From the enterprise management perspective, mobile devices—especially iOS devices—are a restricted black box. So we're cool with that, right?
For years, we've been used to having complete control over our Windows machines. When they come in, we wipe them clean and install our own image, so we know exactly what we're dealing with. And there are good reasons to do that, as the latest fracas about root certificates on Dell laptops shows.
But with mobile devices, we don't have nearly as much control. We're limited to whatever MDM APIs are provided by the OS and OEM; and we're also at their mercy when it comes to updates. In Android they come too slowly, putting our devices at risk, and in almost all cases, we have no control over when they happen. There are several examples over the last few years of iOS updates breaking enterprise apps, and all we can do is block these devices with MDM or sit back and write an email to our employees saying "please don't update your iPhones yet."
Now for the most part, we're getting used to this. Mobile devices, OSes, and apps are built around a completely different set of assumptions than Windows was years ago. We have hardware-based security ensuring the integrity of many of these devices, the apps run in sandboxes and can't mess with each other or with the OS, and there are user-defined permissions to protect sensitive data. Cheaper Android devices can be a mixed bag, but for iOS and flagship Android devices, we're generally in a good place. The MDM APIs that are given to us are also way more comprehensive than they used to be, and can work for a wide variety of use cases. Jailbreak and root detection is a standard EMM feature.
We're also getting used to this because we don't always have much choice—rooting or jailbreaking users' devices for them might be a way to get more control, but that's obviously a non-starter.
Anyway, clearly this is the way of the future. Even Windows 10, with Universal Windows Platform apps, the Windows Runtime API, and MDM APIs fits in this model, too. (And here we get a lot more control over things like updates.)
But what about companies that aren't cool with this? There are all the security and control reasons described above, plus when it comes to mobile app management, there are some tradeoffs and difficulties that can make corporate IT chafe at the restrictions of mobile devices and mobile apps. A company can have complete control over a specially-modified app and just make that their point of trust, but modifying apps from public app stores is not a standard, accepted practice (more on that later). And if you want to control a publicly-available app, you have to put your trust in the device.
On Windows 10, the answer is easy—just keep doing what you're doing. You don't have to use MDM if you don't want to, and in fact there are even a lot of ways to combine the best of new mobile-style features with traditional full management.
On iOS and Android, there are some interesting products that exist to address these concerns, including Bluebox Security, Better Mobile Security, and Zimperium Mobile Security. These are notable because they go beyond the capabilities of typical EMM platforms to do things that—according to the conventional wisdom on EMM and mobile OSes—aren’t usually possible or allowed.
- Bluebox has provided app wrapping for apps from public app stores.
- Citrix showed off app wrapping for public apps at Synergy this year.
- Better provides an agent app that can apply policies to other third-party apps installed on a device (without using app wrapping or anything for those other apps). The Better agent can also interact directly with MDM APIs on the device, locally.
- Zimperium (yes, the same Zimperium that discovered the Stagefright Android vulnerability) can detect malicious app behavior and change the state of device wifi connections.
Of course these companies all have explanations of how their products fit within the Apple and Google realm.
- Bluebox is now concentrating more on custom and consumer apps, and no longer providing app wrapping for public apps.
- Citrix's app wrapping for public apps was just a demo, so they don't really need to have an answer.
- Better says that their agent app does not violate any of Apple’s security mechanisms, sandboxing, or policies. They say that it does use some non-public APIs, but that those APIs are not private APIs.
- Zimperium says their product works by using low-level code to analyze thousands of parameters on mobile devices, allowing an agent app to detect when devices are compromised. They said that their ability to control wifi on iOS devices is all with approved APIs, but that they have to get creative to make it happen.
What conclusions can we draw?
We’re left wondering what Google and Apple really think. It's not like we're going to see them make big public pronouncements about individual products, though clearly with Android for Work and all the mobile app management features that are built into iOS, we know what their preferred positions are. Also, the Apple Developer Enterprise License Agreement clarifies that Internal Use Applications do not include third-party applications even if some customization has been done; and Apple's WWDC 2015 session on app privacy stated that apps should not try to figure out what other apps a user has installed.
I’m not trying to spread FUD—it’s just that when products do things that are out of the ordinary, they attract attention. And right now these products certainly fulfill a need—MAM has tradeoffs, and given the restricted nature of mobile OSes, some companies will want to have more control and visibility than is provided by standard MDM APIs.
But overall mobile devices have a completely different management model, and we're all going to have to get used to that.
This article was first published on August 17, 2015, and was republished in an expanded form on November 30, 2015.
This article was updated on December 1st, 2015, with new information about Bluebox.