Reprint Maximize your return on IT ■ www.networkworld.com May 23, 2011 ■ Volume 28, Number 10

Clear Choice Test: Mobile Device Management (MDM)

New tools protect mobile devices

Fiberlink wins five-vendor test; Tangoe, McAfee make strong showing

By Tom Henderson and Brendan Allen

Managing mobile devices entails a level of complexity unheard of in the traditional enterprise world of Windows desktops. MDM software needs to control devices from multiple manufacturers, running different versions of as many as five operating systems, tied to carrier networks with their own particular constraints.

This makes mobile device management a tough battle, but one that IT execs need to take on because mobile device users can lose important company data, potentially increase personal and organizational liability, and compromise systems security at levels that will frighten even the most jaded of IT administrators.

We set up a comprehensive test that included eight mobile devices, four operating systems, two service providers and five mobile management vendors (see “How We Did It” at tinyurl.com/3plfm4c).

Fiberlink’s MaaS360 is our Clear Choice Winner, based on its strong overall performance, particularly its ease of use. But the competition was tough. McAfee’s Enterprise Mobility Manager delivered excellent security features. Tangoe’s MDM displayed a strong methodology for managing fleets of devices. Sybase Afaria supported a huge list of devices, but was difficult to configure and use.

We tried Wavelink’s MDM offering, but it was incomplete in most operating system coverage and still mostly in beta at deadline time.

We also invited MobileIron, Symantec, and BoxTone, none of which could summon resources. Apple declined to “support the review,’’ but we obtained our own Apple testing resources. We asked Verizon, T-Mobile and Research in Motion for assistance with the test, and RIM was the only vendor of the three that helped out.

NETRESULTS

| Product | MaaS360 | MDM (version 5.2.2.10) | Enterprise Mobility Management (version 9.5.1.35471) | Afaria (version 6.60.5257.0) |
| --- | --- | --- | --- | --- |
| Company | Fiberlink | Tangoe | McAfee | Sybase |
| Price | Starts at $4/device/month, $10 with unlimited devices. | Starts at $2.50/user/month base price. | N/A | Starts at approximately $40 for a perpetual license. |
| Pros | Very rapidly usable; consistent, strong policy controls. | Flexible, self or Tangoe-hosted. | Very good security and management UI. | Unmatched compatibility, nice applications included. |
| Cons | Minor bugs. | Lacks specific HP Palm Support. | Lopsided toward Apple iOS devices; weaker reporting and alerts. | Difficult and obtuse UI, inconsistent policy and feature controls. |
| Score | 4.1 | 3.6 | 3.6 | 3.1 |

MDM basics

Mobile device management tools use agents to control end user devices in the classic client/server model. Agents can be specific to the operating system version (and vendor) or use Microsoft’s ActiveSync or an API-compatible version, like NotifySync.

Since mobile devices can be cracked, via rooting (Android OS) or jailbreaking (Apple iOS), MDM tools should be able to detect whether that has occurred. In our testing, Fiberlink and McAfee were able to detect that a device had been cracked and then blocked the cracked device. Fiberlink’s MaaS360 went one step further and tried to remediate the nature of the crack.

This is important since device administration is done by agent control, and with a cracked device the end user has gained control. You want to be able to thwart those efforts to change settings and policies.

Unlike the traditional desktop world, where agents are pushed to the end user from a management console, agent installation can take many forms. Some devices come with the agent already installed (example: a phone already has ’s ActiveSync or equivalent); sometimes the end user has to go to an “app store” and download the agent, and sometimes there’s simply a link to an MDM management server URL.

Devices may also be connected via Wi-Fi, instead of a telecom carrier, and we tested both ways, where meaningful.

The installed agent then assesses the client mobile device and policies are enforced. The details are largely common to all mobile devices:

■ Once an agent is installed, it performs an evaluation of the phone’s state, software inventory, configuration settings and other characteristics.
■ The collected information is relayed to the MDM server, where controls are matched to desired settings for the specific device and its user.
■ In turn, messages are sent (pushed) to the mobile device agent software to change the phone according to the MDM application policy settings.
■ Periodic conversations with the MDM “mothership” server then update the phone and its policies and fleet inventory as desired.

