around for awhile now, but previously third-party apps had to opt in. With data protection enabled by default, things will be a little bit more secure.

New smart mailboxes / improved Mail search

The OS X desktop Mail app already has a feature called Smart Mailboxes, so we can probably expect something similar here. This probably isn’t some sort of crazy built-in email sandboxing thing.

Streamlined MDM enrollment

This could be cool. I don’t want to sound like a broken record, but what are they talking about? We have no idea here. With most MDM solutions, enrolling a device already only takes a few taps, so I'm not sure how much simpler it could be.

How do these new iOS 7 features affect EMM?

One day after the initial iOS 7 announcement, many people have the same questions:

Will the iOS 7 improvements be enough to keep work and personal apps and data separated (or enable dual-persona) without using a separate MAM solution?
Will this mean that we don’t have to use third-party email apps anymore?

There’s nothing from the iOS 7 announcement that conclusively indicate that iOS will be able to fully enable dual-persona without using MAM—there are just too many holes to fill. Sure, there will probably be places where the new features mean that iOS’s built-in MDM is “good enough” where it might not have been in the past. However, there will still be many more situations where mobile app management will be needed to go beyond what’s provided by MDM. The new app-level options mentioned today will be great, but what’s needed is extensive control over inter-app sharing and app access to device-wide frameworks. Nothing I saw today suggests that to me. Or what about all the devices for which we don’t want or need device-level management? We’ll need MAM for those, too. And all the device management in the world can’t do anything around delivering enterprise apps and data to users. We need apps and mobile app management for that.

Some people might be thinking that building better management into the device means there’s less of a need for EMM solutions, but that’s true at all. Whether a feature is enabled by the OS or built into an app, there still needs to be a back-end EMM solution to do it. Also keep in mind that most EMM vendors these days have both MDM and MAM. The point is that a few new features in iOS probably won’t put any companies out of business.

Whether working with device management features or working with apps, the changes announced for iOS 7 will bring a lot of new options. In the meantime, we’ll have to grit our teeth and wait for the public release to really know what the full impact of iOS 7 will be.

Consumerization Nation #22: We talk BlackBerry and mobile app management standards.

Jack Madden — Thu, 30 May 2013 04:02:00 GMT

Colin Steele and Jack Madden were joined by James Furbush for this episode of Consumerization Nation. In this episode:

The BlackBerry Z10.
BlackBerry's dual roles pushing both and endpoint and a management platform.
More thoughts on Citrix Synergy.
Mobile app management standards.

Give us your questions for the Citrix Synergy Geek Speak Tonight! panelists

Jack Madden — Mon, 20 May 2013 04:00:00 GMT

One of the most fun parts of Citrix Synergy is Geek Speak Tonight! Geek Speak Tonight! features experts (both community members and folks from Citrix) debating the technology issues facing our community today. It's pretty informal and off-the-cuff, and there are always some good laughs, too.

This year's session takes place at 4pm to 6pm on Tuesday, May 22, at Citrix Synergy in Anaheim, California. The first hour of the session, moderated by Dan Feller (Twitter @djfeller) from Citrix, will cover desktop virtualization. The panelists for the first half will be:

Robert Morris (@agsi_rmorris)
Steve Greenberg (@stevegreenberg)
Jarian Gibson (@jariangibson)
Shane Kleinert (@shanekleinert)
Kraig Stewardson (@kraigstew)

The second hour of the session will cover enterprise mobility management, and I'm honored that the folks at Synergy have asked me to be the moderator. Here's the line-up:

Shawn Bass (@shawnbass)
Thomas Krampe (@thomaskrampe)
Waheed Qureshi, Citrix CTO for XenMobile
Injong Rhee, SVP and Head of Technology Strategy and Enterprise R&D at Samsung

But here's where we need your help: you can give us your questions for the speakers. I have plenty of ideas for things to ask them about, but what makes this great is that we can get the community involved.

You can post your questions here to this Podio web form, tweet at any one of us (I'm @jackmadden), or leave a comment below. And if you're not going to be at Synergy, remember that Citrix will stream the whole session live. See you there!

VMware is releasing Horizon Mobile Android virtualization, and your phone might be capable of running it today!

Jack Madden — Wed, 15 May 2013 12:00:00 GMT

Today VMware announced that Horizon Mobile for Android, their dual-persona mobile virtualization product, is finally available on two phones from Verizon (the LG Intuition and the Motorola RAZR M). We’ve been waiting for this release for a long time, so today’s announcement feels important. However, there still some interesting surprises that could change the way we think about Horizon Mobile.

Horizon Mobile for Android consists of a guest virtual machine that separates corporate apps and data from personal apps and data on the host. If you’re not familiar with it, you can read these articles to get up to speed:

And of course today, Horizon Mobile for Android is finally being released.

The problem with mobile virtualization is that it requires a specially-modified version of Android to act as the host—it won’t work on just any Android device. With VMware Horizon Mobile, there’s a kernel module that lies latent in the host until it’s activated by installing an app from VMware. Users login and connect the app (called VMware Switch and available in Google Play) to their corporate environment, and then IT can provision and manage a work VM with appropriate apps and policies.

What’s new with today’s announcement is that Verizon is installing the kernel module as part of over-the-air operating system updates. In fact, the two phones that were announced today—the LG Intuition and the Motorola RAZR M—already had the update with VMware’s kernel module pushed to them about a month ago. So if you have one of these phones, it already works with Horizon Mobile!

Verizon has plans to push the update to more existing phone models in the coming months. This means that VMware Horizon Mobile will be available on a larger number of devices than we previously thought. The old assumption was that this would only be available on new phones, so this is kind of a big deal.

