Beware - Not All MAM Solutions Are the Same

Most companies realize that mobile device management (MDM) isn’t going to work for bring your own device (BYOD); instead mobile application management (MAM) is the better option as it allows for the separation of personal and company data as it runs through the applications.

Unfortunately, it seems that fewer companies realize that there are different approaches to MAM.

The first MAM approach leverages application programming interfaces (APIs) and security controls that are available through both the mobile operating system (OS) and device.  While there is a separation of data and additional controls at the application level – such as preventing cut, copy and paste (depending on the OS) – this approach may require enrolling the device and installing an MDM client on the user’s device in order for it to function properly.  For some companies – and in certain countries – the MDM requirements to enable MAM are considered an infringement upon an employee’s personal privacy.  In addition, MAM coupled with MDM generally depends on encryption technology built into the mobile operating system (requiring a device PIN code to be set) to protect data on the device.

The other MAM approach – which is referred to as MAM only at Citrix – provides separation of personal and company information and application level controls without the requirement to enroll the device or install an MDM client.  Most EMM solutions do not offer a MAM only approach.

MAM only solutions also include their own encryption, so the lack of device encryption isn’t an issue. Another benefit of device-independent encryption:  if the device’s encryption becomes compromised (for example through an OS vulnerability that exposes the device’s encryption keys), the security of separately-encrypted data is not affected.

Another major misunderstanding of MAM is related to securing access to company resources behind the firewall from a mobile application.  Some EMM vendors market this capability as a “per app VPN”.  This is not the same as “micro-app VPN”.  What’s the difference?  With micro-app VPN, there is a unique VPN for each application. This model is more secure than a single VPN connection as each managed application has its own VPN connection that no other app can use.  With per app VPN, there is still only one VPN tunnel that can be used even by any app including compromised apps. 

With marketing message sounding similar across many vendors in the mobile security space, it’s often hard to distinguish the difference between the various types of MAM offerings… therefore, it’s easy to see why there’s confusion in the market when it comes to securing mobile application data.

If you have questions about MDM, MAM, or mobile VPNs and happen to be at Black Hat 2016, please come by and visit our booth #324 to meet our mobile experts to have your questions answered. 


Suzanne Dickson

Suzanne Dickson is a Sr. Director of Product Marketing for Mobility at Citrix.  She is currently responsible for developing and managing go-to-market strategies for Citrix’s Enterprise Mobility Management Solutions.

More about Suzanne