The COVID-19 pandemic has upended traditional work models. In the wake of the global shift to a work-from-anywhere model, the stakes for managing access to valuable enterprise data are even higher. As businesses seek to unlock new levels of productivity from a dispersed workforce already armed with a host of mobile devices, enterprise mobility management (EMM) is playing a more significant role than ever in protecting enterprises from potential security breaches.
Benefits of EMM
Historically, organizations faced a serious challenge: Mobile devices had exploded in sophistication and capabilities and people increasingly were using them in their work life. In some cases, the use was sanctioned. In other cases, it wasn’t. In the process, a lot of valuable data was suddenly outside of the corporate firewall.
These developments were catalysts for an explosion of creative approaches to managing mobile devices. Ways needed to be found to do a number of tricky things: securing corporate data on devices without harming or snooping on the owner's personal data, wiping sensitive data from devices that go missing, ensuring that downloaded apps were safe, and letting owners install personal apps of unknown trustworthiness without endangering corporate data.
A flurry of similar sounding but different techniques, such as mobile device management (MDM) and mobile application management (MAM), emerged. Those earlier approaches have been subsumed into the next generation, enterprise mobility management (EMM), which consolidates them in a way that simplifies administration and improves efficiency. It also marries that management to identity tools in order to track and assess employees and their usage.
Enterprise mobility management allows for:
- Management of mobile and stationary devices. Organizations have a wide array of devices. Mobile devices are not always used on the road, while PCs and other large devices are not always only used in an office. The goal of EMM is to put as many of an organization’s devices under one umbrella as possible.
- Protection of corporate information. Whether an organization “officially” adopts BYOD or not, EMM uses MDM and other earlier classes of software management to protect corporate data. Indeed, doing this effectively meets the BYOD challenges that seemed overwhelming just a few years ago.
- Protection of employees’ information. Likewise, an employee will be resistant to using his or her device at work if there is a fear that private data will be compromised or disappear. EMM meets this challenge as well.
- Collection of analytics on usage. EMM platforms are comprehensive. Great amounts of data are collected and this data can enable organizations to work smarter and less expensively.
- Control of data on lost/stolen devices. Mobile devices are often lost and stolen. EMM, calling on the MDM tools that generally are part of the package, can wipe valuable data off of the device. In most cases, wiping personal data is handled separately.
- Setting and control of corporate policies flexibly. EMM is a powerful platform for establishing and implementing corporate policies. These policies can be changed on the fly and be customized according to department, level of seniority, geographically, and many other ways.
- Control of corporate applications. EMM platforms usually involve app stores. The overriding idea is that apps can be deployed quickly and securely. This flexibility enables an organization to take advantage of sudden opportunities and in other ways efficiently react to fast-changing conditions.
- Keeping security software up to date. Security postures change quickly — and employees are not always able or willing to keep their security up to date. EMM functionality can lead to a much more timely distribution of patches and, ultimately, a safer workplace.
- Meeting compliance requirements. Policy enforcement is an important EMM benefit. Taking that a step further is the ability to help mobile devices meet compliance standards. A doctor taking home patient imaging on her tablet or a CEO with sensitive corporate financial data on his phone must have end-to-end infrastructure proven to be safe and secure. EMM can help.
- Simplification of management, security, and other functions. The mobile world in general and BYOD in particular grew in enterprise importance very quickly. The resulting security and management challenges were great and generated tremendous creativity in software. The current era is characterized to some extent by the integration of those tools into broader platforms. EMM is a key step in this evolution.
Key Features to Consider in EMM Software
Here are key features to consider when comparing and purchasing EMM software:
- Quick and easy deployment. EMM is about automation. To be effective, it puts a premium on being quick and simple to deploy. The idea is to come as close as possible to “out-of-the-box” configuration.
- Serve multiple operating systems. In most cases, the EMM platforms work on all (or at least most) OSes. The idea, simply, is that most environments are mixed. Serving only a limited number of platforms will be a strike against the platform.
- On-premises and in the cloud. EMM generally can be located on-premises or in the cloud.
- Inclusive of MDM, MAM and other forms of software management. Increasingly, common software tools, such as MDM and MAM, are becoming part of broad EMM platforms. EMM platforms, in turn, are evolving to be unified endpoint management (UEM) suites that more fully incorporate non-mobile devices such as PCs and Macs.
- Confront the BYOD challenge. The explosion of management software aimed at mobile devices was born of BYOD. Suddenly, organizations didn't know where their valuable data was. Consequently, MDM, MAM and other approaches were meant to meet the BYOD challenge. EMM is a recent iteration of that trend, with UEM not far behind.
- Produce analytics that can be useful in planning. EMM platforms generate data. This input is useful in creating policies that best serve the mobile workforce. The data can also lead to lower telecommunications costs and other advantages.
- Help with compliance. Finance, healthcare, and other industries make exacting demands on how data is handled. These demands become even harder when the data is traveling to and from, and being stored in, a mobile device. EMM can help ensure that rules are being followed and data is not being compromised.
- Remote troubleshooting and device configuration. IT teams have the ability to assess and fix problems (including detecting jailbroken and rooted devices), remotely wipe and revoke devices, and enforce security measures.
- Teams up with identity software to create a more comprehensive view of employees. This is a vital step in managing complex networks. It also helps the organization create a more accurate profile of employees and, collectively, how the workforce uses their devices. There likely are surprises that lead to greater efficiencies, cost savings and new services and approaches.
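The compliance enforcement described in the feature list above (passcode and encryption checks, root/jailbreak detection, quarantine, selective versus full wipe) comes down to evaluating each device's posture report against policy and picking an action. The following is an added illustrative example, not code from any EMM vendor on this page: the DevicePosture schema, the POLICY thresholds, the action names and the app identifiers are all assumptions chosen for the example, and the posture reports are constructed sample data.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    """Compliance actions, ordered by severity (higher value wins)."""
    ALLOW = 0           # compliant: grant access to corporate resources
    NOTIFY = 1          # minor drift: warn user and admin, keep access
    QUARANTINE = 2      # block corporate resources until the device is fixed
    SELECTIVE_WIPE = 3  # remove the corporate container only, leave personal data
    FULL_WIPE = 4       # factory reset, only defensible on corporate-owned hardware


@dataclass
class DevicePosture:
    """Fields an MDM agent might report (assumed schema for this example)."""
    device_id: str
    platform: str               # "ios" or "android"
    os_version: str             # dotted version string as reported by the agent
    encrypted: bool
    passcode_set: bool
    rooted_or_jailbroken: bool
    corporate_owned: bool
    reported_missing: bool = False
    installed_apps: tuple = ()  # app identifiers reported by the agent


# Assumed policy thresholds; a real platform stores these per group or department.
POLICY = {
    "min_os": {"ios": (15, 0), "android": (11, 0)},
    "require_encryption": True,
    "require_passcode": True,
    "blocklist": {"com.example.unapproved-sync"},
}


def parse_version(text: str) -> tuple:
    """'15.4.1' -> (15, 4, 1); stops at the first non-numeric component."""
    parts = []
    for piece in text.split("."):
        if not piece.isdigit():
            break
        parts.append(int(piece))
    return tuple(parts)


def version_at_least(reported: str, minimum: tuple) -> bool:
    """Compare only as many components as the minimum specifies, zero-padding short strings."""
    parsed = parse_version(reported)
    padded = parsed + (0,) * max(0, len(minimum) - len(parsed))
    return padded[:len(minimum)] >= minimum


def evaluate(device: DevicePosture, policy: dict = POLICY) -> tuple:
    """Return (Action, reasons). Every finding is recorded; the most severe one decides."""
    findings = []  # list of (Action, reason)

    if device.reported_missing:
        # Lost or stolen: corporate-owned hardware gets a full wipe, BYOD keeps personal data.
        findings.append((Action.FULL_WIPE if device.corporate_owned else Action.SELECTIVE_WIPE,
                         "device reported missing"))
    if device.rooted_or_jailbroken:
        # Root/jailbreak defeats the OS guarantees the container relies on: pull corporate data.
        findings.append((Action.SELECTIVE_WIPE, "root/jailbreak detected"))
    if policy["require_encryption"] and not device.encrypted:
        findings.append((Action.QUARANTINE, "storage not encrypted"))
    if policy["require_passcode"] and not device.passcode_set:
        findings.append((Action.QUARANTINE, "no device passcode"))
    forbidden = sorted(set(device.installed_apps) & policy["blocklist"])
    if forbidden:
        findings.append((Action.QUARANTINE, "blocklisted apps: " + ", ".join(forbidden)))
    minimum = policy["min_os"].get(device.platform)
    if minimum and not version_at_least(device.os_version, minimum):
        # An out-of-date OS only warns, so users get a patch window before losing access.
        findings.append((Action.NOTIFY, f"OS {device.os_version} below minimum "
                         + ".".join(map(str, minimum))))

    if not findings:
        return Action.ALLOW, []
    worst = max(findings, key=lambda f: f[0].value)[0]
    return worst, [reason for _, reason in findings]


# Constructed sample posture reports, not real telemetry.
SAMPLE_REPORTS = [
    DevicePosture("ios-001", "ios", "16.2", True, True, False, False),
    DevicePosture("and-002", "android", "10", True, True, False, False),
    DevicePosture("and-003", "android", "12", True, False, True, False,
                  installed_apps=("com.example.unapproved-sync", "com.example.mail")),
    DevicePosture("ios-004", "ios", "15.4.1", True, True, False, True, reported_missing=True),
]


def run_sample() -> dict:
    """Map each sample device to the action name the policy produces."""
    return {d.device_id: evaluate(d)[0].name.lower() for d in SAMPLE_REPORTS}


if __name__ == "__main__":
    for d in SAMPLE_REPORTS:
        action, reasons = evaluate(d)
        print(f"{d.device_id}: {action.name} {reasons}")
```

The design point worth noting is that the action is the maximum severity across all findings, but every reason is still reported: a rooted BYOD phone with a blocklisted app gets a selective wipe, and the admin also sees the passcode and app findings that would otherwise be masked. Ownership decides between full and selective wipe for a missing device, which is the distinction the "wiping personal data is handled separately" point above turns on.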
Best Enterprise Mobility Management Solutions
VMware Workspace ONE
VMware has evolved its unified endpoint management technology, formerly known as AirWatch, into a digital workspace platform that combines AirWatch technology with the company's VMware Horizon platform for delivering and authenticating virtual desktops and apps across the hybrid cloud. Workspace ONE allows organizations to manage their cloud and mobile assets from one platform and offers single sign-on (SSO) access to cloud, mobile and web apps. The platform also allows IT admins to enforce conditional access and compliance policies, automates onboarding and laptop and mobile device configuration, and delivers integrated insights.
IT teams can deploy VMware Workspace ONE on-premises, in the cloud, and hybrid with different components deployed on-premises and in the cloud.
- Supports a vast array of devices, including mobile operating systems, wearables, 3D graphics workstations, and more
- Supports several device management approaches, including BYOD, choose-your-own, corporate owned, locked down, etc.
- Intelligent Hub app provides simple, adaptive device management for end users logging in on a BYO device
- Offers several network access control provisions, including conditional access policies, advanced data leak protections, and detailed real-time visibility with application, device and console events and reports.
- Automated app management to enable better security and compliance
- Supports integration with Active Directory and with LDAP directories such as OpenLDAP
- Allows first-time users to try the platform for free, but follows a three-tiered (Standard, Advanced, Enterprise) pricing model and also offers perpetual licenses.
Pros:
- Ease of use.
- Clean user interface.
- Good customer support and service.
Cons:
- Grows expensive over time.
- Admin console can be confusing.
- Training on features of the platform is costly.
Citrix Endpoint Management
Formerly XenMobile, Citrix Endpoint Management is part of the ecosystem of Citrix Workspace tools that unifies client management and enterprise mobility management. A comprehensive solution, the platform offers users single-click access to all of their apps within Citrix Workspace, while allowing IT to easily configure, manage and secure an array of devices, including smartphones, tablets, laptops, IoT devices and more.
- Offers management and configuration of corporate and BYO devices through their lifecycle
- Supports major platforms, including iOS, Android, Windows, macOS, Chrome, and more
- Integrates with LDAP in real time to perform user authentication and to manage group policies
- Policy integration includes passcodes, device ownership, apps and device resources, platform-specific policies, encryption, device status and location
- Ensures end-to-end security and compliance across device platforms, including pre-enrollment device checks, geo-fencing and tracking, rooting and jailbreak detection
- Selective wipe of devices and other automated compliance actions are initiated when devices deviate from policy
- Provides rapid over-the-air provisioning and self-service enrollment with one-time passcodes and server auto-discovery
- Allows for seamless integration with IT infrastructures, including LDAP, PKI, VPN, Wi-Fi, Microsoft Exchange, SIEM and more
- Offers multifactor single sign-on via PIN authentication, Touch ID, RSA tokens, certificates, and more.
- Licensing is based on a per-user or per-device model.
Pros:
- Customizable dashboard.
- Remote support and troubleshooting.
- Self-service web portal.
Cons:
- Integration and deployment can be time consuming.
- Performance is sometimes slow.
- May be cost-prohibitive for smaller enterprises.
Jamf Pro
Jamf Pro manages Apple devices in the enterprise. It offers zero-touch deployment with workflows that enable devices to be drop-shipped. Configuration is automatic when devices are first powered on. Smart Groups enable precise device batching. Configuration Profiles deliver key management payloads for management of one device, a group of devices or all devices. Jamf Pro supports Apple's first-party security functionality, including Gatekeeper, FileVault, and Lost Mode for tracking device location and raising an alert when a device is missing.
- Zero-touch deployment that allows automatic enrollment and configuration of devices without IT support.
- Mac imaging offers a hands-on approach to deploying computers for traditionalists.
- Manage BYOD with user initiated enrollment that allows secure use of consumer iOS and macOS devices.
- Jamf Connect ties Mac login to the organization's cloud identity provider, so users do not have to authenticate separately across multiple systems.
- Ensures account provisioning with single-identity access
- Offers identity management
- Password sync keeps account credentials in sync between Mac and cloud-identity provider
- Smart groups segment devices by department, building, management status, operating system version and other differentiators.
- Jamf Now for small enterprises offers cloud-hosted MDM functionality without installing server software, training or documentation.
- Jamf Protect offers endpoint protection for Mac.
Pros:
- The ability to push applications to devices.
- Highly customizable.
- Good community support.
Cons:
- Exclusively for Apple devices.
- Larger enterprises have reported some lag in performance.
- Time between OS updates and platform updates can be slow.
ManageEngine Mobile Device Manager Plus
ManageEngine Mobile Device Manager Plus is a comprehensive MDM platform that allows management of smartphones, laptops, tablets, and desktops and multiple operating systems, including iOS, Android, Windows, macOS, and Chrome OS.
- Governs which apps and their versions must be present on the device and restricts built-in device features.
- Controls how devices access and share data, and enables admins to disable/delete unapproved apps.
- Ensures that devices connect only to secure Wi-Fi.
- Routes all network communications through secure proxies.
- Ensures that devices run the most secure OS version.
- Prevents unauthorized sharing/backup of corporate data and restricts basic device features such as cameras.
- Automated device provisioning and access controls.
- Automated enrollment brings mobile devices under management before unboxing them
- Enrolled devices can be auto-assigned to groups based on internal departments.
- All security policies, access controls and apps associated with these groups can automatically be applied to these devices.
- Data leak prevention enforces customizable corporate security policies for mobile data at rest, in use, and in transit. It secures sensitive business data including information on missing devices.
- Containerization protects corporate apps, data and policies without touching personal data.
- Offers mobile device management (MDM), mobile content management (MCM), mobile application management (MAM), mobile security management (MSM), app wrapping and containerization.
- Customized corporate security policies, role-based access controls and monitoring levels are based on the specific needs of internal departments.
- Supports device clustering of departments into groups, ensuring consistent configurations and apps.
Pros:
- Customizable interface.
- Ease of use and deployment.
Cons:
- Interface can become cluttered.
- Customer service can be improved.
IBM MaaS360 with Watson
Powered by IBM’s AI platform, Watson, MaaS360 is a unified endpoint management (UEM) offering that integrates MDM, EMM, and IoT management. With Watson integration, the platform delivers AI insights, contextual analytics, and cloud-sourced benchmarking capabilities while providing management of iOS, Android, and Windows devices. Identity tools within the platform gatekeep corporate data by understanding and enabling control of which users are accessing data and from which devices, while Trusteer scans ensure that enrolled personal devices are not carrying malware. Wandera scans for network, app and device-level threats such as phishing and cryptojacking.
MaaS360 operates on the principle of use cases, delivering UEM covering digital trust concerns, threat defense and risk strategy concerns. The focus is about the user: how they access data, if the correct user is accessing, where they access from, what risks are associated, what threats they introduce into an environment, and how to mitigate this through a unified approach.
- The APIs, integrations and partnerships allow everything from app approval and delivery to threat and identity management.
- MaaS360 Advisor, powered by Watson, reports on all device types, provides insights into out-of-date OSes, potential threats and other risks and opportunities.
- Policies and compliance rules are available for all OSes and device types.
- Workplace persona policies dictate container functions to protect corporate data, enforce lockdowns of where that data can live and from which applications it can be transmitted.
- Other security measures include MaaS360 Advisor’s risk insights, Wandera for mobile threat defense, Trusteer for mobile malware detection, and Cloud Identity for out-of-the-box single sign-on (SSO) and integrated conditional access with an organization’s directory service.
- Integrates with Android Profile Owner (PO) mode to deliver a secure workplace to user-owned Android devices if the container is not the go-to strategy.
- Incorporates privacy tools to limit the amount of personally identifiable information (PII) collectable from a personal device. MaaS360 does not typically collect PII (such as name, username, password, email, photos and call logs). It does track location and apps installed, both of which can be blinded for personal devices.
- Provides conditional access and quarantining of unauthorized users.
- Integrates MaaS360's out-of-the-box identity tools with existing tools such as Okta or Ping to provide additional conditional access capabilities.
- Allows SAML-based solutions to be the primary SSO tool via the platform in a simplified manner.
- Devices can be managed by existing directory group or organizational unit, by department, by manually created group, by geo via geofencing tools, by operating system, and by device type.
Pros:
- Comprehensive device management, including IoT devices and PCs.
- Excellent documentation.
Cons:
- Setup and deployment can be complicated.
- Confusing user interface.
- License re-allocation for devices can be difficult.
Sophos Mobile
Sophos Central's UEM platform integrates mobile management, Windows management, macOS management, next-gen endpoint security and mobile threat defense. It serves as a single pane of glass for management of endpoint and network security.
Sophos Mobile offers three ways to manage a mobile device:
- Full control of all settings, apps, permissions of the device, according to what iOS, Android, macOS or Windows offer
- Corporate data containerization using the device management API, or configuring a corporate workspace on the device using iOS-managed settings or the Android Enterprise Work Profile
- Container-only management where all management is done on the container. The device itself is not affected.
The platform also offers an admin portal for managing all devices and a self-service portal for users.
- Devices can be enrolled through the self-service portal, by the admin via the console, or be force-enrolled at first boot or after a reset using tools such as Apple Business Manager, Android ZeroTouch or Knox Mobile Enrollment.
- After enrollment, the system pushes out configured policy options, installs apps, or sends commands to the device. Those actions can be combined into Task Bundles, analogous to the images used for PC management.
- Configuration settings include security options (passwords or encryption), productivity options (email accounts and bookmarks) and IT settings (Wi-Fi configurations and access certificates).
- Sophos Mobile offers various ways to structure the devices including device list, device groups, device per user, and smart folders.
Pros:
- Ease of deployment.
- Extensive ecosystem of UEM product integration.
- Good customer service and support.
Cons:
- User interface can be improved.
- Setup can be complicated.
This guide was updated by IT Business Edge's Managing Editor Llanor Alleyne.