Magic Quadrant for Enterprise Mobility Management Suites

8 June 2015 ID:G

Analyst(s): Terrence Cosgrove, Rob Smith, Chris Silva, John Girard, Bryan Taylor

Enterprise mobility management suites are the glue that connects mobile devices to their enterprise workflow. End-user computing leaders must consider short-term and long-term objectives amid rapid market changes.

Market Definition/Description

This document was revised on 9 June The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

Enterprise mobility management (EMM) suites help organizations integrate mobile devices into their security frameworks and systems and information technology life cycles. Organizations use EMM tools to perform the following functions for their users:

Provisioning: EMM suites configure devices and applications for enterprise use.

Auditing, tracking and reporting: These products audit mobile devices and applications to track compliance with enterprise policies. They also maintain inventory for cost and asset management purposes and are capable of tracking usage of services and apps.

Defense of enterprise data: EMM suites apply technologies to encrypt data, control data flow and remotely revoke user access to mobile applications and information in the event the user or device becomes untrusted (for example, through device loss, unauthorized reconfiguration or employee termination).

Support: EMM suites help IT departments troubleshoot mobile device problems through inventory, analytics and invoking remote actions.

There are four core EMM technical categories that help IT organizations perform these services. There are some overlapping capabilities between the categories. Organizations may use some or all of these features, depending on their requirements:

1. Mobile device management (MDM): MDM is a platform life cycle management technology that provides inventory, OS configuration management, mobile app provisioning and deprovisioning, remote wipe, and remote viewing/control for troubleshooting. MDM profiles, installed on the device, facilitate these functions.

2. Mobile application management (MAM): MAM applies management and policy control functionality to individual applications, which are then delivered via enterprise app stores and managed locally on devices via the EMM console. This capability is necessary when the OS does not provide adequate management or security capability or when organizations elect not to install an MDM agent on the device. MAM can also provide analytics capabilities to help administrators and application owners understand usage patterns. MAM and MDM functions may also be used complementarily. There are two basic forms of MAM:

Preconfigured applications: EMM vendors provide proprietary mobile apps or integrate with particular third-party apps to provide enhanced levels of manageability. These most commonly include productivity and collaboration applications, such as a secure personal information manager (PIM) for email, calendaring and contact management, as well as a secure browser provided by the EMM provider or a third party.

Application extensions: These apply policies to applications through the use of a software development kit (SDK) or by wrapping.

3. Mobile identity: EMM tools help ensure only trusted devices and users access enterprise applications. Mobile identity capabilities may utilize one or more of the following technologies: user and device certificates, app code signing, authentication, and single sign-on. EMM tools are increasingly using contextual information (such as location and time) to help inform access decisions.

4.
Mobile content management (MCM): MCM enables users to access content from their mobile devices. The MCM function within EMM suites has four fundamental roles:

A client-side app that enables a user to store content securely on a mobile device. The EMM can enforce policies such as authentication, file sharing and copy/paste restriction. Content comes from sources such as attachments in email, files accessed from a back-end repository, or files accessed from a cloud repository.

Content access: This is a connection to a back-end repository where users can pull content to their devices.

Content push: These capabilities involve push-based file distribution, replacement and deletion.

File-level protection: EMM tools are not full-blown data loss prevention (DLP) or information rights management (IRM) products, but they may apply file-level protections in certain mobile contexts, and they may integrate into larger frameworks.

Magic Quadrant

Figure 1. Magic Quadrant for Enterprise Mobility Management Suites

Source: Gartner (June 2015)

EVALUATION CRITERIA DEFINITIONS

Ability to Execute

Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.

Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.

Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.

Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.

Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.

Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.

Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Completeness of Vision

Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.

Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.

Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.

Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.

Business Model: The soundness and logic of the vendor's underlying business proposition.

Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.

Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or preemptive purposes.

Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.

Vendor and

AirWatch by VMware

Since AirWatch's acquisition by VMware in February 2014, AirWatch has become part of the End-User Computing business unit, but has largely operated as an independent entity. This is starting to change, as AirWatch is becoming integrated with various VMware technologies, most notably VMware's identity and access management and software-defined networking products. AirWatch's offering has comprehensive EMM functionality and as a result, appears most frequently in Gartner clients' EMM vendor shortlists. Previously, AirWatch was a closed system with limited support for third-party independent software vendor (ISV) mobile applications. However, this has changed under VMware with a large expansion of applications that now directly integrate with the product. Gartner hears of periodic code quality issues with the AirWatch product, which likely come as a result of attempting to provide a broad set of capabilities quickly. AirWatch is a good fit for organizations that require a comprehensive EMM feature set on a broad range of platforms.
AirWatch has proven large-scale deployments across most vertical markets.

