On the Radar: VMware AirWatch

VMware AirWatch provides a platform of Enterprise Mobility Management tools that enable organisations to deploy, configure, and manage mobile devices, the apps installed on them, and the content they use. A cornerstone of its management suite is AirWatch Content Locker, which offers secure content management and collaboration capabilities geared towards mobile workstyles.


AirWatch is based in Atlanta, GA with four further offices across North America, and offices in the UK, India, Hong Kong, Australia, and Singapore. VMware (AirWatch’s parent company) is headquartered in Palo Alto, CA.

What does it do?

VMware AirWatch provides a platform of Enterprise Mobility Management (EMM) tools that enable organisations to deploy, configure, secure, and manage their workforce’s mobile devices, apps and content.

Though touching on some of the wider elements of EMM in context, this report focuses primarily on AirWatch Content Locker, the company’s mobile content collaboration tool. AirWatch Content Locker provides secure mobile access to corporate content by integrating with a raft of ECM products (such as Alfresco, Box, Dropbox, EMC Documentum, Microsoft SharePoint, Microsoft OneDrive, OpenText, Oracle WebCenter Content, IBM FileNet Content Manager, and SAP HANA Cloud Document Service) and providing secure access to content on a mobile device through its corporate container. Any of AirWatch’s supported business applications can consume and render content from any of its supported (30+) repositories, with access mediated via the Content Locker. Content Locker integrates with VMware Boxer (and AirWatch Inbox) and VMware Socialcast out of the box. Business applications can also share files if whitelisted by IT.

The product has been developed on AirWatch’s EMM platform, controlling access to email infrastructure, directory services, WiFi networks, VPN connections, certificates, content filtering, content repositories, and SIEM; offering multiple authentication methods for end-users; and encryption for all data in-transit, at-rest and in-use with AES 256-bit, FIPS 140-2 compliant encryption.

AirWatch Content Locker supports a variety of different devices (such as smartphones, tablets, ruggedised devices, desktops and laptops, peripherals) and platforms (iOS, Android, Windows, Mac). It’s designed to operate in the real world, where a mix of shared devices, BYOD policies and corporate-owned devices often is the norm. It delivers content in a managed way through a variety of client tools – applying contextual awareness of device type, ownership, location (for geo-fencing), and security posture (for conditional access); operating system; telecoms configuration; and document sensitivity to determine and apply appropriate levels of access rights to content.

AirWatch Content Locker is available in two versions:

  • AirWatch Content Locker Standard offers content distribution controls, enterprise-grade security, data loss prevention, an admin console, analytics, and globalisation options;
  • AirWatch Content Locker Advanced expands on the capabilities provided by Content Locker Standard, adding user content storage, a desktop client, user portal, file sharing, editing and annotation.

Although it is possible to purchase Content Locker as a standalone product, the company reports that customers tend to buy it as part of wider package. It’s available as part of VMware Workspace ONE, VMware’s integrated identity, application, and enterprise mobility management suite: Content Locker Standard is part of Workspace ONE Standard, and Content Locker Advanced is part of Workspace ONE Advanced and Workspace ONE Enterprise. Content Locker is also included as part of AirWatch’s EMM management suite (which is available in a number of variations and bundles) and VMware’s Collaboration Bundle (which packages Content Locker with Socialcast and AirWatch Video).

Who is it for?

AirWatch Content Locker allows end-users to access content whether stored either in the cloud or on-premise, in corporate or personal storage, through the same applications – but makes the distinction that corporate content remains under enterprise management (leaving personal content and applications, where sanctioned by IT, under users’ own control and untracked by the enterprise). Optionally, customers can deploy VMware’s Workspace ONE Secure App Token System (SATS) to prevent end users from signing into their own SaaS applications independently on a different (unmanaged) device.

Mindful that some end users may remain suspicious of the extent to which their employers are able to access and track content and application usage deemed to be under the ‘personal’ part of their own device (when managed under BYOD policies), AirWatch allows customers to delegate responsibility for sensitive privacy-related settings to a HR or a Chief Privacy Officer role (i.e. outside of corporate IT).

