Transcription

1 Page 1 of 16 for Mobile Device 8 August 2012 ID:G Analyst(s): Monica Basso, Phillip Redman VIEW SUMMARY Mobile device management offerings are expanding from traditional configurations, policy management, IT administration and reporting to deeper security with containerization, mobile application management and enterprise content management. Overview Key Findings The integration of native APIs on ios and Android enable corporate containerization in native clients, with encryption, selective wipe and data loss prevention (DLP). containerization on Android is possible also by third-party clients. Windows Phone (WP) has no API yet, making its management more difficult. The containerization of individual applications and files through policy wrapping locks down selected corporate content, avoiding restrictions to the user experience with native applications. Enterprise file distribution, sharing and syncing functionalities, associated with secure and managed folders at rest on devices, and private or public cloud services on the back end, are emerging as a new trend in many mobile device management (MDM) offerings. As-a-service MDM offerings are growing in the market, and are increasingly being adopted by organizations because of their greater flexibility, scalability and cost-effectiveness, compared with on-premises deployments. Recommendations Prioritize MDM requirements around consumer mobility and bring your own device (BYOD) deployments in the next two years, focusing on mobile application management (MAM), application containerization and enterprise content management. Prepare for MDM support across multiple device OS platforms, planning for an increase in Android use in the next 12 months. Keep Windows on the radar screen as well, as a range of new smartphones, media tablets and innovative form factors may hit the market in the coming months. Before MDM vendor/product selection, focus on mobility requirements, security and compliance constraints, and mobile user segmentation, and identify the range of policies needed to regulate new deployments. Select the MDM option that best supports your policies, considering not only features and technology, but also viability (e.g., delivery models and support). What You Need to Know The core capabilities of MDM, such as provisioning, policy enforcement, asset management, administration and reporting, are commoditizing across multiple offerings, and increasingly appear similar. However, differentiation is growing in new areas, such as containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption. Analysis This research provides quantitative ratings for a selection of enterprise MDM offerings, and evaluates them across seven critical capabilities in four typical use cases. (This research complements "Magic Quadrant for Mobile Device Software," which covers vendors and their relative positions in the market.) Enterprises should use this research, with its product ratings on critical capabilities in different use cases, to identify the most suitable MDM products and services for their context. CRITICAL CAPABILITIES METHODOLOGY " capabilities" are attributes that differentiate products in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions. This methodology requires analysts to identify the critical capabilities for a class of products. Each capability is then weighted in terms of its relative importance overall, as well as for specific product use cases. Next, products are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities overall, and for each use case, is then calculated for each product. s and summary scores range from 1.0 to 5.0: 1 = Poor: most or all defined requirements not achieved 2 = Fair: some requirements not achieved 3 = Good: meets requirements 4 = Excellent: meets or exceeds some requirements 5 = Outstanding: significantly exceeds requirements Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy and its ability to enhance and support a product over its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to its other product lines, its market direction and its business overall. Support includes the quality of technical and account support as well as customer experiences for that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it. Each product is rated on a five-point scale from poor to outstanding for each of these four areas, and it is then assigned an overall product viability rating. The critical capabilities Gartner has selected do not represent all capabilities for any product and, therefore, may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making an acquisition decision. Consumer mobility and BYOD programs are top priorities for most organizations in A range of new IT challenges from security, compliance and management to cost and human capital management hits organizations that often are forced to rapidly make investments in MDM products and services to enforce policies, regulate behaviors, contain costs and manage risks across device platforms. Thus, the MDM market has been growing, and will continue to grow in 2012, with the market size estimated at over $500 million, and more than 100 players. The level of demand and the fierce competition among these players are driving commoditization in this market. Traditional MDM capabilities, such as provisioning, policy enforcement, asset management, administration and reporting, are beginning to standardize across multiple offerings that increasingly provide similar capabilities. This increasingly drives price competition, and forces players to differentiate in new areas. Growing differentiation is developing in application and document containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption. remains a paramount capability for highly regulated organizations under strong security and compliance requirements, which necessitates the separation of corporate and personal content on devices. The original approach of complete corporate containerization, provided by Good Technology, locks down the corporate footprint, with total separation of business from personal content. Managing the corporate container, instead of the device, grants isolation and protection of corporate

