New tools are giving IT a way to manage apps without stomping all over users' devices -- everyone wins

IT concerns are fast moving from mobile device management (MDM) to mobile application management (MAM) as part of a shift in thinking from whether to allow mobile devices in to how to best take advantage of them. At IT conferences, I hear more and more questions about how to manage those applications. For organizations used to controlling the software on a user’s PC via tools such as IBM’s Tivoli and Microsoft’s SMS, the iPhones, iPads, and Androids now becoming commonplace herald a Wild West environment.

The heterogeneity of those devices is daunting enough — most desktop application management tools can’t even do a decent job of handling Mac OS X applications, so no one expects them to go near the mobile devices. But mobile OSes veer even more dramatically from the desktop, making app management less suitable for IT’s traditional approach. The use of app stores means IT isn’t the central distributor of apps in mobile, while the mix of HTML and native apps raises another level of complexity. Sure, IT can put together its own mobile app “store,” but it’s often a glorified website or intranet site with links to approved or recommended apps, both internal and external.

Even as IT has given up the notion of ruling over mobile devices and instead has come to view them as a device jointly “owned” with the user, IT rightfully wants to manage the business-oriented apps on those devices. That way, when an employee leaves the company or a device is lost, the application and its data can be removed from the device. IT also rightfully wants to be able to manage updates and licenses, as well as track usage — especially in the messy context of apps used by employees, contractors, and business partners, in which even a control-oriented organization simply can’t seize the traditional control over all the devices.

The first wave: Managing HTML app containers via policies

What’s evolved in the device management space is a policy-oriented approach. In this scenario, a tool such as BlackBerry Enterprise Server (BES), Microsoft Exchange (via Exchange ActiveSync protocol), or a third-party MDM utility, such as those from Good Technology, MobileIron, and Trellia, manages the data it provisions, including mail, contacts, and so on. It can also impose devicewide access policies, such as password requirements, remote lock, and more. Some of these tools can even manage applications they provision, essentially allowing or disallowing access, as well as pushing updates.

The same is beginning to happen in mobile application management. A few weeks back, I profiled the approach used by Antenna Software, whose MAM essentially puts HTML apps in a virtual box on the iPhone or Android device. IT can then control and monitor the apps in that box. The approach is very similar to how many MDM tools work, providing their own clients, managing the email, and so on, apart from the rest of the device; it’s akin to the VDI approach used in Citrix Systems’ Receiver app for mobile devices.

That box approach provides a clear separation between work and personal apps and data, but it’s a bit heavy-handed, forcing users (in the case of Antenna’s Volt) to open a container app to access business-provisioned HTML apps. That’s acceptable for HTML apps, as users typically first launch a browser before running a Web app, and you can think of the Volt client as a browser for enterprise apps. Plus, IT directly controls those apps because they run on IT’s servers just like a desktop Web app.

The second wave: Managing native apps directly via policies

But it doesn’t extend to native apps, which can’t run inside another app or on IT’s servers. That’s where the AppCentral and AppGuard services come in.

The company AppCentral (formerly named Ondeego) today released iOS and Android versions of its MAM technology that take a different approach to mobile application management and distribution, one that appears very well suited to native apps.

In a nutshell, with the AppGuard part of the service, you add code to your iOS and Android apps that uses AppCentral’s policy APIs and provides a “listener” function. The APIs let the app communicate with an AppCentral server as to policies for that app and/or user, such as restricting usage to specific Wi-Fi access points (a common requirement in health care) or zeroing out the app and its data if the user’s permissions are revoked (such as when a contractor’s gig is completed).

The “listener” function monitors activities such as an app launching or coming to the foreground (suggesting it’s in active use), so it can then check the current device and application state against the policies. The “listener” function also communicates app status and activity back to the server — not entire device status, which may allay concerns from employees, contractors, and business partners over how invasive your management may be. What’s key is that the management is embedded in the app, so you don’t have to manage the device itself. Thus, you should be able to extend legitimate application management to a greater number of users than the universe of devices you actually manage.

Apple has blessed AppCentral’s technology, so iOS developers need not worry about their apps being rejected due to use of non-Apple APIs. In the Android world, there is no such approval concern, of course. And in the Android world, IT can wrap someone else’s app with the AppGuard technology, to produce an IT-manageable and -monitorable version.
(Apple forbids such changes to iOS apps, to ensure their integrity.)

The AppCentral tool provides the provisioning of the apps, including licensing management and distribution of third-party titles — a big challenge in the mobile space, especially with iOS apps where Apple allows enterprises to directly distribute their own programs and requires all third-party apps to be distributed through the App Store. There are also challenges in both iOS and Android in bulk licensing, given the pay-per-user model of the Apple App Store and Android Market; you can buy multiple licenses and issue redemption codes to users so that they’re not billed, but that’s not a terribly efficient mechanism for a large organization. AppCentral has some capabilities here, though the issue is a complex one, and IT’s and mobile OS vendors’ interests may not fully align.

The new MAM shows IT is adjusting to the new “consumerized” reality

We’re still in early days when it comes to mobile management. In the last two years there’s been a mini gold rush in the MDM space, with dozens of vendors joining the fray. In the last year, the MDM concept has taken hold in the enterprise, allowing even highly regulated companies to support iPhones, iPads, and Androids — unimaginable in 2009.

MAM is next. IT worrywarts are shifting their hand-wringing from devices to applications, some for legitimate purposes, some as a new objection to raise. I fully expect that companies like Antenna and AppCentral will lead the charge to resolving legitimate application management needs as Good, MobileIron, and Sybase did in the MDM space.

Even better, approaches like AppCentral’s that move away from the heavy hand of total control to the nuanced approach of specific control indicate that IT is adjusting to the emerging “consumerized IT”-driven shared model of business technology, where users, IT, and third-party providers are all part owners and thus part managers.
That approach requires a shift to more granular management and policy-based management. The tools to support that new reality are emerging.

This article, “Mobile application management without the heavy hand,” was originally published at InfoWorld.com. Read more of Galen Gruman’s Mobile Edge blog and follow the latest developments in mobile technology at InfoWorld.com.
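
Added illustration (not part of the original article, and not AppCentral's code or API): a small Python model of the app-embedded “listener” described in the AppGuard section above, which checks policy when the app comes to the foreground, wipes only the app's own data on revocation, and reports app-level status only. Every name is hypothetical, the sample policies are constructed, and blocking when the policy server is unreachable is an assumption the article does not address.

```python
from dataclasses import dataclass, field
# Hypothetical names throughout; this is not AppCentral's API.
@dataclass(frozen=True)
class Policy:
    revoked: bool = False                  # user's permission for this app withdrawn
    allowed_aps: frozenset = frozenset()   # empty = no Wi-Fi access-point restriction

@dataclass
class ManagedApp:
    app_id: str
    user: str
    data: dict = field(default_factory=dict)    # the app's own local data
    outbox: list = field(default_factory=list)  # status reports queued for the server

    def on_foreground(self, fetch_policy, current_ap):  # listener hook: launch/foreground
        try:
            policy = fetch_policy(self.app_id, self.user)
        except ConnectionError:
            decision = "blocked-offline"   # assumption: fail closed, but do not wipe
        else:
            if policy.revoked:
                self.data.clear()          # zero out this app's data only
                decision = "wiped"
            elif policy.allowed_aps and current_ap not in policy.allowed_aps:
                decision = "blocked-wifi"
            else:
                decision = "allowed"
        self.outbox.append({"app": self.app_id, "user": self.user,
                            "event": "foreground", "decision": decision})  # app status only
        return decision

# Constructed sample policies standing in for the policy server.
SAMPLE_POLICIES = {
    ("charts", "nurse1"): Policy(allowed_aps=frozenset({"ward-ap-1", "ward-ap-2"})),
    ("charts", "contractor7"): Policy(revoked=True),
}

def sample_server(app_id, user):
    return SAMPLE_POLICIES[(app_id, user)]
def offline_server(app_id, user):
    raise ConnectionError("policy server unreachable")

def demo():
    nurse = ManagedApp("charts", "nurse1", data={"cache": "records"})
    gone = ManagedApp("charts", "contractor7", data={"cache": "records"})
    return [nurse.on_foreground(sample_server, "ward-ap-1"),
            nurse.on_foreground(sample_server, "coffee-shop-ap"),
            nurse.on_foreground(offline_server, "ward-ap-1"),
            gone.on_foreground(sample_server, "ward-ap-1"), gone.data]
```

The reports queued in `outbox` carry only the app, user, event, and decision, mirroring the article's point that the listener reports app status rather than whole-device status.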