Analysis: Mobile Device Management

Can't afford the problems inherent in unmanaged handhelds? A strategic mobility initiative must include device management to keep your users in sync. We evaluate the four leading architectures.

April 28, 2007

34 Min Read
Network Computing logo

There's a lot of evidence that today's enterprise IS going mobile. The mobile-application market may experience double-digit growth and reach $3.5 billion by 2010, according to IDC. Enterprises like the fact that gains in productivity can be had as employees can work from virtually anywhere.

That mobility brings with it the need for a cohesive management strategy for handheld devices. But as companies have moved to take advantage of mobile productivity gains, they've done so without a centralized approach. In fact, a recent In-Stat survey of 505 executive from seven vertical markets regarding their deployment and adoption of wireless data applications found that about half of organizations let users pick their mobile device, carrier and pricing plan.

The problem with such a laissez-faire attitude toward enterprise mobile deployments is that it can counter improvements in productivity and lead to security vulnerabilities. Forcing users onto a single platform, such as the BlackBerry, simply may not be practical; MDM (mobile device management) systems can provide a means to perform device lockdown, security support, inventory and policy management, and backup while still letting users select their own devices.Nine vendors make those management systems, and four of them--Avocent LANDesk, Nokia Intellisync, Novell and Sybase iAnywhere--came to our labs for testing for a follow-up to our last mobile device management review (see "Herding Highly Mobile Cats"). All provide top-notch support for handhelds and laptops, but there are differences among them. Sybase's Afaria offers the best data encryption. Nokia's Intellisync Device Management platform introduces self-service features. And Novell and Avocent LANDesk build on capabilities in their corresponding desktop-management tools. For comparison, we also looked at Research In Motion's BlackBerry Enterprise Server (see "What About RIM?" ) and hosted device-management products from Perlego and iPass (see "Can't Someone Else Do It?").

Continue Reading This Story...

RELATED LINKSHerding Highly Mobile Cats

Rollout: Sybase's Information Anywhere SuiteDesktop Management Product Analysis RoundupMobile Messaging Gateways

IMAGESClick image to view image

NWC REPORTSDownload our in-depth review Mof mobile device management products from Avocent, Nokia, Novell and Sybase.

AROUND THE WEBMobile Broadband Data ServicesMobile broadband is here--is your enterprise ready? Get the facts from this in-depth report in choosing the right technology choice for your environment.

Tool Scope

With MDM products serving as the base for deploying applications, managing policies and securing devices, other applications and management products can then be layered on top. Mobile VPN and connection-management software; content-management systems; peripheral device management software; and mobile virus protection, firewall and encryption products all can play a role, working with an appropriate MDM product. However, we confined the scope of our comparison to the deployment of applications, policy management and security.

That casts a wide net and, aside from the four vendors that accepted our invitation, five vendors declined. After initially accepting our invitation, Altiris backed out, saying it's working on new code for its mobile security piece and couldn't provide shipping code by our deadline. Motorola Good declined, stating its product was geared more toward security and not some of the other features our review would focus on (such as inventory management and device backup). Hewlett-Packard/Bitfone and Synchronica were unable to respond by our invitation deadline. Ericsson didn't respond at all.

ArchitectureAll the products we tested require client software on each handheld. To simplify deployment, admins can send a Web link to the installation software, over SMS (Short Message Service) or e-mail, to distribute clients remotely. For the most part, the base functionality was the same with each system: A client establishes a connection to an enterprise server at a specified polling interval to determine if there are any updates or new software to install.

The one exception to this model is Nokia's--its system can pull or push updates; the push connection is the same one Nokia employs for mobile e-mail (which is also supported in the Intellisync platform). Given that most updates aren't time-critical, it's not crucial to maintain an always-on connection for updates, especially since the server can notify handhelds (using SMS) that they need to initiate synchronization to the server. However, for enterprises that consider software updates, data backup and/or security enforcement (issuing a device-lockdown message, for instance) critical, a push architecture is more efficient than pull.

Most of the products we tested run behind the enterprise firewall, requiring that ports be opened for communication between devices and the back-end server (see "Getting Behind the Firewall" in the gallery). Again, Nokia's network architecture is different: While the others rely by default on direct connections to the device-management server through the enterprise firewall, Nokia's setup lets you deploy a second server in the DMZ to relay traffic securely to the Intellisync server. However, the same functionality can be achieved on the other systems through the use of a reverse proxy (Sybase iAnywhere ships Apache with its Afaria device-management server to provide reverse-proxy services).