2 Page 2 of 16 content, with no restrictions on personal usage. However, native clients and browsers are not available in the container, which could affect user acceptability. In addition, a growing range of products now offers less granularity in containerization for individual applications, folders and files (see Figure 1). These products provide software development kits (SDKs) to enforce credentials, encryption and other policies through application wrapping. They are commercially available in offerings from AirWatch, BoxTone and Symantec, but more vendors are due to launch these capabilities later in Figure 1. Heavyweight Versus Lightweight Styles MAM is becoming increasingly important, as IT organizations need to deploy third-party and in-housedeveloped applications to their mobile workforce. Software updates, public app store content blacklisting and enterprise app stores are progressively supported in MDM products. AirWatch, MobileIron and Zenprise currently have the most complete offerings. Enterprise file synchronization and sharing capabilities are needed, due to the growing adoption of media tablets, such as the ipad, and due to the availability of personal cloud services, such as Dropbox, icloud and Google Drive, which enable mobile workers via increased productivity, but could represent security and compliance threats. Some players, such as AirWatch and Fiberlink, already provide secure file management capabilities natively; others do this through partners such as Box and Accellion. More MDM vendors will launch these capabilities in future releases. Another important element of differentiation is the as-a-service delivery model, which gives enterprises more flexibility, scalability and cost-effectiveness. While many vendors have launched as-a-service offerings in the past 12 months, AirWatch and Fiberlink have the most mature offerings and experience. More organizations are considering cloud-based MDM services, because they are more economical and flexible. One area where most MDM products still lag behind others is integration with PC configurations and management capabilities, as they focus predominantly on MDM. Exceptions are represented by products from IBM and Fiberlink. Lack of support across the full spectrum of mobile and client computing is a limitation for most IT organizations that aim to manage smartphones, media tablets and PCs in more integrated and efficient ways. We expect to see more convergence in the coming months in mobile and PC/system management. IT organizations struggle to identify the right options for investment. The large number of offerings with a lack of differentiation in basic management capabilities confuses buyers, and complicates investment decisions. One major area of differentiation among MDM offerings is their technical approach to management: Lightweight MDM: Server-side product and service offerings may (or may not) have a small mobile agent running on the device, and/or may integrate the mobile OS platform's native APIs or Microsoft Exchange ActiveSync [EAS] client implementation, but may not have a complete mobile management client on the device. These offerings can be used with native mobile support in corporate servers (e.g., EAS in Microsoft Exchange Server or Lotus Notes Traveler in Lotus Notes and Domino) to enforce complementary policies, working with the device's native client. However, they manage the device entirely, enforcing policies (e.g., on acceptable use, or application blacklists) that apply to the device anytime, including during personal usage. This may be a drawback in BYOD programs where extensive policies need to be enforced for business use. Relevant vendors include MobileIron, Zenprise and Fiberlink. Extended Lightweight MDM: Additional capabilities (through SDKs) are provided to enforce policies on applications, such as credentials, encryption and DLP. AirWatch, BoxTone (through Mocana) and Symantec (through Nukona) currently provide these capabilities through SDKs that recompile third-party or in-house applications to enforce policies such as credentials, encryption and limitations, and data sharing with other applications. More vendors are expected to launch these capabilities in future releases. Heavyweight MDM: Client-side management software is available for every relevant mobile OS platform (whether stand-alone or blended with a proprietary client). The management client can enforce strong IT control on the device, including a full corporate container with encryption, selective wipe and DLP. Good Technology is the leading vendor taking this approach. Other vendors not covered in this research include Excitor and Little Red Wagon Technologies. This approach enforces complete separation between corporate and personal footprints on the device, offering smoother support for BYOD programs, because users have no limitation of use outside the container, and compliance can easily be proved in audits anytime.

3 Page 3 of 16 EAS alone is insufficient to manage mobile devices, despite the minimum set of policies provided, because it is not consistent across mobile platforms, does not detect jailbreaks, and cannot enforce device- or OS-level policies (it focuses only on ). Before conducting MDM product selection analysis, organizations must identify the risks and benefits of introducing support for corporate applications on personal devices. They then need to identify the IT policies required to control deployments, manage risks and support users. They also must choose the appropriate management approach, and products and services, that will help enforce the policies in a cost-effective way. Product Class Definition Gartner defines MDM as a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, enforcing policies and maintaining the desired level of IT control across multiple platforms. Mobile devices may be corporate and personal assets, as in BYOD programs. Areas of functionality include provisioning and decommissioning, inventory management, application management and security. The primary delivery model is on-premises, but MDM can also be offered as software as a service (SaaS), or through the cloud. See "Magic Quadrant for Mobile Device Software" for a complete description of the market, and the vendors delivering such products or services. This research focuses on a subset of commercial offerings in the market, encompassing the products and services that get the most attention and requests for advice from Gartner's client base. We highlight the capabilities and viability of these products Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner s prior written permission. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner s research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner s Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity on Definition The growing demand for MDM by IT organizations has motivated a large number of technology providers to enter the market with MDM offerings. These products and services enable IT organizations to maintain control, automate management and minimize risks, while delivering consumer mobility to the workforce. Regarding basic management functionalities (e.g., provisioning and inventory management), most offerings are progressively becoming similar, with little differentiation among competing vendors. They differentiate instead on enhanced capabilities, such as containerization, application management, document sharing and the cloud delivery model. This research examines seven critical capabilities that differentiate competing MDM products in different use cases: Policy enforcement and compliance management Document sharing and management Scalability As-a-service and cloud delivery models Detailed information about each critical capabilities follows: Policy enforcement and compliance: This varies in capability by mobile OS, but includes: Enforce policies on eligible devices: Detect and enforce OS platforms and versions, installed applications and manipulated data. Detect ios jail-broken devices and rooted Android devices. Filter (restrict) access from noncompliant devices to corporate servers (e.g., ). Restrict the number of devices per user. Enforce application policies: Restrict downloadable applications through whitelists and blacklists. Monitor access to app stores and application downloads, put prohibited applications on quarantine, and/or send alerts to IT/managers/users about policy violations. Monitor access to Web services, social networks and app stores, send alerts to IT/managers/users about policy violations, and/or cut off access. Enforce mobile communication expense policies in real time: Monitor roaming usage. Detect policy violations (e.g., international roaming), and take action if needed (e.g., disable access to servers, and/or send alerts to IT/managers/users about policy violations). Enforce separation of personal versus corporate content: Manage corporate applications on personal devices, and personal applications on corporate devices. Tag content as personal or corporate through flags. Detect separation violations, and send alerts to IT/managers/users if needed. If a container is in use, prohibit exporting data outside the container (e.g., when opening an attachment), and regulate interactions among different enterprise containers. Restrict or prohibit access to corporate servers (e.g., to servers and accounts) in case of policy violations. : This is a set of mechanisms to protect corporate data on a device and corporate backend systems, and to preserve compliance with regulations: Password enforcement (complexity and rotation)