The administrative console is one of the easiest to use with embedded training videos, links and a wizard-like approach to help new administrators become productive quickly.

AirWatch continues to push innovation with zero-day support of new operating systems and expansion into management of Internet of Things devices.

Customers report that the Inbox application lacks maturity, causing customers to use third-party PIM products. AirWatch is working to improve the capabilities of the Inbox product.

On-premises infrastructure components are based on Windows, SQL Server and Linux (not appliance-based), adding administrative overhead compared with other on-premises products.

Product stability continues to be an issue with AirWatch. Gartner clients have reported several recent issues on both the console side and the agent side.

BlackBerry

BlackBerry released BlackBerry Enterprise Service 12 (BES12) in November BES12 provides improved non-BlackBerry OS support, and it consolidates the management of BlackBerry devices, which previously required separate versions of BlackBerry Enterprise Service, depending on the type of device. BlackBerry's strategy is to use BlackBerry Enterprise Service as the management platform for additional software products including split billing, identity and access management, its Internet of Things platform, and (most recently) its acquisition of WatchDox. WatchDox offers an enterprise file synchronization and sharing (EFSS) product with enhanced security and content collaboration features. BES12 is a more complete EMM product than prior versions, and it should meet many organizations' requirements for cross-platform management. Our research has found that uptake of BES12 to manage large numbers of non-BlackBerry devices is still low.
BES12 is a good fit for organizations that plan to support BlackBerry devices for the foreseeable future and are satisfied with a capable EMM product for non-BlackBerry devices.

BlackBerry Enterprise Service's MDM support for BlackBerry devices is the strongest in the market, including the ability to audit and log SMS messages.

The BES12 console is very well-designed, and it provides good navigation and administration. The console's "filter grid" and "quick filters" make it easy to find users and devices, based on many attributes.

BlackBerry support continues to get very positive feedback from customers.

Customers cited usability problems with the Secure Work Space for BES12, particularly on Android.

BlackBerry Enterprise Service MDM capabilities on non-BlackBerry devices have improved; the product still lags competitors in terms of completeness supporting new MDM features, such as Apple Device Enrollment Program (DEP) and certificate management.

BES12 does not currently support Windows 8.1 or Mac OS X.

Citrix

In January 2015, Citrix released version 10 of its XenMobile product, which takes significant steps in simplifying the product's architecture and unifies the MDM and MAM console. In addition, XenMobile 10 added a self-service portal for users and support for Android for Work. ShareFile, Citrix's MCM product, is a full-featured EFSS product that is included in XenMobile Enterprise and remains among the best in the market. Citrix is a good fit for organizations that are looking to deliver a secure workspace comprising Windows, Web and mobile applications, as well as organizations that use ancillary technologies, such as XenApp, XenDesktop and NetScaler.

Citrix gets high marks for user experience. WorxMail (Citrix's secure PIM product) added a weekly calendar view, zip file support and other new features with the XenMobile 10 release.

Citrix ShareFile remains one of the strongest MCM products among EMM vendors.
Citrix provides an integrated user experience between virtual Windows applications and native mobile applications.

Though the product has sold reasonably well, Gartner was still unable to find many reference customers with very large current deployments (over 10,000 devices).

XenMobile 10 console is separate from those of NetScaler and ShareFile. While NetScaler and ShareFile do not require a great deal of day-to-day administration, XenMobile administration is less streamlined, as well as a more demanding project, for organizations that do not already use NetScaler.

Citrix released an upgrade tool to simplify the move from XenMobile 9 to XenMobile 10 in April
2015. However, the tool supports only MDM instances. Citrix has announced that it will release tools to migrate MAM and MDM-plus-MAM instances later in

Globo

Globo offers EMM through its GO!Enterprise Workspace suite, which includes its EMM solution, a mobile application development platform (MADP) tool, and a secure container for content and applications. Globo is unique in its offering of a full MADP component within its product suite for which no additional license beyond the GO!Enterprise suite is required; however, additional licensing of the secure container offering is required for any apps built on the MADP that an organization wishes to distribute, secure and manage. In June 2014, Globo announced the acquisition of Sourcebits to strengthen Globo's mobile application development capabilities. Additionally, Globo completed third-party National Institute of Standards and Technology (NIST) validation of its use of Federal Information Processing Standard data protections in its EMM solution in October Globo is a good fit for organizations seeking an application-centric EMM that offers a low barrier to entry into the MADP space.

Globo remains one of three vendors in this analysis with a strong tie-in of mobile app development capabilities that go beyond an SDK or app wrapper offering.

