White Paper: A Technical Comparison of Mobile Management Solution Features and Functions



Contents

Executive Summary ... 1

About Microsoft System Center Mobile Device Management ... 2

Feature Comparison Matrix ... 2

Managing Devices and Users ... 4

Group Assignment Via Active Directory ... 4

Device Membership in Active Directory ... 5

Policy Based Management and Configuration ... 6

OTA/Network Encryption and Mobile VPN ... 7

On Device and File Encryption... 9

Feature Lockdown ... 10

Bluetooth Lockdown... 11

Application and Data Distribution/Management ... 11

LOB Application Data Push/Alert... 13

Asset Tracking, Logging, and Reporting ... 13

Firmware and Update Management ... 15

Help Desk and Troubleshooting ... 15

Self Service ... 16

Appendix ... 18

Methodology ... 18


Executive Summary

Managing a fleet of mobile devices while ensuring end-to-end data integrity is a difficult task. Users want their desktop at their fingertips, with reliable access not only to familiar productivity tools such as email, calendar, and contact management, but critical line-of-business applications as well.

For the IT team, fulfilling these expectations requires a delicate balancing act. Mobile devices not only transmit data over public networks but are also uniquely vulnerable to loss and theft. Security, both for the device and the critical data on it and for its connection to the corporate network, is paramount. But policy enforcement to protect corporate data should not come at the cost of user productivity, nor pose an undue burden to IT and the help desk.

Achieving this balance demands a flexible, end-to-end mobile management solution that helps IT administrators more easily secure and manage mobile devices within a corporate network, while providing secure, single-point access for line-of-business (LOB) applications and corporate data. This requires an extensive set of features and capabilities that can make selecting the right solution for your organization’s needs a complex task.

But it’s important to note that choosing a mobile management solution involves more than just checking off an extensive set of features, some of which may be of interest to only a small number of organizations or particular industries. If it doesn’t fit gracefully into your existing management and server infrastructure, you’re unlikely to achieve the full return on investment (ROI) and total cost of ownership (TCO) benefits possible.

To aid technical decision makers in discerning the right mobile management solution for their organization, Microsoft commissioned an independent third-party systems integrator that specializes in the deployment and maintenance of enterprise mobility solutions to compare the capabilities of three leading mobile management solutions:

- Microsoft System Center Mobile Device Management 2008 (MDM 2008)
- Blackberry Enterprise Server Version 4.1.4 Service Pack 4 (BES 4.1 SP4)
- Motorola Good Mobile Messaging 5.0 (Good 5.0)

This technical comparison summarizes the results in a comparison matrix chart (Page 2) followed by an explanation of each feature or capability and its significance in terms of the fundamental mobile device challenges faced by IT professionals: management, control, maintenance, device and communication security, scalability, and support. An appendix explains the methodology and ratings used to create the comparison matrix, and offers a suggestion for weighting the results to fit your organization’s specific needs.1

1 As noted in the appendix, the comparison was executed by exercising the management interface to check


About Microsoft System Center Mobile Device Manager

Microsoft System Center Mobile Device Manager 2008 (MDM) is a robust and cost-effective solution that can be seamlessly deployed into an enterprise’s existing Microsoft infrastructure and addresses in a comprehensive fashion the three core requirements of IT professionals: security management, device management, and security-enhanced connectivity.2

MDM’s ability to utilize Active Directory (AD) not only eases management by giving administrators a single point and common interface from which to manage both personal computers and mobile devices, but provides increased security by enabling them to more easily apply security capabilities such as Public Key Infrastructure and permissions-based access to resources. Administrators can use the familiar Windows Server Update Services (WSUS) platform to deploy software to mobile devices and easily monitor compliance, while AD’s Group Policy Objects functionality greatly eases the task of creating, enforcing, and monitoring policies on mobile devices. MDM’s IPSec-based Mobile VPN helps protect sensitive data, and when transmitting already-encrypted SSL traffic, the resulting double-envelope security offers enhanced protection of critical corporate data.

Feature Comparison Matrix

Legend (rating symbols, in ascending order): Functionality Not Available; Limited Functionality; Average/Good Functionality; Extensive Functionality.

