VMware’s Strategy for iOS 7 and Industry Implications
Apple announced iOS 7 last month at WWDC and we think this release will have a profound impact in the enterprise market with categories collapsing and vendors disappearing off the map. But getting more specific, as a result of this announcement, VMware is embarking on a new iOS strategy and I’d like to share more details on this shift in strategy as well as my perspective on how this release will impact the industry.
Quick review of relevant iOS 7 features:
At a high level, Apple extended its Mobile Device Management (MDM) APIs to also manage applications so in addition to turning knobs to control device characteristics, IT can now control application capabilities as well. The most relevant iOS 7 features that will impact the enterprise market are:
- Control of Open In: With iOS 7, Apple will introduce a new API that lets IT administrators control which applications (called managed apps) they will allow users to use to open attachments. Prior to iOS 7, users could open an attachment within an email using any document application (i.e. native viewers, Dropbox, Evernote, QuickOffice, etc.), which was a security hole since it increased the risk of data leakage especially through consumer cloud services.
- Per-application VPN: Prior to iOS 7, VPN connections were implemented at the device level, which meant that once you enabled VPN on a device, every application on the device would have access to the intranet. With iOS 7, Apple allowed a set of managed applications to use a VPN tunnel using any of the supported VPN vendors (Cisco, Juniper, F5, etc) which offers greater control and security for IT.
- Single Sign-on: In iOS 7, Apple implemented Kerberos SSO at an application level. So if your in-house native iOS application uses Kerberos style authentication, you could SSO to authenticate users to the application.
- Configure application settings: In addition to pushing and deleting applications on the device, iOS 7 will allow IT administrators to configure application settings as well.
Future of Application Wrapping and Containers:
Container technologies allowed IT administrators to isolate personal content from corporate content and protect the corporate content by not allowing data to leak out of the container. Broadly speaking, this was Mobile Application Management (MAM). Many of the MAM vendors also provided their own email and browser apps in the container and with app wrapping or an SDK, others apps could participate in the container.
Because email/PIM was in the container, the MAM vendors could prevent email attachments from being opened by applications not present in the container so, corporate data did not leak out. MAM vendors also implemented application tunnels that were app-specific “VPN” tunnels so applications had access to intranet resources without enabling the device VPN. This technology was tied to the browser in the container so that users could seamlessly access intranet and other web apps deployed behind the firewall.
While containers offered better security, the user experience was far from ideal. No single usability limitation was catastrophic on its own but together the collection of them felt like a thousand little compromises. For example, in order to prevent data leakage through emails, MAM vendors provided their own email applications. Since this enterprise email app was different than the standard Apple-provided one, users had to learn a new app and it lacked some users’ favorite features.
Many of the capabilities that our Android solution offered – the ability to seamlessly push to or delete applications from the container, the ability to configure apps before provisioning them, the ability to run any third-party application as-is in the container, etc. – were simply not possible to implement on iOS 6.
The need for containers and application wrapping is vastly diminished with iOS 7. With the managed application feature, IT can prevent data leakage from the native email client so this negates the need for a separate email/PIM application for corporate use. And with the per-app VPN, IT can now enable individual applications to have their own intranet access so this negates the need for application tunnels and a “secure” corporate browser. While there are a few other cases where app wrapping helps – for example, protecting cut/copy/paste across personal and corporate boundaries – it is fair to conclude that IT administrators can achieve their goals without leveraging app wrapping or containers and even offer a much better user experience. Further, IT administrators no longer have to plead with their ISVs to wrap or recompile the app with their chosen container technology.
VMware’s iOS Strategy
VMware has been an early and loud proponent of managing only the corporate content on a device rather than managing the entire device (ala MDM). Although, we developed application wrapping and container technology as part of our iOS mobile device strategy, once iOS 7 was announced, we evaluated its new capabilities against customer requirements we gathered over many quarters and concluded that leveraging Apple’s application management APIs would address our customers’ needs and provide the best possible user experience.
As Apple has provided a path to achieve MAM support using native iOS 7 capabilities, we refocused the team to build upon that platform and deliver the application management and data leakage controls that customers require. This means that Workspace 1.5 (which GAd today!) will no longer include our iOS application wrapping capabilities. However, we will add iOS support in a future release by leveraging iOS 7 APIs.
It is critically important to note that Android does not offer similar application management capabilities – and given its fragmentation, we believe Horizon Mobile (virtualization) is the right solution to make Android enterprise ready.
In all, we feel this shift in our strategy will benefit our customers given the capabilities that exist in iOS7 – and I welcome your comments on our move as well as your thoughts on the impact iOS7 will have on the mobile space.