Administrators can create a comprehensive secure workspace, without the need for a configuration profile, including PIM, browsing, chat, camera, file access, and apps built using the Globo MADP.

The ability to make use of app instrumentation through its MADP module provides Globo customers a potentially rich trove of app usage and performance data.

Globo's presence is much more prominent in European markets than in U.S. markets, and the vendor does not enjoy the name recognition or customer base of many leaders outside of Europe. Therefore, identifying relevant reference customers when buying may prove challenging.
The GO!Enterprise suite lacks some core components present in competitive offerings, such as remote view and control of apps or devices, as applicable, by platform and the ability to create dynamic policy groups based on device status, such as roaming state.

GO!Enterprise has weak certificate management. It lacks certificate support for mobile applications. It also lacks its own certification authority and supports few third-party certification authorities.

Good Technology

Good Technology released Good Work, the successor to the Good for Enterprise PIM client, in Good Work is built on the Good Dynamics Secure Mobility Platform, inheriting the security and functional capabilities of that platform, such as single sign-on, multifactor authentication, workflows and presence. The transition from the legacy Good for Enterprise and AppCentral products to the current Good Work and Good Dynamics products has caused confusion among customers, as the current products do not yet contain all of the capabilities of the legacy products. In October 2014, Good acquired Macheen, a cloud application service provider specializing in device connectivity. Good has brought Macheen services into the Good Dynamics to add split data billing capabilities. Good Technology EMM is a good fit for organizations with stringent security requirements, those in regulated industries, or those with aggressive mobile app development plans that can benefit from the broad range of capabilities of the Good Dynamics SDK.

Good's PIM functionality is the most advanced among the EMM vendors, including capabilities such as mail push notifications on iOS/Android/Windows, presence, advanced search and contact history.

Good's service management capabilities are among the best in class, with powerful reporting tools to facilitate remote support.

The Good Dynamics platform has evolved from a security focus to a general-purpose collection of libraries that organizations developing their own apps will find attractive.
Split-billing capabilities for data (implemented via Good Dynamics) are differentiating for bring your own device (BYOD) environments looking to implement this capability today.

The Good Work platform is new and has numerous end-user functional limitations on Android, iOS and Windows Phone.

Good's current grouping mechanism is primarily through user groups. It does not provide a good way of creating groups based on device properties.

Good lags the competition in many MDM functions on iOS, Android and Windows Phone.

IBM
IBM rebranded MaaS360 to "MobileFirst Protect" in 2015 to align EMM with the IBM MobileFirst strategy. MobileFirst Protect EMM manages the three popular mobile OSs: iOS, Android and Windows Phone in addition to workstation systems based on Windows 7/8 and Mac OS X. MobileFirst Protect is part of the "Secure and Manage" practice, which represents the second of four practice areas in the MobileFirst portfolio, the others being "Build" tools for developing and testing mobile apps, "Engage" tools for analyzing and optimizing mobile customer experiences, and "Transform" tools to help build mobile business models. MobileFirst Protect is a good fit for organizations looking for an easy-to-deploy EMM product and for those interested in the broader IBM MobileFirst strategy.

IBM's mature shared-processing multitenant architecture is the best-in-class cloud among ranked EMM vendors. It allows easy separation of access for users, as well as separation of duties and scope for different levels of administrators and help desks.

Reference customers consistently praise MobileFirst Protect for ease of deployment. Installations can be readily personalized to meet a company's needs, and extensive self-help is available for individual users.

MobileFirst Protect provides a robust and extensive device monitoring and tracking system, which includes features that can be used for selective notifications based on geography. Several of IBM's clients have begun to use it as a basic emergency or mass notification service (EMNS).

User feedback indicates that it is the original Fiberlink team that drives satisfaction with MobileFirst Protect. Interference has been minimal since the acquisition, but clients do note a slight drop in service.

The uptake of MAM (app wrapping and securing apps using an SDK) with MobileFirst Protect is low, based on our research.
It trails other products in some areas, particularly because of its lack of mobile app certificates (currently in development), its lack of SAML support, and its limited app analytics capabilities.

We continue to get feedback from customers about console and administration issues. For example, records of retired devices remain in the system for a period of time, and there are sometimes issues in synchronizing data between the mobile gateway and the MobileFirst Protect console.

Landesk

Landesk is a longtime leader in client management with its Landesk Management Suite. The company's acquisition of Wavelink in 2012 resulted in the creation of two EMM products, Mobility Manager and Avalanche. Mobility Manager is the company's general-purpose EMM suite, while Avalanche carries forward Wavelink's focus on purpose-built and ruggedized devices (in addition to consumer-grade devices like smartphones and standard tablets). In addition to selling these products as stand-alone offerings, the company sells bundled offerings that include Mobility Manager tightly integrated into its adjacent client management, service desk and endpoint protection. Through its acquisition of LetMobile, Landesk also offers secure PIM and Web apps that allow these apps to be used without any local data on the device. Landesk is a good fit for ruggedized device management and unified endpoint management.

