Unified Endpoint Management (UEM) 2021
This report provides an updated overview of the market for Unified Endpoint Management (UEM) and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing UEM solutions.
1 Introduction / Executive Summary
The landscape of enterprise and personal computing technology is continuously evolving. It didn't seem that long ago, where the work environment consisted of a desktop computer and a landline phone. Traditional management of the desktop computers relied on manual updates of software and patches that were layered on top of each other. Later, "Gold Images" of desktop operating systems were used to provide a good know state of the OS but still required patches on a routine schedule, which would become what was known as traditional management.
As mobile phones became economically available, laptops and tablets computers replaced many stationary desktop computers; the business could control the employee device regarding it's OS and software applications used as well as security controls when the device was within the perimeter of the organization. Client management tools were used to manage these environments. Client management involves capabilities such as OS deployment, software distribution, patch management, monitoring, and remote-control tools to support administration or to help automate other support functions that are typically executed manually.
Later, organizations needed to quickly deal with the introduction of the bring-your-own-device (BYOD) paradigm shift. Organizations required policies to define the boundaries of BYOD that included the ability to segregate the business data and applications from personal data and applications. Mobile device management (MDM) provided the tools to control the device functionality and help manage the lifecycle of these mobile devices and their platforms. Enterprise Mobility Management (EMM) solutions added mobile information as well as application and content management. The ability to push software, updates or patches to devices has become what is known as modern endpoint management.
Since then, work environments have continued to change. The range of endpoint device types have expanded past desktop, laptop, tablets, and mobile phone to now include printers, IoT devices, wearables like Apple Watch, and even newer types of endpoint devices that support virtual/augmented/mixed reality environments using headsets such as Oculus and HoloLens. Businesses are seeking to improve productivity and efficiency, while employees want to work from anywhere at any time. And with the more recent Covid-19 world we live in today, the requirement to work from home has become imperative, which requires the use of mobile devices to access enterprise applications and data as if they were in the office.
Given the complexity and growing number of different types of technologies involved in linking employees to corporate data both on-premises and in the cloud, mobile device management has gone through several iterations and approaches, with many enterprises now standardizing on a Unified Endpoint Management (UEM) approach.
This KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership Compass focuses on Unified Endpoint Management from vendors from more localized geographic regions to vendors with a global presence. It considers these services in the context of the hybrid, on-premises, and cloud, with IT services delivery models commonly now found in enterprises.
- This Leadership Compass evaluates over 60% more UEM product vendors over the previous years.
- The UEM market is growing, and although maturing it continues to evolve.
- UEM is essential to business as a strategic approach to ensure overall IT security in a hybrid work environment.
- The level of endpoint intelligence has become a key differentiator between UEM product solutions.
- Device and Patch Management are the two strongest capabilities for the majority of products evaluated in this Leadership Compass.
- Varying levels of Application and Content Management appear as differentiators between UEM product solutions.
- The Overall Leaders are (in alphabetical order) Citrix, Entgra, IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware.
- The Product Leaders (in alphabetical order) are Citrix, Entgra, IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware.
- The Innovation Leaders (in alphabetical order) are Citrix, Entgra, IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware.
- Leading vendors in innovation and market (a.k.a. the "Big Ones") in the UEM market are (in alphabetical order) Citrix, IBM, Ivanti, ManageEngine, Microsoft, VMware.
1.2 Market Segment
Endpoint Management is a market category that runs under a variety of names, such as Client Lifecycle Management, Unified Endpoint Management, and others. However, we see a clear trend towards comprehensive solutions supporting a variety of capabilities and types of endpoints. Thus, this Leadership Compass focuses on what is commonly referred to as Unified Endpoint Management. In this context, endpoints can be defined as traditional desktop or laptop computers, smartphones, tablets, wearables, printers, Internet of Things (IoT) devices, and even Virtual Reality (VR) headsets.
What is sometimes called client or service management involves capabilities such as OS deployment, software distribution, patch management, monitoring, and remote-control tools to support administration or to help automate other support functions that are typically executed manually. This type of management is also used to manage endpoint lifecycle, such as with UEM application management. Client management is a market segment in transition. Unified Endpoint Management (UEM) and Workspace Management are two of the major trends in client management.
A trend that has already become apparent in recent years has now become established. The separation between classic client management, which is usually based on Windows, and the management of mobile end devices (EMM, Enterprise Mobility Management) is now the exception rather than the rule. Most of the leading providers are focusing on Unified Endpoint Management, i.e., on solutions with which all types of end devices can be managed, from the variety of different desktops operating systems such as Windows, macOS, Linux or Chrome to mobile end devices with Android or iOS as the operating system.
The range of functions offered by such solutions now goes far beyond classic client management. It also includes the provision of configured work environments for employees, inventory, management of the operating system and applications, including security management, but also the management of content on end devices, for example, with the separation of personal and business apps and data.
Patch management, which a few years ago was often a separate product category, is also typically part of UEM solutions to the extent required today. Specialized solutions are still available, and patch management is also available in endpoint security solutions. However, most UEM products today also provide patch management functionality. Endpoint security can also be included in UEM, which sometimes intersects with other Endpoint Detection & Response (EDR) products. More information on this topic can be found in the KuppingerCole Buyer's Compass: Endpoint Detection & Response (EDR).
In addition to these influencing factors of workspace and user device expectations, other factors need to be considered when deciding how client management will be designed in the future. These include changes in application provisioning, client management from the cloud, integration with ITSM (IT Service Management) solutions, and the different concepts for client management on the one hand and for the provision of virtual work environments, i.e., the Digital Workspaces, on the other.
Here are some considerations of UEM solutions that this Leadership Compass covers:
- Products that are more classic software solutions that are installed and operated locally
- Cloud and hybrid UEM solutions
- Providers that have options for operation "as a service" that allow complete UEM to be obtained as a service without the need to install and operate servers locally
- The areas of UEM that the solution focuses on (e.g. device, application, security, patching, etc.)
- The breadth of operating systems and device types that the solution can support
- The depth of endpoint life cycle management the solution provides
- The level of application software, packaging or patch management
- Solutions that provide endpoint content management and containment capabilities
- The strength of the solutions endpoint security.
Ultimately, the selection of any UEM solution on the market will depend on the organization's particular requirements, which may depend on many other aspects such as existing infrastructure management or other IT solutions currently being used today. For example, if a specialized endpoint security solution is already in use, this functional area of UEM solutions is less or not at all relevant. Or if the organization only needs to focus on device and patch management capabilities, then maybe some fully featured UEM solutions may not be required, and a UEM solution with those specific features may be a better fit. In all cases, it is recommended that a structured selection process should be carried out before the product decision is made
1.3 Delivery Models
Although all delivery models are looked at, it is worth considering the pros and cons of each delivery model against the use case for Unified Endpoint Management solutions. For instance, a Unified Endpoint Management solution that can serve smaller use cases while also integrating endpoint management for other organizational services should be delivered in such a way that allows setting up instances of the service immediately. Also, it is good to be aware that in most cases, public cloud solutions are generally multi-tenant, while some cloud services are actually single tenant. Other approaches use container-based deployments to provide consistent delivery of a vendor's solution, whether cloud-hosted or on-premises. Ultimately selecting the right Unified Endpoint Management solution delivery model will depend on the customer requirements and their use cases.
1.4 Required Capabilities
When evaluating the products, we start by looking at standard criteria such as:
- overall functionality
- size of the company
- number of customers
- number of developers
- partner ecosystem
- licensing models
- platform support
Each of the features and criteria listed above will be considered in the product evaluations below. We've also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market.
When looking at this market segment, we are evaluating solutions that support a broad range of features that span the management of the endpoint device themselves, management of applications on the endpoints, device content management, and security controls for the endpoint. Aside from the baseline features such as delegated administration, and reporting, etc., we expect to see at least some of the capabilities listed in the required capabilities below as necessary features. In addition, Endpoint Management solutions must support centralized management of the various types of endpoints, as well as endpoint applications and overall configuration.
Features such as License Management, Asset Management, Contract Management, Patch Management, or Help Desk Services are also considered but are not mandatory for this category of products. However, delivering a very comprehensive set of capabilities will influence our ratings.
Expected features include, amongst others:
Support for endpoint life cycle management that includes:
- Endpoint onboarding
- Remote access or wiping
- OS management
Application software management with deployment and packaging capabilities such as:
- Enterprise App Store enrollment of users and their devices
- Appling policies and controls to applications on the endpoint
- whitelisting or blacklisting applications
- Support for bulk distributions of applications or configurations
- Patch Management
- Distribute and apply endpoint device system patches from various vendors
- Patch deployment on a schedule or critical/emergency patches
- Patch vulnerability testing
- Reporting of endpoint system status (e.g., patch level),
- Missing patch discovery e.g., security hotfix, application, or others
- Some level of automation
Endpoint security that can support:
- Access policies
- Context-based access
- Single Sign-On (SSO)
- Certificate management
- Application code signing
- Some level of analytics and/or AI/ML to provide endpoint insight
- Analytics to monitor risks based on user, app, and endpoint behavioral patterns
- Ability to smartly assist or take action to remediate endpoint related issues
- Make recommendations based on endpoint state, security posture, etc.
Endpoint content management that can support:
- Ability to separate business from personal apps and data
- Prevent sensitive data leaks
- Apply rules and policies to documents and other content on the device
- Audit trails for device configuration changes and access to sensitive content
Administration and DevOps support
- Overall architecture (e.g., is it modular, scalable, extendable, etc.)
- Solution deployment and delivery models
- Available APIs, CLIs, SDKs, etc.
- Developer portal or other product documentation, tutorials, examples, etc.
- Supported standards
- User and admin UIs, dashboards, centralized endpoint visibility
- Integration options (ITSM, SIEM, third-party extensions, etc.)
- Level of automation
Support for various systems beyond Windows clients, such as mobile devices systems
- E.g., iOS, Android, Windows 10, macOS, Linux
- Support for several of the capabilities listed above
- Point solutions that support only isolated capabilities, such as:
- Support for windows devices only
- Support for desktop/workstation or servers only, not for mobile devices
- Support for only mobile devices using one type of operating system
- Support for only IT remote desktop access and troubleshooting
- Pure-play Enterprise Mobility Management solutions that don't support notebooks and PCs
We've reached out to a large number of vendors to provide a comprehensive overview of the current state of the market. Picking the right vendor finally always will depend on your specific requirements and your current and future landscape that will be managed.
Selecting a vendor of a product or service must not only be based on the information provided in a KuppingerCole Compass. The Compass provides a comparison based on standardized criteria and can help identify vendors that shall be further evaluated. However, a thorough selection includes a subsequent detailed analysis and a Proof of Concept of pilot phase, based on the specific criteria of the customer.
Based on our rating, we created various ratings. The Overall rating provides a combined view of the ratings for:
2.1 Overall Leadership
The Overall Leadership rating is a combined view of the three Leadership categories, i.e., Product Leadership, Innovation Leadership, and Market Leadership. This consolidated view provides an overall impression of our rating of the vendor's offerings in the particular market segment. Notably, some vendors benefit, e.g. from a strong market presence will slightly drop in other areas such as innovation, while others show their strength, e.g. in the Product Leadership and Innovation Leadership, while having a relatively low market share or lacking a global presence. Therefore, we strongly recommend looking at all Leadership categories, the individual analysis of the vendors, and their products to gain a comprehensive understanding of the players in that market segment.
