Enterprise mobile is the discipline of running corporate apps on devices the enterprise does not fully own, under regulators it must satisfy, on a platform the vendor controls. The decisions here decide whether a programme is governable.
| 1 | Overview | 2 | MDM and MAM In Depth |
| 3 | Zero Trust Mobile Architecture | 4 | TCO and Cost Optimisation |
| 5 | On-Device AI and ML | 6 | Emerging Platforms |
| 7 | Anti-Patterns | 8 | References |
This reference covers enterprise mobile management: MDM and MAM, Zero Trust mobile architecture, total cost of ownership, and on-device AI. It frames the governance, security, and cost decisions for running corporate apps on devices the enterprise does not fully own.
The Mobile Device Management and Mobile Application Management landscape consolidated through the last decade and three vendors hold most of the production market. Jamf Pro is the iOS specialist — approximately 75 percent of Fortune 500 Apple fleet management runs on Jamf, with deep Apple Business Manager integration via Automated Device Enrollment (the DEP-successor flow that ships devices pre-enrolled from Apple's distribution network). Microsoft Intune is the cross-platform leader for Microsoft-shop enterprises — native Azure AD Conditional Access integration, the Intune App SDK or app wrapping for MAM, integrated with Microsoft Defender for Endpoint, included in Microsoft 365 E3 and E5 bundles making it the cost-effective choice when the organisation already pays for the suite. VMware Workspace ONE (recently rebranded Omnissa after the Broadcom spin-off) is the breadth play for organisations needing iOS, Android, Windows, macOS, and ChromeOS managed from a single console.
MAM without enrollment is the BYOD answer. The user installs the corporate app from the public App Store; the app detects an enterprise Azure AD identity at first launch and applies the MAM policies declared in Intune. Policies enforce PIN requirements, copy-paste restriction between corporate and personal apps, screenshot blocking on sensitive screens, encryption of app data, and selective wipe — IT can remotely wipe corporate data without touching personal photos, messages, or banking apps. The user never enrols their device; the enterprise has no visibility into personal data; the trade-off both sides accept.
App wrapping versus SDK integration. Wrapping modifies an existing IPA or AAB binary post-build using the Intune App Wrapping Tool (Smali manipulation on Android, runtime swizzling on iOS) — zero source-code changes, appropriate when the enterprise needs to manage an app it did not write. SDK integration links the Intune App SDK into the app source — finer-grained policy queries (shouldAllowSharing, shouldEncryptDataAtRest), policy errors surfaced at compile time rather than at wrap time. SDK is preferred for new apps where source access exists.
AppConfig Community standard. The MDM pushes a key-value configuration through the platform's managed-app-config channel. iOS reads via UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed"); Android reads through the Android Enterprise Managed Config API. The pattern preconfigures server URL (no user input required), SSO settings (Okta domain, Azure tenant), feature enablement (which features are turned on per customer tenant), and branding — single binary, runtime configuration, no per-customer build forks.
Managed Open In prevents corporate documents from being opened by personal apps — a critical DLP control on regulated workloads. The OS enforces the boundary; the app trusts the OS.
NIST SP 800-207 Zero Trust principles applied to mobile rewrites the implicit trust model the enterprise built around corporate Wi-Fi and VPN.
Every API request is authenticated regardless of network location — no implicit trust for requests originating from the corporate network. The corporate Wi-Fi was the soft underbelly for two decades; Zero Trust eliminates the assumption.
Device health is verified before API access. Microsoft Conditional Access blocks API access from devices not enrolled in Intune, not running the minimum OS version, with detected malware indicators, or below the team's compliance threshold. Okta Device Trust provides the equivalent for non-Microsoft stacks — a verified device posture signal enters the access decision alongside user identity and resource sensitivity.
Continuous authentication. Session tokens are revalidated on risk signals: new device, new geographic region, unusual transaction amount, mismatched behavioural pattern. Step-up authentication (re-prompt for biometric or push notification approval) triggers automatically on the higher-risk signals; low-risk signals continue without friction.
Certificate-based authentication for managed devices. The MDM pushes a client certificate to the enterprise app at install via managed app config. The app presents the certificate for mutual TLS handshake with the corporate API. The backend validates the certificate chain against the enterprise root CA. Devices without the certificate cannot reach the API at all — the network boundary is replaced by a cryptographic boundary.
Five-year TCO comparison, normalised to pure native iOS plus Android at 100 percent baseline:
Build time as developer cost. A Gradle build of three to eight minutes for a large modular project, multiplied by 50 builds per day per engineer across a 10-engineer team, sums to 25 to 67 engineer-hours per day spent waiting. The cost is real and compounds. Gradle build cache shared across CI machines saves 40 to 60 percent of build time on warm builds. Feature modularisation enabling parallel compilation saves 30 to 50 percent on multi-core CI machines. The investment is one engineering month; the payback is in weeks.
