Revision of Comparison of MDM Providers from January 18, 2011 - 9:14am

I went to a Caper training today. They have some interesting features that may be worthwhile to put on the chart.

• Smart device groups, with E-mail notification on change (i.e., "All Roaming Phone")
• Education VPP integration
• Apple GSX integration for warranty lookup from serial number
• An API for querying and controlling the server from external sources
• Various forms of directory integration

Which of these should be in the comparison?

Each will approach the management interface & business process differently. (smart groups, VPP, GSX integration)

Some vendors even provide an SDK to incorporate into your in-house apps that will interact with your MDM server. (AirWatch, as an example)

it will really boil down to:

Q. Do they fully support all the MDM 4.0 capabilities or are only doing SCEP?
Q. Which backend Certificate Authority servers can they integrate?
- important if you plan to automate digital certificate generation for WIFI/VPN/EAS authentication
- Microsoft CA seems the easiest to integrate from what I've seen.
Q. SaaS / On-Premise ?
Q. Appliance / software (linux/Win) / do they provide a VM?
Q. perpetual license / subscription ?
Q. Microsoft BPOS integration? (big question mark for a lot of organizations looking to outsource email)
Q. Management - MMC snap-in, web interface? (does it require Flash or SilverLight?)
Q. Role-based admin management?
Q. Multi-tenant architecture?

Multi-tenant architecture is great question to ask. Organizations with decentralized IT group will want to give the tools each subsidiary/geo, with access to only their devices. Contoso Healthcare vs. Contoso Capital Bank.

Each sub may have their own iPhone Developer Enterprise Program membership (and corresponding MDM/APNS certificate)

Every MDM is on an equal playing field on how they interact with iOS 4.
What will set them apart?

It's going to be their reputation, customer service, experience within your vertical and enterprise technical support.

Perform your due diligence, filter down to 2-3, do the bake-off.

- Scoosh

Other differences I've noticed:

• Can send push notifications to the device? (I mean text messages to the user)
• Do profiles have start/end dates?
• Is there a revisioning system, change log, rollback for profiles?

I'll try to rework this chart this week.

That is true. But providers could also try to detect jailbreak from an app. I'm curious who is trying this, and how successful it could be.

It looks okta has option to integrate enterprise to cloud.

Identity & Access Management for the Cloud -
On-demand identity & access management for cloud/SaaS applications. Integrates with Active Directory and sets up in an hour.

I'm confused. This page says all of the providers here are able to "push" in-house apps out to users, but Apple's Enterprise Distribution documentation says that these are the only ways to install apps:

1. Distribute the app to your users for installation using iTunes.
2. Have an IT administrator install the app on devices using iPhone Configuration Utility
3. Post the app on a secure web server; users access and perform the installation wirelessly.

And Absolute Manage's documentation says this "By contrast to administered Mac OS X and Windows computers, you cannot push-install software on administered iOS devices – any instal- lation must be initiated by the local user of the device."

So how is it possible that any of these providers would be able to "push" in-house apps? Can anyone confirm that they are able to?

Thanks,
Tom

Awesome, thanks for the detailed confirmation!

I added what I know of McAfee, and I think I have everything correct as of version 9.5.

My confusion was that pretty much everyone has a check in the "Virtual Machine" category, but I doubt this is correct. Do they all have importable virtual machines that don't require you building one from scratch and installing an OS.

Are tooltips a possibility in the wiki? It seems like it would be the least intrusive to the rest of the chart.

My concern with adding them now is that they might alter the answers in the chart. The VM question is a good example... it seems to me that people were answering it as "can this run in a VM?", where I answered as "do they have a importable VM for VMWare or XenServer?"

I think it would be a great addition. Once it is released, that is.

Security professionals at large enterprises I know will not allow an MDM tool that could expose LDAP, or AD to security attacks such as DDoS that would persist once exposed. And a lot poo poo an APP to manage a device. Are not these perspectives common? If yes, should the database ask if a tool avoids that exposure? Via certificates or any other method?

I'm working on BoxTone implementation for iOS devices and here are some elements that are important to note:

1. SCEP is mandatory in order to send Configuration Profiles to iOS devices. It is not possible to generate a profile with iPCU and distribute it or within BoxTone (they implemented the same functionalities that iPCU is offering) and then send it by email.

