Analyst(s): Rob Smith, Bryan Taylor, Manjunath Bhat, Chris Silva, Terrence Cosgrove
Enterprise mobility management suites connect mobile devices to enterprise workflows while supporting the perpetual growth in device numbers and types. I&O leaders responsible for mobile and endpoint strategies must maintain focus on near- and long-term goals in this rapidly changing market.
This document was revised on 7 June 2017. The document you are viewing is the corrected version. For more information, see the Corrections page on gartner.com.
Enterprise mobility management (EMM) suites are the "glue" that connects mobile devices to their enterprise infrastructure. Organizations use EMM tools to perform the following functions for their users:
Provisioning: EMM suites configure devices and applications for enterprise deployment and use, manage updates, and assist with device upgrade and retirement.
Auditing, tracking and reporting: EMM suites can track device inventories, settings and usage to verify compliance with enterprise policies and manage assets.
Enterprise data protection: EMM suites mitigate data loss, theft, employee termination or other incidents by adding controls for data encryption, data access rights, shared devices, application wrapping and containment, and device lockdown.
Support: EMM suites help IT departments troubleshoot mobile device problems through inventory, analytics and remote actions.
Five core EMM technical capabilities help IT organizations perform these services, some of which overlap. Organizations may use some or all of these features, depending on their requirements:
Mobile device management (MDM): MDM is a platform-dependent life cycle management technology that provides inventory, OS configuration management, device provisioning and deprovisioning, remote wipe, and remote viewing/control for troubleshooting. MDM profiles, installed on the device, facilitate these functions. Several EMM players are moving upstream with products to manage workstation-class PCs and Macs.
Mobile application management (MAM): MAM applies management and policy control functionality to individual applications, which are then delivered via an app store and are managed locally on devices via the EMM console. MAM can also provide analytics capabilities to help administrators and application owners understand usage patterns. MAM functionality can include:
An enterprise app store, which can be used to deploy in-house-developed and commercially sourced applications for business purposes.
Support for the management and distribution of applications by using native OS APIs, such as Android for Work and iOS's Managed App Configuration, as well as the volume purchase of apps for Android, iOS and Windows.
Mobile identity (MI): EMM tools ensure that only trusted devices and users access enterprise applications by helping to manage identity and access management (IAM) functions, such as user and device certificates, authentication and single sign-on (SSO). EMM tools are increasingly using contextual information (such as location and time) to evaluate access decisions.
Mobile content management (MCM): EMM tools use MCM to manage access rules for content distribution on mobile devices. Advanced MCM tools are also often full-featured enterprise file synchronization and sharing (EFSS) suites, offering additional functionality, such as collaboration and more advanced policy management, but are bundled as part of the EMM product suite. The MCM function has three fundamental roles:
Policy enforcement: The EMM tool can enforce policies down to individual files, including device-independent encryption keys, authentication, file-sharing rules and copy/paste restriction. Examples include conditional access to attachments in email, files synced with a back-end repository or files synced with a cloud repository.
Content push: The EMM tool enforces rules for push-based file distribution, replacement and deletion.
Integration: Beyond basic file access policies, MCM tools are adding mobile compatibility for third-party rights management systems, as well as enterprise data loss protection (DLP) and enterprise digital rights management (EDRM) infrastructures.
Containment: EMM tools provide methods to encapsulate MDM, MAM, MI and/or MCM in quarantined environments designed to isolate business from personal usage, and to facilitate data and function isolation on shared multiuser devices. This capability is increasingly provided by mobile OS APIs. However, when built-in APIs are not available or are undesirable to use, containment within EMM tools is necessary to segment enterprise data. Containment can be a self-contained set of applications, such as a personal information management (PIM) client. This capability can improve cross-platform compatibility by removing app dependence on specific APIs, and can add self-defending/hardening features that are particularly advantageous for apps running on unmanaged devices — that is, an MDM profile may not need to be installed. Containment technology can include:
Preconfigured apps: EMM vendors provide proprietary mobile apps or integrate with particular third-party apps to provide enhanced levels of manageability and security for commonly requested functions, such as email calendaring and contact management, browsing, and file sharing.
Application extensions: These apply policies to applications through the use of a software development kit (SDK) or by wrapping individual apps with a security and management layer.
There are diverse vendor approaches to managing the mobile life cycle, with many focusing on identity and access, content security, and containment. To be classified as an EMM suite, Gartner requires inclusion of MDM, MAM and at least one of the following: MI, MCM or containment technologies. The most advanced suites will include all five technologies.
Source: Gartner (June 2017)
In 2016, BlackBerry completed the integration of Good Technology with BlackBerry Enterprise Server (BES). BlackBerry Enterprise Server v.12.6, which is now BlackBerry Unified Endpoint Manager (UEM), was released in December 2016. UEM signifies BlackBerry's effort to expand its existing capabilities for managing PCs, Macs and Internet of Things (IoT) devices in addition to mobile devices. BlackBerry has a single integrated offering with the BlackBerry Enterprise Mobility Suite, which includes BlackBerry UEM, BlackBerry Dynamics platform and apps, BlackBerry Enterprise Identity, and BlackBerry Workspaces.
The acquisition and successful integration of the Good Technology portfolio proved wise, as BlackBerry gained immediate credibility as a multiplatform mobility management tool and saw steady adoption throughout 2016. The rebranding of the Good Work secure PIM client as BlackBerry Work and the capabilities its Network Operations Center (NOC) provides, along with product improvements, have helped maintain its traditionally favored status with regulated and high-security customers, particularly finance. However, some clients have expressed concern over the planned end-of-life for Good for Enterprise, which is scheduled for August 2017.
BlackBerry brought to market one of the more credible offerings in the EMM-manageable IoT space among EMM vendors with the BlackBerry Radar product, an asset management solution built for the trucking industry for trailer, chassis and container management. Though a niche solution, it gives BlackBerry a foundation of experience for end-to-end IoT management. Although Gartner expects that only a small portion of the emerging EMM-manageable IoT market will be suitable for management with EMM, Radar provides a toehold in a market where most other vendors have only ambitions. BlackBerry UEM is a good fit for organizations with stringent security requirements, those in regulated industries, or those who need to offer apps and content without managing the entire device.