4 Page 4 of 16 Device lock (after a given time of inactivity) Remote wipe, selective remote wipe (e.g., only corporate content), and total remote wipe (e.g., a hard wipe, with data not recoverable after deletion) Local data encryption (phone memory and external memory cards) Certificate-based authentication (includes device ID, OS version and phone number), and certificate distribution Monitoring devices, and data manipulation on devices Rogue application protection (e.g., application quarantine) Certifications (e.g., Federal Information Processing Standard [FIPS] 140-2) Firewalls Antivirus software Mobile virtual private network (VPN) Message archiving (SMS, IM, , etc.) and retrieval, and recording of historical events for audit trails and reporting : A set of mechanisms to separate corporate from personal content (data and applications) on devices. What differentiates the level of support for containerization in various products is the granularity of control, isolation and protection enforced through the policies. This can span simple applications and files, to the complete corporate footprint hosted in the corporate container, and can create a dual-persona device user experience. The strongest implementation includes a full corporate container with proprietary applications, such as the client and browser, as well as third-party and in-house applications developed through ad hoc SDKs, to make them part of the container. Additional methods include a container limited to proprietary applications, such as , calendars and contacts, and the browser. Methods can include smaller -granularity containers limited to one application or document. A number of policies can be enforced on the container to control the corporate footprint, such as: Local data encryption Selective remote wipe Data leakage prevention (no data is exported from the container, and there are cut-andpaste prohibitions) Controlled communication among containers Dual personas management: A set of mechanisms for over the air (OTA) software upgrades, application inventory and distribution, such as: discovery and private app store Apple Volume Purchase Program, or other enterprise volume purchasing program integration Software updates for applications or OSs Patches/fixes Backup/restore Background synchronization Document sharing and management: A set of mechanisms to support file synchronization and sharing, file distribution, and secure and manageable folders on mobile devices with policy enforcement: File synchronization and backup, transparent to the user File sharing with other employees, or among applications File distribution to a group of users, and those that are time sensitive and management policy enforcement Scalability: Of MDM deployments in mass volume: Platform scalability for over 20,000 units supported High-availability and disaster recovery techniques As-a-service and cloud delivery models: Ease of installation Pricing policies per user (as opposed to per device) rated higher its website, Use Cases This research identifies the four typical use cases discussed in Gartner client inquiries. These cases highlight the differences among selected products/services, and rate them differently under specific conditions. Case 1 Regulated Deployments: These organizations operate in severely regulated sectors, such as financial services, healthcare, military and defense, and government, that must be compliant anytime with sector-specific regulations, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), and must pass periodical audits. These organizations have a strong focus on security and control, e.g., for culture or market competition. These organizations often aim to support BYOD programs with personal and corporate devices. In all cases, strong IT security and control requirements include local data encryption for corporate information, certificate-based authentication, and isolation of corporate from personal content. Case 2 Flexible Deployments: These organizations operate in nonregulated sectors (e.g., retail and delivery services) that do not require a complete corporate lockdown on devices, and can live with basic security and management support. BYOD programs often are required, in addition to supporting corporate devices.

5 Page 5 of 16 Employees are required to work with native applications, such as a native client and browser. Provisioning, inventory and policy enforcement extended to the entire device is a management priority. There is little or no demand for containerization. Case 3 Agile Deployments: These organizations operate in nonregulated sectors, planning to manage mobility through thirdparty service providers, rather than by deploying an on-premises infrastructure. Organizations aim to contain or optimize mobility costs, or to avoid big upfront costs. Organizations plan to support a small number of mobile users initially, and to grow incrementally over time to midsize and large deployments. BYOD programs often are required, in addition to supporting corporate devices. Case 4 Mass Deployments: These are large-scale deployments, from more than 20,000 up to hundreds of thousands, with related requirements for high availability, disaster recovery, quality of service, etc. There is a need to monitor and control end-to-end mobile deployments. The third and fourth use cases are not necessarily mutually exclusive of the first and second. A regulated organization may also look for agile or mass deployments. However, in this research, we want to capture the most common scenarios requiring MDM investment decisions to highlight the product capabilities. Clients that are comfortable with the security/compliance/containerization capabilities of vendors on their shortlists, but have doubts about scalability, should focus on Case 4 to assess their mass deployment capabilities. Case 3 is a likely fit for organizations that have initial experience with mobility, and Case 4 will work for organizations that already have mobility experience, and are about to scale up to big deployment volumes. Case 1 and 2 focus on the level of control and lockdown needed, and are mutually exclusive. Table 1 shows the weighting for all use cases in this research. Each use case weighs the capabilities individually based on the needs of that case, which impacts the score. Each vendor may have a different position based on its capability and the weighting for each. The overall use case is the general scoring for the vendor's product, with all weights being equal. Table 1. Weighting for in Use Cases Product Overall Regulated Deployments Flexible Deployments Agile Deployments Mass Deployments Policy enforcement and compliance 14.3% 5.0% 60.0% 5.0% 5.0% 14.3% 15.0% 20.0% 5.0% 5.0% 14.3% 45.0% 0.0% 5.0% 5.0% management Document sharing and management 14.3% 15.0% 10.0% 5.0% 5.0% 14.3% 15.0% 5.0% 5.0% 5.0% Scalability 14.3% 5.0% 0.0% 20.0% 55.0% As-a-service and cloud delivery models 14.2% 0.0% 5.0% 55.0% 20.0% Total 100.0% 100.0% 100.0% 100.0% 100.0% Inclusion Criteria This research considers the selection of MDM products and services offered by vendors included in "Magic Quadrant for Mobile Device Software." Please refer to the Magic Quadrant for a complete description of the market and vendors. Given the large number of players in this market (20 vendors were covered in the Magic Quadrant), we have chosen to restrict our analysis to offerings that gain the most interest during our interactions with Gartner clients, are visible on shortlists, and are largely considered leaders or challengers based on size, revenue or product portfolio. These include products and services provided by AirWatch, BoxTone, Fiberlink, Good Technology, MobileIron, SAP, Symantec and Zenprise. Vendors not included in this research are still valid options for consideration (see "Magic Quadrant for Mobile Device Software"). While most vendors specialize in management for smartphones and tablets, a subset provides specific capabilities to manage fleets of ruggedized devices (on Windows CE or Windows Mobile), including Soti, Odyssey Software (now part of Symantec), Wavelink and Motorola. We do not consider these vendors in a separate use case, because specialized management tools for ruggedized devices generate limited Gartner client inquiries for those with fairly mature OSs. For completeness, we provide the list of criteria we used to qualify vendors for inclusion/exclusion in "Magic Quadrant for Mobile Device Software:" Support for enterprise-class (noncarrier), multiplatform support MDM: Software or SaaS, with an emphasis on mobility Specific MDM product focus and feature set, or a primary focus on MDM in another product set (messaging or security) management, with at least these features:

