Critical Capabilities for Mobile Device Management

29 July 2011 ID:G00213877
Analyst(s): Monica Basso, Phillip Redman

Overview

This research provides quantitative ratings for a selection of enterprise mobile device management (MDM) offerings, evaluating them in typical use cases, across 10 critical capabilities. Enterprises should use these critical capabilities, use cases and product ratings to identify the most suitable enterprise MDM products or services to meet their management and security requirements.

Key Findings

  • Not all MDM platforms provide device encryption if it is not supported natively on the device.
  • Although containerized approaches offer some of the highest security, restrictions on the user's experience with mobile email may limit user acceptance and viability on personal devices.
  • AirWatch, BoxTone, Fiberlink, MobileIron, Sybase and Zenprise use native Apple iOS 4 management APIs to implement functions such as over-the-air (OTA) software upgrades and certificate-based authentication.
  • Good for Enterprise is a mobility suite centered on wireless email; many management and security capabilities are available within its email client only.

Recommendations

  • Choose MDM offerings that support a lightweight management approach, with mobile agents and server-side platforms, when your security and management requirements are limited and deep control is not accepted by employees using personal devices. Examples include Zenprise, MobileIron, BoxTone, Fiberlink and AirWatch.
  • Choose MDM offerings that support a heavyweight approach to deliver secure and manageable corporate email to consumer and personal devices when strict security and compliance requirements apply. Containers can enforce stronger separation between personal and corporate content. Examples include Good Technology, Excitor and Sybase.
  • The iPhone 3GS and later hardware platforms ship with always-on hardware encryption. When iOS 4.2 was introduced, it added a new data protection class that allows third-party applications to manage their own encryption keys, reducing the risk of data leakage on a jailbroken device. The new data protection classes are activated upon the full installation of iOS 4 or later.

What You Need to Know

This document was revised on 24 August 2011. For more information, see the Corrections page on gartner.com.

Before making any effort to select the most appropriate tool for MDM, organizations need to understand their requirements and define clear policies for deployment, including corporate data and application protection on the device and back-end servers; isolation from personal content, if needed; and cost containment. Organizations should evaluate different MDM offerings, focusing on the critical capabilities identified in this research.

Analysis

Introduction

The proliferation of consumer devices and a growing demand from employees are changing the ways in which organizations deliver mobility solutions to the workforce.

IT organizations are forced to create mobility programs to support corporate email and other applications on consumer products, such as iPhone, iPad and Android devices. "Bring your own device" and employee-liable programs are common, and we expect that 80% of organizations will have tablets by 2013 (see "Gartner's Top Predictions for IT Organizations and Users, 2011 and Beyond: IT's Growing Transparency").

These deployments bring a range of new challenges, from security, compliance and management, to cost and human capital management. Organizations address these challenges by defining policies that regulate the usage of consumer and personal mobility for employees, and they need the appropriate tools to enforce policies, regulate behaviors, contain costs and manage risks, across multiple device platforms.

Multiple options are available — the enterprise MDM market has more than 60 players with a wide range of products, services and capabilities. Gartner research (see "Magic Quadrant for Mobile Device Management Software") identifies a subset of 23 vendors that qualify as viable for investments. These offerings are progressively adding similar features, driven by fierce competition, and the market is going through a commoditization route.

IT organizations struggle to identify the right options for investment. On one hand, the rapid evolution of mobile devices and business requirements makes it difficult to identify a clear set of MDM requirements. On the other hand, the lack of differentiation confuses buyers and complicates investment decisions.

One major area of differentiation among MDM offerings is the technical approach to management (see "How to Support Corporate E-Mail and Other Applications on Personal Devices"):

  • Lightweight approach: Server-side product or service offerings may have a small mobile agent running on the device, and/or call native APIs provided by the mobile OS platform (e.g., iOS 4), but do not have a complete mobile management client. They can enforce policies on the server side, but cannot control the device and mobile user behavior in depth. They are used in combination with native mobile support in corporate email servers (e.g., Microsoft Exchange ActiveSync [EAS] in Microsoft Exchange Server or Notes Traveler in Lotus Notes/Domino) to enforce complementary policies to those provided by the server. Thus, they can preserve the native email client experience on iPhones and iPads, which are favorite choices for users. Relevant vendors with this approach include AirWatch, BoxTone, Fiberlink, MobileIron and Zenprise.
  • Heavyweight approach: Client-side management software is available for every relevant mobile OS platform (either stand-alone or blended with a proprietary email client). The management client can enforce strong IT control on the device (e.g., local data encryption, selective wipe and containerization). Vendors with this approach are Good Technology, Excitor and Sybase. Good's product does not integrate with the email server's native mobile support (e.g., EAS) — actually, it replaces it, and it does not work with the device's native email client, but requires its own client, which can only connect to a corporate email server. Good Technology's approach prioritizes IT control, limiting the user's choice and experience with the email client.

Another important element of differentiation among these offerings is the delivery model: cloud services versus on-premises versus hosted. While most mature products (such as those from Good Technology, Sybase and MobileIron) are on-premises, a growing range of cloud services offerings (such as those from AirWatch, Fiberlink and Tangoe) are starting to appeal to users because they are more economical: there are no upfront costs, the price per user per month is inexpensive, and there is more flexibility to scale up services with growing mobility adoption or needs.

Before entering MDM product selection analysis, organizations need to identify the risks and benefits of introducing support for corporate applications on personal devices. They then need to identify the IT policies required to control deployments, manage risks and support users. Finally, they need to choose the appropriate management approach and the products and services that can help to enforce those policies in a cost-effective way.

Product Class Definition

Gartner defines MDM as a range of products and services that enables organizations to deploy and support corporate applications to mobile devices, such as smartphones and tablets, possibly for personal use — enforcing policies and maintaining the desired level of IT control across multiple platforms. Areas of functionalities include security, provisioning, software and inventory management, and decommissioning. See "Magic Quadrant for Mobile Device Management Software" for a complete description of the market and vendors that deliver these products or services. In this research, we focus on the capabilities and viability of a subset of offerings (products or services) from this market, which get the most attention and inquiries for advice from our client base.

Critical Capabilities Definition

MDM offerings address a range of requirements from IT organizations aiming to deliver mobility experiences to their workforces or customers, while maintaining control and minimizing risks. They tend to bring a fairly complex set of functionalities, with progressively little differentiation among the competition. This research examines 10 critical capabilities that differentiate competing MDM products. The critical capabilities considered for enterprise MDM products are:

  • Device Diversity
  • Policy Enforcement
  • Security and Compliance
  • Containerization
  • Inventory Management
  • Software Distribution
  • Administration and Reporting
  • IT Service Management
  • Network Service Management
  • Delivery Model

Detailed information about each critical capability follows:

  • Device Diversity: the degree of diversity in mobile devices and mobile OS platforms that the considered MDM product can handle. This includes:
    • Support for one or more OS platforms, such as Android, iOS, etc. (Note that support for Research In Motion [RIM] OS and Windows Phone 7 is rated as a plus because fewer vendors have added them.)
    • Support for media tablets
    • Support for ruggedized devices
    • Support for simpler phones
  • Policy Enforcement:
    • Enforce policies on eligible devices:
      • Detect OS platforms and versions, installed applications, and manipulated data.
      • Detect iOS jail-broken devices and rooted Android devices.
      • Filter (restrict) access from noncompliant devices to corporate servers (e.g., email).
    • Enforce application policies:
      • Restrict downloadable applications through whitelists and blacklists.
      • Monitor access to app stores and application downloads, and put prohibited applications on quarantine and/or send alerts to IT/managers/users about policy violations.
      • Monitor access to Web services, social networks and app stores, and send alerts to IT/managers/users about policy violations and/or cut off access.
    • Enforce mobile communications expense policies:
      • Monitor roaming usage.
      • Detect policy violations (e.g., international roaming) and, if needed, take action (e.g., disabling access to servers and/or send alerts to IT/managers/users about policy violations).
    • Enforce separation of personal versus corporate content:
      • Manage corporate apps on personal devices, and personal apps on corporate devices.
      • Tag content as personal or corporate through flags.
      • Detect violations of separation and, if needed, send alerts to IT/managers/users.
      • If a container is in use, prohibit exporting data outside the container (e.g., when opening an email attachment), and regulate interaction between different enterprise containers.
    • Restrict or prohibit access to corporate servers (e.g., to email server or email account) in case of policy violation.
  • Security and Compliance: a set of mechanisms to protect corporate data on a device, corporate back-end systems and preserve compliance with regulations:
    • Password enforcement (strong alphanumeric password)
    • Device lock (after a given number of minutes of inactivity)
    • Remote wipe, selective remote wipe (e.g., only corporate content); total remote wipe (hard wipe, data not recoverable after deletion)
    • Local data encryption (phone memory, external memory cards)
    • Certificate-based authentication (include device ID, OS version, phone number); certificate distribution
    • Monitoring device and data manipulation on device
    • Rogue app protection (e.g., application quarantine)
    • Firewall
    • Antivirus
    • Mobile VPN
    • Message archiving (SMS, IM, email, etc.) and retrieval; record historical event for audit trail and reporting
  • Containerization: a set of mechanisms to separate corporate from private content (data, applications) on a device and apply a range of actions to control the corporate footprint, such as:
    • Local data encryption
    • On-the-fly decryption
    • Selective remote wipe
    • No data export to other containers (data leakage prevention)
    • Controlled communication among containers
    • Application containerization (beyond email)
    • Containerization based on virtualization technology (e.g., Open Kernel Labs [OK Labs] OKL4, VMware MVP, ARM TrustZone)
  • Inventory Management: a set of mechanisms to provision, control and track devices connected to corporate applications and data:
    • Asset management and inventory
    • Device configuration and imaging
    • Device activation and deactivation
    • Provisioning (OTA):
      • Distribution (push)
      • Configuration (push):
        • Device configuration
        • iPhone profiles
    • Lockdown hardware features (e.g., enable/disable hardware, camera, removable media card, infrared [IR] port, Bluetooth, Wi-Fi)
    • Monitoring:
      • Performance
      • Battery Life
      • Memory
    • Lost-phone recovery:
      • Locate and map
      • Restore and migrate
  • Software Distribution: a set of mechanisms to distribute applications and software upgrades to mobile users OTA, avoiding tethering to a PC:
    • Application discovery (e.g., through private app stores)
    • Software updates, for applications or OSs
    • Patches/fixes
    • Backup/restore
    • Background synchronization
    • File distribution
  • Administration and Reporting: capabilities for IT administrators to manage mobile deployments and users. This includes:
    • Single console
    • Web-based console
    • OTA provisioning
    • Role-based access
    • Group-based actions
    • Remote control (real-time or permission-based)
    • Enterprise platform integration (e.g., Exchange Active Sync; LDAP; BlackBerry Enterprise Server [BES]; certificate authority; trouble ticketing and help desk, such as Remedy; and network management, such as IBM Tivoli)
    • Business intelligence
    • Reporting
  • IT Service Management: capabilities to grant mobile service levels to mobile users, such as:
    • Help desk
    • User support with levels
    • User self-service (administration, etc.)
    • End-to-end real-time monitoring
    • Troubleshooting
    • Alerting
  • Network Service Management: specific capabilities to monitor and optimize mobility costs, such as:
    • Contract management
    • Expense management
    • Service usage management
  • Delivery Model: ways to deliver MDM capabilities to customers (e.g., on-premises, hosted, cloud). Complete cloud offerings are rated higher, because they allow organizations to acquire MDM capabilities without upfront investments. Pricing policies per user (as opposed to per device) are rated higher.

Use Cases

We have identified a number of use cases that come up fairly frequently in our client inquiries, and that help to highlight the best characteristics of selected MDM offerings under specific conditions:

  • Case A1 — Highly regulated organizations focusing on corporate email only:
    • Organizations aiming to support consumer personally owned devices, such as iPhone, iPad and Android devices
    • Organizations operating in sectors under severe regulatory constraints (e.g., financial, healthcare, military and defense) with strict security and compliance requirements, such as the Health Insurance Portability and Accountability Act (HIPAA; e.g., must enforce local data encryption on all devices connected to their email servers, required certifications, etc.)
    • Organizations focusing on the short term, only regarding corporate email support
  • Case A2 — Highly regulated organizations going beyond email:
    • Highly regulated organizations, as per Case A1, that want to deploy and support corporate applications beyond email, need to distribute software OTA, and need discovery mechanisms (such as for app stores, to block access, etc.)
  • Case B — Nonregulated organizations, mobility deployments:
    • Organizations operating in nonregulated sectors (e.g., retail, delivery services) that can live with basic security and management support, and that must enforce limited mobile policies to mobile users
    • Organizations with previous mobility experience and/or mobility skills
    • Support for consumer devices, such as iPhone, iPad, Android, BlackBerry devices; corporate or personal devices
    • Organizations focusing on email and/or other applications
  • Case C — Expense management focus:
    • Organizations that want to optimize mobility deployment expenses and that are less focused on security
    • Cost optimization
  • Case D — Service-level management:
    • Organizations with critical mobile applications or users, and mobile service-level agreements
    • All types of deployment sizes (most often midsize to large)
    • Need to monitor and control end-to-end mobile deployments
    • Troubleshooting

Table 1 looks at the weightings of all the use cases in this research. Each use case weighs the capabilities individually based on the needs of that case, which impacts the score. Each vendor may have a different position based on its capability and the weighting for each one. The overall use case is the general scoring for the vendor's product, with all weights being equal.

Table 1. Weighting for Critical Capabilities in Use Cases

| Critical Product Capabilities | Overall | Regulated, Email (A1) | Regulated, Applications (A2) | Nonregulated (B) | Expense Optimization Objective (C) | Service-Level Management (D) |
|---|---|---|---|---|---|---|
| Device Diversity | 10.0% | 5.0% | 1.0% | 20.0% | 1.0% | 5.0% |
| Policy Enforcement | 10.0% | 5.0% | 10.0% | 5.0% | 0.0% | 5.0% |
| Security and Compliance | 10.0% | 5.0% | 10.0% | 5.0% | 0.0% | 5.0% |
| Containerization | 10.0% | 70.0% | 5.0% | 0.0% | 0.0% | 0.0% |
| Inventory Management | 10.0% | 5.0% | 5.0% | 9.0% | 20.0% | 15.0% |
| Software Distribution | 10.0% | 1.0% | 55.0% | 15.0% | 0.0% | 10.0% |
| Administration and Reporting | 10.0% | 1.0% | 2.0% | 40.0% | 20.0% | 20.0% |
| IT Service Management | 10.0% | 2.0% | 10.0% | 4.0% | 5.0% | 40.0% |
| Network Service Management | 10.0% | 5.0% | 1.0% | 1.0% | 53.0% | 0.0% |
| Delivery Model | 10.0% | 1.0% | 1.0% | 1.0% | 1.0% | 0.0% |
| Total | 100.0% | 100.0% | 100.0% | 100.0% | 100.0% | 100.0% |

Source: Gartner (July 2011)

Inclusion Criteria

Products covered in this research come from vendors included in "Magic Quadrant for Mobile Device Management Software"; refer to it for a complete description of the market and vendors. The following criteria were used to qualify vendors for inclusion in the Magic Quadrant for MDM:

  • Support for enterprise-class (noncarrier), multiplatform MDM: software or software as a service (SaaS), with an emphasis on mobility
  • Specific MDM product focus and feature set, or a primary focus on MDM in another product set (messaging or security)
  • Security management, with at least these features:
    • Enforced password
    • Device wipe
    • Remote lock
    • Audit trail/logging
    • "Jailbreak" detection
  • At least three mobile OS platforms supported
  • Policy/compliance management
  • Software distribution, with at least these capabilities supported:
    • Application downloader
    • Application verification
    • Application update support
    • Application patch support
  • Inventory management, with at least these capabilities supported:
    • External memory blocking
    • Configuration change history
  • Managing at least 25,000 mobile lines
  • Five referenceable accounts
  • At least $1 million in MDM-specific revenue

Given the large number of players in this market and the complexity of the products, we have chosen to restrict this analysis to a subset of vendors whose offerings get the most interest and highest level of inquiries from Gartner's clients. This research focuses on products or services provided by AirWatch, BoxTone, Excitor, Fiberlink, FancyFon, Good Technology, Mobile Active Defense, McAfee, MobileIron, Sybase, Symantec, Tangoe and Zenprise. Vendors not included in this research are still valid options for consideration (see "Magic Quadrant for Mobile Device Management Software" for details), including: Capricode, Fixmo, IBELEM, Fromdistance, Motorola, Odyssey Software, Smith Micro Software, SOTI, The Institution and Ubitexx (acquired by RIM).

While most vendors specialize in management for smartphones and tablets, a subset provides specific capabilities to manage fleets of ruggedized devices (on Windows CE or Windows Mobile), including SOTI, Odyssey Software and Motorola. We do not consider these vendors in a separate use case because specialized management tools for ruggedized devices generate limited Gartner client inquiries.

Critical Capabilities Rating

Each of the products that meet our inclusion criteria has been evaluated on the critical capabilities, on a scale of 1.0 to 5.0. To determine an overall score for each product in the use cases, the ratings in Figure 1 are multiplied by the weightings in Table 1. These scores are shown in Figure 2. Figure 3 shows the product score in the various use cases, and also provides our assessment of the viability of each product.
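The scoring rule described above, as an added example (not Gartner's code and not its published scores): it multiplies the Table 1 weightings by the ratings listed in Table 2 (AirWatch) and Table 3 (BoxTone), on the assumption that those per-vendor ratings are the ones Figure 1 plots. Function and variable names are illustrative.

```python
# Added example: weighted use-case scoring from the page's tables.
# Names below (USE_CASES, WEIGHTS, RATINGS, score, ...) are illustrative.

USE_CASES = ["Overall", "A1", "A2", "B", "C", "D"]

# Table 1 weightings in percent; columns follow USE_CASES order.
WEIGHTS = {
    "Device Diversity":             [10, 5, 1, 20, 1, 5],
    "Policy Enforcement":           [10, 5, 10, 5, 0, 5],
    "Security and Compliance":      [10, 5, 10, 5, 0, 5],
    "Containerization":             [10, 70, 5, 0, 0, 0],
    "Inventory Management":         [10, 5, 5, 9, 20, 15],
    "Software Distribution":        [10, 1, 55, 15, 0, 10],
    "Administration and Reporting": [10, 1, 2, 40, 20, 20],
    "IT Service Management":        [10, 2, 10, 4, 5, 40],
    "Network Service Management":   [10, 5, 1, 1, 53, 0],
    "Delivery Model":               [10, 1, 1, 1, 1, 0],
}

# Ratings on the 1.0 to 5.0 scale, transcribed from Table 2 and Table 3.
RATINGS = {
    "AirWatch": {
        "Device Diversity": 4.5, "Policy Enforcement": 3.3,
        "Security and Compliance": 3.6, "Containerization": 2.0,
        "Inventory Management": 4.4, "Software Distribution": 3.5,
        "Administration and Reporting": 3.7, "IT Service Management": 3.3,
        "Network Service Management": 2.0, "Delivery Model": 4.5,
    },
    "BoxTone": {
        "Device Diversity": 4.2, "Policy Enforcement": 4.2,
        "Security and Compliance": 3.9, "Containerization": 1.0,
        "Inventory Management": 4.4, "Software Distribution": 4.2,
        "Administration and Reporting": 3.7, "IT Service Management": 4.3,
        "Network Service Management": 1.0, "Delivery Model": 4.0,
    },
}


def check_weights(weights=WEIGHTS):
    """Raise ValueError unless every use-case column sums to exactly 100%."""
    for col, name in enumerate(USE_CASES):
        total = sum(row[col] for row in weights.values())
        if total != 100:
            raise ValueError(f"use case {name}: weights sum to {total}%, not 100%")


def components(product, use_case):
    """Per-capability contribution (rating x weight) to a product's score."""
    col = USE_CASES.index(use_case)
    ratings = RATINGS[product]
    missing = set(WEIGHTS) - set(ratings)
    if missing:
        raise ValueError(f"{product}: no rating for {sorted(missing)}")
    return {cap: ratings[cap] * WEIGHTS[cap][col] / 100 for cap in WEIGHTS}


def score(product, use_case):
    """Weighted score for one product in one use case, on the 1.0 to 5.0 scale."""
    return round(sum(components(product, use_case).values()), 3)


def top_component(product, use_case):
    """Capability that contributes most to the product's score in this use case."""
    parts = components(product, use_case)
    return max(parts, key=parts.get)


def ranking(use_case):
    """Products ordered from highest to lowest weighted score."""
    return sorted(RATINGS, key=lambda p: score(p, use_case), reverse=True)


if __name__ == "__main__":
    check_weights()
    for uc in USE_CASES:
        row = ", ".join(f"{p} {score(p, uc):.3f}" for p in ranking(uc))
        print(f"{uc:8s} {row}")
```

With equal weights the two products are almost tied, but the 70% containerization weight in Use Case A1 and the 40% IT service management weight in Use Case D pull them apart in opposite directions.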

Figure 1. Product Rating on Critical Capabilities

Source: Gartner (July 2011)

Figure 2. Overall Score for Each Vendor's Product Based on the Nonweighted Score for Each Critical Capability

Source: Gartner (July 2011)

Figure 3. Product Score in Use Cases

Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy and the vendor's ability to enhance and support a product throughout its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to the vendor's other product lines, its market direction and its business overall. Support includes the quality of technical and account support, as well as customer experiences with that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it. Each product is rated on a five-point scale from poor to outstanding for each of these areas, and it is then assigned an overall product viability rating.

Source: Gartner (July 2011)

Figure 4 represents the overall general use for MDM with all ratings equally weighted. This segments the vendors into three positions based on their product capabilities alone: Zenprise, Mobile Active Defense and MobileIron at the top; Good Technology, Symantec and McAfee at the bottom; and the bulk of the other vendors rated in the middle. Unlike the MDM Magic Quadrant, which rates companies in a broader context than by product alone, the MDM Critical Capabilities methodology solely assesses companies based on their products.

Figure 4. Overall Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Figure 5 shows the vendors' product scores for Use Case A1.

Figure 5. Vendors' Product Scores for Regulated Email (A1) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Figure 6 shows the vendors' product scores for Use Case A2.

Figure 6. Vendors' Product Scores for Regulated Application (A2) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Figure 7 shows the vendors' product scores for Use Case B.

Figure 7. Vendors' Product Scores for Nonregulated Mobility Deployment (B) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Figure 8 shows the vendors' product scores for Use Case C.

Figure 8. Vendors' Product Scores for Expense Optimization Objective (C) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Figure 9 shows the vendors' product scores for Use Case D.

Figure 9. Vendors' Product Scores for Service-Level Management (D) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Vendors

AirWatch

AirWatch's Enterprise MDM offering puts emphasis on device security, life cycle management, application distribution and help desk controls. It supports a broad range of device platforms and integrates with enterprise platforms, such as LDAP, Active Directory, Microsoft Exchange Server, IBM Lotus Notes/Domino and IMAP-based email servers. It integrates with cloud-based email services, such as Gmail, Microsoft BPOS and Office 365. AirWatch's origins come from the wireless network management services and ruggedized device market. The vendor has found equal success providing MDM through either a cloud-based or on-premises distribution model (see Table 2).

Table 2. Critical Capabilities Rating for AirWatch's Enterprise MDM v.5.14

| Critical Capabilities | Product/Service Name and Brief Description | Rating |
|---|---|---|
| Device Diversity | RIM OS, iOS, Android, Windows Mobile 6.x, Windows Phone 7, Symbian, webOS are supported. | 4.5 |
| Policy Enforcement | Profiles, monitoring, access restrictions, automated compliance policies and alerts for corporate and personal devices (but mostly for iOS, Android and Windows Mobile 6.x). | 3.3 |
| Security and Compliance | User and device authentication, password enforcement and device lock, remote wipe, and total wipe (but selective wipe only for iOS, Android, Windows Mobile 6.x). Local data encryption, application quarantine, whitelists/blacklists, Web filtering, auditing, mobile VPN, firewall support for selected platforms. No antivirus supported. | 3.6 |
| Containerization | Application containerization with data leakage prevention for iOS. Monitor and enforce compliance of OS-based encryption. No email container outside native OS capabilities. | 2 |
| Inventory Management | OTA provisioning, lockdown hardware, monitoring of battery life and other hardware resources, and inventory. Supports monitoring, diagnostics, remote control, performance, memory and battery status, and device location. | 4.4 |
| Software Distribution | Downloader, verification, whitelists/blacklists, version detection, updates. | 3.5 |
| Administration and Reporting | AirWatch's communication layer includes a complete infrastructure for API integration to third parties, as well as APIs, Web services, single sign-on and authentication protocols. Its platform also supports multiple protocols for information sharing, such as SSH and SNMP. Can authenticate device users through a basic authentication process or by integrating directly with enterprise directory services (LDAP). | 3.7 |
| IT Service Management | Integrated case management, user support levels, self-service portal, mobile service usage monitoring, alerting. | 3.3 |
| Network Service Management | Usage management to detect roaming and apply business rules, send alerts, and restrict data downloads. No contract or expense management. | 2 |
| Delivery Model | Available on-premises, as a software appliance or SaaS. | 4.5 |

Source: Gartner (July 2011)

BoxTone

BoxTone's offering focuses on mobile service-level management and includes three modules: MDM, mobile support management and mobile operation management. It provides deep integration with enterprise mobility software platforms and many popular system management and monitoring platforms (e.g., BES, EAS and Good Technology). BoxTone supports BlackBerry, iOS, Android, Windows Mobile, webOS, and Windows Phone 7. Beyond MDM, BoxTone supports service desk management, incident management, problem management and application performance management (see Table 3).

Table 3. Critical Capabilities Rating for BoxTone v.6.1

| Critical Capabilities | Product/Service Name and Brief Description | Rating |
|---|---|---|
| Device Diversity | RIM OS, iOS, Android, Windows Mobile 6.x, webOS. Symbian and MeeGo are not supported. | 4.2 |
| Policy Enforcement | Profiles, monitoring, access restriction. Automated policy management, compliance management, configuration management and application management are integrated into Active Directory for enterprise group IT policy management and enforcement. | 4.2 |
| Security and Compliance | User and device authentication, password enforcement and device lock, remote wipe and total wipe, and selective wipe on iOS, BlackBerry and Android. Filter server access to noncompliant devices. Local data encryption for RIM OS, iOS and Android devices, and memory cards, including individual certificate-based encryption and control of Android applications. Application quarantine, whitelists/blacklists and mobile VPN for supported platforms. Web filtering for RIM OS and Android. Firewall supported for BlackBerry only. No antivirus supported. Enhanced compliance enforcement functions, such as record historical events for audit trail and reporting. | 3.9 |
| Containerization | Not available. | 1 |
| Inventory Management | OTA provisioning, lockdown hardware, device configuration, monitoring service quality, battery life and other hardware resources, and inventory. Change history tracking of each device, including timestamped details for audit or reproducing specific state and status at a given time for troubleshooting or other change management. | 4.4 |
| Software Distribution | Private app store, software upgrades, OS updates, background synchronization, patches, fixes, file distribution. | 4.2 |
| Administration and Reporting | Integration with enterprise mobility platforms, such as BES, Good Messaging and EAS. Integration (in a single console) with the most widely used system management platforms (through prebuilt connectors and software development kits [SDKs]/APIs), such as Microsoft SCOM, HP Operations Manager, BMC Software, CA Technologies and IBM-BigFix. BoxTone can also integrate with other management platforms via SNMP technology. Web console. Role-based access. Remote control only for BlackBerry and Windows Mobile 6.x. Analytics tools. | 3.7 |
| IT Service Management | Strong help desk, user support, service-level management. Real-time status transaction flow for most enterprise mobile servers, plus automated problem or fault detection. Integrated knowledgebase with alerting mechanisms, etc. Self-service and self-provisioning support for supported platforms. | 4.3 |
| Network Service Management | Not available. BoxTone partners with telecom expense management (TEM) vendors, such as ProfitLine and Rivermine, and integrates with their products (but not directly reselling or embedding). | 1 |
| Delivery Model | Mostly sold as on-premises, but managed and cloud services are also available. | 4 |

Source: Gartner (July 2011)

Excitor

Excitor's DME Mobile Device Manager focuses on MDM and security. It does not rely on Exchange Active Sync policies to manage devices, but instead implements its own policies within its mobile management client. It supports standards such as OMA DM. Simple containerization is supported, but only in combination with Excitor's DME email product (see Table 4).

Table 4. Critical Capabilities Rating for Excitor's DME Mobile Device Manager v.3.5.x

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

RIM OS, iOS, Android, Symbian, Windows Mobile 6.x, Windows Phone 7, webOS and MeeGo are not supported.

4.5

Policy Enforcement

Profiles, monitoring, access restriction. Control access to app store. Control on enterprise applications for Symbian, iOS and Android.

3.9

Security and Compliance

User and device authentication, password enforcement and device lock. Remote wipe, plus total wipe and selective wipe for selected platforms. Filter server access to noncompliant devices. Local data encryption supported for BlackBerry, Symbian, iOS, Android and Windows Mobile 6. Application quarantine on devices is supported for iOS and Android. Whitelists/blacklists, Web filtering and mobile VPN for selected platforms. No native antivirus or firewall capabilities are provided, but it can nicely integrate with other products, such as Symantec.

3.4

Containerization

Containerization of email, in combination with the DME email client. Supported on iOS and Symbian. BlackBerry, Android and Windows Phone 7 support will be added in the next releases. Containerization extended to other applications, downloaded from the DME-based private app store, in the DME enterprise container. Data leakage prevention for email attachments and email copy/paste, limited to iOS.

3.3

Inventory Management

OTA provisioning, inventory, lockdown hardware, monitoring of battery life and other hardware resources for selected platforms.

3.8

Software Distribution

Private app store for iOS, Android, BlackBerry, Symbian, Windows Mobile 6, Windows Phone 7. Software upgrades, OS updates, patches and fixes are limited to some platforms.

3.3

Administration and Reporting

No integration with BES, Good Messaging and EAS (i.e., DME email client connects to DME server only). Integration (in a single console) with system management platforms via Web services. Web console and role-based access. No remote control. Business intelligence, analytics and reporting tools are supported natively.

3

IT Service Management

Provides first-line and second-line support through help desk capability to customers through excitor.com. Check device status and configuration.

2.5

Network Service Management

Basic capabilities provided in the DME Cost Control module. Additional TEM capabilities through external TEM providers (such as Teleopti and Pridis).

3

Delivery Model

On-premises, managed and cloud services.

4.5

Source: Gartner (July 2011)

FancyFon

FancyFon's Mobility Center (FAMOC) is a centralized platform to manage the mobile device life cycle, from OTA provisioning to configuration, application updates, security and troubleshooting. It provides remote support for a range of mobile devices, either as a hosted or an on-site solution. FAMOC supports iPad, Android tablets and RIM Playbook through a dedicated media tablet application available in respective app stores. It also supports ruggedized devices and nontypical mobile devices (e.g., GPSs) through Windows CE and Windows Mobile support, and Java-based feature phones with basic management, such as backup/restore, remote configuration and security (see Table 5).

Table 5. Critical Capabilities Rating for FancyFon's FAMOC v3.3

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

RIM OS, iOS, Android, Symbian, webOS, Windows Mobile 6.x and Java are supported. Limited support for Windows Phone 7, MeeGo and bada.

4.5

Policy Enforcement

Profiles, monitoring, access restriction, acceptable use for selected platforms. Limited control on personal and corporate apps (FAMOC configuration management).

3.7

Security and Compliance

User, media and device authentication; password enforcement and device lock; and remote, full and selective wipe for iOS and Android. Auditing, filters access to inappropriate devices, Web filtering on selected platforms. Whitelists/blacklists supported for RIM OS, iOS, Symbian and Windows Mobile 6.x. Antivirus, firewall and mobile VPN are supported.

4.1

Containerization

Not available.

1

Inventory Management

Rich OTA provisioning, inventory, lockdown hardware. Check memory space, diagnostics and monitoring of battery life for selected platforms (FAMOC configuration management).

4.4

Software Distribution

Downloader, verification, version detection, software upgrades, OS updates, patches, fixes and updates (FAMOC Application Management).

4.5

Administration and Reporting

OMA DM (Nokia, Sony Ericsson, Windows Mobile devices), OMA CP, OpenSCEP (Apple), Apple MDM API, BES, SyncML, EAS support.

FAMOC is compatible with and makes use of BES, Microsoft Exchange Server, Lotus Domino, Microsoft Active Directory, LDAP and Funambol. Support for role-based and group-based access. Single console, business intelligence, analytics and reporting tools available.

2.8

IT Service Management

Help desk and user support. Rich self-service. Device monitoring, file management and remote access control are supported.

3

Network Service Management

Limited invoice management, limited contract information. Usage monitoring and alerting (FAMOC Asset Management).

2

Delivery Model

On-premises-based; others (managed, SaaS) provided by partners.

4.3

Source: Gartner (July 2011)

Fiberlink

Fiberlink's MaaS360 Platform is a pure MDM cloud services offering, for organizations aiming to support both corporate and personal devices. It's a multitenant platform (see Table 6). Existing embedded platforms (BES, EAS and IBM Lotus Notes Traveler) are included in MaaS360 management via a single "cloud extender" agent that is deployed in the LAN. If device-side APIs are available, then device support beyond BES and EAS is done via API (e.g., Apple MDM protocol). If no device-side MDM API is present, then there is a native agent for that platform (e.g., Android).

Table 6. Critical Capabilities Rating for Fiberlink's MaaS360 Platform (internal v.10.6; service available as of 21 June 2011)

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Complete support for BlackBerry, iOS, Android, Symbian, webOS, Windows Mobile 6.x. Limited support for Windows Phone 7. No support for MeeGo.

4.5

Policy Enforcement

Profiles, monitoring, access restriction. Control access to app store, and control on enterprise applications. Acceptable use policies. Additional policy enforcement for iOS APIs includes dynamically changing policy (e.g., restrict VPN) or taking a remediation action (e.g., wipe device), based on device context (e.g., location) or a recent event (e.g., removed SIM); automatic provisioning of policies to devices discovered on corporate email servers.

3.7

Security and Compliance

User and device authentication, password enforcement and device lock; remote and total wipe (plus selective wipe for iOS and Android). Local data encryption (only core, no media). Can filter access to inappropriate devices for Symbian only. Whitelists/blacklists supported for iOS and Android. No support for rogue application protection (e.g., application quarantine) or Web filtering. No antivirus or firewall supported. MaaS360 provides mobile VPN as a managed service, and adds MDM profile lockdown for iOS and Android (prohibits users from removing management software).

2.8

Containerization

Document distribution and database updates through Apple enterprise application distribution; it provides data leakage prevention within encrypted applications and reporting for audit. Same capabilities provided on Android.

2

Inventory Management

OTA provisioning, inventory, lockdown hardware. Check memory space. Diagnostics and monitoring of battery life for iOS and Android.

4.2

Software Distribution

Cross-platform application catalog, software distribution and updates.

3.5

Administration and Reporting

Integration with BES, EAS and Lotus, with certificate authority. For desktop management, integration with management consoles from IBM, Check Point, Iron Mountain, Lumension Security and others. Other MDM platforms (e.g., MobileIron) can be integrated and controlled from inside MaaS360 to include PC management in the same console. Rich Web console and role-based access. Business intelligence, analytics and reporting tools available. Fiberlink offers a remote control service as part of its 24/7 global help desk at no additional cost. Technicians can take control of a problematic device via SMS and perform user context actions on BlackBerry, Windows Mobile, Symbian and Android.

4.2

IT Service Management

Rich help desk and user support. Self-service support. Device monitoring is supported, but not end-to-end monitoring (extended to BES, Exchange, etc.). Limited troubleshooting support.

4

Network Service Management

Roaming detection, automated restrict policy (Wi-Fi, VPN and email).

2

Delivery Model

Completely cloud-based model, with pricing per device or per user, and free service up to 25 users. User-based bundled pricing is available for an unlimited number of devices per user at a flat monthly fee.

4

Source: Gartner (July 2011)

Good Technology

Good for Enterprise is a mobility suite that supports mobile collaboration with strong support for security and management (see Table 7). The main components of the suite include: Good Mobile Control, for MDM; Good Mobile Access, for secure access to corporate data; and Good Mobile Messaging, for secure wireless email (see "Critical Capabilities for Enterprise Wireless E-Mail Software"; this document has been archived, and some of its content may not reflect current conditions). Good Technology's MDM and security capabilities are sold as part of the entire mobility suite (i.e., not sold as individual products) and require the adoption of the Good Mobile Messaging product for wireless email, including Good's email client. It replaces the email server's native mobile support. Through its native email client, it enforces separation between corporate and personal data; however, many MDM capabilities are available in the email client only. Good Technology provides the strongest implementation of containerization for the email client, on iOS, Android and Symbian devices. It also supports data leakage prevention (e.g., prohibiting the saving of email attachments outside the container).

Table 7. Critical Capabilities Rating for Good Technology's Good for Enterprise v.6.3.1.x

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Support through proprietary email, calendar and contact client, with security and management capabilities (at both the application and device levels) for iOS, Android, Symbian and Windows Mobile 6.x. No support for RIM OS and MeeGo.

3.5

Policy Enforcement

Mobile OS version detection, profiles, monitoring, access restriction for iOS, Android, Symbian, Windows Mobile 6.x. Detect jailbroken/rooted devices. Filter access to corporate systems to noncompliant devices. Control on personal and corporate apps for supported platforms. Support for acceptable use and audit trail. Does not rely on a local EAS agent on the device for policy implementation, but provides its own policy implementation, using "whole device" management APIs on iOS, Android, Symbian and Windows Mobile 6.x. Reporting for installed applications, provisioning profiles installed and certificates installed through iOS MDM API will be released later in 2011.

3.5

Security and Compliance

Multiple security and compliance features, but these are made available for selected platforms only. User and device authentication, password enforcement, device lock, remote and total wipe, and selective wipe for all supported platforms. Authentication between device and network operations center [NOC], then between NOC and corporate back end. Core encryption for all supported platforms. Media encryption supported for Symbian, Windows Mobile, Palm OS and Android (Dell Streak). Data encryption at rest and in transport (container only). Filter access to inappropriate devices for all supported platforms. Web filtering for all supported platforms. Whitelists for all supported platforms. Blacklists for Symbian and Windows Mobile. No support for rogue application protection (e.g., application quarantine), antivirus, firewall and mobile VPN. Only supports VPN over Wi-Fi on iOS platforms. Other features include device monitoring with coverage history and last message sent/received, NOC-based architecture, and secure browser for intranet access.

3.4

Containerization

Clean separation of personal and corporate data, including email, calendar, contacts and attachments. Based on mobile OS sandbox mechanism. Best implementation, with data leakage prevention. Only email and browser client application so far. Main features include: enable/disable download of attachments and block by attachment size/type; disable sync of contacts and/or limit sync of specific fields only; disable cut/copy/paste between personal and corporate data; detect last time connected to corporate data and wipe if exceeds policy; control intranet sites that users have access to via secure browser.

4.2

Inventory Management

OTA provisioning and basic inventory capabilities for all supported platforms. Lockdown hardware, check memory space, diagnostics and monitoring of battery life for selected platforms (Symbian, iOS, Windows Mobile 6.x).

3.3

Software Distribution

Downloader, application verification, updates and patches for all supported platforms. Private app store supported for iOS, Android and Windows Mobile.

3.3

Administration and Reporting

No integration with EAS, and no support for OMA DM. Integration through Active Directory with third-party management systems and portals. Partnerships with monitoring vendors (e.g., BoxTone).

2.8

IT Service Management

Help desk and user support through portal. Good Technology has monitoring capabilities for the device, but no end-to-end monitoring (extended to BES, Exchange, etc.) and troubleshooting. No BlackBerry support.

3

Network Service Management

Not available.

1

Delivery Model

On-premises and managed.

3.5

Source: Gartner (July 2011)

McAfee

McAfee is a prominent global security player with strong positions in desktop and laptop antivirus, encryption, and comprehensive endpoint management. McAfee has entered MDM through the 2010 acquisition of Trust Digital. It combines its Enterprise Mobility Management (EMM) platform with security support, and its virus/malware protection software (via the McAfee ePolicy Orchestrator [ePO] console) with other McAfee products (see Table 8).

Table 8. Critical Capabilities Rating for McAfee's EMM

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Android, Apple iOS, Nokia S60, webOS, Windows Mobile 5 and 6.x, and Windows Phone 7 are supported.

3

Policy Enforcement

Sets password policies, restricts device features and applications, and requires strong authentication.

3

Security and Compliance

The combined products of Mobile Security for Enterprise, ePO Integration and compliance sets are needed to enforce and report on compliance, based on device configuration, OS levels, security and jailbroken status. Full and selective wipe. Anti-malware integration with EMM and whitelist/blacklist for Android to be added in future releases.

2.8

Containerization

Not available.

1

Inventory Management

Provisioning, distribution and configuration OTA and lockdown hardware. Limited feature management: It collects key information about the device, including user, phone number, device ID, device status, device carrier, and application list. No monitoring (e.g., of battery life).

3.4

Software Distribution

Policy-based app distribution, downloader, verification, whitelists/blacklists, version detection, updates.

3

Administration and Reporting

Same centralized visibility and control over the mobile devices on your network as with desktops and laptops. Can configure ePO dashboard for a customized view of devices by platform, domain, and group. Supports LDAP and SQL Server integration.

2.8

IT Service Management

Help desk support. Simple end-user provisioning. Basic self-service portal.

2.5

Network Service Management

Not available yet. Signed TEM partnership agreement. ePO integration planned for 3Q11.

1

Delivery Model

On-premises-based software only.

3

Source: Gartner (July 2011)

Mobile Active Defense

Mobile Active Defense's Mobile Enterprise Compliance and Security (MECS) provides mobile security and compliance cloud-based services for organizations to support corporate email and other applications on consumer and personal devices, enforcing security and compliance policies. It can integrate with email servers and/or cloud services (including personal accounts). MECS is a clientless, zero-footprint product available on-premises, or as hosted or cloud services. Email is delivered through the device's native email client through a secure VPN connection with encrypted data transmission. The mobile security server supports anti-spam and content filtering, controlling any messages that are being synchronized on the devices. It enforces security policies on a personal device connecting to corporate email, preserving regulatory compliance (e.g., with ISO 27001 or HIPAA). Mobile Active Defense extends controls beyond email by forcing all traffic over the VPN from applications to the browser — including content filtering, geolocation-based firewall rules, application inspection and remediation, and jailbreak remediation. It is also used in combination with hosted virtual desktop infrastructure (e.g., Citrix Receiver) to provide a secure VPN connection from iPads into the corporate application servers (see Table 9).

Table 9. Critical Capabilities Rating for Mobile Active Defense's MECS Server v.1.1

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Complete support for RIM OS, iOS, Android, Symbian and Windows Mobile 6.x. No support for Windows Phone 7, webOS and MeeGo.

4

Policy Enforcement

Mobile OS version detection, profiles, monitoring, access restriction, control on personal and corporate apps, acceptable use, and audit trail. Location-based policy enforcement.

4

Security and Compliance

User and device authentication, password enforcement and device lock; remote, selective and total wipe. Core and media encryption (except for Windows Phone 7; that is under development), and auditing. Filter access to inappropriate devices and Web filtering, whitelists/blacklists on selected platforms, application quarantine. Antivirus, firewall and mobile VPN supported. Location-based firewall enforcement. Automatic remediation options, including jailbreak detection, hostile malware behavior and evolving mobile threats. Policy-driven reactions include notification, remote wipe and network disconnect.

4.6

Containerization

Not implemented, but personal and corporate content is tagged, and a selective wipe can be applied to corporate content only.

2

Inventory Management

OTA provisioning, lockdown hardware, check memory space, diagnostics and monitoring of battery life and inventory for RIM OS, iOS, Android, Symbian and Windows Mobile 6.x.

4.2

Software Distribution

Application downloader, application verification, updates and patches, app store management, private app store support.

4

Administration and Reporting

MECS has an EAS installed on it, and supports OMA DM. It can integrate with third-party management systems. It can generate aggregated access reports with Syslog.

2.8

IT Service Management

Help desk and user support, remote control, and self-service. Device monitoring.

3.3

Network Service Management

Invoice management, contract information. Mobile usage monitoring and alerting.

3

Delivery Model

On-premises, managed and cloud services.

4.5

Source: Gartner (July 2011)

MobileIron

MobileIron launched its product in September 2009, and has seen very quick growth in sales, mind share and market share, outselling most MDM platforms in the past year. Built from the ground up, it is solely focused on mobility management, incorporating the Virtual Smartphone Platform (VSP) architecture to support security, data visibility, application management and access control. It does not provide encryption or VPN capabilities outside of what is provided on the device. MobileIron was one of the first vendors to combine MDM with network service management (see Table 10).

Table 10. Critical Capabilities Rating for MobileIron's VSP

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Android, Apple iOS, RIM OS, Nokia S60, webOS, Windows Mobile 6.x and Windows Phone 7 are supported.

4.5

Policy Enforcement

Detects OS platforms and versions, installed applications, manipulated data, and jail-broken devices. Profiles, monitoring, access restriction to email server. Identifies whitelist/blacklist violations and takes quarantine or other actions. Control on personal and corporate applications. Real-time roaming detection. Automatic group creation: Autogenerates groups based on ownership so IT can easily apply differentiated policies.

4

Security and Compliance

Password enforcement and device lock, total and selective remote wipe. On iOS devices, selective wipe includes email, Wi-Fi settings, VPN settings and in-house apps. On other platforms, like the BlackBerry, it provides a selective wipe of files (through visibility into the phone's file system, as dictated by the MobileIron privacy policy applied to that phone). Certificate-based authentication, filter server access to noncompliant devices, rogue application protection (e.g., application quarantine) and whitelists/blacklists of apps. Local data encryption not supported if not natively provided by the device. VPN client not provided, but VPN can be remotely configured and secured through certificates. Web filtering, firewall and antivirus not supported. MobileIron Mobility API allows external systems to trigger MobileIron MDM actions through a Web services request.

3.4

Containerization

Privacy policy gives granular control over what device data (files, usage, SMS, apps, location, etc.) is monitored by MobileIron. Policies can be set by device or groups of users/devices.

2

Inventory Management

OTA provisioning, lockdown hardware, check memory space, diagnostics and monitoring of battery life, and inventory. Ownership designation: Tags each device managed by MobileIron as either employee- or company-owned.

4.1

Software Distribution

Full mobile software management and support. Software and OS updates, patches, and fixes. Private app store. Firmware updates not supported.

3.5

Administration and Reporting

Prepackaged integration with EAS, LDAP, BES, certificate authorities and email archive systems. Enable integration to multiple systems through the MobileIron API. Provides a list view of all devices under management and all devices accessing enterprise email, and reporting. No prepackaged adaptor for other management consoles/systems, but the platform is designed to integrate with external systems. Integration with IT provisioning and management systems, as well as business intelligence databases, is possible through MobileIron APIs.

4.2

IT Service Management

Help desk, user roles, end-user self-service, monitoring of mobile infrastructure, and troubleshooting/alerting for the mobile device and connections.

3.3

Network Service Management

Wireless Expense Management with Mobile Activity Intelligence gives IT, finance and the end-user a detailed, real-time view of phone usage (voice, SMS and data activity), cost drivers and service quality (e.g., to catch high-cost items, like international roaming and excess usage, as they happen, to control costs). Traditional TEM services, such as contract management and bill analysis, not supported.

3.1

Delivery Model

On-premises and hosted (by partners) in production. SaaS service (MobileIron Connected Cloud).

4

Source: Gartner (July 2011)

Sybase

Afaria is Sybase's MDM and security product, also delivered as cloud services within Sybase Managed Mobility (or as hosted services through partners such as Verizon and Orange). Sybase does not require a proprietary email client, but instead offers integrated secure control over a third-party email solution (for Android, via partner NitroDesk). Afaria provides rich support for software distribution, policy enforcement, inventory management and security. It is one of the oldest MDM products (see Table 11).

Table 11. Critical Capabilities Rating for Sybase's Afaria v.6.6

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Support for iOS, Android, Symbian, Windows Mobile 6.x, Windows CE and OMA DM. Partial support for RIM OS. No support for Windows Phone 7, webOS and MeeGo.

3.5

Policy Enforcement

Afaria Advanced Enterprise Security (AES) for Android adds more than 80 device management policies for Samsung Android devices.

4

Security and Compliance

Password enforcement and device lock; remote, selective and total wipe for RIM OS, Symbian, iOS, Android and Windows Mobile 6.x. Core and media encryption for Symbian, iOS and Windows Mobile 6.x. User and device authentication, filters access to inappropriate devices, Web filtering, whitelists/blacklists, and application quarantine for limited platforms. Mobile VPN support. Limited support for antivirus and firewall. Support on iOS and Android application portal for enterprise application management.

3.3

Containerization

Granular control over files, application configurations and management tasks on devices, so that administrators can only affect corporate data. In iOS and Android, this separation is built on the sandbox; in Windows Mobile, the separation is built on OS hooks. There is no data leakage prevention.

2.5

Inventory Management

OTA provisioning, lockdown hardware, check memory space, diagnostics, monitoring of battery life, and inventory for RIM OS, iOS, Android, Symbian and Windows Mobile 6.x.

3.7

Software Distribution

Application downloader, application verification, updates and patches, app store management. Limited private app store support.

4

Administration and Reporting

Comprehensive set of system APIs that allow database access to collected information from other management products. No integration for BES, Good Technology and EAS.

3.1

IT Service Management

Help desk and user support, remote control, self-service, and device monitoring for RIM OS, Symbian, iOS and Android.

3.3

Network Service Management

Invoice management, and contract information for RIM OS, Symbian, iOS, Android, Windows Mobile 6.x, Windows Phone 7 and OMA DM. Mobile usage monitoring and alerting are under development.

3.1

Delivery Model

On-premises, managed and cloud services.

4.5

Source: Gartner (July 2011)

Symantec

Symantec is a prominent global security player with strong positions in desktop and laptop antivirus, encryption, and comprehensive endpoint management. Symantec has offered MDM support in Altiris since 2004. Although Symantec has offered MDM for years, Gartner analysts have not seen evidence of competitive public visibility until recently, and cannot verify a significant presence through our client references. Symantec has successfully obtained all the pieces for a strong MDM platform, but its strong focus on security causes a diminution in understanding of the business and operational requirements for mobile device life cycle management. Symantec integrates its Mobile Endpoint 6.0 solution for security (anti-malware) with its Mobile Management 7.0 offering, which focuses on software, inventory and application management (see Table 12).

Table 12. Critical Capabilities Rating for Symantec Mobile Management 7.0

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Android, BlackBerry, Apple iOS, Windows Mobile 6.x are supported. No support for Windows Phone 7 and MeeGo.

3.8

Policy Enforcement

Symantec Endpoint Protection Mobile Edition 6.x detects OS and versions for supported platforms. Detects installed applications, manipulated data and jail-broken devices. Filters or restricts access to corporate servers for noncompliant devices. Restricts application download. Enforces expense policies. No Web filtering.

3.5

Security and Compliance

Password enforcement, device lock, remote wipe, selective remote wipe (e.g., only corporate content), total remote wipe and local data encryption. Certificate-based authentication, monitoring of device and data manipulation on device. Rogue app protection (e.g., application quarantine), firewall, antivirus and mobile VPN.

4.1

Containerization

Not currently supported.

1

Inventory Management

Moderate number of features supported; varies by platform.

4.3

Software Distribution

Application delivery capabilities with application self-healing, and on-demand or scheduled updating of running applications. Private app store to enable distribution of applications, files, links and media. Software updates, fixes and patches for supported platforms.

3.5

Administration and Reporting

Integrate Mobile Management with Altiris Client Management Suite to extend Symantec system management capabilities to manage mobile devices. Web console, OTA provisioning, and role- and group-based access.

3

IT Service Management

Help desk, user support levels and alerting. Symantec's solution provides these capabilities holistically across all endpoints (mobile, laptop, desktop and server): Mobile management is integrated with endpoint management and security solutions through the Symantec Management Platform. No troubleshooting, but integration with other products is supported.

2.2

Network Service Management

Not available.

1

Delivery Model

On-premises-based software.

3

Source: Gartner (July 2011)

Tangoe

Tangoe is a fast-growing communications life cycle management company with TEM and MDM capabilities. Although the primary revenue source is through TEM, the vendor also has seen the adoption of its MDM platform (acquired from InterNoded) grow during the past 18 months. Tangoe has done a good job of integrating TEM and MDM, and offering MDM as a service, although its offering has not yet matured. The Tangoe Mobile Device Management platform focuses more on security compliance and policy management, versus adding encryption for the content or authentication for the device. Tangoe's MDM solution is typically sold in a bundle with TEM services, and is delivered in multiple ways: as SaaS or behind the firewall, hosted or as a managed service (see Table 13).

Table 13. Critical Capabilities Rating for Tangoe's Mobile Device Manager v.5.2.11.1

Critical Capabilities

Product/Service Name and Brief Description

Rating

Device Diversity

Android, BlackBerry, Apple iOS, webOS, Windows Mobile 6.x, Symbian, Windows Phone 7 and Gobi 2000 are supported.

4.4

Policy Enforcement

Supports applying any EAS policy. The limitations are based on the device's OS and manufacturer. Role-based policy management.

4

Security and Compliance

Provides a granular role-based security model that can restrict all components and actions within MDM.

3.1

Containerization

Not available.

1

Inventory Management

Mobile Device Manager supports the full features of inventory management.

4.5

Software Distribution

Deploys or removes corporate applications, and provides a private app store. Support for updates, patches and fixes.

2.7

Administration and Reporting

A central management console delivers real-time statistics across devices, platforms and domains, managing all stages of deployment. Integrates with BES, Good Mobile Messaging and EAS.

3.6

IT Service Management

Help desk and user support. Support for a self-service portal and device monitoring of applications, SMS, and voice and data activity against carrier plans.

2.7

Network Service Management

Specialized capabilities on TEM (e.g., ordering, provisioning and expense management for simpler phones).

4.2

Delivery Model

On-premises-based software and managed services.

4

Source: Gartner (July 2011)

Zenprise

Zenprise's Mobile Manager is one of the more innovative platforms available, combining a strong mobile VPN solution with the use of location-based technologies. It has a clear interface and solid reporting capability. It is a small company focused on MDM. It recently acquired Sparus Software, a small, French security and MDM company, to better support mobile security and encryption (see Table 14).

Table 14. Critical Capabilities Rating for Zenprise's Mobile Manager

| Critical Capabilities | Product/Service Name and Brief Description | Rating |
|---|---|---|
| Device Diversity | Android, BlackBerry, Apple iOS, webOS, Windows Mobile 6.x and Windows Phone 7 are supported. | 4.7 |
| Policy Enforcement | Zenprise Security Manager provides a smartphone audit feature to enforce compliance with corporate policies. Ensures that all smartphones are running only the latest software patches and firmware. Policy and password enforcement, and content encryption. | 4 |
| Security and Compliance | Zenprise Security Manager tracks policies applied to the device, and identifies missing or removed policies. Provides detailed reports of potential security problems. Zenprise Mobile Manager includes four layers of security operating at device, application and network tiers, providing end-to-end security: Dynamic Defense (device security), AppTunnel (application security), Secure Mobile Gateway (controls access to corporate networks, application quarantine) and Mobile Network Intelligence (enterprise wireless network traffic). FIPS compliance certification process is ongoing. | 4.4 |
| Containerization | Not available. | 1 |
| Inventory Management | Zenprise Device Manager provides visibility and control of end users' smartphones. Offers remote control capabilities to troubleshoot smartphone problems. | 4.4 |
| Software Distribution | Private app store for users' application discovery, and for IT administrators to silently configure and provision enterprise applications on smartphones and tablets. Software updates, patches and fixes for selected platforms; backup/restore, background synchronization and file distributions. Dashboard displays version, configuration and memory use information for mobile applications across all connected devices. | 3.7 |
| Administration and Reporting | Unified Web console, and role-based and group-based access. Remote control (real time or permission-based) for BlackBerry, Windows Mobile and Android, including the ability to initiate chat and voice over Internet Protocol between the administrator and user, or to remotely view and kill processes running on the devices. Offers more than 50 performance reports to aid in your infrastructure planning. Offers profiles of real-time and historical performance of BES, Exchange, EAS, Active Directory and SQL servers. Integrates with Remedy, Microsoft Systems Center, IBM Tivoli, HP OpenView and BMC Patrol. | 3.8 |
| IT Service Management | Zenprise Expense Manager offers smartphone security audits that help avoid costly litigation or compliance lapses. | 4.3 |
| Network Service Management | Zenprise offers network service management consistent with the described criteria features. | 3 |
| Delivery Model | Primarily on-premises-based software. | 4 |

Source: Gartner (July 2011)

Critical Capabilities Methodology

"Critical capabilities" are attributes that differentiate products in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions.

This methodology requires analysts to identify the critical capabilities for a class of products. Each capability is then weighted in terms of its relative importance overall, as well as for specific product use cases. Next, products are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities overall, and for each use case, is then calculated for each product.

Ratings and summary scores range from 1.0 to 5.0:

1 = Poor: most or all defined requirements not achieved

2 = Fair: some requirements not achieved

3 = Good: meets requirements

4 = Excellent: meets or exceeds some requirements

5 = Outstanding: significantly exceeds requirements

Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy and its ability to enhance and support a product over its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular product fits in relation to its other product lines, its market direction and its business overall. Support includes the quality of technical and account support as well as customer experiences for that product. Execution considers a vendor's structure and processes for sales, marketing, pricing and deal management. Investment considers the vendor's financial health and the likelihood of the individual business unit responsible for a product to continue investing in it. Each product is rated on a five-point scale from poor to outstanding for each of these four areas, and it is then assigned an overall product viability rating.

The critical capabilities Gartner has selected do not represent all capabilities for any product and, therefore, may not represent those most important for a specific use situation or business objective. Clients should use a critical capabilities analysis as one of several sources of input about a product before making an acquisition decision.