BlackBerry's PIM client remains the strongest, most widely adopted PIM client among EMM offerings for those organizations that require PIM clients for security or compliance reasons.
The combined history, reputations and security capabilities of BlackBerry, WatchDox and Good Technology make BlackBerry a strong choice for regulated or security-conscious organizations.
BlackBerry Dynamics is a feature-rich, security and general-purpose SDK for securing third-party apps as well as apps developed internally by organizations that see value in an SDK approach.
Few references cited experience with the PC and Mac management capabilities of BlackBerry UEM. The feedback provided was generally positive, but a small number of data points means that organizations wishing to employ these capabilities should plan for extensive testing and piloting.
BlackBerry has discontinued its app wrapping capabilities; however, app wrapping is available from Appdome. Organizations should take account of this when planning a MAM strategy around the BlackBerry UEM product.
BlackBerry has limited support for third-party identity and access management as a service (IDaaS) vendors. Verify BlackBerry works with your existing identity solution before proceeding.
Cisco operates Meraki Systems Manager, its EMM solution, in the Meraki product line separate from its mainstream infrastructure solutions, with some points of integration into Cisco management. Meraki Systems Manager supports a wide range of platforms, from iOS and Android devices to full Windows and macOS systems.
Cisco is notable as the only network infrastructure vendor to offer an EMM that qualifies for this Magic Quadrant, while other infrastructure providers do not meet the criteria. Meraki Systems Manager will appeal most strongly to companies that have chosen to conduct basic MDM as a network operation task or who want a single-vendor Cisco solution.
References indicate that support is good and that Meraki Systems Manager is stable and reliable after installation. Full support is included in the purchase price.
The management interface and Active Directory integration are simple and easy to understand. Inventory tracking with geospecific policies is a prominent buyer selection criterion.
Meraki Systems Manager is often priced below other EMM products, making it disruptive in any competitive bid.
The integrative benefits of Meraki Systems Manager are only applicable if an organization uses Cisco/Meraki as its primary infrastructure.
Meraki labels a domain of managed devices as a network, which administrators consider confusing. Device management scales well within a single network, but references report that they need separate networks to manage multiple sites, which creates extra administrator work.
There is no solution or process to deal directly with unmanaged and bring your own (BYO) scenarios. Cisco provides support for Google Android native BYOD work profile, and Apple's native open-in management.
In 2017, while maintaining its XenMobile offering as an independent product, Citrix made a major partnership announcement with Microsoft aimed at marketing the XenMobile solution to customers migrating to or using Microsoft's Intune EMM product. In these scenarios, Citrix positions XenMobile EMM as an additive tool to Intune when the latter is deployed in a "without enrollment" configuration. Citrix's suite of containerized mobile apps can also now be managed using Microsoft Intune MAM controls. Citrix continues to add elements to its EMM offering, including integration of IoT management and analytics technology added to the Citrix portfolio through the acquisition of Octoblu.
Citrix's broader unified endpoint management capabilities focus on desktop environments and applications delivered through the Citrix virtualization offerings. While Citrix is positioned in the Visionary quadrant for 2017, Gartner believes it is well-positioned to execute as this market evolves. XenMobile remains a good fit for organizations with an existing investment in Citrix virtualization technology and the ShareFile collaboration offering, and for companies looking for a suite of containerized applications that are considering or actively migrating to Intune for mobile application management.
Citrix has taken a defensive stance to address the growing influence of Microsoft's Intune offering in the EMM space by creating a bridging strategy with its XenMobile product.
Citrix Secure Mail receives positive reviews from customers when compared to the retrofitted consumer offerings from some competitors.
Tight integration of network controls in NetScaler, data manipulation and protection in ShareFile, and the app and desktop virtualization offering from Citrix demonstrate strong product synergy.
Citrix demonstrated a functional gap in support for iOS 10.x and Android (formerly Android for Work) MDM features at the time of analysis.
Customers noted that addressing support issues and product requests can require direct access to executives, which is not available to all customers, especially smaller organizations.
Despite a strong focus on providing connectivity to desktops and desktop apps on mobile via virtualization offerings, the client management capabilities of XenMobile are weaker than market leaders' offerings.
IBM's EMM strategy has evolved from being very security-centric to becoming focused on user productivity as well. A big part of IBM's strategy is to take advantage of the broader IBM software and service functions, and establish a "better together" offering of MaaS360 with adjacent IBM products in areas such as mobile threat detection, cloud access security broker (CASB) and IAM. One of the most significant MaaS360 releases over the past year provided cognitive insights — a capability that combines Watson analytics with customer EMM data to help customers understand their mobile environment and make decisions.
IBM continues to transition from an EMM strategy to a UEM one by enhancing the integration between MaaS360 and IBM BigFix, offering one of the most feature-rich client management solutions. MaaS360 is a good fit for customers that want a SaaS-based EMM tool that has integrated mobile security.
MaaS360 provides the EMM administrator with useful insights regarding the state of the mobile environment. For example, the dashboard will identify policy violations and the associated vulnerabilities to which the organization is exposed.
MaaS360 has an agent that supports Windows 7, 8, 10 and macOS to provide traditional client management tool (CMT) as well as EMM features.
Customers have reported for several years that MaaS360 is easier to implement than many other EMM solutions.
MaaS360 is SaaS-only; it does not provide an on-premises management option. The solution does offer an on-premises access gateway for email and other applications.
Many advanced Windows and macOS management features require a combination of MaaS360 and BigFix, which are not fully integrated.
The MaaS360 iOS app, at approximately 96MB, is considerably larger than other iOS EMM apps; user enrollment can be challenging for users with slow internet connections.
Ivanti is the renamed company following the merger of Landesk and Heat Software. The merger does not have major EMM product implications aside from Heat Software's LANrev product, which will provide some additional iOS and Android capabilities. Over the past few years, Ivanti acquired several mobility management vendors, including Wavelink, which was originally the heart of its EMM strategy. However, over the past year, Ivanti switched its EMM product focus to the Landesk technology. Ivanti's strategy is to provide an offering that integrates UEM with endpoint protection, service desk and asset management. As a longstanding leading CMT vendor, Ivanti is a good fit for organizations looking for an EMM solution with best-of-breed CMT functionality.
Ivanti provides a self-service portal, at no additional charge, for Windows, Mac, iOS and Android, which provides application distribution along with service desk functions.
