Comparing iOS and Android MDM Protocol Design Philosophies
Mobile Device Management (“MDM”) is an infrastructure protocol for executing privileged commands on mobile devices. At Apperian, we view MDM as infrastructure technology that enables administrators to take full advantage of features already included on devices. The MDM specifications are provided by operating system designers, for example Apple and Google, and include guides on how to implement them. MDM is not the silver bullet for enterprise mobility but one piece of many. Advanced Enterprise Mobility Management platforms such as Apperian EASE use MDM as one the technological approaches for securely managing and deploying apps to employee devices. The two dominant mobile platforms, iOS and Android, each have an MDM specification but they are entirely different.
- Uses configuration profiles to define an MDM administrator
- One MDM administrator per device
- MDM commands use a well defined protocol over APNS (push notifications) and HTTP
- Commands are executed by the operating system
- Voluminous amount of MDM commands covering various aspects of the system
- MDM command list is defined by Apple and works on all of their iOS devices
- Uses an Android application as the MDM administrator, by requesting additional Android permissions
- Multiple MDM apps are allowed per device
- MDM commands are included as Android library functions. Deciding when to execute those commands (in response to polling, in response to a push notification, etc.) is left up to the MDM spec implementer (the programmers)
- Commands are executed by the MDM app whenever it decides to
- Small amount of MDM commands covering security features
- MDM command list has been expanded by various manufactures using proprietary specifications (SAFE, KNOX, etc.)
The differences between Google’s and Apple’s design philosophies become apparent when looking at their MDM specifications. The most fundamental one is how MDM gets enabled. On Apple, a config profile is delivered and installed on the device. This gives a remote server additional capabilities. Apple views the MDM administrator as a miniature version of Apple themselves. For example, Apple retains the ability to execute all sorts of unique commands on your device, from location tracking (Find My iPhone) to deleting App Store installed apps off your device if a security flaw is discovered. The MDM administrator gets a subset of Apple’s command list to send to the device. The device recognizes the MDM backend as a privileged user (just like Apple), and executes those commands. Google sees MDM capabilities as app library functions to execute commands, enabled with the inclusion of additional Android permissions. For instance, when you install an Android app, the operating system explains what permissions the app wants. This includes access to contacts, location information, etc.
The MDM app has additional MDM permissions, such as device lock and device data wipe (factory reset). The large difference in the number of MDM commands also reveals philosophical differences. Apple provides over one hundred MDM commands, and are constantly adding new ones. The Google MDM spec has about ten, and over the past two years have only added two new commands. However, Google allows their device manufacturers to extend the protocol and add their own. Samsung SAFE has hundreds of additional MDM commands, from deleting apps to controlling which bookmarks are in the web browser. Similarly, Intel’s recently announced Device Protection Technology (DPT) Management Extensions provide another very large number of additional MDM commands. Apple likes to maintain full control of their software and hardware, while Google’s hands-off approach encourages their hardware partners to innovate. Who got their MDM specification “right”?
As it currently stands, Apple is clearly dominating. For customers that want full control over as many aspects of a device as possible, iOS has the most MDM features and is arguably a more secure protocol, as it’s well defined and relies heavily on security certificates for authentication. MDM vendors have little room for accidentally creating security flaws, even with sub-par implementations. Google allows each MDM provider to make up their own implementation, which allows for varying degrees of security. Google allowing their manufacturers to make up their own MDM specifications also encourages fragmentation, as each MDM vendor will have to write code to support each competing protocol. For example, engineers would need to write additional code to support SAFE devices, while adding a new iOS MDM feature automatically adds the feature of all iOS devices, if limited to Apple’s spec.
In any case, regardless of what devices your company wants to manage, Apperian’s industry-leading Enterprise Mobile Management platform simplifies the complexity of all these MDM nuances. Apperian combines MDM, App Wrapping, Mobile Dynamic App Policies, App Inspection, and App Deployment technologies to allow your company to take full control of your mobile app lifecycle and the mobile security of your organization. These capabilities are fruit of our own innovation as well as the extensibility of our platform that enables the integration of market-leading solutions from our partners, such as Mocana and Appthority. This post originally appeared on Carlos Montero-Luque's From the Office of the CTO on Monday, March 10, 2014.