critical capabilities for mobile device management

24
3/29/12 8:54 AM Critical Capabilities for Mobile Device Management Page 1 of 24 http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg Critical Capabilities for Mobile Device Management 29 July 2011 Monica Basso, Phillip Redman Research Note G00213877 This research provides quantitative ratings for a selection of enterprise mobile device management offerings, evaluating them in typical use cases, across 10 critical capabilities. Overview This research provides quantitative ratings for a selection of enterprise mobile device management (MDM) offerings, evaluating them in typical use cases, across 10 critical capabilities. Enterprises should use these critical capabilities, use cases and product ratings to identify the most suitable enterprise MDM products or services to meet their management and security requirements. Key Findings Not all MDM platforms provide device encryption if it is not supported natively on the device. Although containerized approaches offer some of the highest security, restrictions to the user's experience with mobile email may limit the user's acceptability and viability on personal devices. AirWatch, BoxTone, Fiberlink, MobileIron, Sybase and Zenprise use native Apple iOS 4 management APIs to implement functions such as over-the-air (OTA) software upgrades and certificate-based authentication. Good for Enterprise is a mobility suite centered on wireless email; many management and security capabilities are available within their email client only. Recommendations Choose MDM offerings that support a lightweight management approach, with mobile agents and server- side platforms, when your security and management requirements are limited and deep control is not accepted by employees using personal devices. Examples include Zenprise, MobileIron, BoxTone, Fiberlink and AirWatch. Choose MDM offerings that support a heavyweight approach to deliver secure and manageable corporate email to consumer and personal devices when strict security and compliance requirements apply. Containers can enforce stronger separation among personal and corporate content. Examples include Good Technology, Excitor and Sybase. The iPhone 3GS and later hardware platforms ship with always-on hardware encryption. When iOS 4.2 was introduced, it added a new data protection class that allows third-party applications to manage their own encryption keys, reducing the risk of data leakage on a jailbroken device. The new data protection classes are activated upon the full installation of iOS 4 or later. What You Need to Know This document was revised on 24 August 2011. For more information, see the Corrections page on gartner.com. Before making any effort to select the most appropriate tool for MDM, organizations need to understand their requirements and define clear policies for deployment, including corporate data and application protection on the device and back-end servers; isolation from personal content, if needed; and cost containment. Organization should evaluate different MDM offerings, focusing on the critical capabilities identified in this research. Return to Top Analysis Introduction Critical Capabilities Methodology "Critical capabilities" are attributes that differentiate products in a class in terms of their quality and performance. Gartner recommends that users consider the set of critical capabilities as some of the most important criteria for acquisition decisions. This methodology requires analysts to identify the critical capabilities for a class of products. Each capability is then weighted in terms of its relative importance overall, as well as for specific product use cases. Next, products are rated in terms of how well they achieve each of the critical capabilities. A score that summarizes how well they meet the critical capabilities overall, and for each use case, is then calculated for each product. Ratings and summary scores range from 1.0 to 5.0: 1 = Poor: most or all defined requirements not achieved 2 = Fair: some requirements not achieved 3 = Good: meets requirements 4 = Excellent: meets or exceeds some requirements 5 = Outstanding: significantly exceeds requirements Product viability is distinct from the critical capability scores for each product. It is our assessment of the vendor's strategy and its ability to enhance and support a product over its expected life cycle; it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, execution and investment. Strategy includes how a vendor's strategy for a particular

Post on 19-Oct-2014

3.944 views

Category:

Documents


2 download

DESCRIPTION

Zenprise MDM, Mobile Device Management, 2012

TRANSCRIPT

Page 1: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 1 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Critical Capabilities for Mobile Device Management29 July 2011

Monica Basso, Phillip Redman

Research Note G00213877

This research provides quantitative ratings for a selection of enterprise mobile device management offerings,evaluating them in typical use cases, across 10 critical capabilities.

Overview

This research provides quantitative ratings for a selection of enterprise mobile device management (MDM)offerings, evaluating them in typical use cases, across 10 critical capabilities. Enterprises should use thesecritical capabilities, use cases and product ratings to identify the most suitable enterprise MDM products orservices to meet their management and security requirements.

Key FindingsNot all MDM platforms provide device encryption if it is not supported natively on the device.

Although containerized approaches offer some of the highest security, restrictions to the user's experiencewith mobile email may limit the user's acceptability and viability on personal devices.

AirWatch, BoxTone, Fiberlink, MobileIron, Sybase and Zenprise use native Apple iOS 4 management APIsto implement functions such as over-the-air (OTA) software upgrades and certificate-based authentication.

Good for Enterprise is a mobility suite centered on wireless email; many management and securitycapabilities are available within their email client only.

RecommendationsChoose MDM offerings that support a lightweight management approach, with mobile agents and server-side platforms, when your security and management requirements are limited and deep control is notaccepted by employees using personal devices. Examples include Zenprise, MobileIron, BoxTone, Fiberlinkand AirWatch.

Choose MDM offerings that support a heavyweight approach to deliver secure and manageable corporateemail to consumer and personal devices when strict security and compliance requirements apply.Containers can enforce stronger separation among personal and corporate content. Examples includeGood Technology, Excitor and Sybase.

The iPhone 3GS and later hardware platforms ship with always-on hardware encryption. When iOS 4.2 wasintroduced, it added a new data protection class that allows third-party applications to manage their ownencryption keys, reducing the risk of data leakage on a jailbroken device. The new data protection classesare activated upon the full installation of iOS 4 or later.

What You Need to Know

This document was revised on 24 August 2011. For more information, see the Corrections page ongartner.com.

Before making any effort to select the most appropriate tool for MDM, organizations need to understand theirrequirements and define clear policies for deployment, including corporate data and application protection onthe device and back-end servers; isolation from personal content, if needed; and cost containment.Organization should evaluate different MDM offerings, focusing on the critical capabilities identified in thisresearch.

Return to Top

Analysis

Introduction

Critical Capabilities Methodology"Critical capabilities" are attributes thatdifferentiate products in a class interms of their quality and performance.Gartner recommends that usersconsider the set of critical capabilitiesas some of the most important criteriafor acquisition decisions.

This methodology requires analysts toidentify the critical capabilities for aclass of products. Each capability isthen weighted in terms of its relativeimportance overall, as well as forspecific product use cases. Next,products are rated in terms of how wellthey achieve each of the criticalcapabilities. A score that summarizeshow well they meet the criticalcapabilities overall, and for each usecase, is then calculated for eachproduct.

Ratings and summary scores rangefrom 1.0 to 5.0:

1 = Poor: most or all definedrequirements not achieved

2 = Fair: some requirements notachieved

3 = Good: meets requirements

4 = Excellent: meets or exceeds somerequirements

5 = Outstanding: significantly exceedsrequirements

Product viability is distinct from thecritical capability scores for eachproduct. It is our assessment of thevendor's strategy and its ability toenhance and support a product over itsexpected life cycle; it is not anevaluation of the vendor as a whole.Four major areas are considered:strategy, support, execution andinvestment. Strategy includes how avendor's strategy for a particular

Page 2: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 2 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

IntroductionThe proliferation of consumer devices and a growing demand from employees are changing the ways in whichorganizations deliver mobility solutions to the workforce.

IT organizations are forced to create mobility programs to support corporate email and other applications onconsumer products, such as iPhone, iPad and Android devices. "Bring your own device" and employee-liableprograms are common, and we expect that 80% of organizations will have tablets by 2013 (see "Gartner's TopPredictions for IT Organizations and Users, 2011 and Beyond: IT's Growing Transparency").

These deployments bring a range of new challenges, from security, compliance and management, to cost andhuman capital management. Organizations address these challenges by defining policies that regulate theusage of consumer and personal mobility for employees, and they need the appropriate tools to enforcepolicies, regulate behaviors, contain costs and manage risks, across multiple device platforms.

