Critical Capabilities for Mobile Device Management


8 August 2012 ID:G00230106
Analyst(s): Monica Basso, Phillip Redman

Mobile device management offerings are expanding from traditional configurations, policy management, IT administration and reporting to deeper security with containerization, mobile application management and enterprise content management.

Overview

Key Findings
- The integration of native APIs on iOS and Android enables corporate email containerization in native email clients, with encryption, selective wipe and data loss prevention (DLP). Email containerization on Android is also possible through third-party clients. Windows Phone (WP) has no API yet, making its management more difficult.
- The containerization of individual applications and files through policy wrapping locks down selected corporate content, avoiding restrictions to the user experience with native applications.
- Enterprise file distribution, sharing and syncing functionalities, associated with secure and managed folders at rest on devices, and private or public cloud services on the back end, are emerging as a new trend in many mobile device management (MDM) offerings.
- As-a-service MDM offerings are growing in the market, and are increasingly being adopted by organizations because of their greater flexibility, scalability and cost-effectiveness, compared with on-premises deployments.

Recommendations
- Prioritize MDM requirements around consumer mobility and bring your own device (BYOD) deployments in the next two years, focusing on mobile application management (MAM), application containerization and enterprise content management.
- Prepare for MDM support across multiple device OS platforms, planning for an increase in Android use in the next 12 months. Keep Windows on the radar screen as well, as a range of new smartphones, media tablets and innovative form factors may hit the market in the coming months.
- Before MDM vendor/product selection, focus on mobility requirements, security and compliance constraints, and mobile user segmentation, and identify the range of policies needed to regulate new deployments. Select the MDM option that best supports your policies, considering not only features and technology, but also viability (e.g., delivery models and support).

What You Need to Know

This document was revised on 21 August 2012. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.

The core capabilities of MDM, such as provisioning, policy enforcement, asset management, administration and reporting, are commoditizing across multiple offerings, and increasingly appear similar. However, differentiation is growing in new areas, such as containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption.

CRITICAL CAPABILITIES METHODOLOGY

"Critical capabilities" are attributes that differentiate products in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.

This methodology requires analysts to identify the critical capabilities for a class of products. Each capability is then weighted in terms of its relative importance overall, as well as for specific product use cases. Next, products are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities overall, and for each use case, is then calculated for each product.
Ratings and summary scores range from 1.0 to 5.0:
1 = Poor: most or all defined requirements not achieved
2 = Fair: some requirements not achieved
3 = Good: meets requirements
4 = Excellent: meets or exceeds some requirements
5 = Outstanding: significantly exceeds requirements

Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy and its ability to enhance and support a product over its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to its other product lines, its market direction and its business overall. Support includes the quality of technical and account support as well as customer experiences for that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it. Each product is rated on a five-point scale from poor to outstanding for each of these four areas, and it is then assigned an overall product viability rating.

The critical capabilities Gartner has selected do not represent all capabilities for any product and, therefore, may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making an acquisition decision.

Analysis

This research provides quantitative ratings for a selection of enterprise MDM offerings, and evaluates them across seven critical capabilities in four typical use cases. (This research complements "Magic Quadrant for Mobile Device Software," which covers vendors and their relative positions in the market.)
Enterprises should use this research, with its product ratings on critical capabilities in different use cases, to identify the most suitable MDM products www.gartner.com/technology/reprints.do?id=1-1bnr0n0&ct=120809&st=sb 1/19

and services for their context.

Consumer mobility and BYOD programs are top priorities for most organizations in 2012. A range of new IT challenges from security, compliance and management to cost and human capital management hits organizations that often are forced to rapidly make investments in MDM products and services to enforce policies, regulate behaviors, contain costs and manage risks across device platforms. Thus, the MDM market has been growing, and will continue to grow in 2012, with the market size estimated at over $500 million, and more than 100 players. The level of demand and the fierce competition among these players are driving commoditization in this market. Traditional MDM capabilities, such as provisioning, policy enforcement, asset management, administration and reporting, are beginning to standardize across multiple offerings that increasingly provide similar capabilities. This increasingly drives price competition, and forces players to differentiate in new areas.

Growing differentiation is developing in application and document containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption.

Containerization remains a paramount capability for highly regulated organizations under strong security and compliance requirements, which necessitates the separation of corporate and personal content on devices. The original approach of complete corporate containerization, provided by Good Technology, locks down the corporate footprint, with total separation of business from personal content. Managing the corporate container, instead of the device, grants isolation and protection of corporate content, with no restrictions on personal usage. However, native email clients and browsers are not available in the container, which could affect user acceptability.

In addition, a growing range of products now offers less granularity in containerization for individual applications, folders and files (see Figure 1). These products provide software development kits (SDKs) to enforce credentials, encryption and other policies through application wrapping. They are commercially available in offerings from AirWatch, BoxTone and Symantec, but more vendors are due to launch these capabilities later in 2012.

Figure 1. Heavyweight Versus Lightweight Styles

MAM is becoming increasingly important, as IT organizations need to deploy third-party and in-house-developed applications to their mobile workforce. Software updates, public app store content blacklisting and enterprise app stores are progressively supported in MDM products. AirWatch, MobileIron and Zenprise currently have the most complete offerings.

