
Compare UEM software and must-have features

UEM tools are essential to manage and secure the varying endpoints within an IT environment. Explore the major features and functions to consider and the vendors that provide them.

Unified endpoint management is the latest in a series of mobile device and application management tools to hit the market in the past decade, following the introduction of smartphones in the enterprise. The MDM tool market has since lagged behind desktop and laptop management tools, forcing admins to use multiple tools to manage the whole environment.

The challenge is that the long trail of mobile device management tools -- mobile application management (MAM), client management tools, MDM and enterprise mobility management (EMM) -- muddies the waters considerably as there is not a simple upgrade trail from one to the other. In fact, many products even include MDM as a product in the UEM suite. This can make it difficult to compare tools and determine which one(s) to use.

It is important to note that, according to Microsoft, over 50% of large enterprises already have UEM tools -- usually through licensing agreements -- but only an estimated 5% are actually using them. Buyers should know exactly what they need from the UEM software they plan to purchase so they can reap the benefits of the system. Leading products include the following:

UEM tool features and vendor comparisons

In all the tables below, key features are identified with each UEM tool as to whether the feature is present or not. Features are divided into six categories:

  • Supported OS platforms
  • Security and privacy
  • Device management and lifecycle
  • App and software management
  • Deployment and enrollment
  • Identity and access management (IAM)

It is important to note that vendors identify features with different names, so the capabilities listed here are our interpretation of them. If the vendor did not provide the information, the features are listed as N/A.

Supported OS platform

UEM software is available for on-premises deployment, cloud deployment or both. Note that only a few vendors support pre-Windows 10 versions of the platform. If this is important to an organization, buyers should ensure that there is some legacy support available from the vendor. As noted, very few products listed here support Linux or VDI. Citrix, with its VDI investment, is notable because its product manages all devices -- legacy, mobile, IoT, desktops and laptops including VDI.

Note that support for IoT and wearables varies from vendor to vendor. For instance, BlackBerry only supports smart glasses, while others such as Ivanti support Raspberry Pi.

OS and platform support

Security and privacy

UEM software should provide security and privacy for data, connections and applications through a wide variety of methods. Some rely heavily on a secure VPN connection, while others rely on data and/or container encryption.

App containerization is also a popular method to separate the user from corporate apps and data, but not all vendors use containers, and for those that do, they apply security in different ways.

More products can detect jailbroken devices, rooted devices and malicious apps, while others such as Sophos focus heavily on antivirus capabilities. Since security is a critical feature in a UEM tool, buyers must thoroughly vet a prospective platform's capabilities in this area.

Security and privacy

Device management and lifecycle

UEM software must be able to perform a wide variety of management tasks since device management is critical to the security of the enterprise, especially in BYOD environments. The tool must be able to manage a wide spectrum of devices from PCs to IoT devices.

Note that some are not able to manage devices running legacy OSes such as Windows 7 and 8.1, and most struggle with managing wearables and may be limited to specific products. Buyers should also look for a solid dashboard in a UEM system that can serve as a single point of contact.

Device management and lifecycle

Deployment and enrollment

When evaluating deployment and enrollment capabilities, buyers must consider devices, apps and their type of users. The native tools often address deployment and enrollment, with Microsoft Deployment Toolkit being one example. However, some UEM tools have their own separate deployment product.

Ease of use is critical as admins should be able to allow users to connect to a device and automatically enroll them with little, if any, IT intervention. Similarly, the system should be able to securely enroll users and deploy apps in bulk if necessary.

One additional feature that very few companies include or advertise is remote support, which allows IT to connect to the device to resolve issues.

Deployment and enrollment

App and software management

Admins must have a secure, controlled enterprise application catalog or repository that allows users to download and apply preapproved apps. IT should also have the ability to force required apps for installation, but still allow the user to select the installation day and time to avoid work conflicts. Analytics and reporting are important for IT staff to examine trends of problems and performance and make the necessary corrections.

One noteworthy feature that some UEM tools have is the ability to configure and interface with Office 365 apps. Note that different tools will provide a different experience. For instance, BlackBerry reads the Excel, Word or PowerPoint document into its native editor, but it appears to the users that they are editing it in the Microsoft app while they are, in fact, working within BlackBerry. This is an important distinction for organizations with heavy investments in Office apps.

App and software management

Identity and access management

IAM controls user and device access based on valid accounts, passwords and security policies. Not all UEM software provides its own IAM capabilities; rather, it utilizes third-party tools such as Active Directory (AD).

One noteworthy feature is passwordless authentication, which allows one-time authentication before resorting to other access validation factors such as location, device and user authentication. This is a step past single sign-on and can serve to increase users' productivity as they can get straight to work rather than go through several steps to sign into devices.

If an organization has a heavy investment in legacy Windows devices, it must ensure that the selected UEM tool supports those legacy devices. If there are products like AD, ServiceNow or similar enterprise products in use, the new tool should provide interfaces to these products. Also, UEM vendors may have another product in their suite or a third party that provides IAM capabilities.

Identity and access management

Selecting the right UEM software depends a great deal on the OS platforms involved, the security requirements, the types of devices -- specifically if IoT, wearables and BYOD devices are in scope -- and current applications and infrastructure.

For instance, if the environment is heavily Microsoft-focused, many of the components for UEM may already be in place. Determine what components exist from previous MDM, MAM and mobile content management installations and take advantage of these components rather than starting from scratch.
