G00230106

Critical Capabilities for Mobile Device Management

Published: 8 August 2012

Analyst(s): Monica Basso, Phillip Redman

Mobile device management offerings are expanding from traditional configurations, policy management, IT administration and reporting to deeper security with containerization, mobile application management and enterprise content management.

Key Findings

- The integration of native APIs on iOS and Android enables corporate email containerization in native email clients, with encryption, selective wipe and data loss prevention (DLP). Email containerization on Android is also possible through third-party clients. Windows Phone (WP) has no API yet, making its management more difficult.
- The containerization of individual applications and files through policy wrapping locks down selected corporate content, avoiding restrictions to the user experience with native applications.
- Enterprise file distribution, sharing and syncing functionalities, associated with secure and managed folders at rest on devices, and private or public cloud services on the back end, are emerging as a new trend in many mobile device management (MDM) offerings.
- As-a-service MDM offerings are growing in the market, and are increasingly being adopted by organizations because of their greater flexibility, scalability and cost-effectiveness, compared with on-premises deployments.

Recommendations

- Prioritize MDM requirements around consumer mobility and bring your own device (BYOD) deployments in the next two years, focusing on mobile application management (MAM), application containerization and enterprise content management.
- Prepare for MDM support across multiple device OS platforms, planning for an increase in Android use in the next 12 months. Keep Windows on the radar screen as well, as a range of new smartphones, media tablets and innovative form factors may hit the market in the coming months.
- Before MDM vendor/product selection, focus on mobility requirements, security and compliance constraints, and mobile user segmentation, and identify the range of policies needed to regulate new deployments.
- Select the MDM option that best supports your policies, considering not only features and technology, but also viability (e.g., delivery models and support).

What You Need to Know

The core capabilities of MDM, such as provisioning, policy enforcement, asset management, administration and reporting, are commoditizing across multiple offerings, and increasingly appear similar. However, differentiation is growing in new areas, such as containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption.

Analysis

This research provides quantitative ratings for a selection of enterprise MDM offerings, and evaluates them across seven critical capabilities in four typical use cases. (This research complements "Magic Quadrant for Mobile Device Management Software," which covers vendors and their relative positions in the market.) Enterprises should use this research, with its product ratings on critical capabilities in different use cases, to identify the most suitable MDM products and services for their context.

Consumer mobility and BYOD programs are top priorities for most organizations in 2012. A range of new IT challenges from security, compliance and management to cost and human capital management hits organizations that often are forced to rapidly make investments in MDM products and services to enforce policies, regulate behaviors, contain costs and manage risks across device platforms. Thus, the MDM market has been growing, and will continue to grow in 2012, with the market size estimated at over $500 million, and more than 100 players. The level of demand and the fierce competition among these players are driving commoditization in this market.
Traditional MDM capabilities, such as provisioning, policy enforcement, asset management, administration and reporting, are beginning to standardize across multiple offerings that increasingly provide similar capabilities. This increasingly drives price competition, and forces players to differentiate in new areas. Growing differentiation is developing in application and document containerization, MAM and enterprise content management, driven by a great demand for consumer mobility and BYOD adoption.

Containerization remains a paramount capability for highly regulated organizations under strong security and compliance requirements, which necessitates the separation of corporate and personal content on devices. The original approach of complete corporate containerization, provided by Good Technology, locks down the corporate footprint, with total separation of business from personal content. Managing the corporate container, instead of the device, grants isolation and protection of corporate content, with no restrictions on personal usage. However, native email
clients and browsers are not available in the container, which could affect user acceptability. In addition, a growing range of products now offers less granularity in containerization for individual applications, folders and files (see Figure 1). These products provide software development kits (SDKs) to enforce credentials, encryption and other policies through application wrapping. They are commercially available in offerings from AirWatch, BoxTone and Symantec, but more vendors are due to launch these capabilities later in 2012.

Figure 1. Heavyweight Versus Lightweight Management Styles
Source: Gartner (August 2012)

MAM is becoming increasingly important, as IT organizations need to deploy third-party and in-house-developed applications to their mobile workforce. Software updates, public app store content blacklisting and enterprise app stores are progressively supported in MDM products. AirWatch, MobileIron and Zenprise currently have the most complete offerings.