Secure PIM functionality provides administrators with enhanced email security capabilities (e.g., authentication into email and remote display attachments), while enabling users to employ the native email app on iOS, Android and Windows Phone.
Administrators can use a single workflow to deploy an application to PCs and mobile devices. For example, an administrator can deploy the PC, Mac and mobile versions of an application through one operation.
Ivanti's strategy is to meet most EMM requirements, but customers with best-of-breed needs may need to use alternative EMM products.
Ivanti has limited mobile app containerization capabilities (e.g., app wrapping).
While workable, account management for kiosk or shared devices is awkward. The Ivanti account on the device has to be assigned to a person, requiring administrators to create a pseudo account in Active Directory.
Matrix42's EMM product, Matrix42 Unified Endpoint Management, resulted from the acquisition of Silverback in 2014. Matrix42's product, through its combination of UEM and IT service management, provides more comprehensive and advanced user self-service capabilities, including approval workflows and service catalog integration.
While Matrix42 has unified certain aspects of the EMM and CMT capabilities, full user interface integration is not yet complete, and the release of an updated UEM user interface is one of Matrix42's highest priorities. Customers have consistently reported good experiences with Matrix42 support services. Organizations primarily located in Europe and Australia that want an easy-to-use EMM for PCs and mobile devices should consider Matrix42.
Matrix42's integration between its EMM and service desk products allows help desk personnel to quickly support mobile device issues.
Matrix42 provides a UEM bundle through user-based licensing, for an unlimited number of devices per user, for managing PCs and mobile devices through a single management console.
Matrix42 MyWorkspace provides integrated IDaaS capabilities to control access to SaaS applications, as well as native mobile applications.
The administrative console is missing some features that provide administrative flexibility in areas such as dashboard customization and managing complex policies.
The vast majority of Matrix42's customers are in Europe and Asia. The company has very little presence in the Americas, which can present challenges in terms of support and finding implementation partners.
Matrix42 does not provide its own app SDK or app-wrapping solution. Matrix42 takes a mobile-OS-platform-centric approach to securing apps.
In 2016, Gartner saw the widespread interest in Enterprise Mobility + Security (EMS) translate into an increasing number of deployments as the product continued to evolve in features and functionality. Migration of tenants to the Azure platform, which began in December 2016 as "Intune in the Azure Portal Preview" and was made generally available in May 2017, was a key milestone that enabled Microsoft to address many of the historic weaknesses of the product. Key among these improvements is the long-anticipated replacement of the Silverlight-based Intune Admin portal and fragmented admin experience with the Azure portal, which includes improved administrative delegation capabilities and full support for managed configuration options for Google Play store apps. Clients with hybrid deployments (integrated with System Center Configuration Manager [SCCM]) are not impacted by this update. New stand-alone customers will have access to these features immediately.
Intune APIs are now included in the Microsoft Graph. The APIs, in beta now, will provide an interface for integration for third-party EMM vendors to manage Office 365 applications via proxy, but will still require an Intune or EMS license. Microsoft has made significant feature enhancements, but still lags behind leading EMMs in some areas.
Intune is a good fit for customers who have a Microsoft Enterprise Agreement and view Microsoft as a strategic partner; who will primarily support productivity-oriented use cases based on Microsoft Office 365; and who have deployed or will deploy Azure AD as their IAM solution.
Microsoft's proprietary integration with Office 365 mobile apps makes it the only EMM suite that can natively manage the DLP settings of these apps.
The widespread use of a Microsoft Enterprise Agreement in shops larger than 250 users makes Intune licensing highly attractive for such customers.
Strong integration with Azure AD and Advanced Threat Protection makes rich security telemetry available in the mobile environment.
Customers continue to report difficulties with the initial configuration and setup of Intune. It is therefore recommended that this be done directly in cooperation with the included Microsoft FastTrack support.
Customers with investments in third-party IAM products should be aware that Intune currently provides full integration only with Azure AD for IAM.
Intune is available only as a cloud service and does not offer an on-premises or hybrid local access gateway, requiring clients who need local access to look for alternate solutions.
MobileIron is a publicly traded company that continues to be one of the few stand-alone EMM vendors and is the only one that is also a Leader in this Magic Quadrant. MobileIron EMM continues to offer zero-day full support for iOS, Android and Windows 10, but falls short on macOS. As of today, MobileIron has focused on managing smartphones, tablets and PCs, rather than emerging devices.
MobileIron is typically used as the central integration point for mobile policies due to its broad integration capabilities with third-party infrastructure components, such as certificate authorities, security information and event management (SIEM), network access controls (NACs), mobile threat defense tools and the AppConfig ecosystem. MobileIron has expanded its footprint in the regulated industry due to significant strides on the security front through certifications such as Common Criteria Certification for Mobile Device Management Protection Profile Version 2.0 (MDMPP V2.0), Federal Risk and Authorization Management Program (FedRAMP) and support for derived credentials.
During evaluation, customers and prospects should note that MobileIron adds support for new platform features (for example, macOS) to its cloud suite first, followed by on-premises. Organizations that want an up-to-date, scalable and proven EMM product that integrates with a diverse ecosystem should consider MobileIron.
MobileIron customers cite improvement in the overall level of customer support in the past year. The company has proactively reached out to on-premises customers to ensure that they get the latest patches, and notifies its cloud customers about scheduled outages.
MobileIron has focused on both the security and user experience aspects of its solution. It secured multiple certifications to comply with regulations and enhanced the user experience of its end-user-facing apps, such as its enterprise app storefront and Email+.
MobileIron Cloud is known to scale, with customers managing over 100,000 mobile devices in production.
As a stand-alone EMM vendor, competitive pressure from vendors with broader suites of products poses a long-term threat as organizations look to reduce their overall vendor footprint.
The solution does not have ready-to-use customizable reporting and analytics built into the admin dashboard.
Customers using AppConnect should take into account some limitations — AppConnect on Android does not support an SDK like it does on iOS. Android AppConnect is a wrapper-only solution.
Headquartered in Beijing, NationSky offers an EMM solution through its NQSky EMM product. NQSky EMM supports both an on-premises and a cloud deployment. Compared to last year, Gartner sees an increase in the number of customers using the cloud version, but the on-premises solution still dominates most NQSky deployments.