Landesk has one of the strongest offerings for converged endpoint management, with tight integration between Landesk Management Suite and Mobility Manager.

Mobility Manager is one of the few products in the market to offer integrated EMM and service desk.

LetMobile's unique architecture allows for delivery of email while keeping all data in the data center and off the device, an approach that appeals to some organizations for enabling highly secure access for BYOD users, boards of directors or business partners.

MDM policy support still lags leading EMM products for both iOS and Android devices.
MCM remains basic and is limited to content push and storage on the device. Mobility Manager does not provide access to back-end content stores or file share and sync.

Gartner did not find customers using the MAM or MCM capabilities of Mobility Manager. References were using only the MDM module.

Microsoft

Microsoft's EMM product is the Enterprise Mobility Suite (EMS), which includes Microsoft Intune, Azure Active Directory Premium and Azure Rights Management. Microsoft Intune provides the core EMM capabilities of MDM and MAM. Intune's strengths are its support of Office 365 and integration of System Center Configuration Manager (ConfigMgr). Microsoft also recently developed a secure PIM capability based on the Outlook mobile app for iOS and Android. This will rival secure PIM offerings available from other EMM vendors. While the end-user functionality of the Outlook mobile app looks compelling, it was not generally available at the time of this report. The EMS represents a comprehensive mobility security and management vision, and it positions Microsoft well for the
future in this market. Currently, Intune adoption is low, and the product is still maturing. Organizations that should consider Intune are those that want to extend the Office 365 services to mobile devices and ConfigMgr customers that value client management and EMM integration over best-of-breed EMM functionality.

Intune has unique technical capabilities to manage the Office Mobile apps on iOS and Android devices, including "conditional access," app-level authentication and copy/paste control.

The Intune license includes entitlement to ConfigMgr, allowing organizations to manage PCs and mobile devices through the same license and console.

The combination of Azure Active Directory Premium, Azure Rights Management and Intune addresses some useful mobile scenarios, for example, changing an Active Directory password from a mobile device.

Intune has two modes: "standalone" and "hybrid" with ConfigMgr. The "hybrid" mode creates dependencies between Intune and ConfigMgr. Advanced administrative functionality requires Intune to be connected to ConfigMgr. However, new Intune functionality is not immediately available when Intune is connected to SCCM, and changes to ConfigMgr can affect its ability to work with Intune. The next major version of ConfigMgr plans to address this issue.

Intune supports most of the generic Android MDM APIs, as well as some Samsung Knox capabilities. It does not support MDM APIs of Android for Work or other handset manufacturers (such as LG and HTC).

Intune's MAM has limited compatibility with third-party mobile application development tools, and it is behind most competitive products on containerization and analytics features.

MobileIron

MobileIron became a publicly traded company in June MobileIron is one of the few stand-alone EMM vendors, and it faces the challenge of increasingly competing with large IT infrastructure and operations vendors.
The company has continued to demonstrate growth in the number of customers and the sophistication of its EMM deployments. MobileIron's strategy continues to be to enable an "open" ecosystem of devices and mobile applications, and to protect access and information through server-side functions. This strategy can also add cost and complexity for customers that prefer a single-vendor solution for EMM along with other mobile-relevant products, such as EFSS, collaboration and anti-malware. MobileIron continues to receive high marks for its ability to scale to multiple-hundred-thousand-device deployments with few or no issues in architecture. Organizations that want a comprehensive EMM product, particularly to enable a diverse range of mobile applications, should consider MobileIron.

MobileIron's MCM product, can encrypt and delete files, allowing organizations to protect individual files even when they are in unmanaged content repositories.

MobileIron's MAM product, AppConnect, has good compatibility across a wide range of MADP tools, and reference customers this year reported heavy use of AppConnect.

MobileIron gets very positive feedback from customers for its certificate management capabilities, with a built-in certificate authority, support for a long list of public app store apps, and single sign-on to enterprise systems.

MobileIron's infrastructure is appliance-based and more difficult to monitor for availability and performance than many competitive products.

MobileIron has a SaaS version of its EMM product as well as an on-premises version, and there is not feature parity between the two versions.

Reporting is a challenge with MobileIron, in terms of building customized reports and scheduling.

