How Windows Phone 8 security compares to iOS and Android

Microsoft finally delivers a smartphone platform that businesses can accept, but overall, it still falls short of the iPhone

Page 3 of 4

EAS policies are just the first tier of enterprise mobile management. Because EAS is built into Exchange and supported by System Center 2012, most companies can use EAS to manage mobile users without buying additional tools. It's the broadest layer of mobile management available.

But the various mobile OSes offer additional capabilities beyond what EAS provides that third-party MDM servers can tap into. Apple, for example, has several dozen such APIs that use remotely installed configuration profiles not only to configure various iOS settings (such as preconfiguring VPN or allowed access points) but also to manage app behavior (such as disallowing the forwarding of corporate messages via personal accounts in Mail). iOS 6 adds several new policies, including the ability to prevent app removal, lock a user to a specific app (such as for kiosk or retail usage), and prevent paid apps from being purchased -- all are part of what iOS calls a supervised environment, in which the iPhone or iPad is treated as an appliance.

Along the same lines, in Windows Phone 8, Microsoft supports the ability to revoke applications, restrict email forwarding, remotely enroll or unenroll devices, and remotely update business-provisioned apps. One capability in Windows Phone 8 not available to other mobile OSes is its integration with Active Directory, notes Ahmed Datoo, vice president of marketing at MDM vendor Zenprise. What that means is that MDM tools such as Zenprise's can access the Active Directory groups, then assign policies to those groups rather than maintain a separate set of groups in the MDM tool from the set in Active Directory. That's a time-saver for IT, he notes; it reduces the risk of employees not being in the correct groups for the policies that should apply or falling through the cracks when terminated in, say, Active Directory but not in the MDM tool's user database.

Microsoft and Google provide far fewer such capabilities in their APIs, though Samsung and Motorola Mobility have added their own security APIs to their Android 4 devices. Microsoft uses a central manager in Windows Phone 8 called DM Client that contains all the relevant user and corporate profiles (like the Windows Registry, in effect), rather than rely on a set of separate installed configuration profiles (like the OS X System Folder, in effect). Table 2 shows a selection of commonly desired capabilities.

Table 2: Other native management capabilities compared

(May require management server to use)

| Capability | Apple iOS 6 | Google Android 4 | Google Android 3 | Google Android 2 | Microsoft Windows Phone 8 | Microsoft Windows Phone 7.5 | Microsoft Windows Mobile 6 |
|---|---|---|---|---|---|---|---|
| S/MIME | Yes | No | No | No | Yes | No | No |
| Over-the-air data encryption | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| VPN | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Configure VPN | Yes | Yes | Yes | No | No | No | No |
| Restrict/block app stores | Yes | No | No | No | Yes | No | No |
| Restrict/block wireless LANs | Yes | No | No | No | No | No | No |
| Configure allowable access points | Yes | Yes | Yes | No | No | No | No |
| Signed apps required | Yes | No | No | No | Yes | No | No |
| Selective wipe of business apps and data only | Yes | No | No | No | Yes | No | No |
| Remotely update business apps | Yes | No | No | No | Yes | No | No |
| Secure boot | Yes | Yes* | Yes* | No | Yes | No | No |
| App sandboxing | Yes | Yes | Yes | Yes | Yes | Yes | Yes |
| Disable iCloud/Microsoft Account/Google Account sync and storage | Yes | No | No | No | No | NA | NA |

*Added by some smartphone makers