Starting with version 4.2, the EMM suite includes support for a native SDK to manage third-party mobile apps through the EMM policies for both managed and unmanaged use cases. The NQSky EMM SDK focuses on providing a common baseline across the fragmented ecosystem of Android OEMs in China. Note that Google Play is not available in China, thus making Android management infeasible in the country.
NQSky added support for Windows 10 management this year, including passcode, encryption and device restrictions. NQSky is prebundled with a secure PIM client (BeMail), instant messaging (BeTalk), a lightweight rapid mobile app development (RMAD) tool (AppNest), and an MCM app for secure document viewing and editing. NQSky EMM is a good fit for organizations in China that are looking for a scalable, general-purpose EMM with local language customer support.
The NQSky EMM console is easy to navigate for administrators, who can view and act on compliance violations and notifications about the most critical device, app, license and user information. The console also allows creation of custom roles with granular permissions tied to each.
NationSky continues to earn customer appreciation for strong technical support and customer focus.
The EMM SDK supports DLP restrictions such as preventing copy/paste and screen capture even when the device is not managed. The SDK can limit containerized apps to specific Wi-Fi service set identifiers (SSIDs) without MDM.
For Android apps, NQSky EMM does not support linking to public app stores and app distribution is limited to uploading the application binary to the administrator console.
macOS is not yet supported. While Windows 10 PCs can be managed via NQSky EMM, it does not support configuring Wi-Fi and VPN profiles on the device at the time of this writing.
NQSky EMM does not support Google-approved Android management due to lack of Google Play services in China. But it integrates with Android OEM customizations such as Emotion UI (EMUI from Huawei) and Mi UI (MIUI from Xiaomi).
Headquartered in Stockholm, Sweden, Snow Software provides an EMM solution through its Snow Device Manager (SDM). Snow did not release any major version of SDM in the past 12 months; however, SDM did introduce new features such as a Volume Purchase Program (VPP) and support for iOS 10, Android 7 and Windows 10 platforms, as well as a new web interface for device enrollment and service desk handling.
SDM continues to be one of the few EMM products that integrates tightly with a software asset management (SAM) tool. SDM is also bundled with a self-service portal (called Snow Automation Platform) available for end users as a device life cycle management utility. This portal allows users to place hardware requisitions in addition to requests for software applications.
Snow has now expanded its customer base to two new regions — Brazil and Australia. The company's focus has been more on optimizing the use of software licenses to reduce IT procurement costs and less on device policy management. Snow Device Manager is a good fit for small to midsize organizations looking for a basic, cost-effective EMM solution, with a focus on application license management and asset inventory in the workplace.
SDM supports a VPP across iOS, Android and Windows 10. The VPP allows Snow to complement license management capabilities with distribution and management of public apps.
SDM's integration with Snow License Manager (SLM) allows IT to ensure compliance with software licensing audits along with basic security policies.
Customers report very high satisfaction with SDM self-service functionality, which allows end users to order devices and apps and to request maintenance services and device repairs.
Snow's pace of innovation in device management capabilities has slowed, demonstrated by the absence of a major SDM version release this year.
Customers report a decline in support quality with the transition from phone calls to an email-based system that now results in longer wait times.
SDM's main administration console continues to be a Windows desktop application with an outdated look and feel. Moreover, SDM, SLM and SAM currently execute as three separate Windows applications. Lightweight administration can be carried out in Snow Mobility Manager's web-based console, with several updates to it expected this year.
Sophos Mobile is offered as a stand-alone, on-premises or cloud solution that will integrate with Sophos's broader line of security products, particularly its endpoint protection platform (EPP). The company is aggressively pursuing nonsignature detection methods, as well as DLP and EDRM extended across server, workstation and mobile devices.
Sophos sells its EMM solution mainly to small businesses (72% have fewer than 500 managed devices); however, it can scale to 50,000 devices. Sophos is distinguished in this Magic Quadrant for being one of only two EPP vendors that met the inclusion criteria. The other is Microsoft. Sophos is a good fit for organizations looking to consolidate EPP and EMM, and for push-type tasks that involve a self-managed secure container.
Sophos Mobile's console uses reconfigurable live tiles to create a multimodal dashboard display. For mixed-skill administrators, user self-help and wizard features are available to help speed through common maintenance tasks.
Sophos Secure Email Gateway (which is licensed from Virtual Solution) is the first PIM client to be certified for the German government's BSI security standard and is one of the best PIM clients available. It offers an easy-to-use interface and runs as part of the Sophos Container, along with Sophos Secure Workspace for secure documents and a corporate browser.
Sophos Mobile provides a platform-independent container, but, for maximum portability, files can be automatically wrapped with encrypted HTML5 packages at time of transfer. This presents an opportunity to force a user to perform an authentication of rights to view individually encrypted files.
Windows MDM is supported but not well-labeled in the management system. Prospective buyers may wish to ask for better documentation during product evaluations.
Top-tier support is not available 24/7. Enterprises that perform major updates and configuration changes on nights and weekends should inquire about availability.
Sophos does not have a solution for unmanaged devices. Independently contained/wrapped files will help, but they will not prove effective for constant workflow situations.
SOTI continues to develop unique capabilities in the management of Android devices as well as rugged and consumer device use cases, while expanding the relevance of its MobiControl product to address management of more endpoint types. Despite a continued strength in the special-purpose device areas, Gartner has not witnessed the vendor make significant inroads in new or existing customers to manage the broader fleet of smartphones and tablets of knowledge workers.
SOTI is working to further expand the capabilities of its software portfolio, in areas adjacent to EMM, such as mobile help desk support and RMAD. SOTI remains a strong choice for organizations with heavy Android deployments, those seeking management of devices with legacy OSs, and those looking for a single console to manage nontraditional mobile devices, such as mobile printers and purpose-built IoT endpoints.
SOTI continues to broaden the gap between its solution and other vendors' offerings in Android management, specifically in remote control and field support.
SOTI excels in providing remote control for mobile devices and PCs, including those that are not enrolled in the EMM console.
SOTI leads in both the support of legacy devices, such as those running Windows CE, and in EMM-manageable IoT devices.
Gartner has received feedback from SOTI clients regarding its ability to provide either consistent global execution or engagement during deployment.
