Identity and EMM just go together: A look at OneLogin’s recent app wrapping acquisition

Get familiar with another identity as a service vendor and how they think about mobility.

News recently came out that identity as a service vendor OneLogin acquired an EMM startup called Sphere Secure Workspace. We haven’t written about OneLogin here before, so I got on the phone with Thomas Pedersen, their CEO, to learn more.

A quick look at OneLogin

Thomas founded OneLogin with his brother, Christian; previously they both worked at Zendesk. OneLogin launched doing single sign-on in 2010, and then added other identity components like multi-factor authentication, provisioning, and RADIUS and LDAP support. They now support SAML for about 1200 apps.

Besides Sphere Secure Workspace, OneLogin did a few other recent acquisitions: CaféSoft, last year, for on-premises web access management, and Portadi, in June, for password management. This acquisition isn’t their first foray into the endpoint, either—OneLogin Desktop can bind authentication on Macs and PCs to their cloud directory service.

Sphere Secure Workspace acquisition

OneLogin didn’t want to start a full-fledged EMM offering, but naturally they saw a need for better SSO and management for mobile apps.

The issue is that for the first several years of iOS and Android, identity in native mobile apps could be challenging. Many vendors, including OneLogin, could do SSO on mobile, but only to web apps at first. Now many native apps support SAML, but the remaining challenge is that users still have to type in their username and password. There are several ways to smooth this out, including SDKs or through Chrome Custom Tabs or Safari View Controller, often along with MDM.

Sphere Secure Workspace has another approach: they add one-touch SSO to apps using a form of app wrapping. They were in stealth for about two years; OneLogin decided to acquire them about 6 months ago and the transaction is now complete.

Here’s how this works: App binaries (iOS or Android) are uploaded to Sphere Secure Workspace/OneLogin for wrapping. The wrapper includes common MAM functions like encryption and remote wipe. For SSO, the wrapper can insert a certificate into the webviews used in the SAML login process so that users don’t have to type in their credentials manually. The apps are signed with the customer’s app distribution credentials and then redistributed to users.

Of course, this comes with the usual caveats and opportunities of app wrapping, and touches on the larger AppConfig MAM/MDM versus standalone MAM discussion.

On one hand, customers must get permission from ISVs to wrap their apps. Some ISVs won’t play along, but Thomas said OneLogin will announce support from about 20 ISVs soon.

On the other hand, app wrapping means there’s no need to manage devices with MDM, a process that may be undesirable or not possible. Another benefit is that wrapped versions of apps can run alongside regular versions, allowing dual work and personal usage.

Many of OneLogin’s customers are newer “born-in-the-cloud” companies, and this app wrapping (along with identity management in general) will be the only EMM they do. However, OneLogin also has more complex customers that use other EMM vendors like AirWatch and MobileIron.

Final words

As I’ve been saying for years, we need all different types of MAM and MDM. OneLogin recognizes that app wrapping isn’t going to work for all use cases, but the fact that they chose it is yet another example of the need for diverse EMM techniques.

OneLogin’s acquisition is also another example of identity management and EMM coming together, an important and useful trend that will continue in 2017.
