IBM's MaaS360 with Watson is one of the top enterprise mobility management (EMM) options available today. It is offered as a hosted software as a service (SaaS), on-premises, hybrid and even as a managed service through IBM's managed service providers (MSPs) and managed security service (MSSP) groups. It includes support for a large number of devices, a comprehensive user interface, deep reporting and analytics, and scale.
MaaS360 is anchored on a mature cloud infrastructure built over a decade. IBM aims to "maximize security without impacting usability," which it achieves through a strong architecture and the use of containers. IBM MaaS360 accommodates millions of endpoints, thousands of customers and tens of thousands of simultaneous administrative sessions.
To avoid issues with data recovery, containerized corporate apps and content are automatically backed up once a device is enrolled in the MaaS360 platform. Compared to AirWatch and Citrix, which have an entire device-level backup mechanism, IBM's segmentation of personal apps and information is a bit different, most notably in that IBM relies on original device manufacturers' (ODM) services, such as Apple iCloud, Google Android or Microsoft's cloud. This separation of data could present an issue if a user is the subject of a criminal or civil investigation.
IBM offers the broadest selection of customer use cases of the EMM tools we reviewed. This is a powerful endorsement for MaaS360 and illustrates that IBM has figured out a way to increase the value proposition of a technology, rather than overdoing its technical aspects. And while there is no doubt that the solution is scalable, the features and functions help smaller organizations through a channel arrangement.
Capabilities and Key Features
The core use case of MaaS360 is centered around device registration and management. As demonstrated by both its capabilities and support for large customers, this case illustrates the strength of IBM's technology. While other solutions also promote enterprise scalability, MaaS360 is a leader in this area, with hundreds of thousands of devices managed.
Mobile Device Management (MDM)
The end-user experience of MaaS360 is similar to AirWatch – the platform secures devices without getting in the way of people doing their jobs. Device support includes Apple (iOS), Android, Windows Phone, Amazon Kindle Fire, Windows desktop and Mac OS X. IBM also claims support for wearables, such as Android Wear, the Apple Watch and Apple TV. IBM also supports shared devices, notably kiosks and tablets, which helps keep self-service tools running smoothly.
The core of MaaS360's support surrounds Apple and Android, with enrollment encompassing Apple's Device Enrollment Program (DEP), Samsung's Mobile Enrollment and Samsung KNOX or Android for Work (AfW).
Device Enrollment and Activation
IBM has made it easy to enroll devices from an end-user perspective. There is a wide variety of MDM activation options, but in the past few years, MaaS360 customers have been able to set up a website that allows users to self-enroll their devices.
Enrollments may be triggered by a one-time request code or automated based on enterprise directory user activation. This can be focused on a small group of new employees, contractors or those recently added to a mobile group in Active Directory. Bulk enrollments can be initiated via a user list file upload, or programmatically using API access.
Agent-based activation can also be used to enroll devices, which scripts and automates the overall installation using a simple web page link. This is configured and designed by administrators with MaaS360 Productivity Suite's orchestration process designer.
Mobile Application Management (MAM)
On the mobile application front, MaaS360 arrived later to the game than some of the other app wrapping leaders and containerized innovators. IBM offers a mature app store that is available as a replacement or augmentation to the public app stores; it houses apps approved or customized to the customers' needs. App reputation scoring is handled by Veracode, an application security company.
There is a well-documented MaaS360 WorkPlace SDK, which embeds the containerization controls for apps, so that IT administrators can manage corporate data on any device, including personally owned devices. The controls include single sign-on (SSO) using a container PIN, encryption, cut/copy/paste restrictions, whitelisting apps for the "Open in..." menu, and per-app VPN support.
Compared to some of the other EMM solutions, IBM's app wrapping and securing apps seems a notch behind. While it's acceptable, mobile app certificates are relatively new, there are limited analytic capabilities (which should be improved thanks to IBM's push for cognitive/business intelligence), and there is no SAML (XML-based authentication and authorization) support at the moment.
The end-user experience depends on what policies IT puts into place. MaaS360 has full native support while running on devices, which means fewer restrictions on what users can do. A full container on the device provides a separation between corporate data and personal data, while restricting the ability to share corporate information and apps outside of the corporate container.
The secure personal information management (PIM), developed by Fiberlink, is IBM's core software that has been adopted by nearly 80 percent of customers.