It sounds simple, but it’s not; each MDM vendor must make sense of the variances among and other mobile devices, their operating systems and possible carrier-imposed constraints, plus react to ongoing user changes as well as operating systems changes (including patches and fixes).

All of the products that we reviewed were able to test phone configuration data, lock down features from user manipulation and require PINs/passcodes, as well as remotely wipe phones or change PINs.

Some also allowed users to remotely change a phone’s PIN — a handy but dicey feature if MDM server security is compromised. Most can lock out use of a smartphone’s camera. Some have the ability to push applications to phones; this requires deeper capability, as applications are required to be digitally signed to make it to the Apple iOS and Android platforms.

SCORECARD

| Product | MaaS360 | MDM | Enterprise Mobility Mgmt. | Afaria |
| --- | --- | --- | --- | --- |
| Installation & Docs (25%) | 4 | 3 | 3.5 | 2 |
| Policies & Control (25%) | 4 | 3.5 | 3.25 | 3.5 |
| Mgmt & Security (25%) | 4 | 4 | 4 | 3 |
| Compatibility/Features (25%) | 4 | 4 | 3.5 | 3.75 |
| Total | 4.0 | 3.6 | 3.6 | 3.1 |

Scoring key: 5: Exceptional; 4: Very good; 3: Average; 2: Below average; 1: Subpar or not available

Here are the individual product reviews:

McAfee Enterprise Mobility Management (EMM)

McAfee EMM was strong and cohesive, but doesn’t support BlackBerry devices. Administrative access is performed through a Microsoft Silverlight GUI tied to Microsoft IIS, and clients use an agent that uses certificates to add in a layer of security.

We were impressed by McAfee’s control of Apple’s iOS devices. EMM uses an Apple Enterprise Push Certificate to send communications and applications to compatible Apple devices like other MDM applications we tested. (An update that arrived past our testing phase allows EMM to push certificate-signed — aka “enterprise” — applications to phones, allowing McAfee to serve as its own “app store.”)

We hosted the McAfee EMM in our network operations center on Windows 2008 R2 Server virtual machines (along with Microsoft SQL Server 2008). In addition to iOS, McAfee EMM supports Windows Mobile (not WM7 as of our testing); Motorola Android 2.2+, Android 2.2, Android 2.1 (manually, no agent download) but not Android 3/Honeycomb; and doesn’t have support directly for BlackBerry, although third-party ActiveSync-compatible agents may work (not tested).

We had a choice of three security models: Basic, Enhanced and Simplified Deployment. In the Basic model, the McAfee EMM IIS components are installed on a single server/VM, and this server must be connected to Microsoft Active Directory or Lotus Domino and be able to connect to the SQL Server. We used this model for testing.

The Enhanced security model uses two servers; one contains a device management gateway, EMM portal, compliance filter and EAS proxy on the public-facing Windows IIS Web server, while the EMM hub is installed on an internal server on a private subnet. Communications between the two uses SSL.

Operations: Users provision their phones by downloading an agent app from a URL. Apple iOS users download an app from Apple’s app store, and Android 2.2 users download an app from Google’s Android market. HP Palm/webOS users can use their ActiveSync account. Once we logged on, the agent added our Exchange account, imposed policies and let us download recommended apps.

We found and used basic Starter policy, the default policy applied to users who aren’t in groups covered by other policies. We then examined EMM policies. Once installed, agents assume the role of administrator (a root role), then direct actions where policies are chosen. Policies can mandate configurations, such as whether a PIN/passcode is required. The choices are staggering; some are common to all mobile devices, while others are specific to an OS version or carrier feature payload.

In order for an EMM policy to be applied, you must click the Publish button. This must be done each time settings are changed and saved. We found that the policies only allow you to provision apps based on Active Directory (or Domino) user groups and then mobile device type. But there doesn’t seem to be any way to provision apps, for example, to control only vs. .

