A decade ago or so, organizations faced a serious challenge: Mobile devices had exploded in sophistication and capabilities and people increasingly were using them in their work life. In some cases, the use was sanctioned. In other cases, it wasn’t. In any case, a lot of valuable data was suddenly outside the corporate firewall. This kept many IT folks awake at night.
These developments – perhaps the sleepless nights most of all — were catalysts for an explosion of creative approaches to managing mobile devices. Ways needed to be found to do a number of tricky things, such as securing data on devices without harming employee data or taking liberties with the owner’s personal information, wiping devices clean of sensitive data if they go missing, ensuring that apps being downloaded were safe, empowering owners to download personal apps that weren’t secure without endangering corporate data, and so forth.
A flurry of similar sounding but different techniques, such mobile device management (MDM) and mobile application management (MAM), emerged. Those earlier approaches have been subsumed into the next generation, enterprise mobility management (EMM), which consolidates those earlier technologies in a way that simplifies and enhances efficiency. It also marries that management to identity tools in order to track and assess employees and usage.
EMM is not the end of the story. The next stop is unified endpoint management (UEM). The idea is to extend this growing collection of tools to non-mobile stationary devices. Thus, everything under the control of the organization will be managed on the same broad platform.
EMM is an important stop along the way. Adam Rykowski, the vice president of Product Marketing for VMware, told IT Business Edge that analytics, orchestration and value-added services are evolving to bolster the value of EMM and UEM.
“With the advent of modern management on PCs and MACs, they now have very similar management protocols [to mobile devices],” he said. “They don’t have to be on the local network. That enables the same management across all endpoints.”
The bottom line is to simultaneously broaden and simplify management. All devices – a PC in a corporate office, a Mac in a telecommuter’s home, a smartphone on a data center floor, or a tablet on a train – must be under the same umbrella. “The lines between mobile devices and the desktop and laptops have blurred, so we need a common way of accessing across file types and managing,” said Suzanne Dickson, Citrix’s senior director of Product Marketing for the Desktop and Application Group.
Petter Nordwall, Sophos’ director of Product Management, told IT Business Edge that the approaches the vendors take are similar due to the need to work with each operating system’s APIs. The playing field between vendors may be in user interfaces. Making life easier for end users and admins can be a significant challenge. Those that figure out the way to do so most effectively will have an advantage. “That can be night and day in terms of [admins] losing sleep or being able to manage devices without having to worry about it,” Nordwall said.
Benefits of EMM
Manage mobile and, increasingly, stationary devices
Organizations have a wide array of devices. Mobile devices are not always used on the road, while PCs and other large devices are not always only used in an office. The goal of EMM, which is shared with UEM, is to put as many of an organization’s devices under one umbrella as possible.
Protect corporate information
Whether an organization “officially” adopts BYOD or not, EMM uses MDM and other earlier classes of software management to protect corporate data. Indeed, doing this effectively meets the BYOD challenges that seemed overwhelming just a few years ago.
Protect employees’ information
Likewise, an employee will be resistant to using his or her device at work if there is a fear that private data will be compromised or disappear. EMM meets this challenge as well.
Collect analytics on usage
EMM platforms are comprehensive. Great amounts of data are collected and this data can enable organizations to work smarter and less expensively.
Control data on lost/stolen devices
Mobile devices are often lost and stolen. EMM – again, calling on the MDM tools that generally are part of the package – can wipe valuable data off the device. In most cases, wiping personal data is handled separately.
Set and control corporate policies flexibly
EMM is a powerful platform for establishing and implementing corporate policies. These policies can be changed on the fly and be customized according to department, level of seniority, geographically, or in other ways.
Control corporate applications
EMM platforms usually involve app stores. The overriding idea is that apps can be deployed quickly and securely. This flexibility enables an organization to take advantage of sudden opportunities and in other ways efficiently react to fast-changing conditions.
Keep security software up to date
Security postures change quickly — and employees are not always able or willing to keep their security up to date. EMM functionality can lead to a much more timely distribution of patches and, ultimately, a safer workplace.