How big? Verizon may be the largest cell phone carrier in the US, but as we’ve known all along, when it comes to mobile virtualization, we still have to deal with fragmentation in some form or another. In this case, Horizon mobile won’t be available on phones from other carriers, and VMware didn’t mention anything about tablets, either. Compare that to other vendors’ dual persona mobile app management products, which can work across a much wider range of devices from different carriers. Right now all VMware has for these other Android devices is the Horizon Workspace app and an email client.

For sure today’s announcement is a huge win, and I don’t want to take anything away from that, but we’re still left wondering if VMware is going to go full-on into mobile app management for Android, like it intends to do for iOS.

Still, this is an exciting time. There was a trial release of Horizon Mobile for Android starting last December in Japan, but now after talking about and debating this product for nearly five years, we finally can get our hands on it and see what happens.

Will the next versions of Android and iOS solve today’s EMM challenges?

Jack Madden — Wed, 08 May 2013 04:03:00 GMT

Google IO is next week, and Apple WWDC is next month, which means that we’ll soon be learning about all the new features in the next versions of Android and iOS. Today I’m going throw around some ideas about how changes in each of these platforms could impact the enterprise mobility management world.

It’s around this time that bloggers love to tons of wish lists for new features and try to predict what’s in store. So bear with me here... I’ll just say that what follows is going to be pretty speculative.

Today’s Android and iOS challenges

Last week I wrote about the journey that Android and iOS both took, and how they went from being completely unmanageable to having respectable MDM capabilities. However, if you’ve been around around the enterprise mobility management space, you know that’s old news. The real problem is that modern mobile OSes provide lots of ways for apps to share (or leak!) data with each other. As a result, the challenge now is to figure out how to manage and secure corporate apps and data separately from personal apps and data (I use the term “dual persona” for this).

There are a number of ways to accommodate dual persona, but the emerging favorite is mobile application management (MAM). MAM faces some challenges, including how to get all of the apps you need to work with the system, but I believe this problem is being solved.

However, with new versions of Android and iOS due soon, it’s natural to wonder what changes might be coming that could make it easier to deal with dual persona issues. I’ll look at the platforms individually.

iOS

What could iOS do to enable dual persona, or at least make it easier for EMM vendors to do so? This is a question that I think about a lot, and there are a few ideas that come up:

First, iOS could add “secure” or “private” versions of common sharing frameworks, such as an extra contacts API that only the corporate Exchange account and other managed apps could use, a secure document handling framework, and a way so that only certain apps use the VPN, and secure clipboard, and on and on and on...

Soon enough you realize that this gets really complicated really fast! Would this work on older hardware? Who knows? Do you have to build apps that specifically ask for access to the extra set of frameworks? Or could you use configuration profiles to whitelist whatever apps you want? There are a million questions, and this all seems like it would be such a drastic change that Apple would never go for it.

How about approaching it from the other direction? What if configuration profiles could have more options to restrict access to data that’s associated with corporate Exchange accounts. This is more along the lines of the controls that Apple has been adding gradually, so maybe it’s more feasible.

And then there’s another completely different direction that Apple could go in—they could loosen restrictions around the behavior of third-party apps. Right now one of the biggest issue with using MAM to get dual persona is that third-party email apps aren’t allowed to download messages in the background. If Apple were to relax this rule, that would eliminate one of the biggest drawback of third-party mail clients. There’s a history of this type of change, too. In the early days of the App Store, Apple didn’t allow any apps that duplicated the functionality of built-in apps, but today we have lots of options that can easily take their place.

Android

Android is a completely different story. Remember from last week’s article that Android is built around the idea that management features are left up to device manufacturers to do on their own. To that end Samsung KNOX and all of the mobile virtualization vendors have versions of Android with dual persona frameworks already built into the OS.

Because the core version of Android only includes very basic management features, I have very little expectation that revolutionary dual persona features will show up in the next version. But what if something did happen? It still wouldn’t be a big of a deal because we would still have to deal with fragmentation and the fact that most of the devices out there wouldn’t have the new features. MAM would still remain as the best way to achieve dual persona across a wide variety of different versions of Android.

How will this impact the EMM?

Keeping in mind the danger of making predictions, I’m going to say overall that there’s very little that could happen in upcoming OS updates that could have a significant impact on how we deal with dual persona issues. In addition, regardless of what happens with the new OSes, here’s why I think MAM will continue to grow and be strong:

Android fragmentation. Enough said.
Even if dual-persona capabilities are built into devices, you’ll still need to provide apps to do anything beyond email and browsing.
If iOS background processes are opened up, then there will be that much more demand for MAM.
A lot of people don’t want to worry about the device and just manage apps—the fact that dual-persona frameworks would be built into the device would be insignificant.

Stay tuned!

We’ll hear about Android next week, but the bigger news will likely be iOS 7 in June. While I don’t think it will turn the EMM world upside-down, each iOS release has had something in it for the enterprise, so there will be something to talk about.

Why is it so difficult to manage Android? Here’s a history of MDM features from 2008-2013.

Jack Madden — Wed, 01 May 2013 05:38:00 GMT

To follow up on yesterday’s history of Apple iOS management features, today I’m going to do the same thing with Android. A warning, though: there’s just not just not as much here. I’ll explain why and then dig into the history.

Why is Android difficult to manage?

The mean reason people say that Android is difficult to manage is because of fragmentation. But what does "fragmentation" really mean, and why is Android this way?

When Android was first created, it was meant to be a mobile phone OS that handset manufacturers and carriers could easily customize to suit their own needs. As a result, many features—including enterprise management tools—weren’t included in the core unmodified version of Android. While that was a noble plan it soon became evident that not all manufactures were adding management features as part of their customization process, so as a result, Google added some very basic management features into the core version of Android.

