Revision of Comparison of MDM Providers from January 18, 2011 - 8:14am
Aaron Freimark
Criteria
What are the best criteria to differentiate the providers? Most are the same, of course. My point-of-view is probably skewed.
Any comments on these? What is missing?
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Aaron Freimark
More Criteria for comparing MDMs
I went to a Casper training today. They have some interesting features that may be worthwhile to put on the chart.
Which of these should be in the comparison?
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Scoosh
LDAP
Anyone can configure LDAP on iOS. (Active Directory, Open Directory, SunOne, et al.)
It can be done on-device, via Mobile Configuration profile, or delivered OTA by any of the MDM solutions.
The majority of organizations I've worked with don't provide LDAP access unless you are connected via VPN.
Some have gone the route of building an app (which authenticates the user) to provide more details, location, maps, etc.
Sidebar: Exchange ActiveSync does provide access to the Global Address List. It's only first/last name & email.
Scoosh
Each MDM is a different approach
Each will approach the management interface & business process differently. (smart groups, VPP, GSX integration)
Some vendors even provide an SDK to incorporate into your in-house apps that will interact with your MDM server. (AirWatch, as an example)
It will really boil down to:
Q. Do they fully support all the MDM 4.0 capabilities or are only doing SCEP?
Q. Which backend Certificate Authority servers can they integrate?
- important if you plan to automate digital certificate generation for WIFI/VPN/EAS authentication
- Microsoft CA seems the easiest to integrate from what I've seen.
Q. SaaS / On-Premise ?
Q. Appliance / software (linux/Win) / do they provide a VM?
Q. perpetual license / subscription ?
Q. Microsoft BPOS integration? (big question mark for a lot of organizations looking to outsource email)
Q. Management - MMC snap-in, web interface? (does it require Flash or SilverLight?)
Q. Role-based admin management?
Q. Multi-tenant architecture?
Multi-tenant architecture is great question to ask. Organizations with decentralized IT group will want to give the tools each subsidiary/geo, with access to only their devices. Contoso Healthcare vs. Contoso Capital Bank.
Each sub may have their own iPhone Developer Enterprise Program membership (and corresponding MDM/APNS certificate)
Every MDM is on an equal playing field on how they interact with iOS 4.
What will set them apart?
It's going to be their reputation, customer service, experience within your vertical and enterprise technical support.
Perform your due diligence, filter down to 2-3, do the bake-off.
- Scoosh
Aaron Freimark
For enrollment, I mean
I guess I wasn't clear. I meant what kind of directory service integration do they offer for the enrollment step.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Aaron Freimark
Other differences I've
Other differences I've noticed:
I'll try to rework this chart this week.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
forgetcomputers
jailbreak detection
I believe jailbreak detection was a function of MDM that Apple removed in the most recent update. The providers don't currently have a say in this.
Aaron Freimark
That is true. But providers
That is true. But providers could also try to detect jailbreak from an app. I'm curious who is trying this, and how successful it could be.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
forgetcomputers
Maybe
Although it's possible to detect a potentially jailbroken device by the presence of an app (Cydia for example), it also may be possible to hide the presence of this app. I'm curious as well if anyone is having success with this (and wish Apple would just add it back to MDM.)
Mobile Who
May be okta ?
It looks like Okta has an option to integrate enterprise to cloud.
Identity & Access Management for the Cloud -
On-demand identity & access management for cloud/SaaS applications. Integrates with Active Directory and sets up in an hour.
ApplePie
SAAS Mobile Iron
They have apparently suspended or discontinued their SAAS service; that was per an account rep. Unsure as to the reason.
echo
Push In-House Apps
I'm confused. This page says all of the providers here are able to "push" in-house apps out to users, but Apple's Enterprise Distribution documentation says that these are the only ways to install apps:
1. Distribute the app to your users for installation using iTunes.
2. Have an IT administrator install the app on devices using iPhone Configuration Utility
3. Post the app on a secure web server; users access and perform the installation wirelessly.
And Absolute Manage's documentation says this "By contrast to administered Mac OS X and Windows computers, you cannot push-install software on administered iOS devices – any installation must be initiated by the local user of the device."
So how is it possible that any of these providers would be able to "push" in-house apps? Can anyone confirm that they are able to?
Thanks,
Tom
Cimarron
Delivery of "In-House" apps on IOS
There is no ability to "push" in-house apps to an IOS device without user prompt. Any MDM or other vendor that says otherwise is providing, at best, misleading information. There is a class of platforms providing mobile application management (MAM), so if your major concern is creating secure native apps with authorization, authentication, in-app version checking, etc., these provide much more than MDM in app management.
The Apple specification for "Wireless Enterprise App Distribution" allows a developer to host a manifest file in XML format, and from this point a user to an IPA file for download of an app. (There are other requirements as well, such as description data and an icon file).
When a user clicks on the link, IOS will prompt with:
"abc.domain.com would like to install "Your Application Here"
[Cancel] [Install]
At this point, the user can choose to proceed.
With systems such as EASE (Enterprise App Services Environment) from Apperian, there is the added capability to install multiple apps - i.e., 2 or more - simultaneously. In this case the user sees a prompt such as:
"abc.domain.com would like to install x applications"
[Cancel] [Install]
In addition, if an app is installed for the first time against an enterprise cert there is an additional prompt asking for permission based on the signer of the cert. That only occurs once - and thereafter, any app built with a profile using that cert will not require any additional confirmation other than the standard download prompt.
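The manifest-driven install described in the post above can be checked before a link is published. The following is an added example, not part of the original post or any vendor's code: it parses a constructed manifest and flags assets that are not served over HTTPS or that sit on a host other than the one users expect to see in the install prompt. The key names (`items`, `assets`, `metadata`, `software-package`) follow Apple's over-the-air manifest format; the host, paths, bundle identifier and the HTTPS/allowlist policy are assumptions made for the illustration.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample manifest: host, paths and bundle id are made up.
SAMPLE_MANIFEST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>items</key><array><dict>
    <key>assets</key><array>
      <dict><key>kind</key><string>software-package</string>
            <key>url</key><string>http://abc.domain.com/apps/example.ipa</string></dict>
      <dict><key>kind</key><string>display-image</string>
            <key>url</key><string>https://abc.domain.com/apps/icon.png</string></dict>
    </array>
    <key>metadata</key><dict>
      <key>bundle-identifier</key><string>com.example.inhouse</string>
      <key>bundle-version</key><string>1.0</string>
      <key>kind</key><string>software</string>
      <key>title</key><string>Your Application Here</string>
    </dict>
  </dict></array>
</dict></plist>"""

REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "title")


def audit_manifest(data, allowed_hosts):
    """Return a list of findings for an OTA distribution manifest.

    allowed_hosts is the set of host names the organisation serves apps
    from (an assumed local policy, not something the format enforces).
    """
    findings = []
    manifest = plistlib.loads(data)
    for index, item in enumerate(manifest.get("items", [])):
        meta = item.get("metadata", {})
        title = meta.get("title") or f"item {index}"
        for field in REQUIRED_METADATA:
            if not meta.get(field):
                findings.append(f"{title}: metadata missing {field}")
        kinds = set()
        for asset in item.get("assets", []):
            kind = asset.get("kind", "unknown")
            kinds.add(kind)
            url = urlparse(asset.get("url", ""))
            # Plain HTTP lets anyone on the path swap the IPA or icon.
            if url.scheme != "https":
                findings.append(
                    f"{title}: {kind} fetched over {url.scheme or 'no scheme'}")
            # The install prompt names a host; assets should live there too.
            if url.hostname not in allowed_hosts:
                findings.append(
                    f"{title}: {kind} hosted on unexpected host {url.hostname}")
        if "software-package" not in kinds:
            findings.append(f"{title}: no software-package asset (no IPA to install)")
    return findings


if __name__ == "__main__":
    for finding in audit_manifest(SAMPLE_MANIFEST, {"abc.domain.com"}):
        print(finding)
```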
echo
Awesome, thanks for the
Awesome, thanks for the detailed confirmation!
Peter Mohr
Try (and fail)
I know that the Afaria client will try to perform a series of actions that is only allowed if the device is jailbroken. That way it is not dependent on other apps to be present.
It would be a little difficult for Apple to deliver this detection since the jailbreak community would surely circumvent this so it would always report “Not jailbroken” I guess.
andrer9999
VM?
I added what I know of McAfee, and I think I have everything correct as of version 9.5.
My confusion was that pretty much everyone has a check in the "Virtual Machine" category, but I doubt this is correct. Do they all have importable virtual machines that don't require you building one from scratch and installing an OS?
Aaron Freimark
Thanks for these additions.
Thanks for these additions. This is a tough chart to navigate.
Ideally we ought to have definitions for each point of comparison. Any ideas how we can do that?
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
andrer9999
Definitions
Are tooltips a possibility in the wiki? It seems like it would be the least intrusive to the rest of the chart.
My concern with adding them now is that they might alter the answers in the chart. The VM question is a good example... it seems to me that people were answering it as "can this run in a VM?", where I answered as "do they have an importable VM for VMWare or XenServer?"
Opportun
Mac OS X Lion Server - Profile Manager
Profile Manager should be added to this list of MDM solutions. As a free MDM service within Mac OS X Server 10.7 ($50 add-on when Mac OS X Lion is installed for $30, so a $80 MDM solution!) that will use SCEP, it will be a very good alternative to commercial solutions.
Aaron Freimark
I think it would be a great
I think it would be a great addition. Once it is released, that is.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Aaron Freimark
I like this idea. I propose
I like this idea. I propose we begin to develop MDM Comparison 2.0 Beta. After we are happy with it, I'll invite the providers to submit their entries again.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
TechCoach
Is not exposing LDAP is big NO NO?
Security professionals at large enterprises I know will not allow an MDM tool that could expose LDAP, or AD to security attacks such as DDoS that would persist once exposed. And a lot poo poo an APP to manage a device. Are not these perspectives common? If yes, should the database ask if a tool avoids that exposure? Via certificates or any other method?
enterpriseme
You don't have to expose LDAP :)
This is a big one. We had done a fair bit of research in this space and the only MDM vendor that doesn't require you to expose your internal authentication source externally is SilverbackMDM. We went with them because of this and because they could integrate into our Microsoft CA for client certificate generation & automated deployment.
Opportun
BoxTone elements
I'm working on BoxTone implementation for iOS devices and here are some elements that are important to note:
1. SCEP is mandatory in order to send Configuration Profiles to iOS devices. It is not possible to generate a profile with iPCU and distribute it or within BoxTone (they implemented the same functionalities that iPCU is offering) and then send it by email.
2. BoxTone accepts only a self-signed certificate for the server, not able to leverage another CA. It may change with new versions.
3. Installation of software (BoxTone) is not straightforward. Some files (folders) were missing after installation and needed to be added manually after the installation process.
4. iOS devices are monitored regularly (like every 15 minutes) in order to update the information. That's why SCEP is mandatory. The delay between every check may be configured, I'm not sure.
5. Does not support multiple iOS configuration profiles. Only one profile can be created. It may change with future versions.
6. BoxTone relies on Oracle (OEM version), Apache, OpenSSL, Flash, Ruby, Active Directory, Exchange (2007 or 2010) with ActiveSync, and BES (BlackBerry Enterprise Server). An HP OpenView plug-in is available.
Conclusion, if you don't have BB devices and BES to manage and troubleshoot, BoxTone is not the right solution for iOS devices as a MDM solution. iOS device management seems to be an add-on, not a core functionality.
david_mayor
What about Mobiquant ?
Hello,
I don't see Mobiquant in the list, which is unfortunate because it is quite a big player. But I don't have enough visibility on their product to know how they compete with others.
Cheers.
cy2k
formatting issue
The menus at the right are cutting off the far right portion of the top table. I'm seeing it on both my iPad and using Chrome on my laptop.
Just FYI
pranav4290
Why not MaaS360?
I am surprised not seeing MaaS360 by Fiberlink in the list.
It has very simple and robust provisioning of MDM services across almost all the platforms like iOS, Android, BB, Win7.
Moreover, MaaS360 provides desktop management solutions along with MDM leveraging simple upgrade workflows.
Pretty interesting...
http://www2.maas360.com/services/mdm_trial.php?A=pk
Also, MaaS360 was named as 'Clear Choice Winner' by NetworkWorld amongst big MDM players.
http://tinyurl.com/3qf5k3e
Aaron Freimark
Better formatting now
I fixed the formatting so you can actually see the entire table.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Chuck
Good?
Before this turns into Abbott & Costello, Good really is a company w/ an MDM tool. I was hoping someone might know about it.
(http://www.good.com)
Thanks,
Chuck
cy2k
I agree, Good is trying to
I agree, Good is trying to become a real MDM product now as well. It would be great to see them on the list.
grimesdr
Take a look at DME from Excitor.com
DME should be part of the Sandbox Environments for an alternative or complement to MDM
Aaron Freimark
Please help us out
Hi David. The Comparison table is now backed by a database. I encourage you to add what you know about Mobiquant yourself. Hopefully it is pretty easy, but let me know.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Aaron Freimark
Maas360
Maas360 is now part of the database. Please add your comments to its page.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Aaron Freimark
The table is now a database.
The table is now a database. I encourage you to add Good as best you can!
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
bcarton
Excitor's DME
is now part of the tab. A real MDM solution but corporate partition or sandbox and integrated Enterprise App Platform.
sj54fighting
Apple Profile Manager
Why does the Apple Profile Manager have question marks (?) for some categories?
Aaron Freimark
Why are there question marks?
Why are there question marks? Because I didn't know the answers. Luckily the site is built on a wiki. Anyone who wants to can improve the data by editing the Profile Manager page.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
hainder singh
MDM provider comparison
Well very nice information and it will surely help anyone to make a choice between different providers
Another criteria of comparison could also be the name of the clients of the different MDM providers
Mobile Device Management
PaulHoran
Not "Push", but "Prompt/Pull"
You're correct - there's no "unattended push" available for the iOS platform. There's also no blacklisting of apps either (e.g., we don't want our employees to install Angry Birds).
What Afaria does is provide a "private App Store" experience, where each registered device user sees only the apps that Afaria administrators have authorized them to download. (These are known as "Package Policies" in Afaria). Afaria admins create the package policy by staging the .IPA file on the Afaria server, and assigning the Package policy to selected groups of device users. So the Executive Leadership Team can see one set of apps, and my front-line field workers see a different list. As users change roles, leave the company, etc., their policy assignments change (or are revoked), and the apps get disabled. If you wipe the device, the apps are also disabled.
Apps can be marked as "Required" or "Optional" - and required apps will download as soon as the user clears the "Afaria would like to install app " prompt, but they still must access the Afaria client to initiate this process.
The inventory reporting features of Afaria report back the full hardware/software profile of the device, so even though you can't stop your users from installing Angry Birds, you can write a policy that denies them access to their mobile email or VPN (for example), until the app is removed.
-Paul Horan-
MDM Advice
Reply
Multi-Tenant is available on several offerings. Each will currently do this in slightly different methods.
This can be done by having a different environment for each or the easier option being User permission driven. EG limiting visibility and user function through permission groups. SOTI and Airwatch being examples
Can you clarify reseller friendly. Again most offerings work through resellers as a main revenue maker.
Web clips can be described as different things. Example, you can have a web clip that points to a website giving access to company website or say a survey website etc. For Enterprise apps and App store apps then you look at solutions like SOTI MobiControl who use an App Catalog device side to deliver these functions.
MDM Advice
SDK reply
Just in reply to the comment on SDK. I don't believe Airwatch currently have an SDK for IOS Enterprise App integration.
Currently only SOTI's solution has this. The SDK gives the ability to remote view the Enterprise app and to pull back information on it.
JasonF
Subjective Feedback?
The feature comparisons are great. Is there any consideration of adding Subjective feedback sections from users of the systems? Areas might include management experience, user impact, "bugginess", etc.
This would be very helpful in further guiding selections for those of us about to dive into the MDM space.
Stevo
How accurate is this data?
Hi recently had access to this link following a handset vendor recommending this to our customers. Concept looks great, however I would flag on the accuracy.
What is the true definition of SaaS? As many MDM providers state they offer SaaS on this site but in reality don't. Such as Good and Mobile Iron (although MI suggest its round the corner). Both have a dedicated server based solution the only true SaaS provider I'm aware of is AirWatch.
Good also does not provide Windows Desktop support and would not be able to offer BlackBerry etc.
Aaron Freimark
Accuracy is a function of community involvement
Stevo (and all others),
You ask a great question about the confidence you can have in the data. Most of the data about MDM providers has been submitted by the providers themselves. Sometimes this comes from the technical side, but just as often it comes from marketing. (To tell the difference see if every box is ticked.)
This sounds hopeless. But technology may come to our rescue.
It turns out that every MDM page (and nearly every other page on the site) is editable by ANY registered user. So if you are pretty sure Good has overstated their support, you can fix this. Edit this page, and tick the "No" or "Coming Soon" box. Your change will be published immediately. The revision will be noted in the sidebar to the page. And other authors and editors will be emailed, just in case they want to discuss.
This method of community editing works pretty well for Wikipedia. Maybe it can work here as well?
Aaron
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
Aaron Freimark
Subjectivity has its place
Great question. In addition to the chart, each MDM provider has its own page. I would add more subjective feedback to the page comments, or even to the copy of the page.
--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO
jswade
Device Location Integration with Maps
I would like to see a new category of feature called "Map Integration" with information about products that support real-time device location display with popular Internet mapping engines (Google, Bing, etc...) I know at least one of the products supports this feature (Absolute Manage MDM). Of course "Find my iOS device" is free from Apple, but an account is limited to 100 devices max and using Apple IDs for tracking is ridiculously messy for an enterprise.
Thanks!
Daniel Greening
Casper Bulk Upload Capability
Hello,
I noticed that Casper does not have "Bulk Upload" checked off in the feature set comparison. JAMF does provide a tool called "JSS Computer Importer - Cocoa" which is used to enroll machines into Casper. I have used this tool to enroll over 5500 Macs in Casper, so this product does indeed provide this capability on the Mac platform. I am not sure about iOS enrollment, and will have to clarify this with JAMF.
-Dan
Drew_P
MDM for Windows CE
We deal with a lot of industrial type of mobile devices from the likes of Intermec & Motorola. These typically run Windows CE aka Windows Embedded Handheld (WEH), and connect via WiFi. However there is still a very real need to manage these mobile devices in much the same manner as mobile phones and tablets, etc. So it would be nice to include Win Ce/WEH as a characteristic to compare in the Other Devices section.
My research suggests there are very few MDM vendors who support these operating systems but would be nice to find out who does. For the record Motorola Solutions do have MSP which does support these operating systems and in version 4 they have also included support for Apple iOS. See www.motorolasolutions.com/msp
So be nice to see Motorola MSP included in the comparison. Does anyone know someone at Motorola to do this?
mtaggart
MDM Comparison chart
Is there a downloadable copy of this anywhere? It's really good and it would be nice if I could download it to show others and it not require an internet connection.
Regards,
Mike