For several months now, I’ve been writing about various mobile application management (MAM) products and how managed apps can work together to form insulated corporate ecosystems on mobile devices. The components in this scheme include sandboxed email clients, mobile file syncing clients, browsers, and other apps, all brought together under the same management system. For now, I’ll refer to this as dual-persona MAM, since these solutions enable the creation of separate work and personal personas on mobile devices.
In this post I am going to explain how all of the pieces of a prototypical dual-persona MAM environment work together. Before I get started, if you need the basics of mobile device and application management, check out this excellent article from Brian, What is MDM, MAM, and MIM? (And what’s the difference?)
What is dual-persona MAM?
The story of mobile device management versus mobile app management is pretty familiar now: managing an entire device can be intrusive to users, especially for personal devices, and MDM lacks the ability to set granular policies around individual apps. This means that if you want to have a complex password around email, for example, then the user also has to deal with that long password every time they want to play Angry Birds or send a text. With mobile app management, you can put granular security policies around individual corporate apps, leaving the rest of the device and all the user’s personal apps unmanaged.
How does a dual-persona MAM solution go beyond this? With these solutions, all of the corporate apps on a device are able to communicate with each other, and they’re all centrally managed with the same system. There are policies for encryption, remote wiping, VPNs and proxies, and how corporate apps interact with outside unmanaged apps. Cutting and pasting can be encrypted so that it only works between managed apps, and corporate apps can be configured so that only other corporate apps, and not user apps, can open their documents and links. The management server (or SaaS offering) handles setting policy, authenticating users, and remote-wiping when necessary.
In practical usage, this means that if you’re in your work email app and you want to open an attachment, your options are only other apps provided by your company, not all of the random and potentially data-leaking personal apps that are on your phone. Your personal email stays in the device’s built-in client, and whether or not you can use a work app to open a personal attachment is up to your company’s policy.
Let’s look at the typical components of the system.
For email, a managed corporate app can protect contacts, messages, and attachments; IT can use the device access rules in Exchange ActiveSync to ensure that no other clients are allowed to sync to a user’s mailbox. Since some users may prefer their device’s built-in email client, another option is to simply protect attachments by intercepting and encrypting them before they get to the device. All the apps on the device will be able to access contacts and messages, but only managed corporate apps will be able to decrypt the attachments. In this case, the client management policies in Exchange ActiveSync can be used to provide basic security for email.
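The Exchange ActiveSync side of the email component above, as an added example that is not part of the original post: Exchange Management Shell (Exchange 2010 SP1-era cmdlets) that quarantines unknown clients by default, allows only the managed corporate client’s device type, and applies a baseline mailbox policy for users who keep the built-in client. The mailbox addresses and the DeviceType query string are placeholders; the real value comes from what the managed client reports in step 2.

```powershell
# Added example, not from the original post. Assumes an Exchange 2010 SP1 (or later)
# organization; addresses and the DeviceType string are placeholders to be replaced.

# 1. Default posture: any device type with no explicit rule is quarantined rather than
#    silently synced, and admins are notified so unexpected clients become visible.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients 'eas-admins@example.com' `
    -UserMailInsert 'This device is not an approved corporate email client. Contact IT.'

# 2. Discover what the managed corporate client actually reports before writing a rule
#    (inspect a pilot user's devices; do not guess the DeviceType string).
Get-ActiveSyncDeviceStatistics -Mailbox 'pilot.user@example.com' |
    Select-Object DeviceType, DeviceModel, DeviceOS, DeviceUserAgent, LastSuccessSync

# 3. Allow only the managed client's DeviceType; every other client falls into the
#    quarantine default from step 1 instead of syncing the mailbox.
New-ActiveSyncDeviceAccessRule -Characteristic DeviceType `
    -QueryString 'MANAGED-CLIENT-DEVICETYPE-PLACEHOLDER' `
    -AccessLevel Allow

# 4. Baseline client management policy for the "keep the built-in client" scenario:
#    device PIN, lockout after failed attempts, and device encryption are required.
New-ActiveSyncMailboxPolicy -Name 'Corporate baseline' `
    -DevicePasswordEnabled $true -MinDevicePasswordLength 6 `
    -AlphanumericDevicePasswordRequired $true `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false
Set-CASMailbox -Identity 'pilot.user@example.com' `
    -ActiveSyncMailboxPolicy 'Corporate baseline'

# 5. Verification: list every partnership that is not in the Allowed state so quarantined
#    or blocked sync attempts are reviewed (and approved or removed) rather than assumed away.
Get-ActiveSyncDevice |
    Where-Object { $_.DeviceAccessState -ne 'Allowed' } |
    Select-Object UserDisplayName, DeviceType, DeviceModel, `
        DeviceAccessState, DeviceAccessStateReason
```

The quarantine default is deliberate: a hard Block hides which personal clients users are trying, while Quarantine surfaces them in step 5 without letting them sync.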
File syncing apps are at the center of any dual-persona MAM system. When we think of mobile file syncing, we might think of various “Dropbox for the enterprise” products and assume that all of our files have to be in the cloud. While this is certainly an option, where the files live on the backend doesn’t really matter that much. Many products simply plug into existing on-premises storage, allowing files to be mobilized quickly. This is especially important because if a company doesn’t offer any sort of mobile file syncing, then a user who wants mobile access (and they will) is 100% guaranteed to resort to some sort of consumer product like Dropbox.
The great thing about mobile file syncing is that even if it’s the only app that a company deploys, it’s still incredibly useful. Most file syncing apps have viewers for common file types, and IT can set policies around offline syncing in addition to all the general dual-persona MAM policies mentioned earlier.
A managed browser is generally incorporated to provide VPN access to internal web apps, intranet sites, or external SaaS products that a company uses. A managed browser can also act as the default browser for links opened in any of the other corporate apps.
Other apps (SDKs, app wrapping, and public apps)
Other apps can be incorporated through mobile app management SDKs or app wrapping, and some dual-persona MAM solutions also have programs to encourage other vendors to develop compatible apps. An ideal solution would offer all three.
The final question is what role device-level management plays in a dual-persona MAM offering. The jury is still out on this—some solutions use it, some don’t, and for some it’s optional. The arguments go like this: MDM shouldn’t be necessary if the MAM system is working properly, and if you don’t have to manage the device (with all the potential conflict when it comes to BYOD), why bother? On the other hand, it’s another tool and layer of security, so why not take advantage of it? For now, I’ll leave that discussion to a future article.
Who is doing it?
The idea of managing individual mobile apps (especially email clients) has been around for quite a while, and in fact predates the iOS and Android world. When MDM arrived for iOS and Android in 2010, suddenly these devices could be treated just like BlackBerrys, but the problem was that many of them came into the enterprise as personal devices, and the idea of locking them down into corporate devices wasn’t very attractive. Even if they were corporate-owned, the idea of locking them down is still unappealing—after all, an iPhone is an iPhone no matter who bought it. This is also why dual-persona MAM is equally important for both corporate-liable and personal devices.
Anyway, the MDM explosion in 2010-2011 was followed by the explosion of MAM in 2011-2012. This is now being followed by a wave of vendors filling out their roster of dual-persona MAM components and wiring them all together. The list now includes the likes of Good Technology, Citrix, AppSense, MobileIron, Apperian, OpenPeak, Enterproid, VMware, and others. There are many other vendors that have just one or two pieces of the puzzle, but for them interoperability could be a problem. If you have to go to two different vendors to get all the pieces of a dual-persona MAM ecosystem but the pieces don’t work together, that could be a big problem.
Where is this going?
We’re still very early in the game right now, but a lot of companies are putting their weight into dual-persona MAM. Just look at the list of MAM articles on ConsumerizeIT.com. It will also be interesting to see how these products change in 2013, but there you have it: the definition of dual-persona mobile application management.