Multiple options are available — the enterprise MDM market has more than 60 players with a wide range ofproducts, services and capabilities. Gartner research (see "Magic Quadrant for Mobile Device ManagementSoftware") identifies a subset of 23 vendors that qualify as viable for investments. These offerings areprogressively adding similar features, driven by fierce competition, and the market is going through acommoditization route.

IT organizations struggle to identify the right options for investment. On one hand, the rapid evolution ofmobile devices and business requirements makes it difficult to identify a clear set of MDM requirements. On theother hand, the lack of differentiation confuses buyers and complicates investment decisions.

One major area of differentiation among MDM offerings is the technical approach to management (see "How toSupport Corporate E-Mail and Other Applications on Personal Devices"):

Lightweight approach: Server-side product or service offerings may have a small mobile agent runningon the device, and/or call native APIs provided by the mobile OS platform (e.g., iOS 4), but do not have acomplete mobile management client. They can enforce policies on the server side, but cannot control thedevice and mobile user behavior in depth. They are used in combination with native mobile support incorporate email servers (e.g., Microsoft Exchange ActiveSync [EAS] in Microsoft Exchange Server or NotesTraveler in Lotus Notes/Domino) to enforce complementary policies to those provided by the server. Thus,they can preserve the native email client experience on iPhones and iPads, which are favorite choices forusers. Relevant vendors with this approach include AirWatch, BoxTone Fiberlink, MobileIron and Zenprise.

Heavyweight approach: Client-side management software is available for every relevant mobile OSplatform (either stand-alone or blended with a proprietary email client). The management client canenforce strong IT control on the device (e.g., local data encryption, selective wipe and containerization).Vendors with this approach are Good Technology, Excitor and Sybase. Good's product does not integratewith the email server's native mobile support (e.g., EAS) — actually, it replaces it, and it does not workwith the device's native email client, but requires its own client, which can only connect to a corporateemail server. Good Technology's approach prioritizes on IT control, limiting the user's choice andexperience with the email client.

Another important element of differentiation among these offerings is the delivery model: cloud services versuson-premises versus host. While most mature products (such as those from Good Technology, Sybase andMobileIron) are on-premises, a growing range of cloud services offerings (such as those from AirWatch,Fiberlink and Tangoe) are starting to appeal to users because they are more economical. In fact, there are noupfront costs, and an inexpensive price per user per month and more flexibility to scale up services withgrowing mobility adoption or needs.

Before entering MDM product selection analysis, organizations need to identify the risks and benefits ofintroducing support for corporate applications on personal devices. They then need to identify the IT policiesrequired to control deployments, manage risks and support users. Finally, they need to choose the appropriatemanagement approach and the products and services that can help to enforce those policies in a cost-effectiveway.

Return to Top

Product Class DefinitionGartner defines MDM as a range of products and services that enables organizations to deploy and supportcorporate applications to mobile devices, such as smartphones and tablets, possibly for personal use —enforcing policies and maintaining the desired level of IT control across multiple platforms. Areas offunctionalities include security, provisioning, software and inventory management, and decommissioning. See"Magic Quadrant for Mobile Device Management Software" for a complete description of the market andvendors that deliver these products or services. In this research, we focus on the capabilities and viability of asubset of offerings (products or services) from this market, which get the most attention and inquiries foradvice from our client base.

Return to Top

Critical Capabilities DefinitionMDM offerings address a range of requirements from IT organizations aiming to deliver mobility experiences totheir workforces or customers, while maintaining control and minimizing risks. They tend to bring a fairlycomplex set of functionalities, with progressively little differentiation among the competition. This researchexamines 10 critical capabilities that differentiate competing MDM products. The critical capabilities consideredfor enterprise MDM products are:

vendor's strategy for a particularproduct fits in relation to its otherproduct lines, its market direction andits business overall. Support includesthe quality of technical and accountsupport as well as customerexperiences for that product. Executionconsiders a vendor's structure andprocesses for sales, marketing, pricingand deal management. Investmentconsiders the vendor's financial healthand the likelihood of the individualbusiness unit responsible for a productto continue investing in it. Each productis rated on a five-point scale from poorto outstanding for each of these fourareas, and it is then assigned an overallproduct viability rating.

The critical capabilities Gartner hasselected do not represent allcapabilities for any product and,therefore, may not represent thosemost important for a specific usesituation or business objective. Clientsshould use a critical capabilitiesanalysis as one of several sources ofinput about a product before making anacquisition decision.

Page 3: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 3 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

for enterprise MDM products are:

Device Diversity

Policy Enforcement

Security and Compliance

Containerization

Inventory Management

Software Distribution

Administration and Reporting

IT Service Management

Network Service Management

Delivery Model

Detailed information about each critical capabilities follows:

Device Diversity: the degree of diversity in mobile devices and mobile OS platforms that the consideredMDM product can handle. This includes:

Support one or more OS platforms, such as Android, iOS, etc. (Note that support for Research InMotion [RIM] OS and Windows Phone 7 is rated as a plus because fewer vendors have added them.)

Support for media tablets

Support for ruggedized devices

Support for simpler phones

Policy Enforcement:

Enforce policies on eligible devices:

Detect OS platforms and versions, installed applications, and manipulated data.

Detect iOS jail-broken devices and rooted Android devices.

Filter (restrict) access from noncompliant devices to corporate servers (e.g., email).

Enforce application policies:

Restrict downloadable applications through whitelists and blacklists.

Monitor access to app stores and application downloads, and put prohibited applications onquarantine and/or send alerts to IT/managers/users about policy violations.

Monitor access to Web services, social networks and app stores, and send alerts toIT/managers/users about policy violations and/or cut off access.

Enforce mobile communications expense policies:

Monitor roaming usage.

Detect policy violations (e.g., international roaming) and, if needed, take action (e.g., disablingaccess to servers and/or send alerts to IT/managers/users about policy violations).

Enforce separation of personal versus corporate content:

Manage corporate apps on personal devices, and personal apps on corporate devices.

Tag content as personal or corporate through flags.

Detect violations of separation and, if needed, send alerts to IT/managers/users.

If a container is in use, prohibit exporting data outside the container (e.g., when opening anemail attachment), and regulate interaction between different enterprise containers.

Restrict or prohibit access to corporate servers (e.g., to email server or email account) in case ofpolicy violation.

Security and Compliance: a set of mechanisms to protect corporate data on a device, corporate back-end systems and preserve compliance with regulations:

Password enforcement (strong alphanumeric password)

Device lock (after a given number of minutes of inactivity)

Remote wipe, selective remote wipe (e.g., only corporate content); total remote wipe (hard wipe,data not recoverable after deletion)

Local data encryption (phone memory, external memory cards)

Certificate-based authentication (include device ID, OS version, phone number); certificatedistribution

Monitoring device and data manipulation on device

Rogue app protection (e.g., application quarantine)

Firewall

Antivirus

Mobile VPN

Page 4: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 4 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Mobile VPN

Message archiving (SMS, IM, email, etc.) and retrieval; record historical event for audit trail andreporting

Containerization: a set of mechanisms to separate corporate from private content (data, applications) ona device and apply a range of actions to control the corporate footprint, such as:

Local data encryption

On-the-fly decryption

Selective remote wipe

No data export to other containers (data leakage prevention)

Controlled communication among containers

Application containerization (beyond email)

Containerization based on virtualization technology (e.g., Open Kernal Labs [OK Labs] OKL4, VMwareMVP, ARM TrustZone)

Inventory Management: a set of mechanisms to provision, control and track devices connected tocorporate applications and data:

Asset management and inventory

Device configuration and imaging

Device activation and deactivation

Provisioning (OTA):

Distribution (push)

Configuration (push):

Device configuration

iPhone profiles

Lockdown hardware features (e.g., enable/disable hardware, camera, removable media card, infrared[IR] port, Bluetooth, Wi-Fi)

Monitoring:

Performance

Battery Life

Memory

Lost-phone recovery

Locate and map

Restore and migrate

Software Distribution: a set of mechanisms to distribute applications and software upgrades to mobileusers OTA, avoiding tethering to a PC:

Application discovery (e.g., through private app stores)

Software updates, for applications or OSs

Patches/fixes

Backup/restore

Background synchronization

File distribution

Administration and Reporting: capabilities for IT administrators to manage mobile deployments andusers. This includes:

Single console

Web-based console

OTA provisioning

Role-based access

Group-based actions

Remote control (real-time or permission-based)

Enterprise platform integration (e.g., Exchange Active Sync; LDAP; BlackBerry Enterprise Server[BES]; certificate authority; trouble ticketing and help desk, such as Remedy; and networkmanagement, such as IBM Tivoli)

Business intelligence

Reporting

IT Service Management: capabilities to grant mobile service levels to mobile users, such as:

Help desk

User support with levels

Page 5: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 5 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

User support with levels

User self-service (administration, etc.)