In the Overall Leadership rating chart, we see a maturing market showing small clusters throughout the market spectrum represented by the Unified Endpoint Management vendors we chose to represent in our Leadership Compass rating.
In the market for Unified Endpoint Management, there are seven companies in the Overall Leaders segment. These include Microsoft, Ivanti, VMware, IBM, and Citrix as established players with strong offerings and customer base, complemented by ManageEngine and a relatively younger companies Matrix42, which have continued to hold its market share over the past few years and remains in the Leaders segment.
Six vendors fall into the Challenger segment clustered at the top and bottom, indicating similar product, market, and innovation levels. One vendor, Baramundi, stands out in the center. The top grouping contains more established and older companies, with Entgra, HCL, Quest, and Micro Focus close together. At the bottom of the Challenger segment, we see BMC on its own and Aagon in close proximity of the bottom boarder.
In the Followers section, we see Miradore and Hexnode (Mitsogo) near the top border.
Leadership does not automatically mean that these vendors are the best fit for a specific customer requirement. A thorough evaluation of these requirements and a mapping to the product features by the company's products will be necessary.
Overall Leaders are (in alphabetical order):
2.2 Product Leadership
Product Leadership is the first specific category examined below. This view is mainly based on the analysis of service features and the overall capabilities of the various services.
Product Leadership, or in this case Service Leadership, is where we examine the functional strength and completeness of services.
Product Leadership is the view in which we focus on the functional strength and completeness of the Unified Endpoint Management product. Since the Unified Endpoint Management market is relatively mature, we find some challengers, one follower, and half of the vendors qualifying for the Leaders segment. As vendors offer a wide variety of Unified Endpoint Management capabilities and differ in how well they support these capabilities, organizations need to perform a thorough analysis of their Unified Endpoint Management requirements to align their priorities while evaluating a UEM solution.
In the Product Leadership, Ivanti is at the top followed by VMware, Microsoft, Matrix42, and IBM. Other vendors in this segment include Entgra, Citrix and ManageEngine near the bottom border.
Seven of the vendors are in the middle section of the Challenger section, where we find a range of good products which didn't quite make it into the Leaders sections because of maturity or missing some of the features found amongst the leaders. Only one vendor shows near the top of the follower section.
Product Leaders (in alphabetical order):
2.3 Innovation Leadership
Next, we examine innovation in the marketplace. Innovation is, from our perspective, a key capability in all IT market segments. Customers require innovation to meet evolving and even emerging business requirements. Innovation is not about delivering a constant flow of new releases. Rather, innovative companies take a customer-oriented upgrade approach, delivering customer-requested and other cutting-edge features, while maintaining compatibility with previous versions.
We have rated half of the vendors as Innovation Leaders in the Unified Endpoint Management market, which has driven this market forward through the innovation of their products. The leaders are VMware, Ivanti, Matrix42, Microsoft, IBM, Entgra, Citrix, and ManageEngine.
When looking at the Innovation capabilities, the graphics need to be carefully read given that the x-axis indicates the Overall Leadership while the y-axis stands for Innovation. Therefore, while some vendors are closer to the upper-right edge, others, being a little more to the left, score slightly higher regarding their innovativeness.
In the Challenger section of Innovation Leadership evaluation, we find six vendors. Given the maturity of Unified Endpoint Management solutions, the amount of innovation does not reach the level of the Innovation leaders. The vendors, however, continue to differentiate by innovating in niche areas.
Two other vendors are placed in the Followers section due to the amount of innovation we see as limited.
Innovation Leaders (in alphabetical order):
2.4 Market Leadership
Lastly, we analyze Market Leadership. This is an amalgamation of the number of customers, number of transactions evaluated, ratio between customers and managed identities/devices, the geographic distribution of customers, the size of deployments and services, the size and geographic distribution of the partner ecosystem, and financial health of the participating companies. Market Leadership, from our point of view, requires global reach.
In the Market Leadership evaluation, we see Microsoft clearly at the top, followed by Ivanti and IBM primarily for their large global customer base, partner, and support network. Near the bottom section of market leadership, we find ManageEngine, VMware, Micro Focus, and Citrix.
In the Challenger section, we find half of the vendors with good products but may lack in one or more areas of their customer base, partner, or support network compared to the market leaders. Finally, we see only one vendor remaining in the Follower section.
Market Leaders (in alphabetical order):
- Micro Focus
3 Correlated View
While the Leadership charts identify leading vendors in certain categories, many customers are looking not only for a product leader, but for a vendor that is delivering a solution that is both feature-rich and continuously improved, which would be indicated by a strong position in both the Product Leadership ranking and the Innovation Leadership ranking. Therefore, we provide the following analysis that correlates various Leadership categories and delivers an additional level of information and insight.
The first of these correlated views contrasts Product Leadership and Market Leadership.
3.1 The Market/Product Matrix
Vendors below the line have a weaker market position than expected according to their product maturity. Vendors above the line are sort of "overperformers" when comparing Market Leadership and Product Leadership.
All the vendors below the line are underperforming in terms of market share. However, we believe that each has a chance for significant growth.
In the upper right segment, we find the "Market Champions" leading in both the product and market ratings. This segment contains Microsoft at the top, followed by Ivanti, IBM, VMware, ManageEngine, and Citrix. The vendors IBM, VMware, and Citrix, appear closest to the line showing a good balance between market and product.
Micro Focus is the only vendor to appear in the top middle box, which indicates a strong market presence, although it lacks the comparable feature set of the Market Champions.
In the middle right-hand box, we see the vendors that deliver strong product capabilities for Unified Endpoint Management but are not yet considered Market Champions. These vendors are Matrix42 and Entgra. Both of these vendors have a strong potential for improving their market position due to the stronger product capabilities that they are already delivering.
In the middle of the chart, we see five vendors that provide good but not leading-edge capabilities and therefore are not Market Leaders as of yet. They also have average market success as compared to market champions. These vendors include Quest, HCL, BMC, Baramundi, and Miradore.
The far-left middle box shows Hexnode (Mitsogo) with a stronger market than product capabilities, and Aagon in the bottom middle box, indicating a lower market presence than the other vendors.
Also, note that all the vendors below the line are underperforming in terms of market share. However, we believe that each has a chance for significant growth.
3.2 The Product/Innovation Matrix
This view shows how Product Leadership and Innovation Leadership are correlated. It is not surprising that there is a pretty good correlation between the two views with a few exceptions. The distribution and correlation are tightly constrained to the line, with a significant number of established vendors plus some smaller vendors.
Here, we see a good correlation between the product and innovation rating. Most vendors are placed close to the dotted line, indicating a healthy mix of product and innovation leadership in the market. Looking at the Technology Leaders segment, we find most of the leading vendors near the center of the box. The top-notch vendors are Ivanti, VMware, Matrix42, Microsoft, IBM, Entgra, followed by Citrix and ManageEngine, with vendors placing closer to the axis depicting a better balance of product features and innovation.
In the center box of the chart, we see HCL, Quest, Micro Focus, Baramundi, BMC, and Aagon having more product features and innovation than Miradore, which appear in the left-center box. Hexnode (Mitsogo) appears in the bottom left box of the chart.
3.3 The Innovation/Market Matrix
The third matrix shows how Innovation Leadership and Market Leadership are related. Some vendors might perform well in the market without being Innovation Leaders. This might impose a risk for their future position in the market, depending on how they improve their Innovation Leadership position. On the other hand, vendors which are highly innovative have a good chance for improving their market position. However, there is always a possibility that they might also fail, especially in the case of smaller vendors.
Vendors above the line are performing well in the market as well as showing Innovation Leadership; while vendors below the line show an ability to innovate though having less market share, and thus the biggest potential for improving their market position.
In the upper right-hand corner box, we find the "Big Ones" in the Unified Endpoint Management market: Microsoft, Ivanti, ManageEngine, VMware, and Citrix.
Micro Focus is at the top middle box, showing a strong market position but less in innovation than those in the Big One's category.
Both Matrix42 and Entgra appear in the middle-right box, indicating stronger innovation than market presence.
The segment in the middle of the chart contains the vendors rated as Challengers both for Market and Innovation Leadership, including Quest, HCL, Baramundi, and BMC.
In the left-most middlebox, we find Hexnode (Mitsogo), and Miradore, showing a stronger market than innovation position. Finally, in the lower-left box, Aagon appears lagging in the market compared to the other vendors.
4 Products and Vendors at a Glance
This section provides an overview of the various products we have analyzed within this KuppingerCole Leadership Compass on Unified Endpoint Management Platforms. Aside from the rating overview, we provide additional comparisons that put Product Leadership, Innovation Leadership, and Market Leadership in relation to each other. These allow identifying, for instance, highly innovative but specialized vendors or local players that provide strong product features but do not have a global presence and large customer base yet.
Based on our evaluation, a comparative overview of the ratings of all the products covered in this document is shown in Table 1.
|Aagon Client Management Platform|
|Baramundi Mangement Suite|
|BMC Helix Client Management|
|Citrix Endpoint Management|
|IBM Security MaaS360 with Watson|
|Ivanti Neurons for UEM|
|ManageEngine Desktop Central|
|Matrix42 Unified Endpoint Management|
|Micro Focus ZENworks Suite|
|Microsoft Endpoint Manager|
|Mitsogo Hexnode UEM|
|Quest KACE Suite|
|VMware Workspace ONE|
Table 1: Comparative overview of the ratings for the product capabilities
In addition, we provide in Table 2 an overview which also contains four additional ratings for the vendor, going beyond the product view provided in the previous section. While the rating for Financial Strength applies to the vendor, the other ratings apply to the product.
|Vendor||Innovativeness||Market Position||Financial Strength||Ecosystem|
Table 2: Comparative overview of the ratings for vendors
5 Product/Vendor evaluation
This section contains a quick rating for every product/service we've included in this KuppingerCole Leadership Compass document. For many of the products there are additional KuppingerCole Product Reports and Executive Views available, providing more detailed information.
In addition to the ratings for our standard categories such as Product Leadership and Innovation Leadership, we add a spider chart for every vendor we rate, looking at specific capabilities for the market segment researched in the respective Leadership Compass. For the Leadership Compass UEM, we look at the following eight categories:
Management of various endpoint device types, which includes its life cycle management such as onboarding, provisioning, decommissioning, operating system management, remote access for support, troubleshooting or wiping, and device inventory.
This category focuses on the ability to control and apply policies to applications in regards to endpoint devices, as well as other application management features. It can include the capability to enroll devices and users via App Stores, software packaging and deployment, distribute applications to endpoints whether bulk or otherwise, applying aspects of security such as white or blacklisting applications, isolating corporate from private user applications, etc.
Endpoint content management generally refers to the ability to apply access rules and policies to documents or other content on the endpoint device. The rules and policies can be coarse or fine-grained enough to apply down to an individual file. Capabilities can also include catalogs of enterprise documents, content security, as well as audit logging, etc.