SAP

SAP Mobile Secure is a suite of products that includes Afaria (on-premises MDM), SAP MDM (SaaS-based MDM), SAP Mobile App Protection by Mocana (for MAM) and SAP Mobile Documents (for MCM and EFSS).
SAP also released a SaaS edition of SAP Mobile Secure in Mobile Secure benefits from SAP's breadth of assets, including SAP business intelligence, to deliver a unique administrator dashboard experience. SAP Mobile Secure's primary differentiation lies in its ability to integrate and support SAP products. SAP Mobile Secure is a good fit for companies that own SAP products and value the extension of those products within a single vendor's offering, although the product does not require an existing SAP back end.

Organizations can build and wrap certificate-signed SAP Fiori apps and custom apps built on SAP Mobile Platform or SAP Hana Cloud Platform mobile services.
SAP Mobile Secure's reporting is strong. It provides nice visualizations and intuitive ways to create custom reports.

SAP has good Android for Work support, including the ability to wrap applications with Android for Work security capabilities for pre-Android L devices.

The SAP Mobile Secure administrative interface is disjointed, with MDM, MAM and MCM residing in separate consoles.

Several of the references using Afaria were running older versions of software due to their experience of challenges with Afaria updates.

SAP Mobile Secure lacks a proprietary secure PIM capability.

Sophos

Sophos' EMM product is part of a broader strategy aimed at securing PCs and mobile devices through a combination of endpoint and network-based technologies. Sophos Cloud provides this broad set of capabilities, although Sophos also sells EMM as a stand-alone offering through Sophos Mobile Control (SMC). SMC is one of the few products to provide a form of digital rights management as a core component in its MCM. Gartner frequently sees SMC deployments with small and midsize businesses, but rarely in large enterprise customers' sites. Sophos is a good fit for organizations looking for integrated endpoint protection and EMM from the same console.

Sophos' MCM encrypts files leaving a PC or mobile device to prevent data leakage. This integrates with third-party file storage providers and enables companies to securely use low-cost third-party storage.

Most of Sophos' references cited ease of administration and use as a significant product strength.

SMC directly integrates security capabilities, such as anti-malware, Web security, unified threat management (UTM) gateways from Sophos, Cisco integrated development environment (IDE), and Check Point for easier enablement of remote access.
Sophos can be slower to support the latest advancements in mobile technology than the leading vendors' technology; for example, it does not plan to support Android for Work until later in

SMC has limited role-based administration, which can be an issue, particularly for large organizations.

Sophos MAM functionality is limited to a mobile SDK. Therefore, organizations looking to deploy third-party developed apps must build in additional security that other EMM vendors provide as a core portion of their products.

Soti

Soti has deep roots in the dedicated-purpose device management space. Its MobiControl Android+ technology, which allows MobiControl to manage Android devices with a high degree of control and configuration management capability, remains a differentiator. The company has maintained its affinity for the Android platform in version 12.1 with same-day support for Android for Work, and its comprehensive management of this platform solidifies Soti's position as a leading EMM product for Android environments. Soti is used less frequently as an EMM product where BYOD is the predominant scenario, and we sometimes find Soti customers using other EMM products for iOS, Windows Phone and Mac OS X devices. Soti is a good fit for organizations that require broad EMM capabilities, especially those making a heavy investment in Android mobile devices.

Soti's extensive experience with and comprehensive support for Android makes it one of the strongest EMM solutions for this platform.

MobiControl has strong remote support capabilities, with full remote control for Android devices and remote viewing for SDK-enabled iOS apps.

MobiControl implements sophisticated geofencing capabilities based on polygonal perimeters, depending on devices in use.

While Soti has strong support for Android (and legacy Windows Mobile), it has a relatively small percentage of iOS devices under management.
While 24/7 support is available to "Advantage" and "Enterprise Support" customers, direct support from named technical account managers is available only weekdays from 9 a.m. to 5 p.m. in the customer's local time zone. The published SLAs for escalations during off hours and weekends for any issue that requires product development to be involved are tied to business hours of Soti headquarters.
Customers have reported product stability to be an occasional issue with Soti.

Vendors Added and Dropped

We review and adjust our inclusion criteria for Magic Quadrants and MarketScopes as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant or MarketScope may change over time. A vendor's appearance in a Magic Quadrant or MarketScope one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.

Added

Microsoft

Dropped

Symantec: Symantec did not have the revenue necessary for inclusion. We believe Symantec will continue to support current EMM customers but will focus R&D on adjacent mobile security technologies, such as DLP, authentication and identity management.
Tangoe: Tangoe focuses on the telecom expense management (TEM) and managed mobility services (MMS) markets. As the EMM market continues to move quickly, Tangoe has decided to partner with EMM vendors to provide an integrated MMS-TEM offering.
Absolute Software: Absolute is a strong player in the client management tool space and sees MDM as a component of its Absolute Manage product. The EMM market has been moving quickly on the MAM and MCM fronts, and Absolute has not invested aggressively in these areas. Absolute Software is still a good choice for organizations looking to extend MDM from their client management tool consoles.

