Unified Endpoint Management (UEM) 2021
This report provides an updated overview of the market for Unified Endpoint Management (UEM) and provides you with a compass to help you to find the solution that best meets your needs. We examine the market segment, vendor service functionality, relative market share, and innovative approaches to providing UEM solutions.
1 Introduction / Executive Summary
The landscape of enterprise and personal computing technology is continuously evolving. It doesn't seem that long ago that the work environment consisted of a desktop computer and a landline phone. Traditional management of desktop computers relied on manual updates of software and patches that were layered on top of each other. Later, "Gold Images" of desktop operating systems were used to provide a known good state of the OS but still required patches on a routine schedule, which would become what was known as traditional management.
As mobile phones became economically available, laptops and tablet computers replaced many stationary desktop computers; the business could control the employee device with regard to its OS and the software applications used, as well as security controls, when the device was within the perimeter of the organization. Client management tools were used to manage these environments. Client management involves capabilities such as OS deployment, software distribution, patch management, monitoring, and remote-control tools to support administration or to help automate other support functions that are typically executed manually.
Later, organizations needed to quickly deal with the introduction of the bring-your-own-device (BYOD) paradigm shift. Organizations required policies to define the boundaries of BYOD that included the ability to segregate the business data and applications from personal data and applications. Mobile device management (MDM) provided the tools to control the device functionality and help manage the lifecycle of these mobile devices and their platforms. Enterprise Mobility Management (EMM) solutions added mobile information as well as application and content management. The ability to push software, updates or patches to devices has become what is known as modern endpoint management.
Since then, work environments have continued to change. The range of endpoint device types has expanded past desktops, laptops, tablets, and mobile phones to now include printers, IoT devices, wearables like Apple Watch, and even newer types of endpoint devices that support virtual/augmented/mixed reality environments using headsets such as Oculus and HoloLens. Businesses are seeking to improve productivity and efficiency, while employees want to work from anywhere at any time. And in the Covid-19 world we live in today, the requirement to work from home has become imperative, which requires the use of mobile devices to access enterprise applications and data as if employees were in the office.
Given the complexity and growing number of different types of technologies involved in linking employees to corporate data both on-premises and in the cloud, mobile device management has gone through several iterations and approaches, with many enterprises now standardizing on a Unified Endpoint Management (UEM) approach.
This KuppingerCole Leadership Compass provides an overview of vendors and their product or service offerings in a certain market segment. This Leadership Compass focuses on Unified Endpoint Management offerings from vendors ranging from those in more localized geographic regions to those with a global presence. It considers these services in the context of the hybrid, on-premises, and cloud IT service delivery models now commonly found in enterprises.
- This Leadership Compass evaluates over 60% more UEM product vendors than in previous years.
- The UEM market is growing, and although maturing it continues to evolve.
- UEM is essential to business as a strategic approach to ensure overall IT security in a hybrid work environment.
- The level of endpoint intelligence has become a key differentiator between UEM product solutions.
- Device and Patch Management are the two strongest capabilities for the majority of products evaluated in this Leadership Compass.
- Varying levels of Application and Content Management appear as differentiators between UEM product solutions.
- The Overall Leaders are (in alphabetical order) Citrix, Entgra, IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware.
- The Product Leaders (in alphabetical order) are Citrix, Entgra, IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware.
- The Innovation Leaders (in alphabetical order) are Citrix, Entgra, IBM, Ivanti, ManageEngine, Matrix42, Microsoft, VMware.
- Leading vendors in innovation and market (a.k.a. the "Big Ones") in the UEM market are (in alphabetical order) Citrix, IBM, Ivanti, ManageEngine, Microsoft, VMware.
1.2 Market Segment
Endpoint Management is a market category that runs under a variety of names, such as Client Lifecycle Management, Unified Endpoint Management, and others. However, we see a clear trend towards comprehensive solutions supporting a variety of capabilities and types of endpoints. Thus, this Leadership Compass focuses on what is commonly referred to as Unified Endpoint Management. In this context, endpoints can be defined as traditional desktop or laptop computers, smartphones, tablets, wearables, printers, Internet of Things (IoT) devices, and even Virtual Reality (VR) headsets.
What is sometimes called client or service management involves capabilities such as OS deployment, software distribution, patch management, monitoring, and remote-control tools to support administration or to help automate other support functions that are typically executed manually. This type of management is also used to manage endpoint lifecycle, such as with UEM application management. Client management is a market segment in transition. Unified Endpoint Management (UEM) and Workspace Management are two of the major trends in client management.
A trend that had already become apparent in recent years has now become established. The separation between classic client management, which is usually based on Windows, and the management of mobile end devices (EMM, Enterprise Mobility Management) is now the exception rather than the rule. Most of the leading providers are focusing on Unified Endpoint Management, i.e., on solutions with which all types of end devices can be managed, from the variety of different desktop operating systems such as Windows, macOS, Linux or Chrome to mobile end devices with Android or iOS as the operating system.
The range of functions offered by such solutions now goes far beyond classic client management. It also includes the provision of configured work environments for employees, inventory, management of the operating system and applications, including security management, but also the management of content on end devices, for example, with the separation of personal and business apps and data.
Patch management, which a few years ago was often a separate product category, is also typically part of UEM solutions to the extent required today. Specialized solutions are still available, and patch management is also available in endpoint security solutions. However, most UEM products today also provide patch management functionality. Endpoint security can also be included in UEM, which sometimes intersects with other Endpoint Detection & Response (EDR) products. More information on this topic can be found in the KuppingerCole Buyer's Compass: Endpoint Detection & Response (EDR).
