Nearly four years ago, in February 2009, Microsoft released its last mobile operating system -- Windows Mobile 6.5 -- that could support corporate security and management needs. Nearly three years ago, in February 2010, Microsoft unveiled its replacement, Windows Phone 7, which had none of the security and management capabilities of Windows Mobile; that October, the first Windows Phone 7 devices shipped amid market indifference. Five months later, in July 2010, Apple released iOS 4, which brought those capabilities to the iPhone and put the iPhone on the path to being the new corporate standard smartphone. The world turned upside down.
This week, Microsoft formally unveiled Windows Phone 8 -- and Nokia and HTC showed off smartphones based on it expected to ship in November -- and finally brought back security and management capabilities to its smartphone platform. Windows Phone is a pretty OS, with compelling UI innovations, but its inability to work in most business environments has helped keep its adoption at trivial levels.
Does Windows Phone 8 now have what it takes to compete with iOS in the corporate management and security department? The short answer is yes, at a basic level. Ojas Rege, vice president of strategy at mobile device management (MDM) vendor MobileIron (whose MDM also supports Windows Phone 8), says that Windows Phone 8 is fully capable of supporting information workers in open corporations, those not needing to meet high-level regulatory or security requirements. It can't work in those higher-need environments yet, he notes, for two reasons: it supports fewer policies than Apple's iOS, and MDM vendors can't yet build clients for it that add controls beyond what the OS itself supports, as they can for iOS and, in some cases, Android.
When you compare Windows Phone 8's EAS policy support to that of Windows Phone 7.5, there's not much difference. "Microsoft has not really added much on the management end," notes Halebeed. A critical addition is support for encryption on the device (it's on by default for internal storage, but not for SD cards) and the related support for EAS's encryption policies. The lack of support for encryption had been one of the biggest barriers to Windows Phone's business acceptance. Microsoft also supports the new information rights management (IRM) EAS policy, which lets companies enable rights management for data on devices; Microsoft of course has an IRM server product that this is intended to work with.
Android's EAS support has increased in each version, with Android 4 supporting more EAS policies than previous versions. However, various Android devices may support more policies than what Table 1 shows, because smartphone makers like HTC, Motorola Mobility, and Samsung support additional EAS policies on at least some of their devices.
Table 1: EAS policy support compared

| Policy | iOS 6 | Android 4 | Android 3 | Android 2 | Windows Phone 8 | Windows Phone 7.5 | Windows Mobile 6 |
|---|---|---|---|---|---|---|---|
| Allow device encryption | Yes | Yes | Yes | No | Yes | No | Yes |
| Require device encryption | Yes | No | Yes | Yes | Yes | No | Yes |
| Encrypt storage card | NA | Yes | No | No | Yes | No | Yes |
| Minimum password length | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Minimum number of complex characters (password) | | | | | | | |
| Device wipe threshold | Yes | Yes | Yes | No | Yes | | |
| Disable removable storage | No | No | No | No | No | No | Yes |
| Disable SMS text messaging | No | No | No | No | No | No | Yes |
| Require manual sync while roaming | Yes | Yes | No | No | No | No | Yes |
| Allow Internet sharing from device | No | No | No | No | No | No | Yes |
| Allow desktop sharing from device | No | No | No | No | No | No | Yes |
| Disable email attachment access | | | | | | | |
| Disable POP3/IMAP4 email | No | No | No | No | No | No | Yes |
| Allow consumer email | No | No | No | No | No | No | Yes |
| Configure message formats (HTML or plain text) | No | No | No | No | No | No | Yes |
| Include past email items (days) | Yes | No | No | Yes | Yes | Yes | Yes |
| Email body truncation size (KB) | No | No | No | No | No | No | Yes |
| HTML email body truncation size (KB) | No | No | No | No | No | No | Yes |
| Include past calendar items (days) | No | No | No | Yes | No | No | Yes |
| Require signed S/MIME messages | No | No | No | No | No | No | Yes |
| Require encrypted S/MIME messages | No | No | No | No | No | No | Yes |
| Require signed S/MIME algorithm | No | No | No | No | No | No | Yes |
| Require encrypted S/MIME algorithm | No | No | No | No | No | No | Yes |
| Allow S/MIME encrypted algorithm negotiation | No | No | No | No | No | No | Yes |
| Allow S/MIME soft certs | No | No | No | No | No | No | Yes |
EAS policies are just the first tier of enterprise mobile management. Because EAS is built into Exchange and supported by System Center 2012, most companies can use EAS to manage mobile users without buying additional tools. It's the broadest layer of mobile management available.
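The practical consequence of Table 1 is decided during the EAS Provision exchange: the server sends its policy as an EASProvisionDoc, the device applies the elements it honours and reports whether application was full (status 1) or partial (status 2), and the server decides whether that device may sync. The following Python model of that exchange is an added example, not code from the article or from Microsoft. The element names follow the MS-ASPROV Provision namespace; the device profiles are constructed from Table 1 for illustration only (real clients honour more elements than the table lists); the rule that a partially applied policy blocks sync unless non-provisionable devices are allowed is an assumption modelling Exchange's AllowNonProvisionableDevices setting; and the WBXML encoding and HTTPS transport of real EAS are omitted.

```python
"""Added example: a minimal model of the EAS Provision exchange (MS-ASPROV).
Not the article's or Microsoft's code; profiles and policies are constructed."""
import xml.etree.ElementTree as ET

PROVISION_NS = "Provision"                 # MS-ASPROV XML namespace
POLICY_TYPE = "MS-EAS-Provisioning-WBXML"  # the policy type EAS 12+ uses

# CONSTRUCTED device profiles: which EASProvisionDoc elements each client
# honours, taken from Table 1 of the article. Illustrative only.
DEVICE_PROFILES = {
    "Windows Phone 8": {
        "DevicePasswordEnabled", "MinDevicePasswordLength",
        "MaxDevicePasswordFailedAttempts", "RequireDeviceEncryption",
        "RequireStorageCardEncryption", "MaxEmailAgeFilter",
    },
    "Windows Phone 7.5": {
        "DevicePasswordEnabled", "MinDevicePasswordLength", "MaxEmailAgeFilter",
    },
    "iOS 6": {
        "DevicePasswordEnabled", "MinDevicePasswordLength",
        "MaxDevicePasswordFailedAttempts", "RequireDeviceEncryption",
        "RequireManualSyncWhenRoaming", "MaxEmailAgeFilter",
    },
}

# CONSTRUCTED policies mirroring the two environments the article contrasts.
OPEN_CORP_POLICY = {
    "DevicePasswordEnabled": True,
    "MinDevicePasswordLength": 6,
    "MaxDevicePasswordFailedAttempts": 10,
    "RequireDeviceEncryption": True,
}
REGULATED_POLICY = dict(OPEN_CORP_POLICY,
                        RequireSignedSMIMEMessages=True,
                        RequireEncryptedSMIMEMessages=True)


def build_provision_response(policy, policy_key):
    """Server side: wrap a policy dict as a Provision response document."""
    root = ET.Element("Provision", xmlns=PROVISION_NS)
    ET.SubElement(root, "Status").text = "1"
    pol = ET.SubElement(ET.SubElement(root, "Policies"), "Policy")
    ET.SubElement(pol, "PolicyType").text = POLICY_TYPE
    ET.SubElement(pol, "Status").text = "1"
    ET.SubElement(pol, "PolicyKey").text = policy_key
    doc = ET.SubElement(ET.SubElement(pol, "Data"), "EASProvisionDoc")
    for name, value in policy.items():
        # MS-ASPROV encodes booleans as 1/0 and numeric limits as integers.
        text = str(int(value)) if isinstance(value, bool) else str(value)
        ET.SubElement(doc, name).text = text
    return ET.tostring(root, encoding="unicode")


def device_apply(profile, response_xml):
    """Client side: apply every element the device honours and report
    status 1 (applied in full) or 2 (applied partially) plus the leftovers."""
    root = ET.fromstring(response_xml)
    doc = root.find(".//{%s}EASProvisionDoc" % PROVISION_NS)
    requested = {child.tag.split("}")[-1] for child in doc}
    unsupported = sorted(requested - profile)
    return (1 if not unsupported else 2), unsupported


def build_acknowledgement(policy_key, ack_status):
    """Client side: the Provision acknowledgement carrying the device's status."""
    root = ET.Element("Provision", xmlns=PROVISION_NS)
    pol = ET.SubElement(ET.SubElement(root, "Policies"), "Policy")
    ET.SubElement(pol, "PolicyType").text = POLICY_TYPE
    ET.SubElement(pol, "PolicyKey").text = policy_key
    ET.SubElement(pol, "Status").text = str(ack_status)
    return ET.tostring(root, encoding="unicode")


def server_decide(ack_xml, allow_non_provisionable):
    """Server side (assumption): sync is granted only on full application,
    unless the policy allows devices that cannot apply it."""
    root = ET.fromstring(ack_xml)
    status = int(root.find(".//{%s}Status" % PROVISION_NS).text)
    return status == 1 or allow_non_provisionable


def provision(device, policy, allow_non_provisionable=False,
              policy_key="1234567890"):
    """Run the whole exchange for one device: (allowed, unsupported elements)."""
    response = build_provision_response(policy, policy_key)
    status, unsupported = device_apply(DEVICE_PROFILES[device], response)
    ack = build_acknowledgement(policy_key, status)
    return server_decide(ack, allow_non_provisionable), unsupported


if __name__ == "__main__":
    for device in DEVICE_PROFILES:
        for label, policy in (("open", OPEN_CORP_POLICY),
                              ("regulated", REGULATED_POLICY)):
            allowed, missing = provision(device, policy)
            print(f"{device:18} {label:9} allowed={allowed} missing={missing}")
```

Run as a script it prints one line per device and policy; the interesting rows are the ones where a platform that passes the open-corporation policy is refused under the regulated one because it silently drops the S/MIME elements, which is exactly the gap Table 1 makes visible.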
But the various mobile OSes offer additional capabilities beyond what EAS provides that third-party MDM servers can tap into. Apple, for example, has several dozen such APIs that use remotely installed configuration profiles not only to configure various iOS settings (such as preconfiguring VPN or allowed access points) but also to manage app behavior (such as disallowing the forwarding of corporate messages via personal accounts in Mail). iOS 6 adds several new policies, including the ability to prevent app removal, lock a user to a specific app (such as for kiosk or retail usage), and prevent paid apps from being purchased -- all are part of what iOS calls a supervised environment, in which the iPhone or iPad is treated as an appliance.
Along the same lines, in Windows Phone 8, Microsoft supports the ability to revoke applications, restrict email forwarding, remotely enroll or unenroll devices, and remotely update business-provisioned apps. One capability in Windows Phone 8 not available to other mobile OSes is its integration with Active Directory, notes Ahmed Datoo, vice president of marketing at MDM vendor Zenprise. What that means is that MDM tools such as Zenprise's can access the Active Directory groups, then assign policies to those groups rather than maintain a separate set of groups in the MDM tool from the set in Active Directory. That's a time-saver for IT, he notes; it reduces the risk of employees not being in the correct groups for the policies that should apply or falling through the cracks when terminated in, say, Active Directory but not in the MDM tool's user database.
Microsoft and Google provide far fewer such capabilities in their APIs, though Samsung and Motorola Mobility have added their own security APIs to their Android 4 devices. Microsoft uses a central manager in Windows Phone 8 called DM Client that contains all the relevant user and corporate profiles (like the Windows Registry, in effect), rather than rely on a set of separate installed configuration profiles (like the OS X System Folder, in effect). Table 2 shows a selection of commonly desired capabilities.
MobileIron's Rege describes three bands of management requirements that IT should be thinking about.
The first set of requirements is around configuration and protection of lost or compromised devices. That typically requires password enforcement, encryption enforcement, remote lock and wipe, remote email configuration, certificates for identity, remote connectivity configuration (such as for Wi-Fi and VPNs, though he says this configuration capability is not essential if usage is just for email and over cellular networks), and detection of compromised OSes (such as jailbroken, rooted, or malware-infected ones).
"Windows Phone 8 in the first Windows Phone release is targeted at No. 1 to get into the enterprise. That means companies can add it to the approved device list for general usage," he says. But Rege notes remote connectivity and compromise detection are still to be determined in Windows Phone 8 -- they're not there out of the gate.
The second set of requirements is around data loss prevention (DLP), which covers privacy controls (such as for user location), cloud-usage controls (such as for iCloud, SkyDrive, and Google Docs), and email DLP controls (such as the ability to restrict email forwarding and to protect attachments). "More regulated environments may require No. 2, and these policies are still TBD for Windows Phone," Rege notes. By contrast, iOS and Android have supported most of these needs since iOS 4 and Android 3, though a few such as managing email forwards are handled outside the OS by MDM clients such as MobileIron's.
The third set of requirements is around apps, such as their provisioning and data security. Although both Apple and Microsoft have mechanisms to do at least basic app management -- iOS can essentially hide an app so that it's no longer available to a user, and Windows Phone 8 can update corporate apps remotely -- mobile application management (MAM) capabilities are mostly up to the mobile management vendors to deploy, Rege says.