This category focuses on the ability to distribute and apply endpoint device system patches (e.g. OS, application, etc.) from various vendors whether the patch is deployed on a schedule or critical/emergency patches distributed rapidly when necessary. Other capabilities include reporting of endpoint system status (e.g., patch level), missing patch discovery whether it's a security hotfix, application, or others, level of automation, etc.
Centralized Endpoint Visibility
The ability to provides a consolidated view and management of all endpoints regardless of where the solution is deployed. Centralized endpoint visibility often features a single pane view via a dashboard and provides visibility to device inventory, state, threats, policy management, licenses, reporting, etc.
This category looks at the level and use of analytics and/or artificial intelligence to provide insight into different aspects of the UEM domain as well as the ability to automate, assist or take action to remediate endpoint related issues, as well as other capabilities.
There is a wide range of endpoint security considered, such as the ability to collect and analyze information, to detect and prevent the execution of malicious code (e.g., malware), prevent data loss, hardware destruction, or prevent lost productivity on user devices. Other capabilities considered can include the level of security intelligence, forensic investigation tools, firewall, and URL filtering, crypto libraries, file system monitoring, process obfuscation, as well as the ability to provide strong internal security and authentication for the management console, etc.
Admin & DevOps Support
The ability to provide IT environment support options for both administrators of the solution and the operations team that can support their tools, automation, and continuous integrations.
The spider graphs provide comparative information by showing the areas where vendor services are stronger or weaker. Some vendor services may have gaps in certain areas, while are strong in other areas. These kinds of solutions might still be a good fit if only specific features are required. Other solutions deliver strong capabilities across all areas, thus commonly being a better fit for strategic implementations of Fraud Reduction technologies.
5.1 Aagon - Aagon Client Management Platform
Founded in 1992, Aagon is a German company headquartered in Soest with offices in Berlin and Munich. Aagon has 30 years of Client Management experience with customers primarily focused in Germany, Austria, and Switzerland. The Aagon Client Management Platform (ACMP) provides a fully integrated and comprehensive solution for distributing and patching software with advanced automation features and is data protection compliant.
The Aagon Client Management Platform is modular, providing flexibility, Endpoint device, patch, license, asset, and contract Management. Endpoint discovery, vulnerability detection & remediation, and security capabilities are also provided. Also, an integrated service desk and hardware asset management are included. Traditional endpoint types are supported, which includes desktop, laptops, tablets, smartphones, printers, and SNMP scanning devices. Supported endpoint operating systems include iOS, Android, Windows, macOS, and Linux. Chrome OS is not supported.
ACMP provides complete endpoint lifecycle management such as endpoint activation, decommissioning, remote access with device locking and wiping capabilities. User, device, and application onboarding is also given that can be automated and customized by its client commands. Patch management supports Windows, macOS, and Linux operating systems with the ability to scan & detect endpoint software such as versions, patch-level, device health. Application software deployment and packaging include the ability to create and customize software packages. The solution is also capable of applying policies and controls to applications on the endpoint. Application whitelisting and blacklisting are not available. The ACMP provides a modern and detailed UI for the management of its capabilities.
Aagon provides software for on-premises deployments to servers or a managed service and SaaS provided through Aagon's partners. Cloud and container-based options are not available. For the on-premises deployment, a Microsoft SQL Server is required. Half of the ACMP functionality is accessible via SOAP, REST, JSON-RPC, XML-RPC, Webhooks, or PowerShell APIs. Access to ACMP functionality via CLI or SDKs is not available. A developer portal is on Aagon's roadmap. Integrating third-party solutions such as ITAM, ITSM, threat intelligence, EDR, EPP, AI/ML, or analytics is possible via ACMP's APIs.
Aagon customers are primarily medium to mid-market organizations with the ability to meet the needs of both small and enterprise companies in EMEA, focusing on the DACH/GSA region. Aagon also provides a good partner ecosystem in the DACH region. Aagon offers a viable solution for companies in the DACH region requiring endpoint device and patch management capabilities.
5.2 Baramundi - Baramundi Management Suite
Founded in 2000 and headquartered in the European Union, baramundi software AG is owned by Wittenstein SE, Germany. The baramundi Management Suite focuses on securing cross-platform management of workstations and other endpoint environments.
The baramundi Management Suite not only provides support for mobile endpoint management, application management, content management, and patch management, but it also supports license and asset management, among other features. Basic endpoint security is available, although more advanced endpoint security capabilities are missing, although features such as device health management policies and strong device communication encryption are given. A good range of endpoint devices can be supported, which uniquely extends to SNMP devices, SIEMENS Simatic (PLCs), Rugged Android mobile Devices (e.g., CipherLab devices). Endpoint operating system support includes iOS, Android, macOS, and Windows, although missing Linux, and chrome support.
The baramundi Management Suite uses a push-based job/task paradigm. Endpoint lifecycle management includes endpoint device and application provisioning with endpoint activation QR-code enrollment provided. Broad platform support for patch management is given, which covers iOS, Android, and Windows, although macOS, Linux, and Chrome platforms are not supported. For Android, only updates of applications are supported, while system updates are not supported. Software deployment mechanisms support MSI, InstallShield, Inno, and Wise. Their "Automation Studio" is given for GUI-based deployments. Workflows are supported from can be preconfigured and defined throughout the endpoint lifecycle. The product is GDPR certified. The baramundi Management Suite centralized UI can run within a Windows-Client, web browser, or mobile app. A fair number of out-of-the-box reports are given, although the solution does not provide pre-defined compliance reports such as GDPR, HIPPA, or PSD2, for example. Baramundi provides its own ITSM solution and some good third-party integration options such as other Threat Intelligence, EPP, and EDR solutions.
Although product deployment models such as on-premises, cloud, and hybrid can be supported, Baramundi focuses on on-premises with its core baramundi Management Server that is cloud-enabled to manage endpoints on the internet too. A managed service is available through partner organizations. Managed services include universal patch management with partners providing support during packaging, roll-outs, configuration as examples. REST and JSON RPC APIs are available to access the solution's capabilities, although SOAP services for legacy systems are not provided.
Baramundi Software is a privately-owned company serving the mid-market with a strong EMEA regional presence. Baramundi Software shows particular strengths in the device, application, content, and patch management, although we see room for improvement in regards to endpoint intelligence and endpoint security features. Overall, Baramundi provides a comprehensive UEM solution that can also support industrial device and control use cases with the Baramundi Management Suite.
5.3 BMC - BMC Helix Client Management
BMC Software is a privately held company founded in 1980 and is headquartered in Houston, Texas. BMC has a background in IT operations management, services, and software solution. The BMC Helix Platform is a SaaS-based operations management solution with Client Management that includes UEM capabilities that cover endpoint device, application, and patch management.
BMC provides a single platform with multiple capabilities and services that can be purchased separately. The product has been independently certified to support compliance with the FIPS 140-2 cryptographic module standard. The UEM related capabilities include device, application, license, and asset management. Also included are endpoint discovery and security, device health monitoring, and software packaging and distribution. Also noted is its compliance management that can be customized and SCAP 1.3. Traditional endpoint types such as desktops, laptops, tablets, smartphones, and printers are supported. SNMP devices are supported as well. For endpoint operating systems, BMC supports iOS, Android, Windows, macOS, and Linux. Chrome OS support is not given.
Endpoint device lifecycle management includes endpoint activation, decommissioning, and license management. Remote access to endpoints gives direct access to the file system, registry, services, process, events, and remote control. iOS lock and wipe is also available. Missing are more advanced options such as endpoint troubleshooting via analytics and intelligence or endpoint life cycle management workflows, although life cycle status can be automatically updated regarding the different attributes of the device like reception time, service start date, etc. Endpoint patch management supports Windows and macOS only. Endpoint health policy management, the ability to scan & detect endpoint software version/patch level/health, as well as good software package creation and patch rollout capabilities are given. Missing are endpoint content and containment management.
BMC Helix Client Management is a client-server application with an administration console that provides a Java or Web based UI. The Client Management supports both endpoint agents or agentless options. The solution can be deployed on-premises or in a private cloud environment. All of BMC Client Management functionality is accessible via REST or XML-RPC APIs. Neither CLI or SDK support is given. A developer portal is available with Swagger for web services and online product documentation. BMC client management integrates well with other BMC products such as Remedy ITSM, CMDB, SSO, and Remedyforce. Other BMC integration options include Smart IT, Track-It, My IT (service broker connector), LiveChat, Footprints.
BMC Software is capable of supporting multiple world regions through BMC support services and regional partners, as well as having a worldwide online marketplace. BMC client management integrates well with other BMC products and is a good option for existing customers requiring endpoint device, application, and patch management capabilities.
5.4 Citrix - Citrix Endpoint Management
Founded in 1989 and headquartered in Fort Lauderdale, FL, Citrix Systems (Citrix) is a well-established IT vendor with a strong customer base. Citrix has a well-established partner ecosystem and continues to innovate its solutions in the areas of workspaces, virtual apps, and desktops, as well as optimizing the delivery of applications over the Internet and private networks. The Citrix Endpoint Management (formerly XenMobile), comes as a stand-alone product or is included with their other Workspace offerings.
Citrix Endpoint Management provides support for mobile endpoint device, application, identity, and content management, as well as license and asset management too. Citrix also supports more advanced features such as device health monitoring, endpoint discovery, and tracking. Other advanced capabilities such as Mobile and Cloud Expense Management or Remote Access Management for Remote Troubleshooting and Endpoint Vulnerability Detection & Remediation are not given. Citrix Identity is a part of the Citrix Cloud, including the Citrix Workspace and Endpoint Management. With the exception of wearables, mixed reality headsets, or printers, a wide range of endpoint devices types is supported, including some IoT endpoints like Citrix Ready Workspace Hub (Raspbian based Raspberry Pi) and Alexa for Business. Supported endpoint operating systems include iOS, Android, macOS, Chrome, and Windows 10. Windows 7 & 8 can be supported through its Workspace Environment Management component. Linux OS is not supported. Third-party integrations can be accomplished through its Citrix Workspace for applications like ServiceNow & Atlassian using its Citrix Microapp technology. More advanced endpoint threat intelligence, EPP, and EDR types of capabilities are available through third-party Mobile Threat Defense (MTD) integrations such as Check Point, Lookout, Wandera, and Zimperium.
The solution provides endpoint provisioning of users, devices, and applications. User onboarding can be achieved via enrollment invitations as well as E-mail Based Discovery technology. Platform-specific bulk enrollment workflows are also supported. Endpoint activation is given for supported operating systems. Devices can be selectively wiped during a decommissioning workflow. Remote access to endpoints is partner supported through integration with TeamViewer, and devices can be selectively wiped during a decommissioning workflow. OS deployments can be accomplished through Windows Update Service, Apple OS service (iOS, macOS), for example, and Samsung E-FOTA is also fully supported. At the same time, policies can be enforced via Citrix Endpoint Management (CEM). Endpoint troubleshooting via analytics and intelligence can be accomplished using the Citrix Analytics Service offering of their Citrix Workspace solution and support for endpoint troubleshooting via analytics and intelligence using the Citrix Endpoint Management Analyzer Tool. Regarding application management, an enterprise app store enrollment is available for users and their devices. Limited support is given for application or software packaging for endpoints, although the solution does support packages created using an Intune integration for additional MDM functionality.