Enterprise file synchronization and sharing capabilities are needed, due to the growing adoption of media tablets, such as the iPad, and due to the availability of personal cloud services, such as Dropbox, iCloud and Google Drive, which enable mobile workers via increased productivity, but could represent security and compliance threats. Some players, such as AirWatch and Fiberlink, already provide secure file management capabilities natively; others do this through partners such as Box and Accellion. More MDM vendors will launch these capabilities in future releases.

Another important element of differentiation is the as-a-service delivery model, which gives enterprises more flexibility, scalability and cost-effectiveness. While many vendors have launched
as-a-service offerings in the past 12 months, AirWatch and Fiberlink have the most mature offerings and experience. More organizations are considering cloud-based MDM services, because they are more economical and flexible.

One area where most MDM products still lag behind others is integration with PC configurations and management capabilities, as they focus predominantly on MDM. Exceptions are represented by products from IBM and Fiberlink. Lack of support across the full spectrum of mobile and client computing is a limitation for most IT organizations that aim to manage smartphones, media tablets and PCs in more integrated and efficient ways. We expect to see more convergence in the coming months in mobile and PC/system management.

IT organizations struggle to identify the right options for investment. The large number of offerings with a lack of differentiation in basic management capabilities confuses buyers, and complicates investment decisions. One major area of differentiation among MDM offerings is their technical approach to management:

- Lightweight MDM: Server-side product and service offerings may (or may not) have a small mobile agent running on the device, and/or may integrate the mobile OS platform's native APIs or Microsoft Exchange ActiveSync [EAS] client implementation, but may not have a complete mobile management client on the device. These offerings can be used with native mobile support in corporate email servers (e.g., EAS in Microsoft Exchange Server or Lotus Notes Traveler in Lotus Notes and Domino) to enforce complementary policies, working with the device's native email client. However, they manage the device entirely, enforcing policies (e.g., on acceptable use, or application blacklists) that apply to the device anytime, including during personal usage. This may be a drawback in BYOD programs where extensive policies need to be enforced for business use. Relevant vendors include MobileIron, Zenprise and Fiberlink.
- Extended Lightweight MDM: Additional capabilities (through SDKs) are provided to enforce policies on applications, such as credentials, encryption and DLP. AirWatch, BoxTone (through Mocana) and Symantec (through Nukona) currently provide these capabilities through SDKs that recompile third-party or in-house applications to enforce policies such as credentials, encryption and limitations, and data sharing with other applications. More vendors are expected to launch these capabilities in future releases.
- Heavyweight MDM: Client-side management software is available for every relevant mobile OS platform (whether stand-alone or blended with a proprietary email client). The management client can enforce strong IT control on the device, including a full corporate container with encryption, selective wipe and DLP. Good Technology is the leading vendor taking this approach. Other vendors not covered in this research include Excitor and Little Red Wagon Technologies. This approach enforces complete separation between corporate and personal footprints on the device, offering smoother support for BYOD programs, because users have no limitation of use outside the container, and compliance can easily be proved in audits anytime.

EAS alone is insufficient to manage mobile devices, despite the minimum set of policies provided, because it is not consistent across mobile platforms, does not detect jailbreaks, and cannot enforce device- or OS-level policies (it focuses only on email).
Before conducting MDM product selection analysis, organizations must identify the risks and benefits of introducing support for corporate applications on personal devices. They then need to identify the IT policies required to control deployments, manage risks and support users. They also must choose the appropriate management approach, and products and services, that will help enforce the policies in a cost-effective way.

Product Class Definition

Gartner defines MDM as a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, enforcing policies and maintaining the desired level of IT control across multiple platforms. Mobile devices may be corporate and personal assets, as in BYOD programs. Areas of functionality include provisioning and decommissioning, inventory management, application management and security. The primary delivery model is on-premises, but MDM can also be offered as software as a service (SaaS), or through the cloud. See "Magic Quadrant for Mobile Device Management Software" for a complete description of the market, and the vendors delivering such products or services.