Meet compliance requirements
Policy enforcement is an important EMM benefit. Taking that a step further is the ability to help mobile devices meet compliance standards. A doctor taking home patient imaging on her tablet or a CEO with sensitive corporate financial data on his phone must have end-to-end infrastructure proven to be safe and secure. EMM can help.
Simplification of management, security and other functions
The mobile world in general and BYOD in particular grew in enterprise importance very quickly. The resulting security and management challenges were great and generated tremendous creativity in software. The current era is characterized to some extent in integrating those tools into broader platforms. EMM is a key step in this evolution.
Key Features to Consider in EMM Software
Quick and not complex to deploy
EMM is about automation. To be effective, it puts a premium on being quick and simple to deploy. The idea is to come as close as possible to “out-of-the-box” configuration.
Serve multiple OSes
In most cases, the EMM platforms work on all (or at least most) OSes. The idea, simply, is that most environments are mixed. Serving only a limited number of platforms will be a strike against the platform.
On-premises and in the cloud
As is common in today’s environment, EMM generally can be located on-premises or in the cloud.
Inclusive of MDM, MAM and other forms of software management
Increasingly, common software tools, such as MDM and MAM, are becoming part of broad EMM platforms. EMM platforms, in turn, are evolving to be UEM suites that more fully incorporate non-mobile devices such as PCs and Macs.
Confront the BYOD challenge
The explosion of management software aimed at mobile devices was the birth of BYOD. Suddenly, organizations didn’t know where their valuable data was. Consequently, MDM, MAM and other approaches were meant to meet the BYOD challenge. EMM is a recent iteration of that trend, with UEM not far behind.
Produce analytics that can be useful in planning
EMM platforms generate data. A whole lot of data. This input is useful in creating policies that best serve the mobile workforce. The data can also lead to lower telecommunications costs and other advantages. Knowledge is power.
Help with compliance
Finance, health care and other industries make exacting demands on how data is handled. These demands become even harder when the data is traveling to and from, and being stored in, a mobile device. EMM can help ensure that rules are being followed and data is not being compromised.
Going beyond mobile devices
Vendors tweak category definitions in ways that shine the light brightest on their products. At the same time, there is no crystal-clear line between a generation of software and the next. UEM is thought to be the next generation in management software because it incorporates mobile and stationary equipment. EMM is sort of a prequel and offers some of these features.
Secure increasingly valuable data
Needless to say, the key element of any mobile management platform is to keep data and apps secure.
Team with identity software to create a more comprehensive view of employees
Increasingly, EMM platforms are being connected to identity functionality. This is a vital step in managing complex networks. It also helps the organization create a more accurate profile of employees and, collectively, how the workforce uses their devices. There likely are surprises that lead to greater efficiencies, cost savings and new services and approaches.
Top EMM Vendors and Solutions Reviewed
Jamf Pro manages Apple devices in the enterprise. It offers zero-touch deployment with workflows that enable devices to be drop-shipped. Configurations are automatic when devices are first powered on. Smart Groups enable precise device batching. Configuration Profiles deliver key management payloads for management of one device, a group of devices or all devices. Jamf Pro supports Apple’s first-party security functionality featuring Gatekeeper and FileVault and Lost Mode for tracking device location and alert creation when a device is missing.
· User Initiated Enrollment allows use of consumer iOS and macOS devices in a secure manner.
· Jamf Pro offers top-level menu options such as Smart Groups and Inventory. Deeper management is offered by LDAP integration and User Initiated Enrollment.
· Jamf Connect integrates into the broader platforms without requiring authentication across multiple systems.
· Smart Groups segments devices by department, building, management status, operating system version and other differentiators.
Citrix Endpoint Management secures an entire device, enables inventory of all the software, and prevents enrollment if the device is jailbroken, rooted or has unsafe software installed. It enables role-based management, configuration, security and support for corporate and employee-owned devices. Users enroll devices, enabling IT to provision policies and apps to those devices automatically, blacklist or whitelist apps, detect and protect against jailbroken devices, troubleshoot devices and apps, and fully or partially wipe devices that are missing or out of compliance.
Citrix Endpoint Management ensures compliance and secures content on the device. Admins can choose to secure select apps or the entire device.
Citrix Endpoint Management is a quick set-up service that integrates with the Citrix Workspace for “single pane of glass” functionality.
