The official hub of The Enterprise Mobility Foundation

Can Someone Please Explain To Me The Real Value of Mobile Containerization?

Good G*d.  It’s been ages since I have written anything here.  Candidly, my professional and personal lives have been chaotic and are only going to get more so.  Oh well…this is what most people call good problems.  In any case, let me cut to the chase.  I want to talk today about mobile containerization.  While I have shared some opinions in the past on this subject, it’s obvious that the market for containerization solutions has increased and evolved aggressively.

As you might know, enterprise mobility management solution providers who offer “containerized” solutions are looking to offer secure alternatives to the native email, calendar and browser solutions available on the mobile devices.  These native solutions are considered insecure for enterprise usage…and while mobile device management solutions can help address these issues, the ONLY way to TRULY provide secure connections to your email, calendar, contact, web and corporate applications is to do so via a container.

Right?

Well…as with most things in mobility, it depends.

Let’s be clear.  I get BYOD…because it drives me nuts.  I get COPE…well, because I created the concept.  I understand the need to secure and protect corporate information all the while letting individuals use their mobile devices for their personal needs and enjoyment.

But what about “legacy” desktop (a.k.a. laptop) use cases?  Have you ever installed an application on your corporate laptop without corporate approval?  If you have an iPhone, I think you have.  Have you ever downloaded and INSTALLED an alternative browser because the conferencing system you were trying to use did not work properly with your corporate browser? Never.  Have you ever had your corporate email go down and you needed to send a file and therefore you used your personal email address to send the file?

Of course you haven’t.  Never ever. Ever.  By the way, have you ever checked your email via Outlook Web Access on a PC you or your company didn’t own?  Of course you haven’t.

So.  Now that we recognize that in the PC world, we will in fact download apps that are not 100% for work and we will IN FACT use them for work and that sometimes we have no choice but to use them for work…and that we can use non-corporate devices for work….

Why does this not apply to mobility?

Why do we need secure 3rd party email clients that prevent forwarding?  Why do we need secure web browsers?  Why do I need to replicate the functionality that is provided natively by the operating system just to “secure” things?

Isn’t Microsoft Outlook considered a safe and secure client for mobile email (at least on your laptop)?  If you are a M$FT basher, I don’t want to hear it.  Outlook is the de facto corporate standard.  Get over it.  If somehow the native email clients on mobile devices aren’t good enough, then why hasn’t Microsoft delivered a more “robust” version of Outlook for said mobile devices?  Maybe they should.  By the way, Microsoft could destroy the market by making it free – as long as you have an Exchange CAL.

So what about “Secure Browser” – I get the need for secure connections, but not all browsers run off of a VPN.  Besides, I will argue that 99.99% of HTTP connections are not secure…and the world has not come to an end.  So why is “Secure Browsing” so important?  Why can’t I use HTTPS?  That’s what we do on desktops – no?  What about InPrivate browsing?

Has the enterprise mobility world created solutions in the search of problems that may not be as real as they seem?

I don’t know.  The title of this missive is not to be challenging, but truly to better inform me.  I know a lot of companies are either developing or considering or deploying mobile container solutions.  Are they just solving problems that are made up by vendors or is this something real that I am missing?

Let’s discuss…

6 Comments

  1. Posted March 13, 2014 at 09:08 | Permalink

    Before leaping into the substance of your question, I’m going to protest your claim of inventing the COPE concept. Sure, you developed it and lent it legitimacy, but that’s the easy stuff… right?

    For your readers, COPE arose from a typical Philippe/Nick argument (imagine an old couple arguing). Philippe was nagging about BYOD and why a Corporate-Liable (CL) approach was needed that accomplished the same separation of biz and personal. I was doing my best to ignore Philippe’s complaints and instead nagging about the silly proliferation of acronyms in the MDM/EMM space. To make my point and placate Philippe, I referenced his latest EMF post about how to “cope with BYOD” and made up an acronym. Proof that two wrongs can make a right. Also, proof that a joke can stumble on something cool.

    Now, I must reluctantly toot Philippe’s horn. COPE was not an understood concept. He badgered (nagged) everyone within electronic reach about the idea and developed it. It is a legitimate approach to enterprise mobility. My summary (and serious) response to Philippe’s question is that there is no magic bullet or single approach or solution to enterprise mobility. Some will go with a COPE model. Some companies will go with a wide-open approach – all Cloud and using any client/app that employees prefer. Some will go with “container” or dual persona. It’s not about which tool or approach will conquer the rest. It’s a discussion about which tool is right for YOUR company and therefore a discussion on which tools solve which problems (or enable which new possibilities).


    • Posted March 13, 2014 at 10:32 | Permalink

      Nick – agreed that there is no magic bullet. Don’t forget that the genesis of the conversation was that everyone was saying BYOD is THE future…but to your point, there is no magic bullet. CL – as it was in the old days – is flawed. CL was all about providing ONE standard that was locked down and didn’t allow employees to be people. That’s why I argued with you that we needed to evolve CL into something more modern…and THAT was the genesis of the COPE model.


  2. Posted March 13, 2014 at 09:46 | Permalink

    Let’s not forget the personal side of the discussion. Do I want my personal email traffic, web-surfing habits and App usage traversing my employer’s perimeter security and its scrutiny? Do I want my employer knowing my whereabouts? Do I want IT to have the ability to detonate my entire device? Does IT really ever want to push the button? Do I want my employer knowing which Apps I’ve downloaded and scrutinizing (if not blacklisting) them? Should my employer think less of me because I have 246 game apps on my device?

    Last night’s use-case: Can IT figure out a way to help us parents resist our kids? Last night, my wife and I gave our kids our smartphones in the hopes of shutting them up so we might enjoy a conversation over dinner. We gave them our passcodes, and our two security threats downloaded at least 5 games each.

