BYOD Smackdown 2012: Good Technology's "island of trust" lets users retain control

Now that I’ve had some time to get more familiar with a number of BYOD/MDM/split persona vendors, I’m going to go down the list and report on my briefings with each one. These vendors run the gamut from application management to mobile hypervisors to traditional mobile device management solutions. Overall, the concentration is on vendors that, no matter what their background, promise solutions that enable BYOD with some degree of separation between work and private personas. I’m going through the vendors in the same order that I spoke to them, and there are still more briefings to be had and more vendors to be added to the list.

In December I met with John Herrema, SVP of corporate strategy at Good Technology, and Nicko van Someren, Good’s CTO. Good has been around since 1996, and these days they have about 4000 customers. Their primary BYOD product, Good for Enterprise, is available for iOS, Android, and a few other platforms, but not for BlackBerry.

Good Technology’s approach to BYOD/split persona

Good takes an application-only or “secure container” approach to managing BYOD. Essentially, the Good Technology approach is to be unconcerned with the user’s personal device, avoiding restrictions on how it is used or what applications can be installed. Instead, they provide their own applications (or partners’ applications) to give the enterprise “islands of trust” (as Nicko put it) on personal applications.

There are some MDM capabilities built into the product (the Good for Enterprise application can reach out and wipe the whole device if necessary), but generally the security restrictions are around the Good applications only. Users can manage their devices as they would have previously—with whatever level of security they please (such as weak or nonexistent passwords, because, hey, the user’s data is their own problem, not the company’s)—leaving the security around only the enterprise applications and data. It is at this layer that Good for Enterprise’s features come into play and fine-grained permission-based security policies can be applied.

The core Good Technology application

The Good for Enterprise core application has features that support secure emailing, browsing, and document handling (with restrictions around open-in and clipboard capabilities, for example). Tasks like enforcing policies, pushing applications, and locking users out are restricted to the core Good for Enterprise application. Data to and from the device is encrypted, requiring infrastructure on the corporate end, inside of the firewall. The result, though, is that no special ports have to be opened. Good for Government has similar features, but adds more features, such as support for CAC cards, S/MIME and Department of Defense public key infrastructures.

To enroll in Good for Enterprise, any user can download the app, but naturally it’s useless without permission to join a corporate environment. Similarly, a user can always choose to remove the app, and their access to corporate resources will disappear.

Third-party apps

Good Dynamics is the platform for developing third-party apps that can interact with the Good for Enterprise core application. Currently (February 2012) it’s only available for iOS, with Android support expected in April (2012). Good Dynamics consists of an SDK that enables developers to create applications that incorporate the same security features as Good for Enterprise.

John and Nicko told me that among the security features that Good Dynamics incorporates are provisions for encrypting data in motion within a device. Data to and from a device and data at rest on a device are the usual targets for encryption. With Good Dynamics, data that is transferred between Good for Enterprise and third-party applications developed with their SDK is not allowed to touch the memory in an unencrypted state. This is necessary because “erasing” data from flash memory generally consists of merely marking blocks to be overwritten, leaving the remnants susceptible to being read by other applications.

The approaches for locking-down access to third party apps are the same as for the core application. Depending on how permissions are set, open-in, clipboard, hardware access and other parameters are limited or monitored.

Organizations can develop their own apps using Good Dynamics, or turn to commercially available “Good”-compatible versions of apps. Ultimately, though, end users do have to rely on the availability of these special versions of applications, and if one isn’t available, a user could be tempted to get data and work on their personal device using alternative means (FUIT). An organization will need to be proactive in ensuring that applications are available for their users. On Good Technology’s part, in order to encourage a broad ecosystem of apps, one of the first things they did was look at the 100 most popular apps in the enterprise—and after removing all of the job-finding apps—they approached the creators about making Good Dynamics versions. Good also notes that this creates opportunities for individual developers.

Final thoughts

Good Technology’s product enables a dual-persona BYOD scenario, while keeping a small footprint on the end-user side. On the corporate side, there is a need to ensure that Good-compatible versions of apps (both commercial and home-grown) and back-end infrastructure (for Good servers) exist.

While Good for Enterprise is not separated to the degree of supporting multiple phone numbers or billing plans, all of the core functions are “containerized”. Having all the core functions under one application makes it easy to separate corporate work from personal usage. When “work” is just one icon, it’s easy to hide it for the weekend, instead of having a prompt for a long password reminding users about it every time they pick up their phone.

Feature Overview

This feature overview will be updated from time to time, and a similar feature overview will be included with every article in this series. If you notice any inaccuracies, please comment or email me. There are a lot of vendors and features to keep track of, and I want to be sure and keep everything straight.

  • Platform: iOS (including Good for Enterprise, Good Dynamics, and Good for Government), Android (Good for Enterprise; Good Dynamics pending), Windows Mobile, Symbian, PalmOS (Good for Enterprise only)
  • Architecture: containerized application
  • Security: at the application level
  • App sources: integrated with the product, home-grown, third-party
  • How external apps are brought in: developed using SDK
  • App stores: corporate, commercial
  • Split plans/phone numbers: no
  • Management interface: web based
  • On-site requirements: yes, can be virtual machine
  • Provisioning: users download, then ask to join corporate environment