Enterprise file synchronization and sharing capabilities are needed, due to the growing adoption of media tablets, such as the iPad, and due to the availability of personal cloud services, such as Dropbox, iCloud and Google Drive, which enable mobile workers via increased productivity, but could represent security and compliance threats. Some players, such as AirWatch and Fiberlink, already provide secure file management capabilities natively; others do this through partners such as Box and Accellion. More MDM vendors will launch these capabilities in future releases.

Another important element of differentiation is the as-a-service delivery model, which gives enterprises more flexibility, scalability and cost-effectiveness. While many vendors have launched as-a-service offerings in the past 12 months, AirWatch and Fiberlink have the most mature offerings and experience. More organizations are considering cloud-based MDM services, because they are more economical and flexible.

One area where most MDM products still lag behind others is integration with PC configurations and management capabilities, as they focus predominantly on MDM.
Exceptions are represented

by products from IBM and Fiberlink. Lack of support across the full spectrum of mobile and client computing is a limitation for most IT organizations that aim to manage smartphones, media tablets and PCs in more integrated and efficient ways. We expect to see more convergence in the coming months in mobile and PC/system management.

IT organizations struggle to identify the right options for investment. The large number of offerings with a lack of differentiation in basic management capabilities confuses buyers, and complicates investment decisions. One major area of differentiation among MDM offerings is their technical approach to management:

- Lightweight MDM: Server-side product and service offerings may (or may not) have a small mobile agent running on the device, and/or may integrate the mobile OS platform's native APIs or Microsoft Exchange ActiveSync [EAS] client implementation, but may not have a complete mobile management client on the device. These offerings can be used with native mobile support in corporate email servers (e.g., EAS in Microsoft Exchange Server or Lotus Notes Traveler in Lotus Notes and Domino) to enforce complementary policies, working with the device's native email client. However, they manage the device entirely, enforcing policies (e.g., on acceptable use, or application blacklists) that apply to the device anytime, including during personal usage. This may be a drawback in BYOD programs where extensive policies need to be enforced for business use. Relevant vendors include MobileIron, Zenprise and Fiberlink.

- Extended Lightweight MDM: Additional capabilities (through SDKs) are provided to enforce policies on applications, such as credentials, encryption and DLP. AirWatch, BoxTone (through Mocana) and Symantec (through Nukona) currently provide these capabilities through SDKs that recompile third-party or in-house applications to enforce policies such as credentials, encryption and limitations, and data sharing with other applications. More vendors are expected to launch these capabilities in future releases.

- Heavyweight MDM: Client-side management software is available for every relevant mobile OS platform (whether stand-alone or blended with a proprietary email client). The management client can enforce strong IT control on the device, including a full corporate container with encryption, selective wipe and DLP. Good Technology is the leading vendor taking this approach. Other vendors not covered in this research include Excitor and Little Red Wagon Technologies. This approach enforces complete separation between corporate and personal footprints on the device, offering smoother support for BYOD programs, because users have no limitation of use outside the container, and compliance can easily be proved in audits anytime.

EAS alone is insufficient to manage mobile devices, despite the minimum set of policies provided, because it is not consistent across mobile platforms, does not detect jailbreaks, and cannot enforce device- or OS-level policies (it focuses only on email).

Before conducting MDM product selection analysis, organizations must identify the risks and benefits of introducing support for corporate applications on personal devices. They then need to identify the IT policies required to control deployments, manage risks and support users. They also must choose the appropriate management approach, and products and services, that will help enforce the policies in a cost-effective way.

Product Class Definition

Gartner defines MDM as a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, enforcing policies and maintaining the desired level of IT control across multiple platforms. Mobile devices may be corporate and personal assets, as in BYOD programs. Areas of functionality include provisioning and decommissioning, inventory management, application management and security.
The primary delivery model is on-premises, but MDM can also be offered as software as a service (SaaS), or through the cloud. See "Magic Quadrant for Mobile Device Software" for a complete description of the market, and the vendors delivering such products or services. This research focuses on a subset of commercial offerings in the market, encompassing the products and services that get the most attention and requests for advice from Gartner's client base. We highlight the capabilities and viability of these products.

Critical Capabilities Definition

The growing demand for MDM by IT organizations has motivated a large number of technology providers to enter the market with MDM offerings. These products and services enable IT organizations to maintain control, automate management and minimize risks, while delivering consumer mobility to the workforce. Regarding basic management functionalities (e.g., provisioning and inventory management), most offerings are progressively becoming similar, with little differentiation among competing vendors. They differentiate instead on enhanced capabilities, such as containerization, application management, document sharing and the cloud delivery model.