Inclusion and Exclusion Criteria

More than 100 vendors offer EMM functions. We developed inclusion criteria involving a combination of business metrics and technical capabilities. Each vendor in the Magic Quadrant must meet the following criteria:

The vendor must have at least $12 million in 2014 EMM revenue.
There must be five references from organizations using the EMM product in production.
The vendor must offer EMM support for iOS, Android and Windows Phone.
The vendor must provide MDM, MAM through app wrapping or an SDK, and MCM.

Many EMM products provide functions beyond those already listed. Some features were considered optional and not necessarily critical criteria for comparison. For example: Advanced MAM that manages PIMs, browsers and other applications Support for Mac OS X and Windows Mobile identity and access through capabilities such as certificate management, enabling single sign-on on mobile devices, and executing "contextual authentication" through dynamic conditions, such as time, location, user and device posture Mobile analytics to understand usage trends and support troubleshooting File-level protections to protect data consumed or created in a mobile context

Many vendors were considered for the Magic Quadrant but did not qualify because they did not meet the business metrics or the technical capabilities required for inclusion. The following are a few vendors that have increased their investments in EMM but lacked the product completeness or established track record to qualify for inclusion:

Centrify has offered a free EMM for several years, with an option to buy into a fully supported product. During 2014, Centrify was endorsed by Samsung as a Knox EMM provider. During the review period for this report, Centrify was unable to meet sales thresholds for market size inclusion. Centrify is separately pursuing secure server connections as alternatives to per-app VPNs.
Cisco's EMM offering is marketed under the Meraki brand and has garnered significant interest for organizations early in the process of selecting an MDM with little or no prior experience of deploying one. Cisco does not currently have a MAM module and did not meet the revenue inclusion requirements.
Oracle, a leading global ISV and database company that acquired Bitzer Mobile, offers basic EMM, app wrapping, per-app mobile VPN and scalable mobile identity management.
Pricing is attractive, and the mobile framework integrates well with Oracle business apps. Oracle's mobility solution has been available for too short a time to qualify for inclusion based on market presence, but is expected to be increasingly competitive in Support needs to be expanded to more platforms; currently, it is available only for iOS and a limited number of Android models.

Evaluation Criteria

Ability to Execute

The Ability to Execute axis measures the vendors' ability to meet the current needs of EMM buyers, as well as their ability to succeed in this market by gaining market share and achieving revenue growth.

Product/Service: What features are provided, and does the vendor have customers using these features successfully in production environments?
Overall Viability: This criterion evaluates the size of the vendor and its financial performance. We also evaluated the size and growth of the vendor's EMM business.
Sales Execution/Pricing: This criterion was influenced by the frequency of the vendor's appearance on buyers' shortlists. We also evaluated the degree to which the vendor has a presence in North America, Europe, Latin America and the Asia/Pacific region.
Market Responsiveness/Record: We evaluated execution on delivering products consistently and in a timely fashion, the agility to meet new market demands, and how well the vendor received customer feedback and quickly built it into the product. We looked at the vendor's ability to meet promised timelines.
Marketing Execution: This is a measure of brand and mind share through client references and channel partner feedback. We evaluated the degree to which customers and partners have positive identification with the EMM product, and whether the vendor has credibility in this market. We also used search hits on gartner.com for the vendor and product as a measure of brand recognition and market awareness.
Customer Experience: We assessed the vendor's reputation in the market based on customer feedback regarding customers' experiences working with the vendor, whether they were glad they chose the vendor's product and whether they planned to continue working with the vendor.
Operations: This refers to the ability of the organization to meet its goals and commitments.
Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.

Table 1. Ability to Execute Evaluation Criteria Evaluation Criteria Weighting Product or Service Overall Viability Sales Execution/Pricing Market Responsiveness/Record Marketing Execution Customer Experience Operations Source: Gartner (June 2015) Standard Standard None

Completeness of Vision

The Completeness of Vision scale provides an aggregate measure of a vendor's likelihood of future success in the EMM market. We evaluated vendors' statements about product direction, the degree to which current capabilities map to future demands, and the vendor's focus on EMM requirements.