All the products we tested relied on hosting a copy of the client installer on a Web site, then informing the user that the client was available for download. This can be accomplished by sending the user an e-mail or sending an SMS message to the user's device. Another option is to deploy the client to handhelds using a desktop cradle and a synchronization program like Microsoft's ActiveSync or Palm's HotSync. We don't believe this option scales as well: It relies too much on end users; an OTA (over the air) deployment is better.

Plugging The HolesSecuring mobile devices is essential. Even if mobile e-mail is the only application available to an employee, unmanaged mobile devices can represent a real security risk to the enterprise, since messages often contain proprietary or confidential data. Additionally, because smartphones and PDAs are small, they're easily lost or stolen, creating a major problem for security administrators.

Sure enough, security features are what distinguish these device-management products from one another. The ability to enforce passwords and remotely lock and wipe devices is table stakes. In our recent user survey, readers chose data encryption as the third most-wanted feature (just behind encryption of data communications and user authentication). While encrypting all data communications is best left to the likes of mobile middleware or VPN vendors, device file encryption is something we wish more MDM products would do. We also would have liked better support for locking down device hardware. When we brought this topic up with the vendors, they said a lack of standardization among devices (especially those powered by Windows Mobile) makes it difficult to universally lock hardware features like cameras or Bluetooth. We're not sure we buy this; we've seen products marketed in the mobile security arena that are tackling this exact issue in an easy-to-use, intuitive way.

All the products let you perform general security tasks with relative ease. However, iAnywhere and Nokia offer advanced features.

Sybase iAnywhere impressed on the security front in a few ways. First, iAnywhere is the only product to provide native file-encryption support in the device-management suite, and that's key. With iAnywhere, administrators can set policies to encrypt data, rather than wipe it, from devices in the case of failed password attempts or prolonged lack of communication with the device-management server--useful if, for instance, the device stays in a drawer and then is sold on eBay. When a device is wiped it must then be completely reprovisioned; simply encrypting data keeps it secure while obviating a complete wipe.

Nokia impressed us by providing a self-service portal for users to perform management functions. Rather than having to call the helpdesk every time a device is lost, Nokia's portal lets a user remotely erase PIM and e-mail data, hard-reset a device (resetting it to the factory default) or lock a device with a password. Considering the number of times devices in our lab have gone missing only to be found an hour later, we can see the benefit in off-loading some of the remote lock/wipe chores from the helpdesk. That said, administrators can certainly still perform these tasks.For enterprises concerned with user authentication, the products from Nokia and Novell may present the best bets. While we were at times frustrated with Novell's implementation, which is based on the company's eDirectory identity-management system, it did offer some inherent advantages. Because users are derived from eDirectory rather than its own arbitrary user container, ZENworks can enforce passwords that draw from eDirectory--which can, in turn, pull from Active Directory. Intellisync also lets you pull user credentials from an Active Directory server. However, though both options tie user authentication to the enterprise-authentication structure quite well, the complex passwords often required by LDAP stores may diminish the user experience due to the small keyboards on smartphones (we fat-fingered many passwords during our tests).

App Deployment

Security isn't the only problem with unmanaged mobile devices: The inability to centrally administer devices and deploy mobile applications and patches means that those tasks become time-consuming. IT departments must conduct such operations manually, working on each device. A lack of centralized inventorying makes it difficult to audit software licenses and verify that users have the applications they need to do their jobs. This added workload for the IT staff weighs against the increased productivity (and, therefore, financial gain) that other departments enjoy from the use of mobile devices.

One of the greatest MDM features is the ability to deliver applications or updates down to your devices over a wireless network. Anyone in IT who wasn't under a rock this March was aware of the headaches caused by the U.S. Congress' decision to start daylight-saving time four weeks earlier than in the past. Desktops and servers weren't the only hardware affected: Microsoft, Palm, RIM and Symbian (the four leading mobile OS manufacturers) all released patches for their mobile platforms in the weeks leading up to the daylight-saving time switch date. While many phones weren't affected, because their clock settings are acquired from the cellular network, applications that rely on device-specific clock settings (such as Outlook) did require patches. Without a MDM system in place, IT administrators had to patch each handheld individually, rely on users to apply the patch themselves, or risk employees showing up to meetings an hour late.