This research examines seven critical capabilities that differentiate competing MDM products in different use cases:

- Policy enforcement and compliance
- Security
- Containerization
- management
- Document sharing and management
- Scalability
- As-a-service and cloud delivery models

Detailed information about each critical capability follows:

Policy enforcement and compliance: This varies in capability by mobile OS, but includes:
- Enforce policies on eligible devices:
  - Detect and enforce OS platforms and versions, installed applications and manipulated data.
  - Detect iOS jail-broken devices and rooted Android devices.
  - Filter (restrict) access from noncompliant devices to corporate servers (e.g., email).
  - Restrict the number of devices per user.
- Enforce application policies:
  - Restrict downloadable applications through whitelists and blacklists.
  - Monitor access to app stores and application downloads, put prohibited applications on quarantine, and/or send alerts to IT/managers/users about policy violations.
  - Monitor access to Web services, social networks and app stores, send alerts to IT/managers/users about policy violations, and/or cut off access.
- Enforce mobile communication expense policies in real time:
  - Monitor roaming usage.
  - Detect policy violations (e.g., international roaming), and take action if needed (e.g., disable access to servers, and/or send alerts to IT/managers/users about policy violations).
- Enforce separation of personal versus corporate content:
  - Manage corporate applications on personal devices, and personal applications on corporate devices.
  - Tag content as personal or corporate through flags.
  - Detect separation violations, and send alerts to IT/managers/users if needed.
  - If a container is in use, prohibit exporting data outside the container (e.g., when opening an email attachment), and regulate interactions among different enterprise containers.
- Restrict or prohibit access to corporate servers (e.g., to email servers and accounts) in case of policy violations.

Security: This is a set of mechanisms to protect corporate data on a device and corporate back-end systems, and to preserve compliance with regulations:
- Password enforcement (complexity and rotation)
- Device lock (after a given time of inactivity)
- Remote wipe, selective remote wipe (e.g., only corporate content), and total remote wipe (e.g., a hard wipe, with data not recoverable after deletion)
- Local data encryption (phone memory and external memory cards)
- Certificate-based authentication (includes device ID, OS version and phone number), and certificate distribution
- Monitoring devices, and data manipulation on devices
- Rogue application protection (e.g., application quarantine)
- Certifications (e.g., Federal Information Processing Standard [FIPS] 140-2)
- Firewalls
- Antivirus software
- Mobile virtual private network (VPN)
- Message archiving (SMS, IM, email, etc.) and retrieval, and recording of historical events for audit trails and reporting

Containerization: A set of mechanisms to separate corporate from personal content (data and applications) on devices. What differentiates the level of support for containerization in various products is the granularity of control, isolation and protection enforced through the policies. This can span simple applications and files, to the complete corporate footprint hosted in the corporate container, and can create a dual-persona device user experience. The strongest implementation includes a full corporate container with proprietary applications, such as the email client and browser, as well as third-party and in-house applications developed through ad hoc SDKs, to make them part of the container. Additional methods include a container limited to proprietary applications, such as email, calendars and contacts, and the browser. Methods can include smaller-granularity containers limited to one application or document.
A number of policies can be enforced on the container to control the corporate footprint, such as:
- Local data encryption
- Selective remote wipe
- Data leakage prevention (no data is exported from the container, and there are cut-and-paste prohibitions)
- Controlled communication among containers
- Dual personas

management: A set of mechanisms for over the air (OTA) software upgrades, application inventory and distribution, such as:
- discovery and private app store
- Apple Volume Purchase Program, or other enterprise volume purchasing program integration
- Software updates for applications or OSs
- Patches/fixes
- Backup/restore
- Background synchronization

Document sharing and management: A set of mechanisms to support file synchronization and sharing, file distribution, and secure and manageable folders on mobile devices with policy enforcement:
- File synchronization and backup, transparent to the user
- File sharing with other employees, or among applications
- File distribution to a group of users, and those that are time sensitive
- Security and management policy enforcement

Scalability: Of MDM deployments in mass volume:
- Platform scalability for over 20,000 units supported
- High-availability and disaster recovery techniques

As-a-service and cloud delivery models:
- Ease of installation
- Pricing policies per user (as opposed to per device) rated higher

Use Cases

This research identifies the four typical use cases discussed in Gartner client inquiries. These cases highlight the differences among selected products/services, and rate them differently under specific conditions.

Case 1 Regulated Deployments:
These organizations operate in severely regulated sectors, such as financial services, healthcare, military and defense, and government, that must be compliant anytime with sector-specific regulations, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), and must pass periodical audits. These organizations have a strong focus on security and control, e.g., for culture or market competition. These organizations often aim to support BYOD programs with personal and corporate devices. In all cases, strong IT security and control requirements include local data encryption for corporate information, certificate-based authentication, and isolation of corporate from personal content.

Case 2 Flexible Deployments:
These organizations operate in nonregulated sectors (e.g., retail and delivery services) that do not require a complete corporate lockdown on devices, and can live with basic security and management support. BYOD programs often are required, in addition to supporting corporate devices. Employees are required to work with native applications, such as a native email client and browser. Provisioning, inventory and policy enforcement extended to the entire device is a management priority. There is little or no demand for containerization.

Case 3 Agile Deployments:
These organizations operate in nonregulated sectors, planning to manage mobility through third-party service providers, rather than by deploying an on-premises infrastructure. Organizations aim to contain or optimize mobility costs, or to avoid big upfront costs. Organizations plan to support a small number of mobile users initially, and to grow incrementally over time to midsize and large deployments. BYOD programs often are required, in addition to supporting corporate devices.

Case 4 Mass Deployments:

These are large-scale deployments, from more than 20,000 up to hundreds of thousands, with related requirements for high availability, disaster recovery, quality of service, etc. There is a need to monitor and control end-to-end mobile deployments.

