MobileIron advances Android MDM


Summary: Improvements in security and management for Android devices by MobileIron should make Android deployment an easier and safer decision.


Android is cleaning up in market share for smartphones, but it's still a dodgy bet in the enterprise. The security architecture has always been a few steps behind that of Apple's iOS, and even third-party products have had a hard time filling in the gaps.

Now MobileIron, one of the leading Mobile Device Management (MDM) companies, is announcing improvements in their Android support with the goal of making it a safe choice for the enterprise. Already, according to the company, more than half of their customers are using Android devices under management by MobileIron; 30 customers have over 1000 Android devices under management. But IT still sees Android as risky, and deployed iOS devices vastly outnumber Android devices.

The highlights of the announcement are:

  • Containerized Native Email. Mobile Application Management (MAM) products allow developers to "containerize" an app to make it manageable and to provide fine-grained security. But they can't containerize the pre-loaded Android apps like the Mail client. MobileIron, as part of a partnership with Divide (formerly Enterproid), will provide a containerized version of the native Android Mail client built from the Google Android distribution.
    Because it's the standard Android Mail app, users will have a familiar experience and the app should work on all Android distributions. It can be managed from the same MobileIron console as other managed apps, allowing IT to impose policies such as: encrypt all content, run the app in a secure container, block copy/paste with unprotected apps, run embedded URLs through the MI secure browser, and so on.
  • A containerized IBM Notes Traveler app. There are still many Notes installations and they are at very large corporations. A secure and manageable app will be appealing to these companies.
  • Validated FIPS 140-2 encryption. Encryption for data at rest and in motion by MobileIron has been certified by an accredited lab for FIPS 140-2 Level 1. Support for this standard is often required for government agencies and regulated businesses.
  • Secure tunneled browsing. Traffic to and from Web@Work, the MobileIron secure web browser, will travel through Sentry, the MobileIron secure gateway, making a device-wide VPN less necessary. Sentry provides single sign-on for both web and native apps under management, and uses Kerberos Constrained Delegation (KCD) to get a Kerberos ticket. This ticket can be used to access enterprise resources within the enterprise network.
  • Samsung KNOX support. MobileIron is the first commercial licensee of Samsung KNOX. KNOX devices, such as the Samsung Galaxy S4, are not enabled for KNOX out of the box. You need a license key and a service to manage the device. MobileIron now provides that, using KNOX native facilities for containerization and policy.

MobileIron expects Android deployments in the enterprise to accelerate, in part because of a September recommendation by Gartner that customers move off of BlackBerry. Rather than be locked into iOS, they will grow their Android usage. For certain applications, such as ruggedized deployments (a market that had been dominated by the old Windows Mobile), Android is especially appealing, as OEMs can customize many features as needed.


Topics: Security, Android, Mobile OS

  • So all this additional security brings Android up to the level of iOS?

    What are the specific issues with default Android vs iOS besides the option to sideload potentially malicious apps?

    I think it has more to do with the incredible variety of Android devices (hardware fragmentation) and that you never know what might be going on with some of the less reputable brands.

    For example, a cheap no-name Chinese phone (presumably with no Play Store access) could ship with a fully rooted build of Android, and no-questions-asked superuser elevation.

    It's not "Android's fault". It's just the nature of the fact that anyone can customize, compile and deploy it.
  • Yes, depending...

    Depending on how strictly you want to manage your devices. You could whitelist apps and only allow approved, managed apps for example. You could require that only the secure, managed browser be used. You could require only certain approved Android devices from more respectable vendors.
    Larry Seltzer
  • KNOX and FIPS Claims

    What do you mean by "MobileIron is the first commercial licensee of Samsung KNOX"? They are actually late to the game as companies like AirWatch and Citrix previously released support for KNOX in their EMM products.

    FIPS - Did they disclose if their FIPS 140-2 Level 1 accreditation was for iOS and Android platforms or just Android?

    Did you see any proof of this accreditation from the third-party lab? I ask because it has been a long-standing tactic for vendors to claim their product is FIPS 140-2 validated and really not be.
    • What it means

      "[t]he first commercial licensee of Samsung KNOX" means that they can issue a KNOX key rather than you having to get one from Samsung. I know for a fact that while AirWatch supports KNOX, you still have to go to Samsung for the keys.
      The FIPS support is just for Android (or at least that's all they're claiming now). From the MobileIron site: "MobileIron’s use of FIPS 140-2 cryptographic libraries for Android has now been validated by an accredited Cryptographic and Security (CST) laboratory in full compliance with the Cryptographic Module Validation Program (CMVP)."
      I didn't ask which lab performed the tests. I will ask, but I don't believe for a second that they would fake a claim like that.
      Larry Seltzer
      • CSC

        MobileIron got back to me. The testing was performed by CSC (Computer Sciences Corp.). I didn't know they were in the FIPS testing biz, but I'm not surprised. They showed me the letter announcing the test results. The MobileIron code appears basically to be an implementation of the FIPS modules in OpenSSL, so while the testing was (according to MI) extensive, it was probably straightforward.
        Larry Seltzer
      • Scott Cochran

        Larry, thanks for the review. FWIW, it looks like Scott Cochran is employed by Citrix and is a member of their technical sales team. Looks like he also trolls the MobileIron YouTube channel and stirs up comments. In the spirit of full disclosure, one would think he would reveal that in the spirit of transparency.

        Keep up the good work!
        • I think you're right

          Ragging on a competitor in a public forum without identifying yourself? Uncool, Scott.
          Larry Seltzer
      • Mobile Iron was not first to offer a KNOX license

        Vendors such as Centrify announced this weeks before MobileIron announced this per
        and in fact there were other worldwide resellers signed up and announced (e.g. Bell Canada, TelecomNZ) etc prior to this announcement.
      • What does it matter to be "the first"

        Hi Larry,

        Just to give you some feedback from the field in addition to MobileIron's marketing input you received... I am testing MobileIron VSP 5.8, AirWatch 6.5/7 and Citrix XenMobile MDM 8.6 in my lab. In this round MobileIron currently offers far less functionality managing Knox containers than the other two. Compare the policies defined by Samsung and then have a look into the MI administration. Being "first" has some history at MobileIron. They promised to have the first MAM implementation they call "AppConnect" in late 2011. It was first published in January 2013. Early 2012 they shouted to be first to support Samsung SAFE - it was still not working in July (you find more details about that on my site). They claim to be the first ones supporting the new iOS7 enterprise features. Still, their management interface lacks even simple things such as deactivating TouchID.

        So what does it matter to offer "Knox licenses" in the first place?

        I am not related to any of these vendors, but yes, MobileIron does not like my open words. They do not like facts to be published.