Enterprise mobility, or mobile device and data management, has become a top priority for modern organizations since the iPhone launched in 2007.
While several mobile management tools exist, one of the most critical is mobile application management (MAM) software, as it provides oversight and security for software on a user's device.
Mobile application management software features
The BYOD environment, which enables users to put corporate software on personal mobile devices, presented significant challenges to desktop administrators. In response, mobile application management software gives administrators a tool to control and protect software on users' devices -- up to and including the OS.
For instance, it enables users to have private apps on their phones and still access corporate applications, while enforcing policies, updates and security requirements that protect corporate data from unauthorized access. Additionally, IT can prohibit users from copying or sharing corporate data to a personal or public location.
Mobile application management software tools provide several specialized features that include the following:
- Platform. Some MAM products are restricted to Android or iOS platforms, so it's crucial to ensure that they support the platform applicable to the organization's environment.
- App configuration. Administrators can configure managed applications by changing properties, variables, data connections, network and share configurations, and more. The product should provide remote access to apps for these actions.
- App catalog and delivery. Organizations may use default public application stores, such as Google Play or Apple's App Store, in addition to developing a custom app catalog that may include mandatory and optional applications for users.
- App management. Application management capabilities include application lifecycle management -- installation, removal, updates and configuration. Users do not typically have control unless delegated by the administrators. This category also includes remote control access, enabling administrators to manipulate application configurations, updates and deployment remotely.
- App volume license support. The product should support application volume licensing and management to provide seamless licensing management.
- App updating. Often included in app management or configuration features, app updating permits patches and updates to be forced or optionally available to users. This enables the IT staff to validate patches before deployment.
- App performance monitoring. Some products provide performance monitoring of response time, connection errors, status codes and other functions. They may also include performance reporting and other analytics.
- App wrapping. Similar to containerization, app wrapping layers dynamic libraries over the application's compiled code to define security encryption for a particular application. It is applied per application rather than to a group of applications, as containerization is, and is done through the management console without requiring access to source code. App wrapping is quick and easy but lacks the features and capabilities of containers.
- App containerization. Some vendors provide an SDK that permits developers to build code-based containers directly into the apps managed by the vendor's management tool. Containers can provide secure separation from a user's personal data, thus creating a protected area for corporate data and control on a user's personal device.
- App-based policies. Policies should be available to provide application-level security, such as restricting it to kiosk mode, defining VPN parameters and locking down other security requirements, including allowlisting, blocklisting and other controls.
- User authentication and authorization. Some products permit defining user accounts and access rights within the product and may use third-party directory services, such as Active Directory (AD).
- Third-party integration. The product may integrate with third-party directory services, such as AD, G Suite, Okta and Zendesk, and other services, such as ServiceNow.
Comparing the top MAM products
While a product's feature list helps determine if it's right for an organization, administrators and managers must also determine how those features are applied. Feature implementation and pricing can vary greatly from product to product.
MaaS360
MaaS360 is a unified endpoint management (UEM) platform that combines MAM and mobile device management (MDM) functionality and other UEM features. But the full feature list is divided among four licensing categories: Essentials, Deluxe, Premier and Enterprise.
ManageEngine Desktop Central
Desktop Central is a UEM product and has several unique features, such as predefined application templates and management software that permits scheduling off-hours deployments. There is also a free version with features that would benefit an SMB. Note that ManageEngine refers to its application catalog as the Software Repository.
Intune
Intune is an MDM and MAM product that enables IT administrators to manage apps using MAM and app protection policies on devices not enrolled with Intune MDM. This means Intune can manage apps on devices enrolled with third-party enterprise mobility management providers. It integrates with Azure AD identity and has native connectivity to Microsoft 365, Office mobile apps and other Microsoft products. Intune does not support containerization but uses conditional access instead. If the organization uses Microsoft products exclusively, the security occurs at the server level using conditional access, which checks for domain-joined devices and other requirements before allowing access. Microsoft also provides the App Wrapping Tool to provide security for internally developed apps.
Citrix Endpoint Management
Citrix Endpoint Management supports an extensive list of platforms and offers Workspace Environment Management (WEM) that extends management capabilities to Windows 7 and 8.1 devices. It also uses Microsoft Enterprise Mobility + Security/Intune integration for Microsoft 365 and Microsoft Teams and interfaces to several identity providers, such as Microsoft Azure AD and Okta. Citrix also offers a micro VPN to provide application data encryption.
VMware Workspace One
A UEM product, VMware's Workspace One provides a deep set of capabilities to deploy internal, public, purchased, web and virtual apps -- including SaaS apps -- and an extensive and well-documented SDK that permits a high level of customization. VMware also offers various compliance features, including forcing or blocking applications, patching and updating, and certificate management capability.
Jamf
Unlike other platforms on this list, Jamf exclusively supports Apple platforms. However, it offers full application and device management across the Apple ecosystem by using native Apple volume licensing, as well as Apple's Self Service catalog and Device Enrollment Program. Jamf offers multiple platforms, including Jamf Pro for larger organizations and Jamf Now for small businesses.
Hexnode MDM and Hexnode UEM
Hexnode supports all common OSes and has an interesting policy application feature called Geofencing that enables administrators to automate policies and enforce restrictions based on where a device is. Hexnode also has app-based tracking that identifies applications that cross administrator-defined data consumption boundaries. Compared to the competition, Hexnode goes above and beyond to review the features included on each OS and platform.
Evaluating mobile application management software
To find the best MAM product for an organization, the IT administrator must analyze the feature list and determine the following:
- the features that are important to the organization;
- if the supported platform meets the organization's requirements; and
- whether the cost fits the budget.
After identifying the products that check each of these boxes, the administrator can test each -- most vendors have a free evaluation license for this purpose -- and find the product best suited for their team.