Comparing the leading mobile device management products
Expert Matt Pascucci examines the top mobile device management offerings to help you determine which MDM products are the best fit for your organization.
The mobile device management space is growing at a rapid pace, and MDM is widely used across the enterprise to manage and secure smartphones and tablets. Investing in this technology enables organizations to not just secure mobile devices themselves, but the data on them and the corporate networks they connect to, as well.
The market for MDM software is saturated now, and there are new vendors arriving in this vertical on a consistent basis. Many of the larger names in mobile security, meanwhile, have been buying up smaller vendors and integrating their technology into their mobile management offerings, while others have remained pure mobile device management companies from the beginning. So what are the best mobile device management products available today?
Since the mobile security market has become so crowded, it is harder than ever to determine what the best mobile device management products are for an organization's environment.
To make choosing easier for readers, this article evaluates five leading EMM companies that offer MDM as a part of their bundles, and their products, against the most important criteria to consider when procuring and deploying mobile security in the enterprise. These criteria include MDM implementation, app integration, containerization vs. non-containerization, licensing models and policy management. The mobile management vendors covered are Good Technology Inc., VMware AirWatch, MobileIron Inc., IBM MaaS360, Sophos and Citrix.
That being said, there are also niche players -- such as BlackBerry -- that are attempting to move into the broader MDM market outside of just securing and managing their own hardware, in addition to free offerings from the likes of Google that have attempted to compete with the above list of MDM vendors by providing tools to assist in Android device management. Even Microsoft has a small amount of MDM built into its operating systems to manage mobile devices.
Today, the vast majority of mobile devices in use -- both smartphones and tablets -- run on either Apple's iOS or Google's Android OS. So while many of today's MDM products are also capable of managing Windows Phones, BlackBerry devices and so on, this article focuses mostly on their Apple and Android management and security capabilities.
Selecting the best mobile device management product for your organization isn't easy. By using the criteria presented in this feature and asking six crucial questions before buying MDM software, an organization will find it easier to procure the right mobile management and security products to satisfy its enterprise needs.
Criteria #1: Implementation of MDM
Organizations should understand and plan out their mobile device deployment and MDM requirements before looking at vendors. The installation criteria for MDM are normally based on a few things: resources, money and hardware. With that being said, there are two distinct installation possibilities when deploying an MDM product.
The first is an on-premises implementation that needs dedicated resources, both from a hardware and technical perspective, to assist with installing the system or application on a network. Vendors like Good Technology with its Good for Enterprise suite require the installation of servers within an organization's DMZ. This will necessitate firewall changes and operating system resources to implement.
Editor's note:
This article discusses MDM, which was a stand-alone area for device management at the time of this article's original publication, but is now regarded as a part of EMM. Although some vendors still sell MDM independently, most offer MDM as a part of a broader EMM strategy. This article's focus is on MDM software and its features. For more information on EMM, see the EMM buyer's guide.
These systems will then need to be managed appropriately to verify that they're consistently patched and scanned for vulnerabilities, among other issues. In essence, this type of MDM deployment is treated as an additional server on an organization's network.
It's possible that a smaller business might shy away from an install of this nature due to the requirements and technical know-how it would take to get off the ground. On the other hand, if businesses are able to manage this type of mobile management and security product, it gives them complete ownership of these systems and the data that's on them.
The second installation type is a cloud-based service that enables an off-premises installation of MDM, removing any concerns regarding management, technical resources and hardware. Vendors like VMware AirWatch and Sophos have the ability to let customers provision their entire MDM product in the cloud and manage the system from any internet connection. This is both a pro and a con: It provides companies with resource constraints -- like not having the experience or headcount -- with the ability to get an MDM product set up quickly, but it does so at the risk of having data reside outside the complete control of these organizations -- within the cloud.
Depending on an organization's resource availability, technical experience and risk appetite, these are the two options -- on-premises and cloud -- currently available for installing MDM.
Criteria #2: App integration
Apps are a major reason mobile device popularity and demand have increased exponentially over the years. Without the ability to have apps work properly and yet securely, the power of mobile devices and the ability for users to take full advantage of these tools become severely limited.
MDM companies have realized this need for functionality and security, so they've created business-grade apps that enable productivity without compromising the integrity of mobile devices, the data on them and the networks to which they connect.
Citrix XenMobile has created XenMobile Apps that are tied together and save data in a secure sandbox on mobile devices, so users don't need to use unapproved apps to send business data to potentially insecure apps out of an enterprise's control. The sandboxing technology works by securing, and even at times partitioning, the MDM app separately from the rest of the mobile OS -- essentially isolating it from the rest of the device, while allowing a user to have the ability to work securely and efficiently.
There are also third-party app vendors that MDM vendors have partnered with to create branded apps. Good Technology has, for example, partnered with many large vendors to accommodate the need to use their apps with a specific MDM environment. This integration between vendors is extremely helpful and adds to the synergy between both vendors to create better security and more productive users. Sophos also allows this with their Secure Workspace feature, which enables users to access files within a container while securing the access to these documents.
Whether you're using apps created by an MDM vendor for additional security, or apps that have been developed through the collaboration of an MDM vendor and a third-party vendor, it's important to know that most of the work on a mobile device is done via these apps, and securing the data that flows through them and is created on them is important.
Criteria #3: Container vs. non-container
There are two major operational options available when researching MDM products: MDM that uses the container approach and MDM that uses the non-container approach. This is a major decision that needs to be made before selecting a mobile management product, as most vendors only subscribe to one of these methods.
This decision, whether to go with the container or non-container method of mobile management, will guide the device policy, app installation policy, BYOD plans and data security for the mobile devices that an organization is looking to manage.
