Researchers customize Android for sophisticated smartphone lockdown

20.10.2011

How does the software actually work?

The software is a custom version of Android, so it would be loaded onto the smartphone that you want to lock down, such as a Nexus S. Once the software is on the Android device, multiple security features can be enabled and disabled from a remote location. For example, we can force specific phones to require 2-factor authentication, where a user needs both an ID badge and a password to unlock the device. In a military domain, these badges would obviously be unique and personal security badges. Additionally, we are working with multiple technologies on the phone to determine where the phone is physically. The GPS is used occasionally, but we are focusing on more fine-grained localization methods such as Bluetooth proximity, near-field communication [NFC], or using light/sound as a data transfer medium. As the user enters or leaves a "secure" location, there are thousands of policies that we can enforce that change vanilla Android behavior - we can selectively enable/disable the camera, the GPS, the settings on the phone, installing or uninstalling applications, using various applications, allowing copy/paste in some applications and not in others, etc. Technologically, we do this by applying interceptors to key services. If a user attempts to do something restricted, the phone simply ignores that attempt, alters it or reports it. More secure versions could naturally react to an attempt to do something insecure more strictly, such as logging the attempt or locking the phone. 

Additionally, we have created a data jail to secure email, SMS, contacts, etc. -- secure data can be loaded remotely from servers on entry into a room and automatically wiped without trace (it never touches disk) on exit from the room, meaning that if the phone is shut off the data is erased. These applications can simply integrate the secure data with the unsecure, thereby requiring no change to the user workflow. For example, secure emails show up in the standard email application, listed along with unsecure emails -- the only change is a tiny lock icon indicating each secure email. The users interact with the application as normal.  
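The answer above describes three moving parts: interceptors on key services that allow, ignore, alter or report an attempted action, a policy set that is pushed from a server and swapped while the device runs, and an in-memory data jail that is filled on entry to a secure location and emptied on exit. The following Python model is an added illustration of that mechanism and is not the researchers' code (their Android implementation is not shown on this page); the two-zone model, the action names such as camera.open, the package names, the policy format and the sample data are all assumptions made for the example.

```python
# Added illustration of location-aware policy interception plus an in-memory
# data jail. Not the researchers' code; zone names, action names, package
# names and the policy format are assumptions made for this example.
from dataclasses import dataclass
from enum import Enum


class Verdict(Enum):
    ALLOW = "allow"    # vanilla Android behaviour
    IGNORE = "ignore"  # attempt silently dropped
    ALTER = "alter"    # attempt rewritten, e.g. paste delivers an empty clipboard
    REPORT = "report"  # attempt dropped and written to the audit log


@dataclass(frozen=True)
class Policy:
    zone: str               # "public" or "secure" (assumed two-zone model)
    action: str             # e.g. "camera.open", "clipboard.paste", "pkg.install"
    app: str = "*"          # package name, or "*" for any app
    verdict: Verdict = Verdict.ALLOW


class DataJail:
    """Secure items live only in process memory and are dropped on zone exit."""

    def __init__(self):
        self._items = {}

    def load(self, items):
        self._items.update(items)

    def merged_view(self, local_items):
        # Secure and unsecure items side by side; the third field is the lock icon.
        view = [(k, v, False) for k, v in local_items.items()]
        view += [(k, v, True) for k, v in self._items.items()]
        return sorted(view)

    def wipe(self):
        self._items.clear()


class Device:
    """Stands in for the interceptors hooked into key system services."""

    def __init__(self, fetch_secure):
        self.zone = "public"
        self.policies = []
        self.audit = []
        self.jail = DataJail()
        self.fetch_secure = fetch_secure  # stands in for the remote data server

    def push_policies(self, policies):
        """Remote policy push: swap the rule set while the device keeps running."""
        self.policies = list(policies)

    def move_to(self, zone):
        """Localization callback: wipe the jail on exit, refill it on entry."""
        if self.zone == "secure" and zone != "secure":
            self.jail.wipe()
        self.zone = zone
        if zone == "secure":
            self.jail.load(self.fetch_secure())

    def attempt(self, action, app):
        """Interceptor: an app-specific rule beats a wildcard; no rule means vanilla behaviour."""
        match = None
        for p in self.policies:
            if p.zone != self.zone or p.action != action or p.app not in ("*", app):
                continue
            if match is None or (match.app == "*" and p.app != "*"):
                match = p
        verdict = match.verdict if match else Verdict.ALLOW
        if verdict is Verdict.REPORT:
            self.audit.append((self.zone, app, action))
        return verdict


# Constructed policy set for the walk-through below (not real policies).
SAMPLE_POLICIES = [
    Policy("secure", "camera.open", verdict=Verdict.REPORT),
    Policy("secure", "pkg.install", verdict=Verdict.IGNORE),
    Policy("secure", "clipboard.paste", verdict=Verdict.ALTER),
    Policy("secure", "clipboard.paste", app="com.example.mail", verdict=Verdict.ALLOW),
]


def run_scenario():
    # Constructed secure mail item, "served" on entry to the secure zone.
    device = Device(lambda: {"msg-7": "classified briefing"})
    device.push_policies(SAMPLE_POLICIES)
    local = {"msg-1": "lunch plans"}  # constructed unsecure mail already on the device
    out = {"camera_public": device.attempt("camera.open", "com.example.camera")}
    device.move_to("secure")
    out["camera_secure"] = device.attempt("camera.open", "com.example.camera")
    out["install_secure"] = device.attempt("pkg.install", "com.android.vending")
    out["paste_browser"] = device.attempt("clipboard.paste", "com.example.browser")
    out["paste_mail"] = device.attempt("clipboard.paste", "com.example.mail")
    out["inbox_secure"] = device.jail.merged_view(local)
    out["audit"] = list(device.audit)
    device.move_to("public")
    out["inbox_public"] = device.jail.merged_view(local)
    return out
```

Two caveats a practitioner would add. First, wipe() here only drops references: a real "no trace" jail has to keep the secrets out of swap, logs, crash dumps and the garbage-collected heap (Python strings cannot be zeroed in place), which is part of why the researchers customise the platform rather than ship an ordinary app. Second, the enforcement point is the localization signal; if Bluetooth, NFC or light/sound proximity cannot be established, the device should fail closed into the public policy set rather than stay in the secure one.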

What was the key breakthrough in developing this technology?

Adding interceptors to the Android services and the creation of a custom "data jail" technology to ensure that app doesn't get transferred to another process or stored on disk. They enable us to allow or reject thousands of user behaviors on Android, while the device is running. Additionally, the policy for allowed/disallowed behaviors can be pushed from a remote server and changed while the phone is executing, which does not interrupt the user's current workflow at all.

How does this technology compare to existing commercial offerings?