KuppingerCole Report
Leadership Compass
By Richard Hill

Unified Endpoint Management (UEM)

This report provides an overview of the market for Unified Endpoint Management (UEM) and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing UEM solutions.

1 Introduction

The landscape of enterprise and personal computing technology is continuously evolving. It didn’t seem that long ago, where the work environment consisted of a desktop computer and a landline phone. Traditional management of the desktop computers relied on manual updates of software and patches that were layered on top of each other. Later, “Gold Images” of desktop operating systems were used to provide a good know state of the OS but still required patches on a routine schedule, which would become what was known as traditional management.

As mobile phones became economically available, laptops and tablets computers replaced many stationary desktop computers; the business could control the employee device regarding it’s OS and software applications used as well as security controls when the device was within the perimeter of the organization. Client management tools were used to manage these environments. Client management involves capabilities such as OS deployment, software distribution, patch management, monitoring, and remote-control tools to support administration or to help automate other support functions that are typically executed manually.

Later, organizations needed to quickly deal with the introduction of the bring-your-own-device (BYOD) paradigm shift. Organizations required policies to define the boundaries of BYOD that included the ability to segregate the business data and applications from personal data and applications. Mobile device management (MDM) provided the tools to control the device functionality and help manage the lifecycle of these mobile devices and their platforms. Enterprise Mobility Management (EMM) solutions added mobile information as well as application and content management. The ability to push software, updates or patches to devices become what is known as modern endpoint management.

Since then, work environments are continuing to change. The range of endpoint device types have expanded past desktop, laptop, tablets, and mobile phone to now include printers, IoT devices, wearables like Apple Watch, and even newer types of endpoint devices that support virtual/augmented/mixed reality environments using headsets such as Oculus and HoloLens. Businesses are seeking to improve productivity and efficiency, while employees want to work from anywhere at any time. And with the more recent Covid-19 world we live in today, the requirement to work from home has become imperative, which requires the use of mobile devices to access enterprise applications and data as if they were in the office.

Given the complexity and growing number of different types of technologies involved in linking employees to corporate data both on-premise and in the cloud, mobile device management has gone through several iterations and approaches, with many enterprises now standardizing on a Unified Endpoint Management (UEM) approach.

This KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership Compass focuses on Unified Endpoint Management from vendors from more localized geographic region to vendors with a global presence. It considers these services in the context of the hybrid, on-premises, and cloud, with IT services delivery models commonly now found in enterprises.

Figure 1: Unified Endpoint Management

1.1 Market Segment

Endpoint Management is a market category that runs under a variety of names, such as Client Lifecycle Management, Unified Endpoint Management, and others. However, we see a clear trend towards comprehensive solutions supporting a variety of capabilities and types of endpoints. Thus, this Leadership Compass focuses on what is commonly referred to as Unified Endpoint Management. In this context, endpoints can be defined as traditional desktop or laptop computers, smartphones, tablets, wearables, printers, Internet of Things (IoT) devices, and even Virtual Reality (VR) headsets.

What is sometimes called client or service management involves capabilities such as OS deployment, software distribution, patch management, monitoring, and remote-control tools to support administration or to help automate other support functions that are typically executed manually. This type of management is also used to manage endpoint lifecycle, such as with UEM application management. Client management is a market segment in transition. Unified Endpoint Management (UEM) and Workspace Management are two of the major trends in client management.

A trend that has already become apparent in recent years has now become established. The separation between classic client management, which is usually based on Windows, and the management of mobile end devices (EMM, Enterprise Mobility Management) is now the exception rather than the rule. Most of the leading providers are focusing on Unified Endpoint Management, i.e., on solutions with which all types of end devices can be managed, from the variety of different desktops operating systems such as Windows, macOS, Linux or Chrome to mobile end devices with Android or iOS as the operating system.

The range of functions offered by such solutions now goes far beyond classic client management. It also includes the provision of configured work environments for employees, inventory, management of the operating system and applications, including security management, but also the management of content on end devices, for example, with the separation of personal and business apps and data.

Patch management, which a few years ago was often a separate product category, is also typically part of UEM solutions to the extent required today. Specialized solutions are still available, and patch management is also available in endpoint security solutions. However, most UEM products today also provide patch management functionality. Endpoint security can also be included in UEM, which sometimes intersects with other Endpoint Detection & Response (EDR) products. More information on this topic can be found in the KuppingerCole Buyer's Compass: Endpoint Detection & Response (EDR).

In addition to these influencing factors of workspace and user device expectations, other factors need to be considered when deciding how client management will be designed in the future. These include changes in application provisioning, client management from the cloud, integration with ITSM (IT Service Management) solutions, and the different concepts for client management on the one hand and for the provision of virtual work environments, i.e., the Digital Workspaces, on the other.

Here are some considerations of UEM solutions that this Leadership Compass covers:

  • Products that are more classic software solutions that are installed and operated locally
  • Cloud and hybrid UEM solutions
  • Providers that have options for operation "as a service" that allow complete UEM to be obtained as a service without the need to install and operate servers locally
  • The areas of UEM that the solution focuses on (e.g. device, application, security, patching, etc.)
  • The breadth of operating systems and device types that the solution can support
  • The depth of endpoint life cycle management the solution provides
  • The level of application software, packaging or patch management
  • Solutions that provide endpoint content management and containment capabilities
  • The strength of the solutions endpoint security.

Ultimately, the selection of any UEM solution on the market will depend on the organization’s particular requirements, which may depend on many other aspects such as existing infrastructure management or other IT solutions currently being used today. For example, if a specialized endpoint security solution is already in use, this functional area of UEM solutions is less or not at all relevant. Or if the organization only needs to focus on device and patch management capabilities, then maybe some fully-featured UEM solutions may not be required, and a UEM solution with those specific features may be a better fit. In all cases, it is recommended that a structured selection process should be carried out before the product decision is made.

1.2 Delivery models

Although all delivery models are looked at, it is worth considering the pros and cons of each delivery model against the use case for Unified Endpoint Management solutions. For instance, a Unified Endpoint Management solution that can serve smaller use cases while also integrating endpoint management for other organizational services should be delivered in such a way that allows setting up instances of the service immediately. Also, it is good to be aware that in most cases, public cloud solutions are generally multi-tenant, while some cloud services are actually single-tenant. Other approaches use container-based deployments to provide consistent delivery of a vendor’s solution, whether cloud-hosted or on-premises. Ultimately selecting the right Unified Endpoint Management solution delivery model will depend on the customer requirements and their use cases.

1.3 Required capabilities

When evaluating the products, we start by looking at standard criteria such as:

  • overall functionality
  • size of the company
  • number of customers
  • number of developers
  • partner ecosystem
  • licensing models
  • platform support

Each of the features and criteria listed above will be considered in the product evaluations below. We’ve also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market.

When looking at this market segment, we are evaluating solutions that support a broad range of features that span the management of the endpoint device themselves, management of applications on the endpoints, device content management, and security controls for the endpoint. Aside from the baseline features such as delegated administration, and reporting, etc., we expect to see at least some of the capabilities listed in the required capabilities below as necessary features. In addition, Endpoint Management solutions must support centralized management of the various types of endpoints, as well as endpoint applications and overall configuration.

Features such as License Management, Asset Management, Contract Management, Patch Management, or Help Desk Services are also considered but are not mandatory for this category of products. However, delivering a very comprehensive set of capabilities will influence our ratings.