Mobile devices not meeting security policies can be blocked from communicating with the EMM server. This means that remediation has to occur outside of the EMM application’s auspices. Our jailbroken devices were detected, but the rooted Android devices weren’t blocked. Certain phones that don’t support hardware encryption, like older Android phones, can also be blocked.

The admin console uses policy tabs for compliance, membership, passwords, restrictions (limited to iOS or WM5/6), VPN settings and Wi-Fi constraints. Policies based on restrictions were easy to set, although many general restrictions were specific to iOS. Policies can be applied to one or more groups, so for example we could publish policies that controlled VPNs, restrictions, password requirements, etc., based on group membership.

EMM can push application payloads that users optionally accept. These might be line of business, or other apps that are organizationally licensed. However, Android packages can only be delivered from the Android Market. iOS devices can get multiple package types, Mobileconfigs, App store apps, enterprise apps and Web clips.

WebOS users can choose from CAB files (standard WebOS app rollups), and third-party apps are supported. EMM can also push and install PocketPC or smartphone editions for WM5 or WM6, with either third-party apps or CAB files for Windows Mobile users.

EMM also delegates administration to different user types, starting in rank with System Administrator, then Helpdesk and Policy Administrator and finally Reports Viewer. The administrative GUI was easy for us to understand and use.

Reports were somewhat limited, although there’s a lot of data that can be exported using tab-delimited format to be subsequently churned by external applications. We had no trouble doing this. The “canned” reports consist of an audit log, Compliance Status, Package Deployment, User List, Unregistered Devices and Pending Actions report.

EMM also has a Help Desk section that shows excellent drill-down detail — but isn’t a report-generating mechanism. Unlike EMM reports, in this section you can actually search for users, models, phones. Also, you can perform actions on each device like wiping, locking, resetting password, deleting email and PIN data, uninstalling, deleting, etc.

Summary: McAfee EMM was quite easy to set up and use. It heavily favors iOS devices, and has a consistent and understandable user interface. Compared with other MDMs we tested, it had fewer policy options and had weaker support for Android overall. Reports were a bit weak, but from a day-to-day administrative perspective, it worked well with few unhappy surprises.

Tangoe MDM

Tangoe’s MDM is a SaaS-based or self-hosted product, and we chose SaaS hosted by Tangoe. The time to usability was reduced by not having to provision our own servers, and link the pieces together. Tangoe uses LDAP and Active Directory to bridge a host network into a discrete instance of Tangoe’s MDM application.

As with all SaaS applications, customers have to trust Tangoe’s infrastructure to withstand outages, attacks and interruptions, but Tangoe apparently has several customers with fleets in excess of 10,000 users.

Support for mobile devices was broad but did not include HP Palm, although Tangoe says it can manage Palm through ActiveSync. Tangoe supports BlackBerry 4x-6.x, Android 2.1/2.2, Apple iOS 3.1.3, 4.0.x, 4.1.x, 4.2.x and Windows Mobile 6.1/6.5. Phones that use Exchange 2007/2010 or Good Mobile Messaging 6.1 for ActiveSync agent use are supported and indeed there are versions of iOS, Android and Windows Mobile that need this to work. Tangoe integrates with the Blackberry Enterprise Server, which is required to implement policies for BlackBerry devices.

Despite the rapid link-up, there was still work to do to bring Tangoe up to speed. We installed a required Apple Push Network Certificate for communications to Apple iOS devices. We set up users via ActiveDirectory. We added Microsoft Exchange 2010 configuration. Tangoe can also manage BES, AD and Exchange for you.

Provisioning: Users can provision their own phones through the Tangoe Web page portal, and it’s also possible to reset the device or change their password remotely. We could also set the Tangoe-hosted Web pages that instruct users how to install everything on their phone or mobile device.