End-to-end real-time monitoring

Troubleshooting

Alerting

Network Service Management: specific capabilities to monitor and optimize mobility costs, such as:

Contract management

Expense management

Service usage management

Delivery Model: ways to deliver MDM capabilities to customers (e.g., on-premises, hosted, cloud).Complete cloud offerings are rated higher, because they allow organizations to acquire MDM capabilitieswithout upfront investments. Pricing policies per users (as opposed to per device) are rated higher.

Return to Top

Use CasesWe have identified a number of use cases that come up fairly frequently in our client inquiries, and that help tohighlight the best characteristics of selected MDM offerings under specific conditions:

Case A1 — Highly regulated organizations focusing on corporate email only:

Organizations aiming to support consumer personally owned devices, such as iPhone, iPad and

Android devices

Organizations operating in sectors under severe regulatory constraints (e.g., financial, healthcare,military and defense) with strict security and compliance requirements, such as the Health InsurancePortability and Accountability Act (HIPAA; e.g., must enforce local data encryption on all devicesconnected to their email servers, required certifications, etc.)

Organizations focusing on the short term, only regarding corporate email support

Case A2 — Highly regulated organizations going beyond email:

Highly regulated organizations, as per Case A1, that want to deploy and support corporateapplications beyond email, need to distribute software OTA, and need discovery mechanisms (such asfor app stores, to block access, etc.)

Case B — Nonregulated organizations, mobility deployments:

Organizations operating in nonregulated sectors (e.g., retail, delivery services) that can live withbasic security and management support, and that must enforce limited mobile policies to mobileusers

Organizations with previous mobility experience and/or mobility skills

Support for consumer devices, such as iPhone, iPad, Android, BlackBerry devices; corporate orpersonal devices

Organizations focusing on email and/or other applications

Case C — Expense management focus:

Organizations that want to optimize mobility deployment expenses and that are less focused onsecurity

Cost optimization

Case D — Service-level management:

Organizations with critical mobile applications or users, and mobile service-level agreements

All types of deployment sizes (most often midsize to large)

Need to monitor and control end-to-end mobile deployments

Troubleshooting

Table 1 looks at the weightings of all the use cases in this research. Each use case weighs the capabilitiesindividually based on the needs of that case, which impacts the score. Each vendor may have a differentposition based on its capability and the weighting for each one. The overall use case is the general scoring forthe vendor's product, with all weights being equal.

Page 6: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 6 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

Inclusion CriteriaProducts covered in this research come from vendors included in "Magic Quadrant for Mobile DeviceManagement Software"; refer to it for a complete description of the market and vendors. The following criteriawere used to qualify vendors for inclusion in the Magic Quadrant for MDM:

Support for enterprise-class (noncarrier), multiplatform support MDM: software or software as a service(SaaS), with an emphasis on mobility

Specific MDM product focus and feature set, or a primary focus on MDM in another product set (messagingor security)

Security management, with at least these features:

Enforced password

Device wipe

Remote lock

Audit trail/logging

"Jailbreak" detection

At least mobile OS 3 platforms supported

Policy/compliance management

Software distribution, with at least these capabilities supported:

Application downloader

Application verification

Application update support

Application patch support

Inventory management, with at least these capabilities supported:

External memory blocking

Configuration change history

Managing at least 25,000 mobile lines

Five referenceable accounts

At least $1 million in MDM-specific revenue

Table 1. Weighting for Critical Capabilities in Use Cases

Critical ProductCapabilities Overall

Regulated,Email (A1)

Regulated,Applications(A2)

Nonregulated(B)

ExpenseOptimizationObjective (C)

Service-LevelManagement(D)

Device Diversity 10.0% 5.0% 1.0% 20.0% 1.0% 5.0%

PolicyEnforcement 10.0% 5.0% 10.0% 5.0% 0.0% 5.0%

Security andCompliance 10.0% 5.0% 10.0% 5.0% 0.0% 5.0%

Containerization 10.0% 70.0% 5.0% 0.0% 0.0% 0.0%

InventoryManagement 10.0% 5.0% 5.0% 9.0% 20.0% 15.0%

SoftwareDistribution 10.0% 1.0% 55.0% 15.0% 0.0% 10.0%

Administrationand Reporting 10.0% 1.0% 2.0% 40.0% 20.0% 20.0%

IT ServiceManagement 10.0% 2.0% 10.0% 4.0% 5.0% 40.0%

Network ServiceManagement 10.0% 5.0% 1.0% 1.0% 53.0% 0.0%

Delivery Model 10.0% 1.0% 1.0% 1.0% 1.0% 0.0%

Total 100.0% 100.0% 100.0% 100.0% 100.0% 100.0%

Page 7: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 7 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Given the large number of players in this market and the complexity of the products, we have chosen torestrict this analysis to a subset of vendors whose offerings get the most interest and highest level of inquiriesfrom Gartner's clients. This research focuses on products or services provided by AirWatch, BoxTone, Excitor,Fiberlink, FancyFon, Good Technology, Mobile Active Defense, McAfee, MobileIron,Sybase, Symantec, Tangoeand Zenprise. Vendors not included in this research are still valid options for consideration (see "MagicQuadrant for Mobile Device Management Software" for details), including: Capricode, Fixmo, IBELEM,Fromdistance, Motorola, Odyssey Software, Smith Micro Software, SOTI, The Institution and Ubitexx (acquiredby RIM).

While most vendors specialize in management for smartphones and tablets, a subset provides specificcapabilities to manage fleets of ruggedized devices (on Windows CE or Windows Mobile), including SOTI,Odyssey Software and Motorola. We do not consider these vendors in a separate use case because specializedmanagement tools for ruggedized devices generate limited Gartner client inquiries.

Return to Top

Critical Capabilities RatingEach of the products that meet our inclusion criteria has been evaluated on the critical capabilities, on a scaleof 1.0 to 5.0. To determine an overall score for each product in the use cases, the ratings in Figure 1 aremultiplied by the weightings in Table 1. These scores are shown in Figure 2. Figure 3 shows the product scorein the various use cases, and also provides our assessment of the viability of each product.

Figure 1. Product Rating on Critical Capabilities

Source: Gartner (July 2011)

Return to Top

Figure 2. Overall Score for Each Vendor's Product Based on the Nonweighted Score for EachCritical Capability

Page 8: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 8 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

Figure 3. Product Score in Use Cases

Page 9: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 9 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Product viability is distinct from the critical capability scores for each product. It is our assessment of thevendor's strategy and the vendor's ability to enhance and support a product throughout its expected life cycle;it is not an evaluation of the vendor as a whole. Four major areas are considered: strategy, support, executionand investment. Strategy includes how a vendor's strategy for a particular product fits in relation to thevendor's other product lines, its market direction and its business overall. Support includes the quality oftechnical and account support, as well as customer experiences with that product. Execution considers avendor's structure and processes for sales, marketing, pricing and deal management. Investment considers thevendor's financial health and the likelihood of the individual business unit responsible for a product to continueinvesting in it. Each product is rated on a five-point scale from poor to outstanding for each of these areas, andit is then assigned an overall product viability rating.

