Bring your own device (BYOD) continues to grow as a preferred option for enterprise device programs.

Users benefit from being able to use the device of their choice while avoiding the hassle that comes with lugging around two sets of devices, one for work and one personal. A recent study by Gartner, we feel, validates the notion that workers are generally more satisfied working from personally owned devices (Graphic Source 1).

One of the greatest challenges BYOD creates for the Enterprise is striking the delicate balance between adequate security and personal privacy. In general, typical end users don’t feel very comfortable with an “agent” residing on their personally owned devices. It’s quite common for IT to offer little or no guidance on what agents can see and do on an employee’s device.

Concern for personal privacy is real. In fact, I know a number of people who forgo their company BYOD programs and opt for a corporate-issued device instead. To them, keeping things separate feels safer.

Enter XenMobile

The architecture of Citrix XenMobile Unified Endpoint Management is unique in that it includes separate, independent layers for Mobile Device Management (MDM) and Mobile Application Management (MAM). This means that XenMobile MAM can run on its own without requiring an MDM agent. With most UEM vendors, an MDM agent is still required for MAM to work.

Sounds good, right? XenMobile can apply a complete library of over 70 security policies to the managed applications ONLY, leaving the device alone and the end-user’s sense of personal privacy intact.

Everybody wins. IT gets the security they require and the end-user can relax, knowing that IT can only see and manage applications provided/published by the business.

We call this solution the XenMobile “MAM-only” approach.

Enforce passcodes without MDM

Far and away the #1 MDM policy almost every company wants to enforce is Device Passcode. A lost or stolen device with no passcode can be a company’s worst nightmare.

With “MAM-only” from XenMobile, does that mean IT can’t enforce this most basic MDM policy? Great news! Citrix has a special way of enforcing the device passcode MDM policy without actually having MDM!

Here’s how it works. Using MAM, XenMobile can check to see if the device has a passcode set. If not, the managed application won’t launch and the user will get a notification telling him to set the passcode. This is the message a user would see:

Here is the MAM policy, as it is found in the XenMobile console.

Once the passcode is set, the application will launch.

That’s a pretty cool way to enforce a passcode without actually using MDM! Wouldn’t you agree?

XenMobile also shines when it comes to MAM security. On top of standard device-level encryption, XenMobile adds an additional layer of FIPS-120-compliant app-level encryption for each individual application container.

Finally, it’s quite common for Enterprises to use multiple MAM solutions to meet their end-user requirements. XenMobile provides an integrated solution with Microsoft EMS/Intune for application security for Office 365. Admins can apply Intune App Protection policies directly from the XenMobile console without having to toggle between multiple management platforms.

For more information please check out the XenMobile Security Whitepaper on

To learn more about XenMobile Unified Endpoint Management and BYOD security, please stop by the Citrix Booth at RSA this week in San Francisco. You can find us in the South Expo Hall at Booth #1515.

1 Gartner: Managed Workplace Services Will Transform End-User Outsourcing to Enable Digital Business Transformation, Daniel Barros, Helen Huntly, Karen A. Hobert, February 26, 2018.