AI-assisted development delivers measured productivity gains. GitHub Copilot's published 2022 study showed 55 percent faster typical-task completion in controlled conditions; enterprise measurements have settled at 20 to 30 percent reduction in time on boilerplate and repetitive code, less on novel architecture work. Cursor and Claude Code add multi-file refactor capability that single-file Copilot cannot match. The architecture's accommodation of AI assistants — clear patterns, documented exemplars, good tests — determines how much of the gain the team captures.
Device testing. Firebase Test Lab at $1 per device-hour for physical devices, $0.40 per virtual-device-hour. BrowserStack App Automate at $399 per month for unlimited parallel testing on a cloud device matrix. Internal device lab capital cost of $20,000 to $60,000 for 20 to 50 devices, amortised over three years at $550 to $1,650 per month — cost-effective above 1,000 device-hours per month or for regulated workloads where physical-device chain of custody matters.
Core ML on iOS. Models convert from PyTorch or TensorFlow to .mlmodel via coremltools; the runtime selects Neural Engine (15-38 TOPS on A-series chips), GPU, or CPU automatically based on the model and device. Privacy-preserving: data never leaves the device; offline capable. Use cases: document OCR via Vision framework, face detection, language identification, personalised recommendations, on-device translation.
TensorFlow Lite on Android. .tflite models with optional GPU delegate for hardware acceleration on Mali and Adreno GPUs, NNAPI delegate for Qualcomm Hexagon and MediaTek APU NPUs. Quantisation reduces model size three to four times with marginal accuracy loss.
Google ML Kit. Pre-built models for text recognition, face detection, barcode scanning, language identification, smart reply, pose detection — both on-device and cloud variants. The on-device variants are the default for privacy-sensitive use cases and run on any modern Android device.
On-device LLMs. Apple Intelligence (iOS 18 and later on A17 Pro and M-series chips) runs a 3-billion-parameter foundation model locally for writing tools, summarisation, and Siri context. The model is integrated into system frameworks; the developer accesses generative capabilities through WritingTools and the Foundation Models framework. Google Gemini Nano on Pixel 8 and later via the AICore API for summarisation, smart reply, and proofreading — accessed by the developer through the Android GenerativeModel interface.
watchOS and WatchKit. The paired app model — the iPhone app communicates with the watch app via WatchConnectivity for state and message sync. The standalone watch app model — direct network access on cellular models, the watch app runs without the iPhone present. SwiftUI on Apple Watch is the default UI layer since watchOS 6; complications via the WidgetKit framework expose glanceable data on the watch face.
Wear OS with Jetpack Compose for Wear. Scaffold, LazyColumn adapted for circular displays, CircularProgressIndicator, TimeText showing the current time at the top. Tiles for ambient glanceable views; Wear Health Services API for sensor data with on-device aggregation.
Foldables. WindowSizeClass API classifies the display as Compact (most phones), Medium (small tablets, unfolded foldables), Expanded (large tablets, foldables open). Responsive Compose layouts adapt to fold state. FoldingFeature from the Jetpack WindowManager library reports the hinge position and posture (flat, half-open, vertical) so the app can split content across the fold.
Apple Vision Pro visionOS. Immersive spaces for full 3D environments; volumes for placing 3D content alongside other apps; ornaments for window controls attached to the spatial window. SwiftUI on spatial computing is the same SwiftUI you write for iPhone, with new view modifiers for 3D positioning and gaze-and-tap interaction.
UWB (Ultra-Wideband). Precision indoor location (centimetre-level), secure proximity detection (Apple Wallet car keys, AirTag finding). U1 chip on iPhone 11 and later; the NearbyInteraction framework exposes UWB ranging.
Technology radar for mobile 2025. Adopt: Kotlin Multiplatform for shared business logic, React Native New Architecture, Compose for Wear OS, Swift 6 strict concurrency. Trial: Compose Multiplatform on iOS, Swift Testing, Apple Intelligence integration. Assess: AI-generated UI code (Locofy, Figma Dev Mode + Cursor pipelines), Gemini Nano integration patterns, visionOS for enterprise data visualisation. Hold: Xamarin (sunsetting), Objective-C for new code, XML layouts on Android, RxJava 2 for new code.
The enterprise insists on MDM enrollment for BYOD; users refuse or accept under protest; usage drops; shadow IT proliferates.
CORRECT: The fix is MAM-without-enrollment for BYOD.
The mobile team maintains a fork per enterprise customer with branded URLs. The fork count grows; maintenance dominates engineering time within 18 months.
CORRECT: The fix is managed app configuration — one binary, runtime configuration per enterprise.
The backend API trusts requests from the corporate VPN; the API is unauthenticated within. A compromised endpoint anywhere on the corporate network becomes a path to all data.
CORRECT: The fix is Zero Trust: every request authenticated, every device's health checked.
Controls are documented but not implemented; the audit passes because the auditor does not probe. The next breach reveals the gap; the regulatory notification proceeds.
CORRECT: The fix is continuous compliance validation, not annual self-attestation.
Selective wipe removes corporate data including the user's locally-stored work-in-progress. Hours of work lost.
CORRECT: The fix is the design ensuring work-in-progress syncs to the server before the wipe completes; offline draft state has documented backup mechanisms.