Source: Gartner (July 2011)

Return to Top

Figure 4 represents the overall general use for MDM with all ratings equally weighed. This segments thevendors into three positions based on their product capabilities alone: Zenprise, Mobile Active Defense andMobileIron at the top; Good Technology, Symantec and McAfee at the bottom; and the bulk of the othervendors rated in the middle. Unlike the MDM Magic Quadrant, which rates companies in a broader context thanby product alone, the MDM Critical Capabilities methodology solely assesses companies based on theirproducts.

Figure 4. Overall Use Case

Page 10: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 10 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Return to Top

Figure 5 shows the vendors' product scores for Use Case A1.

Figure 5. Vendors' Product Scores for Regulated Email (A1) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Return to Top

Figure 6 shows the vendors' product scores for Use Case A2.

Figure 6. Vendors' Product Scores for Regulated Application (A2) Use Case

Page 11: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 11 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Return to Top

Figure 7 shows the vendors' product scores for Use Case B.

Figure 7. Vendors' Product Scores for Nonregulated Mobility Deployment (B) Use Case

Page 12: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 12 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Return to Top

Figure 8 shows the vendors' product scores for Use Case C.

Figure 8. Vendors' Product Scores for Expense Optimization Objective (C) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Page 13: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 13 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Return to Top

Figure 9 shows the vendors' product scores for Use Case D.

Figure 9. Vendors' Product Scores for Service-Level Management (D) Use Case

The weighted capabilities scores for all use cases are displayed as components of the overall score.

Source: Gartner (July 2011)

Return to Top

VendorsAirWatchAirWatch's Enterprise MDM offering puts emphasis on device security, life cycle management, applicationdistribution and help desk controls. It supports a broad range of device platforms and integrates with enterpriseplatforms, such as LDAP, Active Directory, Microsoft Exchange Server, IBM Lotus Notes/Domino and IMAP-based email servers. It integrates with cloud-based email services, such as Gmail, Microsoft BPOS and Office365. AirWatch's origins come from the wireless network management services and ruggedized device market.The vendor has found equal success providing MDM through either a cloud-based or on-premises distributionmodel (see Table 2).

Page 14: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 14 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

BoxToneBoxTone's offering focuses on mobile service-level management and includes three modules: MDM, mobilesupport management and mobile operation management. It provides deep integration with enterprise mobilitysoftware platforms and many popular system management and monitoring platforms (e.g., BES, EAS and GoodTechnology). BoxTone supports BlackBerry, iOS, Android, Windows Mobile, webOS, and Windows Phone 7.Beyond MDM, BoxTone supports service desk management, incident management, problem management andapplication performance management (see Table 3).

Table 2. Critical Capabilities Rating for AirWatch's Enterprise MDM v.5.14

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity RIM OS, iOS, Android, Windows Mobile 6.x, Windows Phone 7, Symbian, webOS aresupported.

4.5

PolicyEnforcement

Profiles, monitoring, access restrictions, automated compliance policies and alerts forcorporate and personal devices (but mostly for iOS, Android and Windows Mobile 6.x).

3.3

Security andCompliance

User and device authentication, password enforcement and device lock, remote wipe, andtotal wipe (but selective wipe only for iOS, Android, Windows Mobile 6.x). Local dataencryption, application quarantine, whitelists/blacklists, Web filtering, auditing, mobileVPN, firewall support for selected platforms. No antivirus supported.

3.6

Containerization Application containerization with data leakage prevention for iOS. Monitor and enforcecompliance of OS-based encryption. No email container outside native OS capabilities.

2

InventoryManagement

OTA provisioning, lockdown hardware, monitoring of battery life and other hardwareresources, and inventory. Supports monitoring, diagnostics, remote control, performance,memory and battery status, and device location.

4.4

SoftwareDistribution

Downloader, verification, whitelists/blacklists, version detection, updates. 3.5

Administrationand Reporting

AirWatch's communication layer includes a complete infrastructure for API integration tothird parties, as well as APIs, Web services, single sign-on and authentication protocols.Its platform also supports multiple protocols for information sharing, such as SSH andSNMP.Can authenticate device users through a basic authentication process or by integratingdirectly with enterprise directory services (LDAP).

3.7

IT ServiceManagement

Integrated case management, user support levels, self-service portal, mobile serviceusage monitoring, alerting.

3.3

NetworkServiceManagement

Usage management to detect roaming and apply business rules, send alerts, and restrictdata downloads. No contract or expense management.

2

Delivery Model Available on-premises, as a software appliance or SaaS. 4.5

Table 3. Critical Capabilities Rating for BoxTone v.6.1

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity RIM OS, iOS, Android, Windows Mobile 6.x., webOS. Symbian and MeeGo are notsupported.

4.2

PolicyEnforcement

Profiles, monitoring, access restriction. Automated policy management, compliancemanagement, configuration management and application management are integrated intoActive Directory for enterprise group IT policy management and enforcement.

4.2

Security andCompliance

User and device authentication, password enforcement and device lock, remote wipe andtotal wipe, and selective wipe on iOS, BlackBerry and Android. Filter server access tononcompliant devices. Local data encryption for RIM OS, iOS and Android devices, andmemory cards, including individual certificate-based encryption and control of Androidapplications. Application quarantine, whitelists/blacklists and mobile VPN for supportedplatforms. Web filtering for RIM OS and Android. Firewall supported for BlackBerry only.No antivirus supported. Enhanced compliance enforcement functions, such as recordhistorical events for audit trail and reporting.

3.9

Containerization Not available. 1

Page 15: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 15 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

ExcitorExcitor's DME Mobile Device Manager focuses on MDM and security. It does not rely on Exchange Active Syncpolicies to manage devices, but instead implements its own policies within their mobile management client. Itsupports standards such as OMA DM. Simple containerization is supported, but only in combination withExcitor's DME email product (see Table 4).

Source: Gartner (July 2011)

Return to Top

InventoryManagement

OTA provisioning, lockdown hardware, device configuration, monitoring service quality,battery life and other hardware resources, and inventory. Change history tracking of eachdevice, including timestamped details for audit or reproducing specific state and status ata given time for troubleshooting or other change management.

4.4

SoftwareDistribution

Private app store, software upgrades, OS updates, background synchronization, patches,fixes, file distribution.

4.2

Administrationand Reporting

Integration with enterprise mobility platforms, such as BES, Good Messaging and EAS.Integration (in a single console) with the most widely used system management platforms(through prebuilt connectors and software development kits [SDKs]/APIs), such asMicrosoft SCOM, HP Operations Manager, BMC Software, CA Technologies and IBM-BigFix.BoxTone can also integrate with other management platforms via SNMP technology. Webconsole. Role-based access. Remote control only for BlackBerry and Windows Mobile 6.x.Analytics tools.

3.7

IT ServiceManagement

Strong help desk, user support, service-level management. Real-time status transactionflow for most enterprise mobile servers, plus automated problem or fault detection.Integrated knowledgebase with alerting mechanisms, etc. Self-service and self-provisioning support for supported platforms.

4.3

NetworkServiceManagement

Not available. BoxTone partners with telecom expense management (TEM) vendors, suchas ProfitLine and Rivermine, and integrates with their products (but not directly resellingor embedding).

1

Delivery Model Mostly sold as on-premises, but managed and cloud services are also available. 4

Table 4. Critical Capabilities Rating for Excitor's DME Mobile Device Manager v.3.5.x

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity RIM OS, iOS, Android, Symbian,Windows Mobile 6.x, Windows Phone 7, webOS andMeeGo are not supported.

