Market Guide – Mobile Device Management for ITAM
This guide looks at tools enabling ITAM-related management of mobile devices. It is primarily focused on tools that enable key parts of the ITAM lifecycle to be performed – in particular Discovery, Inventory, Management, and Retirement.
Mobile Device Management for ITAM
Applying ITAM principles to your mobile devices is important for a range of reasons, including:
If you are issuing company devices to your employees & actively managing them, there may be a license requirement. This is particularly the case for organisations licensing Microsoft software on a per-device basis.
Device lifecycle (onboarding/offboarding)
Company-owned & issued devices need to be tracked through their lifecycle. By their very nature, mobile devices move from location to location – with a resulting impact on your Hardware Asset Management practices.
Mobile devices inevitably contain data subject to security, privacy, and compliance requirements. These requirements mean that you need a method of discovering where the device is, what data is stored on it, who is using it, and to have a means to wipe the device in the event of theft or loss.
With mobile devices often costing more than a standard issue laptop, there is an obligation to pay close attention to cost management. Devices, and the SIMs/mobile contracts associated with them, present a microcosm of your larger IT infrastructure. The hardware may be capital expenditure whereas the SIM card and contract will be operating expenditure, as will much of the software installed on the device. Managing this is complex due to the often-high number of devices and SIM contracts.
Market Characteristics & Management Requirements
Managing mobile devices differs from the management of PCs and servers in a number of ways.
Several ownership models exist, and each has an impact on ITAM practices. These models include:
BYOD – Bring your own device
Under this model the employee uses their own mobile device for work purposes.
CYOD – Choose Your Own Device
Under this model the employee selects a device that is solely or partly owned by the organisation. For example, some companies may provide a voucher for a device purchase, freeing up the employee to choose a higher price model.
COPE – Company Owned, Privately Enabled
Under this model the company owns and manages the device but permits employees to use it for personal use.
COBO – Company Owned, Business Only
As with COPE, but personal use is not permitted. Prevalent in industries where security is of utmost importance, and typically results in employees carrying two devices.
COSU – Company Owned, Single Use
This class of device can range from an iPad Pro to an embedded IoT device. The difference is that the device is completely locked down to use a single application or provide a single function – often known as “kiosk mode”. COSU was originally a Google term applied to inexpensive “white-label” Android devices.
The above models can also apply to the airtime/data contract associated with the mobile device and can be mixed. With the growth of dual-SIM devices it is possible to have BYOD hardware running both a personal SIM & a company-supplied SIM, for example.
Implications for ITAM
The above ownership models have an impact on the degree to which the device is controlled and managed by the organisation. A COBO device may be completely locked-down by an organisation, which will assume full management responsibility for the device, including hardware replacement. Conversely, a BYOD device will be owned and replaced by the employee, who is also often paying for the airtime/data contract.
More acronyms – MDM, MAM, UEM
Mobile devices attract their fair share of acronyms (3G, LTE, CDMA, etc.) and management of these devices is no different. To a certain extent, mobile device management has evolved through these stages (MDM to MAM to UEM). So, what do these acronyms mean?
MDM – Mobile Device Management
Management of mobile devices started with MDM. MDM solutions tend to focus on basic requirements such as device enrolment and remote wiping. Usually, a classic MDM solution required an administrator to enrol the device, set up syncing for email and other data, and enable the ability to remotely wipe the device. MDM tended to align with HAM – in the sense that a new device was added to an inventory and issued to a user.
MAM – Mobile Application Management
MAM extends MDM capabilities by providing administrators with control over the application layer of the mobile device. This includes installation, updating, and deletion of company and commercially-available software packages, and may include some element of installation controls. Whereas MDM aligns with HAM, MAM aligns more closely with SAM.
UEM – Unified Endpoint Management
As the consumerisation of IT has progressed, IT Operations teams have turned to Unified Endpoint Management solutions to manage their estates. UEM tools provide a single interface to manage all devices present on a network – servers, laptops, PCs, tablets, mobile phones – and even wearables and Internet-of-Things devices. UEM is an evolving sector at present; as ITAM managers we should expect some overlap between it and our existing toolsets, particularly around inventory and discovery. Most tools in this guide have UEM capabilities due to changes in the management instrumentation of Windows & macOS with Windows 10 and macOS High Sierra respectively.
