Here are the key content and application management APIs and related capabilities that iOS 7 and OS X Mavericks bring to the table. Apple of course has documentation on much of it on its developer website (you need a developer account to view it) as well as a public overview for IT.
Managed Open In
The Open In facility is how iOS exposes content from one app to another. In iOS, there is no shared file system, which prevents malware attacks and keeps apps' content stores separate from other apps. Instead, apps specify what file formats they both support and will accept from other apps. Users see this as the Share sheet pane of compatible apps when they use the Share button or other Open In trigger. The current app then calls the selected app and offers to send it the selected file. This is how, for example, you move a file attachment from Mail into GoodReader or Dropbox, or from Dropbox to Apple Pages or Google Quickoffice.
A new API in iOS 7 and OS X Mavericks lets you specify which apps may be sent Open In calls -- essentially, whitelisting apps that can accept data from the apps you provision or manage. The management is at the account level, so all accounts (including Mail and Calendar) and apps provisioned by the corporation follow the Open In policy set for that account. It's important to understand that managed Open In is binary: All managed apps (those provisioned by the company) have the same set of Open In policies, and all unmanaged apps (those provisioned by the user from the App Store) have none of your Open In policies applied, notes Ojas Rege, vice president of strategy at MobileIron.
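The following added example, which is not part of the original article, reads a constructed configuration profile and evaluates the managed Open In decision in each direction. The payload type `com.apple.applicationaccess` and the two key names come from Apple's Restrictions payload rather than from this article; the sample profile and the function names are illustrative.

```python
import plistlib

# Constructed sample profile (not from the article). The payload type and the
# two keys are those of Apple's Restrictions payload for managed Open In.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowOpenFromManagedToUnmanaged</key><false/>
  </dict></array>
</dict></plist>"""

KEYS = ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged")

def open_in_policy(profile_bytes):
    """Return the effective managed Open In flags; an absent key means allowed."""
    profile = plistlib.loads(profile_bytes)
    policy = dict.fromkeys(KEYS, True)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            for key in KEYS:
                # If several payloads set a key, the most restrictive value wins here.
                policy[key] = policy[key] and payload.get(key, True)
    return policy

def may_open_in(policy, source_managed, dest_managed):
    """Decide one Open In hand-off. The only inputs are the two managed flags:
    the policy cannot see whether a given document is corporate or personal."""
    if source_managed and not dest_managed:
        return policy["allowOpenFromManagedToUnmanaged"]
    if dest_managed and not source_managed:
        return policy["allowOpenFromUnmanagedToManaged"]
    return True  # same side of the managed boundary: no restriction applies

def audit(profile_bytes):
    """List the directions the profile leaves open across the managed boundary."""
    policy = open_in_policy(profile_bytes)
    return [key for key in KEYS if policy[key]]

if __name__ == "__main__":
    policy = open_in_policy(SAMPLE_PROFILE)
    print("work Mail -> personal Dropbox:", may_open_in(policy, True, False))
    print("personal app -> managed app:", may_open_in(policy, False, True))
    print("directions left open:", audit(SAMPLE_PROFILE))
```

The sample profile blocks managed-to-unmanaged transfers only, so `audit` reports the unmanaged-to-managed direction as still open.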
Where the new managed Open In approach falls short is when an app has both personal and business uses, as many commercial apps do. The Open In policy applies to any and all documents in an app, as there is no way outside of account-based apps like Mail to know whether the data is corporate or personal. I've urged Apple and its competitors to create a more granular information management standard I've dubbed InfoTrust.
iOS cannot run multiple instances of an app, so you can't have an unmanaged personal copy and a managed work copy, notes Dan Dearing, vice president of marketing at MobileSpaces. (Android doesn't have this single-instance limitation.) This is the Achilles' heel of Apple's new application management approach: Apple really should have taken the iOS 7 opportunity to allow at least two instances, so users could run separate instances of apps like Dropbox, Box, Quickoffice, iWork, and so on, one managed by their workplace and one for personal use.
Until that's possible, it will be hard for IT to apply managed Open In to common apps like Quickoffice and Pages, as there can only be one instance in iOS; the app either is managed and thus usable only for business, or it is unmanaged and used only for personal needs. Furthermore, if a device already has a personal copy of an app for which you want to apply managed Open In, its user has to remove the app, then install the corporate-provisioned copy of the app, Rege notes.
One workaround to the single-instance limitation would be to let developers sell one version in the public App Store and another via the corporate App Store, so iOS sees them as separate apps and allows both to be installed on the same device. That means users have to separate mentally the two app versions -- not elegant, but perhaps the only realistic method today. This is a scenario where there's still value in proprietary app-management systems (like Good's Dynamics and MobileIron's App@Work) for commercial developers to create separate business and personal versions.
I need to point out that this app collision won't apply to account-oriented apps like Mail, Notes, Calendar, and Reminders. iOS has long separated the data within accounts in such apps, so it "knows" the data from a corporate Exchange server is not to be commingled with that of your home IMAP provider. That's why a business can wipe your work email without wiping your personal email. iOS 7 simply makes the corporate accounts linkable to the corporate-provisioned apps (which after all are provisioned through the same management server), so Exchange email's Open In use can be restricted to specific apps without also restricting Open In from other accounts.