4.5

PolicyEnforcement

Profiles, monitoring, access restriction. Control access to app store. Control on enterpriseapplications for Symbian, iOS and Android.

3.9

Security andCompliance

User and device authentication, password enforcement and device lock. Remote wipe, plustotal wipe and selective wipe for selected platforms. Filter server access to noncompliantdevices. Local data encryption supported for BlackBerry, Symbian, iOS, Android andWindows Mobile 6. Application quarantine on devices is supported for iOS and Android.Whitelists/blacklists, Web filtering and mobile VPN for selected platforms. No nativeantivirus or firewall capabilities are provided, but it can nicely integrate with otherproducts, such as Symantec.

3.4

Containerization Containerization of email, in combination with the DME email client. Supported on iOS andSymbian. BlackBerry, Android and Windows Phone 7 support will be added in the nextreleases. Containerization extended to other applications, downloaded from the DME-based private app store, in the DME enterprise container. Data leakage prevention foremail attachments and email copy/paste, limited to iOS.

3.3

InventoryManagement

OTA provisioning, inventory, lockdown hardware, monitoring of battery life and otherhardware resources for selected platforms.

3.8

SoftwareDistribution

Private app store for iOS, Android, BlackBerry, Symbian, Windows Mobile 6, WindowsPhone 7. Software upgrades, OS updates, patches and fixes are limited to some platforms.

3.3

Administrationand Reporting

No integration with BES, Good Messaging and EAS (i.e., DME email client connects to DMEserver only). Integration (in a single console) with system management platforms via Webservices. Web console and role-based access. No remote control. Business intelligence,analytics and reporting tools are supported natively.

3

IT ServiceManagement

Provides first-line and second-line support through help desk capability to customersthrough excitor.com. Check device status and configuration.

2.5

NetworkServiceManagement

Basic capabilities provided in the DME Cost Control module. Additional TEM capabilitiesthrough external TEM providers (such as Teleopti and Pridis).

3

Delivery Model On-premises, managed and cloud services. 4.5

Page 16: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 16 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

FancyFonFancyFon's Mobility Center (FAMOC) is a centralized platform to manage the mobile device life cycle, from OTAprovisioning to configuration, application updates, security and troubleshooting. It provides remote support fora range of mobile devices, either as a hosted or an on-site solution. FAMOC supports iPad, Android tablets andRIM Playbook through a dedicated media tablet application available in respective app stores. It also supportsruggedized devices and not typical mobile devices (e.g., GPSs) through Windows CE and Windows Mobilesupport, and Java-based feature phones with basic management, such as backup/restore, remote configurationand security (see Table 5).

Source: Gartner (July 2011)

Return to Top

FiberlinkFiberlink's MaaS360 Platform is a pure MDM cloud services offering, for organizations aiming to support bothcorporate and personal devices. It's a multitenant platform (see Table 6). Existing embedded platforms (BES,EAS and IBM Lotus Notes Traveler) are included in MaaS360 management via a single "cloud extender" agentthat is deployed in the LAN. If device-side APIs are available, then device support beyond BES and EAS is donevia API (e.g., Apple MDM protocol). If no device-side MDM API is present, then there is a native agent for thatplatform (e.g., Android).

Table 5. Critical Capabilities Rating for FancyFon's FAMOC v3.3

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity RIM OS, iOS, Android, Symbian, webOS and Windows Mobile 6.x and Java are supported.Limited support for Windows Phone 7, MeeGo and bada.

4.5

PolicyEnforcement

Profiles, monitoring, access restriction, acceptable use for selected platforms. Limitedcontrol on personal and corporate apps (FAMOC configuration management).

3.7

Security andCompliance

User, media and device authentication; password enforcement and device lock; andremote, full and selective wipe for iOS and Android. Auditing, filters access toinappropriate devices, Web filtering on selected platforms. Whitelists/blacklists supportedfor RIM OS, iOS, Symbian and Windows Mobile 6.x. Antivirus, firewall and mobile VPN aresupported.

4.1

Containerization Not available. 1

InventoryManagement

Rich OTA provisioning, inventory, lockdown hardware. Check memory space, diagnosticsand monitory battery life for selected platforms (FAMOC configuration management).

4.4

SoftwareDistribution

Downloader, verification, version detection, software upgrades, OS updates, patches, fixesand updates (FAMOC Application Management).

4.5

Administrationand Reporting

OMA DM (Nokia, Sony Ericsson, Windows Mobile devices), OMA CP, OpenSCEP (Apple),Apple MDM API, BES, SyncML, EAS support.FAMOC is compatible and makes use of BES, Microsoft Exchange Server, Lotus Domino,Microsoft Active Directory, LDAP and Funambol. Support for role-based and group-basedaccess. Single console, business intelligence, analytics and reporting tools available.

2.8

IT ServiceManagement

Help desk and user support. Rich self-service. Device monitoring, file management andremote access control are supported.

3

NetworkServiceManagement

Limited invoice management, limited contract information. Usage monitoring and alerting(FAMOC Asset Management).

2

Delivery Model On-premises-based; others (managed, SaaS) provided by partners. 4.3

Table 6. Critical Capabilities Rating for Fiberlink's MaaS360 Platform (internal v.10.6; serviceavailable as of 21 June 2011)

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Complete support for BlackBerry, iOS, Android, Symbian, webOS, Windows Mobile 6.x. 4.5

Page 17: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 17 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

Good TechnologyGood for Enterprise is a mobility suite that supports mobile collaboration with strong support for security andmanagement (see Table 7). The main components of the suite include: Good Mobile Control, for MDM; Good

Mobile Access, for secure access to corporate data; Good Mobile Messaging, for secure wireless email (see"Critical Capabilities for Enterprise Wireless E-Mail Software"; this document has been archived, and some of itscontent may not reflect current conditions). Good Technology's MDM and security capabilities are sold as partof the entire mobility suite (i.e., not sold as individual products) and require the adoption of Good MobileMessaging product for wireless email, including Good's email client. It replaces the email server's native mobilesupport. Through its native email client, it enforces separation between corporate and personal data; however,many MDM capabilities are available in the email client only. Good Technology provides the strongestimplementation of containerization for the email client, on iOS, Android and Symbian devices. It also supportsdata leakage prevention (e.g., prohibiting the saving of email attachments outside the container).

Device Diversity Complete support for BlackBerry, iOS, Android, Symbian, webOS, Windows Mobile 6.x.Limited support for Windows Phone 7. No support for MeeGo.

4.5

PolicyEnforcement

Profiles, monitoring, access restriction. Control access to app store, and control onenterprise applications. Acceptable use policies. Additional policy enforcement for iOS APIsinclude dynamically changing policy (e.g., restrict VPN) or taking a remediation action(e.g., wipe device), based on device context (e.g., location) or a recent event (e.g.,removed SIM); automatic provisioning of policies to devices discovered on corporate emailservers.

3.7

Security andCompliance

User and device authentication, password enforcement and device lock; remote and totalwipe (plus selective wipe for iOS and Android). Local data encryption (only core, nomedia). Can filter access to inappropriate devices for Symbian only. Whitelists/blacklistssupported for iOS and Android. No support for rogue application protection (e.g.,application quarantine) or Web filtering. No antivirus or firewall supported. MaaS360provides mobile VPN as a managed service, and adds MDM profile lockdown for iOS andAndroid (prohibits users from removing management software).

2.8

Containerization Document distribution and database updates through Apple enterprise applicationdistribution; it provides data leakage prevention within encrypted applications andreporting for audit. Same capabilities provided on Android.

2

InventoryManagement

OTA provisioning, inventory, lockdown hardware. Check memory space. Diagnostics andmonitoring of battery life for iOS and Android.