There’s still a catch, though: most Android devices don’t get updated to the most recent versions of the OS, since device makers focus their efforts on adapting the new versions of Android to the newest devices only. And it’s not uncommon for Android devices—especially the cheap ones—to ship with old versions of the OS even when they’re brand new.

There are some manufacturers, like Samsung, who have added extensive management features into their versions of Android. In fact, most of the devices from major manufactures have at least something added in. There are also several vendors working on virtualization as a way to manage Android.

Nevertheless, if you’re tasked with supporting whatever random Android device a user brings in the door, you’ll want need to support whatever the lowest common denominator is. With that, here’s a history of Android management features.

2008

The first Android device was the HTC Dream, released in October 2008, with absolutely no provisions for enterprise management. The only saving grace was that Android did launch with the ability to install third-party apps, and various app makers filled the enterprise void by offering sandboxed corporate email apps. The idea was that since the device couldn’t be managed, security features would be built into the app instead. Products like GoodLink (from Good Technology) had been doing this for years on other platforms, and the model worked well on Android.

2009

In September 2009, Android 1.6 added VPN support (though at the time there were already third-party VPN apps), and later that year Android 2.0 brought support for Exchange email accounts. Unfortunately there was no way enforce any Exchange security policies, and in general Android was way behind iOS when it came to management features.

2010

In May, version 2.2 of Android introduced the Device Administration API. This API lets an Android app enforce device-level management policies, including password requirements, wiping the device, and locking the device. While it was a great addition, having an API meant that there weren't any well-defined configuration profiles like with iOS devices, and instead each MDM vendor had to make their own app that interfaces with the Device Administration API. Still, it meant it was finally possible to build MDM apps that at could at least enforce the basics of over-the-air management, without having to rely on device manufactures to build the features on their own. This was pretty close to the time that iOS 4 added major features as well, and it helped kick off a huge boom for MDM.

2011

Android 3.0 in February 2011 gave the Device Administration API the ability to enforce more complex password policies and device encryption—a feature that would open up more use cases. Then Android 4.0, in October, added the ability for Device Administrator apps to block the camera.

What else?

If this list of management features seems paltry, that’s because it is! It just reminds us that the real Android MDM innovation is taking place among manufactures. They’re doing some great things, but none of them will be able to help the fact that we have to deal with fragmentation.

By the way, Google is expected to announce the next version of Android in two weeks at Google IO, and while I'm excited for the incremental improvements, I'm certainly not holding my breath waiting for anything that will make the the difficulty of managing Android go away.

Who says Apple isn't enterprise focused? Check out the history of enterprise management improvements in iOS from 2007-2013.

Jack Madden — Tue, 30 Apr 2013 04:03:00 GMT

A lot of people criticize Apple for not being an "enterprise focused" company. This consumer focus manifests itself in a myriad of different ways, from how the company markets their products, deals with bulk purchases, and addresses security and enterprise management capabilities. For years this didn't really matter, since Apple only had a small market share of desktops and laptops and companies just sort of dealt with them as they came up.

But everything changed when Apple released the iPhone and iPad, as users started bringing those into their work environments on their own, en mass. Whether or not Apple was serious about the enterprise didn't matter to those users one bit.

All that said, Apple has actually made quite a few improvements to iOS (the OS that iPhones and iPads run) over the years. As we gear up for Apple's WWDC in June (with fingers' crossed that we'll get even more enterprise management features in iOS 7), I thought it would be good to take a look at just how far Apple has come over the years when it comes to improving the enterprise management aspects of iOS.

(By the way I've compiled a similar list for Android which I'll post tomorrow, as Google IO is coming up soon too and we also hope that they announce more management features for Android.)

Anyway, let's look at iOS through the years, from the perspective of enterprise management. You'll see that Apple is actually quite serious about it!

2007: The original iPhone

The Apple iPhone was first announced in January 2007 and released that June. When it debuted it was solidly a consumer device, more closely related to an MP3 player than to any kind of enterprise device. There was absolutely no way to manage it, and it didn't even support Exchange ActiveSync (EAS), so it was completely ignored by IT. The original iPhone did support POP and IMAP email, so technically it could be used with Exchange if you chose to turn those on. (And hey, there was always Outlook Web Access!) But generally since there was no way to enforce any management policies, it was only high-power executives that got corporate email on their iPhones. When Apple said the iPhone supported Exchange, it was a bit of a stretch.

There were also other reasons the original iPhone wasn’t a considered a “corporate” phone. For one, it had to be activated and synced with iTunes, and how many IT departments would have allowed iTunes on users’ computers at the time? Also businesses didn't like it because it was expensive and only available from a few carriers in each country.

Still, the browser—and the fact that it was actually usable—did make the iPhone valuable for some corporate users. And while there were no 3rd-party apps at that time, it did have a built-in VPN client. While most of the conventional knowledge in 2007 was saying that the iPhone was not appropropriate for corporate use, there were some people saying it was a great phone and a great work tool, and that companies would be better served by trying to figure out how to support it.

2008: Configuration profiles, Exchange support, and the first (basic) over the air management

Apple announced and released the beta of the second version of iOS (which was then known as “iPhone OS”) in March 2008, announced the second generation hardware (iPhone 3G) in June, and released them both in July. This was a huge deal, because iPhone OS 2 supported Microsoft Exchange ActiveSync for corporate email and new configuration profiles to manage device settings. Also this was the release that allowed 3rd apps to be developed using the newly-released iPhone SDK.

For corporate users, Exchange ActiveSync (EAS) support meant that email, calendars, contacts, and global address lookup could be accessed from the iPhone, though there wasn’t yet support for other features like tasks, creating meetings, out of office notifications, or follow-up flags.

