Enterprise Mobile Security by MDM, Containerization or Both?

The realities of BYOD (Bring Your Own Device) create significant challenges for securing the corporate data that resides on users' mobile devices. When corporate and personal apps co-exist on a single device, corporate data can mix with personal apps in unapproved ways, which in turn creates challenges for data security and confidentiality. While Mobile Device Management (MDM) is a critical component of a mobile security strategy, on its own it is not sufficient for securing app data. Analysts agree that to secure corporate app data on users' mobile devices, you need to employ a Mobile Application Management (MAM) strategy, popularly known as containerization.

According to recent market trends, application-level management through containerization is gaining popularity, but MDM (mobile device management) is still the preferred method for BYOD security. Let's look at the pros and cons of MDM and containerization.


MDM enables mobile security at the most foundational level: securing the device itself. With MDM, IT can configure advanced device management and monitoring settings through profiles, which can be applied based on operating system or device ownership type, giving enterprises more control over corporate-deployed devices. MDM enables IT to:

  • Prohibit unauthorized actions on the mobile device and restrict any downloads or installations

  • Enforce data encryption

  • Remotely lock the device

  • Track the device’s location

  • Perform an enterprise or device-level wipe, etc.

MDM provides some unique benefits over other management models:

  • Enables employees to automatically connect to corporate Wi-Fi and enterprise VPN networks without user interaction.

  • Allows administrators to configure Wi-Fi and VPN profiles to download to user devices automatically or on demand; profiles can be assigned based on user group, location or time.

  • Provides the ability to provision a VPN profile that automatically configures access to corporate networks and file systems.


Containerization offers organizations the ability to securely deploy and manage corporate content in an encrypted space on the device. All corporate resources, such as proprietary applications, corporate email, calendar and contacts, reside within this managed space. The password-protected container gives users access to all these corporate applications through single sign-on (SSO) and provides a convenient way to access the managed space. With the containerization approach, we not only secure corporate data on a device but also control which apps can access that data and how it is shared. The types of containerization and their benefits are listed below.

The three categories of containerization are:

  • Physical Containers: Physical containers work at the chipset or kernel level of a mobile device to separate corporate apps and their data from a user's personal apps. They create hardware-level segmentation between a mobile user's corporate environment and personal environment. A separate OS stack for running corporate apps resides at the kernel level. This OS stack is completely distinct from the mobile device's normal OS stack, where the user's regular apps reside.

  • Virtual Containers: Virtual containers segment corporate apps within an encrypted workspace inside the operating system. This can be compared to a single sandbox or Java Virtual Machine (JVM) with multiple apps running inside it. The same operating system and kernel control the operations and interactions of all the apps on the mobile device, regardless of whether those apps reside inside or outside the virtual container.

  • Per-App Containers: Per-app container offerings create a self-contained sandbox to secure each individual app and its data. This application-level segmentation provides security benefits similar to those of both virtual and physical containers. It gives administrators greater flexibility in securing apps while giving users a more seamless experience. Under the per-app container model, policies still govern interaction between contained apps and non-contained apps; administrators can choose to configure general policies that apply to all apps, specific policies for individual apps, or a combination of both.
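The per-app model's combination of general and app-specific policies can be sketched as follows. This is an added example, not code from the article or from any MDM/MAM product; the app ids, action names and policy keys are hypothetical, and it assumes policy only governs data leaving contained apps.

```python
# Added example: hypothetical policy model, not a vendor schema.
# App ids, action names and policy values below are constructed for illustration.

# General policy: applies to every contained app. Deny by default.
GENERAL = {"copy_paste": False, "open_in": False}

# Specific policies: per-app overrides layered on top of GENERAL.
PER_APP = {"corp.travel": {"copy_paste": True}}

# Apps wrapped in a per-app container; everything else is a personal app.
CONTAINED = {"corp.mail", "corp.docs", "corp.travel"}


def effective_policy(app_id):
    """Merge the general policy with the app's overrides (override wins)."""
    overrides = PER_APP.get(app_id, {})
    unknown = set(overrides) - set(GENERAL)
    if unknown:
        # A misspelled key would otherwise be ignored silently.
        raise ValueError(f"unknown policy keys for {app_id}: {sorted(unknown)}")
    return {**GENERAL, **overrides}


def allow_transfer(src, dst, action):
    """Decide whether data may move from app src to app dst via action."""
    if src not in CONTAINED:
        return True  # assumption: policy only governs data leaving contained apps
    if dst in CONTAINED:
        return True  # assumption: contained apps may share with each other
    # Contained -> non-contained: unknown actions fail closed.
    return effective_policy(src).get(action, False)


def exposure_report():
    """List contained apps whose effective policy lets data leave, and how."""
    report = {}
    for app in sorted(CONTAINED):
        allowed = sorted(a for a, ok in effective_policy(app).items() if ok)
        if allowed:
            report[app] = allowed
    return report


if __name__ == "__main__":
    print(allow_transfer("corp.mail", "personal.notes", "copy_paste"))
    print(exposure_report())
```

The exposure report is the part worth reviewing regularly: it lists every per-app exception that relaxes the general policy.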

Layered Approach with both MDM and Containerization:

Instead of narrowing the choice down to either MDM or containerization, enterprises should define device use cases and security requirements within the organization to decide which solutions best suit their needs.

Organizations with all kinds of deployments (corporate-owned devices, BYOD or a combination of both) are finding that MDM and containerization together provide more flexibility, user productivity and enhanced security.

  • Administrators in large organizations with both corporate-owned and BYOD deployments may want to consider MDM for corporate-owned devices and containerization for BYOD devices.

  • Organizations with highly sensitive proprietary content or in strictly regulated industries may prefer the added security of deploying MDM and containerization on the same device. A corporate container deployed on a managed device provides an extra barrier to accessing corporate content.


MDM and containerization are often assumed to be different security solutions, but the best security features can be achieved by using the two together. Hence most organizations should prefer a layered security approach.
