MobiVisor blog series: Container app or MDM for data separation?

The use of mobile devices in companies brings special requirements, for example with regard to data protection. Given the different usage models for mobile devices, such as BYOD or CO-WP, it is particularly important to know these requirements and to implement them securely. One of these requirements is clean data separation on mobile devices. In the following article we show what options there are and how they can be implemented.

 

Container app: Easy to implement and use

A container app bundles all functions that are used for mobile working in the company, for example file sharing, address books, calendars and email. The app is authorized to access the company network and is usually connected to the company server. Additional authorization steps can also be set up, e.g. identification using a fingerprint, as is known from banking apps.

The advantage is that it is relatively easy to implement, as the company can simply have the container app installed on existing devices. This is particularly practical if private mobile devices may be used under the BYOD model. However, it should be borne in mind that although these apps are data protection compliant, they cannot access the operating system and therefore cannot satisfy more extensive data protection requirements.

 

Data separation via Mobile Device Management

A more extensive variant for data separation than the container app is available with Mobile Device Management. The fundamental difference is that Mobile Device Management (MDM) can access the operating system of the mobile device. Depending on company requirements, there are different ways to achieve data separation, and there are also differences between Apple and Android devices.

 

BYOD and CO-WP: Mixed use on Android devices

BYOD (Bring Your Own Device) means that the user can also use an existing, private device for work. The advantage for the company is that no new device has to be purchased and the user already knows how to operate it. To use it, the user simply downloads the MDM client app and logs in. A container with all work apps, marked by a small suitcase icon, is then automatically created on the device. The device appears in the device overview of the MDM, and from there security policies can be applied to the work profile. However, the MDM client can be removed by the user at any time.

There must be a clear policy in the company regarding BYOD, otherwise there could be legal consequences. In order to ensure acceptance among employees, pressing questions should also be answered in advance, such as: “Can the MDM spy on my private data?”. In that sense, the BYOD model is probably best compared to the container app, although it is somewhat more extensive in terms of the security policies that can be applied.

Another way to set up devices for professional and private use is the Company Owned – Work Profile (CO-WP) model. The company provides a device, which is then set up so that two profiles appear on it; Android offers the appropriate option for this during setup. The user can switch between profiles without any problems. However, an MDM can be used to decide, for example, that business data may not be transferred to the private area. In this model, the IT admin has the greatest leeway with regard to the policies of the work profile, and the MDM client cannot be uninstalled by the user.
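As an added example (not code from this post or from MobiVisor), this is how an MDM client that is profile owner of the Android work profile would enforce the rule that business data may not leave the work profile, using the platform's own DevicePolicyManager API; `admin` is the client's DeviceAdminReceiver component and is an assumption of the example.

```kotlin
// Added example: restrictions a profile-owner (MDM client) app applies to the
// Android work profile so that business data stays inside it. Runs inside the
// DPC app; `admin` is the DPC's DeviceAdminReceiver component (assumed here).
import android.app.admin.DevicePolicyManager
import android.content.ComponentName
import android.content.Context
import android.os.UserManager

// Restrictions that stop data crossing from the work profile to the personal side.
private val workProfileRestrictions = listOf(
    UserManager.DISALLOW_CROSS_PROFILE_COPY_PASTE,    // no clipboard from work to personal
    UserManager.DISALLOW_SHARE_INTO_MANAGED_PROFILE,  // no personal "Share" into work apps
    UserManager.DISALLOW_INSTALL_UNKNOWN_SOURCES,     // no sideloading inside the work profile
    UserManager.DISALLOW_DEBUGGING_FEATURES,          // no adb access to the work profile
)

/** Applies the restrictions and returns the ones the system reports as in effect. */
fun lockDownWorkProfile(context: Context, admin: ComponentName): Set<String> {
    val dpm = context.getSystemService(Context.DEVICE_POLICY_SERVICE) as DevicePolicyManager

    // Only a profile owner may manage the work profile. In BYOD and CO-WP the MDM
    // client owns the work profile only, never the personal side of the device.
    check(dpm.isProfileOwnerApp(context.packageName)) { "not profile owner of this profile" }

    workProfileRestrictions.forEach { dpm.addUserRestriction(admin, it) }

    // Work contacts stay invisible to caller ID and contact search on the personal side.
    dpm.setCrossProfileCallerIdDisabled(admin, true)
    dpm.setCrossProfileContactsSearchDisabled(admin, true)

    // Audit step: read back what the system actually holds instead of trusting the calls.
    val applied = dpm.getUserRestrictions(admin)
    return workProfileRestrictions.filterTo(mutableSetOf()) { applied.getBoolean(it, false) }
}
```

The returned set is what an admin would log or report to the MDM console to confirm the work profile is actually locked down, rather than assuming the policy calls succeeded.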

 

Data separation on Apple devices: possible without a container app!

Data separation works a little differently on Apple devices, as there is no container or two profiles on the device. In principle, Apple only supports the mixed use of devices for private and business purposes to a limited extent, which is why there can also be disadvantages here. On Apple devices, apps are divided into “managed” and “unmanaged” apps. System apps receive two profiles within one app, but data exchange is not possible here either. The separation between managed and unmanaged apps occurs in the background. The managed apps can be managed by the MDM, as the name suggests. It can also be configured whether the user is allowed to download unmanaged apps via the app store or not. There is no visual separation of the two areas in the sense of a container on Apple devices.

The BYOD model is also possible on Apple devices. To do this, the user downloads the MDM client app and grants the MDM limited access to the device.

 

Conclusion

In order to achieve legal security for the private and business use of mobile devices and to comply with GDPR guidelines, the proper separation of data into business and private data is essential. In addition to the container app, there are a few other variants that can be implemented using an MDM.

Ultimately, companies need to know exactly whether such mixed use is even feasible and sensible, or whether devices that are completely designed for work would better suit their needs. However, if all the requirements are met, using just one device for private and professional purposes can mean enormous relief and greater convenience.

 

Do you already have devices in your company and are you still missing the right strategy to integrate them? Then contact us today!