Citrix Endpoint Management leverages users’ identities from Active Directory or other directories to instantly provision/de-provision app and data access, set granular access controls based on the device and user scenario. Through the unified app store, users get single sign-on to their approved apps and can request access to apps for which they are not authorized. Once approval is obtained, they get immediate access.
Citrix Endpoint Management can manage, secure and inventory a broad range of device types within a single management console.
· Uses a common set of device policies to manage supported devices.
· Protects business information with strict security for identity, corporate-owned and BYOD, apps, data, and network.
· Delivers any app to end users, regardless of device or operating system.
· Protects information at the app level and ensures enterprise-grade mobile application management.
· Uses provisioning and configuration controls including enrollment, policy application and access privileges.
· Uses security and compliance controls to create a customized security baseline with actionable triggers such as locking, wiping, and notifying a device that it is non-compliant.
· Uses OS update controls to prevent or enforce operating system updates.
· Admins can manage user assignments based on delivery group roles.
Citrix Endpoint Management’s unified app store, available from Google Play or the Apple App Store, provides a single place for users to access apps for mobile, Web, SaaS and Windows.
Citrix Endpoint Management can be purchased as a stand-alone cloud or as a Citrix Workspace. As a stand-alone, Citrix Endpoint Management prices start at $4.17/user/month.
VMware Workspace ONE
Workspace ONE manages the lifecycle of any mobile, desktop, rugged and IoT device across all major operating systems in a single management console. It delivers secure access to cloud, mobile, web and virtual Windows apps/desktops on any smartphone, tablet or laptop through a single catalog and a consumer-simple single sign-on (SSO) experience.
Workspace ONE protects corporate apps and data using a layered and comprehensive security approach encompassing the user, endpoint, app, data and network. The platform optimizes desktop OS lifecycle management for a mobile workforce.
The Workspace ONE console is a single, web-based resource enabling quick addition of devices and users to the fleet. It manages profiles, distributes apps and configures system settings. All account and systems settings are unique to each customer.
Workspace ONE features:
· Data loss prevention (DLP) capabilities for apps and endpoints directly built into the platform. It is deployed as a centrally administrated and integrated access control, application management and multi-platform endpoint management solution.
· Identity context policies team with device compliance policies to create conditional access policies that proactively prevent data leakage.
· DLP policies across productivity apps allow IT to disable copy/paste and encrypt data on mobile devices running different OSes.
· Integration with Windows Information Protection and BitLocker encryption protect data on Windows 10 endpoints. Has DLP support for Chrome OS.
· Workspace ONE Trust Network features integration with the leading antivirus/antimalware/endpoint protection solutions.
· Management of mobile phones, PCs, rugged and IoT devices.
· Management of MDM, EMM and UEM.
Workspace ONE connects siloed solutions for security focus areas, including policy management, access and identify management and patching.
Workspace ONE provides a layered and comprehensive management and security approach that encompasses the user, endpoint, app, data and network. Workspace ONE Intelligence uses artificial intelligence and machine learning capabilities and tools to analyze device, app and employee data in order to enable predictive security.
· For IT: The web-based Workspace ONE console allows IT admins to view and manage EMM deployment. Users can quickly and easily add devices and manage profiles, distribute apps and configure system settings. Customers can create several IT admin views so groups within IT have access to the settings and tasks most relevant to them. Different departments, geographies, etc. can be given their own tenant, and can access in their local language. The look of the Workspace ONE UEM portal can be customized.
· For End Users: Workspace ONE provides employees with single, secure catalog to access their most critical business apps and devices across Windows, macOS, Chrome OS, iOS and Android.
Workspace ONE is available as both per-user and per-device subscription licensing. Perpetual licensing and support is available for on-premises customers. Available features vary based on whether the customer purchases Workspace ONE Standard, Advanced or Enterprise tiers. The lowest tiered offer that includes unified endpoint management (UEM) features is available in Workspace ONE Standard, which starts at $3.78/device/month. For SMB/mid-market customers, a per-device MDM offer made available as AirWatch Express is priced at $2.68/device/month.