The per-product rating symbols for MDM 2008, BES 4.1 SP4 and Good 5.0 did not survive conversion to text. The features rated, grouped by category, are:

Managing Devices and Users
- Group Assignment via Active Directory
- Device Membership in Active Directory
- Policy Based Management and Configuration
- Number of Policies
- RSoP Data

Encryption Services
- OTA/Network Encryption

2 For a detailed examination of the ROI and TCO benefits of System Center Mobile Device Manager, please refer to the ROI and TCO analysis tools at https://roianalyst.alinean.com/microsoft/mobile/launch.html, or the white papers available at

- Mobile VPN (Good 5.0: GMC, see footnote 3)
- On-Device Encryption
- Encrypt Specific Files/Locations
- Storage Card (SDIO) Encryption

Feature Lockdown
- Wi-Fi
- Infrared
- Camera
- SMS/MMS
- Storage Card (SDIO)
- Phone
- Disable IP Modem/Tether
- Disable IMAP/POP
- Restrict Cable Sync

Bluetooth Lockdown
- Restrict Radio
- Restrict Profiles
- Restrict Pairing/Discoverable

Application and Data Distribution/Management
- Restrict to device features set
- Time based distribution
- Reporting of deployment
- Create custom action scripts
- Application Allow/Deny
- Block Unsigned Application Install
- Block Third-party Downloads
- LOB Application Data Push/Alert (Good 5.0: GMC, see footnote 4)

3 Available only with the additional Good Mobile Connection (GMC) module and licensing (See page 1).

4 Available only with the additional Good Mobile Connection (GMC) module and licensing (See page 1).

Asset Tracking, Logging, and Reporting
- Software and Hardware Inventory
- Via log files
- Via Administration UI
- Collect log information from device
- MOM/SNMP

Firmware Update Management
- OTA OS Update Push
- Cable Firmware Update
- Update Targeting

Help Desk and Troubleshooting
- Help Desk and Administrative Console
- Role-Based Administration
- Device remote control
- OTA Provisioning and Bootstrapping
- Bulk Provisioning

Self Service
- Self Enrollment
- Self Service Portal
- Server Management
- Breadth of Device Platform Support
- Hostability

Managing Devices and Users

Provisioning devices and enforcing policies are fundamental activities for mobile device management. How a mobile management solution handles user and device groups, and the extent of the policies it offers, can have a big impact on manageability, scalability, and security.

Group Assignment via Active Directory

Many mobile management solutions offer group management; however, these groups are created and managed within the middleware platform itself, so that in organizations using Microsoft Active Directory or another enterprise directory, membership must be maintained in two locations, resulting in an increased management burden. A mobile management solution whose policies and provisioning are based on Active Directory (AD) groups gives administrators the ability to target groups of devices based on AD Group Policy Objects (GPOs), using the same interface and procedures as for desktop management. This not only simplifies management but improves scalability.


MDM

MDM allows targeting of policies through Active Directory using a common interface, Group Policy Objects (GPO). Through GPO, administrators can assign customized policies for groups of mobile phones and assign those policies to an organization unit (OU) within Active Directory. This provides an easier transition between desktop computer and mobile device management.

BES

Rather than use existing groups in AD, BES uses its own group hierarchy for policy, software deployment, and device management. These groups are created using the Blackberry Manager console and stored in the configuration database native to BES. While this allows for simple bulk provisioning and management, it is a separate group that must be created, managed, and documented.

Good

Rather than use existing groups in AD, Good uses its own group hierarchy for policy, software deployment, and device management. These groups are created in the Good Management Console and stored on the Good server. Groups used in Good are designed for software deployment and device management. While these groups are easy to assign and manage policy for, they also present extra administrative effort to create and maintain groups outside of AD.

Device Membership in Active Directory

Device membership in Active Directory allows for device targeting in addition to user targeting. This allows administrators to assign policy based on either the user’s membership or the device membership within Active Directory. Other device management products maintain a separate user database and only allow for user based targeting.


MDM

Device membership in Active Directory allows targeting and management of the device as if it were a computer object on the domain. This helps IT professionals manage devices with common interfaces such as Group Policy Objects and the Active Directory Users and Computers console with little additional training.

MDM enables management of mobile devices using Active Directory

In addition, device membership in Active Directory enables administrators to improve mobile device security using several security capabilities, including Public Key Infrastructure (PKI), GPO assignment, and permissions-based access to resources and internal websites. This promotes communications security, protects corporate resources, and simplifies security management.