The tools listed in this market guide are assessed from an ITAM standpoint, rather than from a full feature set needed by, for example, IT Security or IT Operations. As such, we are interested in the information and functionality they provide at each stage of the ITAM Operational lifecycle.
- Discovery capabilities will focus on detecting mobile devices present on your corporate network.
- Inventory capabilities should include application inventory along with usage data per device and per user.
- Operate/Service capabilities will cover addition and removal of software, and a level of control over the device.
- Retire capabilities should include the ability to recover software licenses from the device alongside the ability to remotely wipe it.
Additionally, note will be made of support for vendor-specific capabilities such as Apple VPP, ABM & DEP, Android Enterprise, and Samsung Knox. These vendor-supplied capabilities are built into their devices to provide enterprise readiness for what are, essentially, consumer devices. These tools include capabilities such as pre-activation, application containerisation, and provisioning of company-owned applications to personal devices.
In compiling this guide we have sought to include a wide variety of solutions in terms of cost, target organisation size, and geographies. If you are a vendor with an MDM/UEM/MAM solution with ITAM-related capabilities and are not included, please contact us for possible inclusion in a later revision. Similarly, if you are an end user of a solution not listed, please consider submitting a review on The ITAM Review Market Place.
42 Gears SureMDM
42 Gears is based in Bangalore, India and provides a range of Endpoint Management products. For the purpose of this guide, SureMDM is the most relevant product. SureMDM manages a broad range of devices all the way from legacy endpoints such as Windows 7 to modern wearables and IoT devices. List prices range from $4 to $8 per month per device. Support is provided for Apple DEP & VPP, alongside Android for Enterprise & Samsung Knox.
Blackberry Unified Endpoint Management
Blackberry Unified Endpoint Management is the current iteration of Blackberry’s venerable device management and security suite. Additionally, it incorporates features and functionality from a former market leader, Good Technology, acquired in 2015. In many ways, Blackberry invented smartphone management technology and they continue to innovate, lead, and deliver in this sector. Blackberry UEM is an enterprise scale (up to 150,000 devices) solution for managing Apple iOS, Android, Windows 10, macOS, and Chrome OS devices, with deployments on-premises or cloud-based. It is sold in 5 editions, all of which meet ITAM-specific requirements.
Certero for Mobile
Certero for Mobile is the first ITAM-dedicated tool to feature on this list. Flexible deployment options exist from on-premises through to public, hybrid, or private cloud. Certero for Mobile is dedicated to managing iOS & Android devices, with support for Apple VPP & DEP, and Android Enterprise. The solution forms part of the Certero Management Platform, alongside other Certero solutions, providing a single view of your asset base. It is also available as a standalone solution.
Citrix Endpoint Management (XenMobile)
Citrix approach UEM from their core competency in user workspace management. As such their offering is extremely broad and deep – far beyond the requirements for ITAM-specific management of mobile devices. Citrix Endpoint Management is available as a standalone offering although usually deployed as part of a wider Citrix deployment. It supports Apple VPP & DEP & Android Enterprise. This product is particularly strong in offering containerised, secure applications for common business functions such as email and document-sharing.
Cisco Meraki MDM
Cisco Meraki’s unique capability is in the centralised management of an organisation’s network alongside its computing endpoints. For the purpose of this guide it has a strong focus on managing BYOD alongside company-owned Macs & PCs. This solution may be a good fit for organisations with a Cisco-based physical network.
Eracent Mobility Manager
Eracent Mobility Manager is integrated with their IT Management Center (ITMC) platform, providing a comprehensive view of all asset types in a single interface. This solution is based on IBM (formerly Fiberlink) MaaS360. Additionally, Eracent customers can use Eracent Data Extractors (EDEs) to bring data from third-party UEM tools into the ITMC platform.
Google G Suite MDM
Google G Suite includes MDM in all paid-for editions at no extra charge, enabling management of Android, iOS, and Chromebook devices. However, there is no support for the Windows ecosystem. This is a good option for G Suite customers to get started with MDM and as with all G Suite services it is available as a per user license via cloud deployment.
IBM acquired MaaS360 from Fiberlink Corporation in 2013. As with VMWare AirWatch, MaaS360 was a market leader at the time of acquisition. In the intervening years IBM have developed and integrated MaaS360 with existing toolsets such as BigFix and their AI platform Watson. Offered in 4 editions and priced at between $4 & $9 per device per month, it is a very competitive offering. As the name suggests it is a SaaS-only deployment capable of managing Android, iOS, macOS, and Windows devices. It also has strong capabilities for managing IoT & COSU (kiosk) devices. These extend to rugged Android devices such as those from Zebra, Panasonic, and Honeywell – devices common in industrial, engineering, and retail sectors.