4.2

SoftwareDistribution

Cross-platform application catalog, software distribution and updates. 3.5

Administrationand Reporting

Integration with BES, EAS and Lotus, with certificate authority. For desktop management,integration with management consoles from IBM, Check Point, Iron Mountain, LumensionSecurity and others. Other MDM platforms (e.g., MobileIron) can be integrated andcontrolled from inside MaaS360 to include PC management in the same console. Rich Webconsole and role-based access. Business intelligence, analytics and reporting toolsavailable. Fiberlink offers a remote control service as part of its 24/7 global help desk atno additional cost. Technicians can take control of a problematic device via SMS andperform user context actions on BlackBerry, Windows Mobile, Symbian and Android.

4.2

IT ServiceManagement

Rich help desk and user support. Self-service support. Device monitoring is supported, butnot end-to-end monitoring (extended to BES, Exchange, etc.). Limited troubleshootingsupport.

4

NetworkServiceManagement

Roaming detection, automated restrict policy (Wi-Fi, VPN and email). 2

Delivery Model Completely cloud-based model, with pricing per device or per user, and free service up to25 users. User-based bundled pricing is available for an unlimited number of devices peruser at a flat monthly fee.

4

Page 18: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 18 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Table 7. Critical Capabilities Rating for Good Technology's Good for Enterprise v.6.3.1.x

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Support though proprietary email, calendar and contact client, with security andmanagement capabilities (at both the application and device levels) for iOS, Android,Symbian and Windows Mobile 6.x. No support for RIM OS and MeeGo.

3.5

PolicyEnforcement

Mobile OS version detection, profiles, monitoring, access restriction for iOS, Android,Symbian, Windows Mobile 6.x. Detect jailbroken/rooted devices. Filter access to corporatesystems to noncompliant devices. Control on personal and corporate apps for supportedplatforms. Support for acceptable use and audit trail. Does not rely on a local EAS agenton the device for policy implementation, but provides its own policy implementation. Using"whole device" management APIs on iOS, Android, Symbian and Windows Mobile 6.x.Reporting for installed applications, provisioning profiles installed and certificates installedthrough iOS MDM API will be released later in 2011.

3.5

Security andCompliance

Multiple security and compliance features, but these are made available for selectedplatforms only. User and device authentication, password enforcement, device lock,remote and total wipe, and selective wipe for all supported platforms. Authenticationbetween device and network operations center [NOC], then between NOC and corporateback end. Core encryption for all supported platforms. Media encryption supported forSymbian, Windows Mobile, Palm OS and Android (Dell Streak). Data encryption at restand in transport (container only). Filter access to inappropriate devices for all supportedplatforms. Web filtering for all supported platforms. Whitelists for all supported platforms.Blacklists for Symbian and Windows Mobile. No support for rogue application protection(e.g., application quarantine), antivirus, firewall and mobile VPN. Only supports VPN overWi-Fi on iOS platforms. Other features include device monitoring with coverage historyand last message sent/received, NOC-based architecture, and secure browser for intranetaccess.

3.4

Containerization Clean separation of personal and corporate data, including email, calendar, contacts andattachments. Based on mobile OS sandbox mechanism. Best implementation, with dataleakage prevention. Only email and browser client application so far. Main featuresinclude: enable/disable download of attachments and block by attachment size/type;disable sync of contacts and/or limit sync of specific fields only; disable cut/copy/pastebetween personal and corporate data; detect last time connected to corporate data andwipe if exceeds policy; control intranet sites that users have access to via secure browser.

4.2

InventoryManagement

OTA provisioning and basic inventory capabilities for all supported platforms. Lockdownhardware, check memory space, diagnostics and monitoring of battery life for selectedplatforms (Symbian, iOS, Windows Mobile 6.x)

3.3

SoftwareDistribution

Downloader, application verification, updates and patches for all supported platforms.Private app store supported for iOS, Android and Windows Mobile.

3.3

Administrationand Reporting

No integration with EAS, and no support for OMA DM. Integration through Active Directorywith third-party management systems and portals. Partnerships with monitoring vendors(e.g., BoxTone).

2.8

IT ServiceManagement

Help desk and user support through portal. Good Technology has monitoring capabilitiesfor the device, but no end-to-end monitoring (extended to BES, Exchange, etc.) andtroubleshooting. No BlackBerry support.

3

NetworkServiceManagement

Not available. 1

Page 19: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 19 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

McAfeeMcAfee is a prominent global security player with strong positions in desktop and laptop antivirus, encryption,and comprehensive endpoint management. McAfee has entered MDM through the 2010 acquisition of TrustDigital. It combines its Enterprise Mobility Management (EMM) platform with security support, and itsvirus/malware protection software (via the McAfee ePolicy Orchestrator [ePO] console) with other McAfeeproducts (see Table 8).

Source: Gartner (July 2011)

Return to Top

Mobile Active DefenseMobile Active Defense's Mobile Enterprise Compliance and Security (MECS) provides mobile security andcompliance cloud-based services for organizations to support corporate email and other applications onconsumer and personal devices, enforcing security and compliance policies. It can integrate with e-mail serversand/or cloud services (including personal accounts). MECS is a clientless, zero-footprint product available on-premises, or as hosted or cloud services. E-mail is delivered through the device's native e-mail client through asecure VPN connection with encrypted data transmission. The mobile security server supports anti-spam andcontent filtering, controlling any messages that are being synchronized on the devices. It enforces security

policies on a personal device connecting to corporate email, preserving regulatory compliance (e.g., with ISO27001 or HIPAA). Mobile Active Defense extends controls beyond email by forcing all traffic over the VPN fromapplications to the browser — including content filtering, geolocation-based firewall rules, application inspectionand remediation, and jailbreak remediation. It is also used in combination with hosted virtual desktopinfrastructure (e.g., Citrix Receiver) to provide a secure VPN connection from iPads into the corporateapplication servers (see Table 9).

Delivery Model On-premises and managed. 3.5

Table 8. Critical Capabilities Rating for McAfee's EMM

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Android, Apple iOS, Nokia S60, webOS, Windows Mobile 5 and 6.x, and Windows Phone 7are supported.

3

PolicyEnforcement

Sets password policies, restricts device features and applications, and requires strongauthentication.

3

Security andCompliance

The combined products of Mobile Security for Enterprise, ePO Integration and compliancesets are needed to enforce and report on compliance, based on device configuration, OSlevels, security and jailbroken status. Full and selective wipe. Anti-malware integrationwith EMM and whitelist/blacklist for Android to be added in future releases.

2.8

Containerization Not available. 1

InventoryManagement

Provisioning, distribution and configuration OTA and lockdown hardware. Limited featuremanagement: It collects key information about the device, including user, phone number,device ID, device status, device carrier, and application list. No monitoring (e.g., ofbattery life).

3.4

SoftwareDistribution

Policy-based app distribution, downloader, verification, whitelists/blacklists, versiondetection, updates.

3

Administrationand Reporting

Same centralized visibility and control over the mobile devices on your network as withdesktops and laptops. Can configure ePO dashboard for a customized view of devices byplatform, domain, and group. Supports LDAP and SQL Server integration.

2.8

IT ServiceManagement

Help desk support. Simple end-user provisioning. Basic self-service portal. 2.5

NetworkServiceManagement

Not available yet. Signed TEM partnership agreement. ePO integration planned for 3Q11. 1

Delivery Model On-premises-based software only. 3

Table 9. Critical Capabilities Rating for Mobile Active Defense's MECS Server v.1.1

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Complete support for RIM OS, iOS, Android, Symbian and Windows Mobile 6.x. No supportfor Windows Phone 7, webOS and MeeGo.

4

Policy Mobile OS version detection, profiles, monitoring, access restriction, control on personal 4

Page 20: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 20 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

MobileIronMobileIron launched its product in September 2009, and has seen very quick growth in sales, mind share andmarket share, outselling most MDM platforms in the past year. Built from the ground up, it is solely focused onmobility management, incorporating the Virtual Smartphone Platform (VSP) architecture to support security,data visibility, application management and access control. It does not provide encryption or VPN capabilitiesoutside of what is provided on the device. MobileIron was one of the first vendors to combine MDM withnetwork service management (see Table 10).