More importantly, EAS brought a degree of over the air (OTA) management to iPhones for the first time. IT could now do basic things like remote wipe and enforce password policy, although there wasn’t yet support for device encryption. The lack of encryption was a problem for many environments, but despite this there were still some sweeping declarations of “Hurray! Now the iPhone is a corporate phone!” Of course the next time a new set of advancements came around there were even more sweeping declarations of its corporate acceptability. (“Okay guys, this time we really mean it’s a corporate phone!”) Naturally thanks to the consumerization of IT, employee demand brought these devices into the workplace anyway, regardless of whether or not analysts considered them to be “corporate ready.”

The configuration profiles introduced in iPhone OS 2 later become the basis for many future iOS MDM advancements. (Configuration profiles are XML files that specify settings for a range of security and administrative features on the device.) In 2008 Apple also introduced the iPhone Configuration Utility, a tool for creating these configuration profiles. Profiles could be installed via email attachments, downloading them from a server, or installed directly to a device using a USB cable.

Initially, configuration profiles didn’t provide any way to manage a device over the air, but EAS could take care of that. To some degree, profiles were more a matter of convenience because they didn’t do much that you couldn’t already do in the UI.

The first profiles contained settings for passcode policy, WiFi, VPN, POP and IMAP mail accounts, Exchange accounts, and carrier access point name settings (these determine how the device connects to the telecom data network, something that’s usually not a concern for most MDM situations). Profiles could also be used to install certificates on devices, and the profiles themselves could be signed. All of the settings and credentials installed by a profile get removed from the device if the profile was removed.

Overall, while there were huge enterprise improvements in iPhone OS 2, there were still stumbling blocks. One issue was that the devices had to be activated with iTunes, and users could update devices on their own, making it harder for IT to authorize new OS updates like they were used to doing. Users could also backup and restore devices on their own, which was another security risk. The lack of encryption also meant that the iPhone was still a "no-go" for many regulated industries.

2009: Encryption

The iPhone OS 3 beta and SDK were released in March 2009, while the third generation of the hardware, the iPhone 3GS, was announced in early June 2009 and released later that month.

There were a few new important management features, including the ability to encrypt an iPhone, more ways to restrict its behavior, and the ability to prevent configuration profiles from being removed. General new features for the iPhone included cut/copy/paste, the MobileMe service (which allowed end users to locate and wipe lost iPhones), and the Apple Push Notification Service.

The new device restrictions featured in configuration profiles included policies for blocking explicit content, Mobile Safari, the YouTube app, the iTunes store, downloading apps from the Apple App Store, and the camera. Other features included the ability to ensure that backups were encrypted and the ability to add web clips (shortcuts), LDAP lookup, and calendar subscriptions.

Over the air management was still limited to Exchange ActiveSync, but at least with now with encryption a whole new class of use cases could be supported. Users, on the other hand, continued to run amok.

2010: Over the air configuration profiles

In April 2010, Apple announced the beta for iOS 4 (renamed from iPhone OS after the iPad was introduced), and the iPhone 4 was announced and released in June. iOS 4 included a few more options for device restrictions, but by far the most important new feature was the ability to manage devices and profiles wirelessly over the air.

Remember that before iOS 4, the only way to manage devices wirelessly over the air was through the fairly limited capabilities provided by Exchange ActiveSync. iOS 4 brought a whole new range of over the air management capabilities: First, it gave IT the ability to manage configuration profiles—and all of their associated settings—over the air. Second, it gave an alternative way to manage the device itself that was much richer that EAS.

Companies could also use these new over the air capabilities to distribute in-house apps via provisioning profiles, (which are similar to configuration profiles). It was no longer necessary to use iTunes or the iPhone Configuration Utility to install enterprise-signed apps.

The available device restrictions were upgraded, and included the ability to prevent screen capture, automatic mail syncing while roaming, voice dialing while locked, and in-app purchases.

It’s widely acknowledged that the changes that came with iOS 4 were a revolution in mobile device management and really launched the MDM industry for iPhone.

2011: No more need for iTunes

The beta for iOS 5 was announced in June 2011, and it introduced iCloud, Siri, and the ability to do over the air activations and OS updates. This meant no more need for users or admins to have iTunes, a huge plus for enterprises!

July 2011 brought the Volume Purchasing Program for Business and the Custom B2B program, a way for developers to use the Apple App Store to distribute apps to select audiences. The iPhone 4S was announced and released in October 2011.

2012: Apple Configurator

The biggest iOS management news of 2012 was the debut of the Apple Configurator, which could backup iOS device images, create golden images for mass deployments, and “supervise” devices. (Supervising devices with the Apple Configurator means checking users’ images in and out on different devices, returning devices to a base-line state, installing apps, etc.)

This was followed up by the iOS 6 beta in June. In iOS 6, devices supervised using the Apple Configurator could be locked down to a single app, use a global HTTP proxy, and have a few more feature restrictions. iOS 6 also revamped privacy settings so that users have per-app control over access to photos, calendars, contacts, and reminders. The iPhone 5 itself was announced and released in September 2012.

2013: What will iOS 7 bring?

I’m not going to try to predict what Apple will do in iOS 7, but stay tuned for some articles on how changes to iOS management features could potentially impact the enterprise mobility management industry. The good news is that Apple has been making steady progress with enterprise management capabilities for iOS over the past six years, so I'm sure we'll see even more great stuff in iOS 7!

UPDATED: We have a winner! — Win a pass to Citrix Synergy (and then use it to come to Geek Speak Tonight!)

Jack Madden — Mon, 29 Apr 2013 04:02:00 GMT

UPDATE: Monday, April 29, 2013:

We have a winner! Congratulations to @PaulinoVelo for tweeting the best reason to get a free pass to Synergy! His tweet: "Send me to synergy so I can finally know the people who I have googled for support since I started with Citrix #SNDME2SYNRGY" To me, that just about sums up one of the best reasons to come to events like Synergy. Thanks to everybody for all the great tweets, too!