All the systems we tested let administrators deploy applications over a wireless network from a central location. The software from Nokia and Sybase let admins distribute files as chunks (that is, a configurable number of bytes per synchronization). This is important for large updates; mobile devices operate with limited bandwidth (WAN connections offer anywhere from a few hundred Kbps to a little over 1 Mbps of bandwidth), and administrators may not want to have a multimegabyte update hog bandwidth. Complex installations also can be handled, including those that require dependencies (for example, not installing X unless Y is installed) or where installers need to be executed in a specific order.If your organization deploys mobile applications, it's good to be able to confirm whether those applications reached your devices. That's where inventorying comes in. All the platforms we tested let administrators take stock of installed software and check available memory, OS type and battery level. Many times, administrators won't have direct access to the mobile devices they're administering. As a result, being able to audit these devices remotely is very important; in fact, respondents to our survey rated it as the second most important device-management feature. That makes sense: A mobile application is only good to your users if they have the application and their device is working properly.

Device Lockdown

End-user perceptions and expectations about mobile devices compound problems; cell phones are with employees more than any other device and walk the fine line between personal electronics and business devices. Users perceive these devices as "theirs," yet want all the enterprise business features they hear about in advertisements. MDM products also let administrators set policies to control how a device is used. This can help prevent users from playing solitaire on their new Motorola Qs all day.

In our tests, we were relatively pleased with the device-lockdown features offered. Although users could re-install an application deleted by the device manager, as soon as the next sync occurred, the application gets deleted again. While IT may decide to exert ultimate control and prohibit games and other applications from residing on a device, it's not necessarily the best policy. Giving users mobile devices on which they might play Tetris while stuck in an airport may not be a bad thing. The goal should be to make sure such applications don't hinder productivity, while still providing flexibility, freedom and some protection.

PricingThe conventional management vendors participating in our tests were very aggressive in pricing. Avocent LANDesk's and Novell's pricing started within $4 per node of each other ($55 per node for LANDesk Handheld Manager and $59 per node for ZenWorks Handheld Management). Sybase's Afaria was the most expensive, at $69 per node plus $5,000 for each deployed server, and Intellisync had a starting cost of $90 per node. With the higher costs of Intellisync and Afaria, however, come unique features that deliver increased value over their competition.

In The End

With security representing a major obstacle to deploying mobile applications, and with some IT managers viewing mobile devices as a threat, addressing security concerns has been a key issue for device-management vendors to tackle.

We liked Afaria's data-encryption features, along with a slightly more appealing device-security client. With strong tools for protecting data, Sybase's product is best-suited for verticals that deal with a lot of confidential customer data, such as in health care or financial management. Its group-based policy model makes it suited for large fleet-based deployments as well. Sybase iAnywhere has a proven track record for mobility: The company recently signed a deal with the U.S. Census Bureau, in which Afaria will manage mobile devices used in the 2010 census, marking one of the largest mobile deployments in the world. Sybase's cost may seem expensive at first, but when you factor in the increased cost of adding third-party encryption support, by our calculations, Afaria is cost-competitive with Nokia's Intellisync. That said, one quibble with Sybase's software is that we weren't as pleased with its management interface as we were with Nokia's.

Speaking of Nokia, its software represents another strong option for MDM with unique features. The product takes a more efficient approach than Sybase's, both from cost and staffing standpoints. Its self-service portal helps off-load management functions from helpdesks to mobile workers themselves, which may help organizations cut staffing costs. Nokia also presents a much more intuitive user interface; it was the simplest product to use by far. Because Nokia can easily tweak policies for individual users (Sybase Afaria uses a group-centric model), carpeted enterprises and sales staffs may find it more valuable. Nokia's Web-based self-service portal also may be helpful for small and midsize companies that operate with lean IT and helpdesk staffs. Nokia also has a strong track record in the mobile space; the Intellisync platform is deployed by major carriers and service providers worldwide in their hosted device-management systems.If you're already running Novell ZENworks or Avocent LANDesk to manage your desktop systems (or are adopting a new desktop and server management system), using these products to manage your mobile devices makes a lot of sense. All your administrators can work from a common system. And at a relatively low incremental cost per device, we figure adding handheld management into your existing management suite is a no-brainer. Although pure-play MDM vendors say they can support your desktop environments too, if you're trying to manage tens of thousands of desktops we can see where Novell ZENworks or LANDesk would have the edge. We'd place all four products we tested on our shortlist.

