Mobile device management (MDM) is tricky enough when the device in question is provided to the employee by the IT department. Introduce bring your own device (BYOD), an almost unstoppable force in the workplace, and MDM gets even more challenging.

While there is the potential for provisioning to scale, enforcing proper security and limiting the applications that run on a corporate-sponsored mobile device, such luxuries are not possible with BYOD; sensitive corporate data and secure mobile apps must coexist with anything that can be downloaded on the mobile device’s app store — and even deal with the possibility that the device could go beyond the usual restrictions of the mobile OS by being rooted or jailbroken.

MobileIron has recognized this challenge since the beginning of the BYOD revolution, and its AppConnect solution takes a different tact. Instead of MDM, it focuses on MAM—mobile application management.

“This is about securing the applications that carry the data, and not having to sweat the device,” noted Alexander Romero recently on the MobileIron video blog, director of product management for MobileIron. “It doesn’t require device management on the mobile device.”

AppConnect works by wrapping mobile applications in a secure MobileIron container that is distributed via a private app store. The container around the app enforces the right policies and settings for the user, and it securely tunnels mobile data from the apps through the MobileIron Sentry Intelligent Gateway (News - Alert) to the enterprise IT’s internal computer systems. Further, apps wrapped in the MobileIron container can talk with each other while public apps outside the ecosystem cannot.

This container approach also means that IT departments can wipe corporate data from BYOD and company sponsored devices without having to commandeer the whole device. Private user data stays private while corporate data is secured and able to remotely be removed as needed.

Romero sees at least three innovations to the MobileIron approach. Chief among them is the concept of tunneling data securely on the application level instead of having to go through a virtual private network (VPN).

“If you think about all the applications that are actually on a device, some of them could potentially be malware, or could in some way access a network resource that you don’t want it to,” he noted on the video blog. “The second you put a VPN on the whole device, then it is like that device being on your internal enterprise network.”

By tunneling on the application level, insecure or malicious apps don’t gain access to the corporate network while corporate data still arrives securely.

The second innovation Romero mentioned was delivering configurations to scale.

“The challenge there is that the second the user hits the app, it launches,” he said. “Typically there are a bunch of fields they have to fill in. Well, if you’re deploying to 5,000 or 50,000 users, you’re going to get a lot of helpdesk calls asking what’s the server name, etc. So MobileIron built application configuration to deliver these configurations at scale.”

Third, AppConnect provides authentication on the app level to make sure that the right user is using the app in the right way on the right device. AppConnect can check if a device is jailbroken, and which user is trying to use the app—and it can even control what hours an app can be accessed. AppConnect gives total enterprise authentication control.

Overall, AppConnect adds up to a new approach to dealing with BYOD, one that takes the best of MDM but lessens the invasiveness. This can be a nifty trick for enterprises grappling with BYOD.