
Businesses of all sizes are exploring how mobile devices can benefit their operations. Unfortunately, not all plan for how they will deploy, manage, secure, and maintain mobile devices so they can see the greatest ROI.
Mobile device management (MDM) solutions allow you to automate device management and provide much-needed visibility into device status and location to minimize downtime and secure your client’s network.
To help you evaluate mobile device management software for your clients, we invited vendors to share details about their products. The companies that provided information for this product comparison are:
- Citrix: Citrix Endpoint Management, formerly XenMobile
- SOTI: SOTI MobiControl
- VMware: VMware Workspace ONE
In the coming months, we’ll be adding information from vendors that didn’t meet this comparison post’s deadline.
Note: XaaS Journal product comparisons aren’t about rating products or choosing “the best.” Nor are they paid listings or ratings of the kind some websites publish. Our objective, as always, is to provide VARs and MSPs with unbiased resources to help them make the best decisions for their clients and their businesses.
We also recognize that each business is unique, making some solutions more appealing to one client than another. We’ve organized information provided by the vendors by features, making it easier for you to compare and contrast them.
Compatibility with Mobile and Desktop Platforms
The MDM solution you choose must support the platform – or platforms – used throughout your client’s organization. Mobile and desktop platforms supported by the products in our comparison include:
Citrix:
- Alexa for Business
- Android OS
- Android Enterprise
- Samsung Knox
- SEAMS
- SAFE
- iOS
- macOS
- tvOS
- Chrome OS
- Windows 10
- Citrix Workspace Hub
SOTI:
- Android
- iOS
- macOS
- Windows
- Linux
VMware:
- iOS
- Android (legacy and Android Enterprise)
- Samsung KNOX
- Windows Phone 10
- Windows CE 7
- Windows Mobile 5, 6.1, 6.5
- QNX 6.5
- Tizen
- Windows 10
- macOS
- ChromeOS
- Linux
Security Features
Mobile devices are everywhere. Your client’s employees may be using them to communicate with the office when they’re on the road, transmit payment or personal data, or access applications and data when working remotely. Mobile devices can provide a business with capabilities that can help them operate more efficiently and elevate the quality of customer service – but they can also create security risks if not managed properly. Here are some of the security features the products in our comparison offer:
Citrix:
Citrix provides device-level encryption and app-level encryption, and customers can enable a combination of the two. Secure Hub, an agent on the device, leverages its unique token to decrypt the package and retrieve its unique cryptographic random numbers, which will be used to generate the AES keys for the device. Secure Hub protects these variables in its encrypted keychain for later use as needed. The server provides random numbers, the device ID, and other unique values used in the AES key generation.
Citrix also enables role-based access control (RBAC), with four roles available by default:
- Administrator (full access)
- Device user (enrollment and self-help portal only)
- Support (Support access only)
- Device Provisioning (bulk provisioning)
Admin and user events are audited and tracked in audit logs, which can stream to Syslog for integration with SIEM tools. Citrix also offers REST APIs that can be used to aggregate logs with third-party tools.
SOTI:
File encryption profile configuration protects files on devices by encrypting them. To secure mobile data, SOTI MobiControl applies policy-based file encryption using FIPS 140-2 validated AES-256 encryption algorithms.
SOTI MobiControl allows administrators to dictate which divisions in an organization have permission (read/write) to users, custom data, and custom attributes.
SOTI MobiControl also gives you flexibility. It has its own secure web browser, SOTI Surf, and the platform’s Per App VPN feature enables you to specify which apps must communicate over VPN. It also allows you to configure Wi-Fi profiles on devices, set data leakage protection (DLP) and use LDAP profiles to determine which users can see specific files and websites and how they can interact with them.
Additionally, geofences can be as large or small as the business wants and easily manipulated to cover any space. SOTI MobiControl integrates with third-party SSO solutions that enable risk-based authentication and biometric authentication.
SOTI MobiControl Firewall profile configuration can create advanced firewall policies that filter or reroute device internal traffic. You can set the firewall to filter traffic (allow or deny) based on IP address, port number, port location, application or network type.
The platform offers device diagnostics through SOTI XSight and an extensive range of device and system reports.
VMware:
Workspace ONE encrypts data in use, at rest and in transit. Email attachments, content and media are encrypted. Workspace ONE technologies are FIPS 140-2 compliant. Additionally, Workspace ONE can enable native encryption services from Apple, Google, Microsoft and others across mobile and desktop operating systems.