Application Shop and App Types
MaaS360 offers four types of apps, including Public, Private, Legacy Presentation and Links. A unique and important functionality of IBM's app store mechanism is the ability to bundle apps. This allows organizations to create groups of apps that can be automatically pushed to devices or downloaded by end users as a group, simplifying the holistic onboarding process.
The private apps utilize IBM's support for a full corporate app store, including the capability for user collaboration. This means users can rate and provide feedback on apps so co-workers can benefit from their experience. Applications can also use universal configuration information similar to the App Configuration for Enterprise (ACE) in VMware's AirWatch platform.
Mobile Content Management (MCM)
Although IBM's EMM solution embraces more of a third-party approach to mobile content management, you can still include corporate content in your backups.
MaaS360 offers a baseline level of file sync and share, including a highly-scalable cloud storage layer, across multiple device types, from mobile to PCs. There are also internal editing capabilities, and high-level integrations into network file shares, SharePoint, Box and Google Docs. IBM does not have a deep Microsoft Office partnership agreement like some of the other EMM solutions, which limits its attractiveness as an MCM tool.
However, the MaaS360 Secure Productivity Suite of applications integrates with Microsoft's IRM/RMS controls, which control and monitor who can open and view documents. There are also restrictions on file actions and encryption throughout the system enforced by the MaaS360 agent. In addition, there's integration with Box, based on a strategic partnership through SoftLayer.
Architecture, Administration and Support
Architecturally speaking, IBM MaaS360 is one of the top EMM solutions for scalability and support for large-scale environments. The multi-tenant architecture (using shared processing) supports a large number of devices, including smartphones, tablets and personal computers. However, since MaaS360 has been around in one form or another for over 20 years, the management console is visually and structurally more dated than other tools in the marketplace.
Functionally, the management console has all the policy and device management controls that administrators need. In our review, MaaS360 presented us with a "Quick Start" guided experience to take us through the process of creating initial policies and onboarding the first set of devices. The wizard-based approach goes through onboarding an end user (tenant), then enrolling and managing the first set of devices in as little as five minutes.
Setup and Initial Enrollment
Self-service is a focus for administrators from a platform and service enablement perspective. Quick-start wizards and self-service feature enablement are key components to ensure that IT admins can not only opt-in to beta programs and adopt new features, but also educate themselves on best practices and enablement. Self-service from an education, enablement, and action perspective continues to be a core focus of IBM MaaS360.
MaaS360 provides templates for building device, user and app policies. Templates are not industry specific; however, they are specific to the technology use case.
Device onboarding is straightforward for all types of devices, provided that the proper policies and device recognition are in place. Once devices are on-boarded, administrators can use features and capabilities intended to make them efficient for small or large deployments.
On the topic of application and content management, IBM has customers that manage over 1000 unique apps and thousands of documents. The user interface and workflows were designed to handle massive scale, even if the interface takes some getting used to.
Management of devices, apps, and data is the same and can be accomplished from a single console, which means the complexities of multiple geographic systems are abstracted. Users are not required to manage each geography separately through separate accounts or through separate servers. This provides customers with lower costs and less complexity, which typically leads to higher system availability.
Support and Documentation
MaaS360 online documentation is helpful and easy to find. While we didn't have direct interaction with IBM's support team during our review process, the general feedback is that smaller customers (and those who own MaaS360 through channel partners) have struggled to get answers more than enterprise customers. This aligns with IBM's general direction to sell and support enterprises first, so it's not surprising.
The support is also excellent through IBM's Managed Security Service (MSS), which has several programs wrapped around MaaS360.
From a release perspective, IBM is nearly at the level of continuous software delivery. There are feature releases every four to six weeks, along with daily minor updates, which can account for as many as 800 changes each year. Nearly a quarter of updates and enhancements are directly tied to customer feedback.
MaaS360 allows IT staff to decide what policies to apply to specific use cases. There is complex group reconciliation in cases where group memberships conflict or overrule each other. One example is a vice president of sales who is both an executive and part of the sales organization. MaaS360 is capable of handling such a case so people don't run into access denial.
Compared to other tools, MaaS360 touts enforcing user privacy while balancing restrictions on where corporate data is allowed versus where it cannot go. This is similar in theory to AirWatch Privacy First, although IBM lacks the IAPP certification that AirWatch has.
