VMware says Horizon Mobile will do app wrapping for iOS, but OS virtualization for Android.

Last year VMware announced a project called "Horizon Mobile" that would be their solution for keeping work and personal apps and data separated on smartphones. Horizon Mobile consisted of a corporate-controlled Android VM that runs as a guest on a user's personal Android phone, a project that VMware has been working on for almost four years.

Last year VMware announced a project called “Horizon Mobile” that would be their solution for keeping work and personal apps and data separated on smartphones. Horizon Mobile consisted of a corporate-controlled Android VM that runs as a guest on a user’s personal Android phone, a project that VMware has been working on for almost four years. While they talked about it as if it was the perfect solution for BYOD, the elephant in the room was the iPhone. There’s no way that Apple is going to allow iOS to be virtualized, so Horizon Mobile really only addressed half the market.

That all changed last week at VMworld 2012 in San Francisco. VMware announced that for iPhones, Horizon Mobile will manage native iOS applications using a technique called “app wrapping.” (I’ll dig more into app wrapping later in this article.) The app wrapping space is starting to heat up, with several vendors announcing app wrapping products for both iOS and Android. This got a lot of people wondering if VMware would forget virtualization and go with app wrapping for Android, too. However, while no dates have been announced yet, all indications are that VMware remains firm that it will go to market with virtualization for Android.

Why the separation?

App wrapping and phone OS virtualization are both meant to solve the same problem: keeping and personal and corporate information separated on mobile devices. With conventional mobile device management (MDM) solutions, security policies are applied to the entire device. That means that if IT wants to protect corporate apps with a complex password, then users have to deal with that password when they access personal apps too. Or if IT wants to remote-wipe corporate data from a phone, all the personal data is lost too. Another problem with managing the whole device is that there’s no way to prevent the commingling of personal and corporate data. (For example, a personal app could import contacts from a corporate email account.)

So the goal of Horizon Mobile is twofold: maintain privacy for personal apps and data while keeping corporate data from leaking into personal apps. Let’s take a deeper look at how the two technologies actually work, starting with last week’s announcement.

Horizon Mobile for iOS: app wrapping

Since iOS can’t be virtualized, Horizon Mobile for iOS—like most other dual-persona mobile app management solutions—keeps corporate and personal apps separated by applying a management policy just to specific corporate apps. This way a devices is free to not have a password, but corporate apps can still require them. (Or, when a remote wipe command is sent, only the corporate apps are wiped, not the entire device, etc.) In order to keep data confined within corporate apps, the apps have to be modified so they can only communicate with each other and not personal apps. By combining a corporate email client, wrapped apps, and a file syncing app, a managed work ecosystem can safely reside on an unmanaged personal device.

Horizon Mobile uses app wrapping to create these managed, insulated work apps. In this process, existing application binaries are wrapped with code that adds the management hooks and keeps them from interacting with personal apps. The problem with this is that application package files can’t be acquired directly from the Apple App Store. Instead, companies have to make arrangements with individual vendors and then distribute the apps to employees on their own.

Horizon Mobile for Android: phone OS virtualization

We’ve known about Horizon Mobile for Android for quite some time, and that it takes a completely different approach: corporate apps and data reside in a guest virtual machine. The entire VM can be managed with with no need to worry about individual apps, similar to the way that conventional mobile device management works. However, there are concerns about the usability of virtualized mobile device, and now that app wrapping exists, why not just forget it and go with one technique for both platforms?

The main advantage to virtualization is that unlike with app wrapping, any app can be deployed to the Android VM without modification. There’s no need to worry about how to wire together an email client, a file syncing app, and wrapped apps—they can all just work together natively. Another advantage is that a standard corporate Android VM gives IT a common provisioning target. Between different versions of Android, different cellular carriers, and different hardware manufactures, there are dozens or hundreds of different Android configurations out there, while for Apple there are only a small handful. With an Android VM, IT only has to worry about one configuration.

