Most of the prominent MDM tools also support the creation of an enterprise app store -- a feature that IT executives say their users find helpful. Hillarys has one in-house-developed app its sales representatives can download, but its store also includes other recommended Android apps for download, including Flashlight and Tape Measure. "Rather than forcing them to go to Google Play it's easier to just point them to a corporate area with all of the apps we recommend," Bond says.
At Skanska, Roman uses AirWatch to both push out homegrown enterprise apps and to provide access to others on demand through an app store, which has both a corporate and public apps page. Users belong to groups based on location, and each group has different policy controls that lock out or enable certain features based on the needs and regulatory restrictions in each region.
"In some places we're not allowed to have a camera active on the device. In others, management doesn't want anything but business resources on the phones so we whitelist or blacklist apps." The app store, he says, provides quick access to apps that the user knows are approved.
Limitations and disclaimers
Users can sometimes get around policy controls. For example, jailbreak detection can be defeated by jailbreak spoofing apps users can download that make it look like the device hasn't been jailbroken, says Guinn. "If technology doesn't enable them to get access to the data, there's probably two or three ways they can work around that," he says.
"Apple will not allow MDM software to password-protect a root-level MDM profile on the user's device, so any user with a little knowledge can unenroll themselves without putting in a password," says Roman. "And with Android it drives me crazy that I cannot deliver my Microsoft Exchange ActiveSync settings down to the phones without using a third-party application."
When a user is unenrolled, MDM can remove the certificate on iOS devices. "But with Android we have to do a complete device wipe or send someone from IT to unenroll them and remove the certificate manually," he says.
Mobile OS update requests get pushed to users before Bond's team has a chance to test them, and while he warns users not to jump the gun, he says they're so accustomed to various updates that they tend to accept them without thinking. "The user doesn't know whether it's a big or a little update. And you can't expect people who aren't employees to exercise the same level of care," he says.