Mobile device management tools are designed to control who can access your
enterprise network and applications from particular phones and tablets. To
effectively evaluate these products, you should first identify what you're
trying to control: the apps on particular devices, the pairing of a user with
his device, the device itself, or the files on each device.
There were six products evaluated: AirWatch, Apperian EASE, BlackBerry
Enterprise Server 10 (BES10), Divide, Fixmo, and Good Technology's Good for Enterprise.
Each has a somewhat different perspective and different strengths in
terms of what it can control best.
All support Android and iOS devices, and some also support BlackBerrys,
Windows Phones, and in the case of AirWatch, desktops. Pricing varied from
$20 to $75 per user or per device per year, and will depend on the particular
features, with quantity discounts typically available. The most transparent
pricing schemes came from AirWatch and BlackBerry. The other pricing
methods were rather opaque.
For example, some of the solutions we tested work with
ActiveSync so that you can save deployment time and use your existing security
policy frameworks in Active Directory. But your own Active Directory
implementation may not have any of these fields itemised, so this may not be
as useful as it sounds.
If you have a variety of mobile phones from various vendors running
vintage OSs, you will quickly run into installation issues. In this test a
Kindle Fire was used to test the concept of an oddball Android version.
Some devices have some quirky issues: First,
for iOS in particular, you can't have more than one vendor's profile active at
any given time. This means if your phone or tablet has to traverse two or more
networks that are using different MDMs, you are going to have problems. Second,
while these products can identify when a phone has been rooted, they can't "unroot"
it: you'll have to go through the process on each phone individually.
No winners
This was an assessment, not a competition; each product had pros and cons.
For example, AirWatch had the widest phone/tablet/desktop support. But
it also requires a messy collection of different downloaded apps that are confusing to use.
Fixmo doesn't support many device OS versions and its cloud
server still needs a supplemental VPN to be secure. However, if
you’re going the secure container route, Fixmo is a potential solution.
BES10 supports Android and iOS
devices, but the integration is being rapidly developed to smooth out some of the
complications. Network World recommended that BlackBerry should be on a
CTO’s short list if his primary goal is protecting the messaging
infrastructure.
Good Technology is a mature product that
features email security, fast device enrolment, extensive security policies and
wide device support. But Good has weak support for sharing files and apps and
does not have the bulletproof end-to-end security of BES10.
Divide had the most appealing management
console and overall simple setup routines, and also supports licensing
unlimited devices per user. It features the best overall approach to MDM and is
the easiest to operate, but has the most limited device OS version support.
Apperian does a great job with setting up a
protected app portal, but falls down on some basic MDM issues. Network World
recommended Apperian if you have developed a large collection of your own apps
and want a consistent set of security policies when deploying them.
The Nuts and bolts
BES is the original MDM platform developed by the "Artist Formerly Known As Research In Motion". Until recently, BES was designed to manage BlackBerry devices. Now it is capable of managing both Android and iOS too, via a new
Universal Device Service. The extension into managing its competitors is full
of solid advantages, but at the moment it is somewhat complex to administer.
Network World state that BES, along with
Good, are probably the two best MDM solutions that were tested and can securely
lock down your mobile email. If this is a primary concern then it was
recommended that it should be considered just on that alone. Second, BES has a
solid collection of iOS/Android device management policies that you wouldn't
expect from an early product release.
The policies cover everything from password
policies to turning off specific phone peripherals (and not just disabling the
camera itself but more subtle things like being able to hide the icon on the
phone desktop or disable screen captures). There are policies to wipe the phone
or to require particular iOS or Android versions. For each policy, you can see
which version of iOS or Android is relevant right on the screen: that is a nice
touch and Network World opined that they wished other vendors were as
forthcoming in documenting this.
BES will remake Android and iOS phones
as close to the security model of the BlackBerry as it can and they have two
scenarios: one called "Balanced" which divides the phone into
personal and business sections, and one called Secure that locks the phone 100%
into a corporate and protected device. The Balanced selection is only available
on more recent devices and BES10 servers, with the exception of iOS7. All
communication is encrypted between the device and BES, and then from BES to the
appropriate enterprise services, so no VPN is required. If BES detects a
rooted/jailbroken device, it will shut down all communications.
With all the negative press surrounding
BlackBerry in recent years it is sometimes forgotten that BlackBerry has more
security certifications from more government agencies than any other MDM
vendor. BlackBerry is also the only vendor to date to be awarded an ‘Authority
to Operate’ certification from the US Department of Defence.
Furthermore it should be noted that 87% of
the Fortune 500 use BlackBerry services.
There are over 30,000 BES10 commercial and test servers installed to
date and a global enterprise customer base exceeding
80,000 customers.
BES10 is reasonably priced at $19 per
device per year, with an additional $99 per user per year for its secure
workspace features for Android and iOS devices. BlackBerry offers BES10 as a
60-day free trial including 50 secure workspace licenses and 50 device
licenses. The company offers (or will soon offer) a subset of the on-premises
BES features in a cloud version.
