Last year VMware announced a project called “Horizon Mobile” that would be their solution for keeping work and personal apps and data separated on smartphones. Horizon Mobile consisted of a corporate-controlled Android VM that runs as a guest on a user’s personal Android phone, a project that VMware has been working on for almost four years. While they talked about it as if it was the perfect solution for BYOD, the elephant in the room was the iPhone. There’s no way that Apple is going to allow iOS to be virtualized, so Horizon Mobile really only addressed half the market.
That all changed last week at VMworld 2012 in San Francisco. VMware announced that for iPhones, Horizon Mobile will manage native iOS applications using a technique called “app wrapping.” (I’ll dig more into app wrapping later in this article.) The app wrapping space is starting to heat up, with several vendors announcing app wrapping products for both iOS and Android. This got a lot of people wondering if VMware would forget virtualization and go with app wrapping for Android, too. However, while no dates have been announced yet, all indications are that VMware remains firm that it will go to market with virtualization for Android.
Why the separation?
App wrapping and phone OS virtualization are both meant to solve the same problem: keeping and personal and corporate information separated on mobile devices. With conventional mobile device management (MDM) solutions, security policies are applied to the entire device. That means that if IT wants to protect corporate apps with a complex password, then users have to deal with that password when they access personal apps too. Or if IT wants to remote-wipe corporate data from a phone, all the personal data is lost too. Another problem with managing the whole device is that there’s no way to prevent the commingling of personal and corporate data. (For example, a personal app could import contacts from a corporate email account.)
So the goal of Horizon Mobile is twofold: maintain privacy for personal apps and data while keeping corporate data from leaking into personal apps. Let’s take a deeper look at how the two technologies actually work, starting with last week’s announcement.
Horizon Mobile for iOS: app wrapping
Since iOS can’t be virtualized, Horizon Mobile for iOS—like most other dual-persona mobile app management solutions—keeps corporate and personal apps separated by applying a management policy just to specific corporate apps. This way a devices is free to not have a password, but corporate apps can still require them. (Or, when a remote wipe command is sent, only the corporate apps are wiped, not the entire device, etc.) In order to keep data confined within corporate apps, the apps have to be modified so they can only communicate with each other and not personal apps. By combining a corporate email client, wrapped apps, and a file syncing app, a managed work ecosystem can safely reside on an unmanaged personal device.
Horizon Mobile uses app wrapping to create these managed, insulated work apps. In this process, existing application binaries are wrapped with code that adds the management hooks and keeps them from interacting with personal apps. The problem with this is that application package files can’t be acquired directly from the Apple App Store. Instead, companies have to make arrangements with individual vendors and then distribute the apps to employees on their own.
Horizon Mobile for Android: phone OS virtualization
We’ve known about Horizon Mobile for Android for quite some time, and that it takes a completely different approach: corporate apps and data reside in a guest virtual machine. The entire VM can be managed with with no need to worry about individual apps, similar to the way that conventional mobile device management works. However, there are concerns about the usability of virtualized mobile device, and now that app wrapping exists, why not just forget it and go with one technique for both platforms?
The main advantage to virtualization is that unlike with app wrapping, any app can be deployed to the Android VM without modification. There’s no need to worry about how to wire together an email client, a file syncing app, and wrapped apps—they can all just work together natively. Another advantage is that a standard corporate Android VM gives IT a common provisioning target. Between different versions of Android, different cellular carriers, and different hardware manufactures, there are dozens or hundreds of different Android configurations out there, while for Apple there are only a small handful. With an Android VM, IT only has to worry about one configuration.
Now for the disadvantages: So far, nobody outside of VMware has had a device for a trial—we don’t know what real world performance or battery life will be like. Then there are availability issues: devices have to include an OEM enabler kit from VMware in order to host guest VMs. VMware’s goal is complete ubiquity of Horizon Mobile-compatible Android devices, but with only Verizon and Samsung on board so far in the US (and Telefónica and LG in Europe and Latin America), they have a ways to go.
What’s the value of two different approaches?
By sticking with OS virtualization for Android, VMware is taking an approach that’s completely different from every other dual-persona mobile app management vendor out there. Right now there are several vendors that do app wrapping for both Android and iOS, and most of them are shipping products today. So clearly app wrapping has a decent amount of support behind it. On the other hand, the dual-persona mobile app management market is still very new, and by doing something completely different, VMware could have a chance to outsmart the others. (Think VMware-versus-the-world circa 2001.) Also remember that VMware is a huge company, so virtualizing Android instead of doing app wrapping is a risk they can afford to take. While they might be close to market with Horizon Mobile, if the virtualization approach proves to be unpopular, it’s not unforeseeable that they could bring app wrapping for Android to market as well.
What do you think about these two different strategies for the two different platforms? Should they continue to focus on phone OS virtualization, or just app-wrapping? What about Windows Mobile and Blackberry devices?