The inrush of personal devices into the workplace might bring convenience and augmented productivity for organizations. But this Bring Your Own Devices (BYOD) trend also has a darker side. If the devices are not managed properly there is a huge risk of corporate data breach. Devices with valuable corporate data on them can be lost, stolen or hacked. The compromising of customer information and internal business data can be a disaster for many organizations.
Organizations can’t mandate strong security policies on employee devices as this could raise privacy concerns. Performing a complete wipe on a compromised device often requires the employees’ consent. From the organization’s perspective, it’s not the device but the valuable data on it which is more important. However, for the employees, their privacy would be a major concern. Thus, BYOD can ultimately lead to a conflict between privacy and security.
Containerization: the ultimate solution for BYOD management
BYOD has tremendous potential in the corporate world and couldn’t simply be banned considering the security risks. The key is to implement BYOD in a manner that simply ensures security without compromising employee privacy. The concept of containerization unsprang then.
What is containerization?
Containerization is all about separating work and play. It allows business and personal apps and data to co-exist on a single device, but each stays within its confines. Containerization establishes separate, encrypted containers on personal devices — a secure area on the device that keeps business data insulated from everything else on the device and allows admin to manage only what is in the container restricting corporate access on personal data. Data and apps in personal space are kept separate and remain private. All the interactions between the user and corporate data take place within the container in its encrypted area.
Key advantages:
- Encryption — Most containers use the AES (Advanced Encryption Standard) based encryption and ensure that the corporate data can’t be accessed from outside the container.
- Remote wipe — Highly targeted remote wipe is possible with container-based products. Selective wipe ensures that only corporate data are wiped leaving personal data untouched.
- Data leakage protection — Organizations can retain control over their data by strictly limiting the flow of data into and outside the container. Admins can enforce strict security policies to control the data flow with an MDM solution.
First generation containerization was proprietary having limited options for employees to use their preferred productive apps and IT teams had no options to roll out mobile apps not supported by these containers. But now containerization is more flexible and integrates with app stores from Apple and Google allowing employees to work with their preferred apps without compromising privacy. With flexible containers, organizations can offer the users a significantly larger app store experience which can add on to their productivity.
Today it is possible to deploy containers with an MDM profile to enable containerization keeping the management focused on the corporate part of the device rather than the entire device. Mobile Device Management (MDM) solutions support containerization keeping the IT focused on containerized apps rather than the entire device. Deploying MDM technology with containerization gives the opportunity to enforce the use of strong authentication and encryption and to wipe corporate data from lost or compromised devices selectively, personal data remaining untouched. Thus, admins can prevent personal applications from accessing corporate data and users can be confident that the organization won’t access the personal information that they store on the device outside the container.
The Android Enterprise container
Google’s Android Enterprise program offers several features to secure and manage corporate data on Android devices. Android Enterprise lets admins create a separate workspace on Android devices in which business-managed apps and data reside. With a compatible MDM server, IT can control how data is managed within the workspace by enforcing strong security policies. Android Enterprise is supported as of Android 5.0 (Lollipop) and is available in almost all recent Android devices. Android Enterprise containers support any Google play store apps and Google Play’s entire catalog of premium business apps is available to download through Android Enterprise. Additional functionality allows organizations to publish private applications to authorized devices along with approval and configuration of Managed google apps.
Android Enterprise comes with two different types of deployment. Organizations can choose to use MDM either for profile-based or complete management of their Android devices. That is, the company can manage either a work profile on the device or the entire device.
Management modes:
- Device owner (Fully managed device) — Company has full control over the entire device. In the case of corporate-owned devices provisioning the device as Device owner ensures that the device is entirely managed by the organization. Device owner supports all the profile owner supported features along with additional features such as kiosk mode and a set of advanced restrictions.
- Profile owner (Work profile) — Android Enterprise creates a dedicated work profile that isolates and protects work data. Admin will have complete control over the work apps and data but have no visibility or control over the personal apps and data on the device. Google suggests personal devices to make the MDM agent a profile owner, where they obtain access to both personal and work apps, work apps being marked with a work badge.