This research focuses on a subset of commercial offerings in the market, encompassing the products and services that get the most attention and requests for advice from Gartner's client base. We highlight the capabilities and viability of these products.

Critical Capabilities Definition

The growing demand for MDM by IT organizations has motivated a large number of technology providers to enter the market with MDM offerings. These products and services enable IT organizations to maintain control, automate management and minimize risks, while delivering consumer mobility to the workforce. Regarding basic management functionalities (e.g., provisioning and inventory management), most offerings are progressively becoming similar, with little differentiation among competing vendors.
They differentiate instead on enhanced capabilities, such as containerization, application management, document sharing and the cloud delivery model.

This research examines seven critical capabilities that differentiate competing MDM products in different use cases:

- Policy enforcement and compliance
- Security
- Containerization
- Application management
- Document sharing and management
- Scalability
- As-a-service and cloud delivery models
Detailed information about each critical capability follows:

Policy enforcement and compliance: This varies in capability by mobile OS, but includes:

- Enforce policies on eligible devices:
  - Detect and enforce OS platforms and versions, installed applications and manipulated data.
  - Detect iOS jail-broken devices and rooted Android devices.
  - Filter (restrict) access from noncompliant devices to corporate servers (e.g., email).
  - Restrict the number of devices per user.
- Enforce application policies:
  - Restrict downloadable applications through whitelists and blacklists.
  - Monitor access to app stores and application downloads, put prohibited applications on quarantine, and/or send alerts to IT/managers/users about policy violations.
  - Monitor access to Web services, social networks and app stores, send alerts to IT/managers/users about policy violations, and/or cut off access.
- Enforce mobile communication expense policies in real time:
  - Monitor roaming usage.
  - Detect policy violations (e.g., international roaming), and take action if needed (e.g., disable access to servers, and/or send alerts to IT/managers/users about policy violations).
- Enforce separation of personal versus corporate content:
  - Manage corporate applications on personal devices, and personal applications on corporate devices.
  - Tag content as personal or corporate through flags.
  - Detect separation violations, and send alerts to IT/managers/users if needed.
  - If a container is in use, prohibit exporting data outside the container (e.g., when opening an email attachment), and regulate interactions among different enterprise containers.
- Restrict or prohibit access to corporate servers (e.g., to email servers and accounts) in case of policy violations.

Security: This is a set of mechanisms to protect corporate data on a device and corporate back-end systems, and to preserve compliance with regulations:

- Password enforcement (complexity and rotation)
- Device lock (after a given time of inactivity)
- Remote wipe, selective remote wipe (e.g., only corporate content), and total remote wipe (e.g., a hard wipe, with data not recoverable after deletion)
- Local data encryption (phone memory and external memory cards)
- Certificate-based authentication (includes device ID, OS version and phone number), and certificate distribution
- Monitoring devices, and data manipulation on devices
- Rogue application protection (e.g., application quarantine)
- Certifications (e.g., Federal Information Processing Standard [FIPS] 140-2)
- Firewalls
- Antivirus software
- Mobile virtual private network (VPN)
- Message archiving (SMS, IM, email, etc.) and retrieval, and recording of historical events for audit trails and reporting

Containerization: A set of mechanisms to separate corporate from personal content (data and applications) on devices. What differentiates the level of support for containerization in various products is the granularity of control, isolation and protection enforced through the policies. This can span simple applications and files, to the complete corporate footprint hosted in the corporate container, and can create a dual-persona device user experience. The strongest implementation includes a full corporate container with proprietary applications, such as the email client and browser, as well as third-party and in-house applications developed through ad hoc SDKs, to make them part of the container. Additional methods include a container limited to proprietary applications, such as email, calendars and contacts, and the browser. Methods can include smaller-granularity containers limited to one application or document.
A number of policies can be enforced on the container to control the corporate footprint, such as:

- Local data encryption
- Selective remote wipe
- Data leakage prevention (no data is exported from the container, and there are cut-and-paste prohibitions)
- Controlled communication among containers
- Dual personas

