Comparing the best mobile device management products

Expert Matt Pascucci examines the top mobile device management offerings to help readers determine which MDM products may be the best fit for their organization.

The mobile device management (MDM) space is growing at a rapid pace, and is widely used across the enterprise to manage and secure smartphones and tablets. Investing in this technology allows organizations to not just secure mobile devices themselves, but the data on them and the corporate networks they connect to as well.

The market for MDM products is saturated now, and there are new vendors arriving in this vertical on a consistent basis. Many of the larger names in mobile security, meanwhile, have been buying up smaller vendors and integrating their technology into their mobile management offerings, while others have remained pure mobile device management companies from the beginning. So what are the best mobile device management products available today?

Since the mobile security market has become so crowded, it is harder than ever to determine what the best mobile device management products are for an organization's environment. To make choosing easier for readers, this article evaluates five leading MDM companies and their products against the most important criteria to consider when procuring and deploying mobile security in the enterprise. These criteria include MDM implementation, app integration, containerization vs. non-containerization, licensing model and policy management, while the mobile management vendors covered are Good for Enterprise, AirWatch, MobileIron, IBM (previously Fiberlink) and Citrix.

That being said, there are also niche players -- such as BlackBerry -- that are attempting to move into the broader MDM market outside of just securing and managing their own hardware, as well as free offerings from the likes of Google that are trying to compete with the above list of MDM vendors by providing tools to assist in the management of Android devices. Even Microsoft has a small amount of MDM built into its operating systems that allows for the management of mobile devices.

Today, the vast majority of mobile devices in use (both smartphone and tablet) run on either Apple's iOS or Google's Android OS. So while many of today's MDM products are also capable of managing Windows phones, Blackberries and so on, this article focuses mostly on their Apple and Android management and security capabilities.

Selecting the best mobile device management product for your organization isn't easy. By using the criteria presented in this feature and asking the six questions outlined in our previous article in this series on mobile security, an organization will find it easier to procure the right mobile management and security product to satisfy its enterprise needs. Let's get started.

Criteria #1: Implementation of MDM

Organizations should understand and plan out their mobile device deployment and MDM requirements before looking into vendors. The installation criteria for MDM are normally based off a few things: resources, money and hardware. With that being said, there are two distinct installation possibilities when deploying an MDM product.

The first is an on-premises implementation that needs dedicated resources, both from a hardware and technical perspective, to assist with installing the system or application in a network. Vendors like Good for Enterprise require the installation of servers within an organization's DMZ. This will necessitate firewall changes and operating system resources to implement. These systems will then need to be managed appropriately to verify that they're consistently patched and scanned for vulnerabilities, among other things. In essence, this type of MDM deployment is treated as an additional server on an organization's network. It's possible that a smaller business might shy away from an install of this nature due to the requirements and technical know-how it would take to get off the ground. On the other hand, if businesses are able to manage this type of mobile management and security product, it gives them complete ownership of these systems and the data that's on them.

The second installation type is a cloud-based service that allows for an installation of MDM off-premises, removing any concerns regarding management, technical resources and hardware from becoming an issue for an organization. Vendors like AirWatch have the ability to let customers provision their entire MDM product in the cloud and manage the system from any Internet connection. This is both a pro and a con: It provides companies with resource constraints (like not having the experience or headcount) with the ability to get an MDM product set up quickly, but it does so at the risk of having data reside outside the complete control of these organizations -- within the cloud.

Depending on an organization's resource availability, technical experience and risk appetite, these are the two options (on-premises and cloud) currently available for installing MDM.

Criteria #2: App integration

Apps are a major reason the popularity of and demand for mobile devices have increased exponentially over the years. Without the ability to have apps work properly and yet securely, the power of mobile devices and the ability for users to take full advantage of these tools becomes severely limited.

MDM companies have realized this need for functionality and security, so they've created business-grade apps that enable productivity without compromising the integrity of mobile devices, the data on them and the networks they connect to. Products like Citrix XenMobile have created Worx apps that are tied together and save data in a secure sandbox on the mobile device, so users don't need to send business data through unapproved, potentially insecure apps that are out of the enterprise's control. The sandboxing technology works by securing, and even at times partitioning, the MDM app separately from the rest of the mobile OS, essentially isolating it from the rest of the device while allowing a user to work securely and efficiently.

MDM vendors have also partnered with third parties to create branded versions of third-party apps for use with their MDM. Good for Enterprise has, for example, partnered with many large vendors to accommodate the need to use their apps with its MDM. This integration between vendors is extremely helpful and adds to the synergy between both vendors to allow for better security and more productive users.

Whether you're using apps created by an MDM vendor to allow additional security, or apps that have been developed through the collaboration of the MDM vendor and third parties, it's important to know that most of the work on a mobile device is done via these apps, and securing the data that flows through and is created on them is important.

Criteria #3: Container vs. non-container

There are two major operational options available when researching MDM products: MDM that uses the container approach, and MDM that uses the non-container approach. This is a major decision that needs to be made before selecting a mobile management product, since most vendors only subscribe to one of these methods. This decision, whether to go with the container or non-container method of mobile management, will guide the policy, installation of apps on the mobile devices, BYOD plans and data security of the mobile devices that an organization is looking for an MDM product to manage.

A containerized approach is one that keeps all the data and access to corporate resources contained within an app that's downloaded to mobile devices. This app will normally not allow data from elsewhere on the mobile device into the app, and vice versa. Both Good for Enterprise and IBM (MaaS360 Fiberlink) offer MDM products that allow customers to use a containerized approach. Large companies tend to benefit from this approach -- as do government agencies and financial institutions -- as it tends to offer the highest degree of protection for sensitive data. Once a container is removed from a mobile device, all organizational data is gone and the organization can be sure there was no leakage of data onto the mobile device that might be left over. This method is used to ensure, without a doubt, that data on this device was removed and there was no leakage of data to other areas of the device.