Although the products we tested were from vendors that focus on mobility, keep an eye on conventional device-management vendors. With Symantec (which has experience in developing mobile security products) purchasing Altiris (a leading device-management company), we expect this arena to continue to develop and gain even greater parity with systems from mobile-centric vendors (see Interview, page 80). Whether mobile vendors will try to make further inroads into the desktop-management sector remains to be seen.

A final note about standardization: We've heard complaints about its absence among mobile device platforms, even on the same OS, within the mobile industry for a while. Two solutions exist: Develop a standard hardware profile, as you would do for your PCs, or develop a standard way of performing device management. The good news is Nokia and other vendors are pushing for OMA DM (Open Mobile Alliance Device Management), a standards-based approach that should allow for device management at lower layers of the hardware stack. Right now, OMA DM is carrier-centric, but there have been efforts to tie OMA DM more tightly to enterprise device-management platforms. We hope to see more traction in this area over the next year. What About Rim?

We'll admit it: We've been ignoring the 500-pound gorilla in the room. Research In Motion's BlackBerry is one of the top mobile device platforms in the world, so it is certainly worthy of discussion. The fact is, RIM's BlackBerry is a strong, albeit partially proprietary, system. Our review was focused on device-management systems that offered cross-platform compatibility; alas, RIM doesn't do that yet.

RIM has gotten a lot of knocks from competitors and some analysts for not being a good application-development platform, but in speaking to technology pros, one finds that's not entirely the case. Northrop Grumman, for example, standardized on the BlackBerry platform originally for mobile e-mail, then expanded its use to PIM (personal information management), then to enterprise applications (primarily specific field-service-automation apps, but some CRM apps as well), says Keith Glennan, CTO at Northrop Grumman. RIM's BES (BlackBerry Enterprise Server) has been used exclusively as the company's handheld management and security platform.Most people recognize BES as a mobile e-mail platform that integrates with Lotus Notes, Microsoft Exchange or Novell GroupWise. But BES also provides access to back-office data (through its Mobile Data Services feature) and provides extensive device-management capabilities as well. BES's device-management functions, however, are a double-edged sword. BES has excellent device management, but only for BlackBerrys. Administrators can disable individual pieces of hardware on the device, such as cameras and Bluetooth peripherals. No other MDM vendor we've worked with can offer the granular level of control that RIM exerts over its own BlackBerry hardware.

However, though RIM has begun to extend the BES platform to other handhelds based on Palm, Symbian and Windows Mobile through its BlackBerry Connect program, only mobile e-mail and data services are offered as features. RIM says it introduced a "robust set of IT policies," including mandating passwords and controlling access to applications. But according to David Heit, senior product manager at RIM, "It is up to the device manufacturer to decide which IT policies to include; however, many are expected to support the new IT policies on their BlackBerry Connect-enabled devices." We haven't found that device manufacturers have picked up on these new policy-management features. So, today, if you want to deploy BES and manage non-BlackBerry devices with it, you'll have to deploy a separate MDM package, or work with a hosted provider, to manage them.

The good news is that many MDM vendors have at least some form of integration to the BlackBerry platform. This is mostly limited to inventorying and some security features (device wipe and lock, for instance). IT managers can thus do the majority of their management from a single console while performing more advanced features through BES. Vendors cited a lack of access to lower levels of the BlackBerry hardware platform as a reason why they haven't provided similar features for device management in their own systems. Enterprises that want to use BlackBerrys will have to run BES anyway, so running it to handle more advanced security policies while relying on a central MDM solution to handle inventorying shouldn't pose much of a problem.

BlackBerry has a compelling feature set and, with recent handsets like the Pearl and 8800, the product has begun to have better feature parity with other competing handsets, such as Palm's popular Treo. We only wish RIM would provide a more feature-rich experience between BES and platforms outside of the BlackBerry OS--and that manufacturers would implement those features as well. Can't Someone Else Do It?