Application management: A set of mechanisms for over the air (OTA) software upgrades, application inventory and distribution, such as:

- Application discovery and private app store
- Apple Volume Purchase Program, or other enterprise volume purchasing program integration
- Software updates for applications or OSs
- Patches/fixes
- Backup/restore
- Background synchronization

Document sharing and management: A set of mechanisms to support file synchronization and sharing, file distribution, and secure and manageable folders on mobile devices with policy enforcement:

- File synchronization and backup, transparent to the user
- File sharing with other employees, or among applications
- File distribution to a group of users, and those that are time sensitive
- Security and management policy enforcement

Scalability: Of MDM deployments in mass volume:

- Platform scalability for over 20,000 units supported
- High-availability and disaster recovery techniques

As-a-service and cloud delivery models:

- Ease of installation
- Pricing policies per user (as opposed to per device) rated higher

Use Cases

This research identifies the four typical use cases discussed in Gartner client inquiries. These cases highlight the differences among selected products/services, and rate them differently under specific conditions.

Case 1 Regulated Deployments:

- These organizations operate in severely regulated sectors, such as financial services, healthcare, military and defense, and government, that must be compliant anytime with sector-specific regulations, such as the U.S. Health Insurance Portability and Accountability Act (HIPAA), and must pass periodical audits.
- These organizations have a strong focus on security and control, e.g., for culture or market competition.
- These organizations often aim to support BYOD programs with personal and corporate devices.
- In all cases, strong IT security and control requirements include local data encryption for corporate information, certificate-based authentication, and isolation of corporate from personal content.

Case 2 Flexible Deployments:

- These organizations operate in nonregulated sectors (e.g., retail and delivery services) that do not require a complete corporate lockdown on devices, and can live with basic security and management support.
- BYOD programs often are required, in addition to supporting corporate devices.
- Employees are required to work with native applications, such as a native email client and browser.
- Provisioning, inventory and policy enforcement extended to the entire device is a management priority.
- There is little or no demand for containerization.

Case 3 Agile Deployments:

- These organizations operate in nonregulated sectors, planning to manage mobility through third-party service providers, rather than by deploying an on-premises infrastructure.
- Organizations aim to contain or optimize mobility costs, or to avoid big upfront costs.
- Organizations plan to support a small number of mobile users initially, and to grow incrementally over time to midsize and large deployments.
- BYOD programs often are required, in addition to supporting corporate devices.

Case 4 Mass Deployments:

- These are large-scale deployments, from more than 20,000 up to hundreds of thousands, with related requirements for high availability, disaster recovery, quality of service, etc.
- There is a need to monitor and control end-to-end mobile deployments.

The third and fourth use cases are not necessarily mutually exclusive of the first and second. A regulated organization may also look for agile or mass deployments. However, in this research, we want to capture the most common scenarios requiring MDM investment decisions to highlight the product capabilities.
Clients that are comfortable with the security/compliance/containerization capabilities of vendors on their shortlists, but have doubts about scalability, should focus on Case 4 to assess their mass deployment capabilities. Case 3 is a likely fit for organizations that have initial experience with mobility, and Case 4 will work for organizations that already have mobility experience, and are about to scale up to big deployment volumes. Case 1 and 2 focus on the level of control and lockdown needed, and are mutually exclusive.

Table 1 shows the weighting for all use cases in this research. Each use case weighs the capabilities individually based on the needs of that case, which impacts the score. Each vendor
may have a different position based on its capability and the weighting for each. The overall use case is the general scoring for the vendor's product, with all weights being equal.
Table 1. Weighting for Critical Capabilities in Use Cases

| Critical Product Capabilities | Overall | Regulated Deployments | Flexible Deployments | Agile Deployments | Mass Deployments |
|---|---|---|---|---|---|
| Policy enforcement and compliance | 14.3% | 5.0% | 60.0% | 5.0% | 5.0% |
| Security | 14.3% | 15.0% | 20.0% | 5.0% | 5.0% |
| Containerization | 14.3% | 45.0% | 0.0% | 5.0% | 5.0% |
| Application management | 14.3% | 15.0% | 10.0% | 5.0% | 5.0% |
| Document sharing and management | 14.3% | 15.0% | 5.0% | 5.0% | 5.0% |
| Scalability | 14.3% | 5.0% | 0.0% | 20.0% | 55.0% |
| As-a-service and cloud delivery models | 14.2% | 0.0% | 5.0% | 55.0% | 20.0% |
| Total | 100.0% | 100.0% | 100.0% | 100.0% | 100.0% |