Sophos Mobile offers three ways to manage a mobile device: Full control of all settings, apps, permissions of the device, according to what iOS, Android, macOS or Windows offer; corporate data containerization using the device management API, or configuring a corporate workspace on the device using iOS-managed settings or the Android Enterprise Work Profile; or container-only management where all management is done on the container. The device itself is not affected.
Devices can be enrolled through the self-service portal, by the admin via the console, or be force enrolled after rebooting using tools such as Apple DEP, Android ZeroTouch or Knox Mobile Enrolment.
After enrollment, the system pushes out configured policy options, installs apps, or sends commands to the device. Those actions can be combined into Task Bundles by mimicking the images used for PC management.
Configuration settings include security options (passwords or encryption), productivity options (email accounts and bookmarks) and IT settings (Wi-Fi configurations and access certificates).
Sophos Central’s UEM platform integrates mobile management, Windows management, macOS management, next-gen endpoint security and mobile threat defence. It serves as a pane of glass for management of endpoint and network security.
Sophos Mobile offers various ways to structure the devices:
· Device list
· Device groups
· Devices per user
· Smart folders (by OS, last sync, app installed, health, customer property, etc.). Admins can easily create new smart folders for their management needs.
Sophos Mobile offers an admin portal for managing all devices and a self-service portal for users.
Standard and advanced licences are exclusively sold by Sophos channel partners. Pricing varies by organization size. No perpetual license, all sold by subscription.
Ivanti’s Unified Endpoint Management Offers:
· EMM and client management capabilities to manage mobile devices, PCs, servers and IoT devices from a single console. It supports Android, iOS, macOS, Windows 10, ChromeOS, Linux, tvOS and Raspbian.
· Management of all devices associated with a user, self-enrollment and user targeting to push a profile/configuration.
· Exchange of active sync and MDM policy configuration including forced encryption, forced usage of passcode and/or passcode length, Wi-Fi access, Exchange access.
· User restrictions from corporate resources such as email unless they are enrolled in MDM. Enrolled users have restrictions and requirements. When the user no longer wants to be managed or leaves the company, Ivanti selectively wipes corporate rights and data.
· User-based targeting abstracts the platform by applying configurations to a user that are used for the appropriate platform. Individual configurations can be used across platforms to ensure consistent user experience.
Ivanti’s unified IT approach to managing corporate environments harnesses data from UEM tools and configurations. It is part of a larger effort to manage and secure assets, identity governance and leverage service and configuration tools to manage and audit the entire process. Ivanti’s integration across these systems enables complete management and oversight.
Ivanti policies apply specifically to OS, job role or geo-location of the device. The platform offers co-management of Windows and macOS devices to manage device with EMM policies that can be supplemented by more complex management via Ivanti agents on the device.
The platform manages PCs and mobile devices. The solution includes an analytics and dashboarding tool with default content enabling simple report and dashboard creation. The tool also allows users to import data in real time from other sources, enabling a view of all business analytics in a single dashboard.
Ivanti provides a single interface for managing mobile devices, PCs, servers and IoT devices.
Pricing varies from $56/device/year to $99/user/year.
ManageEngine Mobile Device Manager Plus
ManageEngine Mobile Device Manager Plus:
· Governs which apps and their versions must be present on the device and restricts built-in device features.
· Controls how devices access and share data, enable admins to disable/delete unapproved apps.
· Ensures that devices connect only to secure Wi-Fi.
· Routes all network communications through secure proxies.
· Ensures that devices run the most secure OS version.
· Prevents unauthorized sharing/backup of corporate data and restricts basic device features such as cameras.
Management functions in Mobile Device Manager Plus:
· Automated device provisioning and access controls.
· Automated enrollment brings mobile devices under management before unboxing them
· Enrolled devices can be auto-assigned to groups based on internal departments.
· All security policies, access controls and apps associated with these groups can automatically be applied to these devices.
· Data leak prevention enforces customizable corporate security policies for mobile data at rest, in use, and in transit. It secures sensitive business data including information on missing devices.
· Containerization protects corporate apps, data and policies without touching personal data. A customizable TOS is displayed to end users during enrollment. Geo-fencing ensures that devices are only managed within business premises.
· Offers mobile device management (MDM), mobile content management (MCM), mobile application management (MAM), mobile security management (MSM), app wrapping and containerization.
