Thoughts on VMware Mobile Virtualization Platform

At Tech Field Day, VMware presented their Mobile Virtualization Platform (MVP) to us delegates, and as expected all these geeks were very interested to see what VMware had to offer. Unfortunately the overall feeling was that the product as demonstrated to us was a bit disappointing. Of course it is not a released product yet, but even so there are some points to worry about. First, let's have a look at what VMware MVP really is.

Taken from the VMware MVP website (http://www.vmware.com/mobile):

Employees want to use their personal smartphone for work and are pushing IT to support those devices. This trend—sometimes called “Consumerization of IT”—challenges IT requirements for security, compliance and ease of management. VMware MVP enables enterprises to embrace this trend, by allowing IT to safely support employee owned devices. With VMware MVP, enterprises can get the security and ease of management they require, while reducing CAPEX. With VMware MVP, a personal profile and a corporate profile can securely and simultaneously run on the same device in isolated containers. Corporate applications and data are securely isolated from an employee’s personal profile. With VMware MVP, employees can connect their own mobile devices to the corporate network from a corporate profile that is provisioned and managed by the corporate IT group.

Architecture

First, an important message to all those hypervisor geeks who were thinking of running multiple VMs on their smartphones with total freedom: that is not what VMware MVP is aiming for. VMware MVP wants to create a secure environment in which you can run your business applications, and it uses a hybrid hypervisor model to create this environment. VMware MVP creates a single secure VM environment on top of the smartphone's native OS by inserting an MVP module, called MVPkm, into the kernel of the native OS.

See this blog post for more details on how exactly MVPkm hooks into the native OS and an in-depth explanation of the pros and cons of this choice: http://www.ok-labs.com/blog/entry/vmware-mvp-how-it-works/ (author: Gernot Heiser).

Figure: VMware Mobile Virtualization Platform (VMware MVP)

The takeaway from Gernot Heiser's post is this:

  • The hybrid hypervisor model performs better than a type 2 hypervisor, but it is not a type 1 hypervisor either, since it has no exclusive control of the hardware.
  • The biggest disadvantage of the hybrid approach is that it creates a new attack surface and adds nothing to the security of the guest apps: a module inserted into the host kernel runs with the host kernel's privileges, so the isolation of the guest is only as strong as the native OS it sits on top of.

If the architecture doesn't provide the additional security, how do we get a secure environment then? Well, VMware MVP will only run OSes inside the VM that have been provided and adjusted (secured) by VMware. You cannot just download the latest build of the smartphone's OS and run it inside the MVP VM.

The plan VMware has is that the enterprise admin downloads the image supplied by VMware, adds the corporate applications and then deploys it to the users' phones. This deployed VM is locked and the user cannot install any other apps into it. Well, actually, the admin is supposed to lock this image and prevent further installation of new apps by the user. He could leave the image unlocked, but that would defeat the whole purpose of having a 'secure image' with approved apps only.

The biggest drawback of this approach is that as a corporate admin you will have to wait for updates not until the vendor releases them, but until VMware has received that update and adapted it to fit VMware MVP. Questions that were asked but could not be answered at the Tech Field Day demo:

  • Will VMware add extra security to the image supplied by the vendor?
  • What is VMware aiming at for the update cycles; how fast are they planning to release their image after the vendor releases it? Will they only release big updates (a 3.3 to 3.4 upgrade, for example) or also smaller ones (3.4 to 3.4.1)?
  • Will Apple allow running iOS inside a VM on top of Android? The same question of course also goes for RIM (BlackBerry). I wonder what their motivation would be in working together with VMware on this, as they all have their own solutions to secure their devices. Specifically with Apple, I could imagine that they would not want their iOS running on any hardware other than an iPhone, since the "user experience" would be different than on a real iPhone.

Current status

It was at VMworld 2008 that VMware first talked about their ideas for the Mobile Virtualization Platform and got a lot of people very excited. Now we're 2.5 years down the road, and what have we got?

  • MVP will only run on Android right now, and inside the VM it will also run Android only.
  • MVP will only support a single SIM, which means you still have to walk around with two smartphones if you want to keep separate private and business numbers.
  • The management framework that would deploy these images to the users' smartphones could not be demoed yet, since it is not ready, and no comment could be made about what stage it is in.

All these unanswered questions raise a lot of concerns. Personally I think VMware shouldn't even try to release it if only Android on Android is supported. They should at least have one other OS they can run it on and run inside the VM. Otherwise, after release, all that the people who evaluate the product will remember is that it only runs on Android, and it will be very hard to invite those people back to evaluate the product when a big update adds a new OS to the list.

My biggest concern is that the security gap they are trying to fix won't be fixed by adding a hypervisor to the equation; it should be done by really securing those business apps. There are some really good management tools available that can protect a smartphone, lock down applications and secure your e-mail. Have a look at Good (http://www.Good.com) for example. Others have already mentioned it would be better to go down the road of application virtualization instead of a hypervisor.

I'm wondering how long it will take for VMware to finally release a version 1 product, and if it will ever be released at all. What they have shown us so far wasn't much and it looked like a lot of work still needs to be done. I see a parallel here with the VMware Client Virtualization Platform (CVP), which eventually got canceled and merged into VMware View's offline mode. Maybe, eventually, VMware MVP will be merged with ThinApp and make mobile application virtualization possible.

Be aware that the Tech Field Day event is fully sponsored by the companies we visit, including flights and hotel, but we are in no way obligated to write about the sponsors.