Market Understanding: This criterion evaluated vendor capabilities against future market requirements. It takes into consideration the evolution of the buyer for EMM suites, and whether the vendor will remain focused on meeting the buyer's needs.
Marketing Strategy: This criterion considered how EMM technology and value are positioned. The marketing strategy must be aligned with the evolution of the EMM buying center and its requirements.
Sales Strategy: This criterion evaluated the vendor's route to market (for example, direct versus indirect sales) and the strength of the offerings that go to market with the vendor's EMM tools (for example, endpoint management, file sync and share, desktop virtualization, and endpoint security). We also evaluated the vendor's pricing models and whether they map to customer requirements.
Offering (Product) Strategy: This describes the degree to which vendors have plans to deliver differentiated functionality and have a timely roadmap to provide that functionality.
Business Model: This considers the vendor's business model for its EMM product and whether it ensures future investment and success in the EMM market.
Innovation: This evaluated the vendor's plans to meet customer needs that extend beyond conventional EMM technology.
Geographic Strategy: This refers to the vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the vendor's home or native geography, either directly or through partners, channels and subsidiaries, as appropriate for the geography and market.

Table 2. Completeness of Vision Evaluation Criteria Evaluation Criteria Weighting Market Understanding Marketing Strategy Sales Strategy Offering (Product) Strategy Business Model Vertical/Industry Strategy Innovation Geographic Strategy Source: Gartner (June 2015) Standard Standard Not Weighted Standard

Quadrant Descriptions

Leaders

Leaders have the highest product revenue in the EMM market, several years of proven customer implementations, customer mind share, and extensive partnerships with channel and other technology providers. They have the most complete products in the EMM market. Their companies are aligned with the trends of the EMM market. They possess product roadmaps that (if executed upon) would establish continued differentiation in the market. Leaders also demonstrate commitment to the EMM market. Overall, they have a strategy that creates a high likelihood of success in this market.

Challengers

Challengers possess a strong ability to execute, demonstrated by high product revenue and a large customer base. The vendor's considerable resources ensure long-term viability. Challengers may have solid products but lack the product commitment to lead the market.
They are not as closely aligned with the most important EMM market trends, and they do not have a roadmap that demonstrates compelling differentiation from other EMM products.

Visionaries

Visionaries have unique capabilities in certain aspects of EMM. They meet the requirements of customers that place a high priority in certain critical EMM areas. They may not have the product completeness, support capability, business performance, mind share or track record compared with leading vendors.

Niche Players

Niche Players are often excellent choices for organizations. Niche Players do not have the product completeness, revenue, mind share and track record of Leaders or Challengers. Their product roadmaps typically represent a strategy of following the market, rather than leading it. In some cases, this is due to a vendor's lack of resources. Often, many of the niche EMM products are extensions of other management, security or mobility products from those vendors. If a customer does not require best-of-breed capability, it may be best served by a Niche Player that may have an easier or less expensive way to meet EMM requirements, compared with Leaders or Challengers, for example.

Context

Organizations use EMM tools to integrate mobility into their business workflow. There are many factors that determine the appropriate vendor and product for your organization. The vendor must demonstrate the ability to keep up with the fast pace of mobile device change. Organizations must
also factor the EMM vendor's ability to support the enterprise's critical mobile applications and integrate with its IT infrastructure (for example, public-key infrastructure [PKI], VPN, wireless networking, identity and access management platforms). EMM product requirements change as mobile platforms change. Keep abreast of these changes; engage Gartner analysts regularly to understand the changing mobile device landscape and the implications for mobility management. Best practices are to create your requirements first, consider all the possible mobile scenarios you may have in your organization, such as BYOD and use cases specific to your organization, and then create a shortlist of vendors. Do not choose vendors simply on the basis of their position in the Magic Quadrant.

Market Overview

Gartner estimates that the average enterprise has deployed between eight and 15 mobile applications to its employees. Where mobile strategy previously consisted wholly of basic, horizontal productivity tools like email, contacts and calendar, role-specific and mission-critical apps and data are increasingly the bulk of what is being pushed to users' mobile devices. As this trend matures, the need for application-level controls and reporting along with the ability to deliver and consume a growing number of content types is at the heart of many mobile strategies. The tools to manage mobility are no longer sufficient if their purpose is solely to manage device hardware functions. An ability to provide managed access, deliver and manage mobile apps, and facilitate access to content on tablets and smartphones is the expanded set of core features demanded of EMM tools.