The level of offline access to synced content can be controlled by the enterprise (for content under management) so that, say, IT can set policies on whether users can mark files as favourites and access them when offline or not.

Airwatch Content Locker can also treat content differently at different stages in its lifecycle. For example, ‘required’ content can be removed from the device once consumed (useful for employee onboarding because it can track who’s accessed it); ‘featured content’ is similar to required content, but without the compliance component (e.g. corporate bookmarks); and ‘recent content’, as determined by the end user.

Why is it interesting?

End-users’ changing expectations of seamless mobility are changing the way work gets done within the enterprise, as well as between enterprises, their customers and partners. AirWatch’s overall management suite plays to enterprise IT concerns of securing and managing access to corporate content as mobile workstyles evolve. It’s designed to provide a managed digital workplace environment for mobile workers that integrates enterprise applications with mobile apps, and secures access to corporate content.

AirWatch Content Locker is primarily used by customers as a unified access and editing tool for ECM repositories, rather than being a content management system itself – although AirWatch does offer its own cloud storage for use cases where organisations want to publish content. However, it’s not simply a bolt-on file-sharing / sync / collaboration product that exposes ECM content on mobile devices either. AirWatch Content Locker is part of an overall suite that covers curation / search, productivity tools, workflow integration with enterprise applications, and data loss prevention capabilities.

Although content management and collaboration technology vendors might partner with specialist mobile vendors for aspects of mobile device management (such as data loss prevention, etc.), or in some cases acquire technologies to integrate some of these capabilities into their own products, AirWatch’s focus is the mobile worker and its products demonstrate an understanding of how mobile use cases and different workstyles require a variety of enterprise mobile management capabilities. It’s also able to provide the means to ‘wrap’ third-party apps in its framework and present a managed version for use securely on end-users’ devices.

The tools that comprise AirWatch’s management suites in general, and Content Locker specifically, can be configured to manage mobile apps and content in a variety use cases – particularly coming into their own in shared / BYOD environments where the mobile worker retains some level of personal ownership of the device for non-corporate activities.

AirWatch reports that, in general, its customers now have a more ‘consumerised outlook’ on what and how they extend their content capabilities for mobile workers, but that at the same time, customers want to be able to implement against content-based definition of risk (i.e. how much of the data is sensitive, where is it being accessed). AirWatch Content Locker enables customers to apply these evolving risk policies, define escalation protocols, specify actions; and provide advanced logging for regulatory audits, etc. – integrating with existing monitoring tools with an enterprise-wide purview, as well as satisfying content compliance requirements in isolation.

With a wider suite of enterprise management tools available around AirWatch Content locker, the company is able to combine mobile management capabilities for web apps, identity, and content stores (rather than only addressing the content management component).

How established is it?

AirWatch was founded in 2003. Initially the company concentrated on managing wireless endpoints and ruggedized devices, but in 2006 it began to focus on Enterprise Mobility Management – covering any mobile devices under an organisation’s control.

AirWatch was acquired by VMware for $1.54bn in 2014. VMware is 80% owned by EMC and is part of the EMC Federation alongside EMC, Pivotal, RSA, VCE and Virtualstream. The AirWatch business now has over 1,800 employees (representing around 10% of VMware’s total workforce).

The VMware AirWatch EMM platform has more than 16,000 customers in over 150 countries, and is available in 17 languages. Customers include National Bank of Canada, Delta Airlines, Air France, Australian Sports Commission, University of Westminster, UK National Health Service, Roland, Ted Baker, and City Electrical Factors.

VMware’s total revenue was $6.57bn in 2015 (up 9% on 2014’s figures). Its End-User Computing business however performed stronger than the company as a whole, seeing revenue grow 30% to $1.2bn, with AirWatch products contributing $370m to that figure (up 85% on 2014).

How open is it?

AirWatch has exposed RESTful APIs that allow app developers to access personal content and take advantage of its sync engine. AirWatch AppShield partners are encouraged to develop apps based on AirWatch’s framework and open APIs and make them available in the AirWatch Marketplace (see below).

Who does it partner with?

