
G00247134

Technology Overview of Mobile Application Containers for Enterprise Data Management and Security

Published: 24 January 2013

Analyst(s): Phillip Redman

As mobile device and network technologies advance, users need access to more complex data, often on devices the enterprise doesn't own. IT and network leaders must understand how containerization now supports the advanced security and management of enterprise and third-party applications and data.

Key Findings

■ With support for new platforms and apps, containers are an emerging technology that can support managing and securing enterprise data on mobile devices with a closed (proprietary) file system.

■ Organizations can choose from various containers and container technologies, based on which mobile OS platform can be supported and which technology works best for them. Companies should make these decisions based on their required security levels and other policies.

■ The mobile container market is still emerging, with no standards or definitive technology leader. The technology is important because the unique architecture of proprietary mobile device file systems prohibits a single app from controlling systemwide management and security functions.

■ Virtual containers are new, and are not often sold independently from desktop virtualization systems.

Recommendations

■ Assess the use of containers for sensitive enterprise data and content supported on mobile devices, and create use cases based on employee profiles.

■ Develop user and data requirements before implementing containers, even though many policies can be supported, and assess your strategies for desktop and mobile virtualization when considering a mobile virtual container.


■ Assess the technical, financial and organizational viability of any container company, because this is still an emerging technology.

■ Test the impact of dual-persona-style container uses on the user experience.

Table of Contents

Strategic Planning Assumption............................................................................................................... 2

What You Need to Know........................................................................................................................2

Analysis..................................................................................................................................................3

Technology Description.................................................................................................................... 3

Technology Definition....................................................................................................................... 5

Operating Requirements...................................................................................................................6

Uses.................................................................................................................................................6

Selection Guidelines......................................................................................................................... 7

Technology Providers....................................................................................................................... 8

Recommended Reading.......................................................................................................................11

List of Tables

Table 1. Example Policies That Can Be Enforced by Mobile Containers................................................ 4

Table 2. Major Container Vendors and the Features They Support......................................................... 9

Strategic Planning Assumption

By 2017, 70% of enterprises will support at least two different types of containers from the same provider.

What You Need to Know

As mobile smartphones and tablets become predominant and as network technology speeds keep increasing from kilobits to megabits per second, users can access more complex data beyond email. Enterprises want solutions to manage and maintain the security of enterprise data on their users' devices — both trusted and untrusted. Enterprises should assess their mobile strategies, and should include the use of the emerging capability of containerization to support the advanced security and management of enterprise and third-party applications and the data they contain on non-Windows x86 mobile platforms.

Page 2 of 12 Gartner, Inc. | G00247134


Analysis

As mobile devices and network technologies advance, users need access to more complex data beyond just email. Enterprises seek solutions to manage and secure enterprise data on their users' devices. This often occurs as a result of the bring your own device (BYOD) trend of devices enterprises do not own. Containerization, a still-emerging capability, is now able to support the advanced security and management of enterprise and third-party applications and the data they contain. This report covers the container strategy for closed file system devices, which include iOS, Android, Windows Phone 8 and Windows RT.

Technology Description

Today's mobile platforms consist of two basic file system philosophies: open file systems (Windows on x86) and closed file systems (iOS, Android, Windows Phone 8, BlackBerry 10 and Windows RT). Closed file systems do not permit applications to write to files owned by other applications. Any application that intends to manage or back up the entire device image is a violation of the closed architecture. Because traditional PC management tools cannot be used on closed architectures, two types of solutions have emerged to provide management of these platforms: policy managers (mobile device management [MDM]) and containers. MDM constrains user actions and enforces corporate policies. Containers go deeper into adding policies specifically to enterprise and third-party applications. They also can create a separate workspace for enterprise data, often referred to as a second or dual persona.

Mobile containerization is the ability to partition, manage and secure data locally or virtually on a mobile device. Any application can be containerized, and a secure workspace can be designed for enterprise use, following corporate policies administered by a management tool. Although the primary effort is to prevent enterprise data loss on mobile devices, containers also can promote efficiency and operations for mobile users with increased management and remote support. Container app policies are still emerging, but various options are available, from adding the same policy to each app, to each app having its own policy. Allowing apps to communicate with each other for single sign-on or data sharing also is becoming available. Some containers will eventually allow telecom service providers to split their billing between personal and business usage.

Container policies vary by type of container and vendor. Table 1 shows an extensive list of policies that can be enforced by mobile containers.


Table 1. Example Policies That Can Be Enforced by Mobile Containers

Authentication
■ User-based
■ Virtual private network (VPN) policies
■ Maximum failed passwords
■ Password strength
■ Lock time
■ Secure tunneling (no VPN)
■ Single sign-on

Network Permissions
■ Allow network communications from device
■ Force all HTTP communications to HTTPS
■ Specify domains
■ Apply Wi-Fi access rule
■ Geofencing

Data Storage
■ External secure SD card (read)
■ External secure SD card (write)

Data Policies
■ Cut, copy and paste restrictions, sharing documents via email or social network
■ Wipe — full and selective
■ Data edit
■ Attachment openings
■ Encryption level
■ Display of personal data in business mode
■ Screen shot prevention
■ Time-based delete

Application Feature
■ Application idle timeout (minutes)
■ Application expiry date (MM/DD/YYYY)
■ Restrict application usage to business hours
■ Restrict application usage during business off days
■ Application compliance
■ Home screen policies
■ App management
■ Internet site blocking/filtering
■ Home page management
■ Email policies
■ Blocking by device compliance rules
■ Inactivity timeout
■ App policy updates
■ Time-based delete

Phone Feature
■ Allow SMS usage within the application
■ Allowed phone numbers
■ Allow email usage within the application
■ Allowed email IDs
■ Allow phone dialing
■ Allowed phone numbers
■ Allow camera access within the application
■ Number ID restrictions

Source: Gartner (January 2013)


Technology Definition

There isn't just one technology to consider when it comes to mobile containers. From an app development perspective, there are three main types of mobile container technologies:

■ Application-Neutral (also known as application wrapping) — This adds policy outside the application logic. Code is added to an application binary that will allow the enforcement and management of mobile policies. The code is injected by running an app in a software tool that automatically encapsulates the binary and applies the policy. This takes a very short period of time — usually less than two minutes — to do. Policies may be controlled dynamically, usually through communications with a central server as part of an MDM tool. If apps are not connected to the network, their policies are fixed and can't be changed/updated until they are reconnected.

■ Application-Specific — The ability to create a specific container application to host data or provide a software development kit (SDK) to load policies within the application logic by building in proprietary APIs to a native application that will allow the enforcement and management of mobile policies. The policies are then managed by an administrative tool, which usually is part of the MDM system.

■ Virtual — This technology has three different types. The first is based on desktop virtualization, and extends a similar virtual ability onto mobile devices. The second and third use Type 1 and Type 2 hypervisors to support containers (see "An Update on Mobile Virtualization and Trusted Environments"):

    ■ Mobile Virtual Desktop Infrastructure (VDI)/Hybrid Mobile VDI — Similar to server-hosted desktop virtualization, this supports virtualization on mobile devices where the application runs and data is stored remotely on a server, not the endpoint. The use of a hybrid (meaning online and offline content) VDI system allows for offline content data stores in a secure container.

    ■ Hypervisor Type 1 — This is the ability to run a virtual machine (VM) on mobile devices. Type 1 runs directly on the host's hardware, and can run multiple OSs simultaneously. Type 1 hypervisors must be installed by the device manufacturer, and have limited availability across all mobile device platforms. Because of the limited models of devices available with Type 1 hypervisors, and because most industries don't need this level of security, the technology is not covered in detail in this research. The policies supported would be the same, however, although the separation between the phone systems adds a layer of protection.

    ■ Hypervisor Type 2 — This is the ability to run a VM on mobile devices. Type 2 runs on top of an OS. This is more of a software VM. Depending on the OS version, type and vendor, a Type 2 hypervisor may be installed after a device has shipped. This will make it much easier to use this technology on mobile devices.
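The wrapped-app behaviour described under Application-Neutral (a policy cached from the central server that stays fixed while the app is offline and is replaced on reconnection) and a few of the Table 1 policy types (maximum failed passwords, application idle timeout, application expiry date, business-hours restriction), shown together in an added Python example that is not code from the report or from any vendor product; the ContainerPolicy and WrappedApp classes, the policy values and the clock are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date, datetime, time, timedelta


@dataclass
class ContainerPolicy:
    """A subset of the Table 1 policy types; the default values are constructed."""
    max_failed_passwords: int = 5
    idle_timeout_minutes: int = 15
    expiry_date: date = None             # "Application expiry date", None = never
    business_hours: tuple = None         # (start, end) as time objects, None = any


class WrappedApp:
    """Enforcement shim of the kind an app wrapper injects around an app binary."""
    def __init__(self, initial_policy: ContainerPolicy):
        self.policy = initial_policy        # cached copy of the last server push
        self.failed_logins = 0
        self.locked = False
        self.last_activity = None           # datetime of the last allowed action

    def sync(self, server_policy: ContainerPolicy, online: bool) -> ContainerPolicy:
        """Refresh policy from the management server; offline, the cache stays fixed."""
        if online:
            self.policy = server_policy
        return self.policy

    def login(self, password_ok: bool, now: datetime) -> bool:
        if self.locked:
            return False
        if not password_ok:
            self.failed_logins += 1
            if self.failed_logins >= self.policy.max_failed_passwords:
                self.locked = True          # maximum-failed-passwords policy
            return False
        self.failed_logins = 0
        self.last_activity = now
        return True

    def check_access(self, now: datetime) -> tuple:
        """Decide whether a sensitive action inside the container is allowed at `now`."""
        p = self.policy
        if self.locked or self.last_activity is None:
            return False, "not authenticated"
        if p.expiry_date is not None and now.date() > p.expiry_date:
            return False, "application expired"
        if p.business_hours is not None:
            start, end = p.business_hours
            if not start <= now.time() <= end:
                return False, "outside business hours"
        if now - self.last_activity > timedelta(minutes=p.idle_timeout_minutes):
            self.last_activity = None       # idle timeout: force re-authentication
            return False, "idle timeout"
        self.last_activity = now
        return True, "ok"


def demo() -> dict:
    """Run constructed scenarios and return every decision for inspection."""
    strict = ContainerPolicy(max_failed_passwords=3, idle_timeout_minutes=10,
                             expiry_date=date(2013, 12, 31),
                             business_hours=(time(8, 0), time(18, 0)))
    app = WrappedApp(ContainerPolicy())      # ships with the default policy
    app.sync(strict, online=False)           # offline: the cached default stays
    offline_timeout = app.policy.idle_timeout_minutes
    app.sync(strict, online=True)            # reconnected: strict policy applied
    t0 = datetime(2013, 1, 24, 9, 0)         # constructed clock, inside business hours
    app.login(True, t0)
    results = {
        "offline_timeout": offline_timeout,
        "online_timeout": app.policy.idle_timeout_minutes,
        "in_hours": app.check_access(t0 + timedelta(minutes=5)),
        "after_hours": app.check_access(datetime(2013, 1, 24, 20, 0)),
        "idle": app.check_access(t0 + timedelta(minutes=30)),
    }
    app.login(True, datetime(2014, 1, 2, 9, 0))
    results["expired"] = app.check_access(datetime(2014, 1, 2, 9, 1))
    locked_app = WrappedApp(strict)
    for _ in range(3):
        locked_app.login(False, t0)
    results["locked"] = not locked_app.login(True, t0)
    return results
```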


Operating Requirements

The challenge with any applications or services on mobile devices is that there is no standard. There are numerous different platforms (mobile OSs), each with its own capabilities to support applications, and to enforce policies around the applications. Some OS providers, such as Apple and Microsoft, limit what can be supported on policies, and don't always offer the strongest solutions for the enterprise, their reasoning being to offer the best consumer experience.

For example, iOS restrictions on background processing (multitasking) prohibit real-time agents and third-party applications that need to run continuously. This makes it impossible to enforce policy in the background on iOS devices. Apple also does not allow native applications to run inside native applications. Rather than containing multiple applications in a single location, each iOS app must have its own rules built in. Thus, the dual persona — the ability to have two distinct workspaces, one for personal, one for business — is not available on iOS products. However, Web-based apps can run inside a container app on iOS, which is one way to design a dual-persona capability. As a result, containers can work on iOS devices, but separate workspaces are not yet possible.

These issues are the antithesis of Android-based devices, which allow multitasking and dual personas. However, there are still many different versions of the Android OS, and versions generally under 4.0 have their own security and capability limitations based on policy enforcement and native encryption availability. Gartner recommends restricting enterprise mobile devices to Android 4.0 and above for container options.

Research In Motion (RIM) will support its own container on BlackBerry 10 devices in 2013, updating its BlackBerry Balance capabilities. Since Windows Phone 8 was recently launched, only mobile VDI containers are currently supported, with other container types to follow later in 2013.

Mobile hypervisors also have limitations based on the OS. Apple does not allow hypervisors on its mobile devices, so this container technology is not available on iOS. Gartner does not see this changing in the immediate planning horizon. However, hypervisors are available for Android. Type 2 hypervisors will eventually work on most Android devices supporting version 4.0 or greater without having the device manufacturer build it in before shipment; it can be added later if needed. However, specific OS kernel modes must be present (see "An Update on Mobile Virtualization and Trusted Environments").

Uses

Companies, regardless of industry, should assess the use of containers as part of their mobile data management and security strategies. Although over 80% of companies actively managing devices do not use a container technology, this will become particularly important to use when extending into more complex enterprise data stores, such as SharePoint or other file systems. Companies should gain control over where their data sits, especially data from email attachments. Any company supporting enterprise email with sensitive data should use containers to prevent accidental data loss. However, this means companies can't use the native email application on iOS, because Apple does not allow the deep policy integration that companies need to secure email. Enterprises should enforce the use of secure email on mobile devices, but should allow the use of the native email application for personal usage. Containers for iOS can support the separation of data by application (through wrapping or an SDK), but cannot support a separate workspace or dual persona, both of which Android devices can support.

The idea of dual-persona systems, where all enterprise content is separated from personal content, is becoming possible on Android devices. Gartner recommends the use of dual-persona systems to separate enterprise data from personal data, and to enable more secure and easier management. Although the user experience can diminish through the use of a dual persona, it allows the best use of management and security by IT.

Selection Guidelines

Companies can choose from different container technologies, and the devices the company can support, the level of security the company requires and the policies it needs to enforce will all guide product selection. Because companies are expected to support a variety of devices, Gartner predicts that 70% of enterprises will support at least two different types of containers from the same provider by 2017. Some container products also support multiple types of containers, to provide the widest capability. For example, virtual containers often include neutral or specific apps for offline access to data.

Application-neutral technologies, which implement policies outside the application logic, have an advantage over application-specific technologies, which implement policies within the application logic. Application-neutral technologies can be implemented quickly, offer dynamic policies, work on most mobile platforms, work on enterprise and third-party apps, and can alter policies by application depending on security and other requirements.

Application-specific containers also work across platforms and varied policies, but are best used when the application is developed. Existing applications will need recompiling, and perhaps even rewriting. Third-party application providers would be responsible for application-specific container support. This causes delays, and limits the number of apps that can be supported. Enterprises can directly license with third-party app providers and wrap the apps themselves. Enterprises that need both third-party and their own apps managed should choose an application-neutral technology for containers, as this offers the greatest flexibility. However, enterprises should be aware of the restrictions of wrapping third-party apps, and should follow the legal guidelines set by app developers and stores.

Companies with a virtual desktop strategy should assess emerging mobile VDI vendors. Although VDI typically is limited to online access only, these vendors understand that mobile users won't always be within network range, and that they will need access to view and alter content. Many vendors are looking at a hybrid virtual initiative that enables offline access, using the native wrapped applications in a secure container the VDI uses. This became available when Citrix Systems launched its CloudGateway 2 server in 2012, although the number of apps supported by mobile VDI is limited, including those by third-party providers.

With any container, an administration tool is needed to implement and manage the related policy, even if it is only for the business information on a partitioned device. This can be done by a specific tool as part of the container product, or often as part of an MDM system (MDM can only support the containers it provides). Container technologies will increasingly become a standard part of MDM products, which will offer a more integrated approach to managing enterprise applications and content. MDM products will merge with PC management tools, mobile device OSs, security products and application development products. Because of this trend, it is important to consider all separate container products as tactical investments that will likely need to be retired in two to three years.

Technology Providers

Containerization technology comes from numerous providers in and outside the mobile space. MDM vendors are one of the most prominent providers of container technology, as many of these vendors are looking to expand beyond simple policy management to provide deeper support of application and content management and security. MDM providers will have the most likelihood of success in promoting containerization technologies, as wide-scale adoption of MDM continues, and since containerization is a natural complement to MDM. However, organizations still need to set and manage a container policy, one that fits well within the MDM providers' administrative tool. A subset of MDM is mobile application management (MAM). These providers, some of which also offer mobile application development platforms (MADPs), provide limited MDM functionality with their containerization technology, and are being subsumed by MDM and other providers (see "Hype Cycle for Wireless Devices, Software and Services, 2012" and "Vendor Groups Step Up Differentiation in Mobile Application Management").

Other technology providers entering the mobile market are those that offer desktop virtualization. Since many users are replacing their PCs with mobile devices, it's only natural that these companies extend their capabilities to mobile devices. Although these products are the newest on the market, many emerging only in the past 12 months or still to become generally available, the opportunity is strong for these vendors, because in the past they have worked on enabling any data on any platform (PC or Mac). They also have created strong clients that are easily managed on devices, and have proprietary protocols to reduce latency and increase performance on a wireless network. These vendors will face the key challenge of optimizing desktop applications for performance on mobile devices.

Table 2 lists most major container vendors and the features they support.


Table 2. Major Container Vendors and the Features They Support

Vendor | Primary Vendor Category | Product Name | Container Type(s) Supported | Provides Email/Personal Information Management (PIM) Container | Dual-Persona Support* | Dynamic Policy Change | Secure Data Sharing**
--- | --- | --- | --- | --- | --- | --- | ---
AirWatch | MDM | Application Wrapper as part of MDM version 6.3 | App-specific, App-neutral | Yes: TouchDown | Yes | Yes | Yes for proprietary apps, no for third party on device
AppSense | MAM | DataNow | App-specific | No | Yes | No | Yes
Bitzer Mobile | MAM | Bitzer Enterprise Application Mobility (BEAM) | App-neutral | Yes | Yes | No | No
Cellrox | Virtualization | ThinVisor | Virtual | No | Yes | Yes | Yes
Citrix | Virtualization | MDX Interapp for CloudGateway version 2.5 | Virtual/hybrid | Yes | Yes | Yes | Yes
Enterproid | MAM | Divide | App-specific, App-neutral | Yes | Yes | Yes | Yes
Fixmo | Security | SafeZone Workspace Edition | App-specific | No | Yes | Yes | Yes
Framehawk | Virtualization | Framehawk Platform | Virtual | Yes | No | NA | No
Globo | MAM | GO!Enterprise Mobile Client | App-specific | Yes | No | Yes | Yes
Good Technology | MDM | Good Dynamics AppGuardian | App-specific, App-neutral | Yes | Yes | Yes | Yes
Kony | MADP | Kony Mobile Application Management library version 1.0 | App-neutral | No | No | Yes | Yes
McAfee | Security | McAfee Secure Container | App-specific | No | Yes | Yes | No
MobileIron | MDM | AppConnect | App-specific, App-neutral | Yes: TouchDown | Yes | Yes | Yes
MobileOps | MAM | AppVisor | App-neutral | No | No | Yes | Yes
MobileSpaces | MAM | Workspace version 1 | Virtual/hybrid | Yes | Yes | NA | Yes
Mocana | MAM | Mobile App Protection (MAP) | App-neutral | No | No | No | Android only
OpenPeak | MDM | Advanced Device and Application Manager (ADAM) Sector | App-neutral | Yes | Yes | Yes | Yes
Symantec | Security | AppCenter version 4.0 | App-neutral | No | No | Yes | No
Thales | MAM | Teopad | App-specific | Yes | Yes | Yes | (value missing in source)
TouchDown | MAM | TouchDown | App-specific | Yes | Yes | Yes | Yes
VMware | Virtualization | VMware Horizon Mobile | App-neutral, Virtual | Yes | Yes | Yes | Yes
Zenprise | MDM | Zensuite | App-neutral | No | Yes | Yes | No

* Android only.
** Within the container or wrapped apps.

Source: Gartner (January 2013)


Recommended Reading

Some documents may not be available as part of your current Gartner subscription.

"Using Managed Information Containers to Protect Information on Mobile Devices"

"An Update on Mobile Virtualization and Trusted Environments"

"An Overview of Workspace Aggregators"

"Vendor Groups Step Up Differentiation in Mobile Application Management"

Evidence

The product information for this research was gathered directly from each vendor.


GARTNER HEADQUARTERS

Corporate Headquarters
56 Top Gallant Road
Stamford, CT 06902-7700
USA
+1 203 964 0096

Regional Headquarters
AUSTRALIA
BRAZIL
JAPAN
UNITED KINGDOM

For a complete list of worldwide locations, visit http://www.gartner.com/technology/about.jsp

© 2013 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see "Guiding Principles on Independence and Objectivity" on its website, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.