6 Page 6 of 16 Enhanced abilities to download, monitor and revoke certificates for , applications, Wi-Fi, VPNs, etc. Enforced passwords Device wipe Remote lock Audit trail/logging, including the ability to verify device configurations from a central console Jailbreak/rooted detection At least three mobile OS platforms supported Policy/compliance management Software management, with at least these capabilities supported: downloader the ability to push or pull applications on a mobile device verification the ability to verify the origin of mobile applications update support patch support App store support the ability to list and manage enterprise and third-party applications Hardware management, with at least these capabilities supported: External memory blocking blocks all use of flash memory cards, and other external memory Configuration change history audits and trails for any changes made for hardware At least 75,000 licenses sold Five referenceable accounts No more than 70% of revenue in one main geographic region or market At least $1.5 million in MDM-specific revenue General availability by the middle of 1Q12 Each product or service that meets our inclusion criteria has been evaluated on several critical capabilities (see Table 2 and Figure 2), on a scale from 1.0 (lowest ranking) to 5.0 (highest ranking). Table 2. Product on Product AirWatch BoxTone Fiberlink Good Technology MobileIron SAP Symantec Zenprise Policy enforcement and compliance management Document sharing and management Scalability As-a-service and cloud delivery models Figure 2. Overall Score for Each Vendor's Product Based on the Nonweighted Score for Each Capability

7 Page 7 of 16 To determine an overall score for each product in the use cases, the ratings in Table 2 are multiplied by the weightings shown in Table 1. These scores are shown in Table 3. Table 3. Overall Score in Use Cases Use Cases AirWatch BoxTone Fiberlink Good Technology MobileIron SAP Symantec Zenprise Overall Regulated Deployments Flexible Deployments Agile Deployments Mass Deployments Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy, and the vendor's ability to enhance and support a product throughout its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to the vendor's other product lines, its market direction and its business overall. Support includes the quality of technical and account support, as well as customer experiences with that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it. Each product is rated on a five-point scale, from poor to outstanding, for each of the four areas, and it is then assigned an overall product viability rating. Table 4 shows the product viability assessment. Table 4. Product Viability Assessment Vendor/Product Name AirWatch BoxTone Fiberlink Good Technology MobileIron SAP Symantec Product Viability Outstanding Excellent Outstanding Excellent Excellent Good Good The weighted capabilities scores for all use cases are displayed as components of the overall score. Figure 3 shows the overall use case.

8 Page 8 of 16 Figure 3. Overall Use Case Figure 4 shows the regulated deployments use case. Figure 4. Regulated Deployments Use Case Figure 5 shows the flexible deployments use case. Figure 5. Flexible Deployments Use Case

9 Page 9 of 16 Figure 6 shows the agile deployments use case. Figure 6. Agile Deployments Use Case Figure 7 shows the mass deployments use case. Figure 7. Mass Deployments Use Case