As well as VMware partners that resell AirWatch, the latter maintains its own three-strand partner programme:

  • Service Provider Partners – organisations that currently deliver mobility solutions to their own customer bases, providing EMM as a managed service (potentially ‘white-labelled’) from within the AirWatch-hosted infrastructure.
  • Technology Partners – technology vendors (such as device manufacturers, software vendors, service providers, Original Equipment Manufacturers) with significant market share within their own industries, integrating their hardware or software systems with the AirWatch solution.
  • AppShield Partners – software vendors, third-party developers, Mobile Application Development Platform and app mobilisation partners whose products and services integrate with the AirWatch EMM platform and tie into its security and management framework. AppShield apps are available on the AirWatch Marketplace. Partners include Dropbox, Netskope, Splunk, Box, Cisco, and LG.

Are there areas for improvement?

AirWatch isn’t alone in focusing on creating a “frictionless environment” for end-users on their mobile devices and its strategy for delivering this relies on third-party apps (from partners, or elsewhere in the EMC Federation) as well as native technologies. Some of its partners, especially in the content management / collaboration space, are also intent on placing their own offerings at the heart of your content / collaboration environment. AirWatch needs to ensure its coverage of mobile management capabilities keeps its customers from shifting their centre of gravity to other (content management) providers as these vendors strengthen their mobility credentials.

What’s next?

VMWare’s End User Computing division overall is focusing on providing an integrated offering, catering for enterprise mobile management needs “from registration to wipe”. Its projects in development – Project A2, which expands management capabilities to physical desktops, and Project Enzo, which manages on-premise or cloud based app seamlessly – expand its mobile focus into other enterprise endpoints.

Another priority for 2016 is the partner ecosystem – with an emphasis on integrations (e.g. mobile security partnerships, for areas not currently served by the AirWatch suite; cloud providers, to widen the coverage of SaaS offerings; and system integrators, to help embed the products into custom solutions). The last point is in response to scenarios where digital services are presented as functionality buried within other applications, or users are able to respond to notifications and widgets without going into specific apps themselves. It’s all designed to make the end-user’s experience more ‘frictionless’, but comes with potentially a greater management headache. Strategic ecosystem partnerships represent one way the company is securing its EMM framework’s position within enterprise architectures as the lines between applications become more blurred.

AirWatch is poised to embed Microsoft rights management policy based on posture into its products, to update Digital Rights Management capabilities. It’s also enhancing the level of restrictions that IT teams can place on access to offline content (such as offering limited preview functionality offline, with editing rights returning only when the user’s credentials and device security posture can be re-checked).

Should I consider it?

The AirWatch perspective is that of the mobile worker in an enterprise setting. Its focus is on delivering them a frictionless experience, while providing IT teams with tools to ensure security, integration, and management considerations are met. If mobile scenarios feature large in your content management / collaboration use cases, then ‘working backwards from the glass’ by deploying Content Locker and relying on AirWatch’s suite either to provide suitable capabilities natively, or wrapping security features around other apps, will ensure that your content workflow is supported by integrated tools that are well aligned with secure mobile workstyles. The company views the importance of seamless identity integration as crucial to successful digital transformations, bundling Content Locker in with VMware Workspace ONE as well as the AirWatch management suites.

The extent to which this is the right approach for your organisation will depend on whether the focus of your content work is with mobile, or more on fixed managed endpoints within the enterprise boundary. From an EMM capabilities perspective though, AirWatch’s management suite tools – particularly privacy safeguards – make AirWatch Content Locker an ideal management tool in BYOD environments.

Beyond discussion of AirWatch’s product capabilities, however, is the current uncertainly surrounding the long-term future of parent VMware in the context of Dell’s acquisition of EMC (expected to close during 2016) – and whether any change in ownership or status this will have a material effect upon development priorities and partnerships. AirWatch’s strong performance within VMware’s End User Computing business would seem likely to protect it from ‘portfolio rationalisation’, but the company’s roadmap for 2017 and beyond is likely to need a refresh once the dust has settled on the Dell / EMC deal.

Download PDF version