The folks at Citrix have asked me to moderate the Geek Speak Tonight! mobility panel session at Citrix Synergy, and they've given me a free pass to the conference to give away! Here are all the details.

Geek Speak Tonight!

Citrix Synergy 2013 runs from Wednesday, May 22, to Friday, May 24, (the week after BriForum London) at the Anaheim Convention Center in Los Angeles. The Geek Speak Live! session track features...well...geeks talking about technology in a less formal and more down-in-the-weeds style.

Geek Speak Tonight! is the main kickoff event night before the conference begins, and will be at 4:00 pm on Tuesday, May 21. This session features various community members, Citrix CTOs, and CTPs talking for an hour about desktop virtualization and an hour about enterprise mobility management. Dan Feller from Citrix will moderate the desktop virtualization part, and I'll be moderating the EMM part. Here's the full panel line-up:

Desktop virtualization panelists:

Robert Morris (@agsi_rmorris)
Steve Greenberg (@stevegreenberg)
Jarian Gibson (@jariangibson)
Shane Kleinert (@shanekleinert)
Kraig Stewardson (@kraigstew)

Mobility panelists:

Shawn Bass (@shawnbass)
Thomas Krampe (@thomaskrampe)
Waheed Qureshi
Injong Rhee

And they haven't confirmed it yet, but in past years there has been beer and pretzels at this thing, too.

How to win a free pass to Synergy

So here's the cool part: since I'm moderating the mobility panel, Citrix gave me a free pass (with a street price of $1945!) to give away. To win the pass, tweet me (@JackMadden) why you should go to Synergy, and include the hashtag #SNDME2SYNRGY. That's it. I'll pick the winning tweet after April 26, and the winner will receive a registration code good for a free conference pass. Dan Feller, who is moderating the first half of the Geek Speak Tonight! will also be giving a pass away, so you can tweet at him (@djfeller) too. That means two chances to get in free!

Help make Geek Speak Tonight! awesome

Now as I mentioned above, there are two parts to the Geek Speak Tonight! panel session, with Dan Feller and I each moderating one half. The Citrix social media team has put us up to a challenge to see which half is going to be better. You all know that I really love enterprise mobility management, so I want the EMM session to just flat out rock and be totally awesome.

To do this, I need everybody to help spread the word about the mobile half of Geek Speak Tonight! You can suggest questions to ask the panel, tell us why mobility is important for you, and generally talk up how great it's going to be. You can tweet to me (@jackmadden) and to Dan (@djfeller). Use the hash tags #CitrixSynergy and #GeekSpeak, and don't forget that you can tweet to the rest of the panel as well.

Keep an eye out for more more posts here leading up to Synergy, and see you in Los Angeles!

The delta between work capabilities and consumer capabilities is where "FUIT" happens. Luckily we're past that now!

Jack Madden — Wed, 24 Apr 2013 04:03:00 GMT

Over the last few months, I’ve been thinking about a lot of different ways to explain the consumerization of IT (because I've been speaking at TechTarget's consumerization events and writing a book!) The realization that I had was that while we do live in a new era of consumerization, the hard part—which was making the transition from the pre consumerization era into our current era—is over, and life should be easier for us now.

Let me explain in more detail:

We know what consumerization is now

We've come up with a lot of ideas about what consumerization is. Here are some of the ways that Brian, Gabe, and I have talked about it:

Users can do whatever they want. (Not that we’ll let them do whatever they want, but rather they have the ability to run amok however they want.) Not only is IT powerless to stop the Users, often IT doesn’t even know that it’s going on. (Here's an early, great article on this subject from Brian)
IT is in competition with every website, app, and service in the world.
FUIT - The Latin term for he or she was, as in, "IT was in control of the users. Now they are not." We also use FUIT (spell it out... F.U.I.T... get it?) to describe users in the act of using consumer technologies to get around corporate IT.

What is the root cause of this? It’s essentially that employees now have access to consumer technologies that are way more powerful and awesome than the technology provided by corporate IT departments. This is the reality that we face today.

So the thing is, I think the hard part is over now, and dealing with consumerization is going to be easier from here on out.

Why? You might think that it's because we have new tools like MDM or MAM, or because companies are handing out iPads, or because more companies are using more cloud services, or becuase VDI means we can deliver desktops as a service, or because we're or... or... any one of the huge range of new tools and tactics that IT departments are using to embrace consumerization. And it's true, all of these are important, they do make it much easier to deal with consumerization of IT.

However, the real reason why consumerization is easier to deal with today is that the inversion—the point in time when consumer tech surpassed corporate IT—was a one-time event, and we're past it now.

The initial consumerization chaos was a one-time event

For many years, the technology employees used at work was way more powerful than technology at home. Many people used a PC, the internet, email, and smartphones at work before they did any of these things on their own. My favorite example of this is the idea of Cyber Monday: This is the idea that employees would do their online holiday shopping the Monday after Thanksgiving when they returned to the office (having done their shopping at brick and mortars store on Black Friday) because their offices had broadband internet connections

This is the way everything was before consumerization, illustrated here in Figure 1a:

But then then consumerization of IT happened, and the relationship between consumer technology and corporate IT was inverted. This didn't happen all at once—in fact, we can point to different events over the last decade to see where this inversion happened. Some examples are Gmail in 2004, ubiquitous home broadband, the arrival of the iPhone in 2007, Dropbox, Salesforce... the list goes on and on.

All of these technologies came and completely took IT by surprise, because nothing like this had ever happened before. That's when we got all the FUIT horror stories about employees running amok, illustrated in Figure 1b:

The thing is that this inversion was a one-time event. Yes, most people in IT were taken by surprise, and things might have been pretty crazy for a while, but we can be excused. Something like this had never happened before.