Citrix Endpoint Management deployment models cover on-premises using the Citrix Cloud Connector, and multiple cloud types (public, private, government, multi-cloud), and hybrid scenarios. The solution is delivered as SaaS, virtual appliances, or as a managed service. Managed services are available from Citrix's Service Provider community. The Citrix Cloud Operations team monitors and manages the cloud delivery and supports full multi-tenancy for all components. The product is implemented using a microservices architecture, although container-based platforms deployment options are not available. Most of the product functionality is accessible via REST APIs only, although SOAP API services support is not available for legacy systems. SDK options include support for Android, iOS, Java, Cordova, Xamarin, and Swift. Citrix is moving towards a more UEM agnostic approach with its MAM and Micro-VPN SDKs on the roadmap.
Citrix supports small to enterprise organizations with an emphasis on enterprise-level companies. Citrix provides a good partner ecosystem as well as professional services. Customers are primarily located in North America and EMEA, with continued growth in the APAC region. Overall, Citrix Endpoint Management is a leader in the Unified Endpoint Management product, market, and innovation segments. Since Citrix Endpoint Management integrates well into their overall Citrix Workspace solution, it should be of particular interest to Citrix's existing as well as new customers.
5.5 Entgra - Entgra Suite
Entgra spun out of WSO2 in 2018, in which Entgra was formerly a WSO2 vertical called the Device Integration Platform. Today, Entgra maintains the OEM license to embed WSO2 technologies and is a technology partner for all WSO2 IoT and MDM customers. Entgra is a single platform for enterprise Internet of Things (IoT), Unified Endpoint Management (UEM) & Enterprise Mobility Management (EMM) needs. The Entgra offerings considered in this UEM Leadership Compass include Entgra IoT Server, Entgra Edge G/W, Entgra IoT Server (UEM Profile), and Entgra Smart Grid Middleware.
Entgra provides device, application, identity, content, patch, license, and asset management. Also offered is endpoint security as well as device provisioning, health monitoring, and location tracking. Endpoint intelligence and analytics are available, although features such as mobile threat defense or privilege management are not. Support for a wide range of endpoint device types includes desktop, laptop, smartphones, IoT, printers, smartboards, TV OS, mixed reality headsets, point-of-sale kiosks, and ATMs. More industrial use cases are also supported, such as SNMP devices, programmable logic controllers (PLC), smart utility meters, weather stations, smart cameras, to name a few. Interestingly, wearables and business virtual assistants are not supported. Entgra also supports a wide range of endpoint operating systems such as iOS, Android, Windows, macOS, Linux, as well as FireOS, Android TVOS, FreeRTOS, Lua RT, and Micro Python RT. Chrome OS support is not available.
Endpoint patch management covers iOS, Android, macOS, and Linux-based devices. Neither Window nor Chrome patch management options is supported, although currently on its roadmap. Entgra relies on external packaging tools or deployment pipelines to build software application packaging. The solution can then be configured to manage the remainder of the publishing workflow and delivery of the software application packages. Entgra provides a modern and useful UI with embedded analytics dashboards. The device fleet view includes tracking a device in a map view through its Complex Event Processor engine integration and extended Grafana dashboards. Also, all data used by dashboards and management consoles are available as authorized API endpoints. Integration to third-party ITSM, threat intelligence, EPP, or EDR solutions can be accomplished through REST APIs or its real-time event analysis APIs when a specific type of event occurs.
Entgra products can be deployed as software, hardware, or a virtual appliance on-premises, as well as a fully multitenant cloud SaaS service, hybrid, or managed service. Entgra is partially implemented as a microservice and supports the delivery of its product as Docker containers that can also be deployed to container-orchestration systems such as Kubernetes. All of Entgra's capabilities are accessible via SOAP, REST, and Webhook APIs. WebSockets and MQTT for event publishing are also available. CLI is available for bulk enrollment and uploading of devices. Additionally, curl commands are available to cover the full range of product APIs. SDKs are available for Android, iOS, Java, C/C++, .NET, Arduino, and Python programming languages. Agent software is used to collect data from a device, execute commands received from the server end, and execute localized policies. Also, support for custom agents that can run on legacy hardware platforms as well as configured to specific endpoints supporting legacy capabilities. The Entgra solution has also been independently certified to comply with the FIPS 197, FIPS 140-2, and NIST 800-57 Key Management, IEC 60870-5-104, and IEC 62056 DLMS/COSEM standards. Only remote support services are available, although on-site customer visits are possible if required.
Entgra's platform uniquely supports both IoT and Mobile Device Management uses cases and leverages an already good IAM product by building on top of the WSO2 middleware stack. Entgra customers are medium-sized organizations spread throughout the North American, EMEA and APAC regions. Entgra also leverages WSO2, which has a good worldwide presence. Although Entgra is still growing its market presence, organizations requiring endpoint management beyond the traditional device types, Entgra offers an interesting alternative UEM solution.
5.6 HCL - HCL BigFix
BigFix was founded in 1997 and was formally owned by IBM until HCL Technologies acquired it in 2019. However, HCL maintains an IP partnership with IBM, which applies to part of the BigFix portfolio, and does not encompass its UEM capabilities. BigFix is based in Emeryville, California, with major offices in Rome Italy, Bangalore, India and Krakow Poland, and offers endpoint management through a suite of products that includes Patch, Lifecycle, Compliance, Inventory, Insights, and Mobile capabilities.
HCL BigFix is a single platform with a suite of products and services. BigFix is capable of providing endpoint device, application, patch, license management, compliance enforcement and reporting, device provisioning, automation, and health monitoring capabilities. Also available are endpoint discovery, intelligence, and security. Other areas such as device expense, identity, asset management, or more advanced capabilities such as mobile threat defense or endpoint vulnerability detection & remediation are not given. BigFix can support a range of both traditional and industrial endpoint types that include server, virtual machine, desktop, laptop, tablets, and smartphones. Other non-tradition endpoint types supported are IoT, smartboards, point-of-sale kiosks, ATMs, industrial mobile, and SNMP devices. Endpoint devices such as wearables, printers, or mixed reality headsets are not supported out-of-the-box (OOB) unless they are running a standard operating system like Windows IoT for example. With the exception of Chrome OS, BigFix gives good OS support coverage for endpoints such as iOS, Android, Windows, macOS, Linux, as well as many other OS's with the exception of Chrome OS.
HCL BigFix has a particular strength as an IT automation platform, which results in strong patch management, providing support for most device OS platforms endpoint policies have the ability to scan and detect endpoint software versions, patch level, device health, as well as other attributes. This can be achieved via custom properties, policies and fixlets. Automated scheduling options for the roll out of patch policies is given too. The solutions Insights for Vulnerability Remediation module uses correlation engines to determine the right patches and configurations for vulnerabilities discovered by Qualys and Tenable vulnerability management tools. BigFix Lifecycle includes a Software Distribution Module that provides automatic package and distribution of common and custom applications. BigFix Lifecycle also provides remote control, OS Deployment (Bare metal, upgrade and restore), server automation & task sequencing, and the ability to perform a fast query on attributes/state across endpoints. For endpoint content management and containment, an endpoint quarantine feature is given. Separation of business from personal apps and data is accomplished by leveraging Android containers. BigFix MDM APIs are utilized for content control data leak prevention, for example. HCL BigFix provides a useful and KPI-focused UI with notifications, alerts, daily tasks, devices, and metric dashboards. HCL BigFix only offers username/password and SAML authentication options for user self-service and admin access.
HCL BigFix can be installed as software on-premises. Alternatively, both a cloud and managed service are available. The solution can be delivered as a virtual appliance or Docker container for its Mobile Management Server components. SOAP, REST, and XML-RPC APIs provide access to the majority of BigFix functionality. Access to functionality is available via a command-line interface (CLI), although SDKs are not available. The BigFix solution has been independently certified to comply with the FIPS 140-2, NIST 800-57, ISO/IEC 15408 (Common Criteria), and ISO/IEC 27001. Other certifications include CIS Security Software Certification, SCAP v1.2 certification, and ISO-20243.
HCL BigFix has a presence in North America and other world regions with good product support and professional services. HCL BigFix is a consideration for organizations requiring a single solution for servers, desktop and mobile with strong patch management, automation, good endpoint device, and application management.
5.7 IBM - IBM Security MaaS360 with Watson
IBM is one of the leading companies in IT. Founded in 1911, it is one of the largest US-based firms. The MaaS360 product was originally developed by Fiberlink Communications as a cloud-hosted software-as-a-service (SaaS) platform in 2008 with a focus on managing more traditional endpoints. IBM MaaS360 with Watson has since evolved from a traditional cloud-based endpoint management product to an AI-enabled software-as-a-service (SaaS) Unified Endpoint Management (UEM) platform designed to give enterprises the ability to manage and secure a wide range of devices.
IBM Security MaaS360 covers a wide range of UEM features that include endpoint device, application, identity, content, patch, asset, license, and expense management, endpoint security, as well as device provisioning, tracking, and health monitoring, as well as some more advanced capabilities such as containment (Secure PIM Suite), insider threat detection and zero trust. MaaS360 also gives broad support of endpoint types beyond the desktop, laptops, and mobile devices. Most endpoint operating systems are supported, such as iOS, Android, Windows 10 & 11, macOS, Chrome, as well as FireOS, and LinkOS (Zebra Printer), although Linux operating systems are not. Although IoT and business virtual assistants use cases are missing, mixed reality headsets and commerce point-of-sales, ATM, and industrial mobile devices are supported.
One strength is MaaS360 with Watson, which provides intelligence and cognitive abilities that give actionable insights and contextual analytics to their UEM offering. MaaS360 gives good endpoint containment capabilities, which are accomplished through containerization, DLP, and encryption. It can also provide threat and attack detection of contained apps or data, both natively embedded with IBM Trusteer as well as via partnership with Wandera sold by IBM with the MaaS360 product. With MaaS360's many strengths, MaaS360 is missing some application management software packaging capabilities, although support is given for importing packages created with other endpoint management solutions such as Microsoft's SCCM application migration tool available for Windows Apps. Strong patch management is given except for missing patch capabilities for ChromeOS and Linux. Support for bulk distributions of applications or configurations is available. MaaS360 provides single sign-on (SSO), conditional access, and multi-factor authentication (MFA) capabilities out-of-the-box through fully integrated features from IBM Security Verify. ITSM capabilities are available via partner integration such as Salesforce and ServiceNow.
