Recently I became acquainted with MobileSpaces, a mobile app management startup that has a completely unique solution for Android: MobileSpaces can essentially manage any Android app on any Android device. Before we dig into it, though, I want to take a second to go over the current state of mobile app management.
The conventional MAM landscape
For a while now, mobile app management has mostly only been available for special mobile apps that have management and security features built directly into them. (This is known as third-party MAM or containerization.) There are a variety of ways to get these special manageable apps, but no matter what, they’re just a small subset of all apps in existence. The good news though is that if you're able to use these specially-modified apps, there’s less of a need to worry about managing the devices they’re running on.
One of the big stories of 2013 has been the rise of MAM features built directly into mobile operating systems (OS-enabled MAM). Examples include Samsung KNOX, VMware Horizon Mobile, and iOS 7. With this type of MAM, administrators can manage any app they want, not just certain special apps (though with KNOX, the apps have to be sanctioned by Samsung). Naturally, this type of MAM requires the device to be managed, and for Android-based solutions, fragmentation means that only certain devices will have these features.
If you’re tasked with making sure that work data can’t be leaked into personal apps, then you pretty much have to deal with the two options I just outlined, each with its own tradeoffs: Third-party MAM works for only a subset of apps, but can run on any device, while OS-enabled MAM can work with any app, but only works on a subset of devices, and the devices have to be managed. If you’re okay with having work and personal data mix, then you have some more options, but overall the point is clear: there are tradeoffs no matter what.
This is where MobileSpaces, a mobile app management startup founded in 2011, comes in. For iOS 7, they offer MAM by utilizing the MDM protocol, just like many other EMM vendors.
For Android, MobileSpaces has a proprietary solution that works with any app and works on any device (without need to manage the device, either). When David Goldschlag, the CEO of MobileSpaces, first told me about this I was incredulous, but as we dug into the details of how they do it, I realized that they had come up with a completely new and unique type of mobile app management.
How does MobileSpaces work?
MobileSpaces can provide its functionality thanks to the modular way Android is built. Android provides users’ apps with various frameworks and built-in apps that give access to the file system and other resources such as contacts, cameras, photo galleries, calendars, sharing, and so on. All mobile OSes provide resources in a similar way, but what makes Android special is that it’s possible to replace any of the built-in resources with alternative versions.
This is exactly what MobileSpaces does—it provides a set of apps that act as alternatives for various system resources. You can see where this is going. By controlling which particular apps may access these alternate resources and by controlling under what conditions they may do so, corporate data can be kept separate from personal data and apps. MobileSpaces calls the set of corporate resources the “app virtualization layer.”
Under normal circumstances, when a user launches an app, it can access and interact with all of the resources that are normally available on Android—the user’s contacts, calendar, the internet, SD cards, and so on.
To access corporate data, first the app virtualization layer (the collection of MobileSpaces resources) must be activated. After that, the app is launched, and now instead of having access to the user’s personal data, it can access the corporate data. To be clear, it’s the same instance of the app; it’s just presented with a different set of resources. You can think of it like the equivalent of a file system filter driver in Windows.
To make this useful as a MAM solution, a few more things have to go on. To prevent just any app from accessing the app virtualization layer, MobileSpaces provides an agent app that acts as an app launcher. (This app is also used for enrollment.) Instead of users launching apps into the app virtualization layer on their own, MobileSpaces presents a list of apps that administrators have approved for use in the corporate environment. The user selects an app from the list, and MobileSpaces launches it. (It’s also possible for users to make shortcuts that appear on their home screen, but the concept is the same—the shortcut launches MobileSpaces, and then the corresponding app is launched.)
The result is that corporate data can only be accessed under special conditions, and it cannot be shared outside of the MobileSpaces environment. The corporate environment can be password-protected, encrypted, and wiped remotely, and network connections can either be routed through a VPN or be passed directly to the internet.
When the app virtualization layer is not activated, all of the corporate data is just like any other private app data. The only way for another app to access it would be if the device were rooted, and to that end, MobileSpaces includes root detection functionality.
Where this could go
For right now this article is just scratching the surface of how MobileSpaces works and all it can do (I’d love to spend an hour in front of a whiteboard with them and get a video), but you can get the idea. Their Android mobile app management solution is completely different from anything else that I’ve ever heard of. The fact that it can work with any app and that it can work on any unmanaged device is game-changing and revolutionary. Instead of the tradeoff between third-party MAM and OS-enabled MAM, we now have a third option without the tradeoff.
There are more places this concept could go, too. One idea that MobileSpaces is working on is being able to dynamically pass personal calendar or contact data through the corporate app virtualization layer, so that apps can use both sets of data concurrently.
Of course, this doesn’t absolve companies of the need to figure out how to provide mobile access to corporate resources in the first place. They still have to figure out things like mobile file syncing and how to mobilize existing apps, and third-party MAM, containerization, and specialized devices will still have their place.
Having said that, this brand new option for MAM is something that we should be excited about. It’s certainly the most unique solution I’ve learned about all year, and I hope we hear a lot more about it in 2014.