Review: Best tools for mobile device management
Choosing between AirWatch, Apperian, BES 10, Divide, Fixmo and Good Technology depends on specific use cases
Mobile device management tools make sense when you are trying to control who can access your enterprise network and applications from particular phones and tablets. But to effectively evaluate these products, you should first identify what you're trying to control: the apps on particular devices, the pairing of a user with his device, the device itself, or the files on each device.
We looked at six products: AirWatch, Apperian EASE, BlackBerry Enterprise Server 10 (BES10), Divide, Fixmo, and Good Technology's Good for Enterprise. Each has a somewhat different perspective and different strengths in terms of what it can control best.
All support Android and iOS devices, and some also support BlackBerries, Windows Phones, and even (in the case of AirWatch) desktops. Pricing varied from $20 to $75 per user or per device per year, and will depend on the particular features, with quantity discounts typically available. The most transparent pricing schemes came from AirWatch and BlackBerry. We wish others would follow their lead.
Certainly, assembling the various bits and pieces of a typical MDM solution isn't easy: in between the server and client components there is a lot of other stuff that interacts with a great portion of your network infrastructure, including Active Directory, Web proxies, email servers and firewall rules.
For example, some of the solutions we tested tightly couple with ActiveSync so that you can save deployment time and use your existing security policy frameworks in Active Directory. But your own Active Directory implementation may not have any of these fields enumerated, so this may not be as useful as it sounds.
If you have a variety of mobile phones from various vendors running vintage OSs, you will quickly run into installation issues. (We used our Kindle Fire as the oddest of oddball Android versions for that specific reason.)
MDMs are not quite mature protection devices on two other counts. First, for iOS in particular, you can't have more than one vendor's profile active at any given time. This means if your phone or tablet has to traverse two or more networks that are using different MDMs, you are going to have problems. Second, while these products can identify when a phone has been rooted, they can't "unroot" it: you'll have to go through the process on each phone individually.
But there is some good news. Apple has been listening to enterprise users and iOS 7, which came out just as we began our review, offers better certificate management and APIs to incorporate into MDM tools. The new iOS also includes other corporate features, such as support for single sign-on, automatic app updates, and a mechanism to prevent reactivation of stolen phones.
No winners
No single MDM product won this review; all had flaws. But all had strong points as well.
For example, AirWatch had the widest phone/tablet/desktop support. But it also requires a messy collection of different downloaded apps that could be confusing to actually use.
Fixmo doesn't support many device OS versions and its cloud server still needs a supplemental VPN to be completely secure. However, if you’re going the secure container route, Fixmo is a strong contender.
BlackBerry now supports Android and iOS devices, but not in a smoothly integrated way. However, BlackBerry should be on your short list if your primary goal is protecting your messaging infrastructure.
Good Technology is a mature product that features solid email security, fast device enrollment, extensive security policies and wide device support. But Good has weak support for sharing files and apps.
Divide had the most appealing management console and overall simplest setup routines, and also supports licensing unlimited devices per user. It features the best overall approach to MDM and is the easiest to operate, but has the most limited device OS version support.
Apperian does a great job with setting up a protected app portal, but falls down on some basic MDM issues. Consider Apperian if you have developed a large collection of your own apps and want a consistent set of security policies when deploying them.
AirWatch
AirWatch supported the largest collection of devices, and was the only product that had both mobile and desktop management support. It supports iOS 7 and the MDM API that Apple developed for its latest mobile OS, and it has an app in the BlackBerry World app store as well. That is the good news.
The bad news is that AirWatch sells three different products: one for MDM, one for mobile content management and one for mobile applications management. They use a single integrated management console, but have different client pieces for each mobile device. All of this software is delivered from the cloud, although they will work with companies that want on-premises servers or virtual appliances.
Initially, you bring up a browser to begin the installation process. After you sign in to its Web console, you are presented with a lengthy task list and a series of more than a dozen wizards that will take you through lots of sequential steps. Fortunately, there are video and help files galore, including an online chat line for additional guidance.
The enrollment step first installs the app on your phone, then automatically switches back and forth between the browser on your phone and the app to complete the process. This is necessary because AirWatch needs to make use of your Apple certificates to sign its apps, but it is all very smooth.
AirWatch automatically recognized that we had an older version of iOS and downloaded an older agent version to match it. There is even the ability to customize the terms-of-use text when you enroll each device, not that anyone reads this stuff anyway.
Once enrollment is complete, there are additional steps. Menus are clearly laid out and there is a lot of online support, videos, and help, too. The "dashboard" is somewhat of a misnomer: this is where you will find several reports including how many devices are enrolled and in compliance with the stated policies. In addition to this is a separate "Hub," which is actually more of a dashboard, that lists devices, compliance, apps, and other details about your installation.
We had some initial confusion over separating our administrative and user accounts, but once that was resolved, getting all the various tasks completed was mostly obvious. The other MDM products could learn from AirWatch's workflow and setup process.