The third and fourth use cases are not necessarily mutually exclusive of the first and second. A regulated organization may also look for agile or mass deployments. However, in this research, we want to capture the most common scenarios requiring MDM investment decisions to highlight the product capabilities. Clients that are comfortable with the security/compliance/containerization capabilities of vendors on their shortlists, but have doubts about scalability, should focus on Case 4 to assess their mass deployment capabilities. Case 3 is a likely fit for organizations that have initial experience with mobility, and Case 4 will work for organizations that already have mobility experience, and are about to scale up to big deployment volumes. Case 1 and 2 focus on the level of control and lockdown needed, and are mutually exclusive.

Table 1 shows the weighting for all use cases in this research. Each use case weighs the capabilities individually based on the needs of that case, which impacts the score. Each vendor may have a different position based on its capability and the weighting for each. The overall use case is the general scoring for the vendor's product, with all weights being equal.

Table 1. Weighting for Critical Capabilities in Use Cases

Critical Product Capabilities          | Overall | Regulated Deployments | Flexible Deployments | Agile Deployments | Mass Deployments
Policy enforcement and compliance      | 14.3%   | 5.0%                  | 60.0%                | 5.0%              | 5.0%
Security                               | 14.3%   | 15.0%                 | 20.0%                | 5.0%              | 5.0%
Containerization                       | 14.3%   | 45.0%                 | 0.0%                 | 5.0%              | 5.0%
management                             | 14.3%   | 15.0%                 | 10.0%                | 5.0%              | 5.0%
Document sharing and management        | 14.3%   | 15.0%                 | 5.0%                 | 5.0%              | 5.0%
Scalability                            | 14.3%   | 5.0%                  | 0.0%                 | 20.0%             | 55.0%
As-a-service and cloud delivery models | 14.2%   | 0.0%                  | 5.0%                 | 55.0%             | 20.0%
Total                                  | 100.0%  | 100.0%                | 100.0%               | 100.0%            | 100.0%

Inclusion Criteria

This research considers the selection of MDM products and services offered by vendors included in "Magic Quadrant for Mobile Device Software." Please refer to the Magic Quadrant for a complete description of the market and vendors. Given the large number of players in this market (20 vendors were covered in the Magic Quadrant), we have chosen to restrict our analysis to offerings that gain the most interest during our interactions with Gartner clients, are visible on shortlists, and are largely considered leaders or challengers based on size, revenue or product portfolio. These include products and services provided by AirWatch, BoxTone, Fiberlink, Good Technology, MobileIron, SAP, Symantec and Zenprise. Vendors not included in this research are still valid options for consideration (see "Magic Quadrant for Mobile Device Software").

While most vendors specialize in management for smartphones and tablets, a subset provides specific capabilities to manage fleets of ruggedized devices (on Windows CE or Windows Mobile), including Soti, Odyssey Software (now part of Symantec), Wavelink and Motorola. We do not consider these vendors in a separate use case, because specialized management tools for ruggedized devices generate limited Gartner client inquiries for those with fairly mature OSs.

For completeness, we provide the list of criteria we used to qualify vendors for inclusion/exclusion in "Magic Quadrant for Mobile Device Software:"
- Support for enterprise-class (noncarrier), multiplatform support MDM: Software or SaaS, with an emphasis on mobility
- Specific MDM product focus and feature set, or a primary focus on MDM in another product set (messaging or security)
- Security management, with at least these features:
  - Enhanced abilities to download, monitor and revoke certificates for email, applications, Wi-Fi, VPNs, etc.
  - Enforced passwords
  - Device wipe
  - Remote lock
  - Audit trail/logging, including the ability to verify device configurations from a central console
  - Jailbreak/rooted detection
- At least three mobile OS platforms supported
- Policy/compliance management
- Software management, with at least these capabilities supported:
  - downloader: the ability to push or pull applications on a mobile device
  - verification: the ability to verify the origin of mobile applications
  - update support
  - patch support
  - App store support: the ability to list and manage enterprise and third-party applications
- Hardware management, with at least these capabilities supported:
  - External memory blocking: blocks all use of flash memory cards, and other external memory
  - Configuration change history: audits and trails for any changes made for hardware
- At least 75,000 licenses sold
- Five referenceable accounts
- No more than 70% of revenue in one main geographic region or market
- At least $1.5 million in MDM-specific revenue
- General availability by the middle of 1Q12

Critical Capabilities Rating

Each product or service that meets our inclusion criteria has been evaluated on several critical capabilities (see Table 2 and Figure 2), on a scale from 1.0 (lowest ranking) to 5.0 (highest ranking).

Table 2. Product Rating on Critical Capabilities

Product Rating                         | AirWatch | BoxTone | Fiberlink | Good Technology | MobileIron | SAP | Symantec | Zenprise
Policy enforcement and compliance      | 4.3      | 4.3     | 4.0       | 3.7             | 4.7        | 3.5 | 3.8      | 4.0
Security                               | 4.2      | 4.1     | 4.0       | 3.7             | 3.9        | 3.3 | 3.6      | 4.4
Containerization                       | 3.0      | 2.5     | 2.5       | 4.6             | 1.4        | 2.0 | 3.0      | 3.0
management                             | 4.3      | 4.0     | 4.0       | 3.5             | 4.4        | 3.7 | 3.9      | 4.4
Document sharing and management        | 4.2      | 2.2     | 3.1       | 3.0             | 2.0        | 1.0 | 3.0      | 4.2
Scalability                            | 4.5      | 4.0     | 4.3       | 4.0             | 2.5        | 4.0 | 3.0      | 3.0
As-a-service and cloud delivery models | 4.5      | 3.0     | 4.8       | 1.0             | 3.0        | 2.0 | 2.0      | 3.5

Figure 2. Overall Score for Each Vendor's Product Based on the Nonweighted Score for Each Critical Capability

To determine an overall score for each product in the use cases, the ratings in Table 2 are multiplied by the weightings shown in Table 1. These scores are shown in Table 3.

