How Windows Phone 8 security compares to iOS and Android


Microsoft finally delivers a smartphone platform that businesses can accept, but overall, it still falls short of the iPhone

Nearly four years ago, in February 2009, Microsoft released its last mobile operating system -- Windows Mobile 6.5 -- that could support corporate security and management needs. Nearly three years ago, in February 2010, Microsoft unveiled its replacement, Windows Phone 7, which had none of the security and management capabilities of Windows Mobile; that October, the first Windows Phone 7 devices shipped amid market indifference. Five months later, in July 2010, Apple released iOS 4, which brought those capabilities to the iPhone and put the iPhone on the path to being the new corporate standard smartphone. The world turned upside down.

This week, Microsoft formally unveiled Windows Phone 8 -- and Nokia and HTC showed off smartphones based on it expected to ship in November -- and finally brought back security and management capabilities to its smartphone platform. Windows Phone is a pretty OS, with compelling UI innovations, but its inability to work in most business environments has helped keep its adoption at trivial levels.


Does Windows Phone 8 now have what it takes to compete with iOS in the corporate management and security department? The short answer is yes, at a basic level. Ojas Rege, vice president of strategy at mobile device management (MDM) vendor MobileIron (whose MDM also supports Windows Phone 8), says that Windows Phone 8 is fully capable of supporting information workers in open corporations, those not needing to meet high-level regulatory or security requirements. It can't work in those higher-need environments yet, he notes, both because it supports fewer policies than Apple's iOS and because MDM vendors can't yet implement clients that provide the same level of extra controls they can for iOS (and in some cases Android) to go beyond what the OS itself supports.

When you compare Windows Phone 8's EAS policy support to that of Windows Phone 7.5, there's not much difference. "Microsoft has not really added much on the management end," notes Halebeed. A critical addition is support for encryption on the device (it's on by default for internal storage, but not for SD cards) and the related support for EAS's encryption policies. The lack of support for encryption had been one of the biggest barriers to Windows Phone's business acceptance. Microsoft also supports the new information rights management (IRM) EAS policy, which lets companies enable rights management for data on devices; Microsoft of course has an IRM server product that this is intended to work with.

Android's EAS support has increased in each version, with Android 4 supporting more EAS policies than previous versions. However, various Android devices may support more policies than what Table 1 shows, because smartphone makers like HTC, Motorola Mobility, and Samsung support additional EAS policies on at least some of their devices.

Table 1: EAS policy support compared (Apple: iOS 6; Google: Android 4, Android 3, Android 2; Microsoft: Windows Phone 8, Windows Phone 7.5, Windows Mobile 6)

| EAS policy | iOS 6 | Android 4 | Android 3 | Android 2 | Windows Phone 8 | Windows Phone 7.5 | Windows Mobile 6 |
|---|---|---|---|---|---|---|---|
| Allow device encryption | Yes | Yes | Yes | No | Yes | No | Yes |
| Require device encryption | Yes | No | Yes | Yes | Yes | No | Yes |
| Encrypt storage card | NA | Yes | No | No | Yes | No | Yes |
| Minimum password length | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Minimum number of complex characters (password) | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Password history | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Device wipe threshold | Yes | Yes | | | Yes | No | Yes |
| Disable removable storage | No | No | No | No | No | No | Yes |
| Disable camera | Yes | Yes | No | No | No | No | Yes |
| Disable SMS text messaging | No | No | No | No | No | No | Yes |
| Disable Wi-Fi | No | No | No | No | No | No | Yes |
| Disable Bluetooth | No | No | No | No | No | No | Yes |
| Disable IrDA | NA | No | No | No | No | No | Yes |
| Require manual sync while roaming | Yes | Yes | No | No | No | No | Yes |
| Allow Internet sharing from device | No | No | No | No | No | No | Yes |
| Allow desktop sharing from device | No | No | No | No | No | No | Yes |
| Disable email attachment access | Yes | Yes | No | No | Yes | No | Yes |
| Disable POP3/IMAP4 email | No | No | No | No | No | No | Yes |
| Allow consumer email | No | No | No | No | No | No | Yes |
| Allow browser | Yes | No | No | No | No | No | Yes |
| Configure message formats (HTML or plain text) | No | No | No | No | No | No | Yes |
| Include past email items (days) | Yes | No | No | Yes | Yes | Yes | Yes |
| Email body truncation size (KB) | No | No | No | No | No | No | Yes |
| HTML email body truncation size (KB) | No | No | No | No | No | No | Yes |
| Include past calendar items (days) | No | No | No | Yes | No | No | Yes |
| Require signed S/MIME messages | No | No | No | No | No | No | Yes |
| Require encrypted S/MIME messages | No | No | No | No | No | No | Yes |
| Require signed S/MIME algorithm | No | No | No | No | No | No | Yes |
| Require encrypted S/MIME algorithm | No | No | No | No | No | No | Yes |
| Allow S/MIME encrypted algorithm negotiation | No | No | No | No | No | No | Yes |
| Allow S/MIME soft certs | No | No | No | No | No | No | Yes |

EAS policies are just the first tier of enterprise mobile management. Because EAS is built into Exchange and supported by System Center 2012, most companies can use EAS to manage mobile users without buying additional tools. It's the broadest layer of mobile management available.
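The following is an added example, not from the article or from Microsoft: it shows how the Table 1 rows translate into Exchange ActiveSync mailbox policies in the Exchange 2010 Management Shell. The policy names and the numeric thresholds are placeholders chosen for the example. The first policy uses only rows that iOS 6, Android 3/4, Windows Phone 8 and Windows Mobile 6 all honour; the second adds rows that Table 1 shows only Windows Mobile 6 enforces, which is the gap that pushes regulated environments toward an MDM client.

```powershell
# Added example (not from the article). Run in the Exchange 2010 Management
# Shell; policy names and thresholds are placeholders for illustration.

# Baseline policy built from the Table 1 rows that every current platform
# supports (password length, complexity, history, wipe threshold) plus
# device encryption, which iOS 6, Android 3/4, Windows Phone 8 and Windows
# Mobile 6 can all enforce. AllowNonProvisionableDevices $false refuses
# sync to a device that reports it cannot apply the full policy.
New-ActiveSyncMailboxPolicy -Name "Corp-Baseline" `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 2 `
    -DevicePasswordHistory 5 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -RequireDeviceEncryption $true `
    -AllowNonProvisionableDevices $false

# Storage cards are the weak spot the article calls out: Windows Phone 8
# encrypts internal storage by default but not SD cards, and Table 1 shows
# only Android 4, Windows Phone 8 and Windows Mobile 6 honour this row.
# Adding it is the first step from an "open corporation" policy toward a
# regulated one.
Set-ActiveSyncMailboxPolicy -Identity "Corp-Baseline" `
    -RequireStorageCardEncryption $true

# Restricted policy: adds the radio, app and S/MIME rows that Table 1 shows
# only Windows Mobile 6 enforces. Other platforms accept the policy but do
# not apply these rows, so check each device's policy application status
# (Get-ActiveSyncDeviceStatistics) rather than assuming enforcement.
New-ActiveSyncMailboxPolicy -Name "Corp-Restricted" `
    -DevicePasswordEnabled $true `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowNonProvisionableDevices $false `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowWiFi $false `
    -AllowBluetooth Disable `
    -AllowInternetSharing $false `
    -AllowDesktopSync $false `
    -AttachmentsEnabled $false `
    -AllowBrowser $false `
    -AllowConsumerEmail $false `
    -AllowPOPIMAPEmail $false `
    -RequireSignedSMIMEMessages $true `
    -RequireEncryptedSMIMEMessages $true

# Read back what was stored so the policy can be reviewed before assignment.
Get-ActiveSyncMailboxPolicy -Identity "Corp-Baseline" |
    Format-List Name, DevicePasswordEnabled, MinDevicePasswordLength, `
        MaxDevicePasswordFailedAttempts, RequireDeviceEncryption, `
        RequireStorageCardEncryption, AllowNonProvisionableDevices
```

The design point is to keep the baseline policy to rows every target platform can enforce; a row that only one platform honours gives no protection on the others, and the per-device application status is the only reliable way to see which rows actually took effect.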

But the various mobile OSes offer additional capabilities beyond what EAS provides that third-party MDM servers can tap into. Apple, for example, has several dozen such APIs that use remotely installed configuration profiles not only to configure various iOS settings (such as preconfiguring VPN or allowed access points) but also to manage app behavior (such as disallowing the forwarding of corporate messages via personal accounts in Mail). iOS 6 adds several new policies, including the ability to prevent app removal, lock a user to a specific app (such as for kiosk or retail usage), and prevent paid apps from being purchased -- all are part of what iOS calls a supervised environment, in which the iPhone or iPad is treated as an appliance.

Along the same lines, in Windows Phone 8, Microsoft supports the ability to revoke applications, restrict email forwarding, remotely enroll or unenroll devices, and remotely update business-provisioned apps. One capability in Windows Phone 8 not available to other mobile OSes is its integration with Active Directory, notes Ahmed Datoo, vice president of marketing at MDM vendor Zenprise. What that means is that MDM tools such as Zenprise's can access the Active Directory groups, then assign policies to those groups rather than maintain a separate set of groups in the MDM tool from the set in Active Directory. That's a time-saver for IT, he notes; it reduces the risk of employees not being in the correct groups for the policies that should apply or falling through the cracks when terminated in, say, Active Directory but not in the MDM tool's user database.

Microsoft and Google provide far fewer such capabilities in their APIs, though Samsung and Motorola Mobility have added their own security APIs to their Android 4 devices. Microsoft uses a central manager in Windows Phone 8 called DM Client that contains all the relevant user and corporate profiles (like the Windows Registry, in effect), rather than rely on a set of separate installed configuration profiles (like the OS X System Folder, in effect). Table 2 shows a selection of commonly desired capabilities.

MobileIron's Rege describes three bands of management requirements that IT should be thinking about.

The first set of requirements is around configuration and protection of lost or compromised devices. That typically requires password enforcement, encryption enforcement, remote lock and wipe, remote email configuration, certificates for identity, remote connectivity configuration (such as for Wi-Fi and VPNs, though he says this configuration capability is not essential if usage is just for email and over cellular networks), and detection of compromised OSes (such as jailbroken, rooted, or malware-infected ones).

"Windows Phone 8 in the first Windows Phone release is targeted at No. 1 to get into the enterprise. That means companies can add it to the approved device list for general usage," he says. But Rege notes remote connectivity and compromise detection are still to be determined in Windows Phone 8 -- they're not there out of the gate.
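The following is an added example, not from the article, MobileIron or Zenprise, covering two points made above: assigning policy by Active Directory group (so that group membership, including removal at termination, drives which policy a user gets) and adding Windows Phone 8 to the approved device list while verifying per device which policy rows were actually applied. It assumes Exchange 2010 SP1 and a policy named "Corp-Baseline" that already exists; the group, mailbox and recipient names are placeholders, and the DeviceType string used for Windows Phone 8 is an assumption that should be confirmed from a real enrolled device.

```powershell
# Added example (not from the article). Assumes Exchange 2010 SP1 and an
# existing "Corp-Baseline" policy; names below are placeholders.

# 1. Assign the policy to every mailbox in an AD distribution group rather
#    than to individually named users, so the group, not a separate list
#    in the management tool, decides who gets which policy.
Get-DistributionGroupMember -Identity "Mobile-Information-Workers" |
    ForEach-Object {
        Set-CASMailbox -Identity $_.PrimarySmtpAddress.ToString() `
            -ActiveSyncMailboxPolicy "Corp-Baseline"
    }

# 2. Approved device list via device access rules. Platforms no rule
#    matches fall back to the organization default; Quarantine holds them
#    for review and mails the admins instead of letting them sync.
Set-ActiveSyncOrganizationSettings -DefaultAccessLevel Quarantine `
    -AdminMailRecipients "mobile-admins@example.com"

# The DeviceType value a Windows Phone 8 handset reports is an assumption
# here: read it from Get-ActiveSyncDevice on an enrolled device first.
New-ActiveSyncDeviceAccessRule -QueryString "WP8" `
    -Characteristic DeviceType -AccessLevel Allow

# 3. Verify per device. A policy row the platform cannot enforce shows up
#    as PartiallyApplied rather than AppliedInFull, which is the check to
#    run before treating a Table 1 "No" as covered.
Get-ActiveSyncDeviceStatistics -Mailbox "alice@example.com" |
    Format-Table DeviceType, DeviceOS, DeviceAccessState, `
        DevicePolicyApplied, DevicePolicyApplicationStatus -AutoSize

# Organization-wide view of anything still waiting in quarantine.
Get-ActiveSyncDevice -Filter { DeviceAccessState -eq "Quarantined" } |
    Format-Table UserDisplayName, DeviceType, DeviceOS, DeviceModel -AutoSize
```

Re-running the first step on a schedule keeps the policy assignment in step with group membership, which is the time-saving and "no one falls through the cracks" benefit the article attributes to Active Directory integration.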

The second set of requirements is around data loss prevention (DLP), which covers privacy controls (such as for user location), cloud-usage controls (such as for iCloud, SkyDrive, and Google Docs), and email DLP controls (such as the ability to restrict email forwarding and to protect attachments). "More regulated environments may require No. 2, and these policies are still TBD for Windows Phone," Rege notes. By contrast, iOS and Android have supported most of these needs since iOS 4 and Android 3, though a few such as managing email forwards are handled outside the OS by MDM clients such as MobileIron's. 

The third set of requirements is around apps, such as their provisioning and data security. Although both Apple and Microsoft have mechanisms to do at least basic app management -- iOS can essentially hide an app so that it's no longer available to a user, and Windows Phone 8 can update corporate apps remotely -- mobile application management (MAM) capabilities are mostly up to the mobile management vendors to deploy, Rege says.