Your data center is packed to the brim, the lights dim every time you reboot a server and not only can you serve up Web pages, you can bake some tasty bread in the process. Now you've been called on to manage your enterprise's mobile devices. But with already taxed resources, do you really need to dedicate one or more beefy servers to managing your mobile deployment?The truth is, you don't have to do it all yourself. Hosted and managed options can take the burden off of both your data center and your IT staff. Enterprises can use offerings from iPass, Nokia Intellisync (which resells an OEM version of its software to carriers and other service providers) and Perlego (which also resells to service providers) in a hosted model. In addition, mobile carriers, including Sprint, have started to offer hosted MDM. Besides reducing strain on the data center, hosted solutions provide higher reliability and availability compared with in-house setups. Service providers have the resources and expertise to keep servers and services up and running, two factors that may not be available within the enterprise.

Although we didn't test these options extensively, we did receive demonstrations from Perlego and iPass to get a feel for how hosted offerings worked (we didn't look at Intellisync's hosted model, focusing instead on its installed version).

Whereas most of the servers we installed in our test bed used a management console to manage devices, hosted options operate over a Web interface. We found that both iPass and Perlego offer many of the features an enterprise would need to manage its mobile-device deployment without the extra cost and complexity of running its own servers. Perlego, iPass and Intellisync all made sure to note that the setup is designed to be virtually separated, meaning that, while multiple clients' mobile deployments will be managed from the same physical server, from a logical standpoint the installations are separate. Organization A can't access or manage organization B's mobile devices.

Hosted solutions may be worthwhile as your company starts with limited mobile device deployments and gradually expands. As deployments begin to scale and become more complex, it's probably sensible to bring device management directly under your control. Expect costs to run from $5 to $15 per month per device plus any additional setup or hosting charges.

Despite being akin to the boogeyman in the IT world, outsourcing can also represent a good strategy for some organizations. Let's face it: Like managing desktops, managing mobile devices can be time-consuming for any IT staff. If your resources are taxed, working with companies that offer IT outsourcing, like Hewlett-Packard (which we spoke with for this article), may represent a good option, leaving your IT staff to tackle strategic challenges like developing and supporting mobile applications to make the lines of business more productive.Product Review: Mobile Device Management Systems

NWC Reports: Mobile Device Management

To qualify, products in our mobile device management comparison had to offer security features (remote wipe, lockdown, device reset and policy support), OTA (over-the-air) software deployment, centralized policy management and inventorying capabilities. In addition, one or more handheld platforms had to be supported (Windows Mobile/PocketPC, Symbian, Palm OS or RIM OS).


Avocent LANDesk, Nokia, Novell and Sybase iAnywhereTESTING SCENARIO

Each participating vendor's software was installed on a Dell PowerEdge SC1425 server with Windows Server 2003 installed. Vendors provided a client device for each client OS supported. Client devices included handsets from Hewlett-Packard, Nokia, Palm, Research In Motion and Samsung.

To test, we ran through three use-case scenarios:

» How does an administrator configure security policies for mobile endpoints, as well as enable passwords and any other lockdown features that exist?

» How does an administrator deploy software packages to devices?» How do the products handle inventorying, and what reports can be generated?


• Security: Rates the products' data security, password enforcement, policy management and lockdown features.

• Software deployment: Rates the effectiveness of over-the-air software distribution.

• Platform compatibility: Rates the breadth and depth of endpoints supported.• Inventorying: Rates what can be inventoried and the quality of reports.

• Ease of use: Rates the quality of management and client interfaces.

• Price: MSRP before volume discounts and support costs.


All the products passed our tests, providing a base level of device management that would serve enterprises well, and all made our shortlist.Sybase Afaria represented the strongest product with regard to security, making it a clear winner for verticals that deal with confidential data--such as health care or finance--due to its native support for file encryption on devices. Afaria's group-based policy support makes it easy to manage fleet-type deployments, but we were sometimes stumped by how to easily provide policies or software deployments to users--which may be detrimental for carpeted enterprises that need more custom-tailored policies.

We were impressed with Nokia Intellisync Device Management's overall performance. Intellisync is well-positioned to help IT reduce the admin burden on the helpdesk by off-loading some tasks (performing password resets and device wipes, for instance) to users through a simple Web management interface. Although Nokia doesn't provide encryption natively, it does provide LDAP authentication, letting users leverage the same password for both handheld and desktop devices.

