What En­ter­prise Mo­bile Man­age­ment Strat­egy Should You Adopt for BYOD?

The cur­rent BYOD (bring your own de­vice) trend for en­ter­prise mo­bile ap­pli­ca­tions has its pros and cons. The au­thor walks the reader through the prob­lems faced by sys­tems ad­mins when im­ple­ment­ing strate­gies for en­ter­prise mo­bile man­age­ment (EMM), draw­ing

OpenSource For You - - Contents -

De­vel­op­ers or prod­uct man­agers of en­ter­prise grade mo­bile apps of­ten wish their apps could be man­aged by en­ter­prise IT ad­mins us­ing pop­u­lar En­ter­prise Mo­bile Man­age­ment (EMM) so­lu­tions. Sim­i­larly, IT ad­mins are on the look­out for the ideal mo­bile strat­egy to man­age and se­cure busi­ness apps, with data re­sid­ing on the user’s per­sonal mo­bile de­vice.

Over the course of my work in this do­main, I found so­lu­tions to ad­dress both these im­por­tant re­quire­ments. It hap­pened while work­ing on an as­sign­ment to de­fine an ex­ten­si­ble mo­bile strat­egy for a pop­u­lar work­force man­age­ment (WFM) mo­bile prod­uct. The task was to en­able it to be man­aged by IT ad­mins us­ing pop­u­lar EMM so­lu­tions in the mar­ket, whether Air-watch (AW), Mo­bileIron (MI), SOTI or SAP Afaria. The ma­jor re­quire­ment was to en­able the IT ad­min to dy­nam­i­cally con­fig­ure WFM to set key prop­er­ties like the server URL from the EMM ad­min console.

This ar­ti­cle is based on my ex­pe­ri­ence from that ex­er­cise. It will pro­vide in­sights to help you de­cide the best mo­bile man­age­ment strat­egy for your needs. Ad­di­tion­ally, it will help you un­der­stand the new, stan­dard EMM in­te­gra­tion ap­proach by high­light­ing the pros and cons of each of the legacy EMM in­te­gra­tion ap­proaches nor­mally used.

BYOD: Ben­e­fits and trends

The use of mo­bile de­vices for work op­er­a­tions has be­come

quite com­mon. In fact, with BYOD (bring your own de­vice), it has be­come a ba­sic need nowa­days.

Ac­cord­ing to Wikipedia, BYOD refers to the pol­icy of per­mit­ting em­ploy­ees to bring per­son­ally owned de­vices (smart­phones, tablets, etc) to their work­place, and to use those de­vices to ac­cess priv­i­leged com­pany in­for­ma­tion and ap­pli­ca­tions.

BYOD has re­sulted in a lot of ben­e­fits like:

1. In­creased productivity of em­ploy­ees when they work from de­vices they are fa­mil­iar with as it helps them com­plete tasks faster. A sur­vey car­ried out by Dell and

In­tel con­firms this.

2. Em­ployee sat­is­fac­tion.

3. Cost re­duc­tion—no hard­ware/COPE (cor­po­rate owned per­son­ally en­abled) de­vice pro­cure­ment.

Ow­ing to the ben­e­fits men­tioned, there has been sub­stan­tial adop­tion of BYOD in en­ter­prises in the past few years and this is ex­pected to grow even more in the fu­ture. Ac­cord­ing to Gart­ner, half the em­ploy­ers around the world were op­er­at­ing on the ba­sis of BYOD by the end of 2016, and 90 per cent of or­gan­i­sa­tions will sup­port some as­pect of BYOD through 2017.

The need for MDM al­ter­na­tives for BYOD

Mo­bile de­vice us­age for work has led to IT ad­mins search­ing for tech­nol­ogy so­lu­tions to se­cure these de­vices and safe­guard

com­pany/busi­ness data.

In the past, mo­bile de­vice man­age­ment (MDM) so­lu­tions worked well, giv­ing IT ad­mins the man­age­ment ca­pa­bil­i­ties to man­age COPE de­vices. The usual MDM so­lu­tion en­ables IT ad­mins to man­age and govern the com­plete mo­bile de­vice. MDM al­lows IT ad­mins to wipe all data, lo­cate de­vices, ap­ply poli­cies and gen­er­ally govern COPE de­vices.

The rise in BYOD opens up the need for al­ter­nate mo­bile man­age­ment strate­gies as MDM isn’t a fit for BYOD. Let us briefly un­der­stand the ra­tio­nale be­hind the need for al­ter­na­tives.

Along with ben­e­fits, BYOD comes with chal­lenges. With BYOD, the chances are high that en­ter­prise data on the user’s per­sonal de­vice can be com­pro­mised. For ex­am­ple, if an em­ployee uses a smart­phone to ac­cess the data on the com­pany net­work and then loses that phone, un­trusted par­ties could re­trieve any unse­cured data from the phone. Such risks call for an ap­pro­pri­ate mo­bile strat­egy to se­cure en­ter­prise apps and data.

MDM does not mesh well with BYOD users as they would like to keep their pri­vacy in­tact while they use their smart­phones for work. Users may not like MDM so­lu­tions to com­pletely govern their per­sonal de­vices, which may have their per­sonal files along with busi­ness apps and data. Users will be re­luc­tant to use their de­vices for work if the gov­ern­ing MDM so­lu­tion is al­ways keep­ing an eye on their geo lo­ca­tion or if there is a chance that their per­sonal files may get ac­ci­den­tally wiped by the IT (MDM) ad­min.

On the other hand, IT ad­mins may like to at least have ba­sic mo­bile man­age­ment ca­pa­bil­i­ties, even for BYOD, so as to ef­fec­tively do the fol­low­ing:

ƒ Dis­trib­ute busi­ness ap­pli­ca­tions (in-house or third party) from one place.

ƒ Se­cure data on the move. Com­pany em­ploy­ees will run busi­ness apps on their mo­bile de­vices and may fetch busi­ness data over pub­lic/open Wi-Fi or 2G/3G net­works. This con­fi­den­tial data get­ting trans­ferred over net­works while users are on the move is termed as data on the move. It be­comes im­por­tant to take mea­sures to safe­guard this data as it can be sniffed and com­pro­mised on open net­works.

ƒ Se­cure data at rest. Com­pany em­ploy­ees may save busi­ness data/files lo­cally on their mo­bile de­vices while us­ing busi­ness apps. These con­fi­den­tial data files stored lo­cally can be ex­tracted by any­one who gets ac­cess to the mo­bile de­vice. Thus it be­comes im­por­tant to safe­guard these data files.

ƒ Pro­tect data leaks. There could be a few busi­ness mo­bile apps serv­ing very sen­si­tive data to the end user, like the price quo­ta­tions of a prod­uct. IT ad­mins may want to re­strict the screen cap­ture or copy/paste of such sen­si­tive pieces of in­for­ma­tion from the ap­pli­ca­tion.

• Con­fig­ure the ap­pli­ca­tion. IT ad­mins may want to set up busi­ness apps for their em­ploy­ees by dy­nam­i­cally con­fig­ur­ing key pa­ram­e­ters like the en­ter­prise back­end server URL and port, where the ap­pli­ca­tion should con­nect or fetch data from.

Con­tainer­i­sa­tion and MAM – the MDM al­ter­nate strat­egy best suited for BYOD

The need for the ear­lier men­tioned mo­bile man­age­ment ca­pa­bil­i­ties and the par­tial mis­match be­tween what MDM does and BYOD users want, have re­sulted in con­tainer­i­sa­tion. This is a new method­ol­ogy which sep­a­rates busi­ness data from per­sonal data on the user’s de­vice. This method­ol­ogy cre­ates a sep­a­rate and se­cure stor­age space on the de­vice to store busi­ness apps and data, away from per­sonal data. This space can be thought of as a sep­a­rate con­tainer/box which keeps busi­ness apps and data se­cure in si­los, away from in­trud­ers.

Mo­bile ap­pli­ca­tion man­age­ment (MAM) is also gain­ing pop­u­lar­ity with con­tainer­i­sa­tion. MAM is about man­ag­ing just the busi­ness apps used for busi­ness op­er­a­tions in­stead of man­ag­ing the en­tire de­vice. MAM and con­tainer­i­sa­tion go hand in hand, and have be­come the mo­bile man­age­ment strat­egy for BYOD.

The older EMM in­te­gra­tion method­olo­gies for con­tainer­i­sa­tion and MAM

Ini­tially, EMM (en­ter­prise mo­bil­ity man­age­ment) ven­dors de­vised di­verse in­te­gra­tion method­olo­gies to achieve con­tainer­i­sa­tion and MAM. These had some ben­e­fits as well as quite a few down­sides.

Let me high­light a cou­ple of old method­olo­gies along with their pros and cons, which I ex­pe­ri­enced while do­ing some WFM MAM work for iOS and An­droid.

1. MAM (EMM) SDK in­te­gra­tion method­ol­ogy: In this method­ol­ogy, the de­vel­oper needs to in­te­grate the EMM pro­pri­ety mo­bile MAM SDK code into the mo­bile ap­pli­ca­tion code. Each EMM pro­pri­ety MAM SDK li­brary code will be dif­fer­ent, and will pro­vide vary­ing mo­bile man­age­ment fea­ture sets. There are sev­eral EMM so­lu­tions in the mar­ket and, with this ap­proach, MAM SDK code for each of these EMMs has to be plugged in with the mo­bile ap­pli­ca­tion to sup­port them all. The fol­low­ing are the pros and cons of this ap­proach.

Pros

Full blown MAM fea­ture sup­port.

Fine grain man­age­ment and con­trol.

Pos­si­bil­ity of ex­tended/cus­tom man­age­ment and se­cu­rity fea­tures.

Cons

Can only sup­port in­ter­nal mo­bile apps with MAM

SDK. Chances of man­ag­ing pub­lic mo­bile apps from third party ISVs are less as the app may not have EMM SDK code in it.

EMM ven­dor lock-in, if the mo­bile ap­pli­ca­tion is in­te­grated with the MAM SDK code of just one EMM. To sup­port the new EMM, MAM SDK code of the new EMM has to be plugged in within the app code.

Mul­ti­ple EMM MAM SDK codes in a sin­gle mo­bile ap­pli­ca­tion will in­crease the fol­low­ing:

a. Code com­plex­ity;

b. Ap­pli­ca­tion bi­nary—the key con­sid­er­a­tion is to look at the mo­bile de­vice stor­age ca­pac­ity;

c. Side ef­fects ow­ing to code con­flicts, as more or less all MAM SDK codes will be lever­ag­ing sim­i­lar events within the ap­pli­ca­tion; d. Per­for­mance degra­da­tion of the ap­pli­ca­tion. Main­te­nance over­heads with con­stant up­grades for the lat­est MAM SDK li­brary up­dates.

Unavail­abil­ity of the SDK can be­come a bot­tle­neck. While work­ing on WFM, ini­tially (Q1, 2015) we in­te­grated an iOS vari­ant with MI's App con­nect li­brary. For An­droid, the MI MAM SDK/li­brary wasn’t avail­able.

2. App wrap­ping method­ol­ogy: In this method­ol­ogy, the al­ready com­piled and pack­aged mo­bile app is wrapped with MAM (EMM) ven­dor dy­namic li­braries, and this is called app wrap­ping. MAM li­braries are lay­ered over the al­ready built mo­bile ap­pli­ca­tion bi­nary and then the com­plete set is re­com­piled, repack­aged and re­signed with the EMM app sign­ing cer­tifi­cate to gen­er­ate a new MAM ca­pa­ble mo­bile app bi­nary. Post wrap­ping, stan­dard sys­tem calls from the orig­i­nal mo­bile app are routed through the MAM API li­brary to en­sure that the calls are se­cured and man­aged. This method­ol­ogy does not re­quire any devel­op­ment work, that is, no code change is re­quired to hook the MAM SDK. There are sev­eral EMM so­lu­tions in the mar­ket and, with this ap­proach, the mo­bile ap­pli­ca­tion needs to be wrapped with the MAM SDK of all EMMs. The fol­low­ing are the pros and cons of this ap­proach.

Pros

No devel­op­ment/code change is re­quired.

Pub­lic mo­bile apps from third party ISVs/de­vel­op­ers can be cov­ered as well.

Cons

Wrap­ping pub­lic apps from third party ISVs/de­vel­op­ers or even pri­vate apps isn’t right and is not rec­om­mended. It vi­o­lates app terms and copy­right rules.

Not a re­li­able method­ol­ogy, as it cre­ates a lot of is­sues and side ef­fects. For WFM, ini­tially (Q1, 2015) we used it for both An­droid and iOS vari­ants. Post wrap­ping (with old wrap­ping en­gine ver­sions from MI and AW), the app used to get stuck at the land­ing page with a blank blue screen. Later, af­ter a cou­ple of months with newer wrap­ping en­gine ver­sions, the app was able to move ahead from the land­ing page but used to crash ran­domly in dif­fer­ent mod­ules. On de­tailed re­search on An­droid vari­ants, we found that the MI wrapped li­brary had is­sues with Im­plicit In­tent han­dling within the re­solveAc­tiv­ity method of the Pack­ageMan­ager class from the An­droid OS. It can in­ter­fere and ob­struct cer­tain func­tion­al­i­ties of the app. For WFM An­droid wrapped with MI, we found that the MI MAM li­braries were not al­low­ing the app to fetch GZip data from the server, and there wasn’t any way to con­fig­ure and al­low it. This be­came a big bot­tle­neck and we had to drop this ap­proach even­tu­ally.

Wrapped apps may not sup­port full blown MAM fea­ture sets and will not be able to pro­vide fine grained con­trol like in the SDK ap­proach.

For WFM An­droid, post wrap­ping with MI and AW, we ran into the blocker is­sue of reach­ing the 64k method count limit of Dalvik. An­droid apps run on Dalvik VM (DVM). Wrap­ping with mul­ti­ple EMM (MAM) li­braries cre­ated con­flicts.

For WFM, we had to add a dif­fer­ent EMM spe­cific code to re­ceive dy­namic app con­fig­u­ra­tion from EMM.

Old method­olo­gies could achieve vary­ing lev­els of con­tainer­i­sa­tion and MAM for small/medium mo­bile ap­pli­ca­tions but had sev­eral down­sides as men­tioned above. More­over, the rapidly chang­ing mar­ket in­tro­duced sev­eral method­olo­gies and thus frag­mented the mar­ket. It cre­ated a lot of con­fu­sion and chaos amongst IT ad­mins, prod­uct own­ers and app de­vel­op­ers to iden­tify the right way to achieve con­tainer­i­sa­tion and MAM.

OS con­tainer­i­sa­tion – stan­dard and rec­om­mended EMM in­te­gra­tion meth­ods

In the past few years, Ap­ple and Google re­alised the in­creas­ing use of per­sonal mo­bile de­vices for work and the need for stan­dard­i­s­a­tion. So they took the ini­tia­tive to bake in con­tainer­i­sa­tion and MAM ca­pa­bil­i­ties right into the mo­bile OS, that is, iOS and An­droid (An­droid­forWork or AFW). Mo­bile OS na­tive con­tainer­i­sa­tion can be thought of as a new, stan­dard, uni­ver­sal ap­proach. I will term it as OS con­tainer­i­sa­tion for the rest of this ar­ti­cle.

The Ap­pCon­fig com­mu­nity (a group of EMM providers, ISVs/ de­vel­op­ers and en­ter­prises) has been formed to stan­dard­ise and stream­line the OS con­tainer­i­sa­tion and in­te­gra­tion process. It has come out with an EMM in­de­pen­dent method­ol­ogy to lever­age OS con­tainer­i­sa­tion fea­tures. As a re­sult, many of the man­age­ment and se­cu­rity fea­tures are au­to­mat­i­cally taken care of by the OS and will not re­quire any devel­op­ment. For a few fea­tures, like app con­fig­u­ra­tion, min­i­mal but stan­dard OS code changes can be made so as to re­ceive dy­namic app con­fig­u­ra­tion val­ues from any EMM. With OS con­tainer­i­sa­tion, man­aged mo­bile ap­pli­ca­tions can be gov­erned by any app con­fig­u­ra­tion mem­ber EMM with­out any EMM spe­cific code. The fol­low­ing are the pros and cons of this ap­proach.

Pros

Re­li­able ap­proach, as it is backed by mo­bile OS ven­dors (Ap­ple/Google), EMMs, en­ter­prises, ISVs/de­vel­op­ers. No con­flict, nor code re­dun­dancy via a sin­gle uni­fied, stan­dard mo­bile OS in­fra­struc­ture, code for con­tainer­i­sa­tion and MAM.

No devel­op­ment/code changes are needed.

In­ter­nal (sys­tem) apps and pub­lic mo­bile apps from third party ISVs/de­vel­op­ers can be cov­ered un­der this.

No EMM ven­dor lock-in, as IT ad­min can change the ex­ist­ing EMM with an­other app con­fig­u­ra­tion mem­ber EMM, and it will work seam­lessly.

No 64k method count prob­lem on An­droid.

Cons

May take some more time to ma­ture, as OS con­tainer­i­sa­tion is grad­u­ally evolv­ing and a set of new fea­tures is get­ting in­tro­duced with ev­ery new OS ver­sion. AFW is com­plex to set up as it in­volves tie-ins with sev­eral Google con­soles and EMM in use to set up the en­tire sys­tem. Ex­am­ples of con­soles are Google Ad­min Console, Google Play for Work, Work Pro­file on An­droid de­vice, etc.

AFW can be costly as it is pow­ered by Google, which will levy charges on a per-user, per-month ba­sis. These Google charges will be ad­di­tional costs if your or­gan­i­sa­tion is al­ready pay­ing and us­ing some EMM tool.

For AFW, GCDS or Google Cloud Direc­tory (ear­lier known as GADS) may re­quire to be set up to sync your or­gan­i­sa­tion’s Ac­tive Direc­tory user/group with it. This may not be ac­cept­able as per the poli­cies of many en­ter­prises. OS con­tainer­i­sa­tion em­pow­ers IT ad­mins with the fol­low­ing key mo­bile man­age­ment and se­cu­rity ca­pa­bil­i­ties for BYOD: 1. Se­cur­ing data on the move via app tun­nel/per app VPN. 2. Se­cur­ing data at rest via com­plete en­cryp­tion.

3. Mo­bile app level DLP (data leak pro­tec­tion) by dis­abling screen cap­ture, dis­abling copy/paste, se­lec­tive app wipe, and pin pro­tec­tion for busi­ness app ac­cess.

4. Sin­gle sign-on.

I strongly rec­om­mend the OS con­tainer­i­sa­tion in­te­gra­tion method­ol­ogy as it is pro­vi­sioned by mo­bile OS ven­dors Ap­ple and Google and has be­come the stan­dard, thanks to the par­tic­i­pa­tion of pop­u­lar EMM ven­dors, ISVs, en­ter­prises, etc. It en­ables cov­er­age of a wide set of mo­bile ap­pli­ca­tions in a stan­dard­ised man­ner with­out get­ting locked with any sin­gle EMM ven­dor so­lu­tion, and that too in a stan­dard­ised man­ner.

Newspapers in English

Newspapers from India

© PressReader. All rights reserved.