As recently as a year ago, many enterprises couldn't have imagined that the iPhone would now be second place in terms of security features that enterprises require, behind only the BlackBerry and ahead of Android and Microsoft's Windows Phone 7.
But at the end of 2010, that's how many enterprises regard the smartphone landscape. Over the next couple of years, experts predict that BlackBerry will hold onto the most security-conscious enterprises but that the other platforms will take up a growing share of the market.
The release of iOS4, the latest iPhone software that came out in June, marked a dramatic shift in the enterprise smartphone market. With that update, many CIOs grudgingly admitted that the iPhone had became "good enough" to meet the most basic security requirements that most enterprises need, said Tim Weingarten, CEO of Visage Mobile.
Visage Mobile's software manages 100,000 devices from U.S. corporations of every size. Among those devices, BlackBerrys still outnumber iPhones and Android phones 10 to one, he said.
Research In Motion currently has 51.2 percent market share in the enterprise, according to recent research from comScore. Apple follows with 22.7 percent and Android comes in third with 12.1 percent market share. Microsoft trails at 8.8 percent, comScore found.
In the wider market, RIM's share of the U.S. smartphone market dropped from 39.3 percent in July 2010 to 35.8 percent in October 2010, ComScore said.
The smartphone mix in an enterprise often depends on who actually buys the phones. Corporations that decide to standardize on a platform and issue phones to workers tend to go with BlackBerry, said Tony Kueh, senior director of enterprise mobility management for Sybase.
But when companies offer to subsidize the users' data plans and let workers buy their own phones, people are choosing iPhones, he said.
Updates to the iPhone since it first launched have allowed it to be an option for corporate workers.
"If you'd talked to someone in IT at a typical corporation prior to the launch of iOS 4, they would have said it was nowhere good enough and they weren't going to support it," Weingarten said. But there was "a sea change with iOS 4," he said.
Now the iPhone offers just enough security to make it palatable to most enterprises, he said. Onboard device encryption is built into the hardware and it supports remote wipe and kill as well as passwords. The iPhone supports 20 of about 40 policies built into ActiveSync, he said.
Android has improved with version 2.2 of the software, but most enterprises say it isn't there yet. "Android is a few steps behind the iPhone in terms of security capabilities," Kueh said.
Google has just released Android 2.3, which will first become available this week on the Nexus S phone. "I did not see any feature enhancements for enterprises in 2.3," said Ken Dulaney, an analyst at Gartner. "I suspect and hope there will be announcements for the enterprise in 3.0 because right now the Android system is about where iPhone 2 was."
Rehabcare, a company that owns and operates hospitals, is one organization holding off on Android. "We're still not satisfied with the security capabilities," said Dick Escue, CIO for Rehabcare. He mainly deploys iPhone.
Android 2.2 is the first version of the operating system to support meaningful enterprise security features, but it doesn't support as many as iOS does, Weingarten said. Currently about 43 percent of Android phones are running version 2.2.
IT administrators can enforce password policies and remotely wipe Android 2.2 phones.
But other important features are missing. For instance, file system encryption isn't available on Android, Kueh said. That means if users root their phones, they have access to the file system and can copy e-mail databases, he said. Even if there is app-level encryption, the key potentially could be found somewhere on the device, he said. "It's pretty hackable," he said.
Android presents additional problems for enterprises with its open application store. That makes employers worry that workers might accidentally download an application that contains malware that could corrupt corporate data.
In addition, Escue worries about the many different versions of the operating system on the market at any given time. "We are concerned about the fact that there are, and may always be, many different implementations of Android, which makes our ability to support them difficult," he said.
Experts have differing opinions on whether to expect Google to improve features that might appeal to enterprises. The release of Google Apps Device Policy, which allows for management of many phones including Android, indicates that Google is interested in and serious about serving enterprise customers, Weingarten said.
"Android is behind but it's going to catch up," he predicts.
Kueh didn't sound so sure. "I would hope future versions will beef it up, there is demand for it," he said. "The question is how committed Google is in terms of addressing the enterprise market."
Third-party vendors might help bring Android into the enterprise. Mobile-device-management software providers like Sybase helped the iPhone become more useable in the enterprise, said Kitty Weldon, an analyst with Current Analysis. She expects the same for Android.
Gregg Davis, CIO for Webcor Builders, primarily uses BlackBerry devices but has begun using Good Technology to control the Android phones he supports. That allows him to securely send e-mail, contacts and other data through the secure Good servers and also remotely manage and control the phones.
In addition, phone makers are adding their own features to Android, Weldon noted. For instance, Motorola's Droid Pro includes a number of features that other Android phones don't, including remote wipe of SD (Secure Digital) cards, the ability to force users to create new passwords after a set time, and a VPN.
Android 2.2 included device policy management APIs (application programming interfaces) that allow developers to write applications, which for example enforce minimum password strength, remotely set passwords, enforce regular password changes, remotely lock devices, set password complexity rules and wipe the phone after a set number of failed login attempts.
Despite Microsoft's reputation as an enterprise vendor, Windows Phone 7 is at the bottom of the list in terms of features for corporate users -- for now.
Of the 40 or so policies supported in ActiveSync, WP7 supports about 8. The phones are less secure than their predecessors running Windows Mobile 6.5.
"They did rip out almost everything enterprises would have used to develop apps and you can't manage it, other than the few things you can do through Exchange server," Kueh said.
WP7 devices are not compatible with Microsoft's System Center Mobile Device Manager, software that lets IT workers manage Windows Mobile 6.5 phones. Microsoft had already started de-emphasizing System Center for mobile "because it got a bad reputation of being cumbersome to deploy," Weldon said. It boosted ActiveSync capabilities slightly in response, she said.
Because WP7 applications must be built using Silverlight, developers must essentially re-write apps that previously worked on Windows Mobile 6.5. In addition, the phones no longer have a lightweight version of SQL, meaning there is no database access on the device, Kueh said.
Vendors and analysts expect Microsoft to add more features in future updates to the software.
In addition, if Microsoft succeeds in attracting consumers to WP7, that could drive more enterprise adoption, Weldon said. "If Windows Phone 7 takes off among consumers, then you have the same thing going on with the iPhone and Android. People will bring it into the enterprise and maybe that's the plan," she said.