Table 3. Overall Score in Use Cases

| Use Cases | AirWatch | BoxTone | Fiberlink | Good Technology | MobileIron | SAP | Symantec | Zenprise |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Overall | 4.1 | 3.4 | 3.8 | 3.4 | 3.1 | 2.8 | 3.2 | 3.8 |
| Regulated Deployments | 3.7 | 3.1 | 3.2 | 4.0 | 2.5 | 2.5 | 3.3 | 3.7 |
| Flexible Deployments | 4.3 | 4.1 | 4.0 | 3.5 | 4.3 | 3.3 | 3.6 | 4.1 |
| Agile Deployments | 4.4 | 3.3 | 4.4 | 2.3 | 3.0 | 2.6 | 2.6 | 3.5 |
| Mass Deployments | 4.4 | 3.7 | 4.2 | 3.3 | 2.8 | 3.3 | 2.9 | 3.4 |

Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy, and the vendor's ability to enhance and support a product throughout its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to the vendor's other product lines, its market direction and its business overall. Support includes the quality of technical and account support, as well as customer experiences with that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it. Each product is rated on a five-point scale, from poor to outstanding, for each of the four areas, and it is then assigned an overall product viability rating. Table 4 shows the product viability assessment.

Table 4. Product Viability Assessment

| Vendor/Product Name | AirWatch | BoxTone | Fiberlink | Good Technology | MobileIron | SAP | Symantec | Zenprise |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Product Viability | Outstanding | Excellent | Outstanding | Excellent | Excellent | Good | Good | Excellent |

The weighted capabilities scores for all use cases are displayed as components of the overall score. Figure 3 shows the overall use case.

Figure 3. Overall Use Case

Figure 4 shows the regulated deployments use case.

Figure 4. Regulated Deployments Use Case

Figure 5 shows the flexible deployments use case.

Figure 5. Flexible Deployments Use Case

Figure 6 shows the agile deployments use case.

Figure 6. Agile Deployments Use Case

Figure 7 shows the mass deployments use case.

Figure 7. Mass Deployments Use Case

Vendors

AirWatch

AirWatch's Enterprise MDM offering emphasizes device security, life cycle management, application and content distribution, and help desk controls. AirWatch has some of the market's largest MDM implementations, with several deployments of over 50,000 devices. The company supports a broad range of device platforms, and integrates with enterprise platforms, such as Lightweight Directory Access Protocol (LDAP), Active Directory, Microsoft Exchange Server, IBM Lotus Notes/Domino and Internet Message Access Protocol (IMAP)-based email servers. It has comprehensive certificate management, managing all certificates deployed on the mobile device, and automating the full life cycle of enrolling and deploying the certificate, integrating with back-office systems to set up trust and user mapping of certificates, monitoring and tracking of the certificates, renewing expired and soon-to-expire certificates, and revoking the certificates when a device is compromised or needs access removed. AirWatch integrates with cloud-based email services, such as Gmail, Microsoft Business Productivity Online Standard (BPOS) and Office 365. The company's origins are in the wireless network management service and ruggedized device market. Although most of its MDM deployments are in the cloud and SaaS, it also has an on-premises-based option (see Table 5).

Table 5. Critical Capabilities Rating for AirWatch Enterprise MDM v.5.17

Policy Enforcement (rating 4.3): Acceptable use, centralized administration, OTA provisioning, profiles, monitoring, automated compliance policies, and alerts for corporate and personal devices, for iOS, Android, BlackBerry, WP 7, Symbian, Mac OS X and Windows Mobile. Data backup for BlackBerry and Android. Dictate use of networks for iOS and Android. Full support for Open Mobile Alliance (OMA) device management 1.2.

Security (rating 4.2): Access restrictions, password enforcement, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support, media encryption, remote lock, remote wipe, user authentication, device authentication, total device wipe, jail-broken/rooted devices, VPN, secure configuration profiles, audit trail/logging, identity management, and system-level API/access signing or certificates supported for iOS, Android, BlackBerry and WP 7. Selective wipe for iOS, Android and BlackBerry. Firewall for iOS and Android. Antivirus for Android. Enhanced compliance enforcement functions, such as recording historical events for audit trail and reporting.

