MOBILITY / MDM SOLUTIONS - Capabilities

MDM offerings address a range of requirements from IT organizations that aim to deliver mobility experiences to their workforces or customers while keeping control and minimizing risk. They tend to bring a fairly complex set of functionalities, with progressively less differentiation among competitors. The critical capabilities to consider when choosing an enterprise MDM product are:

  • Device Diversity
  • Policy Enforcement
  • Security and Compliance
  • Containerization
  • Inventory Management
  • Software Distribution
  • Administration and Reporting
  • IT Service Management
  • Network Service Management
  • Delivery Mode

Device Diversity: the degree of diversity in mobile devices and mobile OS platforms that the MDM product under consideration can handle. This includes:

  • Support for one or more OS platforms, such as Android, iOS, etc. (Note that support for Research In Motion [RIM] OS and Windows Phone 7 is rated as a plus because fewer vendors have added them.)
  • Support for media tablets
  • Support for ruggedized devices
  • Support for simpler phones

Policy Enforcement: mechanisms to detect policy violations on managed devices and act on them, such as:

  • Enforce policies on eligible devices:
    • Detect OS platforms and versions, installed applications, and manipulated data.
    • Detect jailbroken iOS devices and rooted Android devices.
    • Filter (restrict) access from noncompliant devices to corporate servers (e.g., email).
  • Enforce application policies:
    • Restrict downloadable applications through whitelists and blacklists.
    • Monitor access to app stores and application downloads, put prohibited applications in quarantine and/or send alerts to IT/managers/users about policy violations.
    • Monitor access to Web services, social networks and app stores, and send alerts to IT/managers/users about policy violations and/or cut off access.
  • Enforce mobile communications expense policies:
    • Monitor roaming usage.
    • Detect policy violations (e.g., international roaming) and, if needed, take action (e.g., disabling access to servers and/or sending alerts to IT/managers/users about policy violations).
  • Enforce separation of personal versus corporate content:
    • Manage corporate apps on personal devices, and personal apps on corporate devices.
    • Tag content as personal or corporate through flags.
    • Detect violations of separation and, if needed, send alerts to IT/managers/users.
    • If a container is in use, prohibit exporting data outside the container (e.g., when opening an email attachment), and regulate interaction between different enterprise containers.
  • Restrict or prohibit access to corporate servers (e.g., to the email server or email account) in case of policy violation.
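The checks listed above (OS version, jailbreak/root state, app whitelist and blacklist, roaming, and cutting off email access on violation) are what an MDM policy engine evaluates against each device check-in. The following is an added example, not the page's or any vendor's code: the device records, policy values, field names and action strings are all constructed for illustration and are not a vendor schema.

```python
"""Added example (not from the page or any MDM vendor): a minimal compliance
evaluator of the kind an MDM policy engine runs over device check-in records.
Device records, policy values and the "action" strings are constructed for
illustration; the field names are assumptions, not a vendor schema."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


@dataclass
class DeviceRecord:
    device_id: str
    platform: str                   # "ios" or "android"
    os_version: str                 # e.g. "16.2.1"
    compromised: bool               # jailbroken (iOS) or rooted (Android)
    installed_apps: Set[str]
    roaming_country: Optional[str]  # None when on the home network


@dataclass
class Policy:
    min_os_version: Dict[str, str]  # platform -> minimum acceptable version
    blacklist: Set[str]             # apps that are never allowed
    whitelist: Optional[Set[str]]   # when set, only these apps are allowed
    home_country: str


@dataclass
class Verdict:
    device_id: str
    violations: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.violations


def version_key(version: str) -> tuple:
    """Compare versions numerically, so "10" is not ranked below "9" as a string."""
    return tuple(int(p) for p in re.findall(r"\d+", version))


def evaluate(device: DeviceRecord, policy: Policy) -> Verdict:
    v = Verdict(device.device_id)
    # OS platform and version
    minimum = policy.min_os_version.get(device.platform)
    if minimum is None:
        v.violations.append(f"unsupported platform {device.platform}")
    elif version_key(device.os_version) < version_key(minimum):
        v.violations.append(f"OS {device.os_version} below minimum {minimum}")
    # jailbroken / rooted device
    if device.compromised:
        v.violations.append("device is jailbroken or rooted")
    # application blacklist / whitelist; prohibited apps are quarantined
    for app in sorted(device.installed_apps & policy.blacklist):
        v.violations.append(f"blacklisted app {app}")
        v.actions.append(f"quarantine:{app}")
    if policy.whitelist is not None:
        for app in sorted(device.installed_apps - policy.whitelist - policy.blacklist):
            v.violations.append(f"app not on whitelist {app}")
    # communications expense policy
    if device.roaming_country and device.roaming_country != policy.home_country:
        v.violations.append(f"international roaming in {device.roaming_country}")
        v.actions.append("alert:roaming")
    # any violation filters the device from corporate mail and alerts IT
    if v.violations:
        v.actions += ["block:email", "alert:it"]
    return v


# constructed sample policy and check-in records
POLICY = Policy(
    min_os_version={"ios": "15.0", "android": "11"},
    blacklist={"com.example.sideloaded-tunnel"},
    whitelist=None,
    home_country="US",
)
DEVICES = [
    DeviceRecord("ios-001", "ios", "16.2.1", False, {"com.example.mail"}, None),
    DeviceRecord("and-002", "android", "10", True,
                 {"com.example.mail", "com.example.sideloaded-tunnel"}, "FR"),
]


def run_checks(devices=DEVICES, policy=POLICY) -> Dict[str, Verdict]:
    """Evaluate every record and return the verdicts keyed by device id."""
    return {d.device_id: evaluate(d, policy) for d in devices}


if __name__ == "__main__":
    for verdict in run_checks().values():
        state = "compliant" if verdict.compliant else verdict.violations
        print(verdict.device_id, state, verdict.actions)
```

The verdict separates what was detected (violations) from what the engine does about it (actions), which is the split a reporting console needs: the violation list feeds the audit trail, the action list drives the server-side filter and the alerts. Version strings are compared numerically because a lexical comparison would rank Android "10" below "9".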

Security and Compliance: a set of mechanisms to protect corporate data on the device and corporate back-end systems, and to preserve compliance with regulations:

  • Password enforcement (strong alphanumeric password)
  • Device lock (after a given number of minutes of inactivity)
  • Remote wipe: selective remote wipe (e.g., only corporate content) and total remote wipe (hard wipe; data not recoverable after deletion)
  • Local data encryption (phone memory, external memory cards)
  • Certificate-based authentication (including device ID, OS version, phone number); certificate distribution
  • Monitoring device and data manipulation on device
  • Rogue app protection (e.g., application quarantine)
  • Firewall
  • Antivirus
  • Mobile VPN
  • Message archiving (SMS, IM, email, etc.) and retrieval; recording of historical events for audit trail and reporting

Containerization: a set of mechanisms to separate corporate from private content (data, applications) on a device and to apply a range of actions controlling the corporate footprint, such as:

  • Local data encryption
  • On-the-fly decryption
  • Selective remote wipe
  • No data export to other containers (data leakage prevention)
  • Controlled communication among containers
  • Application containerization (beyond email)
  • Containerization based on virtualization technology (e.g., Open Kernel Labs [OK Labs] OKL4, VMware MVP, ARM TrustZone)
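The selective remote wipe and audit trail in the Security and Compliance list, and the data-leakage prevention and controlled inter-container communication in the Containerization list, are easiest to reason about as operations on tagged content. The following model is an added example, not the page's or any vendor's code; the container names, item names and the table of permitted flows are constructed for illustration.

```python
"""Added example (not from the page or any MDM vendor): a small model of
container-based separation of corporate and personal content, with controlled
flows between containers, selective remote wipe and an audit trail. Container
names, item names and the flow table are constructed for illustration."""
from dataclasses import dataclass, field
from typing import List, Set, Tuple


class ExportDenied(Exception):
    """Raised when content would leave its container against policy."""


@dataclass
class Item:
    name: str
    container: str   # "personal", "corporate", or another enterprise container


@dataclass
class Device:
    # permitted (source, destination) flows; every other cross-container flow is denied
    allowed_flows: Set[Tuple[str, str]] = field(default_factory=set)
    items: List[Item] = field(default_factory=list)
    audit: List[str] = field(default_factory=list)   # historical events for reporting

    def add(self, name: str, container: str) -> None:
        self.items.append(Item(name, container))
        self.audit.append(f"add {name} in {container}")

    def export(self, name: str, source: str, destination: str) -> None:
        """Copy an item into another container, e.g. opening a mail attachment
        in an app that lives outside the mail container."""
        if not any(i.name == name and i.container == source for i in self.items):
            raise KeyError(f"{name} not in {source}")
        if source != destination and (source, destination) not in self.allowed_flows:
            self.audit.append(f"DENY export {name} {source}->{destination}")
            raise ExportDenied(f"{source}->{destination} not permitted")
        self.items.append(Item(name, destination))
        self.audit.append(f"export {name} {source}->{destination}")

    def selective_wipe(self, containers: Set[str]) -> int:
        """Remove only the content of the named containers (e.g. corporate)
        and leave personal content untouched; returns the number removed."""
        before = len(self.items)
        self.items = [i for i in self.items if i.container not in containers]
        removed = before - len(self.items)
        self.audit.append(f"selective wipe {sorted(containers)}: removed {removed}")
        return removed

    def full_wipe(self) -> int:
        """Total wipe: everything on the device goes."""
        removed = len(self.items)
        self.items = []
        self.audit.append(f"full wipe: removed {removed}")
        return removed

    def names_in(self, container: str) -> List[str]:
        return [i.name for i in self.items if i.container == container]


def demo() -> dict:
    """Walk the controls on a constructed device and return what happened."""
    d = Device(allowed_flows={("corporate", "corporate-finance")})
    d.add("q3-forecast.xlsx", "corporate")
    d.add("family-photo.jpg", "personal")
    denied = False
    try:
        # would move enterprise data to a personal app: data leakage, denied
        d.export("q3-forecast.xlsx", "corporate", "personal")
    except ExportDenied:
        denied = True
    # flow between two enterprise containers that policy explicitly permits
    d.export("q3-forecast.xlsx", "corporate", "corporate-finance")
    # device lost or employee leaves: wipe corporate content only
    removed = d.selective_wipe({"corporate", "corporate-finance"})
    return {
        "denied": denied,
        "removed": removed,
        "remaining": [i.name for i in d.items],
        "audit": d.audit,
    }


if __name__ == "__main__":
    for line in demo()["audit"]:
        print(line)
```

Two design points carry over to real products: the flow table is default-deny, so a new enterprise container cannot talk to an existing one until someone adds the edge, and every denied export is written to the audit trail rather than silently dropped, which is what gives IT the policy-violation alerts the page describes.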

Inventory Management: a set of mechanisms to provision, control and track devices connected to corporate applications and data:

  • Asset management and inventory
  • Device configuration and imaging
  • Device activation and deactivation
  • Provisioning (OTA):
    • Distribution (push)
    • Configuration (push):
      • Device configuration
      • iPhone profiles
  • Lock down hardware features (e.g., enable/disable hardware: camera, removable media card, infrared [IR] port, Bluetooth, Wi-Fi)
  • Monitoring:
    • Performance
    • Battery life
    • Memory
  • Lost-phone recovery:
    • Locate and map
    • Restore and migrate