We’re going to have to learn some new concepts for iOS 7 mobile app management

iOS 7 and its mobile app management (MAM) capabilities are the talk of the EMM industry. The short version of the story is that MAM features that were once only available from third-party vendors are now going to be available directly through the operating system. This gives rise to a range of new ways to think about MAM.

As a disclaimer, don’t forget that the details of how all of this works are under NDA until iOS 7 is released, which rumors are saying will happen in September. Everything I’m talking about today is based on the fairly limited amount of information that Apple has released so far. However, even with this limited data, there’s still a lot to talk about.

There’s a new way of doing MAM, and it utilizes Apple’s existing mobile device management technology

iOS currently provides mobile device management capabilities through configuration profiles. These profiles can be used to change various settings on the device, and can connect devices—over the air—to management servers. (To learn more about configuration profiles, check out the iPhone Configuration Utility.) iOS 7 will extend these capabilities to include granular, app-level management features.

This will for sure be awesome, because right now granular app-level management means using third-party MAM and specialized apps, as well as dealing with things like app wrapping, SDKs, and vendors building up ecosystems of partner apps. Acquiring apps that work with third-party MAM can be a hassle.

The end result is that soon there will be two ways of getting granular app management: OS-enabled MAM and third-party MAM. These MAM techniques have many similar features, but it’s very important to keep in mind that they also have inherent differences. (I wrote an article about this a few weeks ago.)

We have to change the way we think about Apple’s MDM protocol

For the last year or two, we’ve thought about the EMM space like this: If you want to manage the whole device, you go with the profiles and protocol offered by Apple. So iOS MDM means taking over the device. And if you want to manage apps, that’s a third-party thing involving specialized apps. Got it?

One of the use cases of MAM is for when you just want to worry about a few apps without taking over the device. So just doing “apps only” means not dealing with the iOS protocol and profiles and all that. But if you want to use iOS 7 MAM to manage the apps, then that will mean taking over the whole device with MDM and profiles and everything? Hmmm...

Here’s the thing: configuration profiles are actually pretty flexible. While we always think of them as taking over the device, they can actually get very specific about what rights the MDM server or remote administrator can have on the device. Check out the screenshot of the iPhone Configuration Utility (below). It shows the part of a configuration profile that makes the MDM connection from the device to the server, with all the rights that can be assigned or not assigned.

What this means is that depending on how everything in iOS 7 is implemented, it will actually be possible to use MDM profiles to manage just the apps and not take over the device, similar to the way third-party MAM can be used today. You’ll just choose not to include any access rights that aren’t necessary for managing apps.
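The access rights described above can be checked mechanically before a profile is deployed. The following is an added example, not code from the original article or from Apple: it reads the MDM payload of a configuration profile and lists any granted rights beyond an "apps only" allowlist. The bit values are those Apple publishes for the MDM payload's `AccessRights` key; the allowlist, the function names, and the sample server URL are assumptions made for illustration.

```python
import plistlib

# AccessRights bit flags of the com.apple.mdm payload, from Apple's published
# Configuration Profile Reference (not from the article).
RIGHTS = {
    1: "inspect configuration profiles", 2: "install/remove configuration profiles",
    4: "device lock and passcode removal", 8: "device erase",
    16: "query device information", 32: "query network information",
    64: "inspect provisioning profiles", 128: "install/remove provisioning profiles",
    256: "inspect installed applications", 512: "restriction-related queries",
    1024: "security-related queries", 2048: "manipulate settings",
    4096: "app management",
}

# Assumption: an "apps only" policy permits app inspection and app management.
APPS_ONLY = 256 | 4096

def is_valid_mask(mask: int) -> bool:
    """Documented constraints: non-zero; 2 requires 1; 128 requires 64."""
    return (mask != 0
            and not (mask & 2 and not mask & 1)
            and not (mask & 128 and not mask & 64))

def audit_profile(data: bytes, allowed: int = APPS_ONLY) -> list:
    """Report granted and excess rights for each MDM payload in a profile."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mdm":
            continue
        mask = int(payload.get("AccessRights", 0))
        findings.append({
            "server": payload.get("ServerURL"),
            "valid": is_valid_mask(mask),
            "granted": [n for b, n in RIGHTS.items() if mask & b],
            "excess": [n for b, n in RIGHTS.items() if mask & b & ~allowed],
        })
    return findings

def sample_profile(mask: int) -> bytes:
    """Constructed sample profile; the server URL is a placeholder."""
    mdm = {"PayloadType": "com.apple.mdm", "AccessRights": mask,
           "ServerURL": "https://mdm.example.invalid/checkin"}
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": [mdm]})

if __name__ == "__main__":
    for mask in (8191, APPS_ONLY):  # all rights vs. apps-only
        for f in audit_profile(sample_profile(mask)):
            print(mask, f["server"], "excess:", f["excess"] or "none")
```
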

This is very different from the way that we’ve been thinking about iOS MDM configuration profiles for the last couple of years. So no more “iOS MDM profiles = take over the device.” Now we have to think of this in a new, more nuanced way. Of course this is all predicated on the third-party servers that we use to interface with configuration profiles. They have to be able to give us flexible ways to use the configuration profiles—in other words, all of these granular options have to be exposed to administrators or usable through policies.

This new way of managing apps might be a tough sell in some cases

We’ll soon have this new way of managing apps using iOS 7 MAM, but is it going to work for all of the use cases that third-party MAM does?

In situations where iOS MDM and third-party MAM are already being combined or where just MDM is being used, iOS 7 MAM will be just fine—and this is probably a lot of cases. But think about the situations where people are just using third-party MAM and no MDM or configuration profiles at all—moving to iOS 7 MAM would be a big change.

Third-party MAM is an easy concept to grasp because it’s “just an app.” But an app plus a configuration profile and MDM, for the same functionality? That’s a little bit more complex, certainly something that users would have a more difficult time understanding. If you want to just manage apps and not devices, but then in order to do that you’re using configuration profiles and MDM, is this approach too heavy compared to just an app alone? Is having to include a profile overkill? Then again, there are advantages because now you will be able to do this with any app, not just special MAM-compatible apps.

Again, we don’t really know exactly how all this will work, and we’ll just have to wait and see what we learn when iOS 7 comes out. I’m not trying to spread FUD or anything, but these are the questions that I’ll be asking.

There are still a lot of use cases for third-party MAM

Regardless, there are still some cases where you definitely will need third-party MAM.

First, there’s the “apps only” use case that I was just talking about. If you decided that the iOS 7 way is not the way for you, then it’s back to just third-party MAM. This could be because of privacy requirements, or it could be because iOS devices can only be linked to one management server at a time.

The second and possibly more important use case for third-party MAM is to go above and beyond the features that iOS 7 will provide. Apple’s list of MAM features is actually fairly basic compared to what many third-party MAM vendors offer. You can bet that a lot of third-party MAM vendors will be marketing around this, while MDM vendors without third-party MAM will dismiss this.

The good thing about all of this is that even though the landscape is shifting, we’re ending up with more options than we had before. Everybody will benefit from that.


The next article in my series of iOS 7 coverage will look at how iOS 7 MAM will affect different types of EMM vendors. Stay tuned! After that, I’ll put a bow on my iOS 7 coverage until it actually arrives.

Join the conversation



I don't give a crap about the Apple NDA, don't know why everybody tiptoes around it so much. I've spoken to developer buddies and they showed me that the iOS MAM capabilities are very basic and don't come anywhere close to meeting enterprise needs. MDM and MAM vendors will simply leverage them if they need and add value on enterprise features around management. Much ado about nothing. Just feels like the OMG RDS and RDP are going to kill ICA and Citrix BS we've heard for the last 15 years.


@appdetective Some folks give a crap because they understand that the NDA is a binding agreement and by signing it they give their word to abide by it. Those of lesser moral character may sneer at it, but others actually believe that their word means something.


@appdetective -- I've heard the same thing from developers. I guess the SSO for apps uses Kerberos. I didn't quite understand it technically, but someone said authentication hasn't been done like that since 1999 and he was confused as to why Apple was taking that approach.

MAM/MDM vendors are happy they are there because it makes their jobs easier in certain respects, but nothing ground-shaking like people first thought.


Very good points, Jack. I have some similar points in my blog on iOS7. There is a certain segment of the market, especially BYOD, that does not want to MDM manage their devices or can't for privacy reasons, and Apple's solution REQUIRES that devices are MDM managed. MAM can be a nice addition to MDM, but should not depend on MDM.

MANY details to still be revealed by Apple around perApp VPN and Enterprise SSO that are not public yet. Will make a further opinion when more is known.

In the meantime, we are happy that Apple recognizes the need for MAM in the market as do we and hopefully they will give app developers control without the enforcement of an MDM.