SOTI has partnerships for, but lacks natively in its product, both a secure PIM tool and a true, bidirectional EFSS capability.
Product pricing for basic MDM trends higher, with lower average discounting compared to other EMM offerings, making SOTI difficult to justify if unique features such as remote control or specialized device support are not in play.
In September 2016, Dell Technologies completed the acquisition of EMC, which included the independently operated and publicly traded VMware. Over the past year, AirWatch has been completely merged into VMware's End-User Computing business unit and has become more integrated with various VMware technologies, most notably VMware's IAM and software-defined networking (SDN) products, forming a joint solution known as Workspace One. However, this joint solution has little adoption due to its short time on the market.
VMware AirWatch has made substantial strides toward becoming a full-featured UEM, with significant advances in managing Windows 10 and macOS in a single console. The console itself is one of the easiest to use, with embedded training videos, links and a wizard-like approach to help new administrators become productive quickly. VMware has expanded into IoT with a new product called VMware Pulse IoT Center, which leverages the AirWatch technology as well as extended functionality to support a wide range of IoT edge systems and connected devices.
The combination of VMware AirWatch, EMC's data management, and Dell's service and hardware capabilities puts VMware in a strong position to handle the challenges of UEM from a single source. VMware AirWatch appears most frequently in Gartner clients' EMM vendor shortlists. VMware AirWatch is a good fit for organizations that require a comprehensive EMM feature set on a broad range of platforms including mobiles, tablets, PCs and advanced IoT devices.
AirWatch has proven large-scale deployments across most vertical markets.
AirWatch continues to push innovation with zero-day support of new OSs and with a unique solution for unmanaged devices.
Workspace One competitively positions VMware AirWatch as a broader solution to expand past EMM-only installations.
Gartner continues to receive complaints about support for VMware AirWatch from clients who do not have a direct Technical Account Manager (TAM). Clients who have purchased the TAM option do not report issues with service. VMware has also added direct enterprise support known as "pods" to address support quality for larger installations.
Customers still on the legacy AirWatch Inbox email application continue to report issues in application functionality and stability. However, those who have migrated to the new Boxer client are satisfied. Support for Secure/Multipurpose Internet Mail Extensions (S/MIME) in Boxer is brand new, and its quality could not be verified at the time of this writing.
Gartner continues to hear of periodic code quality issues with the VMware AirWatch product, which are likely to be the result of attempts to provide a broad set of capabilities quickly.
We review and adjust our inclusion criteria for Magic Quadrants as markets change. As a result of these adjustments, the mix of vendors in any Magic Quadrant may change over time. A vendor's appearance in a Magic Quadrant one year and not the next does not necessarily indicate that we have changed our opinion of that vendor. It may be a reflection of a change in the market and, therefore, changed evaluation criteria, or of a change of focus by that vendor.
Ivanti — Former Landesk product renamed after Landesk merged with Heat Software.
Landesk — Merged with Heat Software and renamed Ivanti.
SAP — SAP no longer met the inclusion criteria to qualify for the 2017 Enterprise Mobility Management Magic Quadrant.
More than 100 vendors offer EMM functions. We developed inclusion criteria involving a combination of business metrics and technical capabilities. To qualify for inclusion in the Magic Quadrant, each vendor must meet the following criteria:
The vendor must have at least $8 million in 2016 EMM revenue.
There must be at least five new references, with a maximum of 10, from organizations using the EMM product in production, with at least one that has multiple operating systems under management and one with 10,000 or more installed seats.
The vendor must offer EMM support for at least iOS, Android and Windows 10.
The vendor must provide an EMM suite that contains MDM, MAM and at least one of the following: MI, MCM or containment technologies.
Exchange ActiveSync (EAS) is not considered as supporting management of an OS. A vendor must support the OS MDM controls to qualify as having management support.
Many EMM products provide functions beyond those already listed. Some features were considered optional and not necessarily critical criteria for comparison. For example:
Advanced MAM that manages PIMs, browsers and other applications.
Support for macOS and Windows.
Mobile identity and access through capabilities such as certificate management, enabling single sign-on on mobile devices and executing "contextual authentication" through dynamic conditions, such as time, location, user and device posture.
Mobile analytics to understand usage trends and support troubleshooting.
File-level protections to protect data consumed or created in a mobile context.
Many vendors were considered for the Magic Quadrant but did not qualify because they did not meet the business metrics or the technical capabilities required for inclusion. The following are a few vendors that have increased their investments in EMM, but lacked the product completeness or established track record to qualify for inclusion:
42Gears specializes in EMM functionality better-suited to kiosk lockdown and digital signage solutions across all mobile platforms — iOS, Android and Windows. In addition, SureLock extends kiosk capabilities to wearables such as Android smartwatches. SureVideo provides an easy-to-deploy, cost-effective solution for digital signage. 42Gears was unable to meet the minimum EMM revenue requirements for inclusion in the Magic Quadrant. 42Gears should be considered by small or midsize businesses (SMBs) that need to manage corporate-owned mobile devices in restricted mode.
Apperian is a leader in stand-alone MAM and app security solutions that also offers full EMM functionality. However, it did not meet all of the Windows support requirements for inclusion. Although it has only basic MDM functionality, Apperian's MAM and containment functionality are strong. Apperian is the vendor Gartner sees most frequently for stand-alone MAM deployments. Apperian should be considered by clients looking to deploy applications without the need to manage the entire device.
Google offers management of mobile devices, both Android and iOS, in its G Suite Admin console. With basic device management and configuration, app management and distribution, and the ability to manage mobile content through Google Drive and third-party apps, the console provides a reasonable slate of MDM and MAM features at no additional cost for organizations using G Suite. Gartner recommends its use for organizations that have adopted G Suite and require basic mobile management. Its management capabilities also extend to Chrome desktop OS; however, it currently lacks full support for Windows management and configuration, which excludes it from consideration in the 2017 Magic Quadrant.
Jamf's EMM solution, Jamf Pro, offers full UEM capabilities for Apple devices including device management, MAM, inventory management, security and deployment within a single console. Jamf Pro is frequently used in education environments and organizations that standardize on Apple equipment. Jamf did not qualify for this Magic Quadrant due to the lack of support for Android and Windows. Jamf is ideal for any organization with a large Apple estate looking for a solution focused exclusively on Apple.