This can be sent as a link or via SMS. Apple’s iOS and Android require an app to be installed, the instructions for which will be shown on the website that the user logs into. BlackBerry devices don’t require an app because they’re controlled by the BES server. All the Web-based instruction screens for each type of device can be modified by the admin (for preferences in layout or instructions) in the configuration section of the management Web portal.

Tangoe policies: The only policies that actually can be configured within the Tangoe MDM are the Apple iOS policies, as BlackBerry policies are a function of the BES server, and ActiveSync device policies control Android devices.

Policies can be applied to users based not only on LDAP criteria, but by device, carrier, free memory available and many others. Tangoe can block a specific version of an Apple iOS device, but there’s no way for Tangoe to detect jailbroken iPhones or rooted Android phones. We’re told that Tangoe will remedy this in future releases.

We successfully pushed apps to mobile devices, but it wasn’t easy. Apple iOS apps need to be signed with an Enterprise Apple Push Notification Certificate. The instructions aren’t clear, but we did find that the file extension is key to what can be downloaded to what kind of mobile device. For example, you can send Android “.apk” files to Android, but not to iPhones, where the extension is meaningless.

Reports and audit: Tangoe’s reports were very good. There are cost management reports that can track carrier plans and profiles to track data usage, minute usage and SMS use. Features can be added like international roaming or long-distance. Incoming and outgoing calls and SMS can be tracked together or separately for monitoring purposes.

There are different types of monitors we could create to watch logs and send alerts. With these monitors you can watch for various details, keep a log of it and optionally send a notification based on a trigger.

For example, we could program it to see if a phone is roaming in another country to send an alert (email or device notification) to the user to be careful how much they use the phone, as it may cost a lot of money. Monitors can also log to the Windows Event log or email an admin. The alerts can be recurring, and a severity of the alert can be specified as critical, warning or informational. Just like policies and pushed apps, these all can be filtered down to various devices or users.

Canned Tangoe reports include: User Assets and Apps; BlackBerry Enterprise Server Stats; Mobile Device Manager Summary; Carrier Plans and Usage; a System Log; and an Error Log.

Summary: Overall, we liked Tangoe MDM. It has lots of features, customization and integration capabilities. If your enterprise is invested in BES already, then that’s a bonus. We did have to configure a lot of the policies outside of the Tangoe interface (ActiveSync via Exchange Server and BlackBerry policies via BES). Although we were able to get most of our phones and tablets provisioned without too much trouble, the iOS apps still need a little more polish. Another point we didn’t like was that we had to enter a list of smartphones manually. Compared with McAfee (which provides a list of phones and updates them periodically), we thought this is something Tangoe should have. We liked the ability to track the voice, SMS and data usage, which we didn’t see in the other products.

Fiberlink MaaS360

The Fiberlink application initially shocked us, as it was comparatively simple to deploy. It uses a SaaS model and warnings apply on ensuring Fiberlink’s infrastructure availability. We were struck by several powerful policy controls. At its most extreme, Fiberlink can force a user to comply with a policy; barring that, it can wipe a phone within minutes.

Fiberlink supports most ActiveSync-enabled devices, has management apps for Android/iOS, but can control other phones through ActiveSync. BlackBerry devices require the BES Server. Of the packages reviewed, only Fiberlink supported Android 3/Honeycomb.

The only Fiberlink installation necessary is the “Cloud Extender” software which makes a secure link between your Exchange and/or ActiveDirectory server and the MaaS 360 cloud. You’ll need a /2008 machine/VM (preferably x64 if you are running Exchange 2010, because Exchange 2010 is 64-bit only and some x64 Exchange tools are necessary).

You’ll need PowerShell 2.0, Exchange 2007 or 2010, unrestricted access between the cloud extender VM to Active Directory and MS Exchange, Exchange management tools on the VM, and AD admin access rights for the Cloud Extender service.

There is also Fiberlink support for Lotus Traveler server if you use that (not tested). There is yet another connector/extender that goes between BES server and the MaaS360 for BlackBerries (not tested). Add an Apple Push Notification Certificate to their website, and bam — you’ve got iOS management.