Sure, there will be surprises when the next hot consumer technology comes along, but however disruptive they are, we know where we stand now. That inversion will never happen again and we can breath a sigh of relief that we got through it.

Mind the gap

We’re never going to catch up to or surpass consumer technologies (there are exceptions here—there are thousands of important things that enterprise apps do that no consumer app will ever do). And let's face it, to surpass or stay even with what the users are doing on their own would require an enormous amount of effort (and money!)

What we can do is make sure that we at least stay reasonably close to what the consumer technology is doing. This means supporting iOS and Android, implementing modern file syncing, giving users reasonable mailbox size limits, and so on... This is illustrated here in Figure 2a:

Because if ignore what's going on in the consumer world and fall too far behind, (like what happened the first time when consumerization took us by surprise) then that's when FUIT will happen again, as illustrated in Figure 2b:

Ever since the consumer technology / corporate IT inversion, we've been living in a different world. For a while we didn't know what to make of things. Today, even though users still have the ability to say FUIT, we can rest assured because we know where we stand, and that the inversion was a one-time event that won't happen again. And so to avoid FUIT from here on out, we need simply to mind the gap between consumer technology and the technology provided by corporate IT.

Symantec is rolling out improvements to its enterprise mobility management offerings

Jack Madden — Tue, 16 Apr 2013 04:03:00 GMT

Over the last year Symantec has been making a big move into the enterprise mobility management (EMM) space. Today they’re continuing that effort by announcing several new EMM improvements at Symantec Vision in Las Vegas. In advance of today’s news, I caught up with Brian Duckering, senior mobility strategist at Symantec.

First, let’s do a quick regroup on where Symantec is with their mobility efforts. They made their first step a little over a year ago by acquiring mobile device management (MDM) vendor Odyssey. (Symantec had been OEMing Odyssey for a while before the acquisition.) Then a few weeks later they acquired mobile application management (MAM) vendor Nukona. That was followed up in July by releasing a slew of features and other products. Overall, this newly-formed mobility group has been growing rapidly.

Today’s announcement brings four new components:

MDM/MAM integration: MAM and MDM are now together in single console . This isn’t really a new product, though. Here’s what happened: After Odyssey and Nukona were acquired, they became known as Symantec Mobile Management and Symantec App Center, respectively. These two products got combined into Symantec Mobile Management Suite (along with Symantec Mobile Security, an Android and Windows Mobile antivirus product.) The problem was that there wasn’t any real integration, so Symantec is addressing that by adding more robust MDM features directly to Symantec App Center. App Center will now be able to take care of most enterprise mobility management use cases on its own. However, this doesn’t mean that Symantec Mobile Management (which has SCCM and Altiris integration) is going away, so now it looks like they’ll have two MDM products.
Mobile mail client: Symantec announced a sandboxed mobile email app for iOS and Android. It will be available in public app stores, and manageable through Symantec App Center.
SSO for MAM: Users with multiple apps managed under Symantec App Center will now be able to take advantage of single sign-on. Supported authentication techniques include LDAP, SAML, Symantec O3, and CA SiteMinder.
MAM connection security: Apps managed by Symantec App Center app wrapping tool can now be forced to use SSL communication, and URL whitelisting can be used to make sure apps only send data to approved servers.

Last fall I wrote that one of Symantec’s biggest challenges would be integrating MDM and MAM and making sure they had all of the components of a full enterprise mobility management suite. I was a little bit wary because the conventional knowledge about Symantec is that their acquisitions tend to languish and don’t always end up very well integrated. So how are they doing this time around?

In this case, it is true that Symantec App Center and Symantec Mobile Management aren’t actually being integrated, but now that App Center can take over most of the functions Mobile Management, then who cares how they accomplished it? It’s still a good step. We also got the email client for iOS (a component that was missing before) and the ecosystem of App Center-compatible partner apps is continuing to grow. These are all steps in the right direction for Symantec’s enterprise mobility management offerings.

NitroDesk TouchDown is the Android mail app used by many EMM vendors. Here are some cool things you might not know about it.

Jack Madden — Fri, 12 Apr 2013 04:02:00 GMT

NitroDesk TouchDown is a third-party Exchange ActiveSync (EAS) app for Android and iOS. Because so many enterprise mobility management vendors support it and use it as their email client of choice, I wanted to learn more about it, and so recently I had a chance to talk to Nitrodesk COO Ron Goins. I’m not going to get into any hard core analysis in today’s post (it’s Friday, after all) but here are a few interesting things I learned:

First, some background on mobile mail clients. These days third-party mail clients often are used to keep personal and corporate data separate, or to secure corporate mail without having to lock down the user experience on the rest of a device. But before modern MDM came along, third-party clients used to be the only way to deliver and secure corporate email on many devices (and this was happening since way before iOS and Android, too).

When Android was launched in October 2008, it didn’t have an Exchange ActiveSync client, nor did it have any provisions for corporate management. Several third-party mail apps were released around that time, and one of them was NitroDesk TouchDown, created by Goutham Sukumar and released in November 2008.

At the same time, Ron Goins was looking every day to find a corporate email client for Android. He found TouchDown, installed it, and it didn’t work. It turned out that that Ron lived just a couple of miles away from Goutham, so the met up so that Goutham could debug the app. That lead to Ron becoming part of NitroDesk, which today has 10 employees and over 2 million users.

About the TouchDown app

In the beginning, NitroDesk used a combination of WebDAV and Exchange Web Services. They subsequently took an Exchange ActiveSync license, giving TouchDown push notification capabilities in March 2009, and full Exchange ActiveSync support shortly after.