Ivanti Unified Endpoint Management
Ivanti’s background in IT Service Management (as Landesk) means there are a number of UEM solutions in their portfolio. Their solutions offer breadth, integrating client management tools with mobile device management, and IT Asset Management. The solutions employ both agent and agentless discovery methods and are able to manage the full ITAM lifecycle for iOS & Android devices, alongside robust management tools for Windows & Mac computers.
ManageEngine Mobile Device Manager Plus
ManageEngine MDM Plus provides management capabilities for Apple iOS, Android, and Windows including application distribution, inventory, discovery, application containerisation, and remote wipe. The containerisation feature improves security of BYOD devices by storing all enterprise data in an encrypted container, separate from the user’s personal applications. The solution is available On Premises or as a Cloud deployment and is free for up to 25 devices. List pricing for the Professional Edition deployed as a cloud service is $30k per annum for 2500 devices.
Matrix42’s UEM solution combines two products – one for desktop and one for mobile management – into a single management console. Matrix42 have long-standing capabilities in desktop endpoint management and integrate UEM with their ITSM products, providing the ability for automation & employee self-service. The solution is licensed per-user which may be more cost-effective than other solutions, given that most users will have multiple devices.
Microsoft Intune is available standalone or bundled as part of their Enterprise Mobility + Security (EMS) product. For organisations with substantial on-premises Windows deployments, the inclusion of Windows Server CAL equivalent rights with EMS is likely to mean that EMS is the more cost-effective method of acquiring MDM capabilities from Microsoft. EMS E3 list price is $8.74 per user per month. For devices not associated with a user (e.g. kiosks, tills, and so on) there are also Device subscription licenses available. Intune provides full ITAM-lifecycle management capabilities for Windows, macOS, iOS, and Android and provides close integration with Office 365, in particular differentiating from other products around information protection.
Miradore is unique in the market in offering free MDM for unlimited devices. Cloud-based only, it provides instant access to basic MDM capabilities for any size of organisation. Miradore manages Android, Apple, and Windows 10 devices. For full ITAM lifecycle management the paid-for Enterprise plan will be required, costing £2 per user per month.
MobileIron Unified Endpoint Management
MobileIron are pioneers in the MDM space, founded in 2007 and perfectly placed to deliver enterprise-grade mobile security products that enabled the shift from Blackberry to iOS & Android. Their solution continues to manage iOS & Android devices, with the addition of macOS & Windows 10 to build out their UEM capability. MobileIron also work closely with industry partners as an OEM provider and have an extensive sales and partner network providing managed services.
Snow Device Manager
Snow Device Manager is closely integrated with other Snow products – notably License Manager and Automation Platform. This close integration enables onboarding/offboarding and tracking of software license consumption and requirements. Support is primarily focused on iOS & Android in comparison to other tools in this guide but as such may be a good solution for an existing Snow customer looking for a point solution. Deployment is available on-premises or as a SaaS solution.
Sophos Mobile UEM
Sophos Mobile is deployable as a cloud service or on-premises. It provides an integrated solution for managing Android (Knox & Android Enterprise), iOS 11, Windows Phone, Windows 10, and macOS with options to license by user and device. Available as a standalone service, it also integrates with Sophos’ Endpoint Protection security suites.
SOTI Mobicontrol manages Android, iOS, Windows, macOS, Linux, and IoT devices, providing the widest coverage of any tool in this roundup. SOTI focus on security, compliance and reliability in the context of mobile device management and have a suite of complementary products including remote access/support software.
VMWare Workspace One UEM
Workspace One is VMWare’s UEM product, acquired from former market leader AirWatch in 2014. AirWatch’s strong capabilities are now wrapped up in a very broad UEM offering from VMWare, with options available to manage user workspaces and provide full desktop virtualisation. As with other products in this guide the core functionality exists to manage Android, iOS, macOS, and Windows devices. This solution will be a good fit for organisations committed to VMWare’s ecosystem, but may be overkill for smaller organisations. The product is available on a per device or per user basis, with pricing across 4 tiers rising from $3.78 per device per month for Standard up to $25 per user per month for Digital Workspace plus VDI.