How Microsoft and Mobilespaces are using the cloud for MDM

It appears that MDM vendors are betting that the consumerization of mobile apps will follow the consumerization of mobile devices in the enterprise.


The most compelling mobile apps will drive more of enterprise IT into the cloud. Mobile Device Management (MDM) is shifting to the cloud, too. Microsoft and Mobilespaces just joined Mobile Iron and VMware/Airwatch with SaaS MDM offerings because securing new fast-growing cloud services is much easier than retrofitting older IT applications.

IDC predicts cloud spending, including cloud services and the technology to enable these services, will surge by 25% in 2014, reaching over $100 billion and outpacing growth in the worldwide IT industry.

Microsoft’s board understood that Android, iOS, and Windows 8 apps will drive enterprise IT growth, and made that clear by selecting Satya Nadella as Microsoft’s CEO. As head of the cloud services and enterprise group, Nadella had already led device-agnostic product developments. The best cloud or on-premises enterprise solution won’t sell if users’ mobile app portals are merely adequate.

Only top teams of mobile app designers and developers can build great apps targeted at acquiring audiences of millions of users. These teams obsess over user behavior, design and iterative development, continuously improving their apps by monitoring users’ every interaction inside the app with analytics. The user experience (UX) is so important that these teams are increasing staff with expert iOS and Android developers. Due to the cost and scarcity of this talent, hiring such a team is not an option for most enterprises and ISVs because their mobile audiences are too small to justify the investment.

As the amount of time users spend at work shifts from PCs to mobile devices, the enterprise systems they use will move to the enterprise cloud services with the best mobile apps, because merely adequate enterprise mobile apps will be compared with the much better apps on the consumer side of the same BYOD device.

Microsoft’s Windows Server & Management group started a device-agnostic course under Nadella before he became CEO, releasing early versions of iOS and Android MDM products in 2013. Last week, Microsoft’s Intune MDM became an entirely cloud-based service when many of the policy management features of Configuration Manager were added to the Intune cloud service, eliminating the need for a connection to an on-premises System Center 2012 R2 Configuration Manager instance.

The announcement was an incremental addition to Microsoft’s “people-centric” approach, already underway, of leveraging its strong position in PC management to include heterogeneous mobile devices. Microsoft’s direction is to extend the identity management and policies it uses for Windows devices to heterogeneous mobile devices. It won’t add incremental security into iOS and Android, but will build on the security features already in those OSes. For enterprises using Active Directory and Configuration Manager, a device-agnostic Microsoft Intune service is compelling compared with the additional burden of managing two separate consoles and synchronizing identity and policy data with a separate MDM system.

Microsoft also implied a new approach to securing apps. Andrew Conway, senior director of product marketing at Microsoft’s Windows Server & Management team, said that a release later this year would include the "ability to wrap policy around applications, giving administrators the ability to define how an application interacts with data and block undesirable functions such as cut and paste to other apps."

Wrapping, instead of creating a container to isolate enterprise apps from personal apps, is an intriguing technical decision. Wrappers are scripts that enforce security policies on apps without recompiling them. Mobile app developers have been slow to shroud their mobile apps in each MDM vendor’s proprietary wrapper because enterprises represent a small audience, and a different wrapper for each MDM vendor fragments their efforts to reach millions of users. MDM leaders list only about two dozen apps whose developers have wrapped them, limiting enterprise app choice. If Microsoft can deliver a wrapping technology that takes the app developer out of the critical path and lets administrators apply wrappers themselves, every app, whether proprietary or available from the App Store or Google Play, could be an enterprise app.

Startup cloud MDM service Mobilespaces has a different app philosophy. It has built a container for BYOD enterprise apps, called a workspace, that is managed by a cloud administrative service. The workspace separates enterprise apps and data from personal apps and encrypts enterprise data. The choice of apps and many security decisions are left to the enterprise. Mobilespaces recently announced that it has secured Google’s Gmail, Apps, Drive and Hangouts mobile apps in its workspaces.

Mobilespaces’ offering leaves the enterprise to choose its apps. Using a cleanly designed admin console, policies can be applied to allow or restrict app installations from the App Store, Google Play, or manually by group policy. Group or individual policies can be set to lock a device based on conditions or specific events, such as the detection of a jailbroken or rooted device, or the USB port being enabled for side-loading applications.
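To make the policy model above concrete, here is an added illustrative compliance evaluator (not Mobilespaces’ or Intune’s code): it applies group policies with per-user overrides to a device posture report, issuing lock actions on jailbreak/root or USB side-load detection and allow/block verdicts for pending installs by source. The posture fields, policy keys and sample reports are assumptions constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class DevicePosture:
    """Posture report an MDM agent might send (constructed format, not a vendor's)."""
    device_id: str
    user: str
    group: str
    jailbroken_or_rooted: bool = False
    usb_sideload_enabled: bool = False            # e.g. debugging/sideload toggle on
    pending_installs: list = field(default_factory=list)  # (app_id, install_source)

# Group policy; individual (per-user) entries override the group's settings.
GROUP_POLICY = {
    "finance": {"lock_on_jailbreak": True, "lock_on_usb_sideload": True,
                "allowed_install_sources": {"app_store", "play", "admin_push"}},
    "engineering": {"lock_on_jailbreak": True, "lock_on_usb_sideload": False,
                    "allowed_install_sources": {"app_store", "play", "admin_push", "sideload"}},
}
USER_POLICY = {"alice": {"lock_on_usb_sideload": True}}  # tighter than her group

def effective_policy(user, group):
    """Merge group policy with any per-user override (user wins on conflict)."""
    policy = dict(GROUP_POLICY[group])
    policy.update(USER_POLICY.get(user, {}))
    return policy

def evaluate(posture):
    """Return the ordered list of actions the admin service would issue."""
    policy = effective_policy(posture.user, posture.group)
    actions = []
    if posture.jailbroken_or_rooted and policy["lock_on_jailbreak"]:
        actions.append("lock:jailbroken_or_rooted")
    if posture.usb_sideload_enabled and policy["lock_on_usb_sideload"]:
        actions.append("lock:usb_sideload_enabled")
    for app_id, source in posture.pending_installs:
        verdict = "allow" if source in policy["allowed_install_sources"] else "block"
        actions.append(f"{verdict}_install:{app_id}:{source}")
    return actions

# Constructed sample reports: an engineer with a per-user override, and a
# finance user on a rooted device trying a side-loaded install.
SAMPLE_POSTURES = [
    DevicePosture("d1", "alice", "engineering", usb_sideload_enabled=True,
                  pending_installs=[("com.example.crm", "sideload")]),
    DevicePosture("d2", "bob", "finance", jailbroken_or_rooted=True,
                  pending_installs=[("com.example.notes", "sideload"),
                                    ("com.example.mail", "play")]),
]

if __name__ == "__main__":
    for p in SAMPLE_POSTURES:
        print(p.device_id, evaluate(p))
```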

Depending on how you look at this, Mobilespaces either gives the administrator more flexibility in choosing apps or more responsibility for choosing apps that meet the enterprise’s security criteria. For instance, Google’s suite of apps is secure, but Google doesn’t provide policies to restrict their use to a specific device. So, although Mobilespaces can restrict copying and pasting data from Google Apps into the employee’s personal app space, it can’t restrict use of Google’s app suite to the enterprise workspace alone. This is Google’s design choice, and it works for its Google Apps customers.

But an enterprise can choose other apps if it perceives this as a risk. For example, an enterprise could deploy an email app using Microsoft ActiveSync to Exchange to restrict email to a workspace. Or a company could deploy apps like Office 365 or Salesforce in a workspace configured to use a VPN. That way, the cloud service the app connects to could be configured to accept access only from the VPN.

Late entrants to MDM, Microsoft and Mobilespaces won’t backfill missing security features into Android and iOS, but they don’t have to. Apple and Google have backfilled security features into iOS 7 and Android 4.2+ that enable app developers to build more secure apps. Incumbent MDM vendors had to do a lot of backfilling to secure iOS 3.0 and Android 2.3 in 2010. That isn’t necessary now.

Both the Intune service and Mobilespaces share more than a cloud service design; they appear to be betting on developers building more secure enterprise apps as the consumerization of apps follows the consumerization of mobile devices.


Copyright © 2014 IDG Communications, Inc.