MaaS360 has been independently certified to comply with standards such as SOC 2, FedRAMP High Impact Level 2, ISA 27001, 27018, 27701, FISMA Moderate, and FIPS 140-2. It can be offered as a standalone SaaS product to support enterprise organizations down to the SMB level. The product can support both public and government cloud environments. The cloud delivery gives full multi-tenancy. It can also be offered as a managed service, whether partially or fully managed by IBM services for full device lifecycle management; Device As A Service. The product is implemented using a microservices architecture that can support container-based platforms such as Docker and Red Hat. For on-premises deployment, the IBM Cloud Extender is required to connect to the MaaS360 cloud service. Almost all of MaaS360 functionality is available via REST APIs and webhooks. Functionality via CLI is unavailable, but both Android and iOS SDKs are available, focusing on DLP and Gateway capabilities.
IBM offers a large number of system integration partners on a global scale and substantial experience in large-scale deployments. The IBM MaaS360 offering provides full spectrum UEM capabilities supporting SMB to large enterprises, making them a strong contender in the UEM market.
5.8 Ivanti - Ivanti Neurons for UEM
Founded in 1985, Ivanti is a large privately held company with 36 offices in 23 countries with headquarters in the Western US. Along with Ivanti's existing position as a global IT solutions provider, the acquisition of MobileIron, a mobile-centric UEM solution, and Pulse Secure providing secure access and mobile security have strongly positioned Ivanti in the market UEM, as Ivanti Neurons for UEM solution. The more recent acquisition of Cherwell, a leading ITSM solution, further strengthened Ivanti's UEM market position when combined with Cherwell's offering.
Ivanti Neurons for UEM solution is a single platform with multiple products and services. The product provides a wide range of capabilities, including endpoint device, identity, content, patch, asset, license, expense, privileged management, endpoint security and device provisioning, health monitoring, and tracking capabilities. However, support for endpoint contract management is not given. Additional modules such as Mobile Threat Defense (MTD) for protection against mobile threats can be activated on the same agent used for UEM but requires additional licenses. Expense management capabilities are available through its partnership with Wandera. Almost all areas of endpoint device support are covered, including desktop, laptop, tablets, smartphones, wearables (e.g., smartwatches), IoT, smartboards, and printers, with additional device support for mixed reality headsets, point-of-sale kiosks, ATMs, and industrial mobile devices. Support for business virtual assistants are not given. All endpoint operating systems evaluated are supported, such as iOS, Android, Windows, macOS, Linux, and Chrome. Also included is support for Raspberry Pi OS.
The UEM platform gives full endpoint lifecycle support with good third-party integration options. Patch management supports Windows, macOS, and Linux platforms, although iOS, Android, and Chrome are not. Strong application software deployment and packaging features are given. Ivanti uses AppConnect/Secure Apps Manager, Android Enterprise and Samsung Knox, Apple Business Manager, and other OS-specific mechanisms to contain endpoint applications and data. Good endpoint content management is available. Ivanti Neurons for UEM solution's centralized endpoint visibility includes a modern and useful UI with detailed dashboards.
Ivanti UEM solution can be deployed as software or an appliance (hardware or virtual) installed on a customer's premises or as a public or private cloud service and hybrid use cases. The UEM solution's components are implemented as microservices and container, container-orchestration system, and serverless platforms delivery are available, although limited container-based platforms are supported. Managed services are sold and provided by partners. The majority of the UEM solutions capabilities are available via SOAP, REST, and JSON-RPC APIs. Although command-line interface access to functionality is not available, both Android and iOS SDKs are given to protect application data and content. DevOps can take advantage of its developer portal's documentation, tutorials, and configuration information. The solution has been independently certified to support compliance with the FIPS 140-2, ISO/IEC 27001, and ISAE 18 SOC 2 standards.
Ivanti has a good market presence in both the EMEA and North America regions, with a growing presence in both the APAC region and Latin America. Ivanti's customer base is made up of small to mid-market organizations with an increasing presence at the enterprise level. Ivanti appears in all leadership segments of this UEM Leadership Compass. Overall, Ivanti Neurons for UEM solution offers a well-balanced and flexible UEM offering that should be on the shortlist for organizations considering deploying UEM solutions.
5.9 ManageEngine - ManageEngine Desktop Central
Headquartered in Pleasanton, US, ManageEngine is under the umbrella of the India-based Zoho Corporation founded in 1996. ManageEngine offers Unified Endpoint Management & Security, Advanced IT Analytics, IAM, SIEM, Enterprise Service Management, and IT Operations Management feature sets within their ManageEngine Desktop Central product, a single set of products as an integrated suite.
ManageEngine's Unified Endpoint Management solution provides a single pane of glass for UEM capabilities such as the management of endpoint devices, applications, assets, expense, security, patch management, endpoint discovery, health monitoring, and endpoint intelligence, to name a few. With the exception of business virtual assistants, smartboards, and printers, ManageEngine supports a wide range of common endpoint types and support for some interesting types of endpoints, such as wearable devices and mixed reality headsets. Point-of-sale, ATM and industrial mobile devices can also be supported. All endpoint operating systems evaluated are supported, including mobile iOS, Android, and Chrome as well as Windows XP to Windows 10 to Windows Servers, and good support for macOS and Linux. ManageEngine also offers co-management options for legacy client machines. However, mobile threat defense is not supported.
Management of device lifecycle is strongly supported and gives inventory and audit details of all managed applications. Also provided is the ability to automate app updates across major app stores. Users can be authenticated during enrollment with a one-time passcode or a user's Active Directory credentials, and 2FA is also supported. Also given are smart groups to dynamically modify policies based on the remote office or other user location in which users are connected. Good workflow support is available to keep track of device repairs, device upgrades with automated workflows to manage and schedule the device updates. ManageEngine's automation can also apply to the enrollment process with its zero-touch enrollment capabilities. The solution provides patch management for Windows, macOS, Linux, Chrome, as well as other third-party applications such as Adobe Reader, Firefox Browser, Java, etc. Patch management for iOS and Android is not included. Software package Creation and Distribution, OS imaging, and deployment are included. However, endpoint application management has some missing software packaging capabilities, although good support for pre-created software templates is given. ManageEngine provides many other auxiliary products for capabilities such as ITSM, license management, EEP, EDR, etc., so there are limited integration options to other third-party solutions. However, integrations to Jira, ServiceNow, Spiceworks, and Zendesk are available.
ManageEngine has been independently certified as compliant with ISO 27001, SOC 2, and HIPPA/HITRUST standards and is capable of on-premises, public, private, and government cloud deployments. For on-premises deployments. ManageEngine Desktop Central is downloaded as bundled software complete with an Nginx web server and Postgres database. Deployments to container-based platforms are not available. ManageEngine is also delivered as SaaS, where Zoho is the cloud provider with data centers in North America, the EU, Asia, and Australia. ManageEngine also offers software for Managed Service providers to provide a managed service to the customer but doesn't manage the service themself. Multi-tenancy is supported for their Remote Monitoring and Management (RMM) and Enterprise Mobility Management solutions for Managed Service Providers. ManageEngine Desktop Central Mobile Device Management is an addon with the enterprise edition or comes with it when purchased as a standalone UEM solution. Only REST APIs are exposed to access product functionality using the product's Jersey RESTful Web Services framework. The product agent and server installation, uninstall, and upgrades can all be done using a CLI. SDKs are not available.
ManageEngine is well represented in the market with customers in North America, EMEA, and the APAC regions with growth in Latin America with a range of customers from SMB to enterprise-level deployments. ManageEngine provides a good partner ecosystem as well as professional services. Overall, ManageEngine's Desktop Central UEM solution gives a good balance of features and appears in this UEM Leadership Compass as a Product, Innovation, and Market leader.
5.10 Matrix42 - Secure Unified Endpoint Management
Established in 1991 with headquarters in Frankfurt, Germany, Matrix42 provides products to manage and secure digital working environments. Matrix42 Secure Unified Endpoint Management (SUEM) is a single platform that supports managing devices, applications, and processes through features such as client management and mobile device management as part of its digital workspace management product portfolio.
Matrix42 Unified Endpoint Management product focus includes endpoint device, identity, content, patch, asset, license management, endpoint security and device provisioning, health monitoring, and tracking capabilities. Beyond some typical UEM capabilities, Matrix42 also offers mobile threat defense, endpoint privilege management, intelligence, vulnerability detection & remediation features. Matrix42 SUEM supports a wide range of endpoint devices from desktop to mobile, IoT, wearables, mixed reality headsets, virtual business assistants, smartboards, and printers. Supported endpoint operating systems include Android, Windows, macOS, Linux, and Chrome. Also supported are iPadOS and AppleTV.
Matrix42 SUEM offers a very modern, well laid out, and user-friendly centralized dashboard that gives good visibility to all of the supported aspects of its UEM features as well as an intuitive drag & drop UI capability. Matrix42 provides a flexible workflow engine (Workflow Studio) that automates the installation of agents that configure endpoint devices, including security policies, encryption technology, pushing out all needed applications, and other device and application controls. Support for endpoint content management automation and intelligence includes DLP capabilities in which sensitive data can be detected and encrypted for data transfer, detecting leakage depending on the abnormal movement of data. Also given is machine learning in self-service scenarios, such as providing device image analysis to identify the problems and provide solutions.
Matrix42 SUEM is implemented in a microservices architecture and is capable of a devised set of deployment models such as on-premises, cloud, multi-cloud, and can be delivered as SaaS, virtual and hardware appliance, server or serverless platforms, as well as container-based with Kubernetes. For cloud delivery, the product supports full multi-tenancy for all product components. There is an operational requirement on Microsoft technology dependencies such as Windows Server, .Net framework, MS SQL database, and Matrix42 relies on the Azure Autoscaling for the rapid scaling of additional users and/or high traffic events in the cloud. For container-based deployments, only Docker is supported. Matrix42 also provides a managed service that includes product installation, configuration, update, and maintenance. Matrix42 SUEM capabilities can be accessed via SOAP, REST, and JSON-RPC APIs. Although functionality is not exposed via CLI, SDKs are available and support C/C++, .NET, and PowerShell.
Matrix42 is a privately owned company primarily focused in the EMEA region, supporting medium to mid-market customers, with some inroads to enterprise companies. Matrix42 provides a fairly good partner ecosystem, also focused on the EMEA region. Overall, Matrix42 offers a well-balanced and robust feature set in the UEM market and would be of particular interest to organizations in the EMEA region.
5.11 Micro Focus - ZENworks Suite
Micro Focus is a UK-based company that has been in the market since 1976, which acquired the NetIQ (originally Novell) product suite in 2014. Since then, Micro Focus executed a significant shift in its product strategy during its merger with Hewlett Packard Enterprise (HPE). The effects of this merger provided a comprehensive security portfolio with a focus on integrated IAM technologies and a boost in market presence with strong professional services around the globe. The Micro Focus Unified Endpoint Management and Protection Portfolio offer endpoint device lifecycle management, vulnerability detection, and protecting endpoint data. The Micro Focus ZENworks suite for Unified Endpoint Management, evaluated in this Leadership Compass, includes features from ZENworks Configuration Management, ZENworks Patch Management, ZENworks Full Disk Encryption, ZENworks Endpoint Security, ZENworks Asset Management, Micro Focus Desktop Containers, ZENworks Service Desk, Connected MX, Interset, Voltage, Vertica, Retain Information Archiving, Micro Focus Filr, NetIQ, and ArcSight.