Containerization (rating 3.0): Single-application wrapping with policy enforcement through SDK (including data leakage prevention and encryption). Policy enforcement on corporate files (Secure Content Locker). No complete corporate container with proprietary apps, data encryption and DLP. No full container with dual personas. For email, AirWatch uses a combination of OS controls and native features to tag data, access control and configuration, and content as employee versus corporate data. For iOS, it uses the iOS 4.x-plus native APIs to containerize corporate email in the native email client. For Android, AirWatch integrates NitroDesk TouchDown or Samsung SAFE.

management (rating 4.3): Downloader, verification, whitelists/blacklists, version detection and updates. Downloader (device), application verification, control enterprise applications, whitelist/blacklist enterprise applications, control nonenterprise applications, OS version detection, enterprise app store, multiplatform app stores, and full application or OS updates (major update) for iOS, Android and BlackBerry. Patches for BlackBerry and Android. Quarantine, Web filtering, app store management, secure folder for enterprise applications and secure transfer of enterprise data/applications for iOS, Android, BlackBerry and WP 7. Enterprise software licensing management for iOS and Android (via TouchDown). Volume purchasing program for iOS. Identify root access applications for Android.

Document Sharing and Management (rating 4.2): Secure Content Locker to securely distribute, track, manage and encrypt files and documents on a device. Include time-sensitive file distribution and geofencing. Usage management to detect roaming and apply business rules, send alerts and restrict data downloads.

Scalability (rating 4.5): AirWatch's servers can be horizontally scaled behind a network load balancer to support 100,000-plus devices by adding servers, as needed, to scale to capacity. Multiple deployments with tens of thousands of devices.

As-a-Service and Cloud Delivery Models (rating 4.5): There is no software to install by the client. AirWatch offers shared and dedicated cloud solutions.

BoxTone

BoxTone's offering focuses on mobile service-level management and includes three modules: MDM with MAM, mobile support management and mobile operation management. Through its Enterprise Mobility (EMM) partner network, BoxTone provides deep integration with enterprise mobility software platforms, system management and monitoring platforms, and integrates with technology vendors such as Aruba Networks, Appthority, Mocana and Good Technology. BoxTone supports BlackBerry, iOS, Android, Windows Mobile and WP. Beyond MDM, BoxTone supports service desk management, incident management, problem management and application performance management (see Table 6).

Table 6. Critical Capabilities Rating for BoxTone v.6.5

Policy Enforcement (rating 4.3): Acceptable use, centralized administration, OTA provisioning, profiles and data backup are supported for BlackBerry, iOS, Android and WP 7. Dictate use of networks for iOS, Android and WP 7. Real-time monitoring. Automated policy management, compliance management, configuration and change management, and application management are integrated into Active Directory for enterprise group IT policy management and enforcement. No integration of OMA device management policies.

Security (rating 4.1): All functions listed here are supported for iOS, Android and BlackBerry, and partly for WP 7. Access restriction, enforced password, password complexity choice, inactivity timeout, core encryption support, media encryption, remote lock, remote wipe, user authentication, device authentication, total device wipe, selective wipe, jail-broken/rooted devices, VPN, firewall, antimalware/virus, secure configuration profiles, audit trail/logging, identity management, and system-level API/access signing or certificates. Enhanced compliance enforcement functions, such as record historical events for audit trail and reporting. Firewall not supported.

Containerization (rating 2.5): Single-application wrapping with policy enforcement through SDKs, through technology embedded from Mocana. Central policy enforcement on third-party file sharing products/services (e.g., Box and Accellion), but data-level policy controls are managed by them. No complete corporate container with proprietary apps, data encryption and DLP. No full container with dual personas.

management (rating 4.0): Downloader (device), application verification, control enterprise apps, whitelist/blacklist enterprise applications, control of nonenterprise applications, OS version detection, enterprise app store, multiplatform app stores, full application or OS updates (major update), Web filtering, app store management, secure folder for enterprise applications and enterprise software licensing management for BlackBerry, iOS and Android. Quarantine for iOS and Android. Volume purchasing program for iOS. No patches or identify root access applications.

Document Sharing and Management (rating 2.2): File synchronization and sharing supported through third-party services (e.g., Accellion). No native capability, and no time-sensitive file distribution.

Scalability (rating 4.0): BoxTone can scale on a single instance on one server, two servers and across N-tier distributed single instances all having one unified database and end-to-end mobile enterprisewide controls, scaling beyond 100,000 devices. BoxTone's cloud services offering, powered by partners like Xerox and HP, are optimized for high-scale, high-availability environments.

As-a-Service and Cloud Delivery Models (rating 3.0): Cloud services offered based on Xerox, HP and CSC.

Fiberlink

Fiberlink's MaaS360 is a pure, MDM cloud services offering for organizations aiming to support corporate and personal devices. It's a multitenant platform. Existing embedded platforms (BlackBerry Enterprise Server [BES], EAS and IBM Lotus Notes Traveler) are included in MaaS360 management via a single cloud extender agent deployed in the LAN. Beyond BES and EAS integration, if device-side APIs are available, the device management is done through that (e.g., Apple MDM protocol).
If no device-side MDM API is present, there is a native agent for that platform (e.g., Android; see Table 7).

Table 7. Critical Capabilities Rating for Fiberlink MaaS360*

Policy Enforcement (rating 4.0): Acceptable use, centralized administration, OTA provisioning, profiles, monitoring, data backup are supported for iOS, Android, WP 7 and BlackBerry. Dictate use of networks for iOS and Android. Additional policy enforcement for iOS and Android include dynamically changing policies (e.g., email, Wi-Fi and restrict VPNs), or taking a remediation action (e.g., wiping device), based on device context (e.g., location) or a recent event (e.g., removed SIM). Automatic provisioning of policies to devices discovered on corporate email servers.