BES

When adding users to BES initially, the Global Address List (GAL) is displayed to allow administrators to select users who have mailboxes accessible by the server. After adding a user, the entry is made in the configuration database but is not housed in Active Directory. Only limited information regarding BlackBerry service is stored in the user’s Exchange mailbox (e.g., PIN number, encryption key, and hosting BES server name).

Good

Good also uses the GAL to initially find user mailboxes for account association. However, like BES, Good will only create an account locally on the server. Information is not associated to AD accounts outside of mailbox access.

Policy Based Management and Configuration

Device management and software configurations may be assigned and managed via policies. These policies, in many cases, can be assigned to either individuals or groups. Policies are an effective way to lock down a mobile environment, but figuring out the effect of those policies on a specific user or device can be difficult. While many mobile management solutions can report a policy that is effective for a user, the settings for that policy may not be easily viewable.

Matrix rows compared in this section: Policy Based Management and Configuration; Number of Policies; RSoP Data.

MDM

Policies used in MDM are assigned using Group Policy Objects (GPO). Because GPO is the


policies on a specific user or device (or groups of them) using Resultant Set of Policies (RSoP). While MDM does not have as many policies as BES, key policies are furnished to help alleviate the mobile security concerns of many organizations.

Active Directory furnishes powerful tools for managing mobile device policies

BES

RIM has an extensive set of policies for device management and PIM synchronization, which are managed via the BlackBerry Domain, a collection of BES servers that share a common database. These policies may be created for either groups or individuals, but reporting of the policies in effect per user is not available.

Good

While its policy set is not as extensive as that of BES, Good does offer some of the more widely-desired device management policies. These policies are managed by user groups and can be assigned to a group with only one individual member if necessary. Policies available for groups are divided into six categories: Password, Options, Sync Control, OTA, Applications, and Data.

OTA/Network Encryption and Mobile VPN

The type and strength of over-the-air (OTA) encryption offered by a mobile management solution is an important factor in its ability to provide secure remote access. While some platforms allow administrators to choose an encryption method or key size, others simply enforce a standard level of encryption or none at all. In addition, when considering mobile VPN, it is important to


greater access to internal resources. By comparison, the more usual proxied VPN tunnel limits the range of internal resources mobile devices can access.

Matrix rows compared in this section: OTA/Network Encryption; Mobile VPN (Good 5.0: GMC).

MDM

MDM uses Active Directory to grant devices membership in the corporate network domain, with connectivity over a mobile VPN. This helps to protect sensitive data and gives secured access to the intranet, email, PIM, and line of business applications. Devices enrolled with MDM negotiate a unique key for security-enhanced communications using an IPSec tunnel. All communications, including intranet, email, PIM, and line of business application data must travel through this IPSec tunnel between the corporate network and the device. There are no points of decryption between the mobile device and the MDM Gateway Server (corporate network). By encapsulating Microsoft Exchange email already encrypted via SSL, MDM’s Mobile VPN IPSec tunnel offers the additional protection of double-envelope security.

Developers can use the .NET Framework to create applications that run securely on the handheld, or to integrate existing back-end applications into a mobile environment. Many applications, such as Microsoft Dynamics CRM, already possess such integration. MDM offers the choice of 3DES or AES at 128, 192 and 256-bit key length for data encryption.

BES

BES offers only proxied VPN. The Blackberry Enterprise Server acts as a secure proxy to mobile devices, so they are not part of the corporate network and have limited access to the corporate intranet and applications. Users can access email, PIM data, and web services-based applications via the Blackberry Browser. Developers may use the Blackberry Mobile Data System (MDS) application development framework to create or integrate applications to communicate with devices through the BES proxy service, which creates an outbound-initiated secure connection.

To create the encrypted tunnel between the proxy server and devices, BES can use either of two encryption methods: 3DES and AES. Devices with software version 4.0 or higher can communicate with AES encryption, while older devices can only encrypt and decrypt using 3DES. By design, BES uses two-key 112-bit 3DES encryption and 256-bit AES encryption. If both 3DES and AES are selected, the BES will negotiate the highest available encryption method (AES) based on device compatibility.

Good

Good offers only proxied VPN. Like BES, all communications from devices are proxied through Good servers via an encrypted tunnel using a 192-bit AES encryption key. The encryption method cannot be changed, and is universal for all handhelds. The key is generated based on the OTA activation pin assigned to a user account. Once the Good software is installed on a handheld, the PIN is entered by a user to initiate activation. The first step in this activation process is the


The offering compared here, Good Mobile Messaging, does not offer any access to internal resources other than email and PIM data. However, an optional module requiring additional licenses, called Good Mobile Connection (GMC), will allow the Good client to access intranet sites and other back-end data through a proxy. Developers can use Java or .NET for integration and application development.

