If there’s anything keeping IT managers awake at night, it’s fear for their data’s safety. And because a growing number of headline-worthy data disasters have been caused by the loss or breach of a mobile device, managing those clients securely is top of mind for IT managers this year. While the bring-your-own-device (BYOD) movement has great appeal to the average employee, it represents a significant attack vector against corporate security. It also represents both an opportunity and a challenge: facilitating the use of a personal device while keeping work and personal information and data separate.
One of the challenges in reviewing these products stems from the wide range of functionality each vendor offers. The line between mobile device management (MDM) and mobile application management (MAM) isn’t always clear—and simply because the industry has decided to house both those acronyms under the Enterprise Mobility Management (EMM) umbrella doesn’t make things easier. The focus of this review was primarily MDM although it was hard not to at least look at some of the other features available from the different vendors.
For this roundup, we looked at Amtel Telecom and Mobile Management System (TIMS), AppTec360 Enterprise Mobility Management, Citrix XenMobile, IBM MaaS360 (a Fiberlink Communications product), ManageEngine Mobile Device Manager Plus, Microsoft Intune, Radia Endpoint Manager, SOTI MobiControl, and VMware AirWatch. We had hoped to look at MobileIron for this roundup but they declined to participate.
What is MDM?
It’s obvious that a lost corporate mobile device represents a significant threat. Providing the ability to locate, lock, and potentially wipe lost devices must be available for a package to call itself an effective MDM tool. Automating that process is even better. All of the vendors we tested provide the ability to return the phone to the state it was in prior to enrolling in mobile management. This includes removing sensitive settings such as WiFi passwords, configuration settings, and sensitive or protected documents. A granular selective wipe, which is what we call out in our features table above, goes beyond that ability to allow administrators to remove only specifically selected information and data elements, such as WiFi passwords or specific documents, like corporate data versus personal documents the user may have stored on the device.
Many of the products we looked at provide a geofencing capability that can generate alerts and take action should a device cross a specific boundary. This works great for a company with a local workforce where the devices should never be more than some fixed number of miles away from the home office. This feature can be tweaked for traveling employees and, in many cases, can be time restricted as well.
Policy-based security is also standard across all of the products in this review. Configuring devices to lock with a personal identification number (PIN) is just one of many policies that can be set as mandatory, meaning that even if a device is owned by the employee in a BYOD scenario, once it’s registered it’ll require a PIN to open whether the user had it set that way or not. Other policies to restrict behavior or to lock down specific apps are also common. But the conflict between corporate-owned and personally-owned devices isn’t always so clear cut. Having the ability to restrict the gathering of location and other sensitive data from a personally-owned device helps keep employees happy while allowing them to use their own devices for company work. IT managers need to be careful and look for the ability to segment work and personal apps and data as much as possible.
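As an added illustration, and not code from any of the products reviewed here, the following Python check combines the two policy types described above: a geofence measured in miles from the home office with a time window, and a mandatory PIN, while leaving personally-owned devices out of location tracking unless the policy opts in. The home-office coordinates, radius, work-day window and device records are constructed assumptions.

```python
import math
from dataclasses import dataclass
from datetime import datetime, time
from typing import List, Optional, Tuple

# Constructed sample coordinates for the "home office"; substitute your own site.
HOME_OFFICE = (37.3861, -122.0839)

def miles_between(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance in miles between two (lat, lon) pairs (haversine)."""
    lat1, lon1, lat2, lon2 = map(math.radians, (*a, *b))
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * 3958.8 * math.asin(math.sqrt(h))  # 3958.8 = mean Earth radius in miles

@dataclass
class Device:
    name: str
    corporate_owned: bool
    pin_set: bool
    location: Optional[Tuple[float, float]]  # last reported (lat, lon); None if not collected

@dataclass
class Policy:
    require_pin: bool = True
    fence_radius_miles: float = 25.0
    fence_window: Tuple[time, time] = (time(8, 0), time(18, 0))  # enforced during the work day only
    locate_byod: bool = False  # personally-owned devices are not geofenced unless opted in

def evaluate(device: Device, policy: Policy, now: datetime) -> List[Tuple[str, str]]:
    """Return (finding, action) pairs for one device; an empty list means compliant."""
    findings = []
    if policy.require_pin and not device.pin_set:
        findings.append(("no_pin", "push mandatory PIN policy"))
    start, end = policy.fence_window
    if ((device.corporate_owned or policy.locate_byod)
            and start <= now.time() <= end and device.location is not None):
        dist = miles_between(HOME_OFFICE, device.location)
        if dist > policy.fence_radius_miles:
            findings.append(("outside_fence", f"alert admin, {dist:.0f} mi from office"))
    return findings

SAMPLE_DEVICES = [  # constructed device records
    Device("corp-tablet", True, True, (37.7749, -122.4194)),   # San Francisco, roughly 33 mi away
    Device("byod-phone", False, False, (37.7749, -122.4194)),  # same spot, but personally owned
    Device("corp-phone", True, True, (37.3861, -122.0839)),    # sitting at the office
]

def demo(now: datetime = datetime(2016, 3, 1, 10, 30)) -> dict:
    """Evaluate the constructed fleet at a constructed time inside the work-day window."""
    return {d.name: evaluate(d, Policy(), now) for d in SAMPLE_DEVICES}
```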
Enrolling lots of devices might not seem like a big deal but can be a showstopper without some type of automated process. Providing a connection to a local Microsoft Active Directory domain to process users is one method. Most of the products also offered a way to import users and devices from a flat file to streamline enrollment in cases where either users or devices aren’t identified in a directory service. User self-registration is a key feature here, but be aware that this can be accomplished in different ways. Some of our contenders allow IT managers to create custom, branded user self-service portals that let users register their own devices, while others force them to go through third-party app stores to accomplish the same thing.
One of the biggest challenges in this roundup was drawing a line between MDM and any other functionality to include application management and delivery, security features like advanced threat management, and document protection.
For this review our goal was to focus on mobile management, which means testing across iOS, Android, and Windows Phone. To get a feel for different devices we used two phones and two tablets to evaluate the experience on different sized devices. Key pieces for testing come from this short list:
User and device self-registration,
Verify that policies, settings, and updates can be pushed out,
Understand how the product deals with locating lost devices, and
How the product handles data security.
To test on different platforms, I used an LG G3 running Android 5.1.1, an iPad Air and a first-generation iPad mini, plus a Lumia 640 running both Windows Phone 8.1 and the preview version of Windows 10 Mobile. Only a few of the products actually supported Windows 10, so I had to go back to the stock version of Windows Phone 8.1 using the Windows Software Recovery Tool. I also tested all device wipe actions on this phone, as it was bought primarily for use as a test device and not as my everyday phone. Client software was removed and the device returned to its original state prior to testing a different product.
How to Buy
For this roundup, we focused on several key areas that can help with any evaluation. Enrollment can be a significant issue for a large number of devices. Any added capabilities that make that process easier go a long way in judging a product as acceptable or not. That spills over into the user enrollment experience as well. Products scored extra points for letting users enroll by entering a specific URL or scanning a QR code.
At the administrator level it’s all about tracking down problems. A dashboard with easy access to key information, one that uses color to help quickly identify problem areas, gets the highest marks. Another nice-to-have feature is the ability to customize the dashboard screen to present the information that matters to you. The same goes for customization of reporting. Canned reports are all well and good, but not everyone wants exactly the same thing.
Ease of device control is another key feature; by that I mean being able to quickly find a device and then take some kind of action, such as locking the device or performing a secure wipe. If you get a phone call from an employee who just landed at a distant airport and lost their mobile device, you want to be able to take action right away. Removing devices from MDM control shouldn’t be a big deal either, especially when you allow employees to BYOD.
Data security is the final big item to evaluate, and this is often where the products take different approaches. Some vendors provide a secure file sharing and syncing capability, while others go further and block copying and pasting information from a corporate application such as email into a personal account. The same goes for moving data from a corporate location to a private storage service such as Dropbox.