EMM Containers: Finding the Perfect Fit



While all containerization technologies share the same objective – securing corporate applications and data on mobile devices – they vary significantly in the way they achieve that objective. Here we compare four current approaches to mobile device containerization.


There are two container types that fall into the virtualization category: mobile virtual desktop infrastructure (mobile VDI) and mobile OS virtualization.

Mobile VDI

Mobile VDI is essentially a mobile version of traditional server-hosted desktop virtualization, also known as a “thin client,” which has a long history in the enterprise. This virtual container approach protects data chiefly by executing applications and storing content in a behind-the-firewall centralized location, rather than on the device.

This approach’s best attribute is security, as all or nearly all corporate data resides on servers located in the cloud or in a corporate network. Still, a thin client running on top of a compromised OS is vulnerable to screen scraping, particularly if there are no security assurances for the integrity of the host operating system. Mobile VDI-based containers also score low marks due to their dependence on a persistent, high-bandwidth mobile connection, which still presents a problem in many work environments. Other drawbacks include limited feature sets and potentially high application development costs.

Mobile OS virtualization

Mobile OS virtualization containers, implemented using hypervisors, create virtual machines that can be managed essentially as separate operating systems. These containers come in two flavors, Type 1 and Type 2. Type 1 containers run at the device, or hardware layer, and are embedded into the smartphone or tablet. Type 2 containers run on top of the OS and are inherently less secure than Type 1, but not as difficult to deploy.

Mobile OS virtualization containers, similar to VDI-based approaches, provide a secure environment by thoroughly isolating corporate data into dedicated workspaces. The hypervisor technology, however, is far from optimal on the usability front, delivering sluggish performance, short battery life and the requirement for users to switch between completely independent device environments, which can be a cumbersome process for many users. But the most worrisome aspect of OS virtualization is the high cost of ownership due to the inherent complexity of virtualization technology.

Application Specific

Application-specific containers are distinguished by the requirement to custom-develop applications for the workspace and are also known as bolt-on Software Development Kit (SDK) containers. This container approach requires utilization of these APIs in the applications to protect against data leak issues.

This somewhat dated brand of containerization suffers from across-the-board shortcomings connected with the requirement to custom build applications for secure environments. Ironically, from a security perspective, bolt-on SDKs can actually create new exposures to attacks. Moreover, application-specific containers impose a non-native user experience that leads to employee dissatisfaction.

Application Neutral

Application-neutral containers utilize application wrapping, a process that involves securing an application by encasing it with security capabilities that reside outside the platform’s native application code. Application-neutral containers do not require recoding of the application and the application wrapping process can be accomplished in a short period of time.

With the introduction of application-neutral containers, IT departments gained access to data leakage prevention solutions capable of bringing harmony to the enterprise’s simultaneous need for security, usability and productivity. Application development is also streamlined, as enterprise developers can leverage native SDKs. In terms of usability, an application-neutral approach provides a native-like look and feel to applications, as well as a consistent user experience across work and personal spaces.

Integrated Containers

Resting at the top of the mobile device containerization food chain is the integrated container, which is characterized by deep integration into the mobile device OS. This approach provides excellent security, significantly reducing vulnerabilities associated with containerization types that are not embedded into the OS. An integrated container also simultaneously offers greater security flexibility and user transparency. The holistic design strategy associated with integrated containers optimizes security and productivity by utilizing bundled business productivity tools and apps, which increase work flow efficiencies. In addition, integrated containers excel in the areas of security and usability due to the container supplier’s intimate knowledge of the underlying OS, which can be leveraged throughout the design process.

About Joe McGarvey

An Enterprise Mobility Strategist at BlackBerry, McGarvey has covered the enterprise and telecommunications industries for more than 20 years as both a journalist and analyst. He is best-known as a long-time principal analyst at leading market research firm Current Analysis. McGarvey has also been an analyst for Heavy Reading and an editor at several leading technology magazines.

Join the conversation

Show comments Hide comments
+ -
blog comments powered by Disqus