AirWatch has an impressive collection of granular policy settings, down to the minimum sub-version of Android OS allowed, being able to disable a device's camera, adding geo-fencing or being able to restrict a device to a particular Wi-Fi network.
It has a particularly rich passcode policy that can override the device OS defaults. These various elements are spread across about a dozen sub-menus in the policy section of the product, where you would set up specific policies for each particular device type. When you create a policy, you can either apply it to the device itself or to a group of users, which is nice. When you are finished, you save and publish your profile settings to your device collection in one click.
As we said, there are three different services for AirWatch: the base MDM, a second service to secure files (called Content Locker), and a third to run protected apps. Each service works with its own downloaded app on your device. That’s a lot of apps to download and add to your phone, and it can get confusing to keep switching among them. One caveat: these supplementary apps require iOS v5 or later, although the base AirWatch MDM works on iOS v4 devices.
The Content Locker has its own policy settings, and can set up files that can't be printed or edited, for example. It will also keep track of previous file versions.
You can protect your email servers, just as long as they are Microsoft Exchange, Lotus Notes, Novell GroupWise or Google Apps for Business (which means the free Google Apps isn't supported).
AirWatch supplies yet another downloaded app to use your email securely. There are other connective pieces: one to integrate with Active Directory (to enroll users and propagate policies), a mobile access gateway to connect to internal servers, and one to exchange certificates.
AirWatch's pricing is very transparent and published on its website. Each of the three modules (MDM, content, and apps) is priced a la carte, either as a perpetual license with a one-time, per-device fee, or on a subscription basis with a monthly per-device fee.
The MDM starts at $48 per device per year and the other modules can triple this annual cost. There is also a free 30-day trial for 50 devices that offers full functionality. AirWatch plans to begin selling a lighter-weight version called Pro that will have fewer features and be lower priced.
Apperian EASE
As you might guess from its name, Apperian is all about the apps. While it sells its product with its own MDM, it is very lightweight in terms of device and user control. If you have a lot of corporate mobile apps and you want to wrap them in a very secure mechanism to keep track of who uses them on what particular devices, then this is the product for you.
Apperian has two separate functional modules: an application control system and a built-in MDM. The MDM module doesn't support BlackBerries; they are supported only on the app module. It has fewer features than the other MDM products we reviewed, although you can do the basics, including wiping data from your phone, rootkit detection, controlling copy/paste from the mobile's clipboard, and some rudimentary password control on your devices.
Initially, you don't download anything to your phone; instead, you use your phone's Web browser to bring up the enrollment link and download a customized app store for your particular device and user name. However, this simple process is balanced by a tedious app wrapping process to add your security layer.
Each app can have its own security policies and they are very clearly spelled out in the policy screen on the Web management console. You need to make use of a corporate app certificate to wrap each app: Apperian prevents you from using individually signed certificates to distribute your own enterprise apps. Once you have created a customized app, you can't delete it remotely from iOS without an MDM enrollment.
Its app catalog comes in different versions for native iOS or Android devices, along with another catalog that supports HTML5 and can be displayed in the device's Web browser, which is how BlackBerry can access its app catalog.
Apperian has some basic reports on app usage but doesn't really provide the kind of details on your devices that other MDM products have. It also has solid online context-aware help screens.
Apperian's pricing is $48 per user per year. This means that if you have users who own many devices, they don't pay anything extra, as some of the other MDM products charge by device.
BlackBerry Enterprise Server (BES) v10.1
BES always was one of the more solid and secure MDMs and the BlackBerry was almost synonymous with protected mobile email back when the company was called Research in Motion (RIM). Until recently, BlackBerry could only manage its own devices. Now it is capable of managing both Android and iOS too, via a new Universal Device Service. The extension into the brave new world of managing its competitors is intriguing, full of solid advantages, but somewhat complex to administer.
First, BES and Good are probably the two best MDM solutions we tested for really locking down your mobile email. If this is a big concern, then you should consider this product on that alone. Second, BES has a solid collection of iOS/Android device management policies that you wouldn't expect from a v1 product.
They cover the waterfront, from a very granular collection of password policies to turning off specific phone peripherals (and not just disabling the camera itself but more subtle things like being able to hide the icon on your phone desktop or disable screen captures). There are policies to wipe your phone or require particular iOS or Android versions. For each policy, you can see which version of iOS or Android is relevant right on the screen: that is a nice touch and we wish other vendors were as forthcoming in documenting this.
To get started, you'll need to install the various bits and pieces on a Windows Server (we tested a version that was already set up for us). There are three Web-facing consoles: one for your overall situation that is more of a dashboard with seven nice summary reports, one for managing just BlackBerry devices, and one for managing Android and iOS devices.
Each of the three consoles has different user interfaces and collections of tools. So if you want a single policy that can cover your entire installation, you are out of luck here: you'll have to create a BlackBerry policy for password complexity, and then go over to the Android console to create the same thing again for those devices. We hope that eventually all can be melded into one unified console, because that is this product's biggest drawback.