For Windows desktops, Workspace ONE also features full BitLocker encryption lifecycle management. Admins can encrypt an entire hard disk, system volume, or used space, and can choose among multiple encryption methods: AES-CBC 128/256-bit and XTS-AES 128/256-bit. Workspace ONE can enable FileVault 2 encryption for macOS, which is XTS-AES 128-bit encryption with a 256-bit key.
Workspace ONE features both user and admin roles for RBAC. Standard roles allow for access only to the portions of the console or workflows that match a user’s persona within a company and their industry. Workspace ONE UEM has packaged default roles and 1100+ unique permissions. All permissions are available to define custom roles.
In addition, all administrative and device actions are stored in the Event Log of the Admin Console. Users can view the events from the Workspace ONE UEM Console and export event logs as .csv files. Workspace ONE integrates with SIEM tools by sending event logs using the Syslog protocol.
Certain events, like device wipes, are subject to an additional security auditing framework. If a certain threshold of changes is exceeded in a period of time, subsequent wipes can be held for admin approval.
Additional Security Features
Feature | Citrix | SOTI | VMware |
Mandatory password protection | x | x | x |
Jailbreak protection | x | x | x |
Remote wipe | x | x | x |
Remote lock | x | x | x |
Malware detection | x | x | |
VPN configuration and management | x | x | x |
Wi-Fi configuration and management | x | x | x |
Secure web browser | x | x | x |
Application blacklisting/whitelisting | x | x | x |
Device compromise detection | x | x | x |
Encrypted email messages | x | x | x |
Geofencing | x | x | x |
Time fencing | x | x | |
Multifactor authentication | x | x | x |
Single sign-on support | x | x | x |
Risk-based authentication | x | ||
Behavioral biometric authentication | x |
Key Enterprise Application Integration
Integrating mobile device management software with other business applications can benefit your clients with added efficiency, time-saving, and greater productivity. Integrations available for the products in our comparison include the following:
Citrix:
- Active Directory
- Azure Active Directory
- Derived Credentials
- Microsoft Exchange
- Citrix Cloud
- Citrix Workspace
- Slack
- Microsoft 365
- line of business applications
SOTI:
- Azure Active Directory
- LDAP
- Microsoft 365
- SOTI XSight
- SOTI Snap
- SOTI Connect
- SOTI Identify
VMware:
Directory Services: Active Directory, Azure Active Directory, ADFS, Lotus Domino, Novell e-Directory, Okta, Ping Identity, Oracle, Centrify, CA, other LDAP
Certificate Authorities: Microsoft ADCS, Generic SCEP, Verisign, Symantec, OpenTrust, Entrust, Secure Auth, RSA, Global Sign, JCCH Gleas, EJBCA
Email Services: Microsoft Exchange, Office 365, Gmail, Novell GroupWise, Lotus Traveler
CDN: Akamai
MDM: Apple Business Manager (DEP, VPP), Apple School Manager, Apple Configurator, Android for Work, Microsoft Graph API
Trust Network: Integration to mobile and desktop security partners, including Carbon Black, Lookout, and Netskope
Client Management Tools: Microsoft System Center Configuration Manager, Flexera AdminStudio, Dell Client Command Suite, Adaptiva OneSite, HP TechPulse for DaaS offering
Service Management Tools: ServiceNow; integrations offered through SMTP and API calls with various other Service Desk tools
Pricing
Citrix:
The Citrix Endpoint Management cloud offering is a bundled term subscription and must be licensed to the same set of users. The price includes both entitlement to the service and support services (CSS) for the duration of the term. License entitlement is offered per device or per user.
Users have their choice of:
- Citrix Endpoint Management MDM: mobile device management, enterprise app store
- Citrix Endpoint Management Advanced: Citrix Endpoint Management MDM features, plus mobile app management, Micro-VPN, Citrix Secure Apps, and Integration with Microsoft EMS/Intune
- Citrix Endpoint Management Enterprise: Citrix Endpoint Management MDM and advanced features, plus advanced content collaboration service
The Citrix Endpoint Management on-premises offering is also available as a perpetual offer with license entitlement offered per device or per user.
SOTI:
Contact SOTI for pricing information.
VMware:
Workspace ONE is available as both per-user and per-device subscription licensing. Perpetual licensing and support are also available for on-premises customers. The available features vary based on whether the customer purchases the Workspace ONE Standard, Advanced or Enterprise tier. The lowest-tier offer that includes unified endpoint management (UEM) features is Workspace ONE Standard, which starts at $3.78/device/month. For SMB/mid-market customers, a low-cost per-device MDM offer is also available as AirWatch Express, priced at $2.68/device/month.
