This week the Apple Worldwide Developers Conference is going to take up a lot of attention in the EMM space (we’ll dig through that later this week), but today VMware has some EUC announcements of their own.
If you haven’t heard of Tanium (which I hadn’t until this announcement), it works through a desktop agent that can be queried and controlled in real time. (Tanium is not a mobile product, just to clear up any potential confusion.) Tanium was founded by David and Orion Hindawi, the father-and-son team that built BigFix and sold it to IBM. TrustPoint will add more new capabilities to VMware’s endpoint management play, alongside AirWatch and AppVolumes.
Second, VMware is bringing cloud access security brokers (CASBs) into the AirWatch Mobile Security Alliance. The idea behind the Mobile Security Alliance is that different types of security vendors can connect to AirWatch via APIs. The security vendors can provide whatever their unique technology does, and then AirWatch can be used to apply policies and do remediation on mobile devices. This saves security vendors from having to build their own EMM stack. Blue Coat, CloudLock, Netskope, Palo Alto Networks, and Skyhigh Networks are joining the program. (By the way, it’s also time for us to write an article called “What is a CASB?”)
Third, VMware is making updates to Workspace One and AirWatch, and if you’ve been following the complexities of the mobile app management space for a while, this is pretty interesting.
AirWatch and Identity Manager updates include:
- Support for all the latest iOS 9.3 MDM APIs.
- Support for Apple School Manager.
- A new multi-factor authentication app called VMware Verify.
- Support for more Windows 10 and Windows 10 Mobile features, including Business Store Portal integration, license management, and kiosk mode.
Here’s the interesting part: AirWatch is going to get more nuanced about how it uses iOS MDM profiles.
Today, MDM is often thought of as a binary thing. Either a device is managed, and IT can take advantage of built-in mobile app management features; or the device is unmanaged, and IT has to rely on MAM features that are built directly into special versions of apps. Both techniques have their own inherent strengths and weaknesses.
If the device is managed, IT can also potentially remote wipe it or see the user’s personal applications. This obviously makes some users uncomfortable with enrolling their personal devices in MDM.
MDM doesn’t have to be all or nothing, though. In iOS, it has actually always been possible for an MDM server to just ask for limited specific management rights on a device, instead of having complete control. So for example, an MDM server could be able to install and remove corporate apps and profiles, but not be able to wipe the entire device. IT can still use the built-in MAM features, and users should be more comfortable about privacy.
Up until now, very few MDM servers had actually taken advantage of these nuances. Instead, most products take all the rights by default and then implement any restrictions on management controls in the admin UI. However, now VMware will offer MDM connections with these more limited capabilities. I’ve always been a proponent of offering as much mobile app management flexibility as possible, so I love this announcement.
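As an added example (not AirWatch's code and not part of the original article): on iOS, the rights an MDM server requests are carried as the `AccessRights` bitmask in the `com.apple.mdm` payload of the enrollment profile. The Python script below decodes that bitmask from an unsigned profile and flags the two rights discussed above, device erase and installed-app inspection; the sample profile and the choice of which rights to flag are assumptions made for illustration.

```python
import plistlib

# Bit values of the AccessRights key (com.apple.mdm payload), per Apple's MDM protocol reference.
ACCESS_RIGHTS = {
    1: "inspect configuration profiles",
    2: "install/remove configuration profiles",
    4: "device lock and passcode removal",
    8: "device erase",
    16: "query device information",
    32: "query network information",
    64: "inspect provisioning profiles",
    128: "install/remove provisioning profiles",
    256: "inspect installed applications",
    512: "restriction-related queries",
    1024: "security-related queries",
    2048: "manipulate settings",
    4096: "app management",
}
# Rights a BYOD user is most likely to object to (assumption for this example).
PRIVACY_SENSITIVE = {8, 256}

def mdm_access_rights(profile_bytes):
    """Return the AccessRights bitmask of the MDM payload in an enrollment profile."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mdm":
            return payload["AccessRights"]
    raise ValueError("profile contains no com.apple.mdm payload")

def audit(profile_bytes):
    """Decode the bitmask into granted rights and the privacy-sensitive subset."""
    mask = mdm_access_rights(profile_bytes)
    granted = [name for bit, name in ACCESS_RIGHTS.items() if mask & bit]
    flagged = [ACCESS_RIGHTS[bit] for bit in sorted(PRIVACY_SENSITIVE) if mask & bit]
    return {"mask": mask, "granted": granted, "flagged": flagged}

def sample_profile(mask):
    """Build a constructed enrollment profile (sample data, not a real server's)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.mdm",
            "AccessRights": mask,
        }],
    })

if __name__ == "__main__":
    for mask in (8191, 4099):  # 8191 = every right; 4099 = profiles (1+2) + app management
        print(audit(sample_profile(mask)))
```

A signed (CMS-wrapped) profile would need its signature envelope removed before `plistlib` can parse it.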
Things are a little different on the Android side. When Android for Work is used in profile owner mode (which would be in most BYOD situations), the MDM server already has limited control over the entire device, and cannot see users' personal apps.