AirWatch supported the largest collection
of devices, and was the only product that had both mobile and desktop
management support. It supports iOS7 and the MDM API that Apple developed for
its latest mobile OS, and it has an app in the BlackBerry World app store as
well.
The bad news is that AirWatch sells three
different products: one for MDM, one for mobile content management and one for
mobile applications management. They use a single integrated management
console, but have different client pieces for each mobile device. All of this
software is delivered from the cloud, although they will work with companies
that want on-premises servers or virtual appliances.
Network World had some initial confusion
over separating out administrative and user accounts, but once that was
resolved, getting all the various tasks completed was mostly obvious.
AirWatch's workflow and set-up process was reported as pretty good.
AirWatch has a decent collection of policy
settings, down to the minimum sub-version of Android OS allowed, being able to
disable a device's camera, adding geo-fencing or being able to restrict a
device to a particular Wi-Fi network.
It has a particularly rich pass-code policy
that can override the device OS defaults. These various elements are spread
across about a dozen sub-menus in the policy section of the product, where you
would set up specific policies for each particular device type. When you create
a policy, you can either apply it to the device itself or to a group of users,
which is nice. When you are finished, you save and publish your profile
settings to your device collection with a click.
There are three different services for
AirWatch: the base MDM and a second service to secure files (called Content
Locker) and a third to run protected apps. Each service works with its own downloaded
app on your device. That’s a lot of apps to download and add to your phone, and
it can get confusing to keep switching among them. One caveat: these
supplementary apps will require at least iOS v5 or later, although the base
AirWatch MDM works on iOS v4 devices.
AirWatch's pricing is very transparent and
published on its website. Each of the three modules (MDM, content, and apps)
is priced a la carte either as a perpetual license with a one-time, per-device
fee, or on a subscription basis with a per-device monthly fee.
The MDM starts at $48 per device per year
and the other modules can triple this annual cost. There is also a free 30-day
trial for 50 devices that offers full functionality. AirWatch plans to begin
selling a lighter-weight version called Pro that will have fewer features and
be lower priced.
Apperian is all about the apps. While it
sells its product with its own MDM, it is very lightweight in terms of device
and user control. If you have a lot of corporate mobile apps and you want to
wrap them in a very secure mechanism to keep track of who uses them on what
particular devices, then this is the product for you.
Apperian has two separate functional
modules: an application control system and a built-in MDM. The MDM module doesn't
support BlackBerrys; they are supported only on the app module. It has fewer
features than the other MDM products reviewed, although you can do the basics
including wiping data from the phone, rootkit detection, controlling copy/paste
from the mobile's clipboard, and some rudimentary password control on your
devices.
Initially, you don't download anything to
your phone, instead you use your phone's Web browser to bring up the enrolment
link and download a customized app store for your particular device and user
name. However, this simple process is balanced with a tedious app wrapping
process to add your security layer.
Divide (the company recently changed its
name from Enterproid) supports both iOS and Android devices but nothing else.
Getting each device enrolled is very straightforward and involves downloading
the app from iTunes or Google Play and registering your email address that will
be used for that phone. Multiple devices can use the same email address, which
is handy if you want to share information (such as contacts or files) among
them.
However, Divide is somewhat particular about its iOS and Android
support: while it appeared to have installed successfully on the older Android
phone (running v2.3.4), the app wouldn't execute at all, and didn't even
install on the Kindle Fire. It did work fine on an Android phone running v4.3.
It supports devices running at least iOS v6.
Divide creates a separate and protected container and workspace on your
phone where all business-related apps are launched. These include its own
contact manager, email, calendar, task list, and other items that
share content with each other but not outside the protected environment.
You are limited to a single container per device. If you use a
cloud-based email service for your business and you don't want your end users
to download messages to an unprotected device, you will have to set your email
provider to disable Web, POP and IMAP access and use a proxy server that points
to the MDM server.
It doesn't support the free version of Google Apps; you will have to
make use of the paid accounts because they are the only ones to support use of
ActiveSync. This is how Divide distributes its policies and apps. You can
bulk add users via uploading a CSV, and download a list via a CSV as well.
It also has its own protected file system and it integrates with Box.com
so you can download files from your Box account that could be viewed on the
protected client. However, to make this work properly, you need a helper app to
view the files, such as Mobi.office. In my opinion this badly compromises
Divide's security, given how insecure Box could be.
According to Network World, its device password policies weren't up to the standards of some of the other products we used, such as forcing a device-wide PIN to be used. In my opinion its reliance on a cloud-based manager to handle all devices, apps, and enterprise settings is particularly risky for Enterprise.
Divide's pricing of $60 per year per user
includes unlimited devices for each user, something that may be of interest if
your users have a lot of phones and tablets.
Fixmo
Fixmo is a Canadian company and boasts that many
of its top people worked at BlackBerry. It originally came from the government
compliance reporting space and it shows with its approach to device security.