Okta is best-known as a provider of popular identity, access and SSO solutions. Originally developed in response to requests from its identity management customers, Okta Mobility Management has evolved into a respectable EMM product in its own right. However, it failed to meet the minimum EMM revenue requirements for inclusion in this Magic Quadrant. Okta Mobility Management provides integration with the range of Okta identity and access management products, and supports full native management of iOS and Android devices for the majority of common use cases, as well as more limited support for Windows and macOS devices. Okta Mobility Management is best-suited for businesses with investments in one or more of Okta's identity-related products, and particularly for those in which iOS is the predominant target platform.
Virtual Solution's product, SecurePIM, is a PIM client that offers an easy-to-use interface that has an email client, file and intranet access, app delivery, basic device management, and security. All functionality is offered without the need for an MDM profile on the device. SecurePIM also offers unique functionality to allow the use of S/MIME with no understanding of how to set up or configure it, giving organizations easy access to enable encrypted email. SecurePIM was unable to meet sales thresholds for market size and platform support for inclusion in this Magic Quadrant. SecurePIM should be considered for any organization that needs high-security data containment to support secure email, file and intranet access on mobile devices without requiring an MDM profile on the device.
The Ability to Execute axis measures the vendors' ability to meet the current needs of EMM buyers, as well as their ability to succeed in this market by gaining market share and achieving revenue growth. Vendors were evaluated based on the following criteria:
Product/Service: This evaluates the features that are provided and if the vendor has customers using these features successfully in production environments.
Overall Viability: This criterion evaluates the size of the vendor and its financial performance. We also evaluated the size and growth of the vendor's EMM business.
Sales Execution/Pricing: This criterion reflects the frequency of the vendor's appearance on buyers' shortlists. We also evaluate the degree to which the vendor has a presence in North America, Europe, Latin America and the Asia/Pacific region.
Market Responsiveness/Record: Gartner evaluates execution on delivering products consistently and in accordance with promised timelines, the agility to meet new market demands and how well the vendor received customer feedback and quickly built it into the product.
Marketing Execution: This is a measure of brand and mind share based on client references and channel partner feedback. Gartner evaluates the degree to which customers and partners have positive identification with the EMM product, and whether the vendor has credibility in this market. We also used search data on gartner.com for the vendor and product as a measure of brand recognition and market awareness.
Customer Experience: Gartner assesses the vendor's reputation in the market based on customers' feedback regarding their experiences working with the vendor, if they are glad they chose the vendor's product and whether they plan to continue working with the vendor.
Operations: This refers to the ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure including skills, experiences, programs, systems and other attributes that enable the organization to operate effectively and efficiently.
Source: Gartner (June 2017)
The Completeness of Vision scale provides an aggregate measure of a vendor's likelihood of future success in the EMM market. Gartner evaluates vendors' statements about current and future market direction, innovation, customer needs and competitive forces, and how well they map to Gartner's view of the market.
Market Understanding: This criterion evaluates vendor capabilities against future market requirements. It takes into consideration the evolution of the buyer for EMM suites, and whether the vendor will remain focused on meeting the buyer's needs.
Marketing Strategy: This criterion considers how EMM technology and value are positioned. The marketing strategy must be aligned with the evolution of the EMM buying center and its requirements.
Sales Strategy: This criterion evaluates the vendor's route to market (for example, direct versus indirect sales) and the strength of the offerings that go to market with the vendor's EMM tools (for example, unified endpoint management, EFSS, mobile identity, IoT and endpoint security). We also evaluate the vendor's pricing models and whether they map to customer requirements.
Offering (Product) Strategy: This describes the degree to which vendors have plans to deliver differentiated functionality and a timely roadmap to provide that functionality.
Business Model: This considers the vendor's business model for its EMM product and whether it ensures future investment and success in the EMM market.
Vertical/Industry Strategy: Gartner evaluates how the EMM vendor meets industry-specific challenges and how it is using these opportunities to expand into the Internet of Things.
Innovation: This criterion evaluates the vendor's plans to meet customer needs that extend beyond conventional EMM technology.
Geographic Strategy: This evaluates the vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the vendor's "home" or native geography, either directly or through partners, channels and subsidiaries, as appropriate for the geography and market.
Source: Gartner (June 2017)
Leaders have the highest product revenue in the EMM market, several years of proven customer implementations, customer mind share, and extensive partnerships with channel and other technology providers. They have the most complete products in the EMM market. Their companies are aligned with the trends of the EMM market. They possess product roadmaps that (if executed upon) would establish continued differentiation in the market. Leaders also demonstrate commitment to the EMM market. Overall, they have a strategy that creates a high likelihood of success in this market.
Challengers possess a strong ability to execute, demonstrated by high product revenue and a large customer base. The vendor's considerable resources ensure long-term viability. Challengers may have solid products, but they lack the product commitment to lead the market. They are less closely aligned than Leaders with the most important EMM market trends, and they do not have a roadmap that demonstrates compelling differentiation from other EMM products.
Visionaries have unique capabilities in certain aspects of EMM. They meet the requirements of customers that place a high priority in specific critical EMM areas. They may not have the product completeness, support capability, business performance, mind share or track record often exhibited by leading vendors.
Niche Players are often excellent choices for organizations. Niche Players do not have the product completeness, revenue, mind share and track record of Leaders or Challengers. Their product roadmaps typically represent a strategy of following the market rather than leading it. In some cases, this is due to a vendor's lack of resources. Often, many of the niche EMM products are extensions of other management, security or mobility products from those vendors. If a customer does not require best-of-breed capability, it may be best-served by a Niche Player that, compared with Leaders or Challengers, may have an easier or less expensive way to meet EMM requirements.
Organizations use EMM tools to integrate mobility into their business workflow. Many factors determine the appropriate vendor and product for your organization. The vendor must demonstrate the ability to keep up with the fast pace of mobile device change. Organizations also must consider the EMM vendor's ability to support the enterprise's critical mobile applications and integrate with its IT infrastructure — for example, public-key infrastructure (PKI), VPN, wireless networking, identity and access management platforms.
EMM product requirements change as mobile platforms change. Keep abreast of these changes; engage Gartner analysts regularly to understand the changing mobile device landscape and the implications for mobility management. Best practices are to create your requirements first, consider all the possible mobile scenarios you may have in your organization (such as BYOD and use cases specific to your organization) and then create a shortlist of vendors. Do not choose vendors simply on the basis of their position in the Magic Quadrant.
