Protecting Enterprise Information on Mobile Devices, Using Managed Information Containers

27 January 2014 ID: G00259536
Analyst(s): Eric Maiwald

Managed information container products are an option for protecting business information and applications on mobile devices, but their effectiveness depends on the use case. We examine the technology's strengths and weaknesses, and summarize the features of 21 major products available today.

Summary of Findings

Bottom Line: Container products have generally reached parity with base functionality on iOS and Android mobile devices, but which products will survive is unclear. Use cases determine if containers are an appropriate choice for an organization. Containers, in general, provide an appropriate level of control for low-risk and (perhaps) medium-risk information in mobile environments. Organizations should consider any choice of container products as tactical, short-term solutions. While containers provide security, they often do so at the cost of user experience and, therefore, are not appropriate for all users, use cases and devices. The market for containers continues to be in flux.

Context: Mobile devices (smartphones, tablets and so on) have become primary information consumption devices, and businesses have taken advantage of mobility to enhance productivity, reduce costs and gain new revenue opportunities. Effective enterprise mobility requires seamless access to information — from anywhere, at any time and from any device. Mobility can facilitate business continuity, improve collaboration, simplify teleworking and increase employee retention. Bring your own device (BYOD), while not part of every mobility strategy, is increasingly accepted in enterprises as consumerization firmly takes hold. Enterprises must incorporate security into their mobility strategies.

Take-Aways:

  • Isolating business information and applications on a personal device offers a mechanism for the enterprise to protect business information and apply controls, while still allowing employees the freedom to choose how their devices are configured and used. Managed information container products can provide this separation.
  • The container creates a workspace on the device that is defined and managed by the enterprise. The container products have reached parity in base functionality and usually include applications for email, calendar and contacts, as well as a secure browser and applications to view and manipulate data.
  • Containers include controls for authentication, encryption, wipe, authorization, secure communication and content that are managed by the enterprise.
  • Containers, when managed and configured properly, provide an appropriate level of control for enterprise information in mobile environments if the risk to the enterprise of unauthorized disclosure is low to medium (depending on the risk appetite of the enterprise).
  • Technology changes from device manufacturers (notably Apple and Samsung) impact how containers are deployed on these devices. Container vendors are adjusting their products to take advantage of new capabilities.
  • Use cases are maturing and now include requirements for information distribution, sharing and synchronization, as well as resident mobile and mobile Web apps. Dealing with use cases moves the discussion out of the technical realm and into the domain of organizational culture and end-user preferences.
  • User experience is an important consideration for the use of containers. While the user interface is likely not native, containers can bring improvements over native apps and benefits in the area of support.
  • Activity in the container market is picking up with mobile device management (MDM) vendors adding capability and platform support. MDM and container vendors have been noticed by larger firms as evidenced by two acquisitions in November 2013 (Bitzer Mobile by Oracle, and Fiberlink Communications by IBM) and another in January 2014 (AirWatch by VMware).
  • The strengths of managed information container technology are:
    • Containers enable the separation of business and personal applications and data so that a single device can be used for both work and personal life.
    • Containers help an enterprise manage the risk of sensitive data exposure through authentication, encryption, selective wipe and data use controls.
    • Containers can provide a common user experience across multiple devices.
    • Containers can help reduce enterprise support costs for mobility.
    • Containers can provide a single sign-on capability across multiple applications.
  • The weaknesses of managed information container technology are:
    • The user experience is not the same as native applications on the device and, therefore, is not sought after by employees.
    • Even when the container app has benefits or when true native apps are used in the container, the UI still has a poor reputation.
    • Container vendors are not supporting all mobile computing devices and OSs.
    • Users do not like the process of switching between the container and the main user screen or the associated reauthentication that is often necessary.
    • Containers do not support the complete separation of phone and texting functions on mobile devices without the use of a separate voice over IP (VoIP) or unified communications (UC) application.
    • The protection offered by managed information containers is only as strong as the OS they are running on.
    • Technology and market changes make container vendor selection a tactical decision.
  • Recommendations:
    • Containerization remains a strategic technology, but consider your vendor choice to be tactical, and do not consider container products to be long-term strategic purchases.
    • Determine use cases first as the use cases will define information and application requirements. Apps will drive the decisions around security controls to a greater extent in the future, and knowing the use case will help to identify the appropriate container solutions.
    • Use cases also define risk and help determine if containers are an appropriate option. Containers can be used when the risk of unauthorized disclosure is low to medium (depending on the risk appetite of the enterprise).
    • Include users in decision making. User experience is an important consideration, and user input is critical to later acceptance.

Conclusion: Container products are not appropriate for all users, use cases and devices, and while they do provide security, containers often do so at the expense of user experience. Containers, in general, provide an appropriate level of control for low-risk and (perhaps) medium-risk enterprise information in a mobile environment, but enterprises should consider container product choices as tactical, short-term solutions. The mobility market is evolving, and while container products have generally reached a level of parity when it comes to base functionality, the future of specific container products is unclear.

Analysis

Enterprises and employees use mobile devices on a daily basis, and these devices are becoming their primary information consumption devices. Therefore, sensitive information will exist on mobile devices. Enterprises need to protect the information, but they are constrained when the employee owns the device (such as when BYOD is allowed). Separating business information and applications on a personal device offers a mechanism for the enterprise to protect business information and apply controls, while still allowing employees the freedom to choose how their devices are configured and used.

There are multiple approaches to securing sensitive business information in a mobile environment:

  • Physical protection could be employed to protect the entire device from unauthorized access. While this approach limits the mobility of the device by confining its use to a limited physical geography (such as an industrial plant), it may be necessary for some high-risk use cases.
  • Information could be kept off the device entirely by requiring the user to access applications and data through virtual desktop infrastructure (VDI) or mobile Web applications (MWAs). While this approach may reduce or eliminate the need for controls on the device (if there is no information stored or cached on the device), it also precludes the offline use cases.
  • The entire device could be controlled through MDM or enterprise mobility management (EMM) products so that the enterprise sets the configuration and monitors activity on the device. While this approach does give the enterprise a mechanism for mitigating the risk of unauthorized access to sensitive information on the device, it may not be appropriate in a BYOD environment as the employee retains ownership of the device and may not accept enterprise control.
  • Separation between enterprise and employee apps and data could be created on the device. As discussed in this document, managed information container products (including Type 2 hypervisors, containers and managed cooperatives) can be used to provide security controls around enterprise apps and data, while leaving the rest of the device under the control of the employee.

For more information on determining the most appropriate approach for an enterprise, see "Decision Point for Mobile Endpoint Security."

Container Security Controls

MDM vendors commonly use a broad market definitional term, "container," to describe products that separate or isolate business information and applications from personal information and applications on a mobile device. This is also referred to as "personas" in some products. The term covers several technical architectures that actually provide the separation, including client virtualization, containers and managed cooperatives. Container, in this case, is essentially a view of what is under management and what is not. This marketing terminology is broadly accepted, but should not be used in a detailed examination of the underlying technical architecture, which is often unique to each OS platform and MDM vendor.

Container products create a workspace or context on the device that is defined and managed by the enterprise (see Figure 1). The container product usually includes functions for email, calendar and contacts, as well as a secure Web browser. Often, capabilities to view and manipulate data that resides within the container are also included (depending on the specific product). It is generally possible to link applications to the container through application extensions, using a wrapper or software development kit (SDK) provided by the container vendor, thereby creating a managed cooperative of applications.

Figure 1. Conceptual View of Managed Information Container Separates Business From Personal Applications and Data

Source: Gartner (January 2014)

Containers provide enterprise-managed security controls that mitigate the risk of unauthorized disclosure; the enterprise configures them through a management console. The management system sets the configuration for all security controls and may reside on the enterprise premises, or it may be cloud-based. The controls include:

  • Authentication: Users are prompted to authenticate prior to accessing information or apps within or linked to the container.
  • Encryption: Information stored within the container is encrypted while at rest on the device.
  • Wipe: The enterprise controls the removal of information and apps from the device. Wipe can be initiated on demand or in response to a policy setting, and impacts only enterprise apps and data.
  • Authorization: Prior to starting, the container software verifies that the underlying device complies with policy and is authorized to run the container software. This policy usually requires verification that the device has not been jailbroken or rooted.
  • Secure communication: Information sent to the container, or from the container to the enterprise, is properly protected.
  • Content control: The enterprise controls copy and paste functions on the device so that information in the container cannot be moved outside of the container (to the personal side of the device) unless allowed by policy.

The Details section of this report contains further information on these security controls, along with tables showing how vendors implement these features.

Generally, the security controls provided by managed containers on mobile devices can be sufficient to manage enterprise risk of unauthorized information disclosure in a mobile environment, but there are caveats that must be considered.

Authentication is a very important control, and without a sufficiently strong mechanism, the encryption of data at rest provides little or no protection, as shown in a recent article in IEEE Security & Privacy [1]. The use of weak passwords or PINs, therefore, must be reduced, and this can be done with policy. Container products allow enterprises to set policies for password strength, as well as the number of failed login attempts before a wipe is initiated. Password policies must be set with care so as to not make it overly difficult for employees to actually make use of the container (typing complex passwords on a smartphone screen can be difficult and cause employee dissatisfaction). Stronger authentication mechanisms such as tokens and card readers are available for some products (for example, AirWatch, Bitzer Mobile, Fixmo, Good Technology, LRW Technologies, Mocana, NitroDesk, OpenPeak and Thales have support in current products). However, the user experience can be unpleasant, and they can be excessive for use cases without obvious high risks. Soft token support is available as well, but may not provide the strength of mechanism required. For more information on strong authentication on mobile devices, see "How to Achieve Single Sign-On With Mobile Devices."

Wiping enterprise information off a device is a good idea when the device is lost, stolen or otherwise decommissioned from enterprise use. However, while sending a wipe command from a management system is straightforward, the mobile device may never receive the command. Removing the SIM card from the device or placing the device in "airplane mode" stops the device from communicating and receiving the command. Container products provide additional options, but the enterprise must make use of them. Policies can be set so that a wipe occurs if too many failed authentication attempts are made, or if the container goes too long without communicating with the management system. These policies must be set carefully so as to not cause problems for users who have a hard time typing strong passwords or who happen to be on vacation or in situations where communication is limited.

Jailbreaking or rooting a mobile device is a cause for concern. All container products attempt to check the integrity of the underlying device OS before starting up and allowing the user to authenticate. However, relying on a container product to verify the integrity of the OS it is running on may not be sufficient. Container vendors are very circumspect in describing exactly how they check the underlying OS, which does not improve confidence. OS vendors are making improvements in this area. For example, both iOS 7 and BlackBerry 10 perform integrity checks on the OS kernel (see "Apple iOS 7 Architecture, Security and Management Capabilities" for more information on the iOS 7 mechanism). Device manufacturers are also making improvements here. For example, Samsung's Knox program uses a hardware root of trust to verify the integrity of Android. Table 1 summarizes the issue with jailbroken or rooted devices.

Table 1. Security Concerns With Jailbroken or Rooted Devices

Device Possession | OS Integrity Verified (That Is, Non-Jailbroken) | Jailbroken or Rooted Device
Legitimate user | All is well — security controls are in place and verified by the management system. | Malicious software or a rogue app could cause harm (for example, by capturing authentication information typed into the device, capturing screen images or accessing unencrypted information in memory).
Unauthorized user | Container authentication and encryption protect information. | Information is protected by authentication and encryption, but the container could be duped with false information from the OS.

Source: Gartner (January 2014)
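As an added illustration of how the authentication, wipe and authorization controls discussed above combine into an enterprise-managed policy (example code written for this page, not any vendor's product), the following Python models a console policy evaluated against a device's reported state. The class names, the PIN rule and every threshold (failed-attempt limit, check-in lock and wipe periods) are assumptions; the lock stage before the wipe stage reflects the caveat that a device may simply be offline.

```python
"""Added illustration of enterprise-managed container policy (not vendor code).

Models three of the controls the report lists: authorization (an integrity
check before the container starts), authentication (a PIN strength rule and a
failed-attempt threshold) and wipe (selective removal of enterprise data that
leaves the personal side untouched). The check-in timeout has a lock stage
before the wipe stage so that a device that is merely offline (airplane mode,
SIM removed, vacation) is not wiped prematurely. All thresholds are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum


class Action(Enum):
    ALLOW = "allow"  # container may start and prompt for authentication
    LOCK = "lock"    # container refuses access until it reaches the console
    WIPE = "wipe"    # selective wipe of enterprise apps and data only
    DENY = "deny"    # device failed the integrity check; do not start


@dataclass
class Policy:
    """Settings an administrator would push from the management console."""
    min_pin_length: int = 6                            # assumed value
    max_failed_auth: int = 10                          # assumed value
    lock_after_silent: timedelta = timedelta(days=7)   # assumed value
    wipe_after_silent: timedelta = timedelta(days=30)  # assumed value


@dataclass
class DeviceState:
    """What the container reports about itself (constructed for the example)."""
    integrity_ok: bool          # result of the jailbreak/root check
    failed_auth: int            # consecutive failed PIN entries
    last_checkin: datetime      # last successful contact with the console
    enterprise_data: dict = field(default_factory=dict)
    personal_data: dict = field(default_factory=dict)


def pin_meets_policy(pin: str, policy: Policy) -> bool:
    """Reject PINs that leave data-at-rest encryption with little real protection.

    Too short, a single repeated digit, or a straight ascending/descending run
    are refused; anything else passes. This is a deliberately simple rule set.
    """
    if len(pin) < policy.min_pin_length:
        return False
    if len(set(pin)) == 1:                       # e.g. 000000
        return False
    if pin.isdigit():
        steps = {int(b) - int(a) for a, b in zip(pin, pin[1:])}
        if steps == {1} or steps == {-1}:        # e.g. 123456 or 654321
            return False
    return True


def evaluate(state: DeviceState, policy: Policy, now: datetime) -> Action:
    """Decide what the container should do, checked in order of severity."""
    if not state.integrity_ok:
        return Action.DENY                       # authorization control
    if state.failed_auth >= policy.max_failed_auth:
        return Action.WIPE                       # too many failed attempts
    silent_for = now - state.last_checkin
    if silent_for >= policy.wipe_after_silent:
        return Action.WIPE                       # device presumed lost
    if silent_for >= policy.lock_after_silent:
        return Action.LOCK                       # grace period: lock, not wipe
    return Action.ALLOW


def selective_wipe(state: DeviceState) -> DeviceState:
    """Remove enterprise data only; the employee's personal data is untouched."""
    state.enterprise_data.clear()
    state.failed_auth = 0
    return state


def record_auth_attempt(state: DeviceState, policy: Policy,
                        now: datetime, success: bool) -> Action:
    """Update the failed-attempt counter, then enforce the resulting decision."""
    state.failed_auth = 0 if success else state.failed_auth + 1
    action = evaluate(state, policy, now)
    if action is Action.WIPE:
        selective_wipe(state)
    return action


if __name__ == "__main__":
    # Constructed scenario: a device that checked in an hour ago suffers
    # repeated failed PIN entries until the policy threshold triggers a wipe.
    policy = Policy()
    now = datetime(2014, 1, 27, 12, 0)
    dev = DeviceState(True, 0, now - timedelta(hours=1),
                      {"mail": "inbox"}, {"photos": "album"})
    for attempt in range(policy.max_failed_auth):
        print(attempt + 1, record_auth_attempt(dev, policy, now, success=False))
    print("enterprise:", dev.enterprise_data, "personal:", dev.personal_data)
```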

Overall, the use case for mobility and mobile devices will determine the risk to the enterprise and the appropriate course of action. Mobile environments do not have the same level of physical control found in enterprise facilities. Containers, when managed and configured properly, provide an appropriate level of control for enterprise information in mobile environments if the risk to the enterprise of unauthorized disclosure is low to medium (depending on the risk appetite of the enterprise). There are some variations between container products as previously noted (and also shown in the Details section), so it is important to consider the use case.

However, if the use case requires mobility and poses a high risk to the enterprise, it is not appropriate to use employee-owned devices. In this case, enterprise-owned devices should be heavily managed (meaning limited applications, limited browsing and tight policy controls); strong integrity controls should be used; and employees should be forced to use strong authentication to access enterprise applications and data. Additional physical security controls should be in place to prevent the loss or theft of the device (see "Decision Point for Mobile Endpoint Security" for more information).

Technology Changes

As with all things in IT, technology moves forward and impacts existing business practices and vendor products. In the area of containers, two changes occurred in 2013 that impact how containers are deployed:

  • iOS 7 was released by Apple and includes policies implementing greater control over managed applications.
  • Samsung released a container capability for its high-end Android devices.

Both changes have impacted how container vendors provide solutions to customers. In the case of iOS 7, several container vendors have developed support for the new policies, while a few vendors have dropped their container offerings in favor of the iOS 7 capabilities. Samsung Knox requires the support of an MDM or other container management product to meet enterprise container needs, and this support is available or planned for most of the container vendors.

iOS 7

A complete discussion of the security and management features of iOS 7 can be found in "Apple iOS 7 Architecture, Security and Management Capabilities," so this discussion will focus specifically on iOS 7's ability to provide container solutions for enterprises. There are four primary items to consider:

  1. iOS 7 enables better control of enterprise applications that process or store sensitive information:
    • This relates only to apps that come from a corporate app store or that are deployed to the device through an MDM. Apps that employees purchase or download through iTunes cannot be managed.
    • There cannot be two versions of the same app on a device, so if the employee has already downloaded an app from iTunes, and the enterprise wishes to use and manage the same app, the employee will have to uninstall the unmanaged version of the app.
  2. For managed apps and mailboxes, iOS 7 now has an "open in" control to limit the applications that can open a file. For example, if this control is applied to an enterprise mailbox, attachments sent to the employee can be opened only with one of the managed apps, as opposed to the app of the employee's choice:
    • However, there is no copy and paste control, so once the information is opened in an app (managed or not), the employee is free to copy information and paste it to an unmanaged app or mailbox.
    • Sharing is also not controlled, so an employee is able to open a file and then choose to share the file through unmanaged apps, such as Facebook, Dropbox or LinkedIn.
  3. Managed apps can be configured to require a VPN connection back to the enterprise for all communication:
    • The VPN used is shared with all managed apps requiring a VPN.
    • The enterprise may need to acquire a VPN client for the mobile device that makes use of new iOS 7 APIs. VPN clients that fit this requirement have been slow to emerge.
  4. The new controls require a management product to function. MDM and container vendors are working on this, and some products are available with this capability.

While the new features of iOS 7 are certainly a step in the right direction, they do not, by themselves, constitute a replacement for managed information containers when the enterprise needs to manage medium risks. They may provide sufficient controls for managing low risk, but enterprises will need to examine the specific use case.

Samsung Knox

Knox was developed by Samsung to provide separation between business and personal apps and information. It is based on Security Enhanced (SE) Android and is available on high-end Samsung Android smartphones and tablets, although availability varies with geography. Knox creates a container for enterprise apps and data by deploying a second instance of the Android user interface, with its apps directed to a separate namespace on the device.

Integrity mechanisms in Knox verify the integrity of the boot loaders as well as the OS. These mechanisms use the ARM processor TrustZone features. If an integrity violation is detected (such as when a new version of the OS is installed, or the device is rooted), a hardware fuse is blown, and the device is forever considered untrustworthy. The Knox integrity mechanisms are not enabled by default from the factory.

The Knox container requires authentication and provides encryption for data stored within it. A VPN is provided from the container back to the enterprise. However, Knox requires a management product to be enabled. MDM and container vendors are working on this, and products are available that can manage the Knox container.

Apps loaded into the Knox container must first go through a process (at no cost) that injects code into the app binary. Apps that go through this process are available only through the Samsung app store, and the Knox container will not install apps from any other source. Apps inside the container cannot communicate with apps outside the container.

Knox is still a young product, and its security mechanisms will need to be vetted to see if they live up to their claims (note that early versions of Knox were vulnerable to rooting by an exploit called "Root de la Vega," but the vulnerability has been corrected by Samsung). However, the integrity mechanisms offer the potential to detect the installation of malicious software at higher assurance levels than those found in other container products. Enterprises will need to determine if use cases can be accommodated with only Samsung devices, while employees will need to determine if they are willing to live with the limitations that Knox applies to their devices. More information on Knox can be found in "Android 4 Architecture, Security and Management Capabilities," "Samsung's Bid for Enterprise-Grade Security Shows Promise but Needs to Mature," and "Samsung Knox — Bringing Android Under Enterprise Management."

Use Cases

How well containers fit an enterprise's mobile strategy is determined by the use cases that need to be met. The email, calendar and contacts use case has long been generic and prevalent across most enterprises. Most container vendors provide apps within their basic products to meet this use case. While variations in functionality exist between the vendors, generally, the products can connect to the major on-premises email systems, and many have recently added support for cloud email, such as Gmail and Office 365.

Beyond the basic email use case, enterprises must identify applications needed for specific groups or job functions (see "Guidance Framework for Creating a Defensible Business Case," "Increase Mobile Productivity by Choosing the Right App, for the Right Device, for the Right User" and "How to Succeed With iPads in the Enterprise and Avoid the Pitfalls" for more information on creating use cases). If these apps are to contain sensitive information, the enterprise will examine how to provide the necessary controls. Linking the apps to a container (through the use of a wrapper or SDK) or making use of one of the managed cooperative products (such as those from Mocana and Symantec) is one option and often easier than trying to build security into an internally developed app.

In discussing mobility strategy with end-user organizations, we found that some enterprises are using homegrown apps on mobile devices, but organizations were looking for ways to make use of commercial off-the-shelf (COTS) apps instead of continuing their own development. The use of COTS apps will push enterprises to examine the application ecosystem surrounding the container vendors (see the Applications section for more details). Apps already available that can be linked to a specific container product make that product much more attractive to the enterprise and the employees.

Use cases are maturing and now include requirements for information distribution, sharing and synchronization. This has driven container vendors to add this type of functionality to their products, to provide add-on products to support this requirement, or to partner with third-party vendors. In many cases, container vendors are both adding their own functionality and partnering with third-party vendors.

Dealing with use cases quickly moves out of the technical realm and into culture and user preference. Enterprise and personal culture will strongly influence how use cases are defined, the policies that allow personally owned devices, and the ability of employees to direct technical solutions.

COPE

One area where container products do not provide a solution is corporate-owned, personally enabled (COPE) devices. These are devices provided by the enterprise, but the enterprise allows employees to use them for some personal activities — such as listening to music; sending and receiving personal email, phone calls and texts; or loading personal applications. To support a COPE model and maintain employee privacy, the enterprise would create a personal space on the device where the enterprise exercises no control or monitoring, while the device itself remains under the control and management of the enterprise. In effect, this model reverses what the container products do.

BlackBerry comes closest to offering a product to support COPE. BlackBerry 10 devices running BlackBerry Enterprise Service 10, Service Pack 2, include a personal space that is separate from the workspace on the device, and policies can be set as to what the user is allowed to do within the personal space. Other container products do not support such a model. More information on this issue can be found in "Are Mobile Devices Too Revealing? Balancing Privacy and Information Protection in COPE and BYOD."

Applications

As was noted in the Use Cases section, it is all about the apps! Employees use apps on mobile devices to perform some job function. At the very least, the email app is used for communication. Enterprises use internally developed resident mobile apps (RMAs) for various functions, but increasingly, COTS applications are preferred. RMAs are not the only option for enterprises, however. Mobile Web apps are also used and provide different challenges to enterprises and employees.

Resident Mobile Apps

An enterprise that chooses a container solution for mobile devices will have access to either a wrapper, an SDK or both, provided by the container vendor, to link internally developed RMAs to the container. However, internally developed applications are a minority of the apps that employees need and want to use.

Container vendors have built ecosystems around their containers to make their products more attractive to enterprise customers. The idea is that the more COTS apps there are that are already built for the container product, the less work a customer will have to do, and therefore, the more willing an enterprise will be to purchase the container product (or MDM for that matter). However, most of the ecosystems have limited numbers of apps, and while the vendors will discuss how their ecosystems are constantly growing, potential customers will do well to examine the apps currently available and match them to the current and expected enterprise use cases.

As we look at the ecosystems, it is interesting to note that some independent software vendors (ISVs) have taken steps to have their apps included in many different container ecosystems. Some very popular app vendors have done this, and it is hard to imagine that this state of affairs can continue indefinitely. In speaking to ISVs, we found that, if the container vendor has a wrapper, the cost to add the app to an ecosystem is small. However, as the number of ecosystems increases, the cost to the ISV every time a new version of the app is created can be large. As one ISV said, "App sprawl becomes a major issue." In cases where the container vendor uses an SDK to add apps to its ecosystem, the cost to an ISV can be large — as high as one to two man-months of coding effort — with each update incurring additional effort.

Given the number of container and MDM vendors, there must eventually be a move by the ISVs to support only the larger container and MDM vendors. This will be a factor in eventually reducing the number of container and MDM vendors, as only those vendors with strong app ecosystems will successfully compete for enterprise customers.

Mobile Web Apps

Some enterprises are focusing their mobile application strategies on MWAs instead of developing their own RMAs. This makes sense as many enterprise apps are already Web-based, and enterprises generally have greater familiarity with Web app development than with RMA development.

Container products generally include a browser inside or linked to the container that takes advantage of the authentication and encryption protection afforded by the container. Traffic to and from the browser can take advantage of the container's secure communication channel as well. Several container vendors enable enterprise single sign-on for Web apps running in the secure browser. The majority of container vendors have built HTML5 support into their browsers, but the level of support for HTML5 is inconsistent with current browsers and between vendors.

Unfortunately, MWAs are not a solution for all use cases. In part, this is because not all Web app architecture options support offline use well. If the enterprise builds offline support into an HTML5 app, the offline use issue may be solved. While not all container vendors support HTML5 in offline mode, the majority do, and the app and any data stored in the app will be protected by the container mechanisms.

User Experience

  • "User experience is horrible!"
  • "It is not native!"

These are just a couple of the comments we heard when containers were discussed as a solution to the issue of sensitive enterprise information on employee-owned mobile devices. It is true that the user interface provided by containers is not exactly like the native app interface that employees have when they purchase an iPhone or Android device. However, there is more to user experience than just the interface.

Native Interface

Mobile device vendors spend a lot of time and money on the user interface for their devices. At times, it seems that container vendors (and security vendors in general) do their best to create a challenging user interface. While it is easy to say that the user interface on most container products has improved, in the end, comfort with the user interface depends on the user.

That said, there are benefits to using container products even from the user's perspective. For example, the calendar feature within Good for Enterprise and NitroDesk's TouchDown products can check free or busy times for calendar appointment scheduling. This is not something that can be done through the native calendar on iOS.

Just using a container product does not preclude the use of native apps. Several products allow the use of native apps within their containers:

  • Thales Teopad on Android
  • VMware Horizon Mobile on select Android devices
  • Samsung Knox devices (when managed by a container or MDM product for enterprise use)
  • BlackBerry 10 devices (when managed for enterprise use)

In addition, if the enterprise finds that using the iOS 7 application policies (managed by a container or MDM product) is appropriate to its risk management requirements, native apps can be used as long as they are acquired through the enterprise app store or deployed through an MDM product.

Using the Phone

Smartphones are still phones, and using them as such is still a part of the overall user experience. How calls are initiated and received is an area of frustration for users if container products are deployed. The same is true for SMS text messaging. Users don't want to authenticate before answering a call. They want to have information about who is calling them to appear on their screens.

Generally, container products allow making a call or sending a text message from inside the container. Once inside the container, all contact information is available, and the experience is the same as using a personal contacts list.

Receiving calls and texts occurs outside the container, and unless enterprise policy allows the sharing of contact information from the container to the personal side of the device, the user will not be presented with information from the business contacts database.

Container vendors have presented options to solve this problem. For example, VoIP or UC apps could be linked to the container and then used for all business communication. Messaging apps linked to the container could be used instead of texting. However, answering a call still requires authenticating to the container.

Android devices offer some flexibility in solving this problem, and container vendors are working on better solutions. For example, Divide has written its own phone and texting app so that incoming calls and texts that correspond to a contact inside the container are transferred into the container.

File Sharing and Synchronization

Apps are not the only access a user needs on a mobile device. Users also need access to information — documents, spreadsheets and the like — and it is becoming more important to provide a mechanism to access information without attaching files to email. Container vendors are improving file sharing and synchronization mechanisms to support this need.

Eleven of the 21 vendors examined in this research provide a file sharing and synchronization mechanism. The mechanism provided by the container vendors is usually an on-premises solution. Fourteen of the vendors support access to Microsoft SharePoint within their products. In addition, fifteen of the vendors support third-party file sharing and synchronization products as part of their ecosystems. Generally, this is a cloud solution. Many of the vendors without file sharing and synchronization solutions or partnerships have it on their road maps. More information on file sharing and synchronization products can be found in "Mobile File Synchronization Evaluation Criteria" and "Enterprise File Synchronization and Sharing: Thinking Through the Security Issues."

Support

Another aspect of the user experience is how the employee gets help when things are not working as expected. Enterprises are often limited in the support they will offer by the fact that the employee owns the device (and therefore the enterprise does not have full control over activities performed on the device) and by the vast number of device variations (especially true with regard to Android devices).

The use of containers may offer assistance in providing support. The container limits the business aspect of the device — only apps inside or linked to the container are supported by the enterprise — and it provides a consistent user interface across devices. For the employee, the limits of enterprise support are defined, and proper expectations can be easily defined through policy. For the enterprise, support is offered for the container (on whatever devices the particular container product is provided) and not all of the various devices. This may allow the enterprise to add Android devices to BYOD programs without incurring huge support costs.

Market

MDM (or enterprise mobility management [EMM]) vendors are taking full control of the managed information container space. In the past year, major MDM vendors have added container functionality that rivals that of the stand-alone container vendors. In some cases, the added functionality has been developed internally; in other cases, the MDM vendors are partnering with container vendors to provide the container function.

The container market remains intermingled, with vendors partnering with competitors — for example:

  • MobileIron uses the Divide email, calendar and contacts app (wrapped with MobileIron's security wrapper) and NitroDesk's TouchDown on Android devices.
  • BlackBerry's container for Android and iOS is built with technology from OpenPeak.
  • SAP partners with Mocana to secure apps.
  • AT&T uses technology from OpenPeak as the basis for Toggle.
  • Verizon uses technology from Divide as the basis for Enterprise Mobility as a Service.
  • Symantec uses NitroDesk's TouchDown for email.

MDM and container vendors have been noticed by larger firms, as evidenced by two acquisitions in November 2013 and one in January 2014:

  • IBM acquired Fiberlink.
  • Oracle acquired Bitzer Mobile.
  • VMware acquired AirWatch.

Platform support from container vendors is still centered on iOS and Android (see Figure 2). There is little interest in supporting BlackBerry devices, but support for Windows Phone 8 is increasing. Perhaps most interesting is the increasing support for Windows 8 and OS X. This may be an indication that vendors agree that "mobility" and "BYOD" mean more than just smartphones and tablets, but really include all types of mobile employee platforms.

Figure 2. Managed Information Container Platform Support

Source: Gartner (January 2014)

Mobility continues to be an important topic for enterprises, and it is obvious that mobility means more than just smartphones and tablets. In fact, mobility is a cultural and business issue. Therefore, continued consolidation in this market is expected, along with expansion into "desktop" platforms.

Futures

The technology of managed information containers is linked to mobile technology in general. It is impossible to examine a future for containers without considering the future of mobile devices and their OSs. At the same time, mobile devices are personal devices, and the importance of the container and its features will be driven by personal choices.

Balancing personal preferences and enterprise security concerns is nowhere more obvious than in the authentication mechanism used with containers. Today, most enterprises default to PINs or passwords, while longing for a stronger mechanism. The U.S. National Institute of Standards and Technology (NIST) is working on a standard for Near Field Communication (NFC) that may provide an alternative. NIST Special Publication 800-73-4 "Interfaces for Personal Identity Verification — Part 3: PIV Client Application Programming Interface" (now in draft) specifies an interface with smart cards to retrieve and use personal identity credentials over NFC. Vendors are still waiting to see how the standard is finalized before implementing it, and there are questions about whether Apple will add NFC to its devices in the future. For more information, see "How to Achieve Single Sign-On With Mobile Devices."

As MDM vendors become EMM vendors, they will attempt to build products that offer solutions for all mobile use cases. As noted in the Market section, the number of vendors in this space will decrease as this process occurs. EMM vendors will attempt to move into the PC space, but they are likely to run into significant competition there. The concept of a workspace aggregator has taken hold with several vendors (see "An Overview of Workspace Aggregators," "Workspace Aggregators Help Enterprises Deal With Consumerization by Uniting Five Core Capabilities," and "Virtual Desktop and Application Delivery" for more information), and these vendors are building on products that already exist in the PC space to move onto mobile devices. Enterprises will see two categories of options with similar features and functionality to solve their mobility requirements. In the end, availability and the ease of adding apps (both RMAs and MWAs) will push enterprises in one direction or the other.

Strengths

The strengths of managed information container technology are:

  • Containers enable the separation of business and personal applications and data so that a single device can be used for both work and personal life.
  • Containers help an enterprise manage the risk of sensitive data exposure through authentication, encryption, selective wipe and data use controls.
  • Containers can provide a common user experience across multiple devices.
  • Containers can help reduce enterprise support costs for mobility.
  • Containers can provide a single sign-on capability across multiple applications.

Weaknesses

The weaknesses of managed information container technology are:

  • The user experience is not the same as that of native applications on the device and, therefore, is not sought after by employees.
  • Even when the container app has benefits or when true native apps are used in the container, the UI still has a poor reputation.
  • Container vendors are not supporting all mobile computing devices and OSs.
  • Users do not like the process of switching between the container and the main user screen or the associated reauthentication that is often necessary.
  • Containers do not support the complete separation of phone and texting functions on mobile devices without the use of a separate VoIP or UC application.
  • The protection offered by managed information containers is only as strong as the OS they are running on.
  • Technology and market changes make container vendor selection a tactical decision.

Recommendations

Managed information containers can help enterprises control the risk of sensitive information disclosure on mobile devices. The following recommendations are offered to assist enterprises when considering the use of containers.

Containerization remains a strategic technology, but the vendor choice should be considered tactical. Container technology is not future-proof. Changes in devices and OSs will impact how containers are built — or if separate products are even necessary. Products purchased today will likely have limited life spans or may become niche solutions for older devices. Enterprises should build the mobility strategy to change and adjust with time, and should not expect the managed information container product to always be a part of the solution.

Managed information containers are useful security controls for certain use cases. Before making a purchase, enterprises should examine their mobile use cases and see what information and applications employees need to access. Applications will drive the decisions around security controls to a greater extent in the future, and determining application requirements will help match the most appropriate product to the need.

Use cases also define risk and help determine if containers are an appropriate option for the enterprise. Enterprises should use containers if the risk to the enterprise of unauthorized disclosure is low to medium (depending on the risk appetite of the enterprise). Containers, when managed and configured properly, provide an appropriate level of control for enterprise information in mobile environments. However, if the use case requires mobility and poses a high risk to the enterprise, it is not appropriate to use employee-owned devices.

Moreover, enterprises should include users in decision making about the use of containers. Mandating a container to protect applications and data on mobile devices will impact users. They will be forced to provide authentication information and to utilize a different UI. At the very least, users must be educated as to why these changes are being made. Users (or representative stakeholders) must be included in the decision-making process. Different container products offer different user experiences, and the products that meet the enterprise's security needs should be tested and piloted with the user community prior to purchase and rollout.

The Details

Managed Information Container Details

Managed information containers provide:

  • Authentication
  • Encryption
  • Wipe
  • Authorization
  • Secure communication
  • Content control

The following sections provide details on what these security controls actually mean in the context of a container.

Authentication

Only authorized users should have access to enterprise data and applications. Therefore, some type of user identification and authentication must occur prior to the user gaining access to the container. The type of authentication required should be tied to the risk of an unauthorized individual gaining access to the information and also to the use case.

Container products offer different types of authentication mechanisms. All products offer PIN or password authentication and enable the enterprise to set policy for the strength of the password and the number of failed login attempts allowed. Tokens and certificates are supported in some of the products. SAML is also supported in a limited number of products. User identity and authentication can be tied to enterprise directories, such as Active Directory or other LDAP repositories.

When choosing the authentication mechanism, enterprises should keep the device use case in mind. If enterprise data and applications will be used offline, some type of local credential storage or cache will be necessary. Products that link to Active Directory include policies for the local caching of Active Directory credentials. These policies may include a timeout for how long the credentials can be cached (if at all) before communication with the management system or Active Directory is required.

Table 2 summarizes the authentication mechanisms supported in the various products. Unless otherwise noted, the information applies to all platforms supported by the vendor.

Table 2. Summary of Authentication Mechanisms Supported by Various Container Products

Vendor | Password or PIN | Policy for Password Strength and Failed Login Attempts | Link to Active Directory or LDAP | Supports Tokens or Smart Cards | SAML Support | Certificate Support
AirWatch | Yes | Yes | Yes | Yes | Yes | Yes
AT&T | Yes | Yes | Yes | - | - | -
Bitzer Mobile | Yes | Yes | Yes | Yes | - | Yes
BlackBerry | Yes | Yes | - | iOS and Android: Planned; BlackBerry: Yes | - | iOS and Android: Planned; BlackBerry: Yes
Citrix | Yes | Yes | Yes | Tokens: Yes; Smart card: Planned | Yes | Yes
Divide | Yes | Yes | - | - | - | Yes
Excitor | Yes | Yes | Yes | - | Planned | Planned
Fiberlink Communications | Yes | Yes | Yes | - | Yes | Yes
Fixmo | Yes | Yes | Yes | Yes | - | Yes
Good Technology | Yes | Yes | Yes | Yes | Planned for 2014 | Yes
LRW Technologies | Yes | Yes | - | Only on iOS | - | -
MobileIron | Yes | Yes | Yes | Planned | Planned | Yes
Mocana | Yes | Yes | Yes | Yes | Planned | Yes
Moka5 | Yes | Yes | Yes | Windows 7 and 8, OS X | Planned for 2014 | -
NitroDesk | Yes | Yes | - | Yes | - | Yes
OpenPeak | Yes | Yes | Yes | Yes | Yes | Yes
SAP | Yes | Yes | Yes | - | Yes | Yes
Symantec | Yes | Yes | Yes | - | Yes | -
Thales | Yes | Yes | Yes | Yes | - | Yes
Verizon | Yes | Yes | - | - | - | Yes
VMware | Yes | Yes | Yes | - | Yes | Yes

Source: Gartner (January 2014)

Encryption

Encryption protects data stored on the device from an unauthorized individual attempting to bypass the authentication mechanism. Vulnerabilities exist in mobile device OSs that let attackers gain access to the device's memory without going through the normal device authentication mechanisms, and if the user does not enable any type of device authentication, anyone who picks up the device is free to access any data on it. Forensic tools also exist that enable all device memory to be copied and analyzed on another machine. Even when the device is encrypted by default (such as with current versions of iOS), the storage of the device encryption keys may be weak and allow attackers to gain access to the key ring.

Containers provide a second level of encryption that reduces the risk of a successful attack. Encryption is used within the context of the container to protect information in storage. The container should not decrypt any information unless proper authentication is provided.

Encryption mechanisms used in the container should include a properly vetted algorithm, such as the Advanced Encryption Standard (AES). Key lengths should be sufficient to protect the data stored on the device. Most of the container products reviewed for this document use 256-bit AES keys. Implementations validated by Federal Information Processing Standard (FIPS) 140-2 are preferred, because the validation provides some assurance that the algorithm was implemented correctly and with no vulnerabilities identified during testing. However, the implementation of any cryptographic algorithm solely in software has inherent limitations in protecting cryptographic keys. For more information on the use of encryption to protect sensitive information, see "Understanding and Evaluating Cryptographic Systems: An Information Security Foundation," "Decision Point for Encryption," and "Decision Point for Cryptography."

Table 3 summarizes the encryption mechanisms supported in the various products. Unless otherwise noted, the information applies to all platforms supported by the vendor.

Table 3. Summary of Encryption Mechanisms Supported by Various Container Products

Vendor | Algorithm and Key Length | FIPS Certification | Crypto Supplier | Key Storage Location
AirWatch | AES 256 | Yes | Vendor | iOS: Device key chain; Android: Device key chain encrypted with SQL key; Windows 8: Credential Manager
AT&T | AES 256 | In review | Vendor (OpenSSL) | Within the container
Bitzer Mobile | AES 256 | Yes | Vendor (OpenSSL) | Within the container encrypted with a key derived from user credentials
BlackBerry | AES 256 | iOS and Android: In review; BlackBerry: Yes | Vendor | Within the container
Citrix | AES 256 | Yes | Vendor | Within the container encrypted with a key derived from user credentials
Divide | AES 256 | Yes | Vendor (OpenSSL) | Within the container
Excitor | AES 128 (AES 256 planned) | Planned | OS API | Within the container
Fiberlink Communications | AES 256 | Yes | iOS: OS API; Android and Windows Phone 8: Vendor | iOS: Device key chain encrypted with user passcode; Android: Within the container encrypted by the user passcode; Windows Phone 8: OS isolated storage encrypted with user passcode
Fixmo | AES 256 | Yes | Vendor | Within the container
Good Technology | AES 192 | Yes | Vendor | Within the container encrypted with a key derived from user credentials
LRW Technologies | AES 256 | Yes | Vendor | Within the container
MobileIron | AES 256 | Yes | Vendor (OpenSSL) | Within the container
Mocana | AES 256 | Yes | Vendor | Within the container encrypted with a key derived from user credentials
Moka5 | AES 256 | iOS, Windows 7 and 8, and OS X: Yes | iOS: OS API; Windows 7 and 8, and OS X: Crypto++ | iOS: Within the container encrypted with a key derived from user credentials; Windows 7 and 8, and OS X: In a proprietary key safe
NitroDesk | AES 256 | iOS, Android and BlackBerry: Optional; Windows 8 and OS X: No | iOS, Android, BlackBerry and OS X: Vendor; Windows 8: OS API | iOS: Key chain but encrypted with user PIN (when enabled through policy); Android and BlackBerry: Within container encrypted with user PIN (when enabled through policy); Windows 8: Application database; OS X: Key chain
OpenPeak | AES 256 | In progress | Vendor | No information provided
SAP | AES 256 | Yes | Vendor (Mocana) | Within the container encrypted with a key derived from user credentials
Symantec | AES 256 | Yes | Vendor | Within the container
Thales | AES 256 | No | Vendor | Within a secured file or on an SD card
Verizon | AES 128 | No | Vendor (iOS: Objective-C API; Android: In-built Java API) | Within the container
VMware | AES 256 | Yes | iOS: OS API; Android: Vendor | iOS: Key chain; Android: System key store for encryption key storage

Source: Gartner (January 2014)

Wipe

Removing enterprise data from employee-owned devices is an important aspect of controlling the information. At the very least, the enterprise should remove sensitive data if the device is lost or stolen so that the person in possession of the device cannot examine the data or attempt to bypass the controls at his or her leisure. However, wiping enterprise data from the device is also important if the employee decommissions the device and sells it or gives it to another person. Enterprise data should also be removed if the employee is no longer employed by the enterprise. The removal of enterprise data should be selective so that the employee's personal information and applications are not impacted.

Remotely wiping data from the device is accomplished through the container management system. The enterprise causes a command to be sent from the management system to the device, and the container on the device then either erases the data or deletes the encryption key (and therefore renders the data unusable). Remotely wiping data by itself is insufficient for most enterprises. In the case of a lost or stolen device, the person who found it or stole it may remove the SIM card and render communication to the device impossible. When this occurs, the message telling the container to wipe data will not be received. Container products may provide mechanisms to wipe information based on other criteria.
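The wipe triggers summarized in Table 4 (a management command, a jailbroken or rooted OS, repeated failed authentication, and too long without management-server contact) can be modelled as a policy the container evaluates against its own local state, so it still protects itself when the wipe command cannot reach it. The following is an added example in Node.js, not code from the report or any vendor; the policy values, event types and sample event sequence are assumptions.

```javascript
// Added example (not from the Gartner report or any vendor's product): a
// container-side wipe policy driven by the four triggers of Table 4. The policy
// values, event shapes and sample events below are constructed assumptions.

// Policy as the management server would push it to the container (assumed values).
const SAMPLE_POLICY = {
  wipeOnCompromisedOs: true,
  maxFailedAuthAttempts: 10,
  maxSecondsWithoutServerContact: 7 * 24 * 3600, // one week offline, then wipe
};

// Local state the container keeps so it can act while offline. Timestamps are
// seconds from a monotonic clock: a wall clock can be set back to defeat the
// offline timer, so a real implementation must not rely on wall-clock time.
function newContainerState(nowSeconds) {
  return {
    failedAuthAttempts: 0,
    lastServerContactSeconds: nowSeconds,
    osCompromised: false,
    pendingWipeCommand: false,
    wiped: false,
    wipeReason: null,
  };
}

// Decide whether the container must wipe and why. A server command is honoured
// first, then the local conditions, so a device whose SIM was removed (and which
// will therefore never receive the command) still self-wipes. Returns null when
// no trigger fires.
function evaluateWipe(policy, state, nowSeconds) {
  if (state.pendingWipeCommand) return 'command';
  if (policy.wipeOnCompromisedOs && state.osCompromised) return 'jailbroken-or-rooted';
  if (state.failedAuthAttempts >= policy.maxFailedAuthAttempts) return 'failed-authentication';
  if (nowSeconds - state.lastServerContactSeconds > policy.maxSecondsWithoutServerContact) {
    return 'no-server-contact';
  }
  return null;
}

// Update the state for one event, then re-evaluate the policy. Event shapes:
//   { type: 'auth', at, success }
//   { type: 'server-checkin', at, commands: [...] }
//   { type: 'integrity-check', at, osIntact }
function handleEvent(policy, state, event) {
  if (state.wiped) return state; // nothing left to protect
  switch (event.type) {
    case 'auth':
      // A successful login resets the failed counter; a failure increments it.
      state.failedAuthAttempts = event.success ? 0 : state.failedAuthAttempts + 1;
      break;
    case 'server-checkin':
      state.lastServerContactSeconds = event.at;
      if (event.commands.includes('wipe')) state.pendingWipeCommand = true;
      break;
    case 'integrity-check':
      state.osCompromised = !event.osIntact;
      break;
    default:
      throw new Error(`unknown event type ${event.type}`);
  }
  const reason = evaluateWipe(policy, state, event.at);
  if (reason !== null) {
    // This is where a product erases its records or deletes the wrapped
    // data-encryption key; here we only record the decision.
    state.wiped = true;
    state.wipeReason = reason;
  }
  return state;
}

// Replay a sequence of events against a fresh container and return the end state.
function runEvents(policy, events, startSeconds) {
  return events.reduce(
    (state, event) => handleEvent(policy, state, event),
    newContainerState(startSeconds)
  );
}

// Constructed scenario: a lost device checks in once, then sees ten wrong PIN
// entries one minute apart. With the sample policy, the tenth failure wipes it.
const T0 = 1000000;
const SAMPLE_LOST_DEVICE_EVENTS = [
  { type: 'server-checkin', at: T0, commands: [] },
  ...Array.from({ length: 10 }, (_, i) => ({ type: 'auth', at: T0 + 60 * (i + 1), success: false })),
];

module.exports = { SAMPLE_POLICY, T0, SAMPLE_LOST_DEVICE_EVENTS, newContainerState, evaluateWipe, handleEvent, runEvents };
```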

Table 4 summarizes the wipe mechanisms supported in the various products. Additional policies may also be available in various products. Unless otherwise noted, the information applies to all platforms supported by the vendor.

Table 4. Summary of Wipe Mechanisms Supported by Various Container Products

Vendor | Wipe on Command | Wipe on Jailbroken or Rooted Device | Wipe on Failed Authentication Events | Wipe After X Time of No Communication With Management Server
AirWatch | Yes | Yes | Yes | Yes
AT&T | Yes | Yes | Yes | Yes
Bitzer Mobile | Yes | Yes | Yes | Yes
BlackBerry | Yes | Yes | Yes | Yes
Citrix | Yes | Yes | Yes | Yes
Divide | Yes | Yes | Yes | Yes
Excitor | Yes | Yes (iOS) | Yes | -
Fiberlink Communications | Yes | Yes | Yes | Yes
Fixmo | Yes | Yes | Yes | Yes
Good Technology | Yes | Yes | Yes | Yes
LRW Technologies | Yes | Yes | Yes | Yes
MobileIron | Yes | Yes | Yes | Yes
Mocana | Yes | Planned | Yes | Yes
Moka5 | Yes | - | Yes | Yes
NitroDesk | Through Microsoft Exchange ActiveSync (EAS) or MDM command, or through a specially formatted text or email message | - | Yes | -
OpenPeak | Yes | Yes | Yes | Yes
SAP | Yes | Yes | Yes | Yes
Symantec | Yes | Yes | Yes | Yes
Thales | Yes | - | - | -
Verizon | Yes | Yes | - | Yes
VMware | Yes | iOS: Administrator notified on jailbreak and allowed to determine if wipe should occur; Android: Yes | Yes | Yes (Android)

Source: Gartner (January 2014)

Authorization

The authorization function determines whether the container should run on a mobile device based on the device's compliance with policy. Most often, the authorization function verifies that the device has not been jailbroken or rooted. A device that has been jailbroken or rooted has potentially been compromised at the most basic level within the OS, and therefore, malicious software may be installed that can examine memory or capture input from the user to the device. Therefore, most enterprises feel that a jailbroken or rooted device cannot be trusted.

Just about all container products perform some check to verify the integrity of the underlying OS. Container products that run as applications on a device look for indications of a compromised OS, since they cannot check the integrity of the OS directly without performing some type of jailbreak or rooting operation themselves. Vendors are extremely reluctant to discuss what they look for with any specificity.

VMware has taken a different approach on Android devices. VMware has worked with device manufacturers to embed kernel modifications into the Android OS on specific devices, and these added components are used to verify the integrity of the OS.

Embedding strong integrity checks into the OS itself is the best option for verifying OS integrity. Apple and BlackBerry have embedded such checks into iOS 7 and BlackBerry 10, respectively. However, even these checks may not prevent a device from being jailbroken by a user, as the recent evasi0n tool shows for iOS 7 (BlackBerry 10 had not been jailbroken as of the writing of this document). More information on the integrity checking in iOS 7 can be found in "Apple iOS 7 Architecture, Security and Management Capabilities." Samsung has added integrity checks to some of its devices through the Knox program. In the case of Samsung, the integrity checks use a hardware root of trust and a process that verifies the integrity of all components, beginning with the boot loader.

Secure Communication

Sensitive enterprise data is open to possible disclosure in transit to and from the mobile device. The use of encrypted communications can prevent eavesdropping and reduce the risk of man-in-the-middle attacks (if used with proper mutual authentication). Two aspects of secure communication should be provided by the managed information container: (1) communication of management traffic; and (2) communication of data.

All container products encrypt communication between the management system and the container application. The encryption is usually AES (through the use of Secure Sockets Layer/Transport Layer Security [SSL/TLS]).

Communication of data varies from product to product. Some products provide a gateway or connector function that is installed on the enterprise network. This device communicates with data repositories (such as email servers or SharePoint) and then encrypts the data files as they are transmitted to the container on the device. This encryption usually uses AES. Other products do not offer a gateway or connector, but rather, expect the container to communicate directly with the enterprise data repository. When this is the case, the enterprise must properly configure the repository to encrypt the communication.

Content Control

Enterprise information that resides on a device is open to use (or misuse) by the device user. The container provides separation between business and personal data and applications, and to keep them separate, the container must exercise some control over how the user uses the data. The primary concern is that an employee would copy sensitive data from within the container and paste it into an application outside of the container or otherwise transfer data from the container to other applications (for example, by launching an external viewer for a particular file). Once this happens, the enterprise loses control over the data, and the employee is free to email or otherwise send the data to anyone.

Container products exert control over the copy and paste function on the device, and over which applications can be used to open a file. At the very least, copying and pasting from the container to another application outside of the container is blocked. In some products, the policy is configurable. Copying and pasting can also be controlled from an application outside of the container to an application within the container. Again, some products make this a configurable policy option, whereas others block this action entirely. Generally, inside a container, information flow is not restricted.

Vendor Summaries

The following sections provide a short summary of managed information container and managed cooperative products. Container products provide email, calendar and contacts applications as part of the basic product. Container products may also include:

  • Secure browsers
  • Data viewers and editors for various file formats
  • A mechanism to link other applications to the container

Managed cooperative products include a mechanism to add security controls and management to an application, but generally do not include functions such as email, calendar and contacts in the base product.

AirWatch

In January 2014, AirWatch was acquired by VMware. AirWatch supports both iOS and Android with container products. For iOS, AirWatch has a separate container app, and it supports the iOS 7 application policies. On Android, a container app is available. AirWatch also supports Samsung Knox. Secure Content Locker is available as a separate product and provides file sharing and synchronization capabilities. SharePoint integration is also available. Both a wrapper and an SDK are provided to link apps to the AirWatch container. Apps linked to the container can make use of device features, but this is governed by policy. HTML5 Web applications are supported in both online and offline modes.

AT&T

AT&T Toggle is supported on iOS (6 and 7) and Android (2.3.x and 4.x). Toggle is a container app and is built on technology developed by OpenPeak. An application wrapper is available to link apps to the Toggle container. Wrapped applications can make use of all device features, if permitted by policy.

Bitzer Mobile

In November 2013, Bitzer Mobile was acquired by Oracle. Bitzer Enterprise Application Mobility (BEAM) is a container app available for iOS (6.x and 7) and Android (2.3 and above). Products for Windows Phone 8 and Windows 8 are in development and expected to be released in 2014. BEAM with m/Drive can be used to access files within enterprise file stores. An application wrapper is provided to link apps to the BEAM container. HTML5 is supported in both online and offline mode.

BlackBerry

BlackBerry Balance is an integral part of the BlackBerry 10 OS, and data segmentation is accomplished by designating business applications as part of a "workspace" on the device. For iOS (6 and 7) and Android (2.3 and 4.x), Secure Work Space is a container app. Secure Work Space is a BlackBerry Enterprise Service 10 (BES10) offering that is built with technology from OpenPeak. BES10 also has support for the iOS 7 application policies. A wrapper is available to link apps to the Secure Work Space container, and access to device features is available.

Citrix

Citrix XenMobile supports most enterprise mobile platforms. For iOS and Android, a suite of managed native applications is available:

  • WorxMail (for secure email)
  • WorxWeb (for secure browsing)
  • ShareFile (for file synchronization, sharing and editing)
  • GoToMeeting (for collaboration)
  • Podio (for social media)

ShareFile also supports BlackBerry and Windows Phone 8, as well as PCs and Macs. GoToMeeting is also supported on Windows Phone 8. A Type 1 hypervisor (XenClient) is available for Windows 7 and Windows 8, and a Type 2 hypervisor (DesktopPlayer) is available for Macs. VDI clients are available for all platforms as well. XenMobile supports the iOS 7 application policies, as well as Samsung Knox. In addition to providing file synchronization and sharing, ShareFile provides access to SharePoint. Both a wrapper and an SDK are provided to link apps to the XenMobile container. Apps linked to the container can make use of device features. HTML5 Web applications are supported in both online and offline modes.

Divide

Divide (formerly Enterproid) supports iOS and Android with container apps. Divide Files, a feature included in the container app, can create (if allowed by policy) a secure file system accessible only from the container app. On Android, Divide Files integrates with Box for remote file storage. A wrapper is provided to link apps to the Divide container. Apps linked to the container can make use of device features. HTML5 Web applications are supported in online mode.

Excitor

Excitor supports both iOS and Android with its DME container app. SharePoint integration is included in DME. DME supports HTML5 Web applications in both online and offline modes, and these applications can make use of device features.

Fiberlink Communications

In November 2013, IBM announced its intention to acquire Fiberlink. Fiberlink supports iOS, Android and Windows Phone 8 with its MaaS360 container product. For iOS, Fiberlink has a separate container app, and it supports the iOS 7 application policies. On Android and Windows Phone 8, a container app is available. Fiberlink also supports Samsung Knox. The Secure Productivity Suite (included in MaaS360) includes a Secure Document Sharing feature providing file sharing and synchronization capabilities. SharePoint integration is also available. Both a wrapper and an SDK are provided to link apps to the MaaS360 container. Apps linked to the container can make use of device features, but this is governed by policy. HTML5 Web applications are supported in both online and offline modes.

Fixmo

Fixmo supports both iOS and Android with its SafeZone container product. For both iOS and Android, Fixmo has a separate container app. Fixmo also supports Samsung Knox. Fixmo SafeZone includes a client for SharePoint, along with a server-side plug-in that enables file synchronization and sharing. An SDK is provided to link apps to the SafeZone container. Apps linked to the container can make use of device features. HTML5 Web applications are supported in both online and offline modes.

Good Technology

Good Technology supports iOS, Android and Windows Phone 8 with container products. For iOS and Android, the Good Collaboration Suite includes Good for Enterprise (email, calendar and contacts), Good Share (SharePoint access) and Good Connect (instant messaging). Good for Enterprise is supported on Windows Phone 8. Good Technology also supports the iOS 7 application policies. Good Share provides file sharing and synchronization capabilities, as well as SharePoint integration. A development environment (Good Dynamics) provides both a wrapper and an SDK to containerize applications. These apps can communicate with one another (and with Good for Enterprise) and can make use of device features. HTML5 Web applications are supported in online mode.

LRW Technologies

LRW supports both iOS and Android with its Hubcap container app. Hubcap includes a file manager that can be used to share files between a mobile device and a file server. SharePoint access is available via a third-party solution that resides inside the Hubcap app. An SDK is provided to link apps to the Hubcap container. Apps linked to the container can make use of device features. HTML5 Web applications are supported in both online and offline modes.

MobileIron

MobileIron supports both iOS and Android with container products. On both platforms, the container is made up of multiple components: MobileIron Secure Email (for email, calendar and contacts), Web@Work (secure browser) and Docs@Work (file storage and sharing). On Android, MobileIron offers three options for email: Divide's email, calendar and contacts app (secured with the MobileIron wrapper); NitroDesk's TouchDown; or Google's Email+. MobileIron supports the iOS 7 containerization APIs, as well as Samsung Knox. SharePoint access is available through Docs@Work. Both a wrapper and an SDK are provided to link apps to the MobileIron container. Apps linked to the container can make use of device features. HTML5 Web applications are supported in both online and offline modes.

Mocana

Mocana supports both iOS and Android with its Mobile Application Protection product. Mocana's product wraps applications to add security management capabilities and, therefore, fits the managed cooperative category. By using Mocana's secure mobile browser, enterprises can apply the same policies to Web applications (including HTML5 apps in offline mode). The use of device features is supported through the Mocana wrapper.

Moka5

Moka5 supports iOS with a container product. Moka5 LiveData includes a secure browser and a file viewing, editing and synchronization function. SharePoint support is included with Moka5 LiveData. On Windows 7, Windows 8 and OS X, the Moka5 desktop suite provides both Type 1 and Type 2 hypervisor options. HTML5 Web applications are supported in both offline and online modes on iOS, but are dependent on the browser for Windows 7, Windows 8 and OS X.

NitroDesk

NitroDesk supports iOS, Android, BlackBerry 10, Windows 8 and OS X with its TouchDown container app. TouchDown provides email, calendar, contacts and tasks, along with a file repository, on the iOS platform.

OpenPeak

OpenPeak supports both iOS and Android with its Advanced Device and Application Management (ADAM) container app. ADAM includes OpenShop for file sharing and content delivery. A wrapper is provided to link apps to the OpenPeak container. Apps linked to the container can make use of device features. HTML5 Web applications are supported in both online and offline modes.

SAP

SAP supports iOS, Android and Windows Phone with its SAP Mobile Secure products. SAP makes use of Mocana's Mobile Application Protection technology and, therefore, fits the managed cooperative category. The SAP Afaria MDM system manages Mocana-wrapped apps, as well as the iOS 7 application policies and Samsung Knox. SAP Mobile Documents is available for file synchronization and sharing on mobile devices with SharePoint integration.

Symantec

Symantec supports both iOS and Android with its Mobile Management Suite. Symantec's product wraps applications to add security management capabilities and, therefore, fits the managed cooperative category. In addition, a Symantec-branded version of NitroDesk's TouchDown product for email, calendar and contacts is provided. Management of TouchDown is through the Symantec console. Symantec also supports the iOS 7 application policies. The Symantec product can be used to wrap HTML5 applications. Both online and offline modes are supported. Applications wrapped by the Symantec product can access device features if allowed by policy.

Thales

Thales supports Android with its Teopad container product. Teopad uses "app proxyfication," which intercepts all calls from the app to the OS. This allows any app (commercial or internally developed) to be added to the container via the Teopad management system and its private app store. The process to add apps to the container does not require wrapping or the use of an SDK. Apps linked to the container can make use of device features. HTML5 Web applications are supported in both online and offline modes, assuming a browser supporting HTML5 is deployed via the Teopad management system.

Verizon

Verizon supports both iOS and Android with its Enterprise Mobility as a Service product. Verizon's product is based on technology from Divide. A wrapper is provided to link apps to the Verizon container. Apps linked to the container can make use of device features. HTML5 Web applications are supported in both online and offline modes.

VMware

VMware supports both iOS and Android with its Horizon Workspace container products. For iOS, VMware manages the device and applications via the iOS 7 APIs. On Android, VMware provides a Type 2 hypervisor. Horizon Files provides a mechanism to share and synchronize files across both iOS and Android devices. No modification is needed to link iOS 7 apps to the container; they only need to be deployed through the Horizon management system. The same is true for Android: any Android app can be deployed to the Horizon Workspace via the management system. iOS apps have access to all device features, but on Android, apps do not have access to anything outside the container.