(Just for reference, the native built-in Android email client didn’t support Exchange ActiveSync until version 2.0 was released in October 2009; and Android didn’t really have any management features until the introduction of the Device Administration API in version 2.2 in May 2010. Then don't forget that it takes a while for these versions to filter down to production phones, and most old ones don't get updated.)

TouchDown supports all the usual Exchange ActiveSync Exchange ActiveSync policies, and other security features include AES-256 encryption, support for S/MIME, and support for Microsoft Information Rights Management.

In addition to Exchange ActiveSync policies, TouchDown has management APIs that can be addressed directly by MDM client apps that are on the same device. That means that there’s no separate management protocol, just EAS for mail and whatever the MDM app is doing. There are DLP policies available to keep users from doing things like from cutting and pasting text out of TouchDown, sharing contacts with other apps, or opening attachments with other apps. The MDM integration can also handle licensing the app. Just about all of the big name MDM vendors integrate with TouchDown.

NitroDesk released an iOS version of TouchDown in October 2012, but it doesn’t have push notifications or download emails when the app is closed, because of the restrictions iOS puts around background processes. (The Android version does run in the background in order to receive email notifications through EAS.) This iOS background issue is a huge pain for a lot of people, and we’ll explore it more in a future post. There are also versions for Windows 8, Windows RT, BlackBerry, Kindle Fire (here's a cool explanation from their blog), and the Nook.

MobileIron is working on an “Open App Alliance” for mobile app management interoperability. Here’s everything we know so far.

Jack Madden — Wed, 10 Apr 2013 04:03:00 GMT

In the last couple of weeks we’ve published several articles discussing the idea of standards for mobile app management (MAM). It turns out that MobileIron has been thinking about MAM standards as well—recently Noah Wasmer, VP of product management, and Ojas Rege, VP of strategy, reached out to share information about an initiative called the Open App Alliance. There haven’t been any formal announcements about the program yet, but they are ready to start talking about it publicly. Here’s everything we know so far.

Why do we need MAM standards?

Before we look at the Open App Alliance, let’s do a recap of how mobile app management standards could be beneficial to the industry.

First, why the need for MAM? There have been tremendous improvements in management since iOS and Android were first introduced. However with few exceptions, there’s no way for mobile operating systems or mobile device management (MDM) technology to keep corporate and personal apps and data separated. Instead, we turn to application-level controls, through MAM. Using MAM, admins can ensure that personal and corporate apps remain appropriately isolated from each other, and that restrictive security policies only affect sensitive corporate apps.

A developer building an app can incorporate these management features by using an SDK or app wrapping tool provided by a MAM vendor, and some MAM vendors are encouraging ISVs to create publically-available apps that incorporate management features. The problem is that there are a dozen or two different MAM vendors, and none of their management protocols or apps are compatible with each other.

Because of this, all sorts of issues begin to emerge. If an ISV wants to sell an app with MAM capabilities, how do they choose which protocol to use? Do they have to create multiple editions of their app to be compatible with different MAM vendors? And there are problems for IT, too. What if you want to manage an app, but it’s not compatible with your MAM solution? Do you pick your MAM solution based on compatible apps, or based on other criteria? The MAM industry is completely fragmented, and this could cause some people to be hesitant about adopting it.

One way this situation could be resolved is if standards for MAM were to emerge. Regardless of whether the standards are formal or informal, there would be benefits for all parties involved:

End-users could have a wide selection of IT-approved choices for common tasks like corporate email clients or browsers.
ISVs would only have to develop one version of each app, knowing that it could be managed by a variety of different MAM products, and thus more marketable.
Corporate IT departments can implement MAM solutions knowing that they won’t be locked into a small set of apps.
MAM vendors will be able to boast a wider number of compatible apps.

The Open App Alliance

The Open App Alliance is an effort by MobileIron to make MAM standards a reality. There’s a lot of work that goes into this, and right now they’re at the beginning stages, creating a charter and gathering members. The one important part about this is that membership and use of the standards will be completely free and open.

As for what other vendors are involved, there won’t be any announcements for another four or five weeks. In my conversation with Ojas at MobileIron, he mentioned that they’ve been recruiting a wide variety of organizations, both in their community and in other communities. In other words, we just have to wait for the formal announcement to see if any big-name ISVs or enterprise mobility management vendors are involved.

The next step will be to work out technical specifications, but again they’re not sharing any details right now. However, looking at the features that are common to just about all MAM vendors, it’s not too hard to guess where the Open App Alliance could start.

Will it take?

Even though we don’t have many details yet, I think it’s hard to argue that MAM standards could be anything other than beneficial to the industry. Assuming the specifications are robust and easy to implement, any effort here reduces fragmentation in the MAM industry, even if a limited number of ISVs and MAM vendors participate.

While there are many examples of failed technology standardization efforts, there have been many successes, as well, especially in the consumer space. It’s not too much of a stretch to make a comparison here—in this case, both end users and corporate IT departments are the consumers of products that come from the MAM industry and ISVs. On another note, MobileIron’s co-founder, Ajay Mishra, was a part of the WiFi Alliance, which we can agree was pretty successful, too.

It’s too early to know what will the end result will be, but the idea of the Open App Alliance is a big step for the industry. Hopefully it will be a win for a lot of people, and kudos to MobileIron for getting it started.

Consumerization Nation #21: We talk Samsung SAFE and KNOX, iOS mail clients, and MAM portability

Jack Madden — Wed, 03 Apr 2013 04:02:00 GMT

For todays episode of Consumerization Nation, Colin Steele and I were joined by James Furbush and Gabe Knuth for a lively show. Here's what we talked about:

Samsung SAFE, Samsung KNOX, and Android fragmentation.
Jim's iOS experience, iOS mail clients, and iOS background processes.
And finally, we all agree that de facto MAM standards would be great, but we're not quite sure what pressures will actually be able to make it happen.