EMM continues to be a very broad and diverse set of tools working together to form a complete suite for total life cycle management of devices, apps and data. The needs of clients vary greatly across sectors, with most clients using MDM and MAM functionality. However, advanced features, such as MI, MCM and containment, are used by a smaller percentage, with few clients using all five components of EMM. This has resulted in an average use of only 10% of total EMM functionality across organizations, although what functionality is used varies greatly by type of organization. The most advanced EMM deployments typically use between 30% and 40% of total EMM functionality, but this is unusual for most organizations.
If you are planning to manage anything on a mobile platform, EMM is the starting point. Because it is the presumptive foothold agent, EMM is the logical choice to broker policies for other services and tools on the platform. EMM provides a common, cross-platform baseline to set, contain, validate, enforce and update device policies for:
Network access controls and certificates
Content and rights management systems
Identity and access management
Version controls and backups
Device initialization and wipe
As a single point of policy and accountability, EMM provides the opportunity to avoid agent bloat — which is so often seen on PCs — where an endless parade of add-on utilities steals local resources, complicating the task of policy coordination for system administrators. PCs have the resources to cope with bloat, but users of small mobile devices and particularly BYOD cannot succeed with so much unnecessary complexity.
MDM is the key enabler to the glue of EMM. MDM has changed from being a stand-alone product category doing basic policy management, such as passcode enforcement and device wipe, to a required feature within EMM suites. MDM controls have evolved across all operating systems and have expanded into traditional desktop management with Windows 10 and macOS. In addition, Gartner has seen the expansion of management to include advanced IoT devices and Linux. Each OS offers similar basic controls, but advanced controls — such as OS version control for Windows 10 devices, automatic device staging for iOS with Device Enrollment Program (DEP), and the ability to apply different policies to work and personal environments with Android for Work and Samsung's Knox — vary greatly.
Gartner considers MDM a key requirement for enterprise-owned devices. However, we are seeing increased user push-back regarding MDM around privacy and legal concerns, which are often based on a user's misunderstandings of MDM's capabilities.
MAM facilitates the deployment and operational life cycle management of mobile apps. This includes administrative push, user-initiated deployment and updating of custom and public (app store) apps, and management of associated app licenses. User-initiated deployment is facilitated via an enterprise app store, which typically is presented as a web-based portal or a mobile app. License management should support the major enterprise or volume-licensing mechanisms, such as Apple's VPP. MAM also includes the ability to identify or tag apps as "managed" enterprise apps (versus personal apps in BYOD and corporate-owned, privately enabled [COPE] use cases), apply management and security policies to these apps, and selectively wipe them and any associated data from the device.
Policies commonly applied to enterprise apps include security and DLP policies, such as:
Requiring initiation of per-app VPN connections on app launches.
Being able to enroll a cert for a specific app.
Being able to remotely and selectively wipe an app.
Being able to blacklist an app.
Encrypting enterprise app data at rest (or at the file level, in some cases), sometimes with stronger encryption than that used by the underlying OS.
Restricting "open in" and similar app data exchange only to managed (enterprise) apps.
Requiring conditional launch or access — for example, device in approved state, no jailbreak or rooting detected.
Differentiating features of MAM are seen in several areas. Enterprise app stores, for example, range from rudimentary to highly functional, some approaching the usability and features of major commercial app stores, such as Apple's App Store or Google Play. At the low end, these products may be little more than rudimentary web portals or simple apps that present all available apps to all users, provide no feedback or app-rating mechanisms, and are poor tools to help users discover apps.
Moreover, differentiation can manifest in OS support or the support of different MAM enablement mechanisms. App policies can be applied by leveraging one of three common mechanisms:
Native OS MAM APIs.
Proprietary SDKs compiled into apps during development.
App wrappers (code injection into the binary postdevelopment).
An EMM vendor may support all three mechanisms across all major mobile OSs, while another supports only a subset. As an example, a vendor may include support for Apple's built-in MAM APIs, but no support for Google's Android built-in MAM APIs.
Although the term is used in several ways in the industry, "containment" here is shorthand for an extended set of capabilities that facilitate separation of business and personal data, including PIM clients, preconfigured public or independent software vendor (ISV)-provided mobile apps, and application extensions, such as SDKs or app wrappers:
PIMs: PIMs are mobile apps that provide business email, calendaring and contact management, typically with security and manageability features that native email clients may lack. Although used by fewer organizations than in previous years, PIM is still often a requirement in regulated or high-security verticals, such as finance, healthcare and the public sector.
Preconfigured applications: EMM vendors provide proprietary mobile apps or integrate with particular third-party apps to provide enhanced levels of manageability. These most commonly include productivity and collaboration applications, as well as secure browsers provided by the EMM provider or a third party.
Application extensions: These proprietary tools provide the ability to make mobile apps manageable via EMM. SDKs provide libraries that can be compiled with mobile apps by organizations or ISVs to enable a specific EMM vendor's policies to be applied to them. Wrappers typically use a form of code injection into the executable binaries of mobile apps to enable a specific EMM vendor's policies to be applied. SDKs and/or wrappers are required for "MAM only" use cases, in which managed apps must be delivered to devices that aren't (or can't be) enrolled in EMM (unless the ISV has used the specific EMM vendor's SDK). Some vendors support both SDK and app-wrapping approaches. Others may support only one or the other.
Gartner defines "MAM only" use cases as containment, to avoid confusion with basic MAM terminology. Such containment use cases must leverage controls built into the application, SDKs or wrappers, because the native OS APIs can't be accessed without the "trusted relationship" of an EMM enrollment (see "Market Guide for Mobile Application Management").
Most users no longer have only one device. They frequently have a smartphone, a tablet and a laptop; and, more often than not, they want to use these devices as part of a BYOD program. As a result, organizations must be able to determine not only who is connected to the network, but also whether they are connected with a corporate-authorized device. This is why Gartner recognizes MI as a key capability of EMM. MI typically is done using digital certificates, but also can be accomplished with other technologies, including biometric and token-based authentication.
