Unified endpoint management (UEM) is an approach to securing and controlling desktop computers, laptops, smartphones and tablets in a connected, cohesive manner from a single console. Unified endpoint management typically relies on the mobile device management (MDM) application programming interfaces (APIs) built into desktop and mobile operating systems.
Capabilities, advantages of UEM
Several different vendors offer UEM products, and the capabilities vary from one offering to the next. Some common UEM capabilities include:
- A single-pane-of-glass interface for managing desktop and mobile devices.
- Ability to push updates to devices.
- Ability to apply security policies to managed devices.
- A remote wipe feature that can remove all applications and data from a lost or stolen device.
- A portal that allows bring your own device (BYOD) users to enroll their own devices.
- Application management capabilities. Depending on the product, an administrator might push enterprise applications to managed devices or provide authorized users with access to an enterprise app store where the user can download applications on their own.
In addition, some of the third-party UEM products include tools that track end-user activity or detect and remediate security issues. Vendors are augmenting some products with machine learning and artificial intelligence (AI) engines that help to improve data security and mobile content management.
MDM vs. EMM vs. UEM
There are three terms that are often used in regard to device management. These terms are mobile device management (MDM), enterprise mobility management (EMM) and unified endpoint management. Although these terms are sometimes used interchangeably, they can mean different things.
MDM refers to a system that exclusively manages mobile devices. An MDM can manage Android and Apple iOS devices, for example, but lacks the ability to manage devices running desktop operating systems.
EMM is similar to MDM, except that it tends to be a bit more comprehensive. While MDM usually focuses solely on mobile devices, EMM might also include infrastructure components such as wireless access points. Additionally, some EMM products can help to manage IoT devices.
UEM products typically include all of the functionality that one would expect to find in an MDM product, and also the ability to manage desktops and laptops. UEM products also tend to focus on the user experience. Such a product might equip the user with self-enrollment capabilities, a device management portal, an enterprise app store or a VPN (virtual private network). UEM products are designed to act as a cohesive offering in an organization's mobility strategy.
Prior to the widespread use of mobile devices, the majority of devices on a Windows network were domain-joined. This meant that administrators were able to use Group Policy settings and login scripts to manage the devices at a very granular level. Admins could use Group Policy settings to set password policies, configure the Windows desktop and to push applications to Windows devices.
The most significant limitation of Group Policy settings is that they can only be applied to domain-joined devices. Non-Windows devices such as those running Android, iOS, MacOS or Linux operating systems cannot be domain-joined and, therefore, cannot be managed through Group Policies. Similarly, there are some Windows devices that do not support the use of Group Policy management, such as some consumer-oriented editions of Windows 10, as well as legacy Windows devices such as Windows RT tablets and Windows Phones.
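The Group Policy workflow described above, as an added example that is not part of the original article: it sets the domain password policy, creates a GPO carrying a desktop setting, links it to an organizational unit and then lists the computer accounts that setting can reach. It uses the GroupPolicy and ActiveDirectory PowerShell modules; the domain name, OU path, GPO name and registry values are assumptions chosen for illustration.

```powershell
# Added example (not from the original article): Group Policy-based management
# driven from the GroupPolicy and ActiveDirectory PowerShell modules on a domain
# controller or management host. Domain, OU and GPO names are placeholders.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$Domain   = "example.com"                            # placeholder domain
$TargetOU = "OU=Workstations,DC=example,DC=com"      # placeholder OU of domain-joined PCs
$GpoName  = "Workstation security baseline"          # placeholder GPO name

# 1. Password policy: the domain-wide password and lockout settings are held in
#    the Default Domain Policy, which this cmdlet edits directly.
Set-ADDefaultDomainPasswordPolicy -Identity $Domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -MaxPasswordAge (New-TimeSpan -Days 365) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30)

# 2. Desktop configuration: create a GPO and set a registry-backed policy
#    (password-protected screen saver after 10 minutes of inactivity).
if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
    New-GPO -Name $GpoName | Out-Null
}
$DesktopKey = "HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop"
Set-GPRegistryValue -Name $GpoName -Key $DesktopKey -ValueName "ScreenSaveActive"    -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $DesktopKey -ValueName "ScreenSaverIsSecure" -Type String -Value "1"   | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $DesktopKey -ValueName "ScreenSaveTimeOut"   -Type String -Value "600" | Out-Null

# 3. Link the GPO to the OU. Only computer accounts under this OU, i.e. domain-joined
#    Windows machines, will ever apply it; an iOS, macOS or Linux device on the same
#    network has no computer account here and is invisible to Group Policy.
$ExistingLink = (Get-GPInheritance -Target $TargetOU).GpoLinks.Where({ $_.DisplayName -eq $GpoName })
if (-not $ExistingLink) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. Scope check: enumerate what this policy can actually reach.
Get-ADComputer -SearchBase $TargetOU -Filter * -Properties OperatingSystem |
    Select-Object Name, OperatingSystem, Enabled
```

The final listing is the practical check for the limitation described above: anything that is not a computer account under the linked OU, which is every non-Windows device and every Windows device that was never domain-joined, will not appear and will not receive the policy.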
Exchange Server marked Microsoft's first attempt at creating an MDM product. Although Exchange Server is first and foremost an enterprise email platform, Exchange Server's Mobile Device Mailbox Policies can apply policy settings to mobile devices that have been configured to act as mail clients. These policies can enforce device password requirements, disable hardware components (such as Bluetooth or the device camera), perform a remote wipe and much more.
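The policy mechanism described above, as an added example that is not part of the original article: a Mobile Device Mailbox Policy created in the Exchange Management Shell that enforces a device password and encryption, disables the camera, restricts Bluetooth, is assigned to a mailbox, and is followed by a device inventory and a remote wipe request. The policy name, mailbox, notification address and device identity are placeholders.

```powershell
# Added example (not from the original article): an Exchange Mobile Device Mailbox
# Policy created and assigned from the Exchange Management Shell. Names and
# addresses are placeholders.
$PolicyName = "Corporate mobile baseline"     # placeholder policy name
$Mailbox    = "jdoe@example.com"              # placeholder user mailbox

# 1. Create the policy: device password requirements, storage encryption, and
#    hardware restrictions (camera off, Bluetooth limited to hands-free use).
#    Devices that cannot enforce every setting are refused rather than waved through.
if (-not (Get-MobileDeviceMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-MobileDeviceMailboxPolicy -Name $PolicyName `
        -PasswordEnabled $true `
        -AlphanumericPasswordRequired $true `
        -MinPasswordLength 8 `
        -MaxPasswordFailedAttempts 10 `
        -MaxInactivityTimeLock (New-TimeSpan -Minutes 5) `
        -DeviceEncryptionEnabled $true `
        -AllowCamera $false `
        -AllowBluetooth HandsfreeOnly `
        -AllowNonProvisionableDevices $false | Out-Null
}

# 2. Assign the policy to a mailbox; it then applies to every ActiveSync device
#    that synchronizes that mailbox.
Set-CASMailbox -Identity $Mailbox -ActiveSyncMailboxPolicy $PolicyName

# 3. Review the devices partnered with the mailbox, including whether each one
#    reports having applied the policy.
Get-MobileDeviceStatistics -Mailbox $Mailbox |
    Select-Object DeviceFriendlyName, DeviceOS, LastSuccessSync,
                  DevicePolicyApplied, DevicePolicyApplicationStatus, Identity

# 4. Remote wipe of a lost or stolen device. The request is queued server-side and
#    carried out the next time the device connects to sync, so the listing above
#    (LastSuccessSync) is the way to confirm that the wipe has actually been picked up.
$LostDevice = "<device Identity value from the listing above>"   # placeholder
Clear-MobileDevice -Identity $LostDevice -NotificationEmailAddresses "secops@example.com" -Confirm:$false
```

Note that these controls only reach devices that synchronize a mailbox over ActiveSync; a device that never configures the mail client is outside their scope, which is the gap UEM products are meant to close.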
Over time, Microsoft integrated MDM capabilities into other products. System Center Mobile Device Manager, for example, was a mobile device management tool that performed functions such as provisioning and inventorying mobile devices, as well as performing various security functions. Mainstream support for System Center Mobile Device Manager ended in 2013.
Microsoft's major UEM product is Microsoft Intune. Intune is designed to manage Windows, MacOS, iOS and Android devices. It provides endpoint configuration management, provisioning, security and application deployment capabilities. In 2019, Microsoft combined Intune with System Center Configuration Manager (SCCM) into a single UEM product called Microsoft Endpoint Manager.
Many vendors market UEM as a feature of their broader EMM software suites, and some EMM vendors have made strides to close the gap between MDM and traditional Windows management tools. For example, MobileIron Bridge allows IT administrators to use MDM to deploy scripts that modify the Windows 10 file system and registry and perform other advanced tasks, including deploying legacy .exe applications.
Other vendors that offer UEM include VMware, Citrix, BlackBerry and Apple. Apple's Mac OS X operating system has included MDM APIs since at least 2012. Today, all of the major vendors that offer UEM also support OS X.