PolicyEnforcement

Mobile OS version detection, profiles, monitoring, access restriction, control on personaland corporate apps, acceptable use, and audit trail. Location-based policy enforcement.

4

Security andCompliance

User and device authentication, password enforcement and device lock; remote, selectiveand total wipe. Core and media encryption (except for Windows Phone 7; that is underdevelopment), and auditing. Filter access to inappropriate devices and Web filtering,whitelists/blacklists on selected platforms, application quarantine. Antivirus, firewall andmobile VPN supported. Location-based firewall enforcement. Automatic remediationoptions, including jail break detection, hostile malware behavior and evolving mobilethreats. Policy-driven reactions include notification, remote wipe and network disconnect.

4.6

Containerization Not implemented, but personal and corporate content is tagged, and a selective wipe canbe applied to corporate content only.

2

InventoryManagement

OTA provisioning, lockdown hardware, check memory space, diagnostics and monitoringof battery life and inventory for RIM OS, iOS, Android, Symbian and Windows Mobile 6.x.

4.2

SoftwareDistribution

Application downloader, application verification, updates and patches, app storemanagement, private app store support.

4

Administrationand Reporting

MECS has an EAS installed on it, and supports OMA DM. It can integrate with third-partymanagement systems. It can generate aggregated access reports with Syslog.

2.8

IT ServiceManagement

Help desk and user support, remote control, and self-service. Device monitoring. 3.3

NetworkServiceManagement

Invoice management, contract information. Mobile usage monitoring and alerting. 3

Delivery Model On-premises, managed and cloud services. 4.5

Table 10. Critical Capabilities Rating for MobileIron's VSP

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Android, Apple iOS, RIM OS, Nokia S60, webOS, Windows Mobile 6.x and Windows Phone7 are supported.

4.5

PolicyEnforcement

Detects OS platforms and versions, installed applications, manipulated data, and jail-broken devices. Profiles, monitoring, access restriction to email server. Identifieswhitelist/blacklist violations and takes quarantine or other actions. Control on personaland corporate applications. Real-time roaming detection. Automatic group creation:Autogenerates groups based on ownership so IT can easily apply differentiated policies.

4

Security andCompliance

Password enforcement and device lock, total and selective remote wipe. On iOS devices,selective wipe includes email, Wi-Fi settings, VPN settings and in-house apps. On otherplatforms, like the BlackBerry, it provides a selective wipe of files (through visibility intothe phone's file system, as dictated by the MobileIron privacy policy applied to thatphone). Certificate-based authentication, filter server access to noncompliant devices,rogue application protection (e.g., application quarantine) and whitelists/blacklists of apps.Local data encryption not supported if not natively provided by the device. VPN client notprovided, but VPN can be remotely configured and secured through certificates. Webfiltering, firewall and antivirus not supported. MobileIron Mobility API allows externalsystems to trigger MobileIron MDM actions through a Web services request.

3.4

Containerization Privacy policy gives granular control over what device data (files, usage, SMS, apps,location, etc.) is monitored by MobileIron. Policies can be set by device or groups ofusers/devices.

2

InventoryManagement

OTA provisioning, lockdown hardware, check memory space, diagnostics and monitoringof battery life, and inventory. Ownership designation: Tags each device managed byMobileIron as either employee- or company-owned.

4.1

SoftwareDistribution

Full mobile software management and support. Software and OS updates, patches, andfixes. Private app store. Firmware updates not supported.

3.5

Administrationand Reporting

Prepackaged integration with EAS, LDAP, BES, certificate authorities and email archivesystems. Enable integration to multiple systems through the MobileIron API. Provides alist view of all devices under management and all devices accessing enterprise email, andreporting. No prepackaged adaptor for other management consoles/systems, but theplatform is designed to integrate with external systems. Integration with IT provisioningand management systems, as well as business intelligence databases, is possible throughMobileIron APIs.

4.2

Page 21: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 21 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

SybaseAfaria is Sybase's MDM and security product, also delivered as cloud services within Sybase Managed Mobility

(or as hosted services through partners such as Verizon and Orange). Sybase does not require a proprietaryemail client, but instead offers integrated secure control over a third-party email solution (for Android, viapartner NitroDesk). Afaria provides rich support for software distribution, policy enforcement, inventorymanagement and security. It is one of the oldest MDM products (see Table 11).

Source: Gartner (July 2011)

Return to Top

SymantecSymantec is a prominent global security player with strong positions in desktop and laptop antivirus,encryption, and comprehensive endpoint management. Symantec has offered MDM support in Altiris since2004. Although Symantec has offered MDM for years, Gartner analysts have not seen evidence of competitivepublic visibility until recently, and cannot verify a significant presence through our client references. Symantechas successfully obtained all the pieces for a strong MDM platform, but its strong focus on security causes adiminution in understanding of the business and operational requirements for mobile device life cyclemanagement. Symantec integrates its Mobile Endpoint 6.0 solution for security (anti-malware) with its MobileManagement 7.0 offering, which focuses on software, inventory and application management (see Table 12).

MobileIron APIs.

IT ServiceManagement

Help desk, user roles, end-user self-service, monitoring of mobile infrastructure, andtroubleshooting/alerting for the mobile device and connections.

3.3

NetworkServiceManagement

Wireless Expense Management with Mobile Activity Intelligence gives IT, finance and theend-user a detailed, real-time view of phone usage (voice, SMS and data activity), costdrivers and service quality (e.g., to catch high-cost items, like international roaming andexcess usage, as they happen, to control costs). Traditional TEM services, such as contractmanagement and bill analysis, not supported.

3.1

Delivery Model On-premises and hosted (by partners) in production. SaaS service (MobileIron ConnectedCloud).

4

Table 11. Critical Capabilities Rating for Sybase's Afaria v.6.6

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Support for iOS, Android, Symbian, Windows Mobile 6.x, Windows CE and OMA DM. Partialsupport for RIM OS. No support for Windows Phone 7, webOS and MeeGo.

3.5

PolicyEnforcement

Afaria Advanced Enterprise Security (AES) for Android adds more than 80 devicemanagement policies for Samsung Android devices.

4

Security andCompliance

Password enforcement and device lock; remote, selective and total wipe for RIM OS,Symbian, iOS, Android and Windows Mobile 6.x. Core and media encryption for Symbian,iOS and Windows Mobile 6.x. User and device authentication, filters access toinappropriate devices, Web filtering, whitelists/blacklists, and application quarantine forlimited platforms. Mobile VPN support. Limited support for antivirus and firewall. Supporton iOS and Android application portal for enterprise application management.

3.3

Containerization Granular control over files, application configurations and management tasks on devices,so that administrators can only affect corporate data. In iOS and Android, this separationis built on the sandbox; in Windows Mobile, the separation is built on OS hooks. There isno data leakage prevention.

2.5

InventoryManagement

OTA provisioning, lockdown hardware, check memory space, diagnostics, monitoring ofbattery life, and inventory for RIM OS, iOS, Android, Symbian and Windows Mobile 6.x.

3.7

SoftwareDistribution

Application downloader, application verification, updates and patches, app storemanagement. Limited private app store support.

4

Administrationand Reporting

Comprehensive set of system APIs that allow database access to collected informationfrom other management products. No integration for BES, Good Technology and EAS.

3.1

IT ServiceManagement

Help desk and user support, remote control, self-service, and device monitoring for RIMOS, Symbian, iOS and Android.

3.3

NetworkServiceManagement

Invoice management, and contract information for RIM OS, Symbian, iOS, Android,Windows Mobile 6.x, Windows Phone 7 and OMA DM. Mobile usage monitoring and alertingare under development.