In addition to these influencing factors of workspace and user device expectations, other factors need to be considered when deciding how client management will be designed in the future. These include changes in application provisioning, client management from the cloud, integration with ITSM (IT Service Management) solutions, and the different concepts for client management on the one hand and for the provision of virtual work environments, i.e., the Digital Workspaces, on the other.
Here are some considerations of UEM solutions that this Leadership Compass covers:
- Products that are more classic software solutions that are installed and operated locally
- Cloud and hybrid UEM solutions
- Providers that have options for operation "as a service" that allow complete UEM to be obtained as a service without the need to install and operate servers locally
- The areas of UEM that the solution focuses on (e.g. device, application, security, patching, etc.)
- The breadth of operating systems and device types that the solution can support
- The depth of endpoint life cycle management the solution provides
- The level of application software, packaging or patch management
- Solutions that provide endpoint content management and containment capabilities
- The strength of the solution's endpoint security
Ultimately, the selection of any UEM solution on the market will depend on the organization's particular requirements, which may depend on many other aspects such as existing infrastructure management or other IT solutions currently in use. For example, if a specialized endpoint security solution is already in use, this functional area of UEM solutions is less relevant or not relevant at all. Or if the organization only needs to focus on device and patch management capabilities, then a fully featured UEM solution may not be required, and a UEM solution with those specific features may be a better fit. In all cases, it is recommended that a structured selection process be carried out before the product decision is made.
1.3 Delivery Models
Although all delivery models are looked at, it is worth considering the pros and cons of each delivery model against the use case for Unified Endpoint Management solutions. For instance, a Unified Endpoint Management solution that can serve smaller use cases while also integrating endpoint management for other organizational services should be delivered in a way that allows instances of the service to be set up immediately. Also, it is good to be aware that public cloud solutions are generally multi-tenant, while some cloud services are actually single-tenant. Other approaches use container-based deployments to provide consistent delivery of a vendor's solution, whether cloud-hosted or on-premises. Ultimately, selecting the right Unified Endpoint Management solution delivery model will depend on the customer's requirements and use cases.
1.4 Required Capabilities
When evaluating the products, we start by looking at standard criteria such as:
- overall functionality
- size of the company
- number of customers
- number of developers
- partner ecosystem
- licensing models
- platform support
Each of the features and criteria listed above will be considered in the product evaluations below. We've also looked at specific USPs (Unique Selling Propositions) and innovative features of products which distinguish them from other offerings available in the market.
When looking at this market segment, we are evaluating solutions that support a broad range of features that span the management of the endpoint devices themselves, management of applications on the endpoints, device content management, and security controls for the endpoint. Aside from baseline features such as delegated administration and reporting, we expect to see at least some of the capabilities listed in the required capabilities below as necessary features. In addition, Endpoint Management solutions must support centralized management of the various types of endpoints, as well as endpoint applications and overall configuration.
Features such as License Management, Asset Management, Contract Management, Patch Management, or Help Desk Services are also considered but are not mandatory for this category of products. However, delivering a very comprehensive set of capabilities will influence our ratings.
Expected features include, amongst others:
Support for endpoint life cycle management that includes:
- Endpoint onboarding
- Remote access or wiping
- OS management
Application software management with deployment and packaging capabilities such as:
- Enterprise App Store enrollment of users and their devices
- Applying policies and controls to applications on the endpoint
- Whitelisting or blacklisting applications
- Support for bulk distributions of applications or configurations
Patch Management
- Distribute and apply endpoint device system patches from various vendors
- Patch deployment on a schedule or critical/emergency patches
- Patch vulnerability testing
- Reporting of endpoint system status (e.g., patch level)
- Missing patch discovery (e.g., security hotfix, application, or others)
- Some level of automation
Endpoint security that can support:
- Access policies
- Context-based access
- Single Sign-On (SSO)
- Certificate management
- Application code signing
Some level of analytics and/or AI/ML to provide endpoint insight
- Analytics to monitor risks based on user, app, and endpoint behavioral patterns
- Ability to smartly assist or take action to remediate endpoint related issues
- Make recommendations based on endpoint state, security posture, etc.
Endpoint content management that can support:
- Ability to separate business from personal apps and data
- Prevent sensitive data leaks
- Apply rules and policies to documents and other content on the device
- Audit trails for device configuration changes and access to sensitive content
Administration and DevOps support
- Overall architecture (e.g., is it modular, scalable, extendable, etc.)
- Solution deployment and delivery models
- Available APIs, CLIs, SDKs, etc.
- Developer portal or other product documentation, tutorials, examples, etc.
- Supported standards
- User and admin UIs, dashboards, centralized endpoint visibility
- Integration options (ITSM, SIEM, third-party extensions, etc.)
- Level of automation
Support for various systems beyond Windows clients, such as mobile device systems
- E.g., iOS, Android, Windows 10, macOS, Linux
- Support for several of the capabilities listed above
- Point solutions that support only isolated capabilities, such as:
- Support for Windows devices only
- Support for desktop/workstation or servers only, not for mobile devices
- Support for only mobile devices using one type of operating system
- Support for only IT remote desktop access and troubleshooting
- Pure-play Enterprise Mobility Management solutions that don't support notebooks and PCs
We've reached out to a large number of vendors to provide a comprehensive overview of the current state of the market. Ultimately, picking the right vendor will always depend on your specific requirements and on the current and future landscape that will be managed.