Thanks to everybody for listening!

Will it ever be possible to move from mobile app management (MAM) to true mobile information management (MIM)?

Jack Madden — Tue, 02 Apr 2013 04:03:00 GMT

Right now, mobile app management (MAM) is one of the enterprise mobility management techniques with the smallest footprint. The next logical step is to manage data itself, regardless of what app is used to manipulate it. However, there will be some difficulties.

What do we want?

In any enterprise mobility management situation, the company will want to make sure that corporate data is protected by policies, which usually means password enforcement, encryption, offline usage, sharing data with other apps, remote wipe, VPNs, and such. (Say what you want about policy versus compliance versus security—for now we’re just going to consider it all together). On the other side of the situation, users want to have as much freedom as possible for how they access and manipulate corporate data.

For years, combining corporate policies with mobile access meant using a BlackBerry. Then MDM came along and made it so users could choose iPhones and Android phones instead, and still comply with policies.

After that, mobile app management meant that not only could users choose iOS and Android devices, they could also have a lot more freedom about how they used their devices. Certain policies could be applied to just a few corporate apps, meaning users could treat the rest of the phone however they wanted. This made it a lot more safe and convenient for corporate and personal data and apps to reside together on the same device.

The next logical step is to shrink the footprint of corporate policy even more using mobile information management (MIM). The idea with MIM is that management policy is combined and delivered directly with corporate data, so that users can choose any app they want and the corporate policy will still be in place.

The difficulty

This is getting closer to the ideal of enabling total user freedom while still protecting corporate data with policies. But ultimately it’s impossible to satisfy both goals completely—there must be a compromise somewhere. For mobile information management, this means that users can’t actually choose any app they want.

Why? Because while MIM policies may be delivered with along with the data, they still need a client application to actually enforce them. And in order for that to work, the company needs to trust that a client app will faithfully respect the policies. There are a few ways to get that trust, which can be enforced by—you guessed it—policies.

The client app can be certified or come from a known source.
Use mobile app management technology.
The client app and the corporate data can be inextricably linked together by their very nature.

(Technically, it’s also possible to manage the app indirectly by simply managing the device on which it’s running, but that doesn’t really count for this conversation.)

Yes, some of these techniques can be a pain—there’s a lot of concern about how to get apps into a MAM ecosystem. But that will get easier as the industry grows or if formal or de facto standards for MAM come along. And a lot of corporate-generated data is intrinsically tied to the app that’s used to create it.

Overall, it's important to remember that using enterprise mobility management policies to protect corporate data will always require a compromise somewhere. We can aspire to make that compromise as small as possible, but true mobile information management will remain elusive.

Why the MAM industry needs to get together to create industry standards for mobile app management

Jack Madden — Fri, 22 Mar 2013 06:30:00 GMT

One of the issues that comes up with mobile app management (MAM) is that everyone wants to know where all these manageable apps are supposed to come from. The standard answer is that there are four sources:

Basic apps created by MAM vendors, like email clients, browsers, and file syncing clients.
In-house apps, developed with a vendor’s MAM SDK.
Using app wrapping tools to modify app binaries acquired directly from ISVs.
Apps in public app store that are built using a MAM SDK.

But here’s the problem: while there are standard APIs for managing mobile devices, there aren’t any standards for app management. This means that an app has to be specifically created or modified to work with a particular MAM platform. With at least a dozen different mobile app management SDKs out there, things are a fragmented mess.

But what if the industry could get together around a common standard for mobile app management, so that an app could be managed by any vendor? I’m definitely not the the first person to have this idea—in this case, credit goes to past article comments by Dan Shappir, Gabe, App Detective, and Shawn Bass (here)—but I wanted to take another look.

Benefits for all

The first and most obvious beneficiary to this is enterprise IT. It would give a much wider range of publicly-available, managed applications to choose from. That wide range of apps is also more consumerization friendly: more choices for apps means users are less likely to say FUIT.

A standard would be great for the industry, too. Right now there are several MAM vendors that can each boast a handful of compatible public apps, but it imagine if there were hundreds or thousands of compatible apps available. Vendors would then compete the same way they compete around MDM—on being able to scale and integrate management, and offer additional value.

But what will it actually take to get all of the parties to the table to adopt some standards? I can’t even begin to know—but we can start by asking and suggesting. It seems more likely that a standard could emerge if some vendors were to begin licensing MAM SDKs from other vendors. AT&T and BlackBerry are both white-labeling OpenPeak’s MAM, and several companies use Mocana for app wrapping, but I haven’t heard about any inter-compatibility in either of these cases.

A standard MAM SDK would have to include provisions to ensure that only one stakeholder could manage an app at a time, but we already have this issue figured out out for mobile device management, so it shouldn’t be insurmountable.

An alternative approach

An alternative would be to build a MAM service that didn’t have its own SDK or app wrapping tool, but instead supported apps created by other vendors—in essence, a universal mobile app management tool. This idea is still in the “thought experiment” phase for me.

Proponents of mobile virtualization, Samsung KNOX, and BlackBerry 10 will no doubt point out that these all avoid the MAM interoperability issue. However, this is at the expense of being smaller, niche platforms.

Should we cross our fingers?

So what are the chances that a mobile app management standard could emerge? As Gabe suggested, some vendors might want to protect IP invested in their MAM SDKs and app wrapping tools. But there’s already a lot of overlap between many vendors' feature lists, and by moving to an open standard, most of them would only loose the edge on one or two features.

Even though a MAM standard would be good for the industry, with all the diverse vendors it could be hard to get a lot of them around the table together. There’s a better chance that two or three de facto standards could emerge through smaller agreements, mergers, or the changing fortunes of the industry, and that would still put us in a better place than we are right now.