The clients: Provisioning is done through a URL sent to the mobile in various ways: a) SMS message, b) email, c) QR code that can be scanned from the mobile phone. For Android, a Google Market app needs to be downloaded and we needed to enter our corporate email and the corporate identity code.

Apple’s iOS devices require no downloaded app. The MaaS360-provided URL installed the profiles that are needed, and an app was installed automatically (a Web clip app, so it’s not an app store app).

When launching the MDM client apps, users have to enter their AD credentials or a one-time use passcode, or both, depending on how MaaS360 is configured, to successfully log in and pull down apps, policies, etc. This is configured in “Configure Device Enrollment Settings” in the MaaS360 UI. Exchange settings can be pushed through policies only for iOS (using Apple’s built-in configuration) and Android.

There is also a self-service portal, but this is for after you have provisioned your device, so that you can wipe the device if it gets lost.

Controls: Apple iOS policies are similar to the other MDM applications we tested. Android policies we checked were downloaded via MS Exchange push settings through Exchange for Touchdown. These worked OK, but not for Android 3/Honeycomb, which we believe to be a Touchdown application problem. Android policies included passcode and device restrictions with many more options than any other MDM clients we tested.

Application restrictions are extensive. MaaS360 can add a list of apps that can’t be installed or will be removed by the MDM app; we needed to enter the app name and app ID. We added a restricted app that we located and installed, and the MaaS360 client said we had to uninstall it to comply.

We didn’t comply just to see what would happen and found MaaS360 put us in non-compliant state. Admins are notified and can take action from there, not only for app restrictions but for any out-of-compliant state. One option that we smiled at was to wipe the phone after 15 minutes. So there.

MaaS360 can also push Wi-Fi settings (SSIDs, Wi-Fi 802.11 type, passwords, certificates, etc.). Security policy settings are also elaborate. We could Enforce Device encryption (y/n, and only works on Android 3.0), and make passwords visible as you type them or black dots.

We could also specify device passcode characteristics; send warning message after a device user tries to disable the agent; enforce actions after a device has been disabled, ranging from do nothing to wipe the device, selective wipe, or lock the device with optional inactivity time. We could also decide what action is taken when a device is out of compliance — selective wipe or do nothing.

When ActiveSync and Exchange policies are used, policies come directly from the Exchange server and any changes or additions will be synced with the Exchange server. Regular ActiveSync policies seemed to work well. But when we tried to unset the auto-quarantine feature, we had to manually turn it off on the Exchange server. This was the only problem we encountered.

BlackBerry policies are required to be managed on BES server, and currently you can only assign policies via the MaaS360 interface, but these weren’t tested.

MaaS360 was supposed to be able to detect jailbroken or rooted devices. This initially didn’t work for iPhone, but MaaS360 fixed the bug so our iOS device was detected as being jailbroken. Our Android devices were detected as being rooted.

Apps can be push-delivered only to Apple iOS and Android, but both Google Market/Apple App Store apps and enterprise apps can be delivered to the phone via the MaaS360 management app. This worked well. Pushed apps can be restricted to groups based on a dizzying variety of criteria. They can be restricted to a particular device, using custom attributes and all the default attributes included within categories like Hardware Inventory, Network Information, OS, Security and Compliance, Software Installed, MaaS360 Services, Provisioning Profiles, Configuration Profiles, Device Restrictions and Certificates.

Within each of those categories are from three to 30-plus attributes, depending on the device OS. We found this to be very flexible and useful for large organizations that provision according to both user groupings and deployed devices.

Administration and reporting: The main admin page has a watchlist that contains a list of custom searches, which could be modifications of supplied default searches. However, the number of watchlist items you have is limited to just 10.

The management user interface offered us rapidly accessible and understandable selections for managing groups, devices, policies and other objects. Reports amount to inventory assessments, and we were disappointed to find a lack of triggered alerts.

Summary: MaaS360 is very easy to use. Even though it is cloud-based, there is a “Cloud Extender” package that can be put into your /enterprise that you can put in a VM. This connects your Active Directory and Exchange information with MaaS 360. Everything was relatively easy to set up.

