How to create logical containers and manage corporate data in BYOD using MDM containerization?

MDM containerization refers to the process of segregating personal and corporate data on personal devices by creating a logical container to enhance corporate data security. For organizations adopting mobility to increase employee productivity and customer satisfaction, BYOD (Bring your own device) seemed like the perfect solution as it allowed users to access corporate data from personal devices, thereby ensuring there is no extra cost to be borne by the organization and absolutely no learning curve. But, BYOD also has it's downside, since the device also contains personal data and apps, the organization cannot take complete control over it, thus increasing the chances of a data breach.

Here's how a data breach may occur from a personally owned device:

  • If the personal apps present in the devices access the corporate data present on corporate apps.
  • If the confidential data downloaded from the corporate websites are accessed using personal apps.
  • If the corporate data is transferred from the managed devices to unmanaged devices
  • If the e-mail attachments available in the corporate e-mail account is accessed using personal apps
  • If the data available in the corporate accounts are backed up into the user's personal accounts

The simple solution to managing the personally owned devices, is to compartmentalize the personal and corporate data on the devices with BYOD containerization through MDM. Mobile Device Manager Plus (MDM), which is a container management software, in addition to being a mobile device management solution, allows organizations to achieve BYOD containerization on Android and iOS devices. 


Follow the steps given below to achieve mobile device containerization using MDM:

Android Devices

When Android devices are provisioned as Profile Owner using a container management software or an MDM solution, a Work Profile is automatically created. This ensures MDM containerization is achieved without any manual steps. Refer this for the list of enrollment methods that provision devices as Profile Owner

All the apps distributed using the MDM solution are considered as corporate apps and will be available in the Work Profile. They will be denoted with the briefcase symbol for easy identification. These corporate apps in the Work Profile do not communicate with the apps in the personal space. Additionally, it also ensures that the corporate data cannot be transferred from the corporate space to the personal space or to other devices using USB, thus maintaining complete data security.

MDM Containerization also ensures that the user cannot modify the corporate e-mail account configured by the organization. Thus, preventing users from adding their personal account to the corporate e-mail app. For the personal account, an additional app can be downloaded in the personal device space.


iOS Devices

In case of iOS devices, the containerization can be achieved only using a container management software like MDM. Certain restrictions need to be applied to the devices to create a mobile application container and ensure data on the corporate apps and accounts remains completely secure on personal devices. Here is a list of suggested restrictions that can be applied to the devices to create a virtual mobile device container-

  • Share data from managed apps to unmanaged apps
  • Share data from unmanaged apps to managed apps
  • Screen capture and screen recording
  • Allow USB connections and pairing with iTunes
  • Sync data and documents of managed apps to iCloud

For a list of other restrictions for achieving containerization using MDM and the configuration steps, refer this document.

NOTE: When the restriction Share data from managed apps to unmanaged apps is enabled, the unmanaged apps would be unable to access managed contacts on iOS 11 devices. On devices running iOS 12 and above, the admin can allow access to managed contacts by enabling the option Allow unmanaged apps to access managed contacts.

Here are a list of other settings supported by container management software such as MDM in order to secure corporate data in BYOD deployments:

Managed Web Domain

Managed Web Domain can be configured to ensure that any document downloaded from specific websites can be viewed or stored only in the ME MDM app in the devices. This is essential when users download confidential documents from corporate websites onto their personal devices. Configuring Managed Web Domain prevents unauthorised or personal apps from accessing the corporate data.

Document Viewer

Document Viewer is available in the ManageEngine MDM app present in the devices. It allows users to view the content shared from the MDM servers, e-mail attachments or documents downloaded from pages configured in the Managed Web Domain profile. Since the document is downloaded in the ManageEngine MDM app, none of the personal or unauthorized apps can access these documents.The document viewer prevents the content from being uploaded to third-party cloud services.

Virtual Private Network (VPN)

Configuring a VPN grants secure access to the corporate data on the internet. Most organizations mandate the use of a VPN to access corporate data using personal devices. While VPN protects the data on the internet, the data available on the corporate apps can be protected by configuring per-app VPN, which creates a VPN when data on the specified apps is accessed.