Gartner has seen the initial convergence of EMM with IAM tools. This has resulted in several EMM vendors enabling IAM functionality, such as SSO and acting as identity providers. Gartner also has seen the converse, with several IDaaS vendors now offering basic EMM functionality.
The next wave of mobile identity will be context-based, with authentication identifying not only the user and device, but also where and how a user connects to the network (that is, in the office, at home, on a public Wi-Fi or out of the country). Based on these contextual values, MI will grant the user different levels of access. Gartner also expects to see artificial intelligence (AI) used to make critical access decisions. Over the next two years, Gartner expects context-based mobile identity to become standard functionality within EMM products.
Protecting enterprise data on mobile devices traditionally has been based on a multipronged approach of encryption of data at rest, in use and in motion, as well as device- and app-level policies, such as screen lock timeouts, PIN enforcement and open-in restrictions. However, these oblique protection approaches are rendered useless once data leaves managed devices and networks. Users can and often do get around such controls by emailing enterprise data to outside parties or personal email accounts, or by copying data to their PCs, where open-in restrictions are absent. In response, there is a growing need to protect data intrinsically and/or implement a rights-management-based approach to mobile data protection.
File-level encryption products encrypt the individual files themselves (rather than simply encrypting stored data and network tunnels) and facilitate managed file access through PKI, such that data can be protected wherever it is stored or accessed. No one without the encryption keys can access files protected in this manner.
Rights management products extend IAM frameworks to provide control over file operations for frequently used file types, in addition to file access. These products enable an organization to restrict who has permission to read, edit or delete a file, or forward a file via email. Such products typically also facilitate file-level encryption as part of their mobile data protection schemes. Effective data classification, therefore, is critical to making a rights management approach work.
Some EMM vendors are building file-level protection and/or rights management capabilities as adjuncts to their core products; whereas others are enabling file-level protection by synergistically and tightly integrating their EMM systems with general-purpose IAM products. As with device-, app- or content-level policies, EMM should provide a single point of administration for encryption and access/rights policies where these capabilities are present.
Although this is the fourth year of the EMM Magic Quadrant, Gartner still gets frequent inquiry calls about MDM from users who are unaware of the term EMM. Even though EMM is designed to take clients' needs past basic MDM, EMM is quickly ceasing to meet organizations' requirements as client computing merges with mobile computing to form end-user computing groups. This has created the need for a single solution to manage both traditional client devices and mobile devices. Both Apple and Microsoft have been adding MDM APIs in their platforms to facilitate this convergence. The biggest challenge to implementing UEM today is that organizations usually have legacy requirements, namely complex Win32 applications and Windows Group Policy Objects (GPOs) that cannot currently be addressed with EMM tools. However, there are changes happening that will increasingly allow EMM tools to manage PCs. First, Microsoft continues to enhance the MDM APIs in Windows 10, closing the gap with GPOs. Second, EMM vendors are providing proprietary capabilities to address those gaps in areas such as security policy, managing scripts and deploying Win32 applications. These developments are increasing the number of scenarios for which organizations can use EMM tools to manage PCs.
Also evolving in this space is the need for some IoT devices to be managed under the same end-user computing group. Gartner defines a single solution to manage traditional, mobile and EMM-manageable IoT devices as unified endpoint management. We expect this definition to evolve over the next several years as devices continue to change and drive new management requirements. It is also important to note that not all IoT objects will fall under the realm of EMM tools. Some devices may be managed directly by manufacturers. Other types of devices will have proprietary management tools. And many devices will not need to be managed at all. However, it is clear that the diversity and number of devices will continue to grow, and IT organizations must be ready.
Product/Service: Core goods and services offered by the vendor for the defined market. This includes current product/service capabilities, quality, feature sets, skills and so on, whether offered natively or through OEM agreements/partnerships as defined in the market definition and detailed in the subcriteria.
Overall Viability: Viability includes an assessment of the overall organization's financial health, the financial and practical success of the business unit, and the likelihood that the individual business unit will continue investing in the product, will continue offering the product and will advance the state of the art within the organization's portfolio of products.
Sales Execution/Pricing: The vendor's capabilities in all presales activities and the structure that supports them. This includes deal management, pricing and negotiation, presales support, and the overall effectiveness of the sales channel.
Market Responsiveness/Record: Ability to respond, change direction, be flexible and achieve competitive success as opportunities develop, competitors act, customer needs evolve and market dynamics change. This criterion also considers the vendor's history of responsiveness.
Marketing Execution: The clarity, quality, creativity and efficacy of programs designed to deliver the organization's message to influence the market, promote the brand and business, increase awareness of the products, and establish a positive identification with the product/brand and organization in the minds of buyers. This "mind share" can be driven by a combination of publicity, promotional initiatives, thought leadership, word of mouth and sales activities.
Customer Experience: Relationships, products and services/programs that enable clients to be successful with the products evaluated. Specifically, this includes the ways customers receive technical support or account support. This can also include ancillary tools, customer support programs (and the quality thereof), availability of user groups, service-level agreements and so on.
Operations: The ability of the organization to meet its goals and commitments. Factors include the quality of the organizational structure, including skills, experiences, programs, systems and other vehicles that enable the organization to operate effectively and efficiently on an ongoing basis.
Market Understanding: Ability of the vendor to understand buyers' wants and needs and to translate those into products and services. Vendors that show the highest degree of vision listen to and understand buyers' wants and needs, and can shape or enhance those with their added vision.
Marketing Strategy: A clear, differentiated set of messages consistently communicated throughout the organization and externalized through the website, advertising, customer programs and positioning statements.
Sales Strategy: The strategy for selling products that uses the appropriate network of direct and indirect sales, marketing, service, and communication affiliates that extend the scope and depth of market reach, skills, expertise, technologies, services and the customer base.
Offering (Product) Strategy: The vendor's approach to product development and delivery that emphasizes differentiation, functionality, methodology and feature sets as they map to current and future requirements.
Business Model: The soundness and logic of the vendor's underlying business proposition.
Vertical/Industry Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of individual market segments, including vertical markets.
Innovation: Direct, related, complementary and synergistic layouts of resources, expertise or capital for investment, consolidation, defensive or pre-emptive purposes.
Geographic Strategy: The vendor's strategy to direct resources, skills and offerings to meet the specific needs of geographies outside the "home" or native geography, either directly or through partners, channels and subsidiaries as appropriate for that geography and market.