by Andy Smith, VP, Product Management
Key decision criteria for your mobility strategy and infrastructure plans are based on the experience demanded by end users, applicable regulatory guidelines, and required security levels. When considering technologies such as mobile device management (MDM) and Secure Container, many of our customers see a happy marriage between the two. We have customers who require both MDM and Secure Container. We have customers who specify MDM and Secure Container for corporate-owned devices but Secure Container only for BYOD, and we have customers who have deployed Secure Container only.
When deciding among solutions to deploy, our customers typically consider three factors: employee privacy regulations in certain countries, desired email user experience, and access to behind-the-firewall applications.
Employee privacy laws differ from country to country. What a corporation is allowed to track and how it secures personal information can be constrained, especially in some European countries. These constraints also vary depending on device ownership as well as service ownership and payment. For example, privacy restrictions on personally owned devices are much stricter than those on corporate-issued ones. Personally owned devices with services paid for by the corporation lie somewhere in between the two. The more your deployment moves towards global BYOD, the stronger the requirement will be to separate personal and corporate data and applications.
Email User Experience
Email is an important app for any mobility program and typically the first one deployed. Depending on security requirements and user expectations, most customers have strong beliefs about whether to stick with the OS-provided mail client (i.e., the native Apple or Android client) or whether a secure mail client is necessary. If the OS-provided client is a must-have, at least minimal MDM functionality is necessary to secure the native mail app. A passcode must be in place to keep anyone who finds a device from accessing sensitive information and to enable encryption, if provided by the OS. With a native email app, users will have a familiar experience, but because Apple and Android are focused on the consumer market, some enterprise features are not provided by those clients.
A secure mail client is an absolute must for some regulated industries. They would not consider using an OS-provided client, because it does not meet their requirements. In addition, some customers are looking for enterprise features provided by Microsoft Exchange, such as Tasks or available time lookup when scheduling a meeting. These are examples of Exchange features that can be enabled by a secure personal information management (PIM) client but are currently not supported by Apple or Android.
What applications are you looking to mobilize? Most companies start with email, but the greatest benefit of mobility is in bringing corporate information to the fingertips of users in the field. If your employees need access to applications behind the firewall, you have two choices. You can either activate a mobile VPN client on users’ devices or create apps that form their own encrypted tunnel through your firewall. The great thing about mobile VPNs is that they give users access to whatever they are authorized to do on the network. The not-so-great thing is that they run at the device level, so any app on the device, including potentially harmful rogue apps, has unfettered access to this tunnel. In addition, many companies have deployed IPsec VPNs and find that users complain about dropped connections and the need to continuously re-authenticate.
MDM solutions depend on mobile VPNs to access applications behind the firewall, whereas some Secure Container solutions provide an encrypted AppTunnel that authorizes only trusted/containerized apps and doesn’t run at the device level, thereby avoiding the problem of rogue apps.
What is right for me?
Consider your needs for employee privacy, the email experience users need, and their access to behind-the-firewall applications. Where your requirements fall on this continuum will determine if you need MDM, a Secure Container solution, or a combination of both. At Bitzer Mobile, we have seen customers who start by deploying a standalone MDM because they are U.S.-based, want to use the native OS-provided email app, and have no immediate plans to offer any other apps. We have customers who deploy MDM plus Secure Container because they have global operations, have corporate-issued devices as well as BYOD, and want intranet access behind the firewall in addition to email. Finally, we have global customers in regulated industries who must have a containerized mail solution and don’t deploy MDM at all.
So what’s right for you? The answer, of course, is “It depends.” MDM solutions provide great value in asset tracking and in deploying Wi-Fi profiles and certificates to devices. Secure Container solutions isolate corporate from personal data and applications, giving users a “consumer” experience for personal apps and enforcing corporate security only when they are trying to access corporate apps. Considering your needs against these capabilities should make the decision pretty straightforward.