2012 Evaluation Team Report: Mobile Device Management (MDM)
Definition and Key Product Considerations
As part of the evaluation process, the 2012 University MDM Evaluation Team presents the following definition of Mobile Device Management and outlines key considerations for determining the best MDM solution for a given environment. We make no specific product recommendations, but instead offer a set of considerations to help guide the process of choosing and implementing an MDM solution at the University. In addition, through the course of the evaluation, we reviewed several well-known products in the industry and include in our findings detailed summaries of each, including key features and vendor contact information where available.
Defining Mobile Device Management
The needs met by Mobile Device Management (MDM) are diverse, but at its core, an MDM product establishes settings on a group of mobile devices to meet security or other needs. Common uses are application and content distribution, asset management, user support, and security policy application and enforcement. Policies and settings are often pushed to devices via Exchange ActiveSync (EAS), though some products and platforms use agents running on the mobile device.
For the most basic needs, MDM is already being done at the University: those accessing University email services via Exchange ActiveSync typically have security policies applied in accordance with the University's Policy on Server-Managed PDAs. These policies are applied by ISC's Exchange service, Wharton's Exchange service, and others. ISC's Zimbra service is capable of applying these policies, but is not yet doing so.
Beyond that, anyone considering using MDM should inventory their needs. Here are the three key questions to consider before choosing a mobile device management solution:
- Standalone, or integrated product?
In general, standalone products have more features, simpler interfaces, and function better. However, for those wanting to manage both mobile and desktop clients, an integrated product is likely worth considering: is a desktop management solution already in place, and if so, does it offer an MDM component? If so, the benefits of a quicker deployment and a unified environment may outweigh the shortcomings relative to a dedicated product.
- What do you want to manage, and what will you want to manage?
What does the environment to be managed look like now? What will it look like in two years? An iOS-only environment can get by with iOS-focused tools, but those considering supporting Android, Windows Phone, or other mobile OSes should keep that in mind when choosing a product.
- Managing one group, or many?
Does the product need to apply one set of policies to a single group of users, or several sets of policies to several sets of users? Particularly in larger organizations, a product that can easily handle multi-tenancy is key.
Since they tend to be in very regular use, and are virtually always with the user, mobile devices are highly personal. Even when a device is provided by the organization, users regard it as theirs, and attempts to apply restrictions or controls are often unwelcome or perceived as unduly restrictive.
As such, expectations need to be established at the outset that some degree of management is a requisite to using the devices. The security policies applied generally pay ample dividends in protecting the user's own data as well as corporate data, and this should be made clear: without management, users may have no way to locate or wipe a lost or stolen device.
Full MDM solutions are not always necessary. If concerns are limited to ensuring that email, contact, and calendar data are properly synchronized and secured, solutions such as Divide, Good, and TouchDown provide that functionality without otherwise affecting the device. This can simplify management and reduce user frustration, because management applies only to the application or environment that contains the corporate data.
Absolute Manage Mobile Device Management software, by the Absolute Software Corporation, provides remote management capabilities for iOS, Android, and Windows Phone devices. The product can be integrated with their well-known Absolute Manage endpoint management solution for a fully integrated lifecycle management and mobile device solution.
In addition to basic mobile device management features, the Absolute Manage MDM solution provides mobile application management and mobile content management solutions. In addition, Absolute was one of the few products evaluated that provides device geotracking. The product is currently in use at the Graduate School of Education for a deployment of over 400 iPad devices.
Absolute is a full Mobile Device Management suite, allowing management of Android, iOS, and Windows Phone (7+) devices. Absolute's main console is an application that links into the organization's Absolute server, allowing for management from any machine that has the Admin application installed. It provides basic abilities to secure devices and push configuration profiles, as well as basic geo-tracking capabilities and asset inventory.
Absolute Manage MDM does not require that an agent be installed on a device for basic management and inventory functions, such as device querying, profile deployment and remote lock/wipe. However, the installation of the Absolute Apps app enables the distribution of apps through a self-service portal, device geo-tracking, deployment of in-house apps, on-demand configuration profiles, device messaging, and detection of jailbroken devices.
Absolute integrates with the Apple Volume Purchase Program (VPP) for application deployment, and third-party apps deployed via the product can be configured to keep their data out of local backups and to be removed automatically when the device is unenrolled from the MDM.
In addition to basic management and tracking, Absolute, through a recently released product called "AbsoluteSafe" (available through the App Store), allows for mobile content management on iOS devices. Documents and media can be pushed to devices through the AbsoluteSafe app and can be set to prevent the files from being emailed or printed, or from being accessed at certain times. In addition, the AbsoluteSafe app allows for automatic deletion of files.
Absolute Manage excels at iOS management, and has historically supported new iOS versions on the day of release. Volume Purchase Program compatibility is a core feature: in addition to automating VPP app deployments, it provides options to keep deployed apps' data out of device backups and to remove the apps when the device leaves MDM management. In addition, with the release of the "AbsoluteFind" app for iOS, administrators can view current and historical geo-tracking information, query device information, and directly message, lock, and wipe managed devices enrolled in Absolute MDM.
Absolute supports a broad range of Android devices and offers a feature set comparable to its iOS support. The product allows for the distribution of Google Play (formerly Android Market) apps to mobile users. In addition, Absolute Manage 6.1, released in May 2012, adds capabilities for ultra-portable devices, such as enhanced Mobile Application Management, including silent installation and removal of apps so that apps are installed or removed automatically based on device status and/or the user's role within the organization.
Absolute is flexible and can be deployed either through a Software as a Service model offered through Absolute or installed and set up on local servers. The software is dual-platform and can be installed on either Mac OS X Server or Windows Server 2008. In either case, Absolute offers installation services.
Absolute integrates with Active Directory, LDAP, and other methods of user management and enrollment.
Pricing is determined by the type of installation, whether purchasing standalone or as part of the Absolute Manage suite, and by the number of managed devices, on a client-by-client basis.
- Absolute Manage provides mobile content management via the AbsoluteSafe app
- Absolute offers both hosted and local installation solutions
- Absolute MDM offers device geo-tracking for managed devices
NotifyMDM is a lesser-known but feature-complete Mobile Device Management solution by Notify Corp. While Notify is better known for its cost-effective contact and email sync applications, NotifyMDM is a reasonable choice for those seeking a low-cost solution for a small- to medium-scale deployment.
The administration console is browser-based, and functions well in Firefox and Internet Explorer, though it occasionally has problems with Chrome. NotifyMDM is multi-tenancy capable, and can interface with multiple Exchange or Zimbra servers on the back-end.
NotifyMDM has a reasonable array of features, and is produced by a company that, though unfamiliar with the higher education market, is willing to work with the University to make sure solutions are implemented properly. SAS has done some work with Notify for their NotifyLink product, and found vendor support to be decent, though they did encounter some minor problems.
The product manages Android and iOS devices (see the platform notes below for differences in depth), and supports what management hooks are available in Windows Phone 7. BlackBerry management is possible, but works best when paired with NotifySync, the company's Exchange ActiveSync client for BlackBerry devices.
The product features a basic, somewhat dated interface offering three methods for assigning policy suites: a wizard, toggle sliders, or manual specification of individual options. Privacy controls are built in, and collection of certain sensitive information, such as location and SMS tracking, can be disabled at the admin level. Additionally, the product features an administrator audit trail that records the recent management actions of individual administrator accounts.
At-a-glance deployment status is possible via a graphical Activity Monitor, which has a series of charts that can show device activation status, software version, policy application, and more. Synchronization schedules can be defined, allowing for customized behaviors for peak and off-peak hours. The product allows for differentiated management on a per-user and/or per-device basis, allowing different settings to be applied to a personal device vs. a corporate device, and to a staff member versus a student.
NotifyMDM's self-administration portal can be accessed via mobile or desktop browser, and allows users to perform basic management such as provisioning, device location and locking, remote wipe, and more. These capabilities differ by platform, but the basic suite of EAS capabilities is generally available.
iOS policies can be configured in an iOS-only console, separate from the main management interface. This console supports settings for FaceTime, Siri, Photo Stream, iCloud, and more. Additionally, the admin or self-service portal can handle device location, lock, selective wipe (of EAS data), passcode clearing, and certificate installation. NotifyMDM also allows for basic management of apps purchased via the Apple Volume Purchase Program.
Android management is more limited than iOS, and only supports EAS-based management. Device location, lock, and wipe are possible. NotifyMDM can check whether Android devices have been rooted, and will alert administrators when rooted devices are detected. Additionally, for those desiring "sandboxed" email on Android, the product integrates with TouchDown.
NotifyMDM runs on Windows Server 2008, Microsoft SQL Server, and IIS. It is available in either hosted (off-premises) or on-premises configurations, can interact with Exchange and Zimbra, and can import users via LDAP.
While particular prices were not discussed with Notify, all indicators are that they could offer very competitive rates.
- Hands-off open user enrollment, with enrollment determined by email address or Exchange domain
IBM Tivoli Endpoint Manager for Mobile Devices is the newest module of IBM's desktop management product, released in June 2012. The Endpoint Manager tool is built on BigFix technology, which IBM acquired in 2010. IBM has come late to the game, and the product does not seem to be as fully featured as many of its competitors, but it incorporates all of the basic functions of an MDM product within its main console for the convenience of the existing user base.
Administration is performed through a module within the Tivoli Endpoint Manager Console, and a self-service portal is included for end-user convenience. Tivoli Endpoint Manager for Mobile Devices is multi-tenancy capable and has Exchange and iOS extenders to allow for management of email on mobile devices.
Tivoli Endpoint Manager for Mobile Devices has a modest feature set; it was developed by BigFix but is now owned by IBM, a powerhouse in the industry and in Higher Ed markets. TSS has already implemented Tivoli Endpoint Manager for desktop management and uses the multi-tenancy capability to offer the product as a service to several departments across campus, but has not deployed the MDM module at all. Support has been good overall, with technical support rated much higher than licensing and sales support.
The product has two different forms of management: agent-based and ActiveSync-based. Agent-based management supports Apple iOS 4 and 5 (iPhone, iPad, and iPod Touch), Android (ARM) versions 2.2, 2.3.x, 3.x, and 4.x (phones and tablets), and Windows Mobile 5.x and 6.x. ActiveSync-based management covers devices connecting through Microsoft Exchange Server 2007 or 2010 using the ActiveSync protocol, including Apple iOS, Android, Symbian, Windows Phone, Windows Mobile, and other devices supported by Exchange. It also supports Lotus Notes Traveler, as it is an IBM product.
The product features the same interface that the Tivoli Endpoint Manager Console uses, which is user friendly and intuitive. To view devices, there are panes that can be viewed in several ways including in groups or as individual devices complete with pictures of the devices themselves along with specs and information. There are tabs for installed applications, iOS profiles/Android settings, Security information, and Management commands.
At-a-glance deployment status is possible via the same view used for all Tivoli Endpoint Manager actions, which shows the state each action is in. Actions can be scheduled as well. The product allows for differentiated management on a per-user and/or per-device basis, allowing different settings to be applied to a personal device vs. a corporate device, and to a staff member versus a student.
The Tivoli Endpoint Manager for Mobile Devices self-administration portal can be accessed via a browser, and allows users to perform basic management.
iOS policies can be configured in several ways, and the product supports the standard iOS settings and inventory, including battery information and checking whether the device is jailbroken. Additionally, the admin or self-service portal can handle device location, lock, selective wipe (of EAS data), full wipe back to factory settings, passcode clearing, and certificate installation. Tivoli Endpoint Manager for Mobile Devices also allows for basic management of apps purchased via the Apple Volume Purchase Program, as well as the option to deploy "managed apps" that can be removed from the device if it is removed from management.
Android management appears to be on par with iOS. The standard settings are the same; however, there is no volume purchasing or managed-apps option, since there is no control over Google Play comparable to that over the App Store on iOS. Tivoli Endpoint Manager for Mobile Devices can check whether Android devices have been rooted.
The backend of Tivoli Endpoint Manager runs on Windows Server 2008 R2 with Microsoft SQL Server. The Console runs on Windows XP, Vista, and 7; Windows 8 is not supported at this time but is being tested. The client is obtained from Google Play or the App Store, and the profile is deployed from the Tivoli Endpoint Manager for Mobile Devices module via the Tivoli Endpoint Manager Console.
Pricing is determined by volume by IBM on a client-by-client basis. There is an education discount.
- Integrated into the Tivoli Endpoint Manager Console
AirWatch is an industry leading product with a compelling feature list, dedicated Education team, and flexible deployment model. The product scales up to manage the world's largest mobile device deployments, but also functions well within smaller environments. The company is highly responsive to technology changes and is well regarded within the industry. Management is performed via an HTML5 web application, which looked to be one of the best of the products the team considered. Additionally, a rich reporting mechanism allows extensive insight into device usage and costs.
Of the products the team considered, AirWatch was considered perhaps the most compelling full Mobile Device Management solution, and the vendor's Education team seemed both eager and very familiar with the Higher Education market. The company's dedication of nearly half of their employees to research and development was promising, resulting in a highly refined, exceptionally current feature list.
AirWatch is a full and mature Mobile Device Management suite, allowing full management of Android and iOS, with additional management of BlackBerry and Windows Phone devices. AirWatch has recently added support for OS X management, though the team did not see this demonstrated. The product is widely regarded as the industry leader, and is used in some of the world's largest deployments by companies such as Coca-Cola, GE, and Home Depot. Gartner regards AirWatch as a leader in the MDM Magic Quadrant.
The product is comprehensive, and geared to managing devices throughout the entire lifecycle. It allows for role-based access, and integrates well into a multi-tenancy environment in which different LSPs could easily be delegated authority over specific groups of users. Users with multiple devices, and those carrying both personal and corporate devices, are easily handled by AirWatch.
AirWatch has a strong automated monitoring and compliance mechanism which requires a minimum amount of configuration thanks to pre-populated reports. The product can be configured to perform actions based on device status, and can notify users of required actions, as well as escalate to an administrator when requirements are not met. The client can also be configured to lock or wipe devices out of compliance, or just remove AirWatch-managed sensitive information.
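The compliance behavior described above, together with NotifyMDM's rooted-device alerting and the per-user/per-device policy differentiation described for NotifyMDM and Tivoli, can be pictured as a small rules engine: resolve a policy from device ownership and user role, evaluate the device's reported state against it, then pick an action on an escalation ladder. The following is an illustration added to this report, not code from AirWatch, NotifyMDM, IBM, or any other vendor; the device fields, policy thresholds, and action names are assumptions chosen for the example, and the sample inventory is constructed.

```python
"""Toy MDM compliance engine (added example; not from any product described)."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


# Device inventory record. Field names are assumptions for this example; each
# mirrors an attribute the report says agents report (OS version, jailbreak/root
# status, passcode, encryption, ownership, user role).
@dataclass
class Device:
    device_id: str
    platform: str        # "ios" or "android"
    os_version: str      # dotted version string as reported by the agent
    ownership: str       # "corporate" or "personal"
    user_role: str       # "staff" or "student"
    passcode_set: bool
    encrypted: bool
    compromised: bool    # jailbroken (iOS) or rooted (Android)
    strikes: int = 0     # prior user notifications for the same open violation


@dataclass
class Policy:
    name: str
    min_os: Dict[str, str]            # per-platform minimum version
    require_passcode: bool
    require_encryption: bool
    strikes_before_escalation: int    # user notices before an admin is alerted


# Differentiated policies keyed by (ownership, role): personal vs. corporate
# devices and staff vs. students. Thresholds are illustrative assumptions.
POLICIES: Dict[Tuple[str, str], Policy] = {
    ("corporate", "staff"): Policy("corporate-staff", {"ios": "5.0", "android": "4.0"}, True, True, 1),
    ("personal", "staff"): Policy("personal-staff", {"ios": "5.0", "android": "2.3"}, True, False, 2),
    ("personal", "student"): Policy("personal-student", {"ios": "4.0", "android": "2.2"}, True, False, 3),
}
DEFAULT_POLICY = POLICIES[("personal", "student")]


def select_policy(device: Device) -> Policy:
    """Resolve the policy suite for a device from its ownership and the user's role."""
    return POLICIES.get((device.ownership, device.user_role), DEFAULT_POLICY)


def version_tuple(version: str) -> Tuple[int, ...]:
    """'5.1.1' -> (5, 1, 1); non-numeric components (e.g. a build suffix) are ignored."""
    return tuple(int(p) for p in version.split(".") if p.isdigit())


def evaluate(device: Device, policy: Policy) -> List[str]:
    """Return the list of policy violations (empty when the device is compliant)."""
    violations = []
    min_os = policy.min_os.get(device.platform)
    if min_os and version_tuple(device.os_version) < version_tuple(min_os):
        violations.append(f"os_version {device.os_version} below minimum {min_os}")
    if policy.require_passcode and not device.passcode_set:
        violations.append("passcode not set")
    if policy.require_encryption and not device.encrypted:
        violations.append("storage not encrypted")
    if device.compromised:
        violations.append("device jailbroken/rooted")
    return violations


def decide_action(device: Device, policy: Policy, violations: List[str]) -> str:
    """Escalation ladder: notify user -> escalate to admin; compromised devices skip to wipe."""
    if not violations:
        return "none"
    if device.compromised:
        # A rooted/jailbroken device cannot be trusted to enforce policy, so act at once.
        # A personal device loses only the managed data (enterprise wipe); a corporate
        # device is wiped back to factory settings.
        return "enterprise_wipe" if device.ownership == "personal" else "full_wipe"
    if device.strikes < policy.strikes_before_escalation:
        return "notify_user"
    return "escalate_admin"


def process(device: Device) -> Dict[str, object]:
    """One compliance pass: which policy applied, what failed, and what to do about it."""
    policy = select_policy(device)
    violations = evaluate(device, policy)
    return {"device": device.device_id, "policy": policy.name,
            "violations": violations, "action": decide_action(device, policy, violations)}


# Constructed sample inventory (not real data).
SAMPLE_DEVICES = [
    Device("ipad-001", "ios", "5.1.1", "corporate", "staff", True, True, False),
    Device("nexus-002", "android", "2.2", "personal", "student", True, False, True),
    Device("galaxy-003", "android", "2.2", "personal", "staff", True, False, False, strikes=0),
    Device("galaxy-004", "android", "2.2", "personal", "staff", True, False, False, strikes=2),
    Device("iphone-005", "ios", "5.0", "corporate", "staff", False, False, True),
]

if __name__ == "__main__":
    for result in map(process, SAMPLE_DEVICES):
        print(result)
```

The design point worth noting is the split between a compromised device and an ordinary violation: an out-of-date OS or a missing passcode is something the user can fix, so the engine notifies first and only escalates after repeated strikes, whereas a rooted or jailbroken device can no longer be trusted to apply the policy at all, so the managed data is removed immediately, and on a personal device only the managed data, which is the distinction the user-expectation discussion earlier in this report turns on.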
The product has additional strength in asset management and had the best Telecom Expense Management (TEM) of the products considered.
AirWatch excels at iOS management, and has historically supported new iOS versions on the day of release. Volume Purchasing Program compatibility is a core functionality, and has the ability to automate VPP app deployments and revocations.
AirWatch supports the full suite of Android management APIs, and was the only company to mention additional capabilities for heavily modified devices such as the Kindle Fire. Android management is performed via an agent that can be installed from the Google Play Store, Amazon Appstore, or distributed via email or a portal. The product can force Android devices into "Kiosk Mode", which limits access to applications and settings.
AirWatch is flexible and can be deployed in one of three models:
- Cloud-hosted Software as a Service (60% of their customers use this model)
- On premise appliance deployment (40% of their customers use this model)
- Hybrid deployment with management primarily from the cloud-based SaaS console, with a local appliance for redundancy.
AirWatch integrates with Active Directory, LDAP, and other methods of user management and enrollment. They were unsure if full compatibility with the University's CoSign implementation was possible, but were optimistic that it could work.
While particular pricing would be negotiated for an actual deployment, AirWatch told the team that costs start at $9 per device per year, and could be substantially lower with a University-wide license. A one-time fee perpetual license model is also possible.
- AirWatch provides access to the AirWatch API, which allows applications to be built with AirWatch technology at the core.
- A self-service portal can be configured to allow users to log in to perform functions such as locating devices, making them sound a tone, and tracking their location history.
- A secure content locker provides access to pushed content and prevents it from being accessed from outside of the app if so configured. AirWatch does not presently integrate with Box.
- AirWatch features richer Telecom Expense Management (TEM) than other products considered.
Additional Mobile Device Management Products
While the team did not have time to review each of the many mobile device management products, a familiarity was developed with a number of additional MDM tools. Summary notes on those products appear below.
Bomgar's product focus is remote support, but also includes basic MDM capabilities. Bomgar sells all of their solutions packaged together for a single price, and pricing for educational institutions is very favorable. Bomgar operates from an on-premise "Bomgar Box", and does not support multi-tenancy. Due to the architecture, traffic is kept local, which results in low latency and quick management.
For support, Bomgar is well regarded and is notably used as Apple's internal support mechanism. It bears noting that the MDM component is essentially untested, as that portion is new. The company is willing to deploy a test implementation for a trial.
BoxTone was originally a BlackBerry monitoring utility that has more recently branched out into Android, iOS, and Windows Phone management. In addition to the usual suite of MDM tools, BoxTone includes service desk integration, allowing for integration with support tools. Additionally, containerization is supported via Good across most platforms, or TouchDown for Android.
The Support Management component features two sections: A user self-support portal, giving end users access to a number of frequently asked questions and self-diagnosis procedures, and a Service Desk. The web-based service desk provides access to device metrics such as software version, battery and wireless state, timeline of events, etc. Additionally, a diagnosis engine automates many repairs.
Divide, by Enterproid, is a free alternative to the built-in Android and iOS Exchange ActiveSync clients. The product runs as a secure, containerized, encrypted EAS client that mimics the look and feel of the native applications. Operating in a 'dual persona' environment, the product aims to allow users to switch between the 'work persona' and the 'personal persona' without mingling data between the two. On Android, the 'work persona' essentially runs as a virtual, independent device. Divide is a supported client at the University, and more information is available from ISC's Divide page.
While the client is available unmanaged from Google Play and Apple's App Store, the Divide Manager allows administrators of the email domain to perform basic management such as pushing certificates, setting security policies for access to the application, and remotely wiping the 'work persona'. The University has an agreement with Enterproid that provides free access to the Divide Manager, which is suitable for light MDM.
Good is a product aimed less at device management and more at data management. It was the most expensive product the team considered. Good is primarily a security product that compartmentalizes enterprise data within a container, securing it from other applications. The product is currently unique in featuring FIPS 140-2 validation; note that such validation applies to the product's cryptographic module rather than to the product as a whole.
The product regards mobile devices as insecure endpoints, and whenever possible, acts as a window to data left on the server, rather than pulling data to the device itself. This ardent focus on security makes Good popular among financial firms, government agencies, and security companies.
Good's primary benefit is robust security, and provides secure connections to the server for messaging, access to corporate data, and device management traffic. Additionally, Good has deep integration for additional security technologies such as S/MIME for email encryption. APIs are available for integration into other products. The client runs on Android, iOS, and Windows Phone 7. Notably, the iOS client does not support push notifications.
Good lacks a cloud-based product, and runs on-premise. Management is done via a web based console.
MobileIron is a comprehensive MDM tool with extensive partnerships and sizable market share. While the company does not have a Higher Education team, their presence at a number of other Universities ensures that they are not entirely unfamiliar with the environment.
MobileIron's product excels at device lifecycle management, and capably handles both corporate and personal devices. The product has app distribution, management, and inventory built in as a core feature. It most capably handles Android and iOS management, can integrate with a BES for BlackBerry management, and can also do some level of OS X and Windows Phone management. The company is usually fairly quick to support new releases, though other products (notably AirWatch) are quicker.
The MobileIron management client is browser-based, and can handle all normal MDM functions such as remote wipe and device location, as well as more advanced features such as 'data boundaries' which control data usage. MobileIron has a small set of APIs that allow for extraction of metrics from devices and integration into Telecom Expense Management products, though MobileIron does not do TEM itself.
MobileIron can run as a cloud product, on-premise, or in a hybrid model. The on-premise solution involves running an appliance, or an ESX virtual machine.