Mobile Device Management: BYOD gets religion

Mobile Device Management: BYOD gets religion

Summary: Several technologies shown at Mobile World Congress 2013 in Barcelona will finally allow enterprises to get serious about a Bring Your Own Device strategy.


Around 1.2 billion Catholics will wait on pins and needles as the Cardinals enter the Sistine Chapel in Rome's Holy See during conclave in order to elect the new Supreme Pontiff, for as much as two weeks or maybe even a month, according to Vatican history.

However perhaps a billion smartphone and tablet users -- with Android and iOS claiming nearly as many religious followers as Roman Catholicism -- are still waiting for the blessings of Enterprise IT before their devices can enter their Holy Networks. 

Bring Your Own Device, or BYOD, has always been a tricky issue for large corporations. To lower IT costs, allowing employees to bring their own smartphones and tablets to work has a clearly identifyable cost savings over employer-supplied devices, but there are three major problems with this.

First is the issue of securing the employee device to meet any number of corporate  security standards that allow it to participate on the network as a managed client, the second is to ensure the security of corporate data, and the third is allowing the employee to use their device freely for personal use.

There have been a number of approaches to this in the past, all with varying degrees of success, but overall BYOD has only been considered a small experiment in corporate IT in most companies.

At this year's Mobile World Congress in Barcelona, a number of technologies and initiatives previewed by mobile device vendors and ISV/System Integration companies will now ensure the "Holy Trinity" for BYOD can finally be achieved.

Samsung, the Korean electronics giant and the world leader in handset sales, has released KNOX, an integrated security offering for BYOD that allows any enterprise the ability to secure their smartphones on a corporate network.

Among other features, such as integrated Centrify Active Directory single sign-on capability, KNOX is a "containerization" technology, which gives enterprises the ability to run applications, data and settings in a segmented and fully protected region of the Android OS that is entirely separate from the employee personal data and applications and can be remotely wiped if the device is lost or the employee is terminated.

This security implementation is not unlike the "Jails" or "Zones" which exist on Oracle's UNIX-based Solaris operating system that runs on their UltraSPARC mid-range enterprise servers.

Containers are a type of virtualization also referred to as "OS virtualization" where a single OS kernel provides the constructs for memory and storage isolation, and is considered the least resource intensive form of virtualization.

While Container technology like KNOX when combined with policy-enforced management may be sufficient for many enterprises, it limits smartphone use to a single vendor (in this case Samsung) and may not be secure enough for other types of enterprises such as Government, Banking and Healthcare.

For the most demanding security requirements, there is GD Protected, which is an entire suite of technology offerings from General Dynamics C4 Systems. Yes, the very same General Dynamics that has brought you the F-16 jet fighter and the ultra-secret "Obamaberry."

Ultra-secure devices like the Sectera Edge "Obamaberry" used in military and government communications used to be extremely vertical, and extremely expensive (as in multi thousand dollar each) in nature. But with the acquisition of Open Kernel Labs' Type-1 OKL4 "Microvisor" technology General Dynamics is looking to make a big splash in the commercial space using far less expensive commodity hardware like the Samsung Galaxy SIII and the LG Optimus.


This broad suite of technology which is avaliable to OEM and carrier partners to license and use in their own offerings includes TrustZone Integrity Measurement and Attestation, Certification & Accreditation of the hardware, Trusted Boot & Provisioning, Secure Voice/Email/Data/Browsing & Network Access, Containers, On-Device data encryption, Mobile Device Management (MDM), Global Policy Arbitration, Virtual Private Networking, Smartcard verification, Secure Gesture and Mobile Virtualization.

General Dynamics has created a proof-of-concept smartphone using LG's hardware called "Groom Lake" (named after the super-secret government facility in the Nevada Test Site which reportedly houses "Area 51", that makes the goings-on at the Vatican look downright open by comparison) which utilizes all of these security technologies and is currently avaliable for evaluation by enterprises. 