Security (rating 4.0): Access restriction, enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support, remote lock, remote wipe, user authentication, device authentication, total device wipe, secure configuration profiles, audit trail/logging, identity management for iOS, Android, BlackBerry and WP 7 (through EAS). Media encryption, selective wipe, jail-broken/rooted devices and VPN for iOS, Android and BlackBerry. Anti-malware/antivirus, system-level API/access signing or certificates for iOS. Firewall not supported.

Containerization (rating 2.5): Single-document containerization through policy enforcement. Limited policy enforcement on third-party applications through SDK, but no application wrapping (integration with a third-party wrapper is possible). No complete corporate container, and no dual personas. Through integration with native APIs, restriction to the native email client can be enforced (attachments and email forwarding) on iOS 5.

management (rating 4.0): OS version detection, enterprise software licensing management for iOS, Android, BlackBerry and WP 7. Downloader (on the device), enterprise app store, multiplatform app stores, app store management for iOS, Android and WP 7. Verification, full application or OS updates (major updates), patches, application quarantine, identify root access applications and secure folder for enterprise applications for iOS and Android. Control enterprise applications, whitelist/blacklist enterprise applications, control of nonenterprise applications, Web filtering and enterprise software licensing management for BlackBerry, iOS and Android. Volume purchasing program for iOS.

Document Sharing and Management (rating 4.2): Document container to synchronize corporate documents to mobile devices, storing them encrypted and separate from personal documents. Policies can be applied to either allow sharing or restrict sharing of documents. If a restricted sharing policy is used, the documents cannot be moved to other applications, emailed or have screen captures performed. Any document distributed can be centrally removed from the device individually, or in bulk.

Scalability (rating 4.3): MaaS360 is automatically load balanced and supports large implementations, with deployment sizes of many tens of thousands of devices. No extra steps are needed for customers to grow from one device to 100,000 devices. Elastic and instant scalability, and low maintenance and rollout costs.

As-a-Service and Cloud Delivery Models (rating 4.8): MaaS360 runs on a cloud-based, virtualized, multitenant server farm in Fiberlink-operated data centers. Pricing is available per device or per user, and free service is available for all companies for 30 days. User-based bundled pricing is available for an unlimited number of devices per user at a flat monthly fee.

*There is no specific version number, because the deployment and maintenance model is completely SaaS.

Good Technology

Good for Enterprise (GfE) is a mobility suite providing security and management support as part of a mobile collaboration and application development framework. Good Technology offers the strongest form of corporate containerization across multiple mobile device OSs, including iOS, Android and WP 7, supporting complete isolation of the corporate footprint from personal content. Good focuses on managing the corporate container, rather than the entire device, by enforcing policies to the container, such as encryption, data leakage prevention (e.g., prohibiting the saving of email attachments outside the container) and selective remote wipe.
The main components of the GfE suite include Good Mobile Control for MDM, Good Mobile Access for secure access to corporate data, and Good Mobile Messaging for secure wireless email (see "Magic Quadrant for Enterprise Wireless Email Market"). GfE management and security capabilities work in combination with Good's proprietary email client and browser, but not with those native on the device. In June 2012, Good launched a stand-alone management product (Good Mobile Manager) that works without a container, and integrates EAS and the device's native management APIs, but this product is not covered in this assessment (see Table 8).

Table 8. Critical Capabilities Rating for Good Technology GfE v.6.x

Policy Enforcement (rating 3.7): Acceptable use, centralized administration, OTA provisioning, profiles and monitoring for iOS and Android. Data backup and dictate use of networks for iOS. Does not rely on a local EAS agent on the device for policy implementation, but provides its own policy implementation. No support for BlackBerry devices. No integration of OMA device management policies.

Security (rating 3.7): Enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support for data at rest and in transport, remote lock, remote wipe, total device wipe, selective wipe and audit trail/logging for iOS, Android and WP 7. Access restriction, user authentication, device authentication, jailbroken/rooted devices, firewall, anti-malware/antivirus, and secure configuration profiles for iOS and Android. Other features include device monitoring with coverage history and last message sent/received, network operations center (NOC)-based architecture and secure browser for intranet access. Authentication between device and NOC, then between NOC and corporate back end. Identity management, system-level API/access signing or certificates, and mobile VPN only partially for iOS.

Containerization (rating 4.6): Full corporate container with dual-persona support for clean separation of personal and corporate data. Container based on the native sandbox mechanism provided by the mobile OS, and extended with policies such as encryption, selective remote wipe and data leakage prevention. Corporate email, calendar, contacts and browsing containerization through proprietary applications. Containerization of third-party applications through application wrapping with policy enforcement (via SDKs). In-house application development with containerization through a complete development platform (Good Dynamics). Corporate document folder containerization through policy enforcement. Containerization policies include enable/disable download of attachments and block by attachment size/type, disable sync of contacts and/or limit sync of specific fields only, disable cut/copy/paste between personal and corporate data, detect last time connected to corporate data and wipe if exceeds policy, and control intranet sites users have access to via a secure browser. Containerization of native email clients is not supported.

management (rating 3.5): Downloader (on the device), application verification, whitelist/blacklist enterprise applications, OS version detection, enterprise app store, multiplatform app stores, app store management and secure folder for enterprise applications for iOS and Android. Control enterprise applications and Web filtering for iOS. Identify root access applications for Android. Control of nonenterprise applications, application quarantine, enterprise software licensing management and volume purchasing program are not supported.

