We throw around the terms MDM, MAM, EMM, and UEM, taking for granted that everybody knows what they mean. But, if you’re new to the space, you might need a quick guide to tell the difference between mobile device management, mobile app management, enterprise mobility management, and the most recent variant, unified endpoint management. Brian wrote an article outlining MDM, MAM, and MIM a few years ago, but since we don’t really use MIM anymore and these new terms have come along, here’s an updated take.
What is MDM?
While mobile computers (and means to manage them) have been around for at least two decades, mobile device management as we know it arrived a few years after the introduction of the iPhone and Android.
Mobile device management software, which is available as a cloud service or as traditional on-premises software, uses a remote management protocol to do things like enforce device passcodes and encryption; configure email, Wi-Fi, and VPN settings; install apps; locate, lock, or wipe lost or stolen devices; and so on. In other words, it’s how we take a consumer smartphone or tablet and make it meet the requirements of a business or educational setting.
Usually, the management protocol and the set of settings that can be managed are defined by the operating system vendor (Apple and Google), while the server side of MDM comes from third-party products like VMware Workspace One, Microsoft Intune, MobileIron, Citrix Endpoint Management, IBM MaaS360, and BlackBerry. A practical consequence is that no MDM server can enforce a setting the OS doesn’t expose, no matter which vendor you buy.
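To make “the settings are defined by the operating system” concrete, here is an added example (not code from the original article or from any MDM vendor) that builds an Apple configuration profile, the .mobileconfig plist an MDM server pushes to an iOS device, and then audits it against a baseline. The payload types and keys (`com.apple.mobiledevice.passwordpolicy`, `com.apple.wifi.managed`, `PayloadRemovalDisallowed`, and friends) are the ones Apple documents in its Configuration Profile Reference; the `com.example.mdm` identifier prefix, the sample Wi-Fi credentials, and the thresholds in `audit_profile()` are assumptions chosen for the example.

```python
"""Build and audit an Apple configuration profile (.mobileconfig).

Added illustration, not code from the original article or from any MDM
vendor. Payload keys are Apple's documented ones; ORG_PREFIX, the sample
Wi-Fi credentials and the audit thresholds are assumptions for this example.
"""
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"  # hypothetical reverse-DNS prefix for payload identifiers


def _envelope(payload_type, name):
    """Common keys every payload dictionary in a profile must carry."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{name}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }


def passcode_payload(min_length, allow_simple, require_alphanumeric, max_failed, max_inactivity):
    """Passcode policy payload: forces a device passcode with the given constraints."""
    payload = _envelope("com.apple.mobiledevice.passwordpolicy", "passcode")
    payload.update({
        "forcePIN": True,                          # a passcode must be set
        "allowSimple": allow_simple,               # True permits 1111 / 1234 style codes
        "requireAlphanumeric": require_alphanumeric,
        "minLength": min_length,
        "maxFailedAttempts": max_failed,           # wipe after this many wrong guesses
        "maxInactivity": max_inactivity,           # seconds of idle time before auto-lock
        "maxGracePeriod": 0,                       # require the passcode as soon as it locks
    })
    return payload


def wifi_payload(ssid, psk):
    """Managed Wi-Fi payload. The PSK travels inside the profile, so the profile is sensitive."""
    payload = _envelope("com.apple.wifi.managed", "wifi")
    payload.update({
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": psk,
    })
    return payload


def build_profile(payloads, removal_disallowed):
    """Top-level profile dictionary that wraps the individual payloads."""
    profile = _envelope("Configuration", "baseline")
    profile["PayloadRemovalDisallowed"] = removal_disallowed  # user can't delete it in Settings
    profile["PayloadContent"] = payloads
    return profile


def to_mobileconfig(profile):
    """Serialize to the XML plist an MDM server would push (unsigned in this example)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def parse_mobileconfig(data):
    """Inverse of to_mobileconfig: read a pushed profile back into a dictionary."""
    return plistlib.loads(data)


def audit_profile(profile):
    """Return findings for settings weaker than this example's (assumed) baseline."""
    findings = []
    if not profile.get("PayloadRemovalDisallowed"):
        findings.append("profile can be removed by the user")
    passcode = [p for p in profile["PayloadContent"]
                if p["PayloadType"] == "com.apple.mobiledevice.passwordpolicy"]
    if not passcode:
        return findings + ["no passcode policy payload"]
    p = passcode[0]
    if not p.get("forcePIN"):
        findings.append("passcode not forced")
    if p.get("allowSimple", True):                 # Apple's default is True, so absent == weak
        findings.append("simple passcodes (1111, 1234) allowed")
    if p.get("minLength", 0) < 6:
        findings.append("minLength below 6")
    if p.get("maxFailedAttempts", 11) > 10:
        findings.append("more than 10 failed attempts before wipe")
    if p.get("maxInactivity", 901) > 900:
        findings.append("auto-lock later than 15 minutes")
    return findings


# Constructed sample profiles: a weak one and the hardened baseline.
WEAK_PROFILE = build_profile(
    [passcode_payload(4, True, False, 20, 3600), wifi_payload("corp-wifi", "hunter2")],
    removal_disallowed=False)
HARDENED_PROFILE = build_profile(
    [passcode_payload(8, False, True, 10, 300), wifi_payload("corp-wifi", "hunter2")],
    removal_disallowed=True)

if __name__ == "__main__":
    print(to_mobileconfig(HARDENED_PROFILE).decode())
    print("weak profile findings:", audit_profile(WEAK_PROFILE))
```

Two things the example makes visible that the prose glosses over: every knob is an Apple-defined key, so the server is really just choosing values for a vocabulary the OS dictates; and a profile carries secrets such as the Wi-Fi PSK in the clear, which is why real MDM servers sign profiles and deliver them over the authenticated MDM channel rather than by email.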
Compared to traditional endpoint management (like how we’ve been managing Windows PCs for the past 25 years), MDM has a few key differences:
First, modern mobile devices can be managed remotely, over the internet. There’s no need for devices to be on the corporate network or a VPN.
Second, mobile devices are more tightly controlled than Windows was back in the day. You can’t get under the hood and mess with the operating system, and apps don’t run around messing with DLLs. Instead, apps are sandboxed and can’t see each other’s data, they mostly come directly from official app stores, and they install and uninstall without leaving anything behind. To access sensitive data like user location, they have to explicitly ask for permission and use standard APIs. Also, operating system updates arrive frequently, directly from official sources. And there’s no “imaging” a mobile device—you just take the OS as it comes and configure it as needed.
Third, mobile devices often contain users’ personal apps and data, in addition to corporate apps and data. This is thanks to the trend of BYOD (bring your own device) and the deployment practice known as COPE. (COPE stands for corporate-owned, personally enabled, which means the company owns the phone and can ultimately set whatever policies it wants, but it also lets users treat it like their own phone and install personal apps.) In response, modern mobile operating systems have features that can be configured via MDM both to keep corporate data from leaking into personal apps and to shield personal data from the employer. (I’ll cover this more in the MAM section.)
Today, MDM covers a broad range of use cases on iOS and Android. For example, using iOS Supervised Mode or Android Enterprise dedicated devices, you can lock down devices in kiosk use cases, such as education, point of sale, and industrial devices. For more, check out Apple’s reference materials, and Google’s Android Enterprise materials.
What is MAM?
Mobile app management is the idea of applying security settings directly to apps rather than to the whole device. For example, you might want to require that an app encrypts its data and has its own passcode, remotely wipe or uninstall a single app, or prevent data leakage by blocking screenshots or cut and paste out of the app.
MAM is especially useful when devices have both work and personal apps and data. Companies can protect their corporate data with security policies, but since the policies apply only to the work apps, users don’t have to put up with onerous policies when they’re using their personal apps. This is sometimes referred to as “containerization.”
In the early days of iOS and Android, the only way to do MAM was to build all of the desired management features directly into special versions of apps. For example, there are many enterprise email clients and browsers with MAM built in; or companies can use SDKs or app wrapping to add MAM features to their own custom apps. I like to call this type of MAM “app-based MAM,” and a lot of people also call it “MAM-only” or “MAM without enrollment.” One final thing to note is that customers can’t just take any random app from a public store and add MAM features into it—they have to be built in by the developer.
Later on, mobile operating systems started to include their own MAM features, where certain management policies can be applied to specific apps. This is also MAM, but since it’s built into the operating system, I like to call it “device-based MAM.” You might also hear someone call this “native containerization” or something like that. The advantage is that you can put any app you want into these management buckets; on the other hand, you’re limited to whatever features the device happens to provide, and the device has to be enrolled in MDM. Today, most devices have these features, including iOS (version 7 and later), Samsung devices (with Samsung Knox), and Android (via Work Profiles, available from Android 5 and later).
You can see that the different types of MAM have different strengths and weaknesses, so it can get kind of confusing. The best thing to do is consider your use case. Sometimes companies want to avoid the liabilities of BYOD, or users are concerned about privacy, and there are still plenty of reasons why companies say no to BYOD. Instead of leaning heavily on MAM, sometimes users just wind up having separate work and personal phones. Other times, like with contractors or gig workers, the company can’t enroll a device in MDM at all, so they have to go with the app-based MAM approach.
What is EMM?
In the days before enterprise mobility management, there were mobile device management vendors and mobile app management vendors, and they would compete with each other. Fortunately, they came to their senses, and realized that different use cases call for different techniques. Soon, we saw the emergence of vendors that provided both MDM and MAM, and people started calling this enterprise mobility management. (There are still some companies that focus on just MDM or just MAM for specialized use cases, though.)
EMM vendors sought to cater to all enterprise mobility needs, and many also have products like enterprise file sync and share, note-taking apps, corporate directory apps, and the like.
In more recent years, the rise of cloud apps has prompted many EMM vendors to also offer identity management features like federation and multi-factor authentication. In addition, many EMM vendors integrate with other identity management products like Okta or Ping Identity. As a result, companies can now implement conditional access policies, where users can only reach an application if their device (or, for MAM-only deployments, the app) meets set security requirements at the time of sign-in.
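What a conditional access decision looks like once the EMM signals reach the identity provider, as an added example that is not part of the original article and is not any vendor’s policy engine: the device attributes, the policy fields, and the three outcomes (allow, require MFA, deny) are assumptions modelled on how such policies are commonly described. It also covers the two failure modes a practitioner has to handle: compliance data that is stale, and OS versions compared as strings.

```python
"""Toy conditional access evaluator.

Added illustration, not code from the original article and not any EMM or
identity vendor's policy engine. DeviceState, AccessPolicy, the sample
devices and the fixed clock are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class DeviceState:
    """What the EMM reports to the identity provider about a device at sign-in."""
    enrolled: bool            # enrolled in MDM (device-based management)
    mam_policy_applied: bool  # app-based MAM policy active inside the requesting app
    encrypted: bool
    passcode_set: bool
    jailbroken: bool
    os_version: str           # e.g. "13.2.1"
    last_checkin: datetime    # last time the EMM heard from the device


@dataclass
class AccessPolicy:
    min_os_version: str
    max_checkin_age: timedelta      # compliance older than this is treated as unknown
    allow_unmanaged_with_mfa: bool  # let unmanaged devices in only after MFA?


def parse_version(v):
    """'13.2.1' -> (13, 2, 1); tuple comparison avoids the '9.10' > '12.0' string bug."""
    return tuple(int(part) for part in v.split("."))


def is_compliant(device, policy, now):
    """Device-level compliance, computed only from data fresh enough to trust."""
    if now - device.last_checkin > policy.max_checkin_age:
        return False  # stale report: fail closed rather than trust old state
    return (device.encrypted and device.passcode_set and not device.jailbroken
            and parse_version(device.os_version) >= parse_version(policy.min_os_version))


def evaluate_access(device, policy, now):
    """Return 'allow', 'require_mfa' or 'deny' for one sign-in."""
    if device.jailbroken:
        return "deny"  # compromised device: no path to corporate data
    if device.enrolled:
        return "allow" if is_compliant(device, policy, now) else "deny"
    if device.mam_policy_applied:
        # App-based MAM: the app, not the device, enforces encryption and passcode,
        # so only the OS floor is checked here.
        ok = parse_version(device.os_version) >= parse_version(policy.min_os_version)
        return "allow" if ok else "deny"
    return "require_mfa" if policy.allow_unmanaged_with_mfa else "deny"


# Fixed clock and constructed sample devices so the example is deterministic.
NOW = datetime(2019, 6, 1, tzinfo=timezone.utc)
POLICY = AccessPolicy(min_os_version="12.0",
                      max_checkin_age=timedelta(hours=24),
                      allow_unmanaged_with_mfa=True)

SAMPLE_DEVICES = {
    "managed_compliant":    DeviceState(True,  False, True,  True,  False, "12.3.1", NOW - timedelta(hours=2)),
    "managed_stale":        DeviceState(True,  False, True,  True,  False, "12.3.1", NOW - timedelta(days=3)),
    "managed_old_os":       DeviceState(True,  False, True,  True,  False, "9.10",   NOW - timedelta(hours=1)),
    "byod_mam_only":        DeviceState(False, True,  True,  True,  False, "13.0",   NOW - timedelta(hours=1)),
    "contractor_unmanaged": DeviceState(False, False, False, False, False, "12.1",   NOW - timedelta(days=30)),
    "jailbroken":           DeviceState(True,  False, True,  True,  True,  "12.3.1", NOW),
}


def evaluate_all(policy=POLICY, now=NOW):
    """Decision for every sample device under the given policy."""
    return {name: evaluate_access(d, policy, now) for name, d in SAMPLE_DEVICES.items()}


if __name__ == "__main__":
    for name, decision in evaluate_all().items():
        print(f"{name:22s} -> {decision}")
```

The stale-check-in case is the one that bites in practice: a phone that was compliant three days ago and has not checked in since may have been wiped, jailbroken, or handed to someone else, so the evaluator fails closed instead of trusting the last known state. The `managed_old_os` case shows why versions are parsed into tuples; as plain strings, "9.10" sorts after "12.0" and a minimum-OS check silently passes.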
Today, EMM products are fairly mature. Most large enterprises already have an EMM platform in place, but even smaller businesses could still find helpful uses for enterprise mobility management.
What is UEM?
Now we have unified endpoint management: Over the last few years, desktop operating systems like Apple macOS and Microsoft Windows 10 have added mobile device management features, and in response, EMM and MDM vendors started supporting desktops and laptops. (By the way, this use of UEM is not to be confused with user environment management, another definition of UEM that we use frequently on this website.)
Of course, desktop operating systems and applications have decades of complexity, so it’s hard for the recently-added MDM APIs to do all the same things that traditional desktop management platforms do. In response, EMM and MDM platforms that aim to be unified endpoint management platforms have been gradually adding in some traditional management features, as well. (And, the MDM APIs in Windows 10 and macOS have been getting more powerful and complex, too.)
Another approach to unified endpoint management is to simply integrate the backend services for MDM with the backend services for traditional endpoint management.
Today, the state of the art for unified endpoint management is to use a mixture of traditional management and MDM; and provide management for mobile devices, laptops, mobile apps, and sometimes other types of devices. For example, Microsoft is blending System Center Configuration Manager with Intune MDM. VMware is adding many aspects of traditional management into Workspace One, as well.
Bonus: What is a workspace?
With EMM and UEM, the trend today is to unify the management of as many aspects of the end user experience as possible. Platforms seek to manage laptops, mobile devices, mobile apps, browsers, authentication and identity, and virtual desktops, all from one platform, with security policies that can span the whole stack. This is called ‘workspace’ management.
While EMM for mobile devices is well established, we’re still in the early days of unified endpoint management, using MDM to manage laptops, and workspace management. This space is what we cover on a daily basis here at BrianMadden.com, so follow us for the latest developments.