Novell ZENworks' low cost per device, combined with its ability to manage both enterprise desktop and handheld deployments, may prove appealing to some enterprises. Its eDirectory implementation allows for LDAP integration (like Nokia) and provides a consistent look and feel for administrators familiar with Novell's other products. However, those unfamiliar with eDirectory may find Novell difficult to use compared with competitors.

LANDesk also provides a strong unified management solution, letting admins provide both handheld and systems management from the same interface at a low cost. Those familiar with LANDesk (and even those who aren't) should be able to easily perform basic management functions with LANDesk's handheld system, but its feature set is limited compared with those from mobile-centric competitors.

Avocent Landesk Handheld ManagerAvocent landesk's first foray into mobile device management (MDM) is off to a positive start. Those familiar with the LANDesk interface will find it easy to manage mobile devices. The strategy began with the purchase of Sonic Mobility in 2004. After maintaining the Sonic Mobility platform as a separate product for some time, Avocent has begun to introduce handheld management into the LANDesk platform.

With the Handheld Manager, administrators have the benefit of managing desktops, servers and handhelds all from the same management interface. We generally liked the LANDesk management console. The company did a good job segmenting the features that relate to handheld management from those that relate to other types of hardware. We hope LANDesk can better integrate the client activation process (currently done through a separate Web management interface) with the LANDesk console to create a more unified experience. But otherwise, we were able to accomplish all the tasks for managing our mobile devices with ease.

LANDesk runs on all the platforms you'd expect (Windows Mobile, Palm, BlackBerry). While the system doesn't include support for Symbian, it does include support for embedded devices from Teklogix and Symbol Technologies, which is unique in this class of products. Like other platforms, LANDesk can perform over-the-air activation through either SMS (Short Message Service) or e-mail. SMS messages are sent via a carrier's e-mail gateway. To ease communications, LANDesk includes a handy feature to select the carrier a user is on. For instance, an administrator can select "Verizon Wireless" and enter "315-555-0426" to send an SMS rather than sending e-mail to [email protected].

LANDesk provides some mobile-oriented features. Recognizing that cellular data connections are limited, LANDesk offers bandwidth-management and compression capabilities. However, we weren't able to determine how to customize these features (for example, state that only 10 percent of available bandwidth should be allocated for management purposes).

LANDesk provides the basic security functions one would expect, including password enforcement, remote lock and remote wipe. It does not include user authentication against enterprise identity stores (like Active Directory), nor is encryption support provided.We've held LANDesk in high regard as a desktop management platform in the past. If you're looking for a system to handle everything from one central console, LANDesk should be on your shortlist. This MDM system offers all the base features a mobile device management platform should have at a reasonable incremental price.

Nokia Intellisync Device Management

Nokia's Intellisync suite presented the cleanesT, most intuitive experience for MDM of all of the products we tested. Like Sybase, Nokia offers products beyond MDM. However, Nokia has done a much better job of tightening integration than Sybase has. For instance, Nokia's Intellisync offering leverages the same configuration interface for both its mobile e-mail and its device management products. Nokia also uses the same push-based communications architecture in the two products. While the Intellisync device management client can be used in a pull model (querying the server at a set period of time for new updates), Intellisync's push architecture will maintain an always-on connection between the Intellisync server and a client device. This produces a much quicker response in pushing out updates or issuing security commands (such as instructions to wipe a device immediately). While the maintenance of a push connection can decrease battery life among devices, if you're already using Intellisync for e-mail, it makes sense to use the same connection for device management.

Nokia also includes support for the creation of a DMZ relay. In this architecture, the Intellisync server establishes an outbound-only connection to a relay server located in the DMZ. Client devices then establish a connection to the relay server, allowing for the use of the Intellisync server without opening ports in the enterprise firewall. The process basically works like a reverse proxy, which competing platforms support.

One of the unique features in Intellisync is its self-service portal. Competing products require the IT helpdesk to perform routine administrative tasks. Using Intellisync's self-service portal, users can lock their devices with a password, or perform a password reset or device wipe. Administrators also can log into the Web portal to perform tasks on the users' behalf or walk them through using the portal.Nokia's is the only product we tested that includes support for OMA DM (Open Mobile Alliance Device Management). Mobile OS manufacturers such as Microsoft and Symbian have begun to incorporate support for OMA DM into their operating systems. Because OMA DM is a standards-based method of device management, and development is driven by the operating system manufacturers, an OMA DM client can be tied much more closely to the OS stack. OMA DM clients can exert more granular control over device hardware features than with a standard device-management client. Today, OMA DM is largely a carrier-driven protocol, but we expect an enterprise OMA DM profile to be written in the future.

