Containerization or device lockdown. What makes sense and why?

Rick Cooper

Aug 23, 2022

As more companies enable remote work, the world has moved towards BYOD (Bring Your Own Device) and COPE (Corporate-Owned Personally Enabled) devices to increase productivity and decrease operational costs. However, as with any new technology, there are obvious advantages and disadvantages. Although a BYOD device that holds both an employee’s corporate data and personal data is ideal, that is not always the case. Sometimes, it is better to manage the device through device lockdown.

For example, office staff might have to work outside of the office, so a personal device might suit them better. Containerization works well for them because the IT team can keep track of office data without peeping into personal data. Warehouse staff, on the other hand, work only at the warehouse with their device, and the device has no use other than work, so a device lockdown solution is better in this case. Before deciding between containerization and device lockdown, we need to understand exactly what each one means.

What is containerization?

The primary purpose of containerization is to separate corporate data from personal data. As the name suggests, it aims to sort the data into separate containers, where corporate data and personal data can co-exist on the same device while still staying independent of each other.

The device is split into two containers, a corporate container and a personal container. The company can control only the corporate container and not the personal one. Simple actions like copying, pasting and moving content between containers are restricted. Moreover, data sharing is allowed only through the approved containers, and the data is encrypted to protect it from prying eyes.

In case of a breach of the corporate container, admins can wipe the corporate container without interfering with the personal container. This provides an extra layer of protection, literally!

What is device lockdown?

Device lockdown is a management method in which the usability of a mobile device is restricted. The user is limited in the device functionality and the number of apps they can access; this can be a single app or a couple of apps. The user can’t access any part of the device other than the ones specified by the IT admin. Typically, device lockdown is used to set up devices as kiosk devices.

What makes more sense, containerization or device lockdown?

The two approaches serve widely different use cases, so a direct comparison cannot be made. A better approach is to understand their differences and choose the solution that best suits your needs.

In support of containerization

When employees use the same device for work and personal use, containerization makes more sense. In these situations, the business must ensure that the employee’s device meets the security requirements for handling corporate tasks. If the work container is not sufficiently safeguarded and segregated from the personal space, an attack on one could also damage the other. Containerization also enables businesses to prevent employees from copying and storing company data outside of the work container.

By allowing employees to use their own devices for work, containerization lowers the operational budget significantly and helps businesses save money that would otherwise be spent on the purchase of new devices.

Another benefit of containerization is employee satisfaction, because individuals won’t have to carry around multiple devices for various tasks.

In support of device lockdown

Organizations can ensure greater employee productivity by implementing device lockdown, which restricts access to the apps and documents used for work. Employees can’t access any other websites because the device is restricted to a certain use case, ensuring the security of the device.

Businesses that utilize their devices to interact with customers can offer a far more immersive experience for their clients by using device lockdown.

Lockdown is also used in a variety of different fields, such as educational institutions, where an organization must make sure that the gadgets are being used for their intended purpose. In healthcare, limiting the usage of devices to only the necessary features can help organizations run more efficiently.

Containerization and device lockdown are both beneficial for streamlining office work. While the latter limits employees to particular tasks, the former gives them a little more freedom.

Where can they be applied?

Containerization can be applied in any environment where a BYOD or COPE trend is supported by the business. Device lockdown is frequently employed in mobile services like logistics and healthcare, where each device has a unique function.

What is the role of UEM in containerization?

UEM solutions like Hexnode help businesses enforce containerization. They aid containerization by isolating resources in the corporate environment, so that only necessary business software is accessible to users while user access to other resources remains restricted. Employing UEM technology with containerization allows for the selective wiping of business data from lost or compromised devices while leaving personal data unaffected.

Enterprise wipe is also useful when an employee using a personal device for work departs an organization, and the company needs to delete any data from the business container without erasing any resources the device owner has in their personal container.

Android Enterprise containerization and iOS Business Container are two major features that Hexnode supports to help manage corporate data on Android and iOS devices, respectively.

Android Enterprise provides profile owner mode where a distinct work container is created on the device, where the work data is stored and secured. Administrators will have total control over the work container but no control over the personal container. When an Android device enrolls as a profile owner, a work container is automatically created. The main advantages of using profile owner mode on devices are the per-app restrictions, silent installation and deletion of work apps located inside the work profile. In order to distinguish them from personal apps, work profile notifications and application icons come with a work badge by default.

You can containerize data on iPhones using iOS Business Container and iOS User Enrollment. While iOS User Enrollment is more suited for BYOD, business containers are more suited for COPE. Although there are different containers for personal and business data, the key difference is that the entire device is under the control of the firm when using the business container. Data flow between managed and unmanaged apps can be handled once everything is set up.

User Enrollment resembles the profile owner mode of Android Enterprise. Once User Enrollment is done, a separate Apple File System (APFS) volume containing the managed apps and data is created and encrypted on the device. Such containerization enables businesses to handle corporate data without affecting the personal information of end consumers. User Enrollment supports only a small number of payloads and restrictions on the device, in contrast to business containers, where the UEM has full authority over the device. Examples of crucial UEM commands that cannot be executed include enabling/disabling lost mode, allowing/clearing activation lock, etc. Additionally, the UEM console cannot be used to get device-specific data such as the serial number, UDID, IMEI, MEID, etc.

What is the role of UEM in device lockdown?

The majority of today’s UEMs have the capability to lock down devices. You can use a UEM like Hexnode to handle both device lockdown and mobility management instead of investing in standalone kiosk lockdown software. Lockdown comes in several modes:

Single app mode: In single app mode, the device can only run one program.

Multiple app mode: In multiple app mode, it can only run a limited number of apps as determined by the firm.

Browser lockdown: It can only run one or a small number of web pages.

In digital signage, the device is restricted to a form of media; this can be an image, a video or even a PDF.
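The container guarantees described earlier (restricted copy and paste, encrypted corporate data, a wipe limited to the corporate container, User Enrollment rather than a business container for BYOD) and the lockdown modes listed above can be checked before a policy is pushed. The following is an added example, not Hexnode's or the author's code; the policy schema, field names and sample policies are hypothetical and constructed for illustration.

```python
# Added example: lint constructed UEM policy records against the rules this
# article describes. The schema is hypothetical, not a vendor format.

def audit_policy(p):
    """Return findings for one policy dict; an empty list means it passes."""
    findings = []
    kind = p.get("kind")
    if kind == "container":
        # Missing keys fail closed: an unset restriction counts as absent.
        if p.get("allow_cross_container_copy_paste", True):
            findings.append("copy/paste between containers is not restricted")
        if not p.get("encrypt_corporate_data", False):
            findings.append("corporate container data is not encrypted")
        if p.get("wipe_scope") != "corporate_container":
            findings.append("wipe would also erase the personal container")
        # Per the article: User Enrollment suits BYOD; a business container
        # places the entire device under the firm's control (COPE).
        if (p.get("platform"), p.get("ownership"), p.get("enrollment")) == ("ios", "BYOD", "business_container"):
            findings.append("business container on BYOD gives the firm whole-device control")
    elif kind == "lockdown":
        mode, apps = p.get("mode"), p.get("apps", [])
        if mode == "single_app" and len(apps) != 1:
            findings.append("single app mode needs exactly one app")
        elif mode == "multi_app" and not apps:
            findings.append("multiple app mode needs a non-empty app allowlist")
        elif mode == "browser" and not p.get("urls"):
            findings.append("browser lockdown needs at least one allowed page")
        elif mode == "digital_signage" and not p.get("media"):
            findings.append("digital signage needs a media item")
        elif mode not in ("single_app", "multi_app", "browser", "digital_signage"):
            findings.append(f"unknown lockdown mode: {mode!r}")
    else:
        findings.append(f"unknown policy kind: {kind!r}")
    return findings

# Constructed sample policies (not taken from any real console export).
SAMPLE_POLICIES = [
    {"name": "office-byod-android", "kind": "container", "platform": "android", "ownership": "BYOD", "enrollment": "profile_owner",
     "allow_cross_container_copy_paste": False, "encrypt_corporate_data": True, "wipe_scope": "corporate_container"},
    {"name": "office-byod-ios", "kind": "container", "platform": "ios", "ownership": "BYOD", "enrollment": "business_container",
     "allow_cross_container_copy_paste": True, "encrypt_corporate_data": True, "wipe_scope": "device"},
    {"name": "warehouse-kiosk", "kind": "lockdown", "mode": "single_app", "apps": ["com.example.scanner", "com.example.mail"]},
]

def audit_all(policies):
    return {p["name"]: audit_policy(p) for p in policies}

if __name__ == "__main__":
    print(audit_all(SAMPLE_POLICIES))
```
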

In conclusion

Device lockdown and containerization are quite different concepts, and depending on the use case, the company can choose either one. However, one cannot be used in place of the other. Choosing correctly between containerization and device lockdown can help your organization achieve better mobility management.

Rick Cooper

Product Evangelist @ Hexnode. Millennial by age. Boomer by heart.