Source: Gartner (August 2012)
Inclusion Criteria

This research considers the selection of MDM products and services offered by vendors included in "Magic Quadrant for Mobile Device Management Software." Please refer to the Magic Quadrant for a complete description of the market and vendors. Given the large number of players in this market (20 vendors were covered in the Magic Quadrant), we have chosen to restrict our analysis to offerings that gain the most interest during our interactions with Gartner clients, are visible on shortlists, and are largely considered leaders or challengers based on size, revenue or product portfolio. These include products and services provided by AirWatch, BoxTone, Fiberlink, Good Technology, MobileIron, SAP, Symantec and Zenprise. Vendors not included in this research are still valid options for consideration (see "Magic Quadrant for Mobile Device Management Software").

While most vendors specialize in management for smartphones and tablets, a subset provides specific capabilities to manage fleets of ruggedized devices (on Windows CE or Windows Mobile), including Soti, Odyssey Software (now part of Symantec), Wavelink and Motorola. We do not consider these vendors in a separate use case, because specialized management tools for ruggedized devices generate limited Gartner client inquiries for those with fairly mature OSs.

For completeness, we provide the list of criteria we used to qualify vendors for inclusion/exclusion in "Magic Quadrant for Mobile Device Management Software":

- Support for enterprise-class (noncarrier), multiplatform support MDM: Software or SaaS, with an emphasis on mobility
- Specific MDM product focus and feature set, or a primary focus on MDM in another product set (messaging or security)
- Security management, with at least these features:
  - Enhanced abilities to download, monitor and revoke certificates for email, applications, Wi-Fi, VPNs, etc.
  - Enforced passwords
  - Device wipe
  - Remote lock
  - Audit trail/logging, including the ability to verify device configurations from a central console
  - Jailbreak/rooted detection
- At least three mobile OS platforms supported
- Policy/compliance management
- Software management, with at least these capabilities supported:
  - Application downloader: the ability to push or pull applications on a mobile device
  - Application verification: the ability to verify the origin of mobile applications
  - Application update support
  - Application patch support
  - App store support: the ability to list and manage enterprise and third-party applications
- Hardware management, with at least these capabilities supported:
  - External memory blocking: blocks all use of flash memory cards, and other external memory
  - Configuration change history: audits and trails for any changes made for hardware
- At least 75,000 licenses sold
- Five referenceable accounts
- No more than 70% of revenue in one main geographic region or market
- At least $1.5 million in MDM-specific revenue
- General availability by the middle of 1Q12

Critical Capabilities Rating

Each product or service that meets our inclusion criteria has been evaluated on several critical capabilities (see Table 2 and Figure 2), on a scale from 1.0 (lowest ranking) to 5.0 (highest ranking).
Table 2. Product Rating on Critical Capabilities

| Product Rating | AirWatch | BoxTone | Fiberlink | Good Technology | MobileIron | SAP | Symantec | Zenprise |
|---|---|---|---|---|---|---|---|---|
| Policy enforcement and compliance | 4.3 | 4.3 | 4.0 | 3.7 | 4.7 | 3.5 | 3.8 | 4.0 |
| Security | 4.2 | 4.1 | 4.0 | 3.7 | 3.9 | 3.3 | 3.6 | 4.4 |
| Containerization | 3.0 | 2.5 | 2.5 | 4.6 | 1.4 | 2.0 | 3.0 | 3.0 |
| Application management | 4.3 | 4.0 | 4.0 | 3.5 | 4.4 | 3.7 | 3.9 | 4.4 |
| Document sharing and management | 4.2 | 2.2 | 3.1 | 3.0 | 2.0 | 1.0 | 3.0 | 4.2 |
| Scalability | 4.5 | 4.0 | 4.3 | 4.0 | 2.5 | 4.0 | 3.0 | 3.0 |
| As-a-service and cloud delivery models | 4.5 | 3.0 | 4.8 | 1.0 | 3.0 | 2.0 | 2.0 | 3.5 |