What Makes Each MDM Software Product Stand Out Among the Competition?
In addition to asking vendors for information about specific features of their solutions, we also allowed them to tell you what makes their products unique. The responses from the mobile device management vendors in our comparison follow:
Citrix:
“Along with an MDM solution, we provide a full-feature UEM platform that integrates with existing Citrix infrastructure and our Citrix Workspace solution to provide VPN/remote access, enterprise file sharing, mobile content management, app virtualization and desktop virtualization delivery. We also support various endpoints: laptops, desktops and IoT devices. This includes the Citrix Workspace Hub, which enables managing and delivering a fully virtualized desktop from a Raspberry Pi.
We offer a MAM-only solution for BYO scenarios, so IT can manage on an app level and a highly rated enterprise-grade productivity suite of applications that include mail, web and content and collaboration.
We were the first to market with Microsoft EMS/Intune integration. Our integration with EMS/Intune leverages the Microsoft Graph APIs. Most of these integrated capabilities support our better together with Microsoft strategy. This integration adds value for customers using Intune and provides additional security and productivity benefits to EMS/Intune/Office 365 and Citrix Endpoint Management customers.”
In 2018, Citrix landed leader positions in three IDC MarketScape reports focused on mobility solutions:
- The Worldwide Unified Endpoint Management Software 2018 Vendor Assessment
- The Worldwide Enterprise Mobility Management Software 2018 Vendor Assessment
- The Worldwide Enterprise Mobility Management Software for Ruggedized/IoT Device Deployments 2018 Vendor Assessment
Citrix was also ranked as a leader in Unified Endpoint Management solutions by independent research firm Forrester Research, Inc. in a report titled: The Forrester Wave™: Unified Endpoint Management, Q4 2018, The 12 Providers that Matter Most and How They Stack Up.
SOTI:
“SOTI MobiControl is part of the SOTI ONE Platform: an innovative, integrated management solution that maximizes the ROI of your business-critical mobile devices and printers.”
SOTI also offers customers L1, L2, and L3 support; standard support is provided from 9 a.m. to 5 p.m. local time. Contact SOTI for information on chatbot support.
VMware:
“Workspace ONE UEM continues to establish itself as a market leader and innovator within the MDM space, especially as today’s workforces expand their IT perimeter beyond the office. VMware continues to deliver new solutions that differentiate Workspace ONE UEM as the industry’s digital workspace platform of choice from an IT and employee perspective. From apps to mobile devices to PCs, Workspace ONE UEM provides employees with a single, secure console to access their most critical business apps and devices across all their platforms, including Windows, macOS, Chrome OS, iOS, and Android. And on the back end, Workspace ONE UEM also provides IT with the tools they need to deliver an always-on, automated and on-demand workspace environment with greater flexibility and lower costs while providing an intuitive, secure experience for all employees inside and outside the office.
Workspace ONE UEM was recently recognized as a Leader in the unified endpoint management solution space by analyst firms Forrester, IDC and Gartner. Workspace ONE UEM positioned highest in both Capabilities and Strategies in the 2018 IDC MarketScape for Unified Endpoint Management Software report. Additionally, Workspace ONE UEM was positioned highest in both Ability to Execute and Completeness of Vision in the inaugural 2018 Gartner Magic Quadrant for Unified Endpoint Management Tools report.
Workspace ONE UEM can also manage devices beyond mobile phones, including PCs, rugged and IoT devices. VMware believes that customers benefit from having a single platform to manage all devices, which is why we’ve architected Workspace ONE UEM the way it is. We are working with many of our customers to take them through the journey of mobile device management (MDM) to enterprise mobility management (EMM) to unified endpoint management (UEM), and Workspace ONE UEM can serve as the modern management platform for all these use cases.”
Final Thoughts
Throughout the comparison, it’s apparent that MDM isn’t a stand-alone solution. It’s meant to be used as part of a security suite, integrated with business applications, and, of course, used to support the business’s mobile devices. You have a viable opportunity to offer MDM as part of a broader scope of services that supports all of your clients’ IT needs. You will not only become a more valuable business partner for your clients but also grow your business with additional sources of recurring revenue.
If you’d like more information on mobile device management solutions or want XaaS Journal to provide additional insights on how providing MDM as a Service can positively impact your business, please reach out. We welcome your feedback.