The MDM-Only Dilemma: Why is it a problem?

Mobile Device Management (MDM) was developed about a decade ago – two decades ago if you go back to the Blackberry days.

During this time, MobileIron, AirWatch and a few others embarked on the MDM policy juggernaut, adding scores of mobile device security and control policies regardless of whether they would be used or if they were needed. Innovation was slow, limited and dictated by the mobile OS vendors (namely Apple and Google) that provided the necessary APIs.

Today, every MDM vendor – including Citrix – uses these same well-documented Apple and Google APIs to provide security at the device level.

For example, Citrix fully supports Apple’s original guidelines under the Managed App Configuration, which documents the configuration and security features that mobile device management (MDM) vendors can use to secure apps as part of managing the device. And therein lies the challenge: MDM-only solutions (from MobileIron, AirWatch, IBM, et al.) control the entire device and everything on it – so, not just work stuff, but personal stuff as well. Enterprise IT has to protect the entire device attack surface from threats, and employees have to surrender their phones and tablets.

Imagine a BYO (bring-your-own) device program that sounds wonderful – use whatever device you wish for your personal use (emails, tasks, photos, Facebook, the usual) and, hey, guess what! You can also get your company email, calendar, contacts, and mobile apps. But there’s a big catch.

Employees have to “enroll” their devices with IT, which is a nice way of saying that your IT department can now control, see and wipe everything on your device (including your personal apps, photos, emails, social apps and so on in some cases). Who wants that? It’s like a BYO program for your laptop, but you have to “join the IT domain” where you’re required to run a bunch of stuff on your personal laptop. Been there, hate that, I’ll pass.

MAM and the approach for ‘Protect What Matters’

Something entirely new came along after MDM, and it was called Mobile Application Management (MAM). MAM operated at the higher app layer, and suddenly customer interest and success were reborn. Now IT can focus on “protecting what matters” – that is, securing business apps and data, and not the entire device.

Don’t get me wrong. There are many scenarios for which customers want to add MDM for device security (e.g. task-based workers sharing devices), but we believe it must be optional and not a hard requirement. The EMM vendors that win in the long run are the ones that can offer the flexibility of MAM-only, MAM-MDM hybrid, and MDM-only solutions, so that each user community within an enterprise gets the right fit.

Here’s what’s also cool with MAM. IT can control business data: for example, whether cut-and-paste is enabled or prevented between apps, how business apps use device cameras so that photos stay within the container and not in the user’s personal “camera roll,” SSO between apps, etc. My personal favorite is MAM-only data encryption, meaning that device PINs (which are often known or guessed accurately by friends or relatives) are not enough to open and use business apps.


MCM and Data Security

But wait, there’s more. Data is tough and, unlike apps, it actually leaves the user device and can live anywhere. Shrewdly, industry analysts that cover EMM are now adding Mobile Content Management (MCM) or Enterprise File Sync and Share (EFSS) requirements as a must-have in the EMM solution stack. Enterprises need to control file access (who can access what), file storage (can they save to the cloud or only to their datacenters), and file sharing (easy yet secure sharing with only the right people).

Citrix is way ahead of the game by including Citrix ShareFile within XenMobile. And not just packaging, but deep integration for attaching files to emails, seamless access to network shares, SharePoint, cloud drives, and other data repositories, and controlling where everything is stored – cloud or on-premises. With ShareFile, only Citrix provides an EFSS market leader within their EMM solution offering.

True App-Layer VPN

So, what’s still missing? MAM innovation and BYO solution fabulousness – check. Flexibility to have MDM as an option which requires device enrollment – check. MCM integration – check. Ah, how about end-to-end security through a network gateway? You can’t have a mobility solution without being able to access enterprise resources like directory services, mail servers, intranet sites, SharePoint, network drives and so on. You need a network gateway that can do the following:

  • Confidently scale to tens-of-thousands of concurrent connections
  • Run on a secure virtual or physical Linux-based appliance (no Windows please)
  • Easily configure High Availability (HA) pairs and arrays
  • Integrate with EMM solutions for advanced security policy controls
  • Seamlessly provide SSO capabilities for enhanced user experience
  • And most importantly, work at the app-layer for true MAM-only (non-enrollment) solutions

Let me explain this last bullet, as it’s really important. Many EMM vendors today claim “per-app VPN” capability. That is exactly what it means: that you can configure which apps can and can’t use the device’s VPN. A simple MDM policy.

XenMobile offers a highly differentiated “app-layer VPN,” which we call “micro-VPN.” It does not use the device VPN. In other words, for a MAM-only solution that’s securing the business apps and data that matter, there is no need to configure a VPN on the mobile device! Each app establishes a micro-VPN tunnel as needed (e.g. mail will establish one tunnel to Exchange and another to SharePoint for a file attachment) and when the app is closed, the tunnels are removed.

As any security pro can tell you, reducing the attack surface is key. With XenMobile and micro-VPN, IT can also configure specific apps to use different network gateways; for example, if you want specific apps to require special MFA (multi-factor authentication) access control.

Again, Citrix is way ahead of the game by integrating and bundling Citrix NetScaler with XenMobile. And this is not just simple packaging, but deep integration with out of the box true app-layer VPNs and policy controls. With NetScaler, only Citrix can provide an ADC market leader within their EMM solution offering.

Did Anyone Say Workspaces?

Citrix practically invented the terms “mobile workspace” and “mobile workstyles” a few years ago. I know, I was there. It’s interesting to see others finally adopting these terms; a big thank you for following our thought leadership. It is what’s best for customers who are looking for complete solutions that securely deliver any app to any device with full end-to-end security of information across all environments.

XenApp, XenDesktop, XenServer, XenMobile, ShareFile, NetScaler — the industry’s most comprehensive “workspace solution” on the market — is available in one composite bundle and price within the Citrix Workspace Suite for on-premise deployments and within the Citrix Workspace Cloud as an integrated suite.

We can all agree, I think, that it’s best to know where the market is headed rather than where it has been.

As you evaluate options to support your mobile initiatives and modernize your business, I encourage you to score and measure the different vendors based on the completeness of their current offerings, their product strategy and future direction and how well that product direction matches the vision for your business and technology strategy.