2. BoxTone accept only self-signed certificate for the server, not able to leverage another CA. It may changed with new versions.

3. Installation of software (BoxTone) is not straight forward. Some files (folders) were missing after installation and needed to be added manually after the installation process.

4. iOS devices are monitored regularly (like every 15 minutes) in order to update the information. That's why SCEP is mandatory. The delay between every check may be configured, I'm not sure.

5. Do not support multiple iOS configuration profile. Only one profile can be created. It may changed with future versions.

6. BoxTone rely on Oracle (OEM version), Apache, OpenSSL, Flash, Ruby, Active Directory, Exchange (2007 or 2010) with ActiveSync, and BES (BlackBerry Enterprise Server). An HP OpenView plug-in is available.

Conclusion, if you don't have BB devices and BES to manage and troubleshoot, BoxTone is not the right solution for iOS devices as a MDM solution. iOS device management seem to be an ad-on, not a core functionality.

The menus at the right are cutting off the far right portion of the top table. I'm seeing it on both my iPad and using Chrome on my laptop.

Just FYI

The menus at the right are cutting off the far right portion of the top table. I'm seeing it on both my iPad and using Chrome on my laptop.
Just FYI

Before this turns into Abbott & Costello, Good really is a company w/ an MDM tool. I was hoping someone might know about it.

(http://www.good.com)

Thanks,
Chuck

DME should be part of the Sandbox Environments for an alternative or complement to MDM

Maas360 is now part of the database. Please add your comments to its page.

is now part of the tab. A real MDM solution but corpoarte partition or sandbox and integrated Enterprise App Platform.

Why are there question marks? Because I didn't know the answers. Luckily the site is built on a wiki. Anyone who wants to can improve the data by editing the Profile Manager page.

You're correct - there's no "unattended push" available for the iOS platform. There's also no blacklisting of apps either (e.g., we don't want our employees to install Angry Birds).

What Afaria does is provide a "private App Store" experience, where each registered device user sees only the apps that Afaria administrators have authorized them to download. (These are known as "Package Policies" in Afaria). Afaria admins create the package policy by staging the .IPA file on the Afaria server, and assigning the Package policy to selected groups of device users. So the Executive Leadership Team can see one set of apps, and my front-line field workers see a different list. As users change roles, leave the company, etc., their policy assignments change (or are revoked), and the apps get disabled. If you wipe the device, the apps are also disabled.
Apps can be marked as "Required" or "Optional" - and required apps will download as soon as the user clears the "Afaria would like to install app " prompt, but they still must access the Afaria client to initiate this process.

The inventory reporting features of Afaria report back the full hardware/software profile of the device, so even though you can't stop your users from installing Angry Birds, you can write a policy that denies them access to their mobile email or VPN (for example), until the app is removed.

-Paul Horan-

Just in reply to the comment on SDK. I don't believe Airwatch currently have an SDK for IOS Enterprise App integration.
Currently only SOTI's solution has this. The SDK gives the ability to remote view the Enterprise app and to pull back information on it.

Hi recently had access to this link following a handset vendor recommending this to our customers. Concept looks great, however I would flag on the accuracy.

What is the true definition of SaaS? As many MDM providers state they offer SaaS on this site but in reality don't. Such as Good and Mobile Iron (although MI suggest its round the corner). Both have a dedicated server based solution the only true SaaS provider I'm aware of is AirWatch.

Good also does not provide Windows Desktop support and would not be able to offer BlackBerry etc.

Geat question. In addition to the chart, each MDM provider has its own page. I would add more subjective feedback to the page comments, or even to the copy of the page.

Hello,

I noticed that Casper does not have "Bulk Upload" checked off in the feature set comparison. JAMF does provide a tool called "JSS Computer Importer - Cocoa" which is used to enroll machines into Casper. I have used this tool to enroll over 5500 Macs in Casper, so this product does indeed provide this capability on the Mac platform. I am not sure about iOS enrollment, and will have to clarify this with JAMF.

-Dan

Is there a downloadable copy of this anywhere? It's really good and it would be nice if I could download it to show others and it not require an internet connection.

Regards,

Mike