On Device and File Encryption

Even if communications between a mobile device and corporate servers are protected by encryption, important data stored on the device can be compromised if it is lost or stolen. To help alleviate this concern, many newer mobile management solutions offer the option for administrators to enforce on-device encryption to help safeguard files and data stored on mobile devices. While this improves security, it can adversely affect device performance.

Some solutions require the entire device to be encrypted; others permit encryption of individual files, directories, or databases. The latter capability is important if the encryption methods available have a performance impact.

It is also important that administrators be able to enforce encryption on files stored on expansion memory (storage) such as SD Cards, Micro SD cards, and compact flash. This avoids the possibility that an unauthorized or unintended user might bypass the device password by removing the card.

Matrix rows compared in this section: On-Device Encryption; Encrypt Specific Files/Locations; Storage Card (SDIO) Encryption.

MDM

On-device encryption can be easily handled for Windows Mobile devices enrolled with a MDM device management server by enabling AES encryption for all data stored on the device. Using AES encryption provides maximum protection, but unlike ECC encryption used on newer RIM devices, AES encryption may degrade performance of the device slightly while data is being decrypted for access. This can be alleviated by encrypting only critical files or locations as specified by an administrator.

Storage cards may also be encrypted using AES encryption to further safeguard sensitive data. When users add files to an encrypted storage card with MDM, the files are not decrypted when encryption is turned off. Users must individually open each file after encryption is turned off in order to decrypt them. Files may still be written to the card by other devices but will not be encrypted.

BES

While BES allows the entire device to be encrypted, it does not allow administrators to choose individual files or locations to encrypt while the remainder of the device remains unprotected. Devices with 4.1 device software and earlier used a 256-bit AES key to encrypt data. While this key


performance. In device software version 4.2, RIM changed the encryption key to a selectable 160-bit, 283-bit, or 571-bit elliptic curve cryptography (ECC) key, which offers better performance. Users are prompted with Strong, Stronger, and Strongest to select the key size. Administrators may also force one of these three key sizes via policy.

Administrators may also enforce encryption for data stored on external memory cards, protected by a user password, the BlackBerry device key, or both. This setting determines the key used to encrypt data on the card. Files may still be written to the card by other devices but will not be encrypted.

Good

The Good client application can enforce 256-bit AES encryption on both specific folders and databases on the device, which may be specified from the server administration console. While this adds additional security, it does not provide protection for all data located on the device, since there are other locations for data that cannot be protected using the Good management interface.

Administrators may also require data stored on external memory to be encrypted, using a user-specified password. Any existing data on the card must be erased before applying encryption. Good creates a file on the memory card and mounts it as a separate disk volume on the handheld. The file created consumes the entire amount of storage space on the card; thus, the card cannot be used to store unencrypted data from another device.

Feature Lockdown

Most mobile devices have features, such as tethering, third-party email services, and cameras, that may not be desirable to an organization. Rather than force employees onto different devices, at a potential loss of other capabilities, lockdown policies can restrict the use of these features. This can improve security, reduce the help desk burden, and simplify maintenance and management.

Matrix rows compared in this section: Wi-Fi; Infrared; Camera; SMS/MMS; Storage Card (SDIO); Phone; Disable IP Modem/Tether; Disable IMAP/POP.

Bluetooth Lockdown

Bluetooth’s short range communications services allow mobile devices to extend the office experience. Devices such as printers, keyboards, headsets, and even automobiles can connect to mobile devices for services, raising additional concerns about security. Mobile management solutions help to alleviate this concern by offering lockdown policies for the Bluetooth radio and/or profiles related to Bluetooth services.

Matrix rows compared in this section: Restrict Radio; Restrict Profiles; Restrict Pairing/Discoverable.

MDM

Policies may be enabled on MDM to completely disable the Bluetooth radio, or to block specific profiles. However, to block a profile, administrators must know the Universally Unique Identifier (UUID) of that specific profile. In other device management platforms, the profiles are given in a dropdown list. While the use of UUIDs allows administrators to be more flexible in blocking Bluetooth profiles, it can be more difficult to set up the policy initially. It is not possible to restrict discovery or pairing.