10 Page 10 of 16 Vendors AirWatch AirWatch's Enterprise MDM offering emphasizes device security, life cycle management, application and content distribution, and help desk controls. AirWatch has some of the market's largest MDM implementations, with several deployments of over 50,000 devices. The company supports a broad range of device platforms, and integrates with enterprise platforms, such as Lightweight Directory Access Protocol (LDAP), Active Directory, Microsoft Exchange Server, IBM Lotus Notes/Domino and Internet Message Access Protocol (IMAP)-based servers. It has comprehensive certificate management, managing all certificates deployed on the mobile device, and automating the full life cycle of enrolling and deploying the certificate, integrating with back-office systems to set up trust and user mapping of certificates, monitoring and tracking of the certificates, renewing expired and soon-toexpire certificates, and revoking the certificates when a device is compromised or needs access removed. AirWatch integrates with cloud-based services, such as Gmail, Microsoft Business Productivity Online Standard (BPOS) and Office 365. The company's origins are in the wireless network management service and ruggedized device market. Although most of its MDM deployments are in the cloud and SaaS, it also has an on-premises-based option (see Table 5). Table 5. for AirWatch Enterprise MDM v.5.17 Policy Enforcement Acceptable use, centralized administration, OTA provisioning, profiles, monitoring, automated compliance policies, and alerts for corporate and personal devices, for ios, Android, BlackBerry, WP 7, Symbian, Mac OS X and Windows Mobile. Data backup for BlackBerry and Android. Dictate use of networks for ios and Android. Full support for Open Mobile Alliance (OMA) device management 1.2. Access restrictions, password enforcement, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support, media encryption, remote lock, remote wipe, user authentication, device authentication, total device wipe, jail-broken/rooted devices, VPN, secure configuration profiles, autotrail/logging, identity management, and system-level API/access signing or certificates supported for ios, Android, BlackBerry and WP 7. Selective wipe for ios, Android and BlackBerry. Firewall for ios and Android. Antivirus for Android. Enhanced compliance enforcement functions, such as recording historical events for audit trail and reporting. Single-application wrapping with policy enforcement through SDK (including data leakage prevention and encryption). Policy enforcement on corporate files (Secure Content Locker). No complete corporate container with proprietary apps, data encryption and DLP. No full container with dual personas. For , AirWatch uses a combination of OS controls and native features to tag data, access control and configuration, and content as employee versus corporate data. For ios, it uses the ios 4.x-plus native APIs to containerize corporate in the native client. For Android, AirWatch integrates NitroDesk TouchDown or Samsung SAFE. Downloader, verification, whitelists/blacklists, version detection and updates. downloader (device), application verification, control enterprise applications, whitelist/blacklist enterprise applications, control nonenterprise applications, OS version detection, enterprise app store, multiplatform app stores, and full application or OS updates (major update) for ios, Android and

11 Page 11 of 16 Document Sharing and Scalability BlackBerry. Patches for BlackBerry and Android. quarantine, Web filtering, app store management, secure folder for enterprise applications and secure transfer of enterprise data/applications for ios, Android, BlackBerry and WP 7. Enterprise software licensing management for ios and Android (via TouchDown). Volume purchasing program for ios. Identify root access applications for Android. Secure Content Locker to securely distribute, track, manage and encrypt files and documents on a device. Include time-sensitive file distribution and geofencing. Usage management to detect roaming and apply business rules, send alerts and restrict data downloads. AirWatch's servers can be horizontally scaled behind a network load balancer to support 100,000-plus devices by adding servers, as needed, to scale to capacity. Multiple deployments with tens of thousands of devices. 4.5 As-a-Service and Cloud Delivery Models There is no software to install by the client. AirWatch offers shared and dedicated cloud solutions. 4.5 BoxTone BoxTone's offering focuses on mobile service-level management and includes three modules: MDM with MAM, mobile support management and mobile operation management. Through its Enterprise Mobility (EMM) partner network, BoxTone provides deep integration with enterprise mobility software platforms, system management and monitoring platforms, and integrates with technology vendors such as Aruba Networks, Appthority, Mocana and Good Technology. BoxTone supports BlackBerry, ios, Android, Windows Mobile and WP. Beyond MDM, BoxTone supports service desk management, incident management, problem management and application performance management (see Table 6). Table 6. for BoxTone v.6.5 Policy Enforcement Document Sharing and Acceptable use, centralized administration, OTA provisioning, profiles and data backup are supported for BlackBerry, ios, Android and WP 7. Dictate use of networks for ios, Android and WP 7. Real-time monitoring. Automated policy management, compliance management, configuration and change management, and application management are integrated into Active Directory for enterprise group IT policy management and enforcement. No integration of OMA device management policies. All functions listed here are supported for ios, Android and BlackBerry, and partly for WP 7. Access restriction, enforced password, password complexity choice, inactivity timeout, core encryption support, media encryption, remote lock, remote wipe, user authentication, device authentication, total device wipe, selective wipe, jail-broken/rooted devices, VPN, firewall, anti-malware/virus, secure configuration profiles, autotrail/logging, identity management, and system-level API/access signing or certificates. Enhanced compliance enforcement functions, such as record historical events for audit trail and reporting. Firewall not supported. Single-application wrapping with policy enforcement through SDKs, through technology embedded from Mocana. Central policy enforcement on third-party file sharing products/services (e.g., Box and Accellion), but data-level policy controls are managed by them. No complete corporate container with proprietary apps, data encryption and DLP. No full container with dual personas. downloader (device), application verification, control enterprise apps, whitelist/blacklist enterprise applications, control of nonenterprise applications, OS version detection, enterprise app store, multiplatform app stores, full application or OS updates (major update), Web filtering, app store management, secure folder for enterprise applications and enterprise software licensing management for BlackBerry, ios and Android. quarantine for ios and Android. Volume purchasing program for ios. No patches or identify root access applications. File synchronization and sharing supported through third-party services (e.g., Accellion). No native capability, and no time-sensitive file distribution Scalability BoxTone can scale on a single instance on one server, two servers and across N- tier distributed single instances all having one unified database and end-to-end mobile enterprisewide controls, scaling beyond 100,000 devices. BoxTone's cloud services offering, powered by partners like Xerox and HP, are optimized for highscale, high-availability environments. As-a-Service and Cloud Delivery Models Fiberlink Cloud services offered based on Xerox, HP and CSC. 3.0 Fiberlink's MaaS360 is a pure, MDM cloud services offering for organizations aiming to support corporate and personal devices. It's a multitenant platform. Existing embedded platforms (BlackBerry Enterprise Server [BES], EAS and IBM Lotus Notes Traveler) are included in MaaS360 management via a single cloud extender agent deployed in the LAN. Beyond BES and EAS integration, if device-side APIs are available, the device management is done through that (e.g., Apple MDM protocol). If no deviceside MDM API is present, there is a native agent for that platform (e.g., Android; see Table 7).

