Understanding Citrix’s 'Dynamic Containerization' demo and the future of app wrapping

At Citrix Synergy 2015, Citrix showed a demo of XenMobile using app wrapping to apply “dynamic containerization” to apps from public app stores. This is interesting because it brings up questions about app licensing, the future of mobile app management, and enterprise app strategy in general. Today I’ll dig in to see if there are any answers.

First off, why is app wrapping public apps interesting? To understand you need to know about the two main categories of mobile app management that are prominent today. There are a lot of technical and marketing terms floating around, but I refer to the categories as app-level MAM and device-level MAM.

  • App-level MAM is any technology that incorporates management hooks and features directly into apps themselves. It’s powerful because you can build in whatever features you want, but it’s limited to a subset of apps because of the need for advance planning. Examples include apps built with MAM SDKs, apps that come from EMM vendors and their partner ISVs, and app wrapping as we know it today. (I’ll explain more in a second.)
  • Device-level MAM puts the enterprise app management hooks in the OS. This has the advantage that it can be applied to any app, but it’s limited to whatever capabilities happen to be available in the OS, and it requires managing the entire device with MDM.

You can see that these each have their strengths and weaknesses. An ideal solution would combine the best of both worlds, and this is where app wrapping public apps comes in.

App wrapping takes a pre-existing mobile app binary and puts it inside of a new shell app that has the necessary app-level MAM capabilities built in. Technically this solves our problem, but unfortunately there are issues with licensing. Since app wrapping can change the behavior of an app and usually involves re-signing and redistributing it, the general consensus in the EMM industry is that this is against the rules of the public app stores. So a company can’t just wrap any old app, and app wrapping is more like any other app-level MAM technique that requires an advance arrangement. Often it’s positioned as a more convenient alternative to development using a MAM SDK.

So as I was saying, it would be useful if we actually could go ahead and wrap apps from public app stores. What’s the status of those efforts?

  • So far neither Apple nor Google has officially endorsed it. On the other hand, I haven’t heard of anyone getting in trouble for it, either.
  • Citrix demonstrated it at Synergy, but it was in their day 2 keynote that was meant to show off potential future features, not firm announcements about shipping products. So there’s no real answer yet about how licensing is handled. You can read some Citrix employees’ comments in this article from Colin Steele.
  • Bluebox Security already provides app wrapping for public apps. They said their legal team has reviewed all the relevant terms and conditions, and that Google and Apple are aware of what they do, and that it’s perfectly fine. I wrote that this could be the new wisdom about app wrapping.
  • Other similar efforts in this space are Better Mobile Security and Pulse Secure’s app virtualization for Android. These are more involved, so read here and here for the details.

Before we go any farther, let’s look at the situations where you would or wouldn’t want to wrap a public app. Here’s where you would need to wrap a public app:

  • If a company wants to add advanced app-level MAM features to an app, but can’t make advance arrangements with the ISV.
  • You’re dealing with devices that don’t have any device-level MAM features (essentially many of today’s Android phones and tablets).
  • You can’t or don’t want to manage the device with MDM (because of BYOD or because the user works for multiple companies).
  • The device-level MAM available doesn’t have the features you want. (For example, one of the future reasons to use Citrix’s app-level framework is that it will provide X1 Mouse support on iOS.) This is a problem that will never go away, no matter how advanced the mobile OSes get.
  • You don’t want to put all your trust in the mobile OS. This is another problem that never goes away.

On the other hand:

  • Many of the apps that we would want to use in an enterprise are starting to have enterprise management features anyway.
  • Would many ISVs really want to miss out on a deal by not letting customers use app wrapping on their apps?
  • We can ignore the vast majority of consumer apps since there’s no need to wrap or manage them.
  • As companies start moving on towards more advanced app strategies and build more custom apps they’ll have the opportunity to add in any MAM features they want.
  • Device-level MAM keeps on getting better. (iOS 9 will surely bring another wave of EMM improvements later this year.)
  • Device-level MAM will also get more prominent. (Android for Work will be available on more devices as time goes by.)

All of these arguments for and against app wrapping public apps might seem a bit academic, and indeed they can be—unless you happen to have an “app that matters” and can’t figure out any other way to manage it.

One possible example could be with Microsoft’s mobile apps. There are customers and third-party EMM vendors that would like to manage the Microsoft apps with app-level MAM, but Microsoft has made it clear that they don’t plan on opening up their apps for this—the only way you’ll be able to manage them is with Microsoft Intune or by using device-level MAM. (By the way, notice that in the demo at Synergy, the app that Citrix wrapped was Lync for iPad. :)

Now that Citrix has brought more attention to app wrapping public apps, hopefully this will also force some sort of answer on the issue. Don’t forget that Apple’s Worldwide Developer Conference is next week, which means a chance for more clarity.

Just thinking out loud for a second, I can envision some ways to make this practice more acceptable. For example, for every time you want to push a wrapped app to a device, it would have to be pulled directly from the app store first. (So you couldn’t download an app just once and distribute it to many devices, but instead keep a 1 to 1 relationship between store downloads and copies installed on devices.) This could be limited to just established EMM vendors, and happen in a careful, controlled way.

Overall, there will always be a place for app-level MAM and, likewise, there will always be situations where we’ll want to use app wrapping on apps from public stores. So stay tuned.