3.1

Delivery Model On-premises, managed and cloud services. 4.5

Table 12. Critical Capabilities Rating for Symantec Mobile Management 7.0

Page 22: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 22 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

TangoeTangoe is a fast-growing communications life cycle management company with TEM and MDM capabilities.Although the primary revenue source is through TEM, the vendor also has seen the adoption of its MDMplatform (acquired from InterNoded) grow during the past 18 months. Tangoe has done a good job ofintegrating TEM and MDM, and offering MDM as a service, although its offering has not yet matured. TheTangoe Mobile Device Management platform focuses more on security compliance and policy management,versus adding encryption for the content or authentication for the device. Tangoe's MDM solution is typicallysold in a bundle with TEM services, and is delivered in multiple ways: as SaaS or behind the firewall, hosted oras a managed service (see Table 13).

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Android, BlackBerry, Apple iOS, Windows Mobile 6.x are supported. No support forWindows Phone 7 and MeeGo.

3.8

PolicyEnforcement

Symantec Endpoint Protection Mobile Edition 6.x detects OS and versions for supportedplatforms. Detects installed applications, manipulated data and jail-broken devices, Filtersor restricts access to corporate servers for noncompliant devices. Restricts applicationdownload. Enforces expense policies. No Web filtering.

3.5

Security andCompliance

Password enforcement, device lock, remote wipe, selective remote wipe (e.g., onlycorporate content), total remote wipe and local data encryption. Certificate-basedauthentication, Monitoring device and data manipulation on device. Rogue app protection(e.g., application quarantine), firewall, antivirus and mobile VPN.

4.1

Containerization Not currently supported. 1

InventoryManagement

Moderate number of features supported; varies by platform. 4.3

SoftwareDistribution

Application delivery capabilities with application self-healing, and on-demand or scheduledupdating of running applications. Private app store to enable distribution of applications,files, links and media. Software updates, fixes and patches for supported platforms.

3.5

Administrationand Reporting

Integrate Mobile Management with Altiris Client Management Suite to extend Symantecsystem management capabilities to manage mobile devices. Web console, OTAprovisioning, and role- and group-based access.

3

IT ServiceManagement

Help desk, user support levels and alerting. Symantec's solution provides thesecapabilities holistically across all endpoints (mobile, laptop, desktop and server): Mobilemanagement is integrated with endpoint management and security solutions through theSymantec Management Platform. No troubleshooting, but integration with other productsis supported.

2.2

NetworkServiceManagement

Not available. 1

Delivery Model On-premises-based software. 3

Table 13. Critical Capabilities Rating for Tangoe's Mobile Device Manager v.5.2.11.1

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Android, BlackBerry, Apple iOS, webOS, Windows Mobile 6.x., Symbian, Windows Phone 7and Gobi 2000 are supported.

4.4

PolicyEnforcement

Supports applying any EAS policy. The limitations are based on the device's OS andmanufacturer. Role-based policy management.

4

Security andCompliance

Provides a granular role-based security model that can restrict all components and actionswithin MDM.

3.1

Containerization Not available. 1

InventoryManagement

Mobile Device Manager supports the full features of inventory management. 4.5

SoftwareDistribution

Deploys or removes corporate applications, and provides a private app store. Support forupdates, patches and fixes.

2.7

Administrationand Reporting

A central management console delivers real-time statistics across devices, platforms anddomains, managing all stages of deployment. Integrates with BES, Good Mobile Messagingand EAS.

3.6

IT ServiceManagement

Help desk and user support. Support for a self-service portal and device monitoring ofapplications, SMS, and voice and data activity against carrier plans.

2.7

Page 23: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 23 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

Source: Gartner (July 2011)

Return to Top

ZenpriseZenprise's Mobile Manager is one of the more innovative platforms available, combining a strong mobile VPNsolution with the use of location-based technologies. It has a clear interface and solid reporting capability. It isa small company focused on MDM. It recently acquired Sparus Software, a small, French security and MDMcompany, to better support mobile security and encryption (see Table 14).

Source: Gartner (July 2011)

Return to Top

Management applications, SMS, and voice and data activity against carrier plans.

NetworkServiceManagement

Specialized capabilities on TEM (e.g., ordering, provisioning and expense management forsimpler phones).

4.2

Delivery Model On-premises-based software and managed services. 4

Table 14. Critical Capabilities Rating for Zenprise's Mobile Manager

CriticalCapabilities

Product/Service Name and Brief Description Rating

Device Diversity Android, BlackBerry, Apple iOS, webOS, Windows Mobile 6.x. and Windows Phone 7 aresupported.

4.7

PolicyEnforcement

Zenprise Security Manage provides a smartphone audit feature to enforce compliance withcorporate policies. Ensures that all smartphones are running only the latest softwarepatches and firmware. Policy and password enforcement, and content encryption.

4

Security andCompliance

Zenprise Security manager tracks policies applied to the device, and identifies missing orremoved policies. Provides detailed reports of potential security problems. Zenprise MobileManager includes four layers of security operating at device, application and network tiers,providing end-to-end security: Dynamic Defense (device security), AppTunnel (applicationsecurity), Secure Mobile Gateway (controls access to corporate networks, applicationquarantine) and Mobile Network Intelligence (enterprise wireless network traffic). IFIPScompliance certification process is ongoing.

4.4

Containerization Not available. 1

InventoryManagement

Zenprise Device Manager provides visibility and control of end users' smartphones. Offersremote control capabilities to troubleshoot smartphone problems.

4.4

SoftwareDistribution

Private app store for users' application discovery, and for IT administrators to silentlyconfigure and provision enterprise applications on smartphones and tablets. Softwareupdates, patches and fixes for selected platforms; backup/restore, backgroundsynchronization and file distributions. Dashboard displays version, configuration andmemory use information for mobile applications across all connected devices.

3.7

Administrationand Reporting

Unified Web console, and role-based and group-based access. Remote control (real timeor permission-based) for BlackBerry, Windows Mobile and Android, including the ability toinitiate chat and voice over Internet Protocol between the administrator and user, or toremotely view and kill processes running on the devices. Offers more than 50 performancereports to aid in your infrastructure planning. Offers profiles of real-time and historicalperformance of BES, Exchange, EAS, Active Directory and SQL servers. Integrates withRemedy, Microsoft Systems Center, IBM Tivoli, HP OpenView and BMC Patrol

3.8

IT ServiceManagement

Zenprise Expense Manager offers smartphone security audits that help avoid costlylitigation or compliance lapses.

4.3

NetworkServiceManagement

Zenprise offers network service management consistent with the described criteriafeatures.

3

Delivery Model Primarily on-premises-based software. 4

Page 24: Critical Capabilities For Mobile Device Management

3/29/12 8:54 AMCritical Capabilities for Mobile Device Management

Page 24 of 24http://www.gartner.com/technology/reprints.do?id=1-16U0UOL&ct=110801&st=sg

© 2011 Gartner, Inc. and/or its affiliates. All rights reserved. Gartner is a registered trademark of Gartner, Inc. or its affiliates. This publication may not bereproduced or distributed in any form without Gartner’s prior written permission. The information contained in this publication has been obtained from sourcesbelieved to be reliable. Gartner disclaims all warranties as to the accuracy, completeness or adequacy of such information and shall have no liability for errors,omissions or inadequacies in such information. This publication consists of the opinions of Gartner’s research organization and should not be construed asstatements of fact. The opinions expressed herein are subject to change without notice. Although Gartner research may include a discussion of related legalissues, Gartner does not provide legal advice or services and its research should not be construed or used as such. Gartner is a public company, and itsshareholders may include firms and funds that have financial interests in entities covered in Gartner research. Gartner’s Board of Directors may include seniormanagers of these firms or funds. Gartner research is produced independently by its research organization without input or influence from these firms, funds ortheir managers. For further information on the independence and integrity of Gartner research, see “Guiding Principles on Independence and Objectivity” on itswebsite, http://www.gartner.com/technology/about/ombudsman/omb_guide2.jsp.