· Customized corporate security policies, role-based access controls and monitoring levels are based on the specific needs of internal departments.
· Supports device clustering of departments into groups, ensuring consistent configurations and apps. Groups are created based on Active Directory, the OS running on the devices, or whether the device is corporate- or employees-owned.
Mobile Device Manager Plus UI:
· The home page overviews mobile endpoint status.
· The device management module is a centralized location to configure and distribute device security policies.
· Encyclopedic information is available from the inventory tab, where security commands are executed.
· The enrollment tab provides details about device onboarding.
· The reports tab collates all the data in the inventory tab into comprehensive reports.
· There are out-of-the-box reports and customization options.
· The admin tab provides a holistic view of available features.
Mobile Device Manager Plus is available in the cloud and on-premises. The Cloud Edition starts at $1.28 per device/per month for 50 devices. The platform is hosted on the ManageEngine cloud servers.
The On-Premises Edition starts at $9.90 per device/per year for 50 devices. Mobile Device Manager Plus is also available on Azure and AWS.
IBM MaaS360 with Watson
IBM MaaS360 with Watson management and security features:
· Operating system-based policies for all device form factors, including Windows, iOS, macOS, Android and Chrome OS. These policies include manufacturer APIs to control device hardware and software.
· The APIs, integrations and partnerships allow everything from app approval and delivery to threat and identity management.
· MaaS360 Advisor, powered by Watson, reports on all device types, provides insights into out-of-date OSes, potential threats and other risks and opportunities.
· Policies and compliance rules are available for all OSes and device types. Workplace persona policies dictate container function to protect corporate data, enforce lockdowns of where that data can live and from which applications it can be transmitted.
· Other security measures include MaaS360 Advisor’s risk insights, Wandera for mobile threat defense, Trusteer for mobile malware detection, and Cloud Identity for out-of-the-box single sign-on (SSO) and integrated conditional access with an organization’s directory service.
Identity tools within the platform gatekeep corporate data by understanding and enabling control of which users are accessing data and from which devices, while Trusteer scans ensure that enrolled personal devices are not carrying malware. Wandera scans for network, app and device-level threats such as phishing and cryptojacking.
MaaS360 integrates with Android Profile Owner (PO) mode to deliver a secure workplace to user-owned Android devices if the container is not the go-to strategy.
MaaS360 also incorporates privacy tools to limit the amount of personally identifiable information (PII) collectable from a personal device. MaaS360 does not typically collect PII (such as name, username, password, email, photos and call logs). It does track location and apps installed, both of which can be blinded for personal devices.
MaaS360 operates on the principle of use cases, delivering UEM covering digital trust concerns, threat defense and risk strategy concerns. The focus is about the user: how they access data, if the correct user is accessing, where they access from, what risks are associated, what threats they introduce into an environment, and how to mitigate this through a unified approach.
The MaaS360 platform is an open platform that can integrate with much of an organization’s existing infrastructure. It can:
· Provide conditional access and quarantining of unauthorized users.
· Integrate MaaS360’s out-of-the-box identity tools with existing tools such as Okta or Ping to provide additional conditional access capabilities.
· Allow SAML-based solutions to be the primary SSO tool via the platform in a simplified manner.
MaaS360 can work in conjunction with other endpoint management tools to deliver modern management functions and additional patching capabilities on top of the CMT functions already being utilized.
Devices can be managed by existing directory group or organizational unit, by department, by manually created group, by geo via geofencing tools, by operating system, and by device type.
MaaS360’s UI is multi-faceted, with an initial home screen displaying a custom alerts center and mini-audit trail tracking all activity taken within the portal. Advisor offers real-time insights based on the devices, apps and data within the platform. The top ribbon then links to multiple sections, including policy, apps, inventory and reporting. Each of these includes sub-sections. Examples include:
· Compliance rules, policy types and patch management under the “policies” tab
· Different application tracking and delivery methods under “apps”
· All enrolled devices and groups under “inventory”
· Multiple report formats under “reports”
MaaS360 ranges from $4 for Essentials to $9 for Enterprise (per client/per month). User-based licensing is two times device pricing per user.