    I don’t expect IT to help me on the parenting front. I’m also fairly certain I don’t want them scrutinizing my personal life. Frankly, I don’t think IT really wants to do that either – because it’s creepy and because Legal has informed them of privacy laws or liability issues with doing so. This leads to a conundrum: How does IT secure and manage something they can’t see (the personal “side”)?

    Container is a solution to that conundrum. It’s a broad term, as “container” might include dual persona or managed apps (iOS 7) or VDI or even solutions called container. VDI is a parallel on the PC side. Google is fairly consistent with identity/context-switching across its various services (gmail, etc). In the Cloud realm, companies like Box and Dropbox struggle with how they separate personal and business… a struggle perhaps born of their freemium go-to-market model! The bottom line is that Work-n-Life / Business-vs-Personal often can’t coexist because those personas have very, very different needs. They’re like two cats in the bag – they won’t get along. Solutions are needed to separate them. Mobility exacerbates the problem as it’s more intensely personal – in terms of likes and how it permeates our lives (including last night’s dinner). I don’t often bring PC’s to dinner. That said, Mobility is helping draw contrast on the Work/Life friction, and we’re seeing solutions extend to PC and Cloud. People are bringing their MacBooks to work (BYOD) and using Box for both business and personal. People’s sharpening expectations on separation are being applied to those, and happily, we’re seeing solutions address those in mobile and beyond. All we need now is another acronym to define this space ;-)


    • Posted March 13, 2014 at 10:36 | Permalink

      Great example Nick – and as I have said to you before, the container approach makes a ton of sense to me as an enabler of COPE…meaning protect your personal data on the device that your company provided you. My main point however is that there is a huge wave of interest in containers, but I will challenge this wave only by saying that one size does not fit all and that in fact we may be offering a solution in search of a problem. This issue does not exist in the PC world – even when we bring our laptops to the workplace – so why is it such an issue in the PostPC world? And no…the answer is not because of BYOD.


      • Posted March 13, 2014 at 11:28 | Permalink

        I REALLY don’t think this is a solution searching for a problem. The solution for endpoint management (PC) and MDM (mobile) was to manage the WHOLE DEVICE. That was the default thesis and approach. Anyone arguing for dual persona two years ago (if not more recently) was deemed nuts. What we’re seeing is vendors REACTING to needs as they evolve and sharpen.

        The problem does exist in the PC world. One of my more recent employers gave me a laptop that had boot encryption and forced me to break out a RSAid at boot-up. It was hard-wired to the network (VPN), and no, I couldn’t install any non-approved .exe (app). I was also advised that my web usage would be monitored (a policy reinforced with AUP pop-ups at every boot up).

        In the PC world, we also use VDI as a BYOD solution. That’s arguably container… just a different approach. That approach SUCKS on mobile, because finger-navigating a remote XP image doesn’t thrill on user experience. I have a friend in IT at a major FinServ company who LOVES it, but he has no friends in his company’s employee ranks.

        And there’s now a new crop of vendors building new PC container solutions like Moka5. Cool folks – former BigFix – who saw a problem and built a company and solution to solve it.

        The difference between PC and Mobile? It’s way, way, way more personal than a PC. We bring it everywhere. We want to use the damn thing all the time. We hate carrying the weight of two devices in our pockets. Net = the desire to use a mobile device for both work and personal is FAR more pervasive and that means the problem is more acute and urgent to solve than PC.


  3. Posted March 18, 2014 at 13:40 | Permalink

    Great topic. Let me explain in simple terms…

    The way mobile apps exploded and existed in devices made them almost independent entities to be service fulfilled and assured. Enterprises are in the era of > 4 app workflow mobilizations / roles. The control of the enterprises is predominantly from a device/user level, exercised by an MDM. The control of enterprises on apps is restricted to 2 modes: 1. The app install, uninstall, patch permissibility 2. What the app allows to be managed.

    Containerization is also a concept the way BYOD is used, where the app instances run over a container and the container is controlled by the enterprise.

    So how it happens is by the pure nature of SDKs consumed by apps over it, by the nature of binary wrapped controls that are available, by the MAM APIs available. All of these hooks to the native stack via containers can get “policy orchestrated” by engines like MAM/MDM-Next etc.

    Basic relationships are explained at my blog here
    http://www.soclomo.org/entries/general/what-is-byod-to-enterprises-

    Now coming to secured browsing, HTTPS allows certificate safety on paths, but a secured browser “tunnels the traffic” via an enterprise mandated path. So all traffic travels through the tunnel and exits from enterprise gateways to the internet. Man in the middle, malware threats all contained. E.g.: GOOD/MI etc.

    Now coming to mails: a native email client talking to MS Outlook means the mail resources have to be exposed to the public domain in a safe and secured way, and the Outlook client talks via that. The safest way to protect mail assets is making the traffic go over a VPN session so that it is interception safe. So there are organizations that don’t allow POP/IMAP kind of protocols or even their secured modes exposed directly. A VPN via mobile looks complex in usability, hence a “tunnel” is preferable – like GOOD/MI etc. provide.

    The reality is that mobiles live in rogue environments, mobiles can get jailbroken/rooted, mobiles can have OS/apps tweaked the way any hacker wants. IT assets like laptops are hardened and sensed all the time by asset management engines. Making mobile “access and trust” to an enterprise – securing assets, browsing contents, mails, apps – becomes a “multi tier” enterprise responsibility, and that is possible by a mixed-mode approach… mdm, mdm+mam, mdm+container+mam, mdm+secure browser access only etc. The cost we pay for the technology in the name of COPE/BYOD etc. is the price for “access and trust”ing the devices to the enterprise…

    Hope I covered the perimeter ..:)