The Micro Focus UEM solution focuses on the endpoint device, application, content, patch, license, and asset management, as well as endpoint discovery tracking and security. However, endpoint device health monitoring is not given. Micro Focus features include policy-driven endpoint backup and recovery for Windows and macOS devices with in-built file sync and share capabilities via its Connect MX solution. Also noted is that Mobile Content Management is provided via Filr, Voltage SmartCipher, and Mobile Device Archiving & eDiscovery is provided via Retain Information Archiving. New is an integrated antimalware protection capability through its endpoint security management which can define policies to deliver the antimalware agent and report back and view via the security dashboard. With the exception of more advanced device types such as IoT, printers, virtual business assistants, or mixed reality headsets, Micro Focus gives good support to traditional types of endpoint devices such as desktops, laptops, smartphones, and tablets, with the additional support for smartboards, and TV OS, ATMs, Point of Sale Kiosks and industrial mobile devices. Most operating systems are supported with the exception of Chrome.
Micro Focus ZENworks endpoint lifecycle management supports endpoint provisioning of devices and applications. The lifecycle management provides a hardware and software inventory, software distribution, configuration and patch management, remote support, backups, and license tracking. For endpoint device end-of-life, device wiping is available. Micro Focus also provides endpoint application containerization and application streaming capabilities. ZENworks Service Desk is an ITSM tool that integrates with ZENworks, which assists in remote management, software deployment, configuration management, and requesting services through the ITSM portal. Integration with third-party ITSM is also possible using its SOAP and REST APIs. Other third-party endpoint solutions integrations are limited. The solutions endpoint provisioning covers users, devices, and applications. Also, dynamic local user capabilities allow ZENworks to automatically provision user accounts on Windows devices that are not a part of a Windows domain. The solution supports endpoint activation for Apple DEP, Microsoft Autopilot, and Android Enterprise. ZENworks patch policies allow automated and scheduled installation of patches. Patch compliance dashboards in the management console automate the collection of information and display the patch status of devices. Integrates with the NIST CVE database providing a CVE based view of the environment.
Micro Focus ZENworks provides a modern, detailed, and complex centralized UI with a good set of out-of-the-box reports, and user self-service. Dashboards allow drill-down details with customizable dashlets. Micro Focus ZENworks is also moving in a microservice-based architecture direction. It offers a traditional installer that runs on Windows or Linux that can be deployed on-premises or on a cloud-hosted VM. Linux installments require Docker and a file-based microservice on Windows installments. Also offered is a pre-built virtual appliance that includes Docker and is available for vSphere, Hyper-V, and XEN virtualization platforms. For Cloud, Micro Focus supports Windows or Linux server cloud deployments. Currently, the cloud offering does not support multi-tenancy. Also, ZENworks capabilities can be accessed via SOAP or REST APIs. Some CLI access to functionality is provided, although SDK support is not.
Micro Focus has a good global presence and is a member of the Market Leader segment of this Leadership Compass. Micro Focus ZENworks suite offers a set of UEM capabilities with strength in patch, device, and application management, with an opportunity to grow its feature set into other areas of UEM as indicated by the Micro Focus ZENworks roadmap. ZENworks could be of particular interest to existing Micro Focus customers that can take advantage of the other Micro Focus product integrations.
5.12 Microsoft - Microsoft Endpoint Manager
Microsoft Corporation is one of the largest technology companies worldwide, with headquarters in Redmond, Washington. Microsoft has consolidated Microsoft's Endpoint Configuration Manager within their security portfolio, which was Microsoft System Center Configuration Manager (SCCM), brought together with Microsoft Intune. Endpoint Configuration Manager, which focuses on traditional image-based PC management, and Intune, focused on the multi-platform mobile device management using a more modern management context, are now under a single product offering to form the Microsoft Endpoint Manager product offering.
The Microsoft Endpoint Manager (MEM) product focus includes endpoint device, identity, content, patch, asset, license management, endpoint security and device provisioning, health monitoring, and tracking capabilities. However, support for endpoint expense management is not given. All areas of endpoint device support are covered, including desktop, mobile, tablets, wearables (e.g., smartwatches), and IoT, with additional device support via Intune and ConfigMgr, including servers. Most endpoint operating system support is given, such as iOS, Android, Windows, and macOS. Support for Linux desktops is a recent addition. AzureAD conditional access policies will apply to Linux devices for Ubuntu and Red Hat platforms on the near-term roadmap. Not provided is Chrome OS support.
Deeper under the Endpoint Manager technology stack of Endpoint Configuration Manager and Intune are capabilities that support desktop analytics, Azure-based Security, Insight via cloud analytics, endpoint and application policy controls, and automatic deployment features. All features with the MEM can leverage the Microsoft Azure cloud-driven intelligence. Regarding endpoint containment capabilities, MEM supports Native iOS/Android containment for MDM enrolled devices, containment features of macOS, full management of the containment features of Office 365 mobile apps, as well as support Windows Information Protection (WIP) for Windows. Easier enrollment for Android Open Source Project (AOSP) devices is now in public preview. Microsoft Endpoint Manager has expanded the types of applications it can manage on macOS to manage DMG apps with Intune. Configuration Manager servers also extend the Microsoft Connect Cache for general availability. Windows devices not enrolled for management can now be protected by Microsoft Defender using the same security policies used for enrolled devices. Microsoft Defender support for unenrolled devices will extend to both Linux servers and macOS in the near future.
Since MEM inherits the capabilities of both Intune and ConfigMgr, both on-premises and cloud deployment models are supported, with the cloud service running on the PaaS on Azure. Although ConfigMgr can be deployed on-prem and Intune as cloud-only, they can work together to form a hybrid model. Microsoft Managed Desktop (MMD) is offered as a cloud-based service to provide user device management, security monitoring , and IT service management and operations on behalf of organizations. Endpoint Manager capabilities are accessible via its Microsoft Graph (REST) API. The use of the SOAP protocol is not supported.
Since its founding in 1975, the Microsoft Corporation has grown to have one of the largest market presences in just about every part of the world with strong support, professional services, and a partner ecosystem. Microsoft has the infrastructure and capability to scale extremely high workloads and is continually expanding support to other device platforms beyond its own. Microsoft is a clear leader in the UEM space, as indicated by appearing in this Leadership Compass report's Product, Market, Innovation, and Overall Leader segments. Microsoft Endpoint Manager should be on the shortlist for organizations considering deploying UEM solutions.
5.13 Miradore - Miradore
Founded in 2006, Miradore is a privately held company based in Finland. The product, also called Miradore, is a cloud-based Mobile Device Management platform reviewed in this Leadership Compass.
Miradore offers device, application, patch, and asset management. Device health monitoring and tracking are also available. Some endpoint intelligence is given, and remote access management for remote troubleshooting and integration to TeamViewer remote control. Support is given to more traditional endpoint device types such as desktops, laptops, tablets, and smartphones. Support for point-of-sale kiosks and industrial mobile devices are also given. Supported endpoint operating systems include iOS, Android, Windows, and macOS. Support for Linux and Chrome is not available.
Endpoint lifecycle management includes endpoint provisioning of users and applications. The solution also provides automatic enrollment via DEP, Zero-Touch, and Samsung KME, as well as remote locking and/or wiping of endpoints. Miradore also offers endpoint discovery capabilities and keeps a repository of discovered endpoint hardware, software information. Also, an analysis of discovered endpoints can be conducted for vulnerabilities and compliance (e.g., missing patches). Endpoint patch management is limited to iOS and Windows, which is well supported through patch updates, workflows, rollouts options, automatic approvals with Windows patching, as well as testing, piloting, and approval of patches before release. Miradore's patch feed provides Windows updates and patches for hundreds of software products from almost 100 software vendors, in which the feed is updated with new patches, products, and vendors continuously. Application software deployment and packaging allow for application whitelisting or blacklisting for iOS and Android. Package creation and customization are also given. Miradore business policy can contain a set of applications, files, certificates, and configurations. If missing, they are automatically deployed.
Miradore provides a single platform. The solution is available as a public cloud service or as a managed service through managed service providers. Some of Miradore's functionality is accessible via REST APIs, although access through CLI or SDKs is not provided. Custom integration with third-party services like ITSM, threat intelligence, EEP, or EDR can be accomplished via API. The Miradore UI is simply laid out with a useful dashboard with many OOB widgets. Also, an MSP portal for partners managing customers.
Miradore supports SMB customers concentrated in the EMEA and North America region, although showing growth in APAC, Latin America, and other regions as well. SMBs requiring basic endpoint device, application and patch management capabilities can consider Miradore for evaluation.
5.14 Mitsogo - Hexnode UEM
Founded in 2013 and headquartered in the San Francisco Bay area with offices in Australia, Germany, and India, Hexnode is a software division of Mitsogo Inc. and provides a centralized platform for device, app, content, identity, and threat management for companies ranging from SMBs to the enterprise level.
Hexnode UEM product focuses on device, application, content, patch, asset, contract, and cloud expense management. Device health monitoring and tracking are available as well as endpoint security, vulnerability detection & remediation, with intelligence and analytics. Also offered is remote access management for remote troubleshooting. Not given are endpoint identity, license, discovery, and OS imaging and deployment capabilities. More traditional endpoint devices such as desktops, laptops, tablets, smartphones, TV OS, point-of-sale kiosks, and industrial mobile devices are supported. Advanced device types such as wearables, business virtual assistants, smartboards, or mixed reality headsets are not supported. Endpoint operating systems support includes iOS, Android, macOS, and Windows 10, although support for Linux, or Chrome is not. Legacy client machines and devices support is given via a Microsoft SCCM integration. Integrations with third-party solutions are limited, although a Zendesk ITSM integration is possible.
Endpoint lifecycle management includes automated user onboarding, provisioning of users, devices, applications, content, and endpoint activation and decommissioning. Remote access provides device locking and/or wiping as well as endpoint troubleshooting via analytics and intelligence. An inventory of all endpoints is also given. Limited patch management capabilities are available, although endpoint health policy management with the ability to scan, detect, and report on the endpoint software version, patch level, and health is available. Although the ability to build app packages is lacking, other application management features cover the deployment of IPA, APK, PKG, MPKG, DMG & MSI packages, configurations such as in-app setup, app permissions, push per-app VPN, store layout, set up app data usage limits, and the ability to create app catalogs/enterprise app stores. Endpoint containment and content management capabilities are given, allowing for the separation of business from personal apps and data. Containment policies are course-grained, and one or more container profiles can be defined. Details of the contained applications can be accessed, while the solution prevents sensitive data from leaking externally.
A web-based interface provides a simple and useful centralized UI with a view of analytics and intelligent insights of endpoints under management. Some out-of-the-box (OOB) reports are provided, as well as a pre-defined HIPAA compliance policy template OOB for U.S. health-related customers. Hexnode UEM is implemented in a microservice architecture and is primarily deployed as a cloud service, although some support for on-premises use cases can be supported. Some of the solution's functionality is accessible via a REST API. Both CLI and SDK access to product functionality are not available.
Hexnode customers are SMB to mid-market with growth in enterprise organizations in North America with a good market presence in the EMEA and APAC regions. Small to mid-market organizations requiring basic endpoint devices and content management can consider Hexnode UEM for evaluation.
