Divide and Conquer: Boost Security Via
Smartphone Container Management

Split-personality mobile devices demand split-personality management

Cloud & smarter Infrastructure Weekly. An IBM service management perspective.

For many organizations, the Bring Your Own Device (BYOD) revolution has been a mixed blessing. While team members have certainly benefited from the added convenience when accessing company services and data, the IT ramifications—in particular, the security ramifications—are problematic, to say the least.

As just one example, imagine a phone normally used for business purposes that is left in a taxi on a trip to New York. Such a simple mistake by one individual can in theory create a world of trouble for IT by opening an unwanted door to company data, empowering non-employees to do things like copy that data, alter it, or even delete it.

Endpoint management solutions like IBM Endpoint Manager have been developed to respond to this situation. They grant IT new capabilities to manage even BYOD devices—given employee permission. And the case for that permission is strong; new security that improves matters for IT also usually improves matters for the device owner.

The phone left in the taxi, for instance, can be wiped remotely by IT, which helps keep photos of the employee, her children, her home, and details about its location out of the hands of complete strangers.

Even so, many team members may be uncomfortable with the idea of granting any form of management control over phones to their employers. In such a case, the usual desire would be to keep the work life and the home life completely separate... even though that desire is at odds with the premise of using the phone as a corporate endpoint (which the team member also wants).

IBM Endpoint Manager and Divide: Ham, meet eggs


Fortunately, IBM's endpoint management development team has taken this situation into account. IBM Endpoint Manager now offers an attractive solution to the problem: integration with Enterproid's Divide offering.

What is Divide all about? Just as the name implies, Divide allows a smart mobile device to be divided into different logical sections—"containers"—each of which is sandboxed away from the others, rather like the way hard drives can be partitioned to support different operating systems.

Using Divide, the hypothetical team member who wants the best of both worlds with her smart phone can actually get it. Separate containers on the phone can be created for her work and personal lives, and because they are separate, they can be managed separately as well. That means enterprise IT can take full advantage of endpoint management solutions (like IBM Endpoint Manager) to secure the work container, its apps, and its data to the best effect allowed by the host OS (whether iOS or Android).

Meanwhile, the personal container is "off limits" to IT; its data cannot be copied or deleted, its apps cannot be provisioned, deleted, or updated, and its user configuration cannot be altered. Such a phone, thanks to its split personality, offers the employee everything she wants, and nothing she doesn't, while also substantially reducing the security risk to her employer.

And now, thanks to the integration between IBM Endpoint Manager and Divide, it's easier than ever to implement and oversee such a comprehensive architecture. IBM Endpoint Manager and Divide thus represent a complete mobile device management/BYOD solution, one that is particularly well suited to the needs of larger enterprises.

Organizations of this size, for instance, typically have an extraordinarily large number of endpoints to oversee, as well as a broad range of endpoint types—everything from virtual servers running in a cloud to traditional workstations like laptops, and now, of course, smart mobile devices as well. By integrating with Divide, the scope of Endpoint Manager's capabilities is extended even further—to individual containers on those smart mobile devices. Yet all endpoints (including containers) can continue to be managed in a centralized way, from a single server that supports up to a quarter million endpoints, all driven by a unified policy engine and overseen using a unified interface.

An impressive range of management capabilities improves security without compromising privacy

Initial setup is very straightforward—as soon as the Divide app is provisioned to the device, it's also bound to IBM Endpoint Manager.

Exactly what can Endpoint Manager then be used to do with smart mobile containers? Until recently, the answer was:

In the latest release, however, IBM Endpoint Manager can be used to fully define and execute Divide policies, all from within the IBM Endpoint Manager for Mobile console. That means a far wider, more granular range of management options over the work container; these in turn translate into improved security for the organization, yet introduce minimal new complexity (since only one management solution is being used).

For example, it's possible for IBM Endpoint Manager to detect when a phone has been "jailbroken"—then take appropriate action based on company policy. Or imagine that on an Android-based phone, the debugger has been enabled on the work container (something no normal user would typically need to do). In this situation, the organization might elect to block the debugger's functionality while simultaneously warning the user of the potential problems that might otherwise arise.

Management control also extends to work-side applications. It's possible, for instance, to create a whitelist of acceptable apps, or a blacklist of forbidden apps, and then manage containers using those lists—detecting when whitelisted apps are missing (and reprovisioning them), or when blacklisted apps are installed (and deleting them). Since these actions only apply to the work container and not the personal container, the phone's owner is far less likely to have any sort of objection. And if the owner chooses to install problematic or insecure apps in the personal container, they are far less likely to create a security issue for the organization than if no containers were used.
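The two preceding paragraphs describe what the console evaluates against a work container (jailbreak state, a debugger enabled on an Android work container, and app whitelists/blacklists) and the actions that follow. The following is an added illustration of that decision logic, not IBM's or Enterproid's code; the inventory fields, policy fields and action names are assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class ContainerState:
    """Inventory reported for the work container only (assumed shape)."""
    device_id: str
    os: str                 # "android" or "ios"
    jailbroken: bool        # host OS compromised (jailbroken / rooted)
    debugger_enabled: bool  # debugger switched on for the work container
    installed_apps: set     # app identifiers present in the work container


@dataclass
class Policy:
    """Company policy for the work container (assumed shape)."""
    whitelist: set          # apps that must be present; missing ones get reprovisioned
    blacklist: set          # apps that must not be present; found ones get removed
    on_jailbreak: str = "wipe_work_container"  # policy-chosen action (assumed name)


def evaluate(state: ContainerState, policy: Policy) -> list:
    """Return the ordered list of (action, target) pairs for this container.

    Only work-container state is read; the personal container is out of scope.
    """
    actions = []
    if state.jailbroken:
        # A compromised host OS makes the other checks moot; apply the
        # policy-defined action and stop.
        actions.append((policy.on_jailbreak, None))
        return actions
    if state.os == "android" and state.debugger_enabled:
        # Block the debugger and warn the user, as the post describes.
        actions.append(("block_debugger", None))
        actions.append(("warn_user", "debugger enabled on work container"))
    for app in sorted(policy.whitelist - state.installed_apps):
        actions.append(("reprovision", app))      # required app missing
    for app in sorted(policy.blacklist & state.installed_apps):
        actions.append(("remove", app))           # forbidden app present
    return actions


# Constructed sample inventory and policy (not real device data).
SAMPLE = ContainerState("dev-001", "android", False, True,
                        {"mail", "sideloaded-game", "calendar"})
POLICY = Policy(whitelist={"mail", "calendar", "vpn-client"},
                blacklist={"sideloaded-game"})
```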

Also helpful is the fact that Divide is designed (using logical "wrappers") to support both standard Divide apps and third-party apps of all types. Competing container-based solutions, on the other hand, require third-party apps to be rewritten to support container management controls. This is a significant drawback, since many app developers won't take the time or trouble to rewrite their code, meaning app choice would be significantly restricted for both the user and the organization.

Finally, consider that the IBM Endpoint Manager/Divide combination is also appealing for the users because it preserves the native, OS-specific user experience (instead of imposing a proprietary interface, as some competing offerings do). Meanwhile, for the enterprise, a secure VPN links the work container and the organization's infrastructure—protecting data in motion much more effectively than other offerings that don't support container-specific encryption for data in motion.

These strengths illustrate just how well Endpoint Manager and Divide are suited to both employers and employees—a perfect response to the BYOD dilemma.
