The new app-management protocols also let IT specify apps to be installed automatically on iOS devices and Macs, based on the new ability to buy and distribute app licenses rather than individual (per-user) redemption codes. MDM servers can manage which apps are available to whom and which are auto-installed (the others show up in the Purchased pane in the App Store app on the user's device, available for download if desired).
Licenses to such managed apps can be revoked, so apps no longer automatically become owned by the user, as they do with redemption codes. (However, content licenses -- such as for books -- stay with the user and cannot be revoked.) Revoked iOS apps continue to work for a 30-day grace period, and a prompt to buy a noncorporate copy appears. (You'll need to manage access to information separately, such as by disabling VPN or email access using those services' own policies.) Revoked OS X apps stop working immediately, quitting on launch. For this to work, managed apps need to check their receipt status.
These licenses and their installation management are available for apps in the Apple corporate app store, aka the App Store Volume Purchase Program, and do not apply to apps in the public App Store -- Apple considers those to be personal apps that companies have no rights over. It's a clear separation: Even though there's one user interface, iOS and OS X track which apps and content come from the corporate app store, Exchange or other server, and any management servers, then provide IT control over those. Whatever the user buys from the public App Store or accesses from his or her own email and other accounts belongs to that user -- including the Apple ID.
That principle has been in iOS since version 4.2, but the new APIs and protocols extend it more deeply into the application and content domains. As a result, most organizations' data protection and app isolation needs should be supported without relying on specific vendors' management tools and APIs. IT can use a broader variety of corporate apps without being locked in to specific management vendors -- and thus should be able to get control over more apps than is possible today. Users avoid the hassle of switching between personas, a clunkier approach adopted by BlackBerry 10's Balance feature, Samsung's Knox protocol, General Dynamics' Android version, and Android tools such as Enterproid's two-year-old Divide. After all, who needs clunky?