As IT and end user computing march into the mobile and cloud era, concepts like enterprise mobility management and modern identity management are crucial for staying in control. This means learning about a lot of new topics, including one that I’ve followed closely over the years: mobile app management.
Managing mobile apps is now considered an essential part of dealing with mobility. However, from my time attending conferences, talking to IT pros, and talking to industry figures, I know that MAM is still challenging and confusing.
I’ve written dozens of articles about MAM over the years, but as 2017 approaches, I thought it would be useful to consolidate all this information into a handy 3-part guide.
- This article talks about why MAM is so challenging.
- Part 2 covers different MAM techniques.
- Part 3 looks at considerations for choosing and deploying MAM techniques in various scenarios.
Why is MAM challenging?
MAM forces us to deal with several new concepts.
First, there’s the fact that mobile apps and devices are controlled by Google and Apple, two companies that we haven’t always thought of as enterprise IT vendors. The control is also tighter than what we’re used to with Microsoft and Windows, where there’s historically been leeway for IT, third-party tools, and apps to really get under the hood and manipulate the Windows environment.
The tight control by Apple and Google has several effects:
- Neither IT nor enterprise software vendors can modify the OS. Only hardware OEMs can do that.
- Publicly-available apps are generally distributed through an app store, with functionality guidelines set by Apple and Google.
- Privately-distributed apps have to be digitally signed, and for iOS, the signing credentials must come directly from Apple.
- If you want to modify and repackage an app from an ISV, you can’t just buy the app from the retail app stores. Instead, you have to make special arrangements with the ISV to get permission to re-sign and re-distribute the app. Some ISVs go along with this, some don’t. (Microsoft, for example.)
This new model has plenty of benefits, though. The locked-down nature of mobile devices makes them more secure (and as a result, very few companies worry about more reactive mobile security techniques like anti-malware or threat detection). Other tasks, such as building images or working out app compatibility issues, are no longer necessary.
The other challenging concept that comes with mobility is that the relationship between users, IT, and the devices themselves is different. No longer does IT have complete control over all devices.
- In the now very well-known narratives of the consumerization of IT and bring your own device, many mobile devices in the enterprise aren’t actually the property of the organization, and users expect the right to privacy and to use these devices as they see fit.
- Users often have these expectations even when mobile devices are corporate-owned.
- As a result, applying restrictive management policies and completely locking down mobile devices just doesn’t work.
- Instead, we have to work around the fact that there are multiple parties with a stake in how a device is managed: there’s the user and the enterprise. (Or in some cases, the user, the enterprise, and other companies that the user might also work for.)
This multi-tenancy issue is why mobile management tasks such as encryption, password protection, secure network connectivity, DLP and sharing controls, and remote wipe must be applied granularly to just enterprise apps, not whole devices. This new challenge—which didn’t really exist in the past with Windows—is one of the primary reasons why MAM exists!
Why is the MAM marketplace so confusing?
Like any emerging technology area, different aspects of MAM (and EMM in general) arrived at different times, and there was a lot of hype and marketing messages that could lead to confusion. Let’s take a look at how this unfolded.
With the launch of the iPhone in 2007, enterprise mobility went from an orderly realm where a company could standardize on corporate BlackBerrys to the Wild West of iOS, Android, and BYOD. Early iOS and Android devices had very few enterprise security and management features, and the resulting hand-wringing was inevitable. Soon enough, though, the first enterprise-oriented third-party email clients arrived on the scene with NitroDesk TouchDown in 2008 and Good for Enterprise in 2009. These apps could provide an island of trust on otherwise unmanaged devices.
Then in 2010, mobile device management as we know it arrived on the scene with iOS’s over-the-air enrollment and configuration capabilities and Android’s Device Administration API. This was a huge step forward! But while some people were overjoyed and thinking, “Hurray, we can finally turn an iPhone into a BlackBerry,” many users didn’t like the idea. Around 2011 and 2012, there was a lot of debate between using MDM and using third-party enterprise email clients, which by that point had evolved into full-fledged MAM. The result? A lot of confusion. (Plus, even within MAM itself there were debates between SDK and app wrapping approaches.)
By 2013, the debate settled down, and most EMM vendors began to offer both MDM and MAM. However, the quiet period didn’t last long, as the idea of using devices with MAM features built directly into the OS (instead of into apps) began spreading. There were some earlier efforts at this that never really got much traction, so built-in MAM features really started getting attention with iOS 7 (in 2013), Samsung Knox 2.0 (in 2014) and Android for Work (announced in 2014, first available in 2015, and still spreading today).
The initial reaction to these built-in MAM features (which actually rely on MDM underneath) was to wonder about the future of MAM features that get built into apps. To a significant extent, that debate and the resulting confusion still exist today.
Other newer technologies like virtual mobile infrastructure and cloud access security brokers are also at times positioned as alternatives to MDM and MAM, leading to further debates.
The reality of the landscape today
In case you’re discouraged by some of these debates, think of the reasons behind all of this: Mobile devices and apps bring new business opportunities; user expectations have drastically changed (and aren’t likely to revert!); and mobility and the cloud are here to stay. MAM is one of the tools we need for this new landscape.
Looking at the MAM terrain today, there are still limitations and tradeoffs with various MAM technologies. For the time being—and for the foreseeable future—we’re going to need all types of MAM. That doesn’t end the confusion, though. All sorts of terms, many of them non-technical or even quite vague, are thrown around and used in both positive and negative ways. See especially “containerization” and “dual persona.”
Fortunately, the rest of this series will dive into all the relevant MAM technologies and how they work, and then how different use cases affect MAM decisions. Stay tuned!