Expected features include, amongst others:

  • Support for endpoint life cycle management that includes:

    • Endpoint onboarding
    • Provisioning
    • Decommissioning
    • Remote access or wiping
    • Inventorying
    • OS management
  • Application software deployment and packaging capabilities such as:

    • Enterprise App Store enrollment of users and their devices
    • Appling policies and controls to applications on the endpoint
    • whitelisting or blacklisting applications
    • Support for bulk distributions of applications or configurations
  • Endpoint security that can support capabilities like:

    • Authentication
    • Access policies
    • Context-based access
    • Single Sign-On (SSO)
    • Certificate management
    • Application code signing
    • Analytics to monitor risks based on user, app, and endpoint behavioral patterns
  • Endpoint content management that can provide capabilities such as:

    • Ability to separates business from personal apps and data
    • Prevent sensitive data leaks
    • Apply rules and policies to documents and other content on the device
    • Audit trails for device configuration changes and access to sensitive content
  • Support for various systems beyond Windows clients, such as mobile devices systems

    • E.g., iOS, Android, Windows 10, macOS, Linux

Inclusion criteria:

  • Support for several of the capabilities listed above

Exclusion criteria:

  • Point solutions that support only isolated capabilities, such as:
    • Support for windows devices only
    • Support for desktop/workstation or servers only
    • Support for only mobile devices using one type of operating system
    • Support for only IT remote desktop access and troubleshooting
    • Pure-play Enterprise Mobility Management solutions that don’t support notebooks and PCs

We’ve reached out to a large number of vendors for providing a comprehensive overview of the current state of the market. Picking the right vendor finally always will depend on your specific requirements and your current and future landscape that will be managed.

2 Leadership

Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Leadership Compass. The Leadership Compass provides a comparison based on standardized criteria and can help identifying vendors that shall be further evaluated. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept of pilot phase, based on the specific criteria of the customer.

Based on our rating, we created the various Leadership ratings. The Overall Leadership rating provides a combined view of the ratings for

  • Product Leadership
  • Innovation Leadership
  • Market Leadership
Figure 2: The Overall Leadership rating for the Unified Endpoint Management market segment

The Overall Leadership rating is a combined view of the three Leadership categories, i.e., Product Leadership, Innovation Leadership, and Market Leadership. This consolidated view provides an overall impression of our rating of the vendor’s offerings in the particular market segment. Notably, some vendors benefit, e.g. from a strong market presence will slightly drop in other areas such as innovation, while others show their strength, e.g. in the Product Leadership and Innovation Leadership, while having a relatively low market share or lacking a global presence. Therefore, we strongly recommend looking at all Leadership categories, the individual analysis of the vendors, and their products to gain a comprehensive understanding of the players in that market segment.

In the Overall Leadership rating chart, we see a typical mature market that remains crowded and is represented by the Unified Endpoint Management vendors we chose to represent in our Leadership Compass rating.

In the market for Unified Endpoint Management, there are six companies in the Overall Leaders segment. These include Microsoft, IBM, Citrix as established players with strong offerings and customer base, complemented by MobileIron and two relatively younger companies Matrix42, and ManageEngine, which have continued to hold its market share over the past few years and remains in the Leaders segment.

The remainder of the vendors fall into the Challenger segment closely clustered indicating similar levels of product, market and innovation. The grouping contains a mix of younger and older companies with Ivanti, at the top with Quest KACE and Micro Focus close in proximity. One vendor, Baramundi trails this grouping in the overall rating.

None of the companies evaluated placed in the Followers section.

Leadership does not automatically mean that these vendors are the best fit for a specific customer requirement. A thorough evaluation of these requirements and a mapping to the product features by the company’s products will be necessary.

Overall Leaders are (in alphabetical order):

  • Citrix
  • IBM
  • ManageEngine
  • Matrix42
  • Microsoft
  • MobileIron

Product Leadership is the first specific category examined below. This view is mainly based on the analysis of service features and the overall capabilities of the various services.

Figure 3: Product Leaders in the Unified Endpoint Management market segment

Product Leadership is where we examine the functional strength and completeness of services.

Product Leadership is the view in which we focus on the functional strength and completeness of the Unified Endpoint Management product. Since the Unified Endpoint Management market is fairly mature, we find no followers, some challengers, and a greater number of vendors qualifying for the Leaders segment. As vendors offer a wide variety of Unified Endpoint Management capabilities and differ in how well they support these capabilities, it is important for organizations to perform a thorough analysis of their Unified Endpoint Management requirements to align their priorities while evaluating a UEM solution.

In the Product Leadership, MobileIron is at the top followed by Microsoft, IBM, and Matrix42. Other vendors in this segment include Citrix and ManageEngine near the bottom border.

A four of the vendors are in the middle section of the Challenger section where we find a range of good products which didn’t quite make it into the Leaders sections because of maturity or missing some of the features found amongst the leaders.

Product Leaders (in alphabetical order):

  • Citrix
  • IBM
  • ManageEngine
  • Matrix42
  • Microsoft
  • MobileIron

Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and even emerging business requirements. Innovation is not about delivering a constant flow of new ¬-releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.

Figure 4: Innovation Leaders in the Unified Endpoint Management market segment

We have rated over half of the vendors as Innovation Leaders in the Unified Endpoint Management market, which has have driven this market forward through the innovation of their products. The leaders are MobileIron, Microsoft, IBM, Matrix42, Citrix, and ManageEngine.

The graphics need to be carefully read when looking at the Innovation capabilities, given that the x-axis indicates the Overall Leadership while the y-axis stands for Innovation. Therefore, while some vendors are closer to the upper right edge, others being a little more to the left score slightly higher regarding their innovativeness.

In the Challenger section of Innovation Leadership evaluation, we find the remaining vendors. Given the maturity of Unified Endpoint Management solutions, the amount of innovation we see is limited. The vendors, however, still continue to differentiate by innovating in niche areas.

None of the companies evaluated placed in the Followers section.

Innovation Leaders (in alphabetical order):

  • Citrix
  • IBM
  • ManageEngine
  • Matrix42
  • Microsoft
  • MobileIron

Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, number of transactions evaluated, ratio between customers and managed identities/devices, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and financial health of the participating companies. Market Leadership, from our point of view, requires global reach.

Figure 5: Market Leaders in the Unified Endpoint Management market segment

In the Market Leadership evaluation, we see Microsoft clearly at the top followed by IBM, MobileIron, and Citrix primarily for their large global customer base, partner and support network. At the bottom section of market leadership, is Micro Focus.

In the Challenger section, we find the remainder of the vendors that have good products but may be lacking in one or more areas of their customer base, partner or support network compared to the market leaders.

Market Leaders (in alphabetical order):

  • Citrix
  • IBM
  • Micro Focus
  • Microsoft
  • MobileIron

3 Correlated View

While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor that is delivering a solution that is both feature-rich and continuously improved, which would be indicated by a strong position in both the Product Leadership ranking and the Innovation Leadership ranking. Therefore, we provide the following analysis that correlates various Leadership categories and delivers an additional level of information and insight. These allow identifying, for instance, highly innovative but specialized vendors or local players that provide strong product features but do not have a global presence and large customer base yet.

3.1 The Market/Product Matrix

The first of these correlated views contrasts Product Leadership and Market Leadership

Figure 6: The Market/Product Matrix.

Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of “overperformers” when comparing Market Leadership and Product Leadership.

In this comparison, it becomes clear which vendors are better positioned in our analysis of Product Leadership compared to their position in the Market Leadership analysis. Vendors above the line are sort of “overperforming” in the market. It comes as no surprise that these are mainly the very large vendors, while vendors below the line are often innovative but focused on specific regions.

In the upper right segment, we find the “Market Champions”, which are leading in both the product and market ratings. This segment contains Microsoft at the top followed by IBM, and Citrix, with MobileIron close to the line showing good balance between market and product.

Micro Focus is the only vendor to appear in the top middle box, which indicates strong market presence, although lacks the comparable feature set of the Market Champions.

In the middle right-hand box, we see the vendors that deliver strong product capabilities for Unified Endpoint Management but are not yet considered Market Champions. All these vendors have a strong potential for improving their market position due to the stronger product capabilities that they are already delivering. These vendors are Matrix42 and ManageEngine.

