MDM vs. MAM and Apple’s Point of View
Bring your own device (BYOD) has been a hot topic for the last couple of years. Though IDC has published a prediction for 2014 that this year “BYOD as an enterprise mobility strategy is dead” and that CYOD (choose your own device) will take over instead, companies are still struggling to find the right approach to employee-owned private devices.
I have been involved in a lot of discussions with customers about their BYOD strategy and whether employee-owned devices should be managed by their Mobile Device Management (MDM) platform/cloud platform (e.g. SAP Afaria). Since the release of iOS 7, with its deeper level of controls and far more possibilities, customers are still wondering whether the right approach is to enroll the device in MDM or to wrap apps with a Mobile Application Management (MAM) system such as Mocana. Basically, every company can choose from four approaches to how employee-owned devices are treated in its corporate infrastructure:
- Only online corporate apps (such as web apps) without caching are allowed – No MAM, no MDM
- Do MAM for apps that store or cache data on the device – MAM, no MDM
- Control the device via device management – MDM, no MAM
- Perform app wrapping plus a lightweight device management (looser controls than for company owned devices) – MAM + MDM
I came across a very interesting blog entry by Securosis named “Apple’s Very Different BYOD Philosophy”. In this blog post the author examines iOS 7 in detail and sets out his understanding of Apple’s point of view on handling BYOD devices:
- The devices should be connected to corporate systems via MDM
- If the user accepts connecting his private device to the corporate MDM, certain minimal security is applied (such as a passcode policy)
- The user gains access to corporate email via the default email client
- The enterprise can install managed apps
- If the user opts out of the device management, all enterprise content is removed, but no private content has to be touched at any point in time
Though this is probably only Apple’s understanding, it is still important to understand the implications, because Apple is still gaining traction in the enterprise world. What does this imply for an enterprise?
I see the following:
- Enterprises should include BYOD devices in their corporate MDM with very lightweight policies (enforce a passcode, some email policies for corporate email access, etc.) if unwrapped apps are in use.
- Even if app wrapping is performed for all corporate apps, a passcode policy can enhance the security level by protecting and encrypting the device at the device level (approach 4: MDM + MAM).
- Enterprises have to apply totally different policies for company-owned devices in the MDM.
- Apple is committed to BYOD and will probably extend the management capabilities for BYOD iOS devices further, to better allow the distinction between private and corporate apps/accounts.
- Companies with high security requirements should consider both MDM for basic protection of the device and MAM for high-profile protection of the app data. As always, this might conflict with the usability of those apps.
What is your point of view on how BYOD devices are included within your company's infrastructure?