When Jack checked in with Mocana's Mobile App Protection (MAP) platform last summer, it was a more innocent time in the enterprise mobility management space. MAM was just something that was garnering buzz, vendors like Citrix, Nukona, and AppSense were just starting to dip their toes into the app wrapping waters, and Mocana's MAP was "only available through partner MDM and MAM solutions, including Boxtone, CACI, Apperian, and Mobiquity, among others," as Jack pointed out.
Fast forward about a year. MAM, at least in these here circles, isn't so much a buzzword anymore because it's perceived as a solid approach to enabling mobile productivity while also keeping corporate data secure. That doesn't mean it's without problems -- both Colin and Jack have argued over MAM standards recently (MobileIron is trying to address this with an app alliance) and Gabe took a deep-dive into the logistical problem of wrapping and publishing apps.
A quick tangent to address both those issues: the logistical problem of wrapping and publishing apps is much more problematic than the issue of standards. That's because wrapping and deploying apps is an actual problem an IT team needs to solve. It requires planning and thought and rolling up the sleeves to make it a reality. Plus, it's not effortless at the moment.
Standards is sort of a straw man kind of thing. Just about every MAM vendor I've talked with has admitted that having a roster of exclusive mobile apps would certainly help distinguish their product and make a great selling point or bullet point in a press release. However, the app vendors focused on making a serious market penetration in the enterprise -- Evernote, Box, etc. etc. etc. -- have no desire to work exclusively with one or two MAM vendors. Those ISVs want their software sold to as many enterprises as possible. That means they have to make their SDK available to as many MAM vendors as possible, just like they've all published open APIs to integrate with each other, even seemingly competing apps. For IT departments that want to wrap apps themselves, many of those same ISVs have said in discussions that they will make their binaries available if the customer just asks. This is why I don't think MAM standards are much of an issue.
Quick tangent over, sorry.
Back to Mocana
The biggest change is that MAP is now available on a per-user subscription or perpetual license basis. A MAP server is installed on-premises that acts as an app-wrapping gateway. IT pros can take any unsigned binary application developed in-house via the DevOps team or from third-party ISVs (obtained from the enterprise themselves by asking or from pre-arranged deals worked out by Mocana) and load them into the MAP server. The server is a web-based console that acts like a lightweight app catalog or enterprise app store. From the console, an admin can select the application, select which security policies to add to it, and then output that APK as a compiled binary.
After the wrapped app has been signed it can be pushed down to the mobile device in a variety of ways, including an MDM product, an internal app store, linked to from an intranet site, etc. Mocana has also released a series of MAP APIs so IT can use the app wrapping technology as a service in conjunction with an existing MDM product that calls out to the MAP server.
Currently, only iOS and Android are supported platforms and I get the impression that BlackBerry and Windows Phone won't be coming anytime soon. Call it a hunch.
Among the policies that Mocana supports are some standard stuff like remote data wipe, jailbreak detection, passphrase, encryption, and the like. The latest release, however, rolls out some interesting new security policies:
- Remote Data Wipe provides the ability to delete application-specific data of wrapped apps on managed and unmanaged mobile devices.
- Smart Firewall provides the option of implementing a secure app connection to the enterprise network using an SSL reverse proxy. This option is an addition to the existing per-app IPSec VPN policy. Essentially, this ensures that a specific application can only connect to a specific server when it's connected to the network.
- Geo-fencing defines where an app is usable based upon a real-world geographic location. Seems perfect for retail stores, restaurants, schools, military bases or even government that doesn't want their apps used outside the boundaries of a pre-designated location.
- Location masking protects the user by preventing an app from obtaining the current location from the device it is running on.
- App expiration defines a start and end date for app functionality which can be used with contractors and others needing temporary use of an app, or as a fail-safe for ensuring an app can no longer be used by former employees.
- App Federation allows a group of wrapped applications to share a single passphrase and have more granular data control and sharing between them. Say you deploy five wrapped applications for an employee to use on their personal device. App federation loosely links those apps together but prevents them from interacting with the rest of the device. For example, you could copy and paste data from a file syncing tool into a third-party email client but not paste that information into a personal instance of CloudOn or Gmail.
There are plenty of issues that MAM has to continue to iron out, but it's good to keep in mind that some of those issues are definitely on the minds of vendors, and with the right amount of planning and understanding of the business case you are working to enable, those problems might not be as problematic as some make them out to be.
Bonus: Next week, Jack will take a gander at Mocana's just announced Mocana Developer Program (MDP), which allows third-party mobile app ISVs to upload their app to a testing portal to ensure it works with Mocana's MAP before making their SDK available to enterprises.