Source: Gartner (August 2012)
Figure 2. Overall Score for Each Vendor's Product Based on the Nonweighted Score for Each Critical Capability
[Chart "Product Rating Chart": one bar per vendor (AirWatch, Fiberlink, Zenprise, BoxTone, Good Technology, Symantec, MobileIron, SAP) on an axis from 0 to 35, with one segment per critical capability.]
Source: Gartner (August 2012)

To determine an overall score for each product in the use cases, the ratings in Table 2 are multiplied by the weightings shown in Table 1. These scores are shown in Table 3.
Table 3. Overall Score in Use Cases

| Use Cases | AirWatch | BoxTone | Fiberlink | Good Technology | MobileIron | SAP | Symantec | Zenprise |
|---|---|---|---|---|---|---|---|---|
| Overall | 4.1 | 3.4 | 3.8 | 3.4 | 3.1 | 2.8 | 3.2 | 3.8 |
| Regulated Deployments | 3.7 | 3.1 | 3.2 | 4.0 | 2.5 | 2.5 | 3.3 | 3.7 |
| Flexible Deployments | 4.3 | 4.1 | 4.0 | 3.5 | 4.3 | 3.3 | 3.6 | 4.1 |
| Agile Deployments | 4.4 | 3.3 | 4.4 | 2.3 | 3.0 | 2.6 | 2.6 | 3.5 |
| Mass Deployments | 4.4 | 3.7 | 4.2 | 3.3 | 2.8 | 3.3 | 2.9 | 3.4 |

Source: Gartner (August 2012)
Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy, and the vendor's ability to enhance and support a product throughout its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to the vendor's other product lines, its market direction and its business overall. Support includes the quality of technical and account support, as well as customer experiences with that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it.

Each product is rated on a five-point scale, from poor to outstanding, for each of the four areas, and it is then assigned an overall product viability rating. Table 4 shows the product viability assessment.
Table 4. Product Viability Assessment

| Vendor/Product Name | AirWatch | BoxTone | Fiberlink | Good Technology | MobileIron | SAP | Symantec | Zenprise |
|---|---|---|---|---|---|---|---|---|
| Product Viability | Outstanding | Excellent | Outstanding | Excellent | Excellent | Good | Good | Excellent |

Source: Gartner (August 2012)
The weighted capabilities scores for all use cases are displayed as components of the overall score. Figure 3 shows the overall use case.

Figure 3. Overall Use Case
[Chart "Overall Use Case": one bar per vendor (AirWatch, Fiberlink, Zenprise, BoxTone, Good Technology, Symantec, MobileIron, SAP) on an axis from 0.00 (Worst Fit to Use Case) to 5.00 (Best Fit to Use Case), with one segment per critical capability.]
Source: Gartner (August 2012)

Figure 4 shows the regulated deployments use case.
Figure 4. Regulated Deployments Use Case
[Chart "Regulated Deployments Use Case": one bar per vendor (Good Technology, AirWatch, Zenprise, Symantec, Fiberlink, BoxTone, MobileIron, SAP) on an axis from 0.00 (Worst Fit to Use Case) to 5.00 (Best Fit to Use Case), with one segment per critical capability.]
Source: Gartner (August 2012)

Figure 5 shows the flexible deployments use case.
Figure 5. Flexible Deployments Use Case
[Chart "Flexible Deployments Use Case": one bar per vendor (MobileIron, AirWatch, Zenprise, BoxTone, Fiberlink, Symantec, Good Technology, SAP) on an axis from 0.00 (Worst Fit to Use Case) to 5.00 (Best Fit to Use Case), with one segment per critical capability.]
Source: Gartner (August 2012)

Figure 6 shows the agile deployments use case.