Mobile Identity and Access

Users no longer have a single device. They now frequently have a smartphone, a tablet and a laptop and, more often than not, they want to use devices as part of a BYOD program.
As a result, it has become important to determine not just who is connected to the network but whether they are connected with a corporate-authorized device. This is why Gartner recognizes mobile identity as a key pillar in EMM. Mobile identity is typically done using digital certificates but can be accomplished with a variety of other technologies, including biometric and token-based authentication. The next wave of mobile identity is contextually based, with authentication identifying not only the user and device, but where and how a user connects to the network (that is, in the office, at home, on a public Wi-Fi, or out of the country), and based on these contextual values, granting the user different levels of access. Over the next three years, Gartner expects contextually based mobile identity to become standard functionality within EMM products.

EMM Executes File-Level Protection at the Edge

Protecting enterprise data on mobile devices has traditionally been based on a multipronged approach of encryption of data at rest, in use and in motion, as well as device- and app-level policies, such as screen lock timeouts, PIN enforcement and "open in" restrictions. However, these oblique protection approaches are incomplete, because once data leaves managed devices and networks, such protection schemes are rendered moot. Users can and often do get around such controls by emailing enterprise data to outside parties or personal accounts, or copying data to their PCs, where open-in restrictions are absent. In response, there is a growing need to protect data intrinsically, and/or implement a rights-management-based approach to mobile data protection. File-level encryption products encrypt the individual files themselves (rather than simply encrypting stored data and network tunnels) and facilitate managed file access through PKI, such that data can be protected wherever it is stored or accessed. No one without the encryption keys can access files protected in this manner.
Rights management products extend identity and access management frameworks to allow control over file operations, in addition to file access. These products allow an organization to restrict, for instance, who has permissions to read, edit or delete a file, or forward a file via email. Such products typically also facilitate file-level encryption as part of their mobile data protection schemes. Effective data classification is thus critical in making a rights management approach work in a given environment. Some EMM vendors are building file-level protection and/or rights management capabilities as adjuncts to their core products, while others are tightly integrating their EMM systems with general-purpose identity and access management products synergistically to enable this. As with device-, app- or content-level policies, EMM should provide a single point of administration for encryption and access/rights policies where these capabilities are present.

EMM Is the "Glue"

EMM is the starting point, if you are planning to opt into managing anything on a mobile platform. Since it is the presumptive foothold agent, EMM is the logical choice to broker policies for other services and tools on the platform. EMM provides a common, cross-platform baseline to set, contain, validate, enforce and update device policies for gateways, proxies, VPNs, network access controls and certificates, application certificates, content and rights management systems, identity and access management, version controls, backups, system updates, device initialization as well as wipe, and countless other practice areas that enter the mobile space from adjacent markets. As a single point of policy and accountability, EMM provides the opportunity to avoid agent bloat, which is so
often seen on PCs, where an endless parade of add-on utilities steal local resources, duplicate, and complicate the task of policy coordination for system administrators. PCs have the resources to cope with this situation, but users of small mobile devices and particularly BYOD cannot succeed with so much unnecessary complexity.

Unified Endpoint Management

Organizations have historically used different management tools for PCs and mobile devices. IT organizations are increasingly consolidating their PC and mobile device support groups and treating their devices as "endpoints." Meanwhile, the PC and mobile architectures continue to fuse together, blurring the boundaries between the EMM and client management tool capabilities. This trend continues with Windows 10, which added to the MDM APIs introduced with Windows 8.1. This presents organizations with the potential to manage PCs with either EMM tools or agent-based client management tools. Large organizations will adopt both approaches based on user segmentation. As Win32 applications decline in number, organizations will manage PCs, smartphones and tablets with the same toolset. This is easier said than done, as Win32 applications still provide many critical functions for the majority of organizations today. It will take several years for most organizations to get to this point. Once organizations have retired their Win32 applications, the descriptor "unified" will not be necessary, at which point, the term will be "endpoint management."

Unified endpoint management is not limited to PCs, tablets and smartphones. Smart devices, broadly grouped as the "Internet of Things" (IoT), will increasingly become included in unified endpoint management. Devices such as Apple TVs, printers and smartwatches are identifiable examples of IoT devices managed by EMM tools today. Not all IoT objects will fall under the realm of EMM tools, however. Some devices may be managed directly by manufacturers.
Other types of devices will have proprietary management tools. And many devices will not need to be managed at all. However, it is clear that the diversity and number of devices will continue to grow, and IT organizations must be ready.

Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not be reproduced or distributed in any form without Gartner's prior written permission. If you are authorized to access this publication, your use of it is subject to the Usage Guidelines for Gartner Services posted on gartner.com. The information contained in this publication has been obtained from sources believed to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors, omissions or inadequacies in such information. This publication consists of the opinions of Gartner's research organization and should not be construed as statements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legal issues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and its shareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner's Board of Directors may include senior managers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds or their managers. For further information on the independence and integrity of Gartner research, see Guiding Principles on Independence and Objectivity.