Its software is part of the Android Knox platform that Samsung uses on most of
its smartphones. It also supports iOS, although it didn't have an iOS7 client at
the time of the tests, and it only works on iOS v5 or v6.
[Image: Fixmo co-founder Rick Segal loving his BlackBerry]
Fixmo is betting that
consumers, especially in the wake of the NSA Prism scandal, will demand
BlackBerry-like encryption on non-BlackBerry devices. The company, it seems,
has more than a passing idea of how to do this, with much of its top talent
having served under RIM co-CEOs Mike Lazaridis and Jim Balsillie.
Fixmo’s Chief MRM Architect, Jonas
Gyllensvaan, founded Conceivium Business Solutions, Inc., which specialized in
the development and marketing of BlackBerry mobile platform management
solutions, before moving to Fixmo. And Fixmo’s Chief Marketing Officer, Tyler
Lessard, was once Vice President of BlackBerry Global Alliances and Developer
Relations at RIM, again specializing in nurturing the BlackBerry ecosystem by
launching BlackBerry App World. Lee Cocking, Fixmo’s VP of Corporate Strategy,
spent a decade working at RIM where he managed core components of the
BlackBerry Enterprise Solution.
Setup of the solution is relatively
straightforward via Fixmo's cloud service. There is also an on-premises Windows
server that has additional features, with a web front end. You add users and
devices and services via the menus, and these produce a series of emails with
QR codes and URLs that direct the user to install the necessary configuration
profiles for each device. Fixmo uses three profiles: one for MDM, one for
passcodes, and one for its self-service portal.
Network World reported that this can get a bit tedious, compared to
some of the other MDM products, but like others you can also bulk import and
export users using CSV files. Network World reported some problems with reading
the QR codes because the Fixmo server wants to see the link sent coming from
the phone's Web browser. Some of the QR readers open their own browser, so Network
World needed to use an app that allowed them to open the URL in Safari or
Chrome.
The cloud server doesn't support end-to-end
secure sessions and requires a supplemental VPN.
Each policy can have one of three actions:
send an email alert to an administrator, lock the device, or wipe the device.
The Fixmo client automatically does a jailbreak/root detection upon launch. If
it finds your phone has been compromised, it won't allow you access to its
secure container. There is also a feature where you can automatically wipe the
container with a time bomb if it hasn't called home within a certain interval,
which is nice for lost or stolen phones.
Fixmo has services that it licenses
separately, including the SafeZone secure container for iOS/Android, its MDM
and security service called Integrity (which is also available for
BlackBerries). Fixmo pricing for a full 250-user configuration is $18,000 per
year. Each device is licensed separately starting at one service at $12 per
month with quantity discounts and multiple-service discounts available.
Good Technology for Enterprise
Good for Enterprise has been around for a
while now and was originally envisioned as a protected messaging environment
that expanded into the MDM sphere. You can tell its longevity by the platforms
it supports: in addition to Android and iOS devices, Good also supports Windows
Mobile and even Palm OS devices. Noticeably absent is any support for
BlackBerries, but also notable is its inclusion of the Kindle Fire. They have
well developed integrations with Boxtone, Sailpoint and others, showing the
maturation of their product.
Good actually has an additional product, for
file sharing called Good Share. This is more of a mobile collaboration tool. It
wasn’t tested, but it allows you to view files and connect to a SharePoint
server. The main Good for Enterprise client has rudimentary file storage, but
the files you save to your device aren't sharable, unlike some of the other
MDMs.
Enrolment is very straightforward and like
other MDMs, you can bulk add users via uploading a CSV.
Like Fixmo, you can have its client connect
with its servers on a regular basis, and wipe the phone clean if the phone
isn't used or is stolen. Other MDMs block file attachments from being
downloaded: with Good you can block specific file types as well as set a size
limit (up to 32MB). After you make changes to your policies, you are brought to
a summary screen that shows you which devices have been affected.
Good sells its server for Windows, but it
is managed via a Web browser. The UI is very straightforward, although some of
the policy details are tucked away in odd places. It has extensive password
policies including smartcard support for second factor authentication. It
also has solid online help that is quite searchable.
One downside is that the Good
client has limited app sharing: while it is supported, it isn't as useful as
some of the other products. There is
also a small question about its security credentials. Open Security Research (http://blog.opensecurityresearch.com)
reported a hack method to:
- Identify the Good Enterprise Server
- Determine the Good Administrator
- Obtain the Good Administrator Credentials
- Access the Management Interface (Good Mobile Control)
- Provision devices and read emails (Note: don’t try this at home, it is illegal!)
I am not linking to the article as that
would be rude but you can find it yourself if you want.
Good for Enterprise costs $60 per user per
year.
Sources
David Strom
http://www.networkworld.com/reviews/2013/120913-mobile-device-management-test-276534.html
http://searchconsumerization.techtarget.com/tip/Pros-and-cons-of-mobile-device-management-software
The websites of all the vendors listed