BES

The most robust middleware platform for Bluetooth security, BES allows administrators to restrict specific service profiles such as serial, hands-free, or headset. BES also allows disabling discoverability or pairing with devices, and can even require a password to enable Bluetooth on the device. Newer BlackBerry devices are capable of Bluetooth tethering for IP modem connections; this feature can be disabled using a BES policy.

Good

Good will allow administrators to disable Bluetooth completely. Alternatively, administrators may restrict discoverability on devices to allow the pairing of a headset with the phone while ensuring that other devices will not be able to pair unless the Good device detects them first.

Application and Data Distribution/Management

Many mobile applications on the market can be deployed wirelessly to devices. This includes third-party applications and custom applications developed in-house by organizations. Users may also install applications via cable or connection to a website. The ability to manage deployments efficiently, as well as to block user installation of undesirable applications, is important for lowering the IT and help desk burden of mobile device management.

Matrix rows compared in this section: Restrict to device features set; Time-based distribution; Reporting of deployment; Create custom action scripts; Application Allow/Deny; Block Unsigned Application Install; Block Third-party Downloads.

MDM

Using MDM enables administrators to create custom software deployment packages for mobile devices. Once these packages are created, administrators may deploy them by targeting the device group, or target based on existing hardware on the device. WSUS offers extensive reporting capabilities that allow administrators to monitor deployment to devices using filters to specify the range of devices and updates desired. WSUS also allows extensive customization of update reports.

MDM can prevent users from using applications supplied with the mobile device, or the installation of unsigned applications. It cannot prevent the installation of signed third-party applications.

BES

Applications can be pushed from the BES using software configurations. These software configurations require the installation files be copied and indexed on the BES directly. After indexing the files, administrators can build software configurations and apply custom software policies to the configuration. These policies can override handset settings to give applications access to GPS radios, keyboard application programming interfaces (API), or the phone. Once assigned, applications are deployed to devices every four hours (time-based distribution). This application polling interval can be overridden in the registry as a static entry if desired. However, changing this registry setting will affect all users on the server. Service Pack 4 for BES version 4.1 allows administrators to deploy applications immediately and bypass the four-hour timer.

Reporting on application deployment is provided via a status block in the user status pane of the administration console, but does not offer the extensive filtering capabilities found in MDM. BES can also disallow specific applications from being installed on the device. However, in order to achieve this, administrators must first copy and index the installation files on the BES directly and create a software configuration with a policy set to disallow the installation. A policy also exists to block third-party application downloads.

Good

Applications may be pushed from the Good server by administrators, with deployment managed through user groups. Applications can be inherited from the default “All Users” group or applied directly to a group. If an administrator wishes to deploy custom software to mobile devices, the software is uploaded to the Good NOC for hosting. A URL and GUID are then assigned to the software to identify it back to the Good server it was uploaded from, and made available to handhelds. By default, users are reminded to install software three times in a 24 hour period. Administrators can override this to a custom setting or force mandatory installations.

Administrators may also disallow applications from being run on the handheld. However, in Good version 5, administrators may only disallow native applications. These native applications include pictures & video, solitaire, and ActiveSync on Windows Mobile devices.

LOB Application Data Push/Alert

In addition to deploying software, some platforms have the capability to automatically push application data to handhelds. This gives mobile devices access to up-to-date information from back-end systems such as SAP, CRM, or other database or web service-driven applications in the organization, simplifying management and improving scalability.

Matrix row compared in this section: LOB Application Data Push/Alert (Good 5.0: GMC).

MDM

MDM does not support push data alerts for internal applications.

BES

BES supports push alerts for application data using a listener port on BES that will send data to the mobile application when data is updated. BES also supports the ability to create web-based application alerts using a browser push channel. This alert changes the appearance of the device-side icon when information on the web site is updated. Applications developed using the Blackberry Mobile Data System (MDS) framework can also push data to devices.

Good

With the addition of Good Mobile Connection (GMC), the Good platform can send push alerts to users as internal application data changes.

Asset Tracking, Logging, and Reporting


especially when planning upgrades or future deployments. Keeping track of device upgrades, swaps, mobile phone numbers, and serial numbers/unique identifiers simplifies management and maintenance and improves scalability. Logging of user activities can also be useful for improving security.

Matrix rows compared in this section: Software and Hardware Inventory; Via log files; Via Administration UI; Collect log information from device; MOM/SNMP.

