Best BYOD management: Work zones for smartphones

Emerging containerization technologies create a separate, protected workspace on employees' personal smartphones.

New containerization technologies can help BYOD initiatives succeed by creating separate spaces on smartphones for work and personal use.

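Anthony Perkins wants employees at BNY Mellon to bring in their personal smartphones and use them instead of company-issued BlackBerries to access corporate email, applications and data.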

But there's a catch: Not all employees are comfortable with the prospect of having their personal phones locked down and controlled as tightly as the BlackBerries that Perkins would like to phase out. That's where the notion of containerization comes in.

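A bring-your-own-device (BYOD) policy is good business, says Perkins, CIO for BNY Mellon's wealth management business. It reduces the time and expense involved in maintaining and managing company-owned BlackBerries. "We want to be in the business of managing software, not hardware. In the RIM world, you manage the hardware," he says, referring to BlackBerry maker Research In Motion.

The downside is that today's popular mobile devices were developed for the consumer market, and third-party management tools don't offer the same degree of control over user devices that RIM systems have over BlackBerries. RIM designed and controls the BlackBerry client architecture and has been especially responsive to the needs of corporate customers.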

Because corporate apps and data are often mixed in with the user's personal content, mobile device management (MDM) tools tend to be very strict when it comes to managing corporate resources on users' phones. Usage policies often apply to the entire device, covering both personal and professional apps and data. Users may not be willing to give up control of their personal phones in exchange for the privilege of using them for business.

To get around such user resistance, Perkins is turning to containerization, an emerging class of management technology that carves out a separate, encrypted zone on the user's smartphone within which some corporate apps and data can reside. Under such an arrangement, policy controls apply only to what's in the container, rather than to the entire device.

Containerization tools are typically complementary to MDM software, and an increasing number of MDM vendors are incorporating containerization functionality.

But as great as containment is for safeguarding corporate data, it doesn't necessarily prevent personal data from being lost in a wipe by the IT department if a phone is lost or stolen. Some IT shops recognize that some users may not know how to properly back up their personal data and apps and are helping them set up backup systems.

Ryan Terry, division CIO and chief security officer at University Hospitals Health System in Shaker Heights, Ohio, turned to containerization because he sees the use of traditional MDM tools to control the entire device as a liability issue. The hospital needs to have apps or data delivered securely to clinicians without interfering with the users' ability to access their personal apps and data. "We can't afford to delete things of a personal nature or impede their ability to use their personal asset," he says.

Alex Yohn, assistant director of technology at West Virginia University, is also wary. "I don't want my guys doing settings on the personal side that could come back to haunt us," such as accidentally deleting data or making configuration changes that affect how the users' personal apps run, he says.

For companies in highly regulated industries that need strong security policies and face strict regulatory compliance requirements, containerization can be especially helpful in making the BYOD experience more palatable for users, IT leaders say.

Choose Your Container

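Vendors offer, in essence, three different approaches to containerization: creating an encrypted space, or folder, into which applications and data can be placed; creating a protective "app wrapper" that forms a secure bubble around each corporate application and its associated data; and using mobile hypervisors, which create an entire virtual mobile phone on the user's device that is strictly for business use.

All of these approaches offer more granular control over corporate applications and data on users' devices than whatever security comes standard with smartphones currently. And with containerization, users aren't limited to using devices on an approved list of smartphones that have been certified and tested by IT, because corporate apps and data reside inside a secure, encrypted shell.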

However, the need to switch back and forth between the business and personal environments may be perceived as inconvenient and affect overall user satisfaction, says Phillip Redman, an analyst at Gartner.

Neither Apple nor Google offers containerization technology, and neither would comment for this story, but each company did point out some resources that might be helpful (see sidebar, below).

Encrypted Folders

The most mature containerization approach is the use of an encrypted, folder-based container, Redman explains. AirWatch has such an offering, and Good Technology is an early market in sales to organizations that have adopted containerization enterprisewide, particularly within regulated industries.

For basic mobile access, BNY Mellon uses Good for Enterprise to create an encrypted space on smartphones within which users can run Good's email and calendar client and use a secured browser. "It's a secure container with an app that can send and receive corporate email that's encrypted," says Perkins. All communications are routed through Good's network operations center, which authenticates mobile users.

Good has been offering its basic email and calendaring tools for several years. Late last year, it added the capability for other apps to run within its protected space using the Good Dynamics Platform, but each app must be modified to run in Good's proprietary environment. So far, about a dozen commercial apps are available, including QuickOffice, which is typically used for reading and editing downloaded Microsoft Office file attachments.

Perkins is using Good only for email and calendar -- the "killer apps" for most employees, he says -- and accessing internal, browser-based apps using Good's browser.

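For users who need full access to the corporate network, SharePoint and other services, BNY Mellon uses Fiberlink's MaaS360, a cloud-based MDM system that can take full control of the user's device. MaaS360 monitors what gets written to and from the operating system, and blocks access to certain personal apps, such as Yahoo Mail and Gmail, when the device is accessing corporate resources.

"When it's on our network, we own it and control it," Perkins says. When the device is used in personal mode, the individual controls which apps can be used.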

Vendor Perspective

Where Apple and Google Stand on Mobile Device Management

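Spokesmen for Apple and Google would not comment for attribution in this story, but both pointed Computerworld to resources that might be helpful and offered clarifications by email.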

Google

Google Apps for Business, Government and Education administrators can use the Google Apps Control Panel to manage end users' Android, iOS and Windows Mobile devices at the system level. The panel allows the device to sync with Google Apps, encrypts data and configures password settings.

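Another tool, called Google Apps Device Policy, enforces security policies such as device encryption and strong passwords, and can also locate, lock and wipe a device. It can also block use of the camera and enforce email retention policies. However, it doesn't support partial wipes of just corporate data.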

MDM vendors can use Google's Android Device Administration API to provide similar controls outside of Google Apps.

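As for Google's position on the use of containerization/app-wrapping technologies that require access to an app's binary to create a policy wrapper around a specific enterprise app, Google doesn't offer such tools itself and declined to comment further.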

Apple

Apple says it supports third-party MDM tools. It allows MDM servers to manage in-house apps and third-party apps from the App Store and supports the removal of any or all apps and data managed by the MDM server.

In practice, however, MDM servers are limited. While most tools allow for selective deleting or blocking of specific enterprise apps, there's no automated way to identify and erase all of the associated data. "No IT manager can sit around and go through thousands of files that may be on each user's phone," says Phillip Redman, an analyst at Gartner.

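As for Apple's position on the use of containerization/app-wrapping technologies that require access to an app's binary to create a policy wrapper around enterprise-specific apps, Apple doesn't offer such tools itself and declined to comment.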

-Robert L. Mitchell

What's more, BNY Mellon may wipe devices -- including all personal apps and data -- that are lost or stolen, although MaaS360 and most other major MDM tools do allow selective wipes. Citing security concerns, Perkins declined to say how many times the company has had to wipe phones.

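By contrast, only the corporate container needs to be wiped from lost or stolen devices that just have email and calendar access through Good Technology.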

App Wrapping

A newer, more granular approach is to enclose individual apps in their own encrypted policy wrappers, or containers. This allows administrators to tailor policies to each app. The market for tools that support app wrapping is dominated by small vendors with proprietary products, including Mocana, Bitzer Mobile, OpenPeak and Nukona (which was recently acquired by Symantec).

For its part, RIM is adding this capability to its BlackBerry Mobile Fusion MDM software. (Mobile Fusion works with Android and iPhone devices in addition to BlackBerries.) Peter Devenyi, senior vice president of enterprise software at RIM, says the company's offering will be "a containerized solution where one can wrap an application without the need to modify source code so you can run it as a corporate application and manage it as a corporate asset."

With app-wrapping tools, "you can put together a pretty complete, fully wrapped productivity suite that's encrypted and controllable," says Jeff Fugitt, vice president of marketing at mobile integrator Vox Mobile. But the technology has not been widely adopted.

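Forrester analyst Christian Kane describes app wrapping as an "app-level VPN" that lets administrators set policies to determine what the app can interact with on the user's device or on the network, and what access the app has to back-end resources. It also allows for remote wiping of the container, including the app and any associated data.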

"Application wrapping is not mature," and the existence of competing architectures in this nascent market is holding back growth, says Gartner's Redman. But, he adds, app wrapping will eventually be more widely adopted when the technology is integrated into the larger and more established MDM platforms.

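The downside of app wrapping is that each app must be modified, which means administrators need access to the app's binary code. That means some apps that come preinstalled on Android or iOS phones may not be supported. In addition, app wrapping works more smoothly with Android devices than with iOS because of the problem of obtaining the binary code for apps sold through Apple's App Store. For that reason, wrapping tools often don't work with iPhone apps. For example, Mocana's Mobile App Protection product doesn't support the email client on the iPhone -- or other built-in apps, for that matter.

Users can access the binary code of free iOS apps, but for apps that must be purchased from the App Store, it takes an agreement to buy directly from the vendor and bypass Apple's store.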

Apple currently turns a blind eye to users who employ app wrapping or change apps bought from its App Store, "but by their rules, you're not supposed to do that," says Redman. "They could clamp down and not allow that, although so far they haven't." Apple declined to comment.

Future Watch

Cloud-based MDM Services on the Horizon

Mobile device management typically involves installing agent software on each user's device and setting up a server-based management console. Don't want to do it yourself? Service providers that help IT manage mobile devices and software are plentiful.

For example, integrator Vox Mobile offers a "managed mobility" service that includes comprehensive monitoring and reporting, Fiberlink offers MaaS360 for corporate email and documents, and mobile carrier AT&T introduced its cloud-based Toggle mobile management service last year.

With Toggle, AT&T installs a "work container" on each smartphone, which the user logs in to with a password. Administrators can then manage container policies by way of a cloud-based portal and app store called Toggle Hub. In the third quarter, AT&T plans to add the ability to run antivirus scans on all managed devices, as well as the ability to lock or wipe the container.

"More and more of this will move into the cloud. But today, it's still a small percentage," says Phillip Redman, an analyst at Gartner.

"Where this is leading is dual data plans on the same device," says Mobeen Khan, executive director of advanced mobility solutions at AT&T. "You will have a phone number for the container and one for your personal device."