General Dynamics is not the only vendor that has created a virtualized, dual-personality smartphone for Enterprise use. Red Bend, who is a leader in the wireless carrier over-the-air software update and carrier handset provisioning space, has partnered with Samsung in releasing a Galaxy SIII handset under their "TRUE BYOD" branding which is being sold to enterprises today under Samsung's partnership program.

It should be noted that GD's "Groom Lake" systems architecture, as well as Red Bend's VLX, while initially implemented on Android, can work with other mobile operating systems such as Windows Phone, BlackBerry OS 10, Ubuntu for Mobile, webOS, and even Apple's iOS if the respective companies were willing to license the technology and GD and Red Bend were to para-virtualize the drivers necessary for each of the mobile operating systems to run on their respective hypervisors.

If this level of effort to virtualize all of the leading mobile OSes were undertaken, a "Best of Breed" smartphone could exist with say, Windows Phone 8 as the secure corporate image and Android as the personal phone, both virtualized on the same hardware. If anything, that would make smartphones and tablets in the enterprise religious-agnostic.

So far, Samsung has licensed the GD TrustZone piece as an add-on option in KNOX for enterprises looking to add OS image valaidation. But soon, by using the entire GD Protected suite and the microvisor technology, we could see systems like the Dual Persona Secure Smartphone as depicted below in enterprises all over the world. 

Will comprehensive Obamaberry-style security and mobile device management finally allow BYOD to "Get Religion?" Talk Back and Let Me Know.

Topics: Mobile OS, Networking, Security, Smartphones, Virtualization


Jason Perlow, Sr. Technology Editor at ZDNet, is a technologist with over two decades of experience integrating large heterogeneous multi-vendor computing environments in Fortune 500 companies. Jason is currently a Partner Technology Strategist with Microsoft Corp. His expressed views do not necessarily represent those of his employer.

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.


Log in or register to join the discussion
  • Blackberry 10 Os already have this feature

    Well, maybe i need to investigate a little bit more about Groom Lake but, isn't this feature already on Blackberry 10 devices?. I mean, the posibility of keep your personal data isolated from enterprise data and apps. I don't Know if Blackberry use mobile virtualization or something like this microvisor but if you can isolate your both worlds (personal and work) with your z10 why do you have to pay more money for this tecnologie? I am very sorry, but I don't see it
    • sounds backwards

      Do these solutions support ios android and blackberry? Else IT will have to have different solutions for each platform. Correct me if I'm wrong but I thought blackberry bes now supports android and ios. I'm still not sure how I feel about devices inherently lacking security and having it supplimented after the fact. That's kind of how windows rolls. If an IT department was smart they'd roll blackberry 10 out to their staff and comprimise on android ios byod where desired.
  • Can anyone tell me how?

    Reading this in the article:

    "To lower IT costs, allowing employees to bring their own smartphones and tablets to work has a clearly identifiable cost savings over employer-supplied devices"

    I'm compelled to ask how? Where do these clearly identifiable savings come from? I've never seen a business case that proved it and I've seen and worked on many. In fact for most organisations BYOD increases costs not reduces them, but it yields flexibility benefits and other intangibles, nearly all of which can be achieved with company owned infrastructure too.

    You can let the employee pay for the device their software and support, but that's just shifting your cost to someone else; while some employees will accept this gladly, many won't. Particularly once they realise they are being asked to pay for the company's IT infrastructure.
    • For some technologies

      It does. Smartphones for sure. We only have about 200 corporate phones, as in phones paid for by the corporation. However we have well over 1500 connected to our Exchange environment. I think the cost savings is pretty clear.

      We do make our users sign a form saying that we WILL push down policies to these phones and we CAN AND WILL wipe them if leave the company on their own or not....all via Active Sync. We only support this for Windows Phones and iPhones as they have the best or most reliable Active Sync support. It irks the heck out of Android users but we have had way to many problems with the many versions of the Android OS not fully supporting Active Sync.
      • CALs...

        Have you purchased a Windows and an Exchange CAL (at minimum) for each of these devices?
  • There's a simpler solution

    Any solution that requires deep OS integration will only work on Android, because Apple and MSFT won't play along. The best solution is Over the-Top (OTT) containerized MDM, like the services offered by Mobile Iron, Good Technology, Airwatch, etc.