We found minor bugs, like the fact that the app is based on GMT, and we don’t live in the U.K. so we had to add six hours to all of the time/date stamps to make them understandable. But despite its shortcomings, we like MaaS360 the best.

Sybase Afaria

After lots of testing, we came to the conclusion that Afaria has a lot of depth yet behaves like a half-dozen packages running under a master control application.

Afaria supports many devices: webOS 5.2, 5.4, Windows Mobile (CE 4.x, PocketPC 2003, PocketPC 5.0, Pro 6 and Standard 6), Android 2.0.1, 2.1, 2.2, 2.3, 3.0, BlackBerry with J2ME version 4.2, 4.5, 4.6, 4.7 (without BES!), Symbian (OS 9.x, S^3, S^1 S60 5th Edition), iOS 3.x, 4 and a of feature phones using OMA DM (mostly not smartphones).

The ingredients are a Windows 2008 Server virtual machine, to which are applied an installation and the rest of the server side components. The Afaria platform is mostly Web-based, but there are some Windows-based tools that are used, such as the Client Install Creation Tool, the OTA (Over The Air) Publishing Tool and the Reporting Tool. Afaria is nothing if not modular.

Getting there: Afaria Software is installed by Sybase support personnel for 100% of customers. We only needed to set up a Windows 2008 Server virtual machine — which doesn’t have to be joined to a domain either, although it helps — and Sybase installed the rest of the pieces online, into our NOC test center. This didn’t, however, mean we were done and ready to have instant policies and users.

First certificates had to be installed. Then client packages had to be built — and none of the other MDM packages tested required this. We needed to install Microsoft Exchange and an agent had to be installed. The Exchange agent was later clobbered by a Microsoft update, but Sybase fixed that rapidly. Several IIS settings had to be tweaked and the Windows Server Active Directory Certificate Services needed more configuration and changes. A call to tech support got these things working eventually.

We then set up provisioning, or basic setup to manage groups and then the fleet. Provisioning wasn’t easy. First we had to create “Channels” and “Client Groups.” Then we had to create the aforementioned “Client Install” package using Afaria’s Windows tools for each specific mobile device platform we wanted to control. Nothing was pre-made. Next we had to publish the installation in the “OTA Publisher.”

The next administrative step is dependent on what type of device needs managing. If you have an iOS device, you go to DataViews->Clients->New Button->Device->iOS and fill in the info there, like user Exchange info, email/phone number and username, and send the notification to the user. This detail step was different from all other mobile device types tested.

For other devices, you must first go to Home->Client Deployment->Addresses and create some phone numbers for people you want to provision — meaning it was not possible to admit or control Wi-Fi-only Android 3 Xoom, as it didn’t have a phone number!

For Android devices, you need to send “seed data” first, then the message with the OTA link. The OTA link can be sent via email, but for some reason Afaria won’t let you send the “seed data” message via email. You need SMS. This leads to Catch-22 situations.

We created a new message template for the device type, then we right-clicked the template and chose “send notification.” Here you can select the people you want to send the provisioning link to. Then we selected the package we created, and sent the messages. After all of these steps, we were able to provision the various phones we tested. However, we had difficulties. We could make self-service portals to provision first-time users, but only an iOS example is given, and we had to develop the portal ourselves.

Controlling devices: Once the lengthy steps needed to provision devices is accomplished, devices are managed largely according to their operating system type. Afaria uses the concept of “Channels” that are OS and device specific, but in strange combinations with odd exceptions. Each channel has a primary function feature for mobile device management. We recognized a few from our personal experience with Verizon and T-Mobile.

The Channels included:

■ Backup Manager.
■ Configuration Manager, which sends policies pushed through to Afaria clients.
■ Data Security Manager, which creates security policies such as password protection, lockdown actions, data encryption and custom user interfaces.
■ Document Manager, which manages or pushes content or lets users subscribe to content.
■ Inventory Manager, which gets information about the device, hardware and software-wise. This works on almost all phones, and runs every time an Afaria client connects to the server.
■ Session Manager, which lets you run scripted tasks on the clients. It’s a kind of scripting language for Afaria that can use logic (if/else) to control the task.
■ Software Manager, which delivers files/apps to clients.