Now for the disadvantages: So far, nobody outside of VMware has had a device for a trial—we don’t know what real world performance or battery life will be like. Then there are availability issues: devices have to include an OEM enabler kit from VMware in order to host guest VMs. VMware’s goal is complete ubiquity of Horizon Mobile-compatible Android devices, but with only Verizon and Samsung on board so far in the US (and Telefónica and LG in Europe and Latin America), they have a ways to go.

What’s the value of two different approaches?

By sticking with OS virtualization for Android, VMware is taking an approach that’s completely different from every other dual-persona mobile app management vendor out there. Right now there are several vendors that do app wrapping for both Android and iOS, and most of them are shipping products today. So clearly app wrapping has a decent amount of support behind it. On the other hand, the dual-persona mobile app management market is still very new, and by doing something completely different, VMware could have a chance to outsmart the others. (Think VMware-versus-the-world circa 2001.) Also remember that VMware is a huge company, so virtualizing Android instead of doing app wrapping is a risk they can afford to take. While they might be close to market with Horizon Mobile, if the virtualization approach proves to be unpopular, it’s not unforeseeable that they could bring app wrapping for Android to market as well.

What do you think about these two different strategies for the two different platforms? Should they continue to focus on phone OS virtualization, or just app-wrapping? What about Windows Mobile and Blackberry devices?

Join the conversation


Send me notifications when other members comment.

Please create a username to comment.

I wonder if VMware was caught off-guard by the whole app wrapping concept? I totally get why they went with the VM approach two years ago.. the company is (was?) all about VMs.. so I imagine a meeting like, "How do we solve the phone management problem? With a VM of course!"

So part of me thinks that now they should abandon the VM approach since app wrapping will work on all platforms. Then again, app wrapping isn't really proven yet either, and if several other vendors are doing it, then having the VM approach might be good differentiation for them? Heck, maybe iOS will eventually let Android VMs run on those devices? (And I'm sure Windows Phone and Blackberry will since they both have nothing to lose.) So the VM think could be interesting!


Agreed that MAM is not yet proven, but it holds the most promise. A limited HCL for Android OS virtualization will continue to be the Achilles heel, hence the continued delay of a real product release. Any mobility solution which is limited by a HCL or an OS rev is bound to fail -- the handset makers churn out devices way too quickly.

Putting the HCL limitations aside, deploying a mobile OS VM presents the same app-mgmt issues that would happen if everyone in the organization received the same Windows image with a static set of apps. How does one track mobile app deployment/usage/licensing?

Android OS virtualization may serve a niche use case today, but as phones are released with dual-SIMs natively (Galaxy Duo, etc) does having a virtual phone OS make sense if i can securely deploy corporate apps and data using MAM?


I would not fully agree that MAM isn’t proven. Companies like Apperian & AppCentral are finding a lot of success in helping the Enterprise build a successful framework for application security. There are certainly gaps to fill, but this is a quickly maturing market.

As long as iDevices continue to dominate a large chunk of the consumer market, mobile agnostic OS virtualization solutions will stay vaperware. I am partially confused on this strategy by vmWare when they own assets like Zimbra & Sliderocket, but they are a gorilla with money to play all sides of the field.  

For the BYO initatives I’m involved with, Sandboxing and App-Wrapping are very convincing long-term solutions. It solves the business challenges of protecting corporate data and meets their perceptive savings going with a BYO policy. Most importantly, end users stay happy because they don’t have to “businessify” their devices with passwords and permissions. A mobile OS VM screams complication, added costs and scope creep.

Great write up BTW.


Neither confusing nor brilliant.  Just necessary.

Apple will not allow VMware to adopt the type II hypervisor approach with iOS, so the secure container approach is the only way to successfully implement BYOD on iPhone/iPad.  VMware could have adopted the same approach with Android, but the full virtualized OS gives IT greater control and if done right will not inconvenience or confuse the user. The key is that it must be done right, and VMware appears to have succeeded here.