Nokia's policy framework is much like Novell's and Avocent's: Users are assigned one or more devices, and they're assigned to groups. Policies can be set systemwide, to a group and to an individual. We liked this framework since it allows more granular control over policies (useful for those times when an executive wants an individual setting). Using Nokia's management console, which is based on Microsoft's MMC, we were able to easily configure policies, lock down devices, distribute software and perform device wipes. While Nokia has partnered with third-party vendors such as Credant Technologies for file encryption, we would have liked to see encryption integrated into this Intellisync suite. Overall, however, Nokia has done a good job presenting a unified architecture for both device management and e-mail, and is a serious contender for those considering device management in their enterprise.

Novell Zenworks For Handhelds

Novell has been working in the handheld management arena for several years. Whereas Sybase and Nokia have focused primarily on managing mobile devices, Novell has adding mobile management to its broader systems-management portfolio. While the competing products offer enhanced features for the mobile environment, Novell's ZENworks should suit organizations that need to do systems management and handheld management from the same suite.

Novell ZENworks relies on the company's eDirectory infrastructure to handle identity-management policies. One of the major advantages is that admins can easily tie log-in credentials to eDirectory and thus to a wide variety of directory structures, including Active Directory. ZENworks also is scalable; enterprises can distribute the eDirectory infrastructure (and so the device-management infrastructure) across the organization. Management is provided through Novell ConsoleOne, and Novell administrators will appreciate its familiar interface. However, the uninitiated may find some stumbling blocks. There is a poor distinction between functions that relate to MDM and those that relate to other eDirectory elements. Fortunately, Novell's online help is extensive and well-written. The company is in the process of moving to a Web-based management console, which we hope will provide a more intuitive management experience.Similar to Sybase, Novell provides the ability to remotely control devices, which can be an advantage in troubleshooting user problems. Novell uses the free TightVNC to provide remote-control capabilities. TightVNC sends "screen scrapes," or captures of the remote device's screen, back to the console, whereas Sybase sends only changes in the position of objects on the screen (similar to functionality in Citrix or Microsoft Terminal Services). Novell's remote-control capabilities get the job done, but the extra bandwidth required to send screen images back over the narrow pipe results in a more sluggish performance than Sybase's product.

One other gripe we had with ZENworks was its handheld client distribution. The good news is that the process of creating and distributing handheld install packages was relatively seamless. The bad news is that Novell decided to include the program on the product install CD rather than on the server ZENworks was installed on. If you're as prone to losing install media as we are, it's best to make copies of the product install CD or copy the handheld install package wizard to the ZENworks server. We only wish Novell had done that for us.

We also didn't see bandwidth-management options for distributing software packages with the ZENworks product. Given the limitations of cellular data connections (especially 2.5G connections like EDGE or 1xRTT) and the large size that installers can occupy, we would have preferred the ability to send files down in chunks rather than all at once.

Overall, ZENworks provides a capable platform for performing device management. While mobile-centric vendors may offer some enhanced capabilities, ZENworks had all of the functions needed for basic MDM. If you're looking for a centralized system to manage both systems and mobile devices, ZENworks is an option worth considering.

Sybase Ianywhere AfariaSybase isn't necessarily a vendor IT admins think of when it comes to mobility. When its name was mentioned to colleagues as a participant in our MDM review, many said, "Sybase? Isn't it a database company?" Sybase has been involved in the mobile arena for some time through a series of strategic acquisitions. Its presence in the MDM space began in 2004 through its acquisition of XcelleNet, the creator of Afaria.

For our comparison, we looked at Afaria 5.5. Afaria uses a Web-based UI for the creation of policies, distribution of software packages and performance of other management tasks. For the most part, the interface behaved well, with one exception: When we changed the password for our domain administrator account (used to authenticate ourselves to Afaria), we were locked out of the Afaria Web UI. The apparent workaround is to run an install script that resets the password Afaria expects for authentication. But rather than relying on that workaround, the best approach is to install Afaria with a service account whose password won't change.