What is somewhat unique is that MaaS360 can allow IT to control only containerized corporate apps and content, while not having an MDM profile on the device. This is a boon for contract and temporary employees, or those whose employer does not reimburse for mobile service.
In this case, MaaS360 can be installed on non-managed devices. In addition, MAM, MCM, editing capabilities and a secure browser can all be installed independent of an MDM profile. This works great for contract workers or "out-of-network" physicians who require access to a healthcare system or hospital network.
Data security is handled across three vectors: Data in Use, Data at Rest and Data in Motion. These run the gamut of security in wrapped apps (such as limiting cut/copy/paste and sharing), encryption (FIPS 140-2 compliant AES 256-bit) and protected communication channels. In addition, MaaS360-enabled applications, including the Secure Browser and the Secure Documents, utilize the IBM MaaS360 Secure Enterprise Gateway that enforces SSL connections and additional AES256 end-to-end encrypted connections.
For devices that are no longer authorized (for example, when an employee or contractor leaves) or are lost or compromised, MaaS360 supports a comprehensive set of tools to remove corporate data from the devices. This granular approach offers flexibility to IT administrators in how they react to user and device security situations, including:
- Application Level Wipe: Remotely removes a single managed application and associated data
- Container Level Wipe: Remotely removes all data related to the Secure Productivity Suite application
- Selective Wipe: Remotely removes the entitlements enabled by the MDM enrollment (profiles, apps, etc.), but leaves the MDM profile on the device to allow for control
- Remove Control: Removes MDM control and all related entitlements, apps and data
- Full Factory Wipe: Wipes the device back to factory defaults
All the above actions can be performed by IT administrators, triggered by remote compliance rules or triggered by a local policy. For example, a "time-bomb" policy will wipe the corporate data from the device after a predetermined length of time. This is evaluated locally on the device by the MaaS360 agent.
As with other EMM solutions, these capabilities should be taken in with a level of caution. iOS devices still are only wiped by Apple; MaaS360 must send messages through the Apple ecosystem and devices have to be communicating with the network.
MaaS360 provides broad and comprehensive certificate support, including deployment and renewal of certificates (over SCEP and API) and association of certificates with VPN, Wi-Fi and email profiles. There is native support for Symantec, Microsoft and Entrust certs.
The service also has intelligent jailbreak (iOS) and root (Android) detection for both policy and identification of suspect or compromised devices.
Location-based services (LBS) are included as part of the MaaS360 compliance rules framework. While use cases vary wildly (from securing devices to allowing highly sensitive information when a user and device are in a secure location), this is a powerful next phase of device and security management, as demonstrated by IBM and other EMM providers.
MaaS360 customers use LBS geo-fencing to ensure workers can only access enterprise resources from inside a secure facility, such as a corporate headquarters or manufacturing plant, or even down to a specific room.
Reporting, Analytics and Visibility
In MaaS360, the realization of reporting, analytics and intelligence ranks about mid-pack in the world of mobile device management. This is predominantly driven by the quality of the admin interface as compared to others, and an intuitive ability to customize and interact with reports, rather than the depth of the reports themselves, which are quite good.
Administrator alerting is available for all compliance and operational issues. The alerts will detail the reason for the issue and the steps that need to be taken to remediate. Alerts are visible on the home page, and can be sent in structured emails to administrators or enterprise monitoring systems for automation, correlation and investigation.
On the reporting feature side, IBM MaaS360 has three types of dashboards: interactive, graphical summaries of mobile device operations, and compliance.
The Watson cognitive computing platform integrates smart search into MaaS360, which couples the high-level view of enterprise mobility with detailed visibility into hardware and software inventory reports, plus configuration and vulnerability details.
For advanced auditing and security analytic purposes, MaaS360 has direct, productized integration into IBM QRadar's security information and event management (SIEM) platform. QRadar information is then used for auditing, and logs have been used in trials and cases involving fraud. In addition, MaaS360 has partnered with dozens of third-party providers such as Cisco, ForeScout, Aruba, F5, and Blue Coat, which use IBM's Web Services API to be able to offer important integration between MDM and NAC and IPS systems for granular, real-time, device-specific network access control.
Third-party reporting tools can consume data from CSV exports (manual and automated) or from the MaaS360 Web Services API.