    The main challenge these MDM providers face is that the phone line falls outside of the secure container. They can secure everything expect the calls, texts, and voicemails. That's a deal killer for many enterprises, since that's where lots of the confidential stuff happens.

    Enter Line2, which provides an enterprise-administered phone line with its own number that can be put in the secure container. (I'm the founder, but in this case I think the shameless self promotion is relevant to the article.) So there are two phone lines on the phone - one personal - the native line, and one business - the Line2 line. The personal line and the apps outside the container are controlled by the employee, and the Line2 line and the apps inside the container are controlled by the enterprise. Everybody's happy, and you don't need to convince Apple, Microsoft, the carriers, or the handset manufacturers to go along. It just works.
    Peter Sisson
  • BYOD is a cancer...

    ...that has an incalculable cost across industry.

    IT never gets the respect it deserves. The lost person hours, coupled with the infrastructure costs to support some idiots mistaken idea that an iPad can be a productivity tool is categorically ludicrous.

    The IT staff have been specifically educated in the technologies and issues that affect an organizations ability to share information internally and externally. Their decisions on devices and tech to support the extensive research done by highly paid and educated BAs in detailing value creating processes and workflow need to be respected. IT never goes down to accounting and tells them what software packages to use, or demands that legal research only the cases and journals they approve.

    How and why the f does anyone outside of IT get to influence these things? People supporting BYOD should be tied up, and beaten with their stupid, unsupported devices.

    And if someone wants to BYOD, ALL of the services required are completely available to every individual. Just do it yourself, and don't be a little bitch about it if you want it so badly. There's no such thing as a free lunch, so put a couple hours in to educate yourself.
  • The sardonic irony is not lost on me...

    ...that BYOD is being discussed using catholicism as a vehicle should indicate what a stupid, ignorant, dangerous, laughable, poorly conceived, unsupported, baseless, and expensive endeavor it is. Not completely unlike all the other bullshit they believe in.

    Jason, you so funny. Nice work.
  • unfair..!

    that a company will instruct their employees on which device to buy?? coz one can comply with the corporate policies while other can't...and with multiple flavors and vendors selling Android it's nearly impossible to make them all roll out devices with same capability. Windows, Blackberry and possibly Apple are at a clear advantage here!
  • GD Trustzone is Giesecke&Devrient product

    The GD trustzone technology licensed by Samsung is developed by Giesecke&Devrient, not General Dynamics. Giesecke&Devrient (G+D) is a banknote printer and a smart card manufacturer from Munich.

    It was developed as part of the PrimeLife R&D project with a grant from the European Union.
    • No, it is still General Dynamics.

      The "Trustzone Integrity Management" module that is in KNOX as an add-in option is a General Dynamics product as part of the GD Protected suite, even though "TrustZone" itself is an ARM/EU standard.
  • Interoperability vs Proprietary

    What is it that we all want? a BYOD device that allows us to travel between networks, jobs applications. There is no interest by us as users to allow the device I paid for with my own hard earned $$ to be limited in function by my IT department. Therefore, the industry needs to think about users vs. making $$ as a company and then the fruits of our labors ($$) will flow, and both IT and users will be happy. We need to look at industry standards from GP, TCG and others to provide embedded security that can be used on any device type and provides the user and IT shops with the flexibility and tools to do what they want in a protected way.
  • Bring Your Own Device

    BYOD permits employees to access all the corporate data on the personal devices. This trend is prevalent today in all organizations however it’s the organization that has to make sure that the management and security of the data on these personally owned devices. Therefore, in order to keep a check on the employees and to maintain the security, enterprises have started to look for various solutions that can help them retain the trend as well as secure the corporate data BYOD apart few disadvantages has benefits too . It increases the productivity of an enterprise as the employees are more comfortable using their personal devices for corporate work. Employees work from home or outstation locations that increase the productivity of the enterprise.
    bharti mehta