5.15 Quest - KACE Suite
Quest is a privately held software company headquartered in Aliso Viejo, California. Although Quest was founded in 1987, KACE Unified Endpoint Management was founded in 2003, which is one business unit within Quest. Quest KACE UEM solution, considered in this Leadership Compass, is comprised of the KACE Systems Management Appliance (SMA) and KACE Cloud Mobile Device Manager (CMDM), and KACE-as-a-Service (KaaS) from the KACE suite of products. The KACE Systems Management Appliance (SMA) focuses on on-premises management of devices, while the KACE Cloud Mobile Device Manager provides the cloud portal and device management. KaaS gives the same capabilities as SMA but from the cloud.
The Quest KACE UEM solution centers on the endpoint device, application, patch, license, content, asset management, endpoint security, device provisioning, endpoint discovery, health monitoring, and location tracking. Other capabilities such as endpoint identity, expense management, or mobile threat defense are not supported. With the exception of consumer wearable devices, virtual business assistants, and mixed reality headsets, all other device types are supported, including desktop, mobile, tablets, IoT, printers, smartboards, point-of-sale kiosks, ATM, and other industrial use cases. Quest KACE supports a wide range of endpoint operating systems: iOS, Android, Windows, macOS, Linux, and Chrome.
Endpoint life cycle management includes endpoint provisioning of users, devices, and applications, and a built-in service desk can accomplish automated onboarding via ticket processes. Endpoint activation and decommissioning are available through KACE CMDM. Remote access to endpoint devices requires a third-party integration. The solution provides remote locking and wiping of endpoints for iOS, Android, Windows, and macOS. OS image creation is not part of the KACE UEM solution, but KACE does offer a system deployment solution for image creation, deployment, and management. The KACE patch management features are strong, giving good support to iOS, Android, Windows, and macOS. Automated Linux security update deployments are also available out of the box. Endpoint patch management intelligence requires AI/ML integration through its API or 3rd-Party DB Access and can be shown through the solution's dashboards and reporting. Patch management is also complemented by built-in vulnerability scanning and reporting. The KACE Systems Management Appliance provides a good user experience with a well-laid-out administration dashboard that utilizes dashboard component widgets and allows different theme options such as a dark mode for a more modern look and feel. Uniquely, the KACE suite also gives a built-in service desk for customers that don't have a third-party service product and the ability to allow third-party integrations. Both user self-service and admin access to its portals are supported through some good authentication options and MFA.
With KACE Systems Management Appliance for on-premises and KACE Cloud Mobile Device Manager for the cloud, the combination of both KACE components allows for a hybrid deployment model. The KaaS is delivered as SaaS. Also, virtual appliance delivery options are available. Container-based platforms are not supported. Managed Service Providers also use KACE SMA for imaging, patching, and device management. KACE SMA is also available in the Azure Marketplace to run in Azure. REST APIs are available for access to KACE functionality, but a SOAP API for legacy system support is not given. Some CLI access to product features is available, although SDK support is not.
Quest KACE customer base is concentrated in North America with a growing presence in the EMEA and APAC regions and is focused on medium to mid-market organizations but can scale to the enterprise. Quest KACE provides good support and professional services. Quest KACE is worthy of consideration, particularly for customers in North America with requirements focused on the endpoint device, application, and patch management.
5.16 VMware - VMware Workspace ONE
VMware is a US company listed on the NYSE. VMware provides large-scale enterprise virtualization and cloud infrastructure solutions. Workspace ONE Unified Endpoint Management (UEM) is part of VMware's growing portfolio aimed at positioning itself as a one-stop shop for cloud infrastructure, virtualized and software-defined data centers, security, and desktop application delivery. VMware Workspace ONE is a single platform with multiple services, including VMware Horizon, Modern IT Service, and Workspace ONE UEM evaluated in the Leadership Compass.
Workspace ONE UEM aims to consolidate IT management tools with the centralized management of endpoint lifecycle support, security, and intelligent analytics. Workspace ONE UEM provides a wide range of capabilities, including endpoint device, identity, content, patch, asset, license, expense management, endpoint security and device provisioning, health monitoring, and tracking capabilities. However, support for endpoint privileged or contract management, and endpoint discovery features are not supported. Almost all areas of endpoint device support are covered, including desktop, laptop, tablets, smartphones, wearables, and printers, with additional device support for business virtual assistants, TV OS, mixed reality headsets, point-of-sale kiosks, and industrial mobile devices. Also supported are Infinite Peripherals Sleds, OS-less devices like beacons, and IoT devices with x86_64 or ARM architecture, although support for ATMs and smartboards are not given. All endpoint operating systems evaluated are supported, such as iOS, Android, Windows, macOS, Linux, and Chrome. Additionally, Tizen's support is given, as IoT has shown through its support for Win10 IoT and Raspberry Pi.
Full endpoint lifecycle management is provided, such as device provisioning, activation, and decommissioning. Workspace ONE also supports out-of-the-box (OOB) enrollment options for Android, iOS, macOS, Chrome OS, and Windows endpoints. Also noted is that desktop OEMs such as Dell, HP, and Lenovo have integrated Workspace ONE into their factory provisioning services. The platform also supports the ability to perform an enterprise reset for managed Windows 10 endpoints. Strong patch management includes support for iOS, Android, Windows, macOS, Linux, and Chrome. Support is also given for configurations of device health and security policies. Other features include the ability to detect endpoints for required OS and app versions, patches, CVE vulnerabilities, as well as device health configuration drifts. Real-time and detailed reporting is available within Workspace ONE UEM and Intelligence platform. Strong authentication options are given for both user self-service and admin access to the Workspace ONE UEM portals. The Workspace ONE UEM UI is modern that is straightforward, with useful graphics and dashboards. Good options for third-party integration are available such as an OOB integration with ServiceNow for ITSM. Other integrations such as third-party threat intelligence, EPP, and EDR are supported via Workspace ONE Trust Network.
VMware Workspace ONE UEM can be deployed as software installed on a customer's premises as well as public, private, or government cloud services, hybrid or as a managed service. A Docker container-based platform is also supported. For on-premises deployments, the Workspace ONE UEM Cloud Connector (aka AirWatch Cloud Connector) and the Unified Access Gateway server components can be installed. On-premises deployments also require a Microsoft SQL Server database. Cloud solutions are multi-tenant. Less than half of Workspace ONE UEM functionality is accessible via APIs, which includes SOAP and REST, although both CLI access and SDKs for Android, iOS, Java, C/C++, Cordova, and Xamarin are supported. The product has been independently certified to comply with a large number of standards such as ISO 27017, ISO 27018, FedRAMP, SOC 3, FIPS 201-2, NIST SP 800-49, NIST SP 800-53-4, CIO Council Federal Mobile Security Baseline, CESG End User Devices Security and Configuration Guidance, and Australia Signals Directorate just to name a few.
VMware supports a large customer base worldwide with its products and professional services. Overall, Workspace ONE UEM offers a well-balanced set of UEM capabilities with strong support for a multitude of security standards. VMware appears in all leadership categories of this Leadership Compass and should be on the shortlist for organizations considering UEM solutions.
6 Vendors to Watch
Founded in 2009, 42Gears is a medium-sized private enterprise headquartered in Bangalore, India, of the APAC region and an office in Fremont, CA. Under their portfolio of products, 42Gears offers Unified Endpoint Management tools to manage various types of endpoints and their apps and content.
42Gears SureMDM provides lifecycle management for endpoint devices such as Android, iOS, Linux, macOS, Windows, Google Wear OS, and Virtual Reality (VR) headsets. Other endpoint device solutions include SureLock for locking down devices used as a self-service Kiosk and SureFox for securing device browsers. In addition, CamLock gives the ability to secure device cameras.
Why worth watching: Why worth watching: 42Gears provides a unified set of solutions such as MDM lifecycle support, including device enrollment, application and content management, location tracking, and support for Kiosk use cases.
AppTec360 is a privately owned company with headquarters in Basel, Switzerland. Its Enterprise Mobility Management solution supports device management of its lifecycle, policies, applications, security, and content. Also supported are device service and expense management. Supported operating systems include Android, iOS, macOS, and Windows.
The solution's web console gives a unified view of its management capabilities, including device inventory, device details, and dashboard graphics and reports. A user self-service portal is also given. The AppTec360 system architecture consists of the EMM server managed through the AppTec360 EMM console and device access through its Universal Gateway.
Why worth watching: AppTec360 provides its regional servers in Germany and Switzerland, focusing on data security and a worldwide presence with customers in 107 countries providing more than just a common MDM solution.
BlackBerry has a long history in wireless devices and other solutions in the mobile communication market. Since then, BlackBerry has now provided a UEM solution and acquired Cylance in 2019 to provide AI-driven endpoint protection, detection, and response capabilities to enhance its endpoint security. Founded in 1984, BlackBerry has headquarters in Waterloo, Ontario, Canada, and operates worldwide in 30 countries.
BlackBerry UEM provides a single solution for device, application, and data management. BlackBerry UEM allows for control policies for users, devices, and applications visibility within a centralized console. Support for endpoint environments includes Android, iOS, macOS, Windows 10, and Chrome. Both on-premises and cloud deployment options are also given.
Why worth watching: Blackberry continues to provide an enterprise-grade UEM solution with innovative AI-driven endpoint protection, detection, and response capabilities.
Sophos is a public company listed on the London Stock Exchange with its headquarters in Abingdon in the UK. It was founded in 1985 in Oxford England, and originally produced anti-virus software. Since then, Sophos has expanded to support other business solutions, including recent acquisitions of several cybersecurity companies Braintrace, Capsule8, and Refactr. Sophos's solution for endpoint protection is their Intercept X Endpoint product. Sophos Intercept X provides a comprehensive defense-in-depth approach to endpoint protection, featuring intelligent EDR, XDR, exploit prevention, anti-ransomware capabilities, and managed threat response.
Sophos Intercept X supports Windows and Mac OS systems. All versions of Intercept X are managed using a single cloud-based management console that comes with default policies and recommended configurations. Sophos Intercept X Advanced combines foundational and advanced capabilities into a single, integrated product and represents the current core endpoint protection offering from Sophos.
Why worth watching: Sophos is increasing its endpoint intelligence capabilities through existing and recently acquired cybersecurity companies and their technology.
Founded in 1995, SOTI is a large enterprise headquartered in Mississauga, Canada, with worldwide offices in the EMEA and APAC regions. SOTI has had a long-time product focus on MDM, EMM, and UEM solutions. Although past strategic direction focused on business mobility and the Internet of Things (IoT) in 2017 with their SOTI ONE Platform, they have build onto its platform with SOTI Identity that provides centralized user authentication, single sign-on and role management to its portfolio and SOTI Central giving an online community for SOTI partners and customers
The SOTI ONE Platform is a tightly integrated set of products such as SOTI MobiControl, SOTI Assist, SOTI Insight, and SOTI Connect. MobiControl addresses EMM with compliance and data security in mind by managing the lifecycle of endpoint devices. SOTI Assist provides help desk features that can analyze, troubleshoot, and fix many device and application issues. SOTI Insight gives visibility of endpoint devices and applications with many out-of-the-box analytic capabilities. SOTI Connect focuses on the lifecycle management of IoT devices.
