AT&T says it has the answer for corporations that want to let employees access work applications from personal phones without those phones becoming a security threat. A new virtualization-style technology that works on both Android and iPhones creates a work container that is isolated from an employee's personal applications and data, letting IT shops manage just the portion of the phone related to work.

This isn't a new idea. ARM is talking about adding virtualization into the smartphone chip layer. VMware has been promising to virtualize smartphones for some time. What is notable about AT&T's technology is its flexibility. VMware's technology hasn't hit end users yet, largely because it must be pre-installed by phone manufacturers, limiting it to carriers and device makers that want to install it on their hardware.

AT&T's "Toggle" technology, meanwhile, works with any Android device running versions 2.2 to 3.x, as well as iPhones, and can be installed after a user buys the device. Moreover, the technology is somewhat separate from AT&T's cellular division and can be used with any carrier.

AT&T Toggle launched in a trial run last fall on Android. Version 2.0, which supports both Android and iPhone (as well as tablets running Android or iOS), was announced this week. Version 2.0 is in trials with some corporate customers and will be generally available in about a month, AT&T said. While Android and iPhone are the initially supported platforms, BlackBerry and Windows Phone are reportedly coming later this year.

Toggle beats VMware to market with more flexible approach

Toggle, as we alluded to, is similar to VMware's Horizon Mobile for Android phones, which we wrote about last September. Both create a work partition on a smartphone that can house an employee's business e-mail and applications, while being walled off from the user's personal e-mail and applications. Samsung, LG, and Verizon are partnering with VMware to bring Horizon Mobile technology to Android devices, but no specific rollouts have been announced.

Like VMware's software, Toggle lets a user enter the work side of their phone by clicking an application icon. In addition to work-specific e-mail and text messaging, business applications can be delivered through private, corporate app stores that AT&T will help customers set up. Document attachments are encrypted, and the Toggle work partition has its own secure Web browser. Data is pushed from company applications to phones over SSL, and administrators can view all the details of devices connecting to the network and enforce permissions, set policies at a company-wide or group level, and perform a screen lock or remote wipe on the work partition.

While VMware uses virtualization to build a guest operating system on top of the phone's host operating system, AT&T built its own partitioning software without deep hooks into the operating system, making it capable of being installed by corporations and users on all sorts of phones. That's why AT&T was able to get to market faster than VMware, AT&T's Mobeen Khan, executive director of mobility marketing, told us. "This is almost at an application layer," Khan said. "There are no hooks into the operating system."

The product is being offered through AT&T's business division rather than its cellular division. As a result, the software can be installed on phones provided by any carrier.

Security comes first

Whether AT&T's method of isolating work and personal partitions is more or less secure than VMware's is hard to say, as VMware's product has only been shown in demos. We've asked VMware for release date information and clarification about what issues—security or otherwise—have prevented a more timely release. We'll update if we receive feedback. AT&T's Khan notes that "you cannot talk about security on absolute terms," but says Toggle's software container is designed to "protect all data and applications inside the container."

SSL encryption is supported for the work partition, and IT administrators can apply the usual password protection policies and other security requirements on the phone's work partition. If a phone were to be compromised, the IT department could wipe the work portion remotely, leaving the employee's personal data and applications intact. The IT shop can also determine what level of interaction the work and personal partitions may have, like whether calendars can be mixed and whether notifications can flow from the personal space to the work space or vice versa. IT administrators can also set policies on what applications users may download from a company's private app store, restricting employees to only the applications they need to do their jobs.

VMware has promised that its virtualized phones will have two phone numbers, one for work and one for personal calls, with users being able to take calls from either regardless of which partition they're in. AT&T's Toggle supports just one number for the moment, but Khan says "later in the year we will be announcing dual phone numbers, one phone number associated with the work container and another that's your personal phone. The idea behind this is you as an employee bringing your own device to do work don't want to pay for whatever usage is on the work side of the container."

Toggle also comes with antimalware software from Juniper that can scan both the work and personal parts of a phone. If a virus is spotted on a phone, an IT shop might choose to remotely wipe the work partition, or at least notify the user that something is amiss.

Toggle is mostly targeted at employees bringing their own phones to work, although it could theoretically be installed on employer-purchased devices as well. A corporation must pay $750 for configuration and training to get started, plus $6.50 per device per month, with a minimum of 20 licenses per order. Ongoing support costs another $1.50 or $2.50 per device per month.

From the user's perspective, AT&T says it should be easy. Employees don't have to give up their phones for an hours-long setup process. They just enter the Toggle portal with a login and password supplied by their employer, and download the appropriate software.

"The key value to the employee," Khan said, "is that they can bring their own device. Anything that is on the personal side is totally isolated from the IT administrator," with the exception of the malware tracking.

Many employers today still block access from personal devices, even for applications as ubiquitous as e-mail. But the comfort level IT shops have with personal devices is increasing. While AT&T can be congratulated for getting Toggle to market relatively quickly and in a cross-platform and cross-carrier manner, this type of technology could well become the standard rather than the exception over time.