12 Page 12 of 16 Table 7. for Fiberlink MaaS360* Policy Enforcement Document Sharing and Scalability As-a-Service and Cloud Delivery Models Acceptable use, centralized administration, OTA provisioning, profiles, monitoring, data backup are supported for ios, Android, WP 7 and BlackBerry. Dictate use of networks for ios and Android. Additional policy enforcement for ios and Android include dynamically changing policies (e.g., , Wi-Fi and restrict VPNs), or taking a remediation action (e.g., wiping device), based on device context (e.g., location) or a recent event (e.g., removed SIM). Automatic provisioning of policies to devices discovered on corporate servers. Access restriction, enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support, remote lock, remote wipe, user authentication, device authentication, total device wipe, secure configuration profiles, autotrail/logging, identity management for ios, Android, BlackBerry and WP 7 (through EAS). Media encryption, selective wipe, jail-broken/rooted devices and VPN for ios, Android and BlackBerry. Anti-malware/antivirus, system-level API/access signing or certificates for ios. Firewall not supported. Single-document containerization through policy enforcement. Limited policy enforcement on third-party applications through SDK, but no application wrapping (integration with a third-party wrapper is possible). No complete corporate container, and no dual personas. Through integration with native APIs, restriction to the native client can be enforced (attachments and forwarding) on ios 5. OS version detection, enterprise software licensing management for ios, Android, BlackBerry and WP 7. downloader (on the device), enterprise app store, multiplatform app stores, app store management for ios, Android and WP 7. verification, full application or OS updates (major updates), patches, application quarantine, identify root access applications and secure folder for enterprise applications for ios and Android. Control enterprise applications, whitelist/blacklist enterprise applications, control of nonenterprise applications, Web filtering and enterprise software licensing management for BlackBerry, ios and Android. Volume purchasing program for ios. Document container to synchronize corporate documents to mobile devices, storing them encrypted and separate from personal documents. Policies can be applied to either allow sharing or restrict sharing of documents. If a restricted sharing policy is used, the documents cannot be moved to other applications, ed or have screen captures performed. Any document distributed can be centrally removed from the device individually, or in bulk. MaaS360 is automatically load balanced and supports large implementations, with deployment sizes of many tens of thousands of devices. No extra steps are needed for customers to grow from one device to 100,000 devices. Elastic and instant scalability, and low maintenance and rollout costs. MaaS360 runs on a cloud-based, virtualized, multitenant server farm in Fiberlink -operated data centers. Pricing is available per device or per user, and free service is available for all companies for 30 days. User-based bundled pricing is available for an unlimited number of devices per user at a flat monthly fee *There is no specific version number, because the deployment and maintenance model is completely SaaS. Good Technology Good for Enterprise (GfE) is a mobility suite providing security and management support as part of a mobile collaboration and application development framework. Good Technology offers the strongest form of corporate containerization across multiple mobile device OSs including ios, Android and WP 7 supporting complete isolation of the corporate footprint from personal content. Good focuses on managing the corporate container, rather than the entire device, by enforcing policies to the container, such as encryption, data leakage prevention (e.g., prohibiting the saving of attachments outside the container) and selective remote wipe. The main components of the GfE suite include Good Mobile Control for MDM, Good Mobile Access for secure access to corporate data, and Good Mobile Messaging for secure wireless (see "Magic Quadrant for Enterprise Wireless Market"). GfE management and security capabilities work in combination with Good's proprietary client and browser, but not with those native on the device. In June 2012, Good launched a stand-alone management product (Good Mobile Manager) that works without a container, and integrates EAS and the device's native management APIs, but this product is not covered in this assessment (see Table 8). Table 8. for Good Technology GfE v.6.x Policy Enforcement Acceptable use, centralized administration, OTA provisioning, profiles and monitoring for ios and Android. Data backup and dictate use of networks for ios. Does not rely on a local EAS agent on the device for policy implementation, but provides its own policy implementation. No support for BlackBerry devices. No integration of OMA device management policies. Enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support for data at rest and

