Predominantly focused on mobile device management, AirWatch is grounded in the notion of "mobility everywhere," making access to enterprise resources and device control as seamless as possible. As a mobile-first provider, AirWatch excels in device security and configuration management, extending to endpoint management and app enablement.
The AirWatch EMM platform was developed from the ground up to be easy to use and highly scalable, integrate with existing enterprise systems, and offer the flexibility of deployment in the cloud or on-premises.
There are four aspects to the AirWatch value proposition:
- Unified development platform
- Broad mobility solution set
- Multi-tenant, highly scalable architecture
- Advanced integration within the enterprise ecosystem
By developing all of its EMM components in-house, VMware offers a single unified administration console for AirWatch, including integrated management tools and a simplified user experience. This also makes supporting and upgrading the AirWatch platform easy for IT professionals.
AirWatch has an incredibly broad mobility solution set, starting with MDM that is geared toward managing just about any mobile device, running on any platform and encompassing any deployment type, including BYOD and corporate-owned, personally enabled (COPE) models.
With its extensive multi-tenancy and scalability capabilities, the platform can support tens of thousands of devices. This means support for not only a large number of devices, but also a fragmented ecosystem of mobile operating systems and original device manufacturers. Furthermore, AirWatch fits most business types, from small companies with a single administrator to multinational organizations with locations around the world.
The management console and the MyAirWatch documentation and support portal are everything IT admins need to get up and running and manage anywhere from one to a nearly unlimited number of devices. There is not only a compelling management case, but also high ease of use, peace of mind and general usability. We give the company additional commendations for its ever-growing partner channel and focus on emerging areas of value.
Capabilities and Key Features
As an MDM solution at its core, AirWatch is designed to run silently in the background, while management capabilities can be increased or reduced to meet IT's needs. There is flexibility for how organizations procure and secure devices.
Mobile Application Management (MAM)
For end users, AirWatch has four types of apps: internal, public, purchased and web. These include varying amounts of integration and code to tie them to the enterprise, and IT can control, track and report on them similarly.
Like other leading MAM tools, AirWatch provides native, containerized personal information management (PIM) applications. However, AirWatch's PIM is behind other MDMs on usability.
On the app shop side, the HTML5-based AirWatch app catalog allows users to search, filter, sort and view required apps. Like the public app stores, you may view app information such as screenshots, version number and size. Each app must be requested and downloaded separately; there is no end-user bundling option. However, IT admins can push multiple apps at once for situations like employee onboarding.
The AirWatch app catalog can be custom branded and presented in multiple languages. To keep in line with industry standards and reduce duplication of effort, it can integrate with Apple, Google and Windows app stores to distribute public apps. The catalog can also collect user reviews and feedback.
Mobile Content Management (MCM)
AirWatch's Content Locker delivers secure document distribution, collaboration and mobile access to corporate documents. It offers all of the requisite file access and management capabilities, including secure over-the-air file distribution and access; protection of corporate content through isolation and encryption; restriction of editing, copying and pasting, printing, saving, sharing, and accessing content in unauthorized third-party applications; and full reporting through tracking document versions, document updates and user activity.
For content protection, