Mobile device management has become an essential part of businesses. Even if it’s not yet been implemented, one can’t help but see the presence of MDM as a pillar of IT that isn’t going away any time soon. But MDM has always been limited to the functionality exposed by the MDM API that the manufacturer provides. In iOS, if Apple doesn’t want to allow administrators to perform a specific action, MDM providers are unable to provide it. Up until recently, this was also the case with the public-facing app-store applications. But as time goes on, additional functionality is added, and over the past few months most major MDM providers have added “App Wrapping.”
App wrapping involves taking publicly available app-store applications and “wrapping” them in additional policies. This allows us (the administrators) significantly more granularity in the application of mobile policies, opening up a scope of options that was never before presented. The following list represents a few pieces of functionality that might be presented, depending on the MDM solution enlisted:
- Block access to the application, rather than the entire device, if the device is jailbroken
- Require a PIN to launch the application
- Disallow launching the application when the device is offline
- Require VPN to use the application
So with this new functionality, a new world of granular policy is opened, allowing more functionality for modern-day workflows.
For instance, in a BYOD scenario, users may not necessarily need to have their entire device password-protected if only a subset of the applications installed is used for corporate purposes. Administrators can restrict copy and paste, data encryption and memory space of company applications in order to protect corporate data on non-company-owned devices, without applying policies to the entire device. In the case of a third-party mail client (as opposed to the native mail app), these options become even more enticing.
As mentioned, the one downside is that this granularity doesn’t apply to native apps (e.g., e-mail), but it does apply to third-party applications, including app-store apps and in-house developed applications.
These functions open a world of BYOD opportunity, with policy maintained and audited within the MDM system. Using these techniques, companies are able to overcome some of the legacy challenges of BYOD, through the true isolation of corporate applications from personal apps in a controlled way.
It wouldn’t surprise me to see this functionality eclipse current MDM functionality over the next months/years.
by Jim Joseph