MAM allows organisations to mandate encryption, set and enforce role-based policies for applications (including how they store and share documents), and even remove data and de-provision apps when an employee leaves the company (or loses a device). In other words, you can ensure that sensitive data never leaves your customer relationship management app without preventing salespeople from playing Angry Birds on their own devices during their own time.
"I'm not going to access proprietary data by opening Angry Birds," said Brian Duckering, senior manager of Enterprise Mobility at Symantec, which has also adopted the MAM approach. "So do I need to manage Angry Birds? Probably not."
"We've always believed that ultimately security and compliance boils down to being able to control the data," added Herrema. "Trying to control the device, in a lot of cases, is neither necessary nor sufficient. A lot of the typical device management methods don't work anymore in a BYOD world."
"In many cases, you actually have greater control over protecting that data than you would with a general MDM solution," Symantec's Duckering noted.
It should be noted that even when you manage applications rather than devices, special care is necessary for certain high-risk application types. For instance, in addition to providing the ability to manage internally developed apps and third party apps, Good also provides its own secure email app and secure browser app.
"The reason we have a secure email app and a secure browser app is that the native apps on these devices are inherently leaky," said Good's Herrema. "If you can't actually secure and manage the core browser and the core address book and core email app, you're still going to have data loss."
Run a Second Virtual Phone with Hypervisors
Instead of MAM, Red Bend Software takes an alternative approach that is more reminiscent of MDM. It uses type 1 hypervisors on particular Android handsets to create what are essentially two virtual phones running simultaneously on the same physical hardware. One phone is the standard consumer device for use with Facebook, Twitter and other consumer-facing applications. The other is a phone running a dedicated Android operating system geared for the enterprise.
"We allow the enterprise to completely manage that part of the phone," said Morten Grauballe, executive vice president of Corporate Development and Strategy at Red Bend.
Grauballe explained that by leveraging a type 1 hypervisor, Red Bend is able to achieve excellent performance because the hypervisor runs directly on the phone's hardware (as opposed to a type 2 hypervisor, which runs as a software layer above a device's operating system). And, he added, Red Bend achieves significantly better security because the enterprise environment doesn't run inside the same OS as the consumer-facing applications.