Why worth watching: SOTI continues to expand its SOTI platform offering more capabilities to its customers.
Tanium, founded in 2007, is a large company headquartered in Kirkland, Washington, with additional offices globally. Tanium has a large customer base in the EMEA region and deployments within branches of the U.S. Armed Forces, financial institutions, and retailers. The Tanium platform provides both security and IT operations with a centralized view of endpoints and their data.
The Tanium platform Client Management solution is modular. It provides many capabilities that include discovery abilities for identifying a wide range of endpoint types, asset inventory of endpoint data, deployment & patch management of software, performance insights, and centralized policy enforcement of endpoint.
Why worth watching: Look for the Tanium platform to continue to build out its endpoint management capabilities.
7 Related Research
Executive View: Microsoft Azure AI Platform - 80233
Executive View: Microsoft Enterprise Mobility + Security Suite - 72541
Leadership Compass: Enterprise Endpoint Security: Anti-Malware Solutions - 71172
8.1 About KuppingerCole's Leadership Compass
KuppingerCole Leadership Compass is a tool which provides an overview of a particular IT market segment and identifies the leaders within that market segment. It is the compass which assists you in identifying the vendors and products/services in that market which you should consider for product decisions. It should be noted that it is inadequate to pick vendors based only on the information provided within this report.
Customers must always define their specific requirements and analyze in greater detail what they need. This report doesn’t provide any recommendations for picking a vendor for a specific customer scenario. This can be done only based on a more thorough and comprehensive analysis of customer requirements and a more detailed mapping of these requirements to product features, i.e. a complete assessment.
8.2 Types of Leadership
We look at four types of leaders:
- Product Leaders: Product Leaders identify the leading-edge products in the particular market. These products deliver most of the capabilities we expect from products in that market segment. They are mature.
- Market Leaders: Market Leaders are vendors which have a large, global customer base and a strong partner network to support their customers. A lack in global presence or breadth of partners can prevent a vendor from becoming a Market Leader.
- Innovation Leaders: Innovation Leaders are those vendors which are driving innovation in the market segment. They provide several of the most innovative and upcoming features we hope to see in the market segment.
- Overall Leaders: Overall Leaders are identified based on a combined rating, looking at the strength of products, the market presence, and the innovation of vendors. Overall Leaders might have slight weaknesses in some areas, but they become Overall Leaders by being above average in all areas.
For every area, we distinguish between three levels of products:
- Leaders: This identifies the Leaders as defined above. Leaders are products which are exceptionally strong in certain areas.
- Challengers: This level identifies products which are not yet Leaders but have specific strengths which might make them Leaders. Typically, these products are also mature and might be leading-edge when looking at specific use cases and customer requirements.
- Followers: This group contains vendors whose products lag in some areas, such as having a limited feature set or only a regional presence. The best of these products might have specific strengths, making them a good or even best choice for specific use cases and customer requirements but are of limited value in other situations.
Our rating is based on a broad range of input and long experience in that market segment. Input consists of experience from KuppingerCole advisory projects, feedback from customers using the products, product documentation, and a questionnaire sent out before creating the KuppingerCole Leadership Compass, and other sources.
8.3 Product Rating
KuppingerCole Analysts AG as an analyst company regularly evaluates products/services and vendors. The results are, among other types of publications and services, published in the KuppingerCole Leadership Compass Reports, KuppingerCole Executive Views, KuppingerCole Product Reports, and KuppingerCole Vendor Reports. KuppingerCole uses a standardized rating to provide a quick overview on our perception of the products or vendors. Providing a quick overview of the KuppingerCole rating of products requires an approach combining clarity, accuracy, and completeness of information at a glance.
KuppingerCole uses the following categories to rate products:
Security is a measure of the degree of security within the product / service. This is a key requirement and evidence of a well-defined approach to internal security as well as capabilities to enable its secure use by the customer are key factors we look for. The rating includes our assessment of security vulnerabilities and the way the vendor deals with them.
Functionality is a measure of three factors: what the vendor promises to deliver, the state of the art and what KuppingerCole expects vendors to deliver to meet customer requirements. To score well there must be evidence that the product / service delivers on all of these.
Deployment is measured by how easy or difficult it is to deploy and operate the product or service. This considers the degree in which the vendor has integrated the relevant individual technologies or products. It also looks at what is needed to deploy, operate, manage, and discontinue the product / service.
Interoperability refers to the ability of the product / service to work with other vendors’ products, standards, or technologies. It considers the extent to which the product / service supports industry standards as well as widely deployed technologies. We also expect the product to support programmatic access through a well-documented and secure set of APIs.
Usability is a measure of how easy the product / service is to use and to administer. We look for user interfaces that are logically and intuitive as well as a high degree of consistency across user interfaces across the different products / services from the vendor.
We focus on security, functionality, ease of delivery, interoperability, and usability for the following key reasons:
- Increased People Participation: Human participation in systems at any level is the highest area of cost and the highest potential for failure of IT projects.
- Lack of excellence in Security, Functionality, Ease of Delivery, Interoperability, and Usability results in the need for increased human participation in the deployment and maintenance of IT services.
- Increased need for manual intervention and lack of Security, Functionality, Ease of Delivery, Interoperability, and Usability not only significantly increase costs, but inevitably lead to mistakes that can create opportunities for attack to succeed and services to fail.
KuppingerCole’s evaluation of products / services from a given vendor considers the degree of product Security, Functionality, Ease of Delivery, Interoperability, and Usability which to be of the highest importance. This is because lack of excellence in any of these areas can result in weak, costly and ineffective IT infrastructure.
8.4 Vendor Rating
We also rate vendors on the following characteristics
- Market position
- Financial strength
Innovativeness is measured as the capability to add technical capabilities in a direction which aligns with the KuppingerCole understanding of the market segment(s). Innovation has no value by itself but needs to provide clear benefits to the customer. However, being innovative is an important factor for trust in vendors, because innovative vendors are more likely to remain leading-edge. Vendors must support technical standardization initiatives. Driving innovation without standardization frequently leads to lock-in scenarios. Thus, active participation in standardization initiatives adds to the positive rating of innovativeness.
Market position measures the position the vendor has in the market or the relevant market segments. This is an average rating over all markets in which a vendor is active. Therefore, being weak in one segment doesn’t lead to a very low overall rating. This factor considers the vendor’s presence in major markets.
Financial strength even while KuppingerCole doesn’t consider size to be a value by itself, financial strength is an important factor for customers when making decisions. In general, publicly available financial information is an important factor therein. Companies which are venture-financed are in general more likely to either fold or become an acquisition target, which present risks to customers considering implementing their products.
Ecosystem is a measure of the support network vendors have in terms of resellers, system integrators, and knowledgeable consultants. It focuses mainly on the partner base of a vendor and the approach the vendor takes to act as a “good citizen” in heterogeneous IT environments.
Again, please note that in KuppingerCole Leadership Compass documents, most of these ratings apply to the specific product and market segment covered in the analysis, not to the overall rating of the vendor.
8.5 Rating Scale for Products and Vendors
For vendors and product feature areas, we use a separate rating with five different levels, beyond the Leadership rating in the various categories. These levels are
- Strong positive: Outstanding support for the subject area, e.g. product functionality, or outstanding position of the company for financial stability.
- Positive: Strong support for a feature area or strong position of the company, but with some minor gaps or shortcomings. Using Security as an example, this can indicate some gaps in fine-grained access controls of administrative entitlements. For market reach, it can indicate the global reach of a partner network, but a rather small number of partners.
- Neutral: Acceptable support for feature areas or acceptable position of the company, but with several requirements we set for these areas not being met. Using functionality as an example, this can indicate that some of the major feature areas we are looking for aren’t met, while others are well served. For Market Position, it could indicate a regional-only presence.
- Weak: Below-average capabilities in the product ratings or significant challenges in the company ratings, such as very small partner ecosystem.
- Critical: Major weaknesses in various areas. This rating most commonly applies to company ratings for market position or financial strength, indicating that vendors are very small and have a very low number of customers.
8.6 Inclusion and Exclusion of Vendors
KuppingerCole tries to include all vendors within a specific market segment in their Leadership Compass documents. The scope of the document is global coverage, including vendors which are only active in regional markets such as Germany, Russia, or the US.
However, there might be vendors which don’t appear in a Leadership Compass document due to various reasons:
- Limited market visibility: There might be vendors and products which are not on our radar yet, despite our continuous market research and work with advisory customers. This usually is a clear indicator of a lack in Market Leadership.
- Declined to participate: Vendors might decide to not participate in our evaluation and refuse to become part of the Leadership Compass document. KuppingerCole tends to include their products anyway if sufficient information for evaluation is available, thus providing a comprehensive overview of leaders in the market segment.
- Lack of information supply: Products of vendors which don’t provide the information we have requested for the Leadership Compass document will not appear in the document unless we have access to sufficient information from other sources.
- Borderline classification: Some products might have only small overlap with the market segment we are analyzing. In these cases, we might decide not to include the product in that KuppingerCole Leadership Compass.
The target is providing a comprehensive view of the products in a market segment. KuppingerCole will provide regular updates on their Leadership Compass documents.
We provide a quick overview about vendors not covered and their offerings in chapter Vendors and Market Segments to watch. In that chapter, we also look at some other interesting offerings around the market and in related market segments.
© 2022 KuppingerCole Analysts AG all rights reserved. Reproduction and distribution of this publication in any form is forbidden unless prior written permission. All conclusions, recommendations and predictions in this document represent KuppingerCole's initial view. Through gathering more information and performing deep analysis, positions presented in this document will be subject to refinements or even major changes. KuppingerCole disclaim all warranties as to the completeness, accuracy and/or adequacy of this information. Even if KuppingerCole research documents may discuss legal issues related to information security and technology, KuppingerCole do not provide any legal services or advice and its publications shall not be used as such. KuppingerCole shall have no liability for errors or inadequacies in the information contained in this document. Any opinion expressed may be subject to change without notice. All product and company names are trademarks ™ or registered trademarks ® of their respective holders. Use of them does not imply any affiliation with or endorsement by them.
KuppingerCole Analysts support IT professionals with outstanding expertise in defining IT strategies and in relevant decision-making processes. As a leading analyst company, KuppingerCole provides first-hand vendor-neutral information. Our services allow you to feel comfortable and secure in taking decisions essential to your business.
KuppingerCole Analysts AG, founded in 2004, is a global, independent analyst organization headquartered in Europe. We specialize in providing vendor-neutral advice, expertise, thought leadership, and practical relevance in Cybersecurity, Digital Identity & IAM (Identity and Access Management), Cloud Risk and Security, and Artificial Intelligence, as well as for all technologies fostering Digital Transformation. We support companies, corporate users, integrators and software manufacturers in meeting both tactical and strategic challenges and make better decisions for the success of their business. Maintaining a balance between immediate implementation and long-term viability is at the heart of our philosophy.
For further information, please contact firstname.lastname@example.org.