Android devices enrolled as Profile owner will automatically create a work container upon enrollment. By default, work profile notifications and app icons have a work badge so they’re easy to distinguish from personal apps. Apps in the work profile do not interfere or communicate with apps in personal space. Apps that are to be used in both the personal and business areas simply run double on the device, one unmanaged for personal use and the other managed. Applications that are part of the Work Profile will be highlighted by a small orange briefcase icon on top of the app icon, but except for that, the app will work just as expected and will be integrated into the overall Android user experience.
Key advantages of enrolling in Android Enterprise:
- Access to the Managed Google Play store — Managed Google play is the content marketplace for Android Enterprise that allows admin to manage and distribute pre-approved applications. Organizations can deploy any play app in the Google Play Store to a secure Android container without any additional wrapping. Besides this, apps that are to be distributed internally within an organization can be published as private apps in Managed Google play. They aren’t visible or available to the users outside the organization. Managed Google play store also supports bulk purchases of paid apps.
- Silent app installation — You can add apps to the app inventory as Managed Google Apps and push the apps silently on to the devices. Enterprise apps have to be published to the Managed Google play to support silent installation.
- Custom app store — You can build a custom app store with Managed Google apps, customize it with pages and app categories. You can approve and add Managed Google apps to the MDM app inventory and design a store layout with custom pages and apps.
- App configurations and permissions — On MDM console, IT admins can configure settings for a particular app. You can control the features that a work app can access and configure the app even before the app is pushed to the devices. You can also set up what a specific app can do or have access to, right before they are assigned to any device.
- Enhanced data security with Android Enterprise restrictions and configurations — You can restrict what can be shared between personal and work profile, block screen capture in the work profile, restrict network connectivity options, app settings and so on.
Apart from Android Enterprise, Samsung devices have a built-in containerization platform called KNOX. Samsung KNOX is a containerized approach which builds Samsung’s defense-grade mobile security platform into Knox-supported devices released by Samsung. Apps in the KNOX workspace is protected by extensive DAT (Data at Rest) protections and is secured with AES-256 level encryption. KNOX requires an MDM platform for the activation and management of its container. MDM has an extra set of features built for Samsung KNOX devices. However, Samsung KNOX devices can be enrolled in Android Enterprise if they are running OS versions 6.0 and above. When Android Enterprise is deployed on Samsung devices, it can have enhanced platform and hardware level security.
The iOS Business container
iOS Business container seamlessly manages corporate apps and data separately from personal apps and data. The data exchange is defined using Managed Open-in. Apple’s Managed Open-in is a security feature released in iOS 7 that prevents attachments or documents from managed sources from being opened in unmanaged destinations and vice versa. Managed apps are apps installed via MDM. The Organization has full control over managed apps and their associated data. MDM can specify whether the app should be removed when the MDM profile is removed and can remove these apps and associated data at any time on demand.
Apple’s containerization approach divides the device into two virtual containers: one for managed work apps and the other for personal apps. Data flow between these two spaces is controlled by applying a set of restrictions from the MDM console. The iOS Business container has a specific set of features that enable corporate data to be managed at a granular level and ensures that the data doesn’t leak out to the user’s personal space.
Here is the list of restrictions available in the iOS business container to protect your organization’s valuable data:
- Disabling documents from managed sources to be opened in unmanaged destinations and vice versa.
- Prevent managed apps from writing to unmanaged contact accounts and unmanaged apps from reading from managed contact accounts.
- Block sharing managed documents using AirDrop.
Along with these, the admin can also enforce other restrictions to secure managed apps by preventing managed app data from syncing with iCloud, preventing screen capture and so on.
Apple’s containerization is quite different from Google’s Android for Work approach. The most important thing is that in Android for Work, work profile is visibly demarcated from the personal one whereas in iOS managed and unmanaged domains are not clearly distinguished. iOS business container runs in the background. This seamlessly enables admins to efficiently manage corporate data without the user even being aware of it.
The result of containerization is greater data security and control. Whether the platform is Android or iOS, admin can have explicit control over the work container and make sure that the corporate data is always safe and secured. Thus, containerization can be the perfect key for BYOD management.
