Why Citrix shouldn’t add mobile device management to CloudGateway

Citrix has recently been hinting that Cloud Gateway could include mobile device management (MDM) capabilities in the future. While MDM could add certain features to CloudGateway, the industry in general is starting to move towards application management and a more device-agnostic future. So I wonder, is this a step back for Citrix?

Citrix and native mobile apps

This past May, Citrix announced that CloudGateway would manage native iOS and Android applications. We had been speculating about this for a while, and were really excited about the announcement. Citrix had opened the door for native mobile applications in October 2011 with the ShareFile acquisition: Citrix Receiver with ShareFile integration allows files to be opened in local, native applications instead of remotely with XenApp. Between these two developments, Citrix has become a player in the native mobile application arena while bypassing mobile device management entirely.

Recently, however, Citrix hinted that MDM may indeed be in the future for CloudGateway. In an interview with Colin Steele, a Citrix executive stated, "CloudGateway will probably be adding in some lightweight MDM kind of management—like device authentication, some things like that—just because we can't totally wait for the market to catch up and understand that MAM is really more the wave of the future."

Since “lightweight” and “device authentication” could also simply mean management through Exchange ActiveSync (many people use the term “MDM” when they really mean just Exchange ActiveSync controls) and I had heard otherwise from another source, last week I got a confirmation from Citrix:

“...We recognize the need to support additional capabilities and policies that organizations would like to add in their environment and Citrix is committed to ensuring that these policies will be available. As an example, today we can provision native mobile apps to devices, but we cannot directly remove them from the iOS springboard -- adding support for MDM-based app APIs would provide this capability while reinforcing our strategic vision.”

To understand why this is significant (and to see the one possibly ambiguous part of that statement), we have to look at what MDM could add to CloudGateway.

What does MDM add to mobile application management?

What would MDM add to CloudGateway? First of all, there are the usual MDM capabilities: ensuring that devices are encrypted, enforcing password requirements, remotely wiping devices, and provisioning settings to corporate devices. But encryption, passwords, and remote deactivation can all be done at the application level through various types of mobile application management, which leads many to question the need for device management. MDM has other advantages: you can make corporate phones into whatever you want them to be, you can rapidly set up Wi-Fi and VPN access for hordes of users, and regulated industries are one of the standard use cases for MDM.

For MAM, the one important extra feature you get with MDM is the ability to see what other applications are on the device. It's possible to push app installations, and for Android (but not for iOS) it's possible to remove applications. (This is why the second statement from Citrix is a little inaccurate. For iOS MDM, "removing" an application usually consists of becoming aware of its presence, then threatening the user with some sort of action if they don't uninstall it, usually something like booting the device off of EAS or the network, or even remote wiping the whole thing.) (UPDATE: It is actually possible, under certain circumstances, to remove an iOS app if it was installed through MDM as a managed app, and not by the user.)

Why do you want this visibility into applications? Usually it's to keep nasty ones from accessing corporate email in a device's built-in email client. A sandboxed email client could solve this issue, but then users miss out on smooth integration. (We got a glimpse of such a client from Citrix at Synergy, but there's no indication at all that it is an upcoming product.)
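As an added example (my own code, not the article's and not anything from Citrix), here is what that distinction looks like at the level of Apple's MDM protocol, in Python. What is real: the command names InstalledApplicationList, ManagedApplicationList and RemoveApplication, and the rule that RemoveApplication only works on apps the MDM server itself installed as managed apps. What is assumed: the device replies and the admin blocklist are constructed samples with made-up bundle IDs, and the messages are trimmed to a few keys.

```python
"""Added example (not from the article, not Citrix code): what an iOS MDM
server can and cannot do about an app that is on the device.

It models three real Apple MDM protocol messages (InstalledApplicationList,
ManagedApplicationList and RemoveApplication) using the standard-library
plistlib. The device responses and the blocklist below are constructed
samples with made-up bundle IDs, not captured traffic.
"""
import plistlib

# Constructed reply to an InstalledApplicationList query: every app on the
# device, whoever installed it. Only a few of the real keys are kept.
INSTALLED_RESPONSE = {
    "Status": "Acknowledged",
    "InstalledApplicationList": [
        {"Identifier": "com.example.expenses", "Name": "Expenses", "Version": "2.1"},
        {"Identifier": "com.example.dropfiles", "Name": "DropFiles", "Version": "1.0"},
        {"Identifier": "com.example.blocks", "Name": "Blocks", "Version": "3.4"},
    ],
}

# Constructed reply to a ManagedApplicationList query: only apps that this MDM
# server installed as managed apps appear here. ManagementFlags 1 means
# "remove the app when the MDM enrollment profile is removed".
MANAGED_RESPONSE = {
    "Status": "Acknowledged",
    "ManagedApplicationList": {
        "com.example.expenses": {"Status": "Managed", "ManagementFlags": 1},
    },
}


def installed_ids(installed_response):
    """Bundle IDs reported by an InstalledApplicationList response."""
    return {app["Identifier"]
            for app in installed_response.get("InstalledApplicationList", [])}


def managed_ids(managed_response):
    """Bundle IDs this server manages: the only ones RemoveApplication can act on."""
    apps = managed_response.get("ManagedApplicationList", {})
    return {bundle_id for bundle_id, info in apps.items()
            if info.get("Status") == "Managed"}


def triage_blocklist(blocklist, installed_response, managed_response):
    """Split a hypothetical admin blocklist into what MDM can remove and what it can only see.

    Returns (removable, detect_only). Removable apps are blocklisted, present
    and managed. Detect-only apps are blocklisted and present but were
    installed by the user, so the server can only notice them and apply some
    other sanction (EAS block, network block, wipe).
    """
    present = set(blocklist) & installed_ids(installed_response)
    managed = managed_ids(managed_response)
    return sorted(present & managed), sorted(present - managed)


def remove_application_command(bundle_id, command_uuid):
    """Serialize a RemoveApplication command as the XML plist the device expects.

    Sending this for a bundle ID that is not in the managed list does not
    uninstall anything; the device answers with an error status instead.
    """
    command = {
        "CommandUUID": command_uuid,
        "Command": {"RequestType": "RemoveApplication", "Identifier": bundle_id},
    }
    return plistlib.dumps(command)


def parse_plist(data):
    """Decode a plist produced by remove_application_command (or a device reply)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    # Hypothetical blocklist: one managed app, one user-installed app, one absent.
    blocklist = ["com.example.dropfiles", "com.example.expenses", "com.example.absent"]
    removable, detect_only = triage_blocklist(blocklist, INSTALLED_RESPONSE, MANAGED_RESPONSE)
    print("can remove via MDM:", removable)
    print("can only detect:", detect_only)
    for bundle_id in removable:
        print(remove_application_command(bundle_id, "cmd-0001").decode())
```

With the constructed inventory, only com.example.expenses ends up in the removable list; com.example.dropfiles is user-installed, so all the server can do is report it and let policy decide what to threaten. That is the whole gap the article is pointing at: for a user-installed app the MDM "removal" story is really a detection story.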

Citrix and MDM

Citrix is an application delivery company, not a device management company. MDM could be a new market for them (perhaps even as a Citrix Online product?), but by the sound of their statements, Citrix isn't adopting MDM for device management itself, just to give a limited boost to the MAM capabilities. But if that is the reason, then it points to a shortcoming in their MAM technology. CloudGateway's MAM comes through app wrapping, which means that you can take any old app and add all the encryption, passwords, VPN tunnels, and remote kill switches you want. (Remember, you still can't remove the app, but you can make it unusable for accessing corporate data.)

If CloudGateway needs MDM to sweep up the leftover bits, then something's not right with the MAM. If there's something you need to deactivate, it should be built into the wrapper, or deactivation should happen through identity: revoke the user's access and the wrapped app can no longer reach corporate data, whether or not it is still on the device. (I wonder if Brian Katz's definition of a crapplication includes one that needs MDM on the device in order to be secure?)

When it comes to the device management portion of MDM, it's not a good fit for Citrix. Citrix is in a good position to push the industry toward a more device-agnostic future. With the entry of desktop-related companies into the mobile field (Citrix, AppSense, RES, VMware), the dynamics of MDM and MAM will surely be changing, and going to MDM-based management instead is a step backwards. Remember that the big story here is BYOD, and users are smart enough to get their devices onto a Wi-Fi network and set up email themselves.

What about “light” use of MDM?

Citrix and MDM brings up another interesting question: are there degrees of variation in MDM configuration profiles? The standard answer when it comes to using MDM with BYOD is that it's all about how the tool is implemented. Companies can choose to be more liberal in how they manage employees' personal devices (keep passcodes to just four digits, avoid remote wiping, stay away from heavy-handed app blacklisting). So if some of that stuff isn't even present in the CloudGateway MDM UI, does that make it "light MDM"? Citrix said they wanted MDM for the ability to remove apps, and that means exposing the list of installed applications to administrators. Will users be okay with admins looking at what personal apps they use? See the article How much control over your phone are you willing to give up? Every user will be comfortable with a different level of management. (There could also be some users, like contractors, whose devices are already managed by other companies.)


For right now, we don't know how Citrix will actually implement mobile device management in CloudGateway, so this is mostly speculation. Having said that, Citrix should take this opportunity to push for a device-agnostic, mobile application management-based future.


Join the conversation



Great article.

MDM in my view is simply a way to cripple or slow down the adoption of BYOD in an organization.

Regardless of how restrictively the IT policies are enforced by an organization's MDM tool, managing 'the device' is simply a battle that IT can't win!

I really like the concept and ideas behind what Simon Crosby is doing at Bromium with MicroVMs.

In the end, IT devices will always be exposed to a hostile environment. IT organizations and IT vendors alike need to ask themselves what it is that needs to be protected in an organization's IT environment.

The whole idea of BYOD or consumerization of IT is that it doesn't matter which device I use to do my work.

So, applying the IT controls at the data and application level instead of the device level makes it a lot easier for me to move between devices.

Going back to the core of the article, why can't the app wrapper simply include a self-destruct mechanism that either scrambles the wrapped app or makes the wrapped app otherwise 'unreadable' for reverse engineering purposes...