The frustrating part is that each of the aforementioned channels might work with Android and Windows Mobile, but not with WebOS. Each channel seems to have been separately groomed in function and use.

Most of Afaria’s policies are configured via the Configuration Manager channel; iOS and Windows Mobile are the only ones that have policies that can be configured in the policies section of the GUI. We tested only Apple’s iOS, Android and BlackBerry policies but took a look at the settings for others briefly. We built Profiles as a way to group the policies, channels, users, monitors and packages into one section for administration ease.

Apple iOS policies are pushed using the standard Apple Policy Profiles (just like using the iPhone configuration app on the Mac), via the Afaria management page. Overall, we got lost surfing the channels for exception handling and constraints.

App delivery: Afaria packages can be pushed to client agents for Apple iOS and Android users, and the apps can either be sourced from Google Market, iOS App Store apps or Apple Enterprise Developer Certificate-signed enterprise apps. The apps can be assigned people via profiles in the “portal packages” section. The profiles can be assigned based on local groups, Active Directory groups or groups created within Afaria. By contrast, webOS, Windows Mobile and Symbian apps can be pushed via the Software Manager channel.

Summary: Afaria often frustrated us, and had us bouncing endlessly back and forth through its user interfaces. Afaria does have its merits (even if those merits are all cobbled together in the GUI like a fruit salad just thrown together), such as the insane amount of devices it supports; even BlackBerries are supported without needing a BES server.

Afaria has a feel like it was originally meant to work with Windows Mobile, then had successive modules grafted on, sometimes haphazardly, to support other phones — and a blistering number of them. There is a lot of wisdom buried inside Afaria, but we were forced to play Afaria almost like it was an online role-playing game.

Henderson is managing director and Allen is a researcher for ExtremeLabs, of Bloomington, Ind. Henderson can be reached at [email protected].

Wavelink Avalanche 5 shows promise

One of the largest mobile device managers is Wavelink — but its strength has been in hand-held scanners, Wi-Fi industrial devices, and the mobile non-phone marketplace.

Wavelink Avalanche 5 is a SaaS-based MDM application poised toward simple mobile device management. Wavelink tried to get its Smartphone Console ready in time for this review, but didn’t make it.

What we did see was encouraging. Avalanche 5 places a strong emphasis on policies related to Wi-Fi use, application policy restrictions, forced encryption of critical data (mail, contracts and specific folders) and blackout periods.

Wavelink plans to add support for Android, Motorola, HTC, Apple, Samsung and BlackBerry devices by model, or “generic” hardware models, which is a unique way to look at controls — as everyone else supports by operating system constraints. Each model, in turn, is tied to a carrier, and only U.S. domestic carriers are currently supported by the version we reviewed.

There are device constraints related to specific software. We could ban the Apple App Store, restrict explicit content (we were unable to test exactly how), or disable screen shots, YouTube, iTunes and . We could also kill a device’s camera or completely control the requirements and characteristics of a PIN.

By comparison, Avalanche 5 was primitive compared to the other packages we reviewed, but admittedly, only a few Avalanche Apple iOS functions were deemed production worthy by Wavelink.

If Wavelink brings Avalanche up to the speed of its other mobile device applications, there’ll be something competitive to work with. Today, it’s just not ready.

— Tom Henderson and Brendan Allen

Fiberlink Communications 1787 Sentry Parkway Blue Bell, PA 19422 215-664-1600 [email protected] www.maas360.com

© Copyright 2011 by Network World, Inc., Southborough, MA 01772-9108 • Posted from Network World • Trademark is owned by , Inc. #1-28780113 Managed by The YGS Group, 717.505.9701. For more information visit www.theYGSgroup.com/reprints.