A containerized approach is one that keeps all the data and access to corporate resources contained within an app on a mobile device. This app normally won't allow access to the app from outside the mobile device and vice versa.
Both the Good for Enterprise suite and MaaS360 offer MDM products that enable customers to use a containerized approach. Large companies tend to benefit from this approach -- as do government agencies and financial institutions -- as it tends to offer the highest degree of protection for sensitive data.
Once a container is removed from a mobile device, all organizational data is gone, and the organization can be sure there was no data leakage onto the mobile device.
In contrast to the restricted tactic used by containerization, the non-container approach creates a more fluid and seamless user experience on mobile devices. Companies like VMware AirWatch, Sophos and MobileIron are the leaders in this approach, which enables security on mobile devices via policies and integrated apps. This means these systems rely on pushing policies to the native OS to control their mobile devices. They also support multiple integrated apps -- supplied by trusted vendors the MDM companies have partnered with -- that assist in adding an additional layer of security to their data. These companies also allow the use of containers and help bridge the gap between customer needs.
Many organizations, including startups and those in retail, lean toward the non-container approach for mobile management and security due to the speed and native familiarity that end users already have with their mobile devices -- with OS-bundled calendaring and mail apps, for example. However, keep in mind, in order to completely secure all the data on mobile devices, the non-container approach requires the aforementioned tight MDM policies and integrated apps to enforce the protection of data.
Criteria #4: License models
The licensing model for MDMs has changed slightly in recent years. In the past, there was only a per-device license model, which meant organizations were pushed into using licensing models that weren't very effective for them financially. Due to the emergence of tablets and users carrying multiple smartphones, there arose a need to have a license model based on the user -- and not the individual device.
All the MDM products covered in this article offer similar, if not identical, pricing models. MDM vendors have listened to the customers and realized that end users in this day and age don't always have one device. Which licensing model an organization chooses -- per-device or user-based -- depends on the company's mobile device inventory.
The per-device model normally works well for small companies. In this model, every user gets a device that counts against the organization's total license count. If a user has three devices, all of these go against the total license count of the business. These licenses are normally cheaper per seat, but can quickly become expensive if there are multiple devices per user requiring coverage.
The user-based pricing model, by contrast, takes into account the need for users to have multiple devices that all require MDM coverage. With this model, the user name is the basis of the license, and the user can have multiple devices attached to his one license. This is the reason many larger organizations lean toward this model, or at least a hybrid approach of the two licensing models -- to account for users who use multiple mobile devices.
Criteria #5: Policy management
This is an important feature of mobile device management, and one that organizations need to review with either a request for proposal (RFP) or something that outlines the details of what mobile device policies they require. Mobile policies enable organizations to make granular changes to a mobile device to limit certain features -- the camera and apps, among others -- push wireless networks, create VPN tunnels and whitelist apps. This is the nuts and bolts of MDM, and a criterion that should be reviewed heavily during the proof-of-concept stage with specific vendors.
This ability to push certain features of a policy to mobile devices is certainly required, as is the ability to wipe devices remotely should they be lost or stolen. While all the MDM products covered in this article provide the ability to remotely wipe mobile devices, in the case of Good for Enterprise and IBM MaaS360, organizations have the option to wipe mobile devices completely or to just remove the container.
Also important for MDM products is the ability to perform actions such as VPN connections, wireless network configurations and certificate installs, which AirWatch can accomplish. Sophos also offers the ability to manage policies from a security perspective by enforcing antiphishing, antimalware and web protection.
You must assert these options in an RFP beforehand to determine what part of the mobile device policy you're looking to secure. Evaluating what policy changes you can push to a mobile device and what functions an organization might want to see within a policy will help provide insight for an educated decision on the best mobile device management products.
Most times there will be multiple policies created that allow certain users to receive a particular policy, while allowing someone with other needs to receive a completely different MDM policy. This is a standard function within all MDMs, but it should be understood that a single policy for all users is not always plausible.
Finding the best mobile device management product for you
There are many vendors in this saturated market, but following these five criteria should assist organizations in narrowing the field down to find the best mobile device management products available today. There is much overlap between vendors, but finding the right one that can secure an organization's data completely and offer full coverage, with the ability to manage all the aspects needed in a policy, is what businesses should be aiming for in MDM products.
Many large companies, especially those in the financial or government sector, are running Good for Enterprise due to the extra layer of security it provides by leveraging a container and integrated apps developed by vendors with whom they partnered.
IBM MaaS360, on the other hand, offers both a container and non-container approach to mobile security and management, which makes it suitable for larger enterprises that require some flexibility in terms of operational method deployment. This gives IBM MaaS360 the ability to play to both sides and gives them some leverage over competitors by attracting customers from both mindsets.
Many midsize companies don't have to meet the level of security imposed by large financial clients, though, and thus aren't running to boost their mobile device security. We've seen that, many times, compliance will bring an extra layer of required security, however, thereby making these organizations more conscious at times about securing data on mobile devices.
Midsize to large companies -- those outside of the financial sector -- tend to run AirWatch, Sophos or MobileIron MDM due to their abilities to keep the native feel of mobile devices intact, while being able to push custom policies that secure mobile devices to the clients.
As for app integration, Citrix has performed very well in this area with XenMobile, having shown that it's pushing the boundaries of this area. These apps are selling points to many customers who want to integrate their data onto a mobile device, but want the flexibility to manage the data these mobile apps are consuming. By dispensing these approved apps to managed mobile devices and writing policy for their data to be used on these apps, MDM products, such as Citrix's, assist with adding an extra layer of data control for the company and ease of use for the user.
As mobile devices become more indispensable for business users, the MDM market will keep expanding in response to the growing need for mobile security.