As the EMM market continues to grow and mature at breakneck speed, one challenge that’s been consistent is the desire of organizations to find an acceptable Bring Your Own Device (BYOD) deployment model.

To be effective, it has to be acceptable for IT AND for the end-user (Figure 1).

Finding an EMM solution that provides equal parts security for IT and experience for the end-user can be difficult. And, unfortunately for the end-user, corporate security mandates are often non-negotiable. Security wins and experience suffers.

Today, I’m going to play matchmaker by suggesting a BYOD deployment model that will get a thumbs up from both sides of the fence.

Let’s start by identifying some of the main concerns from both sides:

End-User Concerns: End-user concerns with BYOD primarily revolve around issues of privacy. Why should I let IT manage my personally owned device? What can IT see on my device?

IT Concerns: IT concerns with BYOD primarily revolve around security. There is no room for error; a data breach could very well cost them their jobs.

So, it sounds like the ideal scenario would be to deliver maximum security to a personally owned device that doesn’t need to run a Mobile Device Management (MDM) agent. That’s a tall order!

Before we dive deeper into the problem, let’s go over some basic EMM factoids that will bring us all to the same starting point.

  • EMM is a stack of technologies that includes MDM, Mobile App Management (MAM), Data/Content Management, Productivity Apps and a Secure Mobile Gateway.
  • MDM requires an agent to run on the mobile device which allows IT to manage the device.
  • MAM applies security policies to the application rather than the device.
  • Most MAM relies on the device operating system to provide application security (MDM + MAM). Translation: even with MAM, you still need an MDM agent on the device.

Now that we’ve got a baseline of information to start from, let’s take a look at what makes XenMobile different from the others.

Remember that tall order I mentioned earlier? Maximum security without requiring the device to be enrolled in MDM. XenMobile can deliver that today. We call it the MAM-only approach to BYOD; there’s no MDM in the equation.

XenMobile regularly receives industry recognition for our MAM offering. XenMobile provides almost 50 MAM-only security policies that can be applied to mobile applications completely independent of the MDM technology layer.

In addition to the large library of MAM-only policies, XenMobile is the only EMM vendor to offer micro-VPN connectivity. Micro-VPN means each application has its own VPN tunnel back to corporate resources. There’s no intermingling of application data and no requirement for multiple apps to share the same VPN tunnel (Figure 2). More importantly, there’s no dependency on device-level VPNs that would require MDM to be managed and enforced.

In a recent review of XenMobile Cloud customer deployments, we found that over 80% had implemented the passcode enforcement MDM policy, making it far and away the most popular and common MDM policy. In fact, there are quite a few deployments in which passcode enforcement is the only MDM policy applied to the device. This is an MDM policy because it requires IT to actually have management and control of the device. So naturally, a MAM-only solution would not be able to enforce a device-level passcode, but XenMobile has found a way!

XenMobile has a MAM-only MDX policy that will check for a device passcode during the user authentication process. If no passcode is present, the app won’t launch. Additionally, an action can be taken that will notify the user to turn on the device passcode to gain access to Worx Home. All of this can be done, you guessed it, with no MDM client. The figure below shows what this policy looks like on the XenMobile management console. It’s as simple as flipping a switch.


The ability to enforce device passcode without having to use MDM ensures that device-level encryption is always turned on.

Here’s what the end-user will see if they try to authenticate without the device passcode being enabled.


XenMobile MAM-only deployment options deliver all of the security without sacrificing the end-user experience. A winning combination for everyone!

MAM-Only is just one of many ways that XenMobile beats the competition. If you are at VMworld, stop by booth #527, share what you just learned, build your own mini-me using Lego mini figs … and see the BYODifference that only XenMobile can provide.