MDM

MDM offers a robust set of data reported back from mobile devices that can enable administrators to plan future deployments. This data includes platform version, installed software, and installed hardware. MDM may also be coupled with Microsoft Operations Manager (MOM) to capture Simple Network Management Protocol (SNMP) traps from the MDM servers to provide proactive troubleshooting of server issues. Device management data is stored entirely in SQL, enabling the generation of custom reports using any SQL reporting tools.

BES

Reports exported from BES show some data exported into a comma separated value (CSV) format: user name, mailbox path, mobile phone number, PIN number, handheld model, and software version. Data extracted from this export can be used to reconcile wireless bills or track assets. Additional data may be shown in the administration console. This data includes a detailed list of applications, ESN/IMEI serial numbers, hardware capabilities, free/available memory, and active carrier, which may be extracted from the configuration database using custom SQL scripts. Logging for BES is also available through log files located in the installation directory (by default) and named according to the service related to the log. Although they are cryptic, the log files provide very detailed information on user activity. Log levels and location may be changed by administrators. Support for MOM/SNMP is available via third-party applications.

Good

Good’s reports, exported as a CSV file, show data similar to that available from BES, including user name, device serial number, handheld ID/platform, mobile phone number, network ID/carrier, and mailbox path. The data can also be viewed in the administration console, where additional information may be displayed, such as handheld state and software version numbers. No software inventory is available on Good outside of reporting software assignment groups.

Log files for Good are housed in the installation directory. These log files are very cryptic and in a proprietary format. Logs can be easily uploaded to Good technical support from the


Firmware and Update Management

Firmware and operating system updates are an important part of mobile device management. Just as with desktop and laptop computers, updates can improve security by protecting against the latest virus threats, which are increasingly a concern for mobile devices. As well, such updates may be able to add new features to existing mobile devices, such as direct push email, wireless email reconciliation, PIM synchronization, and IP modem support. This simplifies maintenance and preserves an organization’s investment in their mobile infrastructure.

Feature                        MDM 2008    BES 4.1 SP4    Good 5.0

Firmware Update Management     --          --             --

  OTA OS Update Push

  Cable Firmware Update

  Update Targeting

MDM

MDM itself does not offer over-the-air firmware or OS updates. Critical security fixes related to Microsoft software are provided by Windows Update for Windows Mobile in coordination with the device manufacturers and the Microsoft Security Response Center. Patches not related to security issues are provided by the mobile operator, and can be delivered to a Windows Mobile 6 device via the mobile operator’s device management server. Windows Mobile fully supports the Firmware Over-The-Air OMA-DM standard.

BES

BES does not support over-the-air firmware updates, but does offer device updates via USB cable from either the BlackBerry Desktop Manager or the BlackBerry Manager administration console.

Good

While Good does not offer over-the-air device firmware or OS updates, it can keep the Good client software updated via the administration console. When a new client software version becomes available, administrators may select the new version for automatic deployment. New client software may also be targeted based on device platform.

Help Desk and Troubleshooting

Not just users but administrators are becoming more mobile, so remote management of mobile devices is a desirable feature, and can improve scalability. Many mobile management solutions offer the ability to lock down the administration console with a password (other than that of a user login) and assign role-based administrative control. This enables help desk personnel to install the administration console on remote computers for decentralized administration. Some mobile management solutions may also offer web-based administration to overcome concerns about security and limited administrative access.


Feature                                            MDM 2008    BES 4.1 SP4    Good 5.0

Robust Helpdesk and Troubleshooting Functionality  --          --             --

  Helpdesk and Administrative Console

  Role-Based Administration

  Device Remote Control

  OTA Provisioning and Bootstrapping

  Bulk Provisioning

MDM

Role-based administration for MDM is controlled via groups in Active Directory. This allows administrators to use the same interface for administrator permissions as found in device policy, thus simplifying management. By contrast, in Good and IMS, roles are defined and customized directly from the administration console.

BES

Administrators or help desk personnel requiring access to a BES can do so by using a local installation of BlackBerry Manager. This installation connects to the configuration database used to host the BES environment and uses the login account of the administrator or help desk representative to determine the amount of administrative access. Security administrators can set several pre-defined levels of access based on role. The lowest role available has access to troubleshooting features, but cannot add or remove users and licensing. Using groups, junior and senior administrators can provision activation passwords for users in bulk. This allows for deployment of devices to entire teams with minimal administrative effort.

