(Update, Thursday, March 29: I finally had a chance to see a demo and hear directly from BlackBerry, so I’ve added an update below. This article was first published on March 19.)
Ever since the native Microsoft Office apps for iOS and Android came out, people have wanted to use mobile app management tools to secure them.
In use cases where MDM or Android enterprise work profiles are a viable option, you can just use these operating system-level mobile app management frameworks.
If OS-based techniques aren’t an option or don’t have the features you need, and you instead want to use proprietary app-level techniques like app wrapping or SDKs, then things are more limited: The Office Mobile apps have Intune’s proprietary app management features built in, but Microsoft will not allow any other vendors to wrap or modify the apps. That’s may be their right as an ISV, and it’s a good strategy for them, but if you use another EMM, it’s more vexing.
A little over a year ago, we got a new option: Using the Microsoft Graph API, other EMM vendors can integrate with Intune and essentially use it as middleware to manage the Office Mobile apps. (Assuming, of course, that you have a license for Intune in addition to your other EMM product.)
Many vendors—including BlackBerry—have embraced this server-side integration, but what about the client side?
In one example, Citrix added the Intune SDK to some of their XenMobile apps, so they can securely work with Intune and the Office Mobile apps.
Now today, BlackBerry is announcing another approach. BlackBerry Enterprise BRIDGE is an app that incorporates both the BlackBerry Dynamics and Microsoft Intune app-level MAM features—i.e. it’s a part of both proprietary ecosystems. For example, this will allow users to securely move documents back and forth between the BlackBerry Work email client and Microsoft Word.
According to the release, BlackBerry entered a “strategic partnership” with Microsoft. BlackBerry is making several products available on Azure, including BlackBerry UEM Cloud, BlackBerry Workspaces, BlackBerry Dynamics, and BlackBerry AtHoc. It's not clear yet what else this could mean for the Intune/BlackBerry relationship, but I have an inquiry out and will update this post when I hear back.
Not all proprietary MAM products are equal, and BlackBerry acknowledges this in their marketing materials, stating in a footnote that the combined solution is “Subject to implementation for comparable policies. There is no guarantee that InTune [sic] App Protection will match Dynamics in all respects or that it will support all the same policies that Dynamics does, or vice-versa.”
Having to deploy a hub app between the two ecosystems seems like a bit of a kludge, and I’m curious what the user experience will be like, but of course in software, that’s just the way things are sometimes. And not to look a gift horse in the mouth—instead, this really underscores that the whole situation around proprietary MAM SDKs and app wrappers is quite challenging.
(I’ve written a ton about this—see Evaluating MAM SDKs and wrappers is still hard. What can we do?, Apple’s iOS management protocol needs to get better for BYOD. Here’s why and what they could do, and Corporate devices are getting all the love these days, but BYOD challenges remain.)
Any effort towards mobile app management interoperability, standards, or better OS frameworks is always very welcome, so BlackBerry’s customers should be excited to learn about BlackBerry Enterprise BRIDGE.
Lastly, I'll note that BlackBerry announced a round of other EMM updates today, and it's quite an extensive list. They've been a bit on the quiet side recently, but I was very impressed with how they brought together Good and BES, and clearly they've been hard at work building thoughtful features like Do Not Disturb for work apps, support for Android zero touch, and more.
Update, Thursday, March 29
BlackBerry has uploaded a video that includes a demo (here at 3:49), so we can get a glimpse of the user experience.
As I suspected there might be, there is a bit of a double hop to get from Dynamics-enabled apps to Intune MAM-enabled apps. From the action sheet of a Blackberry app, users choose “Edit with Microsoft,” which launches the BRIDGE app; then from there they choose whichever Microsoft app they want.
I was able to speak to Frank Cotter, SVP for product management at BlackBerry, and I learned a few more key details. Obviously, BRIDGE contains the Intune MAM SDK, but in order to avoid collisions, as he put it, they had to skinny down the Dynamics SDK. They wanted to avoid having to modify the existing Dynamics ecosystem and have it be coupled to changes in the Intune MAM SDK, so they went with the “bridge” approach.
Another key feature they worked on was “identity coherency,” to ensure the same user is signed into both MAM ecosystems. BlackBerry isn’t sharing details about how this works right now, but Frank said they have filed for patents related to BRIDGE.
Anyway, I stand by my previous assessment. This seems like a 1.0 approach to the issue of connecting multiple containers on a device, but I’m not complaining or faulting BlackBerry. Mobile app management is complicated to begin with, and the landscape of competing providers makes it more so. It’s good that BlackBerry is taking this step.