13 Page 13 of 16 Document Sharing and Scalability in transport, remote lock, remote wipe, total device wipe, selective wipe and autotrail/logging for ios, Android and WP 7. Access restriction, user authentication, device authentication, jail-broken/rooted devices, firewall, anti-malware/antivirus, and secure configuration profiles for ios and Android. Other features include device monitoring with coverage history and last message sent/received, network operations center (NOC)-based architecture and secure browser for intranet access. Authentication between device and NOC, then between NOC and corporate back end. Identity management, system-level API/access signing or certificates, and mobile VPN only partially for ios. Full corporate container with dual-persona support for clean separation of personal and corporate data. Container based on the native sandbox mechanism provided by the mobile OS, and extended with policies such as encryption, selective remote wipe and data leakage prevention. Corporate , calendar, contacts and browsing containerization through proprietary applications. of third-party applications through application wrapping with policy enforcement (via SDKs). In-house application development with containerization through a complete development platform (Good Dynamics). Corporate document folder containerization through policy enforcement. policies include enable/disable download of attachments and block by attachment size/type, disable sync of contacts and/or limit sync of specific fields only, disable cut/copy/paste between personal and corporate data, detect last time connected to corporate data and wipe if exceeds policy, and control intranet sites users have access to via a secure browser. of native clients is not supported. downloader (on the device), application verification, whitelist/blacklist enterprise applications, OS version detection, enterprise app store, multiplatform app stores, app store management and secure folder for enterprise applications for ios and Android. Control enterprise applications and Web filtering for ios. Identify root access applications for Android. Control of nonenterprise applications, application quarantine, enterprise software licensing management and volume purchasing program are not supported. Good supports secure document management with file synchronization and sharing, policy enforcement on documents at rest through partners such as Box, Accellion and GroupLogic. Through Accellion, it can offer certified solutions for HIPAA regulations. Good has multiple deployments of over 20,000 concurrent seats. The Good server architecture allows virtualization and independent scaling of all major components, including Good Mobile Control, Good Mobile Messaging and Good Mobile Access. Components may be centralized or distributed, depending on the organization and network topology As-a-Service and Cloud Delivery Models MobileIron This is not supported. 1.0 MobileIron launched its product in September 2009, and has seen fast growth in sales, mind share and market share, outselling most MDM platforms in the past year. Built from the ground up, it is focused solely on mobility management, incorporating the Virtual Smartphone Platform (VSP) architecture to support security, data visibility, application management and access control. It does not provide encryption or VPN capabilities outside of what is provided on the device. MobileIron was one of the first vendors to combine MDM with network service management. The new release, coming in September 2012, will bring new capabilities in containerization for application and document security through policy enforcement (see Table 9). Table 9. for MobileIron VSP v.4.5 Policy Enforcement Centralized administration with monitoring for ios, Android, BlackBerry and WP 7. Acceptable use, OTA provisioning and profiles for ios and Android. Data backup, dictate use of networks and certificates for ios and Android. Other policies include real-time roaming detection and automatic group creation, as it autogenerates groups based on ownership so that IT can easily apply differentiated policies. Certificate-based authentication capabilities. Enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, remote lock, remote wipe, total device wipe, autotrail/logging and identity management for ios, Android, BlackBerry and WP 7. User authentication, device authentication, selective wipe (including , Wi-Fi settings, VPN settings and in-house apps) and secure configuration profiles for ios, Android and BlackBerry. Access restriction for ios, Android and WP 7. Core encryption support, jail-broken/rooted devices, VPN, antimalware/antivirus, and system-level API/access signing or certificates for ios and Android. Media encryption for Samsung Android

14 Page 14 of 16 Document Sharing and Scalability Firewalls are not supported. Personal versus corporate tagging for files and applications supported to selectively wipe corporate content. Separate management of corporate connectivity (Wi-Fi and VPNs). Policy enforcement for corporate on ios 5, through native APIs and on Android through NitroDesk's TouchDown. Single-application and document containerization through SDKs are not supported. Corporate container and dual personas are not supported. downloader (on-device), application verification, control enterprise applications, whitelist/blacklist enterprise applications, control of nonenterprise applications, OS version detection, enterprise app store, multiplatform app stores, app store management, full application or OS updates, and patches for ios, Android and BlackBerry. Identify root access applications, secure folder for enterprise applications, enterprise software licensing management for ios and Android (TouchDown). Volume purchasing program application inventory monitoring, quarantine and removal (for ios). Web filtering is not supported. No native capability supported, and no time-sensitive file distribution. Partners with Box, Accellion and GroupLogic for file synchronization, and sharing with their cloud services. Supports 20,000 devices per virtual or hardware appliance with central console to combine appliances. New application delivery network (based on Akamai) allows unbounded application size (up to 1GB) and simultaneous downloads. It addresses previously reported issues on mass-volume scalability As-a-Service and Cloud Delivery Models SaaS service (MobileIron Connected Cloud) available with per user-pricing as well as per device. Low-end version for smaller businesses, through service providers. 3.0 SAP Afaria is SAP's MDM and security product, and it is also delivered as cloud services within SAP Managed Mobility (or as hosted services through partners such as Verizon and Orange). SAP does not require a proprietary client, but instead offers integrated secure control over a third-party solution (for Android, via its partner NitroDesk). Afaria provides rich support for software distribution, policy enforcement, inventory management and security. It is one of the oldest MDM products in the market (see Table 10). Table 10. for SAP Afaria v.7 Policy Enforcement Acceptable use, centralized administration, OTA provisioning, profiles and integration of OMA device management policies for ios, Android and BlackBerry. Data backup and dictate use of networks not supported. Access restriction, enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support, user authentication, device authentication, selective wipe, jail-broken/rooted devices, VPN, secure configuration profiles, autotrail/logging, identity management, system-level API/access signing or certificates for ios and Android. Remote lock, remote wipe and total device wipe for ios, Android and BlackBerry. Media encryption for Android. Firewall and anti-malware/antivirus are not supported. Does not support WP 7. Integration with native APIs on ios and Android to control files and application configurations. SDK with an application runtime library for policy enforcement on applications built with Sybase Unwired Platform. No corporate container or dual personas. downloader (on-device), OS version detection and secure transfer of enterprise data/applications for ios, Android and BlackBerry. verification, control enterprise applications, whitelist/blacklist enterprise applications, enterprise app store, app store management, full application or OS updates, patches, application quarantine, identify root access applications and enterprise software licensing management for ios and Android. Control of nonenterprise applications for Android. Volume purchasing program for ios. Multiplatform app stores, Web filtering and secure folder for enterprise applications are not supported. The application management functionality allows enterprises to seamlessly configure applications (users should not have to enter URLs and ports) Document Sharing and This is not supported. 1.0 Scalability The Afaria solution is highly scalable, and can support large installations. It supports highly available instances, and can synchronize content across distributed servers located in separate physical locations. Many deployments, with tens of thousands devices. As-a-Service and Cloud Delivery Models SAP offers a new cloud MDM service through Amazon Web Services (AWS), where customers can sign up for a service with perpetual or subscription pricing. SAP also offers managed mobility services through partners, but this is not rated here. 2.0

