
Page 1: MDM Technical Comparison White Paper_CR_Final

8/3/2019 MDM Technical Comparison White Paper_CR_Final

http://slidepdf.com/reader/full/mdm-technical-comparison-white-papercrfinal 1/22

White Paper: A Technical Comparison of Mobile Management Solution Features and Functions


Contents

Executive Summary ... 1
About Microsoft System Center Mobile Device Management ... 2
Feature Comparison Matrix ... 2
Managing Devices and Users ... 4
  Group Assignment Via Active Directory ... 4
  Device Membership in Active Directory ... 5
  Policy Based Management and Configuration ... 6
  OTA/Network Encryption and Mobile VPN ... 7
  On Device and File Encryption ... 9
Feature Lockdown ... 10
  Bluetooth Lockdown ... 11
Application and Data Distribution/Management ... 11
  LOB Application Data Push/Alert ... 13
Asset Tracking, Logging, and Reporting ... 13
Firmware and Update Management ... 15
Help Desk and Troubleshooting ... 15
Self Service ... 16
Appendix ... 18
  Methodology ... 18
  Ratings ... 19


Executive Summary

Managing a fleet of mobile devices while ensuring end-to-end data integrity is a difficult task. Users want their desktop at their fingertips, with reliable access not only to familiar productivity tools such as email, calendar, and contact management, but critical line-of-business applications as well.

For the IT team, fulfilling these expectations requires a delicate balancing act. Mobile devices not only transmit data over public networks but are also uniquely vulnerable to loss and theft. Security, both for the device and the critical data on it and for its connection to the corporate network, is paramount. But policy enforcement to protect corporate data should not come at the cost of user productivity, nor pose an undue burden to IT and the help desk.

Achieving this balance demands a flexible, end-to-end mobile management solution that helps IT administrators more easily secure and manage mobile devices within a corporate network, while providing secure, single-point access for line-of-business (LOB) applications and corporate data. This requires an extensive set of features and capabilities that can make selecting the right solution for your organization’s needs a complex task.

But it’s important to note that choosing a mobile management solution involves more than just checking off an extensive set of features, some of which may be of interest to only a small number of organizations or particular industries. If it doesn’t fit gracefully into your existing management and server infrastructure, you’re unlikely to achieve the full return on investment (ROI) and total cost of ownership (TCO) benefits possible.

To aid technical decision makers in discerning the right mobile management solution for their organization, Microsoft commissioned an independent third-party systems integrator that specializes in the deployment and maintenance of enterprise mobility solutions to compare the capabilities of three leading mobile management solutions:

  • Microsoft System Center Mobile Device Management 2008 (MDM 2008)
  • Blackberry Enterprise Server Version 4.1.4 Service Pack 4 (BES 4.1 SP4)
  • Motorola Good Mobile Messaging 5.0 (Good 5.0)

This technical comparison summarizes the results in a comparison matrix chart (Page 2) followed by an explanation of each feature or capability and its significance in terms of the fundamental mobile device challenges faced by IT professionals: management, control, maintenance, device and communication security, scalability, and support. An appendix explains the methodology and ratings used to create the comparison matrix, and offers a suggestion for weighting the results to fit your organization’s specific needs.[1]

[1] As noted in the appendix, the comparison was executed by exercising the management interface to check the availability of various functions; performance was not tested.


About Microsoft System Center Mobile Device Manager

Microsoft System Center Mobile Device Manager 2008 (MDM) is a robust and cost-effective solution that can be seamlessly deployed into an enterprise’s existing Microsoft infrastructure and addresses in a comprehensive fashion the three core requirements of IT professionals: security management, device management, and security-enhanced connectivity.[2]

MDM’s ability to utilize Active Directory (AD) not only eases management by giving administrators a single point and common interface from which to manage both personal computers and mobile devices, but provides increased security by enabling them to more easily apply security capabilities such as Public Key Infrastructure and permissions-based access to resources. Administrators can use the familiar Windows Server Update Services (WSUS) platform to deploy software to mobile devices and easily monitor compliance, while AD’s Group Policy Objects functionality greatly eases the task of creating, enforcing, and monitoring policies on mobile devices. MDM’s IPSec-based Mobile VPN helps protect sensitive data, and when transmitting already-encrypted SSL traffic, the resulting double-envelope security offers enhanced protection of critical corporate data.

Feature Comparison Matrix

Legend (the rating icons of the original are not reproduced in this text version): Functionality Not Available / Limited Functionality / Average/Good Functionality / Extensive Functionality

Feature | MDM 2008 | BES 4.1 SP4 | Good 5.0

Managing Devices and Users
  Group Assignment via Active Directory
  Device Membership in Active Directory
  Policy Based Management and Configuration
  Number of Policies
  RSoP Data
Encryption Services
  OTA/Network Encryption

[2] For a detailed examination of the ROI and TCO benefits of System Center Mobile Device Manager, please refer to the ROI and TCO analysis tools at https://roianalyst.alinean.com/microsoft/mobile/launch.html, or the white papers available at http://www.microsoft.com/windowsmobile/en-us/business/business-resources/enterprise-business-knowledge-center.mspx


Feature | MDM 2008 | BES 4.1 SP4 | Good 5.0 (continued)

Encryption Services (continued)
  Mobile VPN (Good 5.0: GMC[3])
  On-Device Encryption
  Encrypt Specific Files/Locations
  Storage Card (SDIO) Encryption
Feature Lockdown
  Wi-Fi
  Infrared
  Camera
  SMS/MMS
  Storage Card (SDIO)
  Phone
  Disable IP Modem/Tether
  Disable IMAP/POP
  Restrict Cable Sync
Bluetooth Lockdown
  Restrict Radio
  Restrict Profiles
  Restrict Pairing/Discoverable
Application and Data Distribution/Management
  Restrict to device features set
  Time based distribution
  Reporting of deployment
  Create custom action scripts
  Application Allow/Deny
  Block Unsigned Application Install
  Block Third-party Downloads
  LOB Application Data Push/Alert (Good 5.0: GMC[4])

 

[3] Available only with the additional Good Mobile Connection (GMC) module and licensing (See page 1).

[4] Available only with the additional Good Mobile Connection (GMC) module and licensing (See page 1).


Feature | MDM 2008 | BES 4.1 SP4 | Good 5.0 (continued)

Asset Tracking, Logging, and Reporting
  Software and Hardware Inventory
  Via log files
  Via Administration UI
  Collect log information from device
  MOM/SNMP
Firmware Update Management
  OTA OS Update Push
  Cable Firmware Update
  Update Targeting
Help Desk and Troubleshooting
  Help Desk and Administrative Console
  Role-Based Administration
  Device remote control
  OTA Provisioning and Bootstrapping
  Bulk Provisioning
Self Service
  Self Enrollment
  Self Service Portal
Server Management
  Breadth of Device Platform Support
  Hostability

Managing Devices and Users

Provisioning devices and enforcing policies are fundamental activities for mobile device management. How a mobile management solution handles user and device groups, and the extent of the policies it offers, can have a big impact on manageability, scalability, and security.

Group Assignment via Active Directory

Many mobile management solutions offer group management; however, these groups are created and managed within the middleware platform itself, so that in organizations using Microsoft Active Directory or another enterprise directory, membership must be maintained in two locations, resulting in an increased management burden. A mobile management solution whose policies and provisioning are based on Active Directory (AD) groups gives administrators the ability to target groups of devices based on AD Group Policy Objects (GPOs), using the same interface and procedures as for desktop management. This not only simplifies management but improves scalability.

[Matrix excerpt: Managing Devices and Users / Group Assignment via Active Directory. The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]

MDM

MDM allows targeting of policies through Active Directory using a common interface, Group Policy Objects (GPO). Through GPO, administrators can assign customized policies for groups of mobile phones and assign those policies to an organization unit (OU) within Active Directory. This provides an easier transition between desktop computer and mobile device management.

BES

Rather than use existing groups in AD, BES uses its own group hierarchy for policy, software deployment, and device management. These groups are created using the Blackberry Manager console and stored in the configuration database native to BES. While this allows for simple bulk provisioning and management, it is a separate group that must be created, managed, and documented.

Good

Rather than use existing groups in AD, Good uses its own group hierarchy for policy, software deployment, and device management. These groups are created in the Good Management Console and stored on the Good server. Groups used in Good are designed for software deployment and device management. While these groups are easy to assign and manage policy for, they also present extra administrative effort to maintain and create groups outside of AD.

Device Membership in Active Directory

Device membership in Active Directory allows for device targeting in addition to user targeting. This allows administrators to assign policy based on either the user’s membership or the device membership within Active Directory. Other device management products maintain a separate user database and only allow for user based targeting.

[Matrix excerpt: Managing Devices and Users / Device Membership in Active Directory. The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]

MDM

Device membership in Active Directory allows targeting and management of the device as if it was a computer object on the domain. This helps IT professionals manage devices with common interfaces such as Group Policy Objects and the Active Directory Users and Computers console with little additional training.


[Figure: MDM enables management of mobile devices using Active Directory]

In addition, device membership in Active Directory enables administrators to improve mobile device security using several security capabilities, including Public Key Infrastructure (PKI), GPO assignment, and permissions-based access to resources and internal websites. This promotes communications security, protects corporate resources, and simplifies security management.

BES

When adding users to BES initially, the Global Address List (GAL) is displayed to allow administrators to select users who have mailboxes accessible by the server. After adding a user, the entry is made in the configuration database but is not housed in Active Directory. Only limited information regarding BlackBerry service is stored in the user’s Exchange mailbox (e.g., PIN number, encryption key, and hosting BES server name).

Good

Good also uses the GAL to initially find user mailboxes for account association. However, like BES, Good will only create an account locally on the server. Information is not associated to AD accounts outside of mailbox access.

Policy Based Management and Configuration

Device management and software configurations may be assigned and managed via policies. These policies, in many cases, can be assigned to either individuals or groups. Policies are an effective way to lock down a mobile environment, but figuring out the effect of those policies on a specific user or device can be difficult. While many mobile management solutions can report a policy that is effective for a user, the settings for that policy may not be easily viewable.

[Matrix excerpt: Managing Devices and Users / Policy Based Management and Configuration, Number of Policies, RSoP Data. The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]

MDM

Policies used in MDM are assigned using Group Policy Objects (GPO). Because GPO is the underlying mechanism of device management, administrators can quickly determine the effect of policies on a specific user or device (or groups of them) using Resultant Set of Policy (RSoP). While MDM does not have as many policies as BES, key policies are furnished to help alleviate the mobile security concerns of many organizations.

[Figure: Active Directory furnishes powerful tools for managing mobile device policies]

BES

RIM has an extensive set of policies for device management and PIM synchronization, which are managed via the BlackBerry Domain, a collection of BES servers that share a common database. These policies may be created for either groups or individuals, but reporting of the policies in effect per user is not available.

Good

While its policy set is not as extensive as that of BES, Good does offer some of the more widely desired device management policies. These policies are managed by user groups and can be assigned to a group with only one individual member if necessary. Policies available for groups are divided into six categories: Password, Options, Sync Control, OTA, Applications, and Data.

OTA/Network Encryption and Mobile VPN

The type and strength of over-the-air (OTA) encryption offered by a mobile management solution is an important factor in its ability to provide secure remote access. While some platforms allow administrators to choose an encryption method or key size, others simply enforce a standard level of encryption or none at all. In addition, when considering mobile VPN, it is important to distinguish between two kinds of VPN connectivity offered by mobile management solutions. VPN that grants devices membership in the corporate network (like desktops and laptops) offers greater access to internal resources. By comparison, the more usual proxied VPN tunnel limits the range of internal resources mobile devices can access.

[Matrix excerpt: Encryption Services / OTA/Network Encryption, Mobile VPN (Good 5.0: GMC). The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]

MDM

MDM uses Active Directory to grant devices membership in the corporate network domain, with connectivity over a mobile VPN. This helps to protect sensitive data and gives secured access to the intranet, email, PIM, and line of business applications. Devices enrolled with MDM negotiate a unique key for security-enhanced communications using an IPSec tunnel. All communications, including intranet, email, PIM, and line of business application data must travel through this IPSec tunnel between the corporate network and the device. There are no points of decryption between the mobile device and the MDM Gateway Server (corporate network). By encapsulating Microsoft Exchange email already encrypted via SSL, MDM’s Mobile VPN IPSec tunnel offers the additional protection of double-envelope security.

Developers can use the .NET Framework to create applications that run securely on the handheld, or to integrate existing back-end applications into a mobile environment. Many applications, such as Microsoft Dynamics CRM, already possess such integration. MDM offers the choice of 3DES or AES at 128, 192 and 256-bit key length for data encryption.

BES

BES offers only proxied VPN. The Blackberry Enterprise Server acts as a secure proxy to mobile devices, so they are not part of the corporate network and have limited access to the corporate intranet and applications. Users can access email, PIM data, and web-services based applications via the Blackberry Browser. Developers may use the Blackberry Mobile Data System (MDS) application development framework to create or integrate applications to communicate with devices through the BES proxy service, which creates an outbound-initiated secure connection.

To create the encrypted tunnel between the proxy server and devices, BES can use either of two encryption methods: 3DES and AES. Devices with software version 4.0 or higher can communicate with AES encryption, while older devices can only encrypt and decrypt using 3DES. By design, BES uses two-key 112-bit 3DES encryption and 256-bit AES encryption. If both 3DES and AES are selected, the BES will negotiate the highest available encryption method (AES) based on device compatibility.

Good

Good offers only proxied VPN. Like BES, all communications from devices are proxied through Good servers via an encrypted tunnel using a 192-bit AES encryption key. The encryption method cannot be changed, and is universal for all handhelds. The key is generated based on the OTA activation PIN assigned to a user account. Once the Good software is installed on a handheld, the PIN is entered by a user to initiate activation. The first step in this activation process is the generation of the AES key by the Good Management Console, which is sent to the device via SSL.


The offering compared here, Good Mobile Messaging, does not offer any access to internal resources other than email and PIM data. However, an optional module requiring additional licenses, called Good Mobile Connection (GMC), will allow the Good client to access intranet sites and other back-end data through a proxy. Developers can use Java or .NET for integration and application development.

On Device and File Encryption

Even if communications between a mobile device and corporate servers are protected by encryption, important data stored on the device can be compromised if it is lost or stolen. To help alleviate this concern, many newer mobile management solutions offer the option for administrators to enforce on-device encryption to help safeguard files and data stored on mobile devices. While this improves security, it can adversely affect device performance.

Some solutions require the entire device to be encrypted; others permit encryption of individual files, directories, or databases. The latter capability is important if the encryption methods available have a performance impact.

It is also important that administrators be able to enforce encryption on files stored on expansion memory (storage) such as SD Cards, Micro SD cards, and compact flash. This avoids the possibility that an unauthorized or unintended user might bypass the device password by removing the card.

[Matrix excerpt: Encryption Services / On-Device Encryption, Encrypt Specific Files/Locations, Storage Card (SDIO) Encryption. The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]

MDM

On-device encryption can be easily handled for Windows Mobile devices enrolled with an MDM device management server by enabling AES encryption for all data stored on the device. Using AES encryption provides maximum protection, but unlike ECC encryption used on newer RIM devices, AES encryption may degrade performance of the device slightly while data is being decrypted for access. This can be alleviated by encrypting only critical files or locations as specified by an administrator.

Storage cards may also be encrypted using AES encryption to further safeguard sensitive data. When users add files to an encrypted storage card with MDM, the files are not decrypted when encryption is turned off. Users must individually open each file after encryption is turned off in order to decrypt them. Files may still be written to the card by other devices but will not be encrypted.

BES

While BES allows the entire device to be encrypted, it does not allow administrators to choose individual files or locations to encrypt while the remainder of the device remains unprotected. Devices with 4.1 device software and earlier used a 256-bit AES key to encrypt data. While this key offers strong protection for data, it increased access times to stored data and degraded device performance. In device software version 4.2, RIM changed the encryption key to a selectable 160-bit, 283-bit, or 571-bit elliptic curve cryptography (ECC) key, which offers better performance. Users are prompted with Strong, Stronger, and Strongest to select the key size. Administrators may also force one of these 3 key sizes via policy.

Administrators may also enforce encryption for data stored on external memory cards, protected by a user password, the BlackBerry device key, or both. This setting determines the key used to encrypt data on the card. Files may still be written to the card by other devices but will not be encrypted.

Good

The Good client application can enforce 256-bit AES encryption on both specific folders and databases on the device, which may be specified from the server administration console. While this adds additional security, it does not provide protection for all data located on the device, since there are other locations for data that cannot be protected using the Good management interface.

Administrators may also require data stored on external memory to be encrypted as well, using a user-specified password. Any existing data on the card must be erased before applying encryption. Good creates a file on the memory card and mounts it as a separate disk volume on the handheld. The file created consumes the entire amount of storage space on the card; thus, the card cannot be used to store unencrypted data from another device.

Feature Lockdown

Most mobile devices have features, such as tethering, third-party email services, and cameras, that may not be desirable to an organization. Rather than force employees onto different devices, at a potential loss of other capabilities, lockdown policies can restrict the use of these features. This can improve security and reduce the help desk burden, as well as simplifying maintenance and management.

[Matrix excerpt: Feature Lockdown / Wi-Fi, Infrared, Camera, SMS/MMS, Storage Card (SDIO), Phone, Disable IP Modem/Tether, Disable IMAP/POP, Restrict Cable Sync. The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]


Bluetooth Lockdown

Bluetooth’s short range communications services allow mobile devices to extend the office experience. Devices such as printers, keyboards, headsets, and even automobiles can connect to mobile devices for services, raising additional concerns about security. Mobile management solutions help to alleviate this concern by offering lockdown policies for the Bluetooth radio and/or profiles related to Bluetooth services.

[Matrix excerpt: Bluetooth / Restrict Radio, Restrict Profiles, Restrict Pairing/Discoverable. The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]

MDM

Policies may be enabled on MDM to completely disable the Bluetooth radio, or block specific profiles. However, to block a profile, administrators must know the Universally Unique Identifier (UUID) of that specific profile. In other device management platforms, the profiles are given in a dropdown list. While the use of UUIDs allows administrators to be more flexible in blocking Bluetooth profiles, it can be more difficult to set up the policy initially. It is not possible to restrict discovery or pairing.

BES

The most robust middleware platform for Bluetooth security, BES allows administrators to restrict specific service profiles such as serial, hands-free, or headset. BES also allows disabling discoverability or pairing with devices, and can even require a password to enable Bluetooth on the device. Newer BlackBerry devices are capable of Bluetooth tethering for IP modem connections; this feature can be disabled using a BES policy.

Good

Good will allow administrators to disable Bluetooth completely. Alternatively, administrators may restrict discoverability on devices to allow the pairing of a headset with the phone while ensuring that other devices will not be able to pair unless the Good device detects them first.

Application and Data Distribution/Management

Many mobile applications on the market can be deployed wirelessly to devices. This includes third-party applications and custom applications developed in-house by organizations. Users may also install applications via cable or connection to a website. The ability to manage deployments efficiently, as well as to block user installation of undesirable applications, is important for lowering the IT and help desk burden of mobile device management.


[Matrix excerpt: Application and Data Distribution/Management / Restrict to device features set, Time-based distribution, Reporting of deployment, Create custom action scripts, Application Allow/Deny, Block Unsigned Application Install, Block Third-party Downloads. The ratings for MDM 2008, BES 4.1 SP4 and Good 5.0 are icons in the original and are not reproduced here.]

MDM

Using MDM enables administrators to create custom software deployment packages for mobile devices. Once these packages are created, administrators may deploy them by targeting the device group, or target based on existing hardware on the device. WSUS offers extensive reporting capabilities that allow administrators to monitor deployment to devices using filters to specify the range of devices and updates desired.

[Figure: WSUS allows extensive update report customization]

MDM can prevent users from using applications supplied with the mobile device, or the installation of unsigned applications. It cannot prevent the installation of signed third-party applications.

BES

Applications can be pushed from the BES using software configurations. These software configurations require the installation files be copied and indexed on the BES directly. After indexing the files, administrators can build software configurations and apply custom software policies to the configuration. These policies can override handset settings to give applications access to GPS radios, keyboard application programming interfaces (API), or the phone.

Once assigned, applications are deployed to devices every four hours (time-based distribution). This application polling interval can be overridden in the registry as a static entry if desired. However, changing this registry setting will affect all users on the server. Service Pack 4 for BES version 4.1 allows administrators to deploy applications immediately and bypass the four-hour timer.


Reporting on application deployment is provided via a status block in the user status pane of the administration console, but does not offer the extensive filtering capabilities found in MDM.

BES can also disallow specific applications from being installed on the device. However, in order to achieve this, administrators must first copy and index the installation files on the BES directly and create a software configuration with a policy set to disallow the installation. A policy also exists to block third-party application downloads.

Good

Applications may be pushed from the Good server by administrators, with deployment managed through user groups. Applications can be inherited from the default “All Users” group or applied directly to a group. If an administrator wishes to deploy custom software to mobile devices, the software is uploaded to the Good NOC for hosting. A URL and GUID are then assigned to the software to identify it back to the Good server it was uploaded from, and it is made available to handhelds. By default, users are reminded to install software three times in a 24-hour period. Administrators can override this with a custom setting or force mandatory installations.

Administrators may also disallow applications from being run on the handheld. However, in Good version 5, administrators may only disallow native applications. These native applications include pictures & video, solitaire, and ActiveSync on Windows Mobile devices.

LOB Application Data Push/Alert

In addition to deploying software, some platforms have the capability to automatically push application data to handhelds. This gives mobile devices access to up-to-date information from back-end systems such as SAP, CRM, or other database or web service-driven applications in the organization, simplifying management and improving scalability.

Feature                          | MDM 2008 | BES 4.1 SP4 | Good 5.0
LOB Application Data Push/Alert  |          |             | GMC

MDM

MDM does not support push data alerts for internal applications.

BES

BES supports push alerts for application data using a listener port on BES that will send data to the mobile application when data is updated. BES also supports the ability to create web-based application alerts using a browser push channel. This alert changes the appearance of the device-side icon when information on the web site is updated. Applications developed using the BlackBerry Mobile Device System (MDS) framework can also push data to devices.

Good

With the addition of Good Mobile Connection (GMC), the Good platform can send push alerts to users as internal application data changes.

Asset Tracking, Logging, and Reporting

Asset tracking can be difficult with a mobile infrastructure. Being able to log and report on deployed hardware and software configurations is fundamental to mobile device management, especially when planning upgrades or future deployments. Keeping track of device upgrades, swaps, mobile phone numbers, and serial numbers/unique identifiers simplifies management and maintenance and improves scalability. Logging of user activities can also be useful for improving security.

Feature                                 | MDM 2008 | BES 4.1 SP4 | Good 5.0
Asset Tracking, Logging, and Reporting  | --       | --          | --
Software and Hardware Inventory         |          |             |
Via log files                           |          |             |
Via Administration UI                   |          |             |
Collect log information from device     |          |             |
MOM/SNMP                                |          |             |

MDM

MDM offers a robust set of data reported back from mobile devices that can enable administrators to plan future deployments. This data includes platform version, installed software, and installed hardware. MDM may also be coupled with Microsoft Operations Manager (MOM) to capture Simple Network Management Protocol (SNMP) traps from the MDM servers to provide proactive troubleshooting of server issues. Device management data is stored entirely in SQL, enabling the generation of custom reports using any SQL reporting tools.

BES

Reports exported from BES show some data exported into a comma-separated value (CSV) format: user name, mailbox path, mobile phone number, PIN number, handheld model, and software version. Data extracted from this export can be used to reconcile wireless bills or track assets. Additional data may be shown in the administration console. This data includes a detailed list of applications, ESN/IMEI serial numbers, hardware capabilities, free/available memory, and active carrier, which may be extracted from the configuration database using custom SQL scripts.

Logging for BES is also available through log files located in the installation directory (by default) and named according to the service related to the log. Although they are cryptic, the log files provide very detailed information on user activity. Log levels and location may be changed by administrators. Support for MOM/SNMP is available via third-party applications.

Good

Good’s reports, exported as a CSV file, show data similar to that available from BES, including user name, device serial number, handheld ID/platform, mobile phone number, network ID/carrier, and mailbox path. The data can also be viewed in the administration console, where additional information may be displayed, such as handheld state and software version numbers. No software inventory is available on Good outside of reporting software assignment groups.

Log files for Good are housed in the installation directory. These log files are very cryptic and in a proprietary format. Logs can be easily uploaded to Good technical support from the administration UI.


Firmware and Update Management

Firmware and operating system updates are an important part of mobile device management. Just as with desktop and laptop computers, updates can improve security by protecting against the latest virus threats, which are increasingly a concern for mobile devices. As well, such updates may be able to add new features to existing mobile devices, such as direct push email, wireless email reconciliation, PIM synchronization, and IP modem support. This simplifies maintenance and preserves an organization’s investment in its mobile infrastructure.

Feature                      | MDM 2008 | BES 4.1 SP4 | Good 5.0
Firmware Update Management   | --       | --          | --
OTA OS Update Push           |          |             |
Cable Firmware Update        |          |             |
Update Targeting             |          |             |

MDM

MDM itself does not offer over-the-air firmware or OS updates. Critical security fixes related to Microsoft software are provided by Windows Update for Windows Mobile in coordination with the device manufacturers and the Microsoft Security Response Center. Patches not related to security issues are provided by the mobile operator, and can be delivered to a Windows Mobile 6 device via the mobile operator’s device management server. Windows Mobile fully supports the Firmware Over-The-Air OMA-DM standard.

BES

BES does not support over-the-air firmware updates, but does offer device updates via USB cable from either the BlackBerry Desktop Manager or the BlackBerry Manager administration console.

Good

While Good does not offer over-the-air device firmware or OS updates, it can keep the Good client software updated via the administration console. When a new client software version becomes available, administrators may select the new version for automatic deployment. New client software may also be targeted based on device platform.

Help Desk and Troubleshooting

Not just users but administrators are becoming more mobile, so remote management of mobile devices is a desirable feature, and can improve scalability. Many mobile management solutions offer the ability to lock down the administration console with a password (other than that of a user login) and assign role-based administrative control. This enables help desk personnel to install the administration console on remote computers for decentralized administration. Some mobile management solutions may also offer web-based administration to overcome concerns about security and limited administrative access.


Feature                                            | MDM 2008 | BES 4.1 SP4 | Good 5.0
Robust Helpdesk and Troubleshooting Functionality  | --       | --          | --
Helpdesk and Administrative Console                |          |             |
Role-Based Administration                          |          |             |
Device remote control                              |          |             |
OTA Provisioning and Bootstrapping                 |          |             |
Bulk Provisioning                                  |          |             |

MDM

Role-based administration for MDM is controlled via groups in Active Directory. This allows administrators to use the same interface for administrator permissions as is found in device policy, thus simplifying management. By contrast, in Good and IMS, roles are defined and customized directly from the administration console.

BES

Administrators or help desk personnel requiring access to a BES can do so by using a local installation of BlackBerry Manager. This installation connects to the configuration database used to host the BES environment and uses the login account of the administrator or help desk representative to determine the amount of administrative access. Security administrators can set several pre-defined levels of access based on role. The lowest role available has access to troubleshooting features, but cannot add or remove users and licensing. Using groups, junior and senior administrators can provision activation passwords for users in bulk. This allows for deployment of devices to entire teams with minimal administrative effort.

Good

Good allows service administrators to assign custom or pre-set roles to help desk or audit administrators, who can install the Good administrative console on their desktop to access the system. Windows logon credentials are passed to the Good server to authenticate roles for administrators. Users can be added to the administration console in bulk, automatically generating an activation email for each user.

Self Service

Allowing users to provision themselves can help reduce the call volume to help desk personnel. Mobile management solutions can extend this level of self service with a web portal that allows users to provision devices without IT involvement.

Feature                    | MDM 2008 | BES 4.1 SP4 | Good 5.0
Self Service Capabilities  | --       | --          | --
Self Enrollment            |          |             |
Self Service Portal        |          |             |


MDM

The self service portal that may be optionally installed with MDM allows users to enroll their own devices, perform remote wipes if the device is lost or stolen, and even reset their PIN. This helps users quickly disable a device when they believe it to be lost or stolen, and reactivate a device they receive from IT without an additional support call.

BES

With BlackBerry Administration Server, administrators may install the Web Desktop Manager to allow users to set their own Enterprise Activation password for provisioning. This web portal also allows users to access all of the features of the BlackBerry Desktop Manager software, provided they have installed the required files as prompted on their first visit to the site. Users must first be added to a BES before they are able to log in to the Web Desktop Manager site.

Good

Good does not offer a self-service portal.


Appendix

Methodology

The products were installed on servers in accordance with their specified system requirements, so that the management interface could be fully exercised. Performance was not tested; the goal was to understand the functionality of each product’s feature set in the following nine important areas of mobile device management:

Managing Devices and Users

Provisioning devices and enforcing policies are fundamental activities for mobile device management. How a mobile management solution handles user and device groups, and the extent of the policies it offers, can have a big impact on manageability, scalability, and security.

Encryption Services

Encryption is necessary both for secure remote access to corporate data and applications (mobile VPN) and to protect data on the device itself in case of loss or theft. The type of encryption used can have an impact on performance.

Mobile VPN

This may not be necessary (may be included in Encryption Services above, TBD)

Feature Lockdown

The ability to disable various features on mobile devices (e.g., Bluetooth, tethering, or third-party email services) improves security, expands the range of devices that can be supported, and eases management and maintenance.

Application and Data Distribution

It is important for a mobile management solution to make the process of pushing applications or data out to mobile devices as easy and flexible as possible. In addition, the ability to control what applications users may install on a mobile device improves security, reduces the help desk burden, and eases management and maintenance.

Asset Tracking, Logging, and Reporting

Being able to log and report on deployed hardware and software configurations is fundamental to mobile device management, especially when planning upgrades or future deployments. Logging of user activities can also be useful for improving security.

Firmware Update Management

The ability to update a mobile device’s operating system and feature set is not only critical for security, but helps preserve an organization’s hardware investment.

Helpdesk and Troubleshooting

Not just users but administrators are becoming more mobile, so remote management of mobile devices is a desirable feature, and can improve scalability. Role-based administration adds flexibility.


Self Service

Allowing users to perform a limited set of provisioning operations can reduce the IT management and helpdesk burden.

Ratings

For each product, its functionality for each capability was rated with one of four ratings.

Functionality Not Available: the product does not offer the functionality needed to support this feature or capability

Limited Functionality: the product supplies some of the functionality needed to support this capability

Average/Good Functionality: the product supplies most of the functionality needed to support this capability

Extensive Functionality: the product supplies extensive functionality in support of this capability

Although a weighted scoring method is generally more useful, the weightings depend on the specific needs of an organization, so these un-weighted ratings are offered as a starting point. By assigning a point value to each rating level, and then weighting each feature within a set of features (e.g., Feature Lockdown) in accordance with its importance to your organization, you may obtain a clearer sense of how each of the solutions reviewed here matches your needs.
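One way to carry out the weighting the paragraph describes, as an added example that is not part of the white paper: the 0..3 point scale, the feature weights and the per-product ratings are constructed for illustration (the paper publishes only un-weighted ratings and assigns no point values).

```python
"""Weighted scoring over the white paper's four rating levels (added example)."""
from typing import Dict, List, Mapping, Tuple

# The four rating levels from the Ratings section, mapped to points.
# The 0..3 scale is an assumption chosen for this example, not the paper's.
RATING_POINTS: Dict[str, int] = {
    "Functionality Not Available": 0,
    "Limited Functionality": 1,
    "Average/Good Functionality": 2,
    "Extensive Functionality": 3,
}


def weighted_score(ratings: Mapping[str, str], weights: Mapping[str, float]) -> float:
    """Score one product over one feature set (e.g. Self Service) on a 0..100 scale.

    ratings: feature name -> one of the four rating level names
    weights: feature name -> relative importance to the organisation (>= 0)
    A missing rating or an unknown level is a data-entry error and raises.
    """
    total_weight = sum(weights.values())
    if total_weight <= 0 or any(w < 0 for w in weights.values()):
        raise ValueError("weights must be non-negative and sum to a positive value")
    earned = 0.0
    for feature, weight in weights.items():
        level = ratings.get(feature)
        if level is None:
            raise KeyError(f"no rating recorded for feature {feature!r}")
        if level not in RATING_POINTS:
            raise ValueError(f"unknown rating level {level!r} for {feature!r}")
        earned += weight * RATING_POINTS[level]
    return 100.0 * earned / (total_weight * max(RATING_POINTS.values()))


def rank_products(products: Mapping[str, Mapping[str, str]],
                  weights: Mapping[str, float]) -> List[Tuple[str, float]]:
    """Return (product, score) pairs, highest score first, ties by name."""
    scored = [(name, weighted_score(r, weights)) for name, r in products.items()]
    return sorted(scored, key=lambda item: (-item[1], item[0]))


# Constructed sample: the Self Service feature set from the comparison
# matrix, with hypothetical ratings for three fictitious products.
SELF_SERVICE_WEIGHTS: Dict[str, float] = {
    "Self Enrollment": 2.0,      # twice as important to this organisation
    "Self Service Portal": 1.0,
}
SAMPLE_RATINGS: Dict[str, Dict[str, str]] = {
    "Product A": {"Self Enrollment": "Extensive Functionality",
                  "Self Service Portal": "Extensive Functionality"},
    "Product B": {"Self Enrollment": "Average/Good Functionality",
                  "Self Service Portal": "Limited Functionality"},
    "Product C": {"Self Enrollment": "Functionality Not Available",
                  "Self Service Portal": "Functionality Not Available"},
}

if __name__ == "__main__":
    for name, score in rank_products(SAMPLE_RATINGS, SELF_SERVICE_WEIGHTS):
        print(f"{name}: {score:.1f}")
```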


The information contained in this white paper represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property of Microsoft.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

©2009 Microsoft Corporation. All rights reserved. Microsoft Active Directory, Operations Manager, System Center Mobile Device Management 2008, and Windows System Update Services are trademarks of the Microsoft group of companies. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.