Document Sharing and Management (rating 3.0): Good supports secure document management with file synchronization and sharing, policy enforcement on documents at rest through partners such as Box, Accellion and GroupLogic. Through Accellion, it can offer certified solutions for HIPAA regulations.

Scalability (rating 4.0): Good has multiple deployments of over 20,000 concurrent seats. The Good server architecture allows virtualization and independent scaling of all major components, including Good Mobile Control, Good Mobile Messaging and Good Mobile Access. Components may be centralized or distributed, depending on the organization and network topology.

As-a-Service and Cloud Delivery Models (rating 1.0): This is not supported.

MobileIron

MobileIron launched its product in September 2009, and has seen fast growth in sales, mind share and market share, outselling most MDM platforms in the past year.
Built from the ground up, it is focused solely on mobility management, incorporating the Virtual Smartphone Platform (VSP) architecture to support security, data visibility, application management and access control. It does not provide encryption or VPN capabilities outside of what is provided on the device. MobileIron was one of the first vendors to combine MDM with network service management. The new release, coming in September 2012, will bring new capabilities in containerization for application and document security through policy enforcement (see Table 9).

Table 9. Critical Capabilities Rating for MobileIron VSP v.4.5

Policy Enforcement (rating 4.7): Centralized administration with monitoring for iOS, Android, BlackBerry and WP 7. Acceptable use, OTA provisioning and profiles for iOS and Android. Data backup, dictate use of networks and certificates for iOS and Android. Other policies include real-time roaming detection and automatic group creation, as it autogenerates groups based on ownership so that IT can easily apply differentiated policies. Certificate-based authentication capabilities.

Security (rating 3.9): Enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, remote lock, remote wipe, total device wipe, audit trail/logging and identity management for iOS, Android, BlackBerry and WP 7. User authentication, device authentication, selective wipe (including email, Wi-Fi settings, VPN settings and in-house apps) and secure configuration profiles for iOS, Android and BlackBerry. Access restriction for iOS, Android and WP 7. Core encryption support, jail-broken/rooted devices, VPN, antimalware/antivirus, and system-level API/access signing or certificates for iOS and Android. Media encryption for Samsung Android. Firewalls are not supported.

Containerization (rating 1.4): Personal versus corporate tagging for files and applications supported to selectively wipe corporate content. Separate management of corporate connectivity (Wi-Fi and VPNs). Policy enforcement for corporate email on iOS 5, through native APIs and on Android through NitroDesk's TouchDown. Single-application and document containerization through SDKs are not supported. Corporate container and dual personas are not supported.

management (rating 4.4): Downloader (on-device), application verification, control enterprise applications, whitelist/blacklist enterprise applications, control of nonenterprise applications, OS version detection, enterprise app store, multiplatform app stores, app store management, full application or OS updates, and patches for iOS, Android and BlackBerry. Identify root access applications, secure folder for enterprise applications, enterprise software licensing management for iOS and Android (TouchDown). Volume purchasing program application inventory monitoring, quarantine and removal (for iOS). Web filtering is not supported.

Document Sharing and Management (rating 2.0): No native capability supported, and no time-sensitive file distribution. Partners with Box, Accellion and GroupLogic for file synchronization, and sharing with their cloud services.

Scalability (rating 2.5): Supports 20,000 devices per virtual or hardware appliance with central console to combine appliances. New application delivery network (based on Akamai) allows unbounded application size (up to 1GB) and simultaneous downloads. It addresses previously reported issues on mass-volume scalability.

As-a-Service and Cloud Delivery Models (rating 3.0): SaaS service (MobileIron Connected Cloud) available with per user-pricing as well as per device. Low-end version for smaller businesses, through service providers.

SAP

Afaria is SAP's MDM and security product, and it is also delivered as cloud services within SAP Managed Mobility (or as hosted services through partners such as Verizon and Orange). SAP does not require a proprietary email client, but instead offers integrated secure control over a third-party email solution (for Android, via its partner NitroDesk). Afaria provides rich support for software distribution, policy enforcement, inventory management and security. It is one of the oldest MDM products in the market (see Table 10).

Table 10. Critical Capabilities Rating for SAP Afaria v.7

Policy Enforcement (rating 3.5): Acceptable use, centralized administration, OTA provisioning, profiles and integration of OMA device management policies for iOS, Android and BlackBerry. Data backup and dictate use of networks not supported.

Security (rating 3.3): Access restriction, enforced password, password complexity choice, password retry limit with choice of action, inactivity timeout, core encryption support, user authentication, device authentication, selective wipe, jailbroken/rooted devices, VPN, secure configuration profiles, audit trail/logging, identity management, system-level API/access signing or certificates for iOS and Android. Remote lock, remote wipe and total device wipe for iOS, Android and BlackBerry. Media encryption for Android. Firewall and antimalware/antivirus are not supported. Does not support WP 7.

Containerization (rating 2.0): Integration with native APIs on iOS and Android to control files and