Good

Good allows service administrators to assign custom or pre-set roles to help desk or audit administrators, who can install the Good administrative console on their desktop to access the system. Windows logon credentials are passed to the Good server to authenticate roles for administrators. Users can be added to the administration console in bulk, automatically generating an activation email for each user.

Self Service

Allowing users to provision themselves can help reduce the call volume to help desk personnel. Mobile management solutions can extend this level of self service with a web portal that allows users to provision devices without IT involvement.

Feature                   MDM 2008    BES 4.1 SP4    Good 5.0

Self Service Capabilities --          --             --

  Self Enrollment


MDM

The self service portal that may be optionally installed with MDM allows users to enroll their own devices, perform remote wipes if the device is lost or stolen, and even reset their PIN. This helps users quickly disable a device when they believe it to be lost or stolen, and reactivate a device they receive from IT without an additional support call.

BES

With BlackBerry Administration Server, administrators may install the Web Desktop Manager to allow users to set their own Enterprise Activation password for provisioning. This web portal also allows users to access all of the features of BlackBerry Desktop Manager software, providing they have installed the required files as prompted on their first visit to the site. Users must first be added to a BES before they are able to log in to the Web Desktop Manager site.

Good


Appendix

Methodology

The products were installed on servers in accordance with their specified system requirements, so that the management interface could be fully exercised. Performance was not tested; the goal was to understand the functionality of each product’s feature set in the following nine important areas of mobile device management:

Managing Devices and Users

Provisioning devices and enforcing policies are fundamental activities for mobile device management. How a mobile management solution handles user and device groups, and the extent of the policies it offers, can have a big impact on manageability, scalability, and security.

Encryption Services

Encryption is necessary both for secure remote access to corporate data and applications (mobile VPN) and to protect data on the device itself in case of loss or theft. The type of encryption used can have an impact on performance.

Mobile VPN

This may not be necessary (may be included in Encryption Services above, TBD)

Feature Lockdown

The ability to disable various features on mobile devices (e.g., Bluetooth, tethering, or third-party email services) improves security, expands the range of devices that can be supported, and eases management and maintenance.

Application and Data Distribution

It is important for a mobile management solution to make the process of pushing applications or data out to mobile devices as easy and flexible as possible. In addition, the ability to control what applications users may install on a mobile device improves security, reduces the help desk burden, and eases management and maintenance.

Asset Tracking, Logging, and Reporting

Being able to log and report on deployed hardware and software configurations is fundamental to mobile device management, especially when planning upgrades or future deployments. Logging of user activities can also be useful for improving security.

Firmware Update Management

The ability to update a mobile device’s operating system and feature set is not only critical for security, but helps preserve an organization’s hardware investment.

Helpdesk and Troubleshooting

Not just users but administrators are becoming more mobile, so remote management of mobile devices is a desirable feature, and can improve scalability. Role-based administration adds flexibility.


Self Service

Allowing users to perform a limited set of provisioning operations can reduce the IT management and helpdesk burden.

Ratings

For each product, its functionality for each capability was rated with one of four ratings.

Functionality Not Available: the product does not offer the functionality needed to support this feature or capability

Limited Functionality: the product supplies some of the functionality needed to support this capability

Average/Good Functionality: the product supplies most of the functionality needed to support this capability

Extensive Functionality: the product supplies extensive functionality in support of this capability

Although a weighted-average method is generally more useful, the weightings depend on the specific needs of an organization, so these un-weighted ratings are offered as a starting point. By assigning a point value to each rating level, and then weighting each feature within a set of features (e.g., Feature Lockdown) in accordance with its importance to your organization, you may obtain a clearer sense of how each of the solutions reviewed here matches your needs.


The information contained in this white paper represents the current view of Microsoft Corporation on the issues discussed as of the date of publication. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the rights under copyright, no part of this document may be reproduced, stored in or introduced into a retrieval system, or transmitted in any form or by any means (electronic, mechanical, photocopying, recording, or otherwise), or for any purpose, without the express written permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. Except as expressly provided in any written license agreement from Microsoft, the furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property of Microsoft. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious, and no association with any real company, organization, product, domain name, email address, logo, person, place or event is intended or should be inferred.

©2009 Microsoft Corporation. All rights reserved. Microsoft Active Directory, Operations Manager, System Center Mobile Device Management 2008, and Windows System Update Services are trademarks of the Microsoft group of companies. The names of actual companies and