15 Page 15 of 16 Symantec Symantec is a prominent, global security player with strong positions in desktop and laptop antivirus, encryption and comprehensive endpoint management. It has offered MDM support in Altiris since Although Symantec has offered MDM for years, Gartner analysts have not seen evidence of competitive public visibility until recently, and cannot verify a significant presence through our client references. Symantec has successfully obtained all the pieces for a strong MDM platform, including its recent acquisitions of Odyssey and Nukona. But its focus on security, and lack of a unified product to date, means that it needs to integrate Mobile, Content, Cloud Access, Secure Sync & Share, and Device, because the lack of focus makes it hard to understand the business and operational requirements for mobile device life cycle management. Symantec integrated Mobile v.7.2 for security (anti-malware) with Mobile 7.2, which focuses on software, inventory and application management. Symantec plans to enhance application wrapping through its Nukona acquisition (now branded Symantec) and additional features, such as dynamic policies and an SSL tunnel for each application, and typically sells the product combined with Symantec Mobile 7.2, which is why this is rated here. Symantec's recent launch of 7.2 extends its capabilities to Android as well as ios (see Table 11). Table 11. for Symantec Mobile v.7.2 and Symantec App Center v.3.1 Policy Enforcement Document Sharing and Scalability Symantec's Mobile product includes security policy and configuration management for ios, Android and Windows Mobile 7 platforms. Symantec's product has specific enhancements, such as geolocation for location-based policies. The main security features include antivirus technology, a stateful firewall functionality to automatically configure and control inbound and outbound network traffic by network address, port and protocol, and an SMS anti-spam solution, as well as FIPS certified encryption for ios devices. With its recent acquisition of Nukona, Symantec allows application containerization using the binary of an app, without source code changes. A corporate container and dual personas are not supported. Symantec supports the basics on ios and Android, including application downloading, version support and updates. Its enterprise mobility platform enables secure usage of cloud apps from mobile devices using Symantec O3 and managed public-key infrastructure (PKI) services. It provides an IOzone client for each mobile device, an internal app store and a content library, as well as policies on a per-application/-file or group basis. As part of Symantec Mobile, Symantec supports secure, mobile file distribution. Symantec Mobile utilizes the Symantec Platform (SMP), a server environment also used for Altiris, IT Analytics, Symantec System Recovery and other security products. SMP provides a Web-based console, an extensible configuration management database (CMDB), plug-in connectors to a number of enterprise systems (e.g., Active Directory, help desk systems, etc.), standardized and customized reporting, alerting, IT analytics, online analytical processing (OLAP) reporting, and an extensible Symantec Workflow Engine. The Mobile server system has been scalability-tested to manage 20,000 device agents, and a simultaneous 20,000 Altiris Client Suite agents, using one SMP server (a back-end server), with one SQL server and one Mobile Site Server (a front-end server) three servers in total As-a-Service and Cloud Delivery Models Mostly on-premises based. Some components are commercially offered, and are supported as SaaS services (managed PKI) through partners. 2.0 Zenprise Zenprise provides management and security mobile device solutions across platforms such as ios, Android, BlackBerry, Windows Mobile and Symbian. Zenprise MobileManager is one of the more innovative platforms available, combining a strong mobile VPN solution with the use of location-based technologies. It has a clear interface, and solid reporting capability. The solution leverages a common server push communication framework for Android, Windows Mobile and Symbian devices. On Android, Zenprise has leveraged manufacturer APIs to provide additional capabilities, such as native configuration of and installation, and removal of mobile apps. Zenprise supports Microsoft BPOS and Office 365 messaging deployments, and secure document distribution with Office 365 SharePoint via profile configuration and deployment, as well as Google Mail (see Table 12). Table 12. for Zenprise Mobile Manager v.6.5 and Zencloud v.6.5 Policy Enforcement Good interface for standard policy enforcements; administration and user profiles are available. Zenprise has integrated with Blue Coat Systems and Palo Alto Networks to provide enhanced security for mobile devices. Zenprise can enable the distribution of device identity and user identity certificates, in conjunction with MDM profile configuration. The Zenprise Universal PKI Web services interface provides the flexibility to integrate with enterprise PKI solutions, including Microsoft Certificate Services, RSA Certificate Manager, OpenSSL and virtually any third-party PKI solution. 4.4

16 Page 16 of 16 Document Sharing and Document containerization exists for secure file access on ios and Android devices. policies include encryption, file access restriction based on device identity, policy compliance, certificates, etc. Data leakage prevention policies enforced to file in the container. wrapping is not available. On ios, Zenprise can remotely remove blacklisted applications, and prevent user launching of certain blacklisted apps, such as a camera, App Store and Safari browser. Zenprise can remotely remove ios profiles, such as Wi-Fi, VPN, and certificates. With Zenprise Mobile Data Loss Prevention, customers can securely synchronize documents with SharePoint 2010 or Office 365. This capability provides access to corporate information, while enabling granular data control to protect corporate documents Scalability Zenprise supports Windows 2003 Server, Windows 2008 and Windows 2008 R2. The solution supports 10,000 concurrent devices on one server, and scales linearly to support large implementations. Zenprise also supports active-active clustering and network load balancing to enable large enterprise deployments, and provide high availability. 3.0 As-a-Service and Cloud Delivery Models Launched within the past year, most deployments are on-premises based About Gartner Careers Newsroom Policies Site Index IT Glossary Contact Gartner