Afaria takes a group-based approach to enforcing policies, deploying software and so on. While this method works great for fleet deployments (where employees are given identical corporate devices), most IT managers have dealt with the "exceptions to the rule." Certain individuals (a company vice president, for instance) want their policies tweaked or want specialized software deployed to their devices; while this generally goes against best practices, politics dictate that the IT department submit to such requests. Competing solutions allow for hierarchical sets of policies to be deployed, whereby the individual user's policy is inherited from a higher-order policy unless an explicit user policy is set. While competing solutions let you target the individual device, with Afaria, the VP's device would have to be assigned to its own group, which would be targeted with the requested software package. While Afaria's group model does discourage creating one-off policies, we would have rather seen the concept of "users" introduced to Afaria's architecture and avoid the need for IT to create one-off groups.

Despite our quibble with Afaria's architectural model, the software did well as we put it through its paces. We were particularly impressed with its security features. Afaria's native encryption support made it stand out from the rest of the pack. The encryption modules are FIPS 140-2 certified, so government agencies required to operate under FIPS 140-2 guidelines can use Afaria to help comply with mobile data security regulations. Afaria's security manager client was also more customizable than competitors', allowing for custom branding and messages to tailor the user experience. This can be useful for enterprises trying to provide a corporate feel to their handheld devices. Nevertheless, while we enjoyed Afaria's security features, we were still disappointed by the lack of support for Symbian. Afaria does provide inventorying and synchronization features for the Symbian platform but has yet to extend security services. We were hoping to see Symbian support come with the official release of Afaria 5.5, but development work is ongoing.

While Afaria 5.5 introduced over-the-air provisioning, we wish it were more streamlined. The company's OneBridge e-mail client can be distributed from a single Web link; a script built into the Web page automatically decides which package is the appropriate one to install and delivers accordingly. For Afaria, each client install package has its own Web link. While the selection of the appropriate link can be selected through Afaria's client deployment tool (which sends e-mail or an SMS message to a user), we believe directing people to a particular address for download is easier, especially for support over the phone in case messages aren't properly transmitted.With Version 5.5, Afaria also introduced the ability to remotely control Windows Mobile clients using technology from Danware. Using Danware's NetOp Remote Control, administrators can directly control a user's device in a manner similar to Microsoft's Remote Desktop. We used the remote-control feature briefly during our testing and were pleased with the results given the limited performance characteristics of cellular data networks. Support for other platforms, beyond Windows Mobile, is unavailable.

In addition to its unique features, Afaria supports all of the features you'd expect to see in an MDM platform. Administrators can back up files, deploy software and enforce policies on devices. Overall, Afaria represents a solid device-management platform, especially for the security-conscious. It's ideally suited for fleet-based applications; those who find themselves often having to custom-tailor policies to users may be better-served by other products.

How We Tested MDM

FOR OUR REVIEW of mobile device management systems--testing for which was conducted at our Real-World Labs® at Syracuse University--we allocated each product a Dell PowerEdge SC1425 server with a 3-GHz Intel Xeon processor and 3 GB of RAM. Each server ran Windows Server 2003. We requested that vendors send us a client device representative of each platform supported by their management software, and as a result, we received Hewlett-Packard, Nokia, Palm, Research In Motion, Samsung and HTC (Cingular) devices.

To gauge the client installation process, we installed each vendor's client software using its over-the-air distribution mechanism. To evaluate each system's performance, we carried out a variety of tasks, including those related to both security (such as wiping a device or enforcing policies) and management (such as distributing software or performing inventory reports). Client devices connected to the management servers directly through our Sonicwall Pro 2040 firewall; we were unable to configure a demilitarized zone for this review, so we did not evaluate proxy or relay systems. Client devices utilized either a Wi-Fi (802.11) or a WAN connection (EV-DO or EDGE) for connectivity.

All NETWORK COMPUTING product reviews are conducted by current or former IT professionals in our own Real-World Labs®, according to our own test criteria. Vendor involvement is limited to assistance in configuration and troubleshooting. NETWORK COMPUTING schedules reviews based solely on our editorial judgment of reader needs, and we conduct tests and publish results without vendor influence.Sean Ginevan is a technology analyst with the Center for Emerging Network Technologies at Syracuse University. Write to him at [email protected].

Stay informed! Sign up to get expert advice and insight delivered direct to your inbox

You May Also Like

More Insights