In contrast to the restrictive tactic used by containerization, the non-container approach allows for a more fluid and seamless user experience on mobile devices. Companies like AirWatch and MobileIron are the leaders in this approach, which enables security on mobile devices via policy and integrated apps. This means these systems rely on pushing policy to the native OS to control their mobile devices. They also support multiple integrated apps (supplied by trusted vendors the MDM companies have partnered with) that assist with adding an additional layer of security to their data.

Many organizations, including startups and those in retail, lean toward the non-container approach for mobile management and security due to the speed and native familiarity that end users already have with their mobile devices -- with OS-bundled calendaring and mail apps, for example. However, keep in mind, in order to completely secure all data on mobile devices, the non-container approach requires the aforementioned tight MDM policy and integrated apps to enforce the protection of a business's data.

Criteria #4: License models

The licensing model for MDMs has changed slightly in recent years. In the past, there was only a per-device license model, which meant organizations were pushed into licensing models that weren't very effective for them financially. Due to the emergence of tablets and users carrying multiple smartphones, there arose a need for a license model based on the user (and not the individual device). All the MDM products covered in this article today offer similar, if not identical, pricing models. The MDM vendors have all listened to the call of customers, and realized that end users in this day and age don't always have one device. Which licensing model -- per-device or user-based -- an organization chooses depends on the inventory of mobile devices that the company has.

The per-device model normally works well in a small company. In this model, every user would get a device that would go toward the organization's total license count. If a user has three devices, all of these would go toward the total license count that the business owns. These licenses are normally cheaper per seat, but can quickly become expensive if there are multiple devices requiring coverage per user.

The user-based pricing model, by contrast, takes into account the need for users to have multiple devices that all require MDM coverage. With this model, the user name is the basis of the license, and the user can have multiple devices attached to that one license. This is the reason many larger organizations lean toward this model, or at least a hybrid approach of the two licensing models, to account for users who have multiple mobile devices in use.

Criteria #5: Policy management

This is a large and important feature within mobile device management, and one that needs to be reviewed by an organization selecting the MDM with either an RFP or something that outlines the details of what type of mobile device policies it requires. Mobile policies have the ability to let organizations make granular changes to a mobile device and allow it to limit certain features (camera, apps, among others), push wireless networks, create VPN tunnels, whitelist apps and so on to a mobile device. This is the nuts and bolts of MDM, and a criterion that should be reviewed heavily during the proof of concept stage with specific vendors.

This ability to push certain features of a policy to mobile devices is certainly required, as is the ability to wipe devices remotely if the need arises, should they be lost or stolen. While all the MDM products covered in this article provide the ability to remotely wipe mobile devices, in the case of Good for Enterprise and IBM, organizations have the option to wipe mobile devices completely or just remove the container.

Also important is for MDM products to include the ability to configure options such as VPN connections, wireless network configurations and certificate installs (which AirWatch does a great job of). These options need to be asserted in an RFP beforehand to determine what part of the mobile device policy you're looking to secure within mobile devices. Evaluating what policy changes can be pushed to a mobile device, and what functions an organization might want to see within a policy, will help guide it toward making an educated decision on the best mobile device management products for it.

Most times there will be multiple policies created that allow certain users to receive a particular policy, while allowing someone with other needs to receive a completely different MDM policy. This is a standard function within all MDMs, but it should be understood that a single policy for all users is not always plausible.

Finding the best mobile device management product for you

There are many vendors in this very saturated market, but following these five criteria should assist organizations with narrowing the field down to find the best mobile device management products available today. There is much overlap between vendors, but finding the right one that secures an organization's data completely and allows full coverage, with the ability to manage all the aspects needed in a policy, is what businesses should be aiming for in MDM products.

Many large companies, especially those in the financial or government sector, are running Good for Enterprise due to the extra layer of security it provides by leveraging a container and integrated apps developed by vendors they partner with. IBM MaaS360, on the other hand, offers both a container and non-container approach to mobile security and management, which makes it suitable for larger enterprises that require some flexibility in terms of operational method deployment. This gives IBM MaaS360 the ability to play toward both sides and gives it some leverage against competitors by being able to attract customers from both mindsets.

Many midsize companies don't have to meet the level of security imposed by large financial clients, for example, and thus aren't running toward boosting their mobile device security. We've seen that many times compliance will bring an extra layer of required security, however, thereby making these organizations more conscientious at times about securing data on mobile devices. Midsize to large companies (those outside of the financial sector) tend to run AirWatch or MobileIron MDM, due to the abilities of these mobile security platforms to keep the native feel of mobile devices intact while being able to push custom policies to the clients that secure the mobile devices.

As for the MDM apps and the ability to have them integrated into the offering, Citrix is performing very well in this area with its XenMobile Worx apps, having shown that it's pushing the boundaries within this area. These apps are selling points to many customers who want to integrate their data onto a mobile device, but want the flexibility to manage the data these mobile apps are consuming. By dispensing these approved apps to managed mobile devices and writing policy for their data to be used on these apps, MDM products such as Citrix's assist with adding an extra layer of data control for the company and ease of use for the user.

In conclusion, the MDM market is expanding exponentially each year and mobile devices have become an indispensable tool for users within a business. With this continued growth in mobile, organizations need to be able to protect these mobile devices and the data they hold to make sure that the growth that they've assisted in doesn't become an organization's downfall.

Next Steps

In part 1 of this series, learn about the basics of mobile device management products in the enterprise

In part 2 of this series, find out about the enterprise scenarios for MDM products

In part 3 of this series, read about the questions to ask before buying enterprise MDM products

Exploring the mobile trends of 2016

This was last published in September 2015
