Feels similar to the enterprise not stipulating that employees MUST install a home security alarm system if they are bringing corporate data home on weekends.
Things are alot simpler with a shift in focus to the data rather than the device. Here's my list of security requirements
- Ensure that mobile apps can access only enterprise data appropriate to the employee using it
- Protect data in transit
- Protect data at rest
- Delete data when necessary
(Of course, 'not allowing apps to store data on the device' probably means tinkering with the binary.....)
#2 is easy.
#1 implies that the app, in requesting data from enterprise or cloud servers, can somehow indicate to the server the employee in question. More and more, OAuth 2 is the default choice for achieving this. The native application gets an OAuth token that reflects the employee's identity & roles, and presents that token on a RESTful API call to get data.
Consequently, #1 is really about ensuring that
- the application can securely obtain a token that reflects the employee's identity
- the API can make the right authorization decision when it sees that token included on API calls