In the middle of the chart, we see the remaining vendors that provide good but not leading-edge capabilities and therefore are not Market Leaders as of yet. They also have average market success as compared to market champions. These vendors include Ivanti, Quest KACE, and Baramundi.

All the vendors below the line are underperforming in terms of market share. However, we believe that each has a chance for significant growth.

3.2 The Product/Innovation Matrix

This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between the two views with a few exceptions. The distribution and correlation are tightly constrained to the line, with a significant number of established vendors plus some smaller vendors.

Figure 7: The Product/Innovation Matrix.

Vendors below the line are more innovative, vendors above the line are, compared to the current Product Leadership positioning, less innovative.

Here, we see a good correlation between the product and innovation rating, with most vendors being placed close to the dotted line indicating a healthy mix of product and innovation leadership in the market. Looking at the Technology Leaders segment, we find most of the leading vendors in the in the center of the box. The top-notch vendors are MobileIron, Microsoft, IBM and Matrix42 followed by Citrix and ManageEngine with vendors placing closer to the axis depicting a better balance of product features and innovation.

In the center box of the chart, we see the remainder of the vendors with Baramundi having slightly more product features and more innovation than Quest KACE and Ivanti which appear further to the right of the center box and Micro Focus appearing slightly lower and left within the box.

3.3 The Innovation/Market Matrix

The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innovation Leaders. This might impose a risk for their future position in the market, depending on how they improve their Innovation Leadership position. On the other hand, vendors which are highly innovative have a good chance for improving their market position. However, there is always a possibility that they might also fail, especially in the case of smaller vendors.

Figure 8: The Innovation/Market Matrix

In the upper right-hand corner box, we find the “Big Ones” in the Unified Endpoint Management market which are Microsoft, IBM, Citrix and MobileIron.

At the top and to the left of the Big Ones is Micro Focus show strong market position, but less in innovation than those in the Big Ones category.

The middle right box we find ManageEngine and Matrix42 indicating better innovation than market position.

The segment in the middle of the chart contains the vendors rated as Challengers both for Market and Innovation Leadership which includes Ivanti, Quest KACE, and Baramundi.

4 Products and Vendors at a glance

This section provides an overview of the various products/services we have analyzed within this KuppingerCole Leadership Compass on Unified Endpoint Management. This overview goes into detail on the various aspects we include in our ratings, such as security, overall functionality, etc. It provides a more granular perspective, beyond the Leadership ratings such as Product Leadership, and allows identifying in which areas vendors and their offerings score stronger or weaker. Details on the rating categories and scale are listed in chapter 7.2 to 7.4.

4.1 Ratings at a glance

Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1.

Product SecurityFunctionalityInteroperabilityUsabilityDeployment
Legend: criticalweakneutralpositivestrong positive
Baramundi Mangement Suite
Citrix Endpoint Management
IBM Security MaaS360
Ivanti UEM with Ivanti Cloud
ManageEngine Desktop Central
Matrix42 Unified Endpoint Management
Micro Focus ZENworks Suite
Microsoft Endpoint Manager
MobileIron
Quest Unified Endpoint Management

In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.

Vendor Innovativeness Market Position Financial Strength Ecosystem
Legend: criticalweakneutralpositivestrong positive
Baramundi Software
Citrix
IBM
Ivanti
ManageEngine
Matrix42
Micro Focus
Microsoft
MobileIron
Quest

Table 2 requires some additional explanation regarding the “critical” rating.

In Innovativeness, this rating is applied if vendors provide none or very few of the more advanced features we have been looking for in that analysis, like the level of analytics and AI used within the product, container-based delivery model, types of endpoint device that can be support such as wearables or IoT or the ability to automatically remediate compromised endpoint as some examples.

These ratings are applied for Market Position in the case of vendors which have a very limited visibility outside of regional markets like France or Germany or even within these markets. Usually the number of existing customers is also limited in these cases.

In Financial Strength, this rating applies in case of a lack of information about financial strength or for vendors with a very limited customer base but is also based on some other criteria. This doesn’t imply that the vendor is in a critical financial situation; however, the potential for massive investments for quick growth appears to be limited. On the other hand, it’s also possible that vendors with better ratings might fail and disappear from the market.

Finally, a critical rating regarding Ecosystem applies to vendors which have no or a very limited ecosystem with respect to numbers and regional presence. That might be company policy, to protect their own consulting and system integration business. However, our strong belief is that growth and successful market entry of companies into a market segment relies on strong partnerships.

5 Product/service evaluation

This section contains a quick rating for every product/service we’ve included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.

Spider graphs

In addition to the ratings for our standard categories such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. For the Unified Endpoint Management Leadership Compass, we look at the following six categories:

  • Device Management
    Management of various endpoint device types, which includes its life cycle management such as onboarding, provisioning, decommissioning, operating system management, remote access for support, troubleshooting or wiping, and device inventory.

  • Application Management
    This category focuses on the ability to control and apply policies to applications in regards to endpoint devices, as well as other application management features. It can include the capability to enroll devices and users via App Stores, software packaging and deployment, distribute applications to endpoints whether bulk or otherwise, applying aspects of security such as white or blacklisting applications, isolating corporate from private user applications, etc.

  • Content Management
    Endpoint content management generally refers to the ability to apply access rules and policies to documents or other content on the endpoint device. The rules and policies can be coarse or fine-grained enough to apply down to an individual file. Capabilities can also include catalogs of enterprise documents, content security, as well as audit logging, etc.

  • Patch Management
    This category focuses on the ability to distribute and apply endpoint device system patches (e.g. OS, application, etc.) from various vendors whether the patch is deployed on a schedule or critical/emergency patches distributed rapidly when necessary. Other capabilities include reporting of endpoint system status (e.g., patch level), missing patch discovery whether it’s a security hotfix, application, or others, level of automation, etc.

  • Centralized Endpoint Visibility
    The ability to provides a consolidated view and management of all endpoints regardless of where the solution is deployed. Centralized endpoint visibility often features a single pane view via a dashboard and provides visibility to device inventory, state, threats, policy management, licenses, reporting, etc.

  • Endpoint Intelligence
    This category looks at the level and use of analytics and/or artificial intelligence to provide insight into different aspects of the UEM domain as well as the ability to automate, assist or take action to remediate endpoint related issues, as well as other capabilities.

  • Endpoint Security
    There is a wide range of endpoint security considered, such as the ability to collect and analyze information, to detect and prevent the execution of malicious code (e.g., malware), prevent data loss, hardware destruction, or prevent lost productivity on user devices. Other capabilities considered can include the level of security intelligence, forensic investigation tools, firewall, and URL filtering, crypto libraries, file system monitoring, process obfuscation, as well as the ability to provide strong internal security and authentication for the management console, etc.

  • Admin & DevOps Support
    The ability to provide IT environment support options for both administrators of the solution and the operations team that can support their tools, automation, and continuous integrations.

The spider graphs provide comparative information by showing the areas where vendor services are stronger or weaker. Some vendor services may have gaps in certain areas, while are strong in other areas. These kinds of solutions might still be a good fit if only specific features are required. Other solutions deliver strong capabilities across all areas, thus commonly being a better fit for strategic implementations of Fraud Reduction technologies.

5.1 Baramundi Software

Founded in 2000 and headquartered in the European Union, baramundi software AG is owned by Wittenstein SE, Germany. The baramundi Management Suite focuses on securing cross-platform management of workstation and other endpoint environments.

The baramundi Management Suite not only provides support for endpoint mobile management, application management, content management, and patch management, but it also supports license and asset management. Basic endpoint security is available, although more advanced endpoint security capabilities are missing without modules powered by its partner DriveLock, as well as features such as device health monitoring or location tracking are not given. A good range of endpoint devices can be supported with the exception of wearables, although SNMP devices, SIEMENS Simatic (PLCs), Rugged Android mobile Devices (e.g., CipherLab devices) are supported. Endpoint operating system support includes iOS, Android, macOS, Windows 10 as well as most previous Windows versions, although Linux and chrome are not supported.

Endpoint lifecycle management includes endpoint device and application provisioning with endpoint activation QR-code enrollment provided. Broad platform support for patch management is given, which covers iOS, Android, Windows, and macOS, although Linux platforms are not supported. For Android and macOS, only updates of applications are supported, while system updates are not supported. Application software deployment includes the solution's integrated self-service portal that users can assign apps and tasks to their own devices. Software deployment mechanisms support MSI, InstallShield, SFX, Nullsoft. Their "Automation Studio" is given for GUI-based deployments. Both endpoint containment and content management use the Android Enterprise Work Profile and native mechanism in iOS. baramundi DeviceControl powered by DriveLock is utilized to prevent sensitive data from leaking externally. The baramundi Management Suite centralized UI supports only a Windows-Client. A fair number of out-of-the-box reports are given, although the solution provides pre-defined compliance reports such as GDPR, HIPPA, or PSD2, for example.

Although product deployment models such as on-premises, cloud, and hybrid can be supported, Baramundi focuses on on-premises with a managed service through partner organizations. Managed services include universal patch management with partners providing support during packaging, roll-outs, configuration as examples. Both SOAP and REST APIs are available to access the solution’s capabilities.

Baramundi Software is a privately-owned company serving the mid-market with a strong DACH regional presence. Baramundi Software shows particular strengths in the device, application, content, and patch management, although we see room for improvement in regards to endpoint intelligence and endpoint security features. Overall, Baramundi provides a comprehensive UEM solution with the Baramundi Management Suite.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Application management
  • Device management
  • Content management
  • Patch management
  • Good range of endpoint devices supported

Challenges

  • Heavily centered on the EU with limited global reach
  • Relatively small partner ecosystem outside of the DACH/GSA region
  • Limited endpoint intelligence capabilities without partner modules
  • Limited endpoint security features
  • Centralized product UI is Windows-Client only

5.2 Citrix

Founded in 1989 and headquartered in Fort Lauderdale, FL, Citrix Systems (Citrix) is a well-established IT vendor with a strong customer base. Citrix has a well-established partner ecosystem and continues to innovate its solutions in the areas of workspaces, virtual apps, and desktop, as well as optimizing the delivery of applications over the Internet and private networks. The Citrix Endpoint Management (formerly XenMobile), comes as a stand-alone product or included along with their other Digital Workspace offerings.

Citrix Endpoint Management provides support for mobile endpoint device, application, identity, and content management, as well as license and asset management, Citrix also supports more advance features such as device health monitoring and tracking. Mobile Expense Management is not given. Citrix Identity is a part of the Citrix Cloud, including the Citrix Workspace and Endpoint Management. A wide range of endpoint devices types is supported, including some IoT endpoints like Citrix Ready Workspace Hub (Raspbian based Raspberry Pi) and Alexa for Business as well as support for Apple Watch MDM policies and Secure Mail notifications on Apple Watch. Support for endpoints such as printers is not given. Supported endpoint operating systems include iOS, Android, Chrome, Windows 10 as well as Windows 8 and Windows 7 via their Workspace Environment Management agent.

The solution provides endpoint provisioning of users, devices, and applications. User onboarding can be achieved via enrollment invitations. Endpoint activation is given for supported operating systems. Devices can be selectively wiped during a decommissioning workflow. Remote access to endpoints is partner supported. Operating system deployment is available by services such as Windows Update Service or Apple OS service (iOS, macOS), although policies can be enforced via Citrix Endpoint Management. Endpoint troubleshooting via analytics and intelligence can be accomplished using the Citrix Analytics Service offering of their Citrix Workspace solution. Regarding application management, an enterprise app store enrollment is available for users and their devices. Limited support is given for application or software packaging for endpoints, although configuration support is given for ADMX files for Windows 10 applications, Powershell script deployment as well as full support for the AppConfig Community. Software deployment mechanisms include Win32, Apple VPP & ABM/ASM, Google Managed Play Store, Microsoft Store for Business, and Citrix MDX (Citrix's Proprietary Application Management Technology). WebClips deployments are also supported.

Citrix Endpoint Management deployment models cover on-premises, public cloud, and hybrid scenarios. The solution can be delivered as SaaS, virtual appliances, or as a managed service. Managed services are available from Citrix’s Service Provider community. The cloud delivery is monitored and managed by the Citrix Cloud Operations team supports full multi-tenancy for all components. Product functionality is accessible via REST APIs, although SOAP support is not available.

Citrix supports small to enterprise organizations with an emphasis on enterprise companies. Citrix also provides a good partner ecosystem as well as professional services. Customers are primarily located in North America with strong growth in the EMEA as well as the APAC region. Overall, Citrix Endpoint Management is one of the leaders in the Unified Endpoint Management product, market, and innovation segments. Citrix Endpoint Management integrates well into their overall Citrix digital workspace solution and should be of particular interest to Citrix’s existing customers as well as new customers.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Content management
  • Patch management
  • Endpoint security
  • Wide range of supported endpoint types
  • Good partner ecosystem

Challenges

  • Limited application/software packaging capabilities
  • Some features require integration with other Citrix services or third-party partners
  • Endpoint intelligence and analytics has dependency on the Citrix Analytics Service
  • Primary focus on the North American market, although showing growth in other regions

Leader in

Overall
Product
Innovation
Market

5.3 IBM

IBM is one of the leading companies in IT. Founded in 1911, it is one of the largest US-based firms. The MaaS360 product was originally developed by Fiberlink Communications as a cloud-hosted software-as-a-service (SaaS) platform in 2008 with a focus on managing more traditional endpoints. IBM MaaS360 with Watson has since evolved from a traditional cloud-based endpoint management product to an AI-enabled software-as-a-service (SaaS) Unified Endpoint Management (UEM) platform designed to give enterprises the ability to manage and secure a wide range of devices.

IBM Security MaaS360 covers a wide range of UEM features that include endpoint device, application, identity, content, patch, asset, license, and expense management, endpoint security, as well as device provisioning, tracking, and health monitoring. MaaS360 also gives broad support of endpoint types beyond desktop, laptops, and mobile devices to include tablets, wearables, IoT, and printers. Most endpoint operating systems are supported, such as iOS, Android, Windows 10, macOS, Chrome, as well as Windows 7, XP, and Zebra LinkOS, although Linux operating systems are not.

One strength is MaaS360 with Watson, which provides intelligence and cognitive abilities that give actionable insights and contextual analytics to their UEM offering. MaaS360 gives good endpoint containment capabilities and is accomplished through containerization, DLP, and encryption. It can also provide threat and attack detection of contained apps or data, which requires embedded IBM Trusteer and partnership with Wandera, both of which are sold by IBM and packaged with the MaaS360 product. With all of MaaS360’s many strengths, MaaS360 is missing application management software packaging and deployment capabilities, although support is given for importing packages created with other endpoint management solutions. Support for bulk distributions of applications or configurations is available. Additionally, MaaS360 provides single sign-on (SSO), conditional access, and multi-factor authentication (MFA) capabilities out-of-the-box through integrated features from IBM Cloud Identity.

MaaS360 can be offered as a standalone SaaS product to support enterprise organizations down to the SMB level. The cloud delivery gives full multi-tenancy. Also, it can also be offered as a managed service, whether partially or fully managed by IBM services. Managed services can support full device lifecycle management, Device as a Service (DaaS). MaaS360 functionality is also available via REST APIs and webhooks. SOAP is not supported.

IBM offers a large number of system integration partners on a global scale and substantial experience in large-scale deployments. The IBM MaaS360 offering provides full spectrum UEM capabilities supporting SMB to large enterprises, making them a strong contender in the UEM market.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Content management
  • Patch management
  • Endpoint intelligence
  • Endpoint security
  • Wide range of supported endpoints
  • Strong professional services and partner ecosystem

Challenges

  • UEM primary focused in North America, although expanding footprint in the EMEA and APAC regions.
  • SaaS only, no on-premises deployment model
  • Linux OS not supported
  • Missing software packaging capabilities
  • Requires integration with other IBM products for some more advanced features

Leader in

Overall
Product
Innovation
Market

5.4 Ivanti

Founded in 1985, Ivanti is a large company with 36 offices in 23 countries with headquarters in the Western US. Ivanti's products focus on two areas - Unified Endpoint Management and Enterprise Service Management. The Ivanti UEM with Ivanti Cloud offers a set of capabilities to manage and secure workstations, servers and mobile devices. Additional real-time intelligence and analytics, as well as integration to Service Management is available in Ivanti Cloud, which is included as part of the UEM offering.

Ivanti UEM features are more narrowly focused on including endpoint device, patch, asset, and license management, as well as some endpoint security and device provisioning, and health monitoring. Most endpoint devices are supported with the exception of wearables. Good support is given to a wide range of operating systems to include all mobile and desktop operating systems evaluated in this report.

Ivanti UEM gives good support to endpoint life cycle management, which includes user onboarding, and endpoint provisioning of users, devices, and applications. Ivanti has a particular strength in patch management and application management software packaging and deployment capabilities covering most areas, including scans and detection of endpoint software version, patch level, and health. Ivanti can also provide a large patch repository with 3rd party patches from various vendors that can be rolled out to endpoints. Some UEM limitations are with content management, and endpoint security capabilities. The solution does support some endpoint troubleshooting using analytics and intelligence features such as smart assistance feature tool that is part of UEM solution in Ivanti Cloud which can analyze and remediate the triggered events by an agent on the endpoint.

Ivanti supports all deployments models to include on-premises, public, and private cloud as well as hybrid. The Ivanti UEM can be delivered as software deployed to a server on-premises. In addition to the software deployed on premises is a cloud service virtual appliance that allows the on-premises product to communicate with devices via the internet. A managed service is also offered iwhich as a cloud-hosted instance, which provides support, and management to the customer. The Ivanti Cloud add-on component is multi-tenant. In addition, Ivanti UEM capabilities are accessible via SOAP or REST APIs.

Ivanti has a market presence in both North America and the EMEA region with a growing presence in both the APAC region and Latin America. Ivanti UEM with Ivanti Cloud supports small to enterprise organizations and a somewhat small partner ecosystem. Ivanti UEM with Ivanti Cloud provides a good option to customers looking for solutions with a particular focus on device and patch management features of UEM.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Patch management
  • Application management
  • Wide range of endpoint types and operating systems supported

Challenges

  • Somewhat small partner ecosystem
  • Limited content management
  • Limited endpoint security capabilities

5.5 ManageEngine

Headquartered in Pleasanton, US, ManageEngine is under the umbrella of the India-based Zoho Corporation that was founded in 1996. ManageEngine offers Endpoint Management, IT Security, and IT Analytics feature sets via their ManageEngine Desktop Central product, which is a single set of products within an integrated suite.

ManageEngine’s Unified Endpoint Management solution provides a single pane of glass for UEM capabilities such as mobile device management, application management with software packaging and distribution, asset intelligence, security management, patch management, auditing, and analytics. ManageEngine supports most endpoint device types, with the exception of printers. All endpoint operating systems evaluated are supported including mobile iOS and Android as well as Windows XP to Windows 10, and good support for Linux Ubuntu, RedHat, CentOS, Fedora, Mandriva, Debian, Mint, and SuSe. ManageEngine also offers co-management options for legacy client machines.

Support is given for deploying OSs and applications to the endpoint as well as managing their updates. Asset intelligence and management are given for both hardware and software. Support for remotely troubleshooting the endpoints and de-provisioning endpoints. Endpoint provisioning is available for users, devices, and applications. ManageEngine is also capable of automating the on-boarding process of endpoints. BYOD devices can be enrolled either through an E-mail invite or through SMS. Endpoint enrollment can be authenticated with a one-time passcode or a user's Active Directory credentials, and 2FA is also supported. Although good application management features are given, some software packaging capabilities are missing, such as the creation of software packages or the importation of packages created with other Endpoint Management solutions as well as providing pre-configured package pools for loading standard packages of common applications online or by other means.

Support is given for deploying OSs and applications to ManageEngine is capable of on-premises, public, and private cloud deployments. For on-premises deployments, ManageEngine Desktop Central is downloaded as bundled software complete with a Nginx web server and Postgres database. ManageEngine is also delivered as SaaS, where Zoho is the cloud provider with data-centers in the North America, EU, Asia and Australia. ManageEngine also offers software for Managed Service providers to provide a managed service to the customer but doesn't manage the service themself. Multi-tenancy is supported for their Remote Monitoring and Management (RMM) and Enterprise Mobility Management solutions for Managed Service Providers. ManageEngine Desktop Central Mobile Device Management is an addon with then enterprise edition, or come with it when purchased as a standalone UEM solution. Only REST APIs are exposed to access product functionality.

ManageEngine is well represented in the market with customers in North America, EMEA, and the APAC regions. ManageEngine also provides a good partner ecosystem and professional services. Overall, ManageEngine’s Desktop Central UEM solution gives a fairly good balance of features and appears in this UEM Leadership Compass as both Product and Innovations leaders.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Content management
  • Patch management
  • Endpoint security
  • A well laid out and user-friendly UI
  • Good partner ecosystem and professional services

Challenges

  • Windows only delivery option for on-prem
  • Missing some advanced endpoint security features
  • Missing some software packaging capabilities of endpoint application management, although good support for pre-created software templates is given

Leader in

Overall
Product
Innovation
Market

5.6 Matrix42

Established in 1991 with headquarters in Frankfurt, Germany, Matrix42 provides products to manage and secure digital working environments. Matrix42 Unified Endpoint Management is a single platform that gives support to managing devices, applications, and processes through features such as client management and mobile device management.

Matrix42 Unified Endpoint Management product focus includes endpoint device, identity, content, patch, asset, and license management as well as endpoint security and device provisioning, health monitoring, and tracking capabilities. Matrix42 UEM supports a wide range of endpoint devices from desktop to mobile, as well as IoT, wearables, and even printers. Supported endpoint operating systems include iPadOS, Android, Windows, and well as prior versions, macOS, Linux, and Chrome.

Matrix42 UEM provides a very modern, well laid out, and user-friendly centralized dashboard that gives good visibility to all of the supported aspects of its UEM features as well as an intuitive drag & drop UI capability. Matrix42 also offers automation through its workplace autopilot workflow (Windows Autopilot, Apple DEP, Android Enterprise) that is capable of installing agents that configure endpoint devices which includes the security policies, encryption technology, DLP, pushing all needed applications, as well as other device and application controls. Matrix42 relies on its proprietary low-code platform SolutionBuilder to integrate other applications in its UI console. Also given is the use of machine learning in self-service scenarios, such as providing device image analysis to identify the problem and give a solution.

Matrix42 UEM is capable of a devised set of deployment models such as on-premises, cloud, multi-cloud, and can be delivered as SaaS, virtual and hardware appliance, as well as container-based with Kubernetes. For cloud delivery, the product supports full multi-tenancy for all product components. Matrix42 relies on the Azure Autoscaling for the rapid scaling of additional users and/or high traffic events. Matrix42 also provides a managed service that includes all system configurations and extensions. Matrix42 UEM capabilities can be accessed via SOAP or REST APIs.

Matrix42 is a privately owned medium-sized company primarily focused in the EMEA region supporting medium to mid-market customers, with some inroads to enterprise companies. Matrix42 also provides a fairly good partner ecosystem, again with a focus in the EMEA region. Overall, Matrix42 offers both a strong and well-balanced feature set in the UEM market and would be of particular interest to organizations in the EMEA region.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Application management
  • Content management
  • Patch management
  • Endpoint intelligence
  • Good user-friendly UI dashboard
  • Workflow automation

Challenges

  • Primarily focused in the EMEA market, although some presence in North American and other regions
  • Partner ecosystem largely focused in the EMEA region, with growing support in other regions
  • Limited set of OOB reports, although some pre-defined compliance reports such as GDPR is given
  • Only partial delegated admin support

Leader in

Overall
Product
Innovation
Market

5.7 Micro Focus

Micro Focus is a UK based company that has been in the market since 1976, which acquired the NetIQ (originally Novell) product suite in 2014. Since then, Micro Focus executed a significant shift in its product strategy to build some market-leading security products during the time of its merger with Hewlett Packard Enterprise (HPE). The effects of this merger are believed to offer a comprehensive security portfolio with a sharper focus on integrated IAM technologies and boost its market presence with strong professional services around the globe. The Micro Focus ZENworks suite for Unified Endpoint Management and protection portfolio includes features from ZENworks Configuration Management, ZENworks Patch Management, ZENworks Full Disk Encryption, ZENworks Endpoint Security, ZENworks Asset Management, Micro Focus Desktop Containers, ZENworks Service Desk, Connected MX, Interset, Voltage, Vertica, Retain Information Archiving, Micro Focus Filr, NetIQ, and ArcSight.

The Micro Focus UEM solution focuses on endpoint device, application, content, patch, license, and asset management as well as endpoint security, although endpoint expense management and device health monitoring or location tracking are not given. Other features that Micro Focus provides is endpoint backup via the Connected solution. Also noted is that Mobile Content Management is provided via Filr, Voltage SmartCipher, and Mobile Device Archiving & eDiscovery is provided via Retain Information Archiving. Micro Focus gives good support to a variety of endpoint devices such as desktops, laptops, smartphones, and tablets, although endpoint such as wearables and printers is not given. Micro Focus does give some unique endpoint device support to Apple TV, ATMs, and Point of Sale Kiosks, in addition to Smart Scales, Smartboards, Vehicle IoT, among others. With the exception of Chrome, Micro Focus UEM supports mobile iOS, Android, all Windows from version 7 and above, macOS, and Linux operating systems.

Micro Focus ZENworks endpoint lifecycle management supports endpoint provisioning of devices and applications. User onboarding is currently not available and is on the roadmap, although user provisioning can be accomplished with the NetIQ Identify Management solution, which is part of the broader Micro Focus Portfolio. Micro Focus gives good support to endpoint activation, decommission, license management, and remote access. Remote locking and wiping of endpoints can be accomplished via conditional access controls. A strength of Micro Focus ZENworks is its patch management. Broad patch management is given for Android, iOS, Windows, macOS, and Linux. ZENworks also provides the ability for customers to either deploy patches from the subscription feed or to generate custom patches using a click to build interface. ZENworks also includes Flexera AdminStudio Standard Edition for creating software packages, as well as for customizing MSIs and InstallShield packaged applications.

Micro Focus ZENworks gives a basic endpoint security feature set with more advanced security features on the roadmap. Micro Focus NetIQ Access Manager and SecureLogin can provide SSO capabilities for Windows devices. For risk-based monitoring, Micro Focus provides Interset UEBA, which includes an endpoint sensor that can provide analytics capabilities. ZENworks also provides application lifecycle management allowing administrators to not only control what happens during distribution but also during each subsequent launch. Admins can typically deploy applications with little to no need for scripting.

Micro Focus ZENworks suite supports on-premises and private cloud with near term AWS and Azure cloud offerings as well as hybrid deployment models. Currently, the private cloud offering does not support multi-tenancy. The ZENworks suite can only be delivered as either as a virtual appliance or software deployed to a server. Also, ZENworks capabilities can be accessed via SOAP, although REST APIs are not available.

Micro Focus has a good global presence and is a member of the Market Leader segment of this Leadership Compass. Micro Focus ZENworks suite offers a focused set of UEM capabilities primarily in device and patch management, with an opportunity to grow its feature set to other areas of UEM as indicated by the Micro Focus ZENworks roadmap. ZENworks could be of particular interest to existing Micro Focus customers that can take advantage of the integration of other Micro Focus products.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Application management
  • Patch management
  • Endpoint security
  • OOB reporting
  • Enterprise-level product family offering
  • Support and professional services

Challenges

  • Product offering components sometimes complex to understand and implement
  • Weaker marketing messaging and execution compared to competitors
  • Limited content management
  • Limited endpoint intelligence
  • Cloud option does not support multi-tenancy, although on roadmap

Leader in

Overall
Product
Innovation
Market

5.8 Microsoft

Microsoft Corporation is one of the largest technology companies worldwide with headquarters in Redmond, Washington. Within their security portfolio, Microsoft has consolidated Microsoft’s Endpoint Configuration Manager, which was Microsoft System Center Configuration Manager (SCCM), which has been brought together with Microsoft Intune. Endpoint Configuration Manager, with a focus on traditional image-based PC management and Intune focused on the multi-platform mobile device management using a more modern management context, are now under a single product offering to form the Microsoft Endpoint Manager product offering.

The Microsoft Endpoint Manager (MEM) product focus includes endpoint device, identity, content, patch, asset, and license management as well as endpoint security and device provisioning, health monitoring, and tracking capabilities, although support for endpoint expense management is not given. All areas of endpoint device support are covered, including desktop, mobile, tablets, wearables (e.g., smartwatches), IoT, and printers, with additional device support via Intune and ConfigMgr, including servers. Most endpoint operating system support is given, such as iOS, Android, Windows 10, and prior Windows versions and macOS. Not given are Linux and Chrome OS support.

Deeper under the Endpoint Manager technology stack of Endpoint Configuration Manager and Intune are capabilities that support desktop analytics, Azure-based Security, Insight via cloud analytics, endpoint and application policy controls, and automatic deployment features. All features with the MEM can leverage the Microsoft Azure cloud-driven intelligence. Regarding endpoint containment capabilities, MEM supports Native iOS/Android containment for MDM enrolled devices, containment features of macOS, full management of the containment features of Office 365 mobile apps, as well as support Windows Information Protection (WIP) for Windows.

Since MEM inherits the capabilities of both Intune and ConfigMgr, both on-premises and cloud deployment models are supported, with the cloud service running on the PaaS on Azure. Although ConfigMgr can be deployed on-prem and Intune as cloud-only, they can work together to form a hybrid model. Microsoft Managed Desktop (MMD) is offered to provide management of devices on behalf of organizations. Endpoint Manager capabilities are accessible via its Microsoft Graph (REST) API. The use of the SOAP protocol is not supported.

Since its founding in 1975, the Microsoft Corporation has grown to have one of the largest market presence in just about every part of the world with strong support and professional services as well as a partner ecosystem. Microsoft has the infrastructure and is capable of scaling to extremely high workloads. Microsoft is a clear leader in the UEM space as indicated by appearing in the Product, Market, Innovation, and Overall Leader segments of this Leadership Compass report. Microsoft Endpoint Manager should be on the shortlist for organizations considering deploying UEM solutions.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Application management
  • Content management
  • Patch management
  • Endpoint security
  • Endpoint intelligence
  • Good unified admin UI console
  • Strong support and partner ecosystem

Challenges

  • Dependences on other Microsoft services required for some features
  • Missing support for both Linux and Chrome operating systems.
  • Limited OOB and pre-defined compliance reporting

Leader in

Overall
Product
Innovation
Market

5.9 MobileIron

MobileIron is a publically listed company founded in 2007 with headquarters located in Mountain View, California. The MobileIron UEM product offers a mobile-centric zero-trust security platform that provides secure data access to data on endpoints within the digital workplace. At the foundation of the MobileIron platform is MobileIron UEM with additional add-on modules that include MobileIron Threat Defense (MTD) for protection against mobile threats and provides a data source for security analytics, as well as MobileIron Access provides passwordless multi-factor authentication and conditional access layer. Both MobileIron Threat Defense and MobileIron Access require additional licenses.

The MobileIron UEM product provides capabilities that include endpoint device, identity, content, patch, asset, license, and expense management as well as endpoint security and device provisioning, health monitoring, and tracking capabilities. Support for endpoint expense management is provided by the MobileIron partner Wandera. Most endpoint operating system support is given, such as iOS, Android, Windows 10, and prior Windows versions and macOS. Not given are Linux and Chrome OS support, although support for Chrome is on the MobileIron near term roadmap. MobileIron gives wide support to endpoint devices including desktop, mobile, tablets, and wearables, although printers support is not provided. MobileIron UEM also supports IoT devices running on Android, iOS, macOS and Windows as well as other devices such as tvOS, Oculus and HoloLens.

For endpoint lifecycle management, MobileIron supports user, device, and application provision with flexible onboarding features. MobileIron also supports endpoint activation, decommissioning, as well as remote access, remote locking or wiping. Almost all endpoint patch management capabilities evaluated are supported with the exception of patch management for Linux. Equally good support is given to MobileIron’s application software packaging and deployment features and uses both public and private app stores, Google Play, Apple Store, and private company approved stores for its software deployment mechanisms. Endpoint containment mechanisms include MobileIron AppConnect/Secure Apps Manager, Android Enterprise and Samsung Knox. Strong endpoint security features are given, although some capabilities require third-party support. With MobileIron Go, authentication into Office365 can be accomplished using a QR code sent to the mobile device.

MobileIron supports on-premises, public & private cloud, and hybrid deployment models. The product can be delivered as a fully multi-tenant SaaS, hardware or virtual appliance, software deployed to a server, or container-based. A managed service is also offered which includes the MobileIron UEM, MTD and Access platform modules. Both SOAP and REST APIs are available to access MobileIron product functionality.

MobileIron customer base is principally located in the EMEA region with a good footprint in North America. MobileIron customer base is made up of small to mid-market organizations with a growing presence at the enterprise level. MobileIron also gives a good partner ecosystem, support, and professional services. MobileIron appears in all leadership segments of this UEM Leadership Compass. Overall, MobileIron offers a well-balanced and flexible UEM offering and should be on the shortlist for organizations considering deploying UEM solutions.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Application management
  • Content management
  • Patch management
  • Endpoint intelligence
  • Endpoint security
  • Good admin & DevOps support

Challenges

  • Majority of customers are in the EMEA region, followed by North America and the APAC region
  • Customer base is small to mid-market organizations, with a growing enterprise level presence
  • Some UEM capabilities have dependences on third-party products
  • Missing support for Linux and Chrome OS

Leader in

Overall
Product
Innovation
Market

5.10 Quest

Quest is a privately held software company headquartered in Aliso Viejo, California. Although Quest was founded in 1987, KACE Unified Endpoint Management was founded in 2003, which is one business unit within Quest. Quest KACE UEM solution is comprised of the KACE Systems Management Appliance and KACE Cloud Mobile Device Manager (CMDM) from the KACE suite of products. KACE Systems Management Appliance (SMA), which has a focus on on-premises management of devices, while the KACE Cloud Mobile Device Manager provides the cloud portal and device management.

The Quest KACE UEM solution centers on endpoint device, patch, license, and asset management as well as endpoint security, device health monitoring and location tracking. Endpoint application, identity, content, and expense management is not supported. With the exception of consumer wearable devices, all other device types are supported including desktop, mobile, tablets, IoT, and printers. Quest KACE supports a wide range of endpoint operating systems that includes iOS, Android, Windows, macOS, Linux, and chrome.

For endpoint life cycle management, endpoint provisioning of devices and applications is possible, but user provisioning is not, although good user on-boarding is given. Endpoint decommissioning is available, with endpoint activation through KACE CMDM. Excluding mobile devices, remote access to other endpoint devices is possible. Endpoint troubleshooting via analytics is accomplished using SMA to capture data that can be used to create smart alerts/notifications to IT personal. The KACE patch management features are particularly strong, giving good support to iOS, Android, Windows, and macOS. Linux patches can also be installed but require scripting. The KACE Systems Management Appliance provides a good user experience with a well laid out administration dashboard that utilizes dashboard component widgets and allows different theme options such as a dark mode for a more modern look and feel. Uniquely, the KACE suite also gives a built-in service desk for customers that don’t have a third-party service product, as well as the ability to allow third-party integrations. A KACE GO app is also part of the UEM strategy at no extra charge. Another feature allows for the integration of VMware AirWatch instance for the purpose of ingesting the AirWatch inventory information as well as integrations into Google G Suite.

With KACE Systems Management Appliance for on-premises and KACE Cloud Mobile Device Manager for the cloud, the combination of both KACE components allows for a hybrid deployment model. The KACE solutions are delivered as SaaS and as a virtual appliance. Managed Service Providers also use KACE SMA for imaging, patching, and device management. KACE SMA is also available in the Azure Marketplace to run in Azure. REST APIs are available for access to KACE functionality, but a SOAP API is not given.

Quest KACE customer base is concentrated in North America with a growing presence in the EMEA and APAC regions and is focused on medium to mid-market organizations, but can scale to the enterprise. Quest KACE gives good support and professional services, although it has a relatively small partner ecosystem. Quest KACE is worthy of consideration, particularly for customers in North America with requirements focused on device and patch management.

Security
Functionality
Interoperability
Usability
Deployment

Strengths

  • Device management
  • Application management
  • Patch management
  • Inventory & Asset management
  • Wide range of endpoint OS support
  • Well laid out and modern UI
  • Good support & professional services

Challenges

  • Primarily concentrated in the North American market, while present in EMEA, LatAm & APAC regions
  • Focused on medium to mid-market organizations, although scalable to enterprise
  • Relatively small, but growing partner ecosystem
  • Limited endpoint intelligence
  • Limited content management

6 Vendors and Market Segments to watch

Aside from the vendors covered in detail in this Leadership Compass document, we also observe other vendors in the market that we find interesting. Some decided not to participate in this KuppingerCole Leadership compass for various reasons, while others are interesting vendors but do not fully fit into the market segment of Unified Endpoint Management or are not yet mature enough to be considered in this evaluation. We provide short abstracts below on these vendors.

6.1 42Gears

Founded in 2009, 42Gears is a medium-sized enterprise headquartered in Bangalore, India of the APAC region and an office in Fremont, CA. Under their portfolio of products, 42Gears offers Unified Endpoint Management tools corporately-owned, BYOD, and even IoT devices.

42Gears SureMDM provides lifecycle management for endpoint devices and supports Android, iOS, Google Wear OS, Linux, macOS, Windows, Virtual Reality (VR), and IoT such as printers or cash registers. Other endpoint device products include SureFox for securing Android, iOS, and Windows Mobile & CE device browsers. Also, SureLock gives the ability to lock down mobile devices like smartphones, smartwatches tablets, as well as desktop computers. SureLock support Android, Windows, Windows Mobile & CE, and Google Wear OS.

6.2 Aagon

Aagon is a German company headquartered in Soest with offices in Berlin and Munich and was founded in 1992. Aagon is a medium-sized enterprise with customers primarily focused in Germany, Austria, and Switzerland. Aagon produces Client Management software with advanced automation features.

Aagon provides a fully integrated and comprehensive solution that is capable of distributing and patching software and is data protection compliant. Their products are modular to allow for flexibility, which includes inventory features with asset and license management. Desktop automation, software management, and OS deployment capabilities are also given, as well as helpdesk, application usage tracking, and reporting. Security vulnerability management and detection are available, and connectors to AESB, mobile devices, AD, and SNMP scanners are also given.

6.3 BlackBerry

BlackBerry has a long history in wireless devices and other solutions in the mobile communication market. Since then, BlackBerry now provides a UEM solution and acquires Cylance in 2019 to provide AI-driven endpoint protection, detection, and response capabilities to enhance their endpoint security. Founded in 1984, BlackBerry has headquarters in Waterloo, Ontario, Canada. Blackberry operates worldwide in 30 countries.

BlackBerry UEM provides a single solution for device and application management with both security and IoT support. BlackBerry UEM allows for control policies for users, devices, and applications visibility within a centralized console. Support for endpoint environments includes Android, Chrome, iOS, macOS, and Windows. Both on-premises and cloud deployment options are also given.

6.4 HCL BigFix

BigFix was founded in 1997 and was formally owned by IBM until HCL Technologies acquired it in 2019. BigFix is based in Emeryville, California. BigFix offers endpoint security and management through a suite of products that includes BigFix Lifecycle, BigFix Inventory, BigFix Insights, and BigFix Modern Client Management.

BigFix Lifecycle provides endpoint management with features such as asset discovery, patch management, software distribution, OS provisioning, remote control. BigFix Inventory is their asset inventory solution. BigFix Insights uses data analytics to identify potential risks across on-premises, cloud, and devices. BigFix Modern Client Management provides enrollment and policy management of Windows 10 and macOS endpoints.

6.5 Hexnode

Headquartered in the San Francisco Bay area with offices in Australia, Germany, and India. Founded in 2013, Hexnode is a software division of Mitsogo Inc. and provides a centralized platform for device, app, content, identity, and threat management for companies ranging from SMBs to the enterprise level.

Hexnode MDM for Unified Endpoint Management allows for the management of endpoint platforms and devices and supports Android, FireOS, iOS, macOS, tvOS, and Windows. Hexnode MDM capabilities support the management of applications such as inventory, catalogs, distribution, and black or white listing. Also, managed device access to content controlled by policy and content security features are available. Remote monitoring and troubleshooting are also given. Hexnode MDM also gives the ability to track and locate devices with geofencing. Other capabilities include data segregation and kiosk lockdown features.

6.6 Meraki

Founded in 2006, Meraki provides cloud-based Wi-Fi, routing and security products. Cisco acquired Meraki in 2012 and is now Cisco Meraki with a regional headquarter in the San Francisco Bay Area. Among Cisco Meraki's portfolio of product is their Systems Manager for Meraki cloud-based Mobile Device Management.

Systems Manager allows for the provisioning of devices and user as well as applications and content. Monitoring of devices is available to locate, track, and give visibility to the device's security and health status. Inventory of both software and hardware is possible through their centralized management console. Security features include capabilities such as remote device wiping, device and data encryption, and network policies for network access control.

6.7 NationSky

Established in 2005, NationSky Technology is headquartered in the Dongcheng District , Beijing, China and is primarily focused on the market in China. NationSky provides mobile security or "Cloud-Endpoint-Security" to provide both industry and government solutions. NationSky enterprise mobile device solution is NQSky EMM.

NQSky EMM allows for the security and management of mobile devices as well as their applications and content. NQSky EMM solution includes an EMM server, mobile security access gateway, identity management service, and their NQSky push notification service. NQSky EMM core functionality covers MDM, MAM, and MCM capabilities. On-premises, cloud, and hybrid deployment models are all supported.

6.8 Snow Software

Snow Software is a large Swedish based company founded in 1997. Snow Software is headquartered in Stockholm, Sweden with offices throughout the EMEA, APAC and North America. Snow Software provides a suite of products that provided the discovery and management of company technology assets. The Snow Device Manager solution provides enterprise mobility management.

Snow Device Manager allows for the lifecycle management of mobile devices such as tablets and smartphones. The platform provides configuration and management of software and applications across device types. Other features include the ability to access internal system resources securely, and document management as well as containment and separation between corporate and personal data in BYOD use cases.

6.9 Sophos

Sophos is a public company listed on the London Stock Exchange with its headquarters in Abingdon in the UK. It was founded in 1985 in Oxford England, and originally produced anti-virus software. Since then, Sophos has expanded to support other business solutions, which include Next-Gen Firewalls, public cloud visibility, and threat response, as well as managed threat response. Sophos's solution for endpoint protection is their Intercept X Endpoint product. Sophos Intercept X provides a comprehensive defense-in-depth approach to endpoint protection, featuring deep learning malware detection, exploit prevention, and anti-ransomware capabilities.

Sophos Intercept X runs on the 32-bit and 64-bit versions of Windows 7, 8, 8.1 and 10, Windows Server 2008 R2 and later, and Mac OS 10.12 and above. There are also versions of Intercept X for Mobile for Android and iOS.

All versions of Intercept X are managed using a single cloud-based management console that comes with default policies and recommended configurations. Sophos Intercept X Advanced, combines foundational and advanced capabilities into a single, integrated product and represents the current core endpoint protection offering from Sophos, with the option of adding Endpoint Detection and Response (EDR), which is not available as a standalone product, and Managed Threat Response (MTR) services.

6.10 SOTI

Founded in 1995, SOTI is a large enterprise headquartered in Mississauga, Canada, with worldwide offices in the EMEA and APAC regions. SOTI has had a long-time product focus on MDM, EMM, and UEM solutions, but has changed strategic direction to focus on business mobility and the Internet of Things (IoT) in 2017 with their SOTI ONE Platform.

The SOTI ONE Platform is a tightly integrated set of products such as SOTI MobiControl, SOTI Assit, SOTI Insight, and SOTI Connect. MobiControl addresses EMM with compliance and data security in mind by managing the lifecycle of endpoint devices. SOTI Assit provides help desk features that can analyze, troubleshoot and fix many device and application issues. SOTI Insight gives visibility of endpoint devices and applications with many out-of-the-box analytic capabilities. SOTI Connect focuses on the lifecycle management of IoT devices.

6.11 Tanium

Tanium is a large company based in Emeryville, California founded in 2007. Tanium has a large customer base in the EMEA region as well as deployments within branches of the U.S. Armed Forces, financial institutions, and retailers. Tanium's solutions focus on both endpoint and security management.

The Tanium platform provides two main product which are the Tanium Unified Endpoint Management and the Tanium Unified Endpoint Security. The Tanium Unified Endpoint Security gives capabilities like asset discovery & inventory, vulnerability & configuration management, endpoint detection & response, and data risk & privacy features. The Tanium Unified Endpoint Management covers capabilities such as patch management, software management, asset discovery & inventory, configuration management, and performance monitoring. Both solutions together provide a comprehensive endpoint solution.

6.12 VMware

VMware is a US company listed on the NYSE. VMware is still primarily perceived as vendor of virtualization solutions. They provide large scale enterprise virtualization and cloud infrastructure solutions. Identity and Access Management, Access Governance and endpoint application delivery across devices and operating system paradigms have since been added to a growing portfolio aiming at positioning themselves as a one-stop-shop for cloud infrastructure, virtualized and software defined data centers, security and desktop application delivery.

Workspace ONE aims at delivering all required application software independent of their individual ecosystem, to every end user device. It is based on strong authentication, reliable identities and fine-grained access policies. This method allows their Unified Endpoint Management to leverage Software-Defined Networks. Workspace ONE Unified Endpoint Management allows for the management of endpoint lifecycle for mobile devices like Android and iOS, or desktop operating systems such as Chrome OS, macOS, and Windows 10. Even IoT devices that run Linux are also supported. Workspace ONE gives a centralized console to manage all corporate-owned, BYOD, and other types of endpoint devices. Some other UEM capabilities include intelligent automation of desktop management, remote wiping, an application catalog, and conditional access policies for Microsoft Office 365 for Mobile Application Management (MAM), all within a cloud multitenant environment. Also, an API framework is given to support integrations into other enterprise systems and services.

Methodology

Copyright

©2020 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole´s initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarksTM or registered® trademarks of their respective holders. Use of them does not imply any affiliation with or endorsement by them.

KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst ompany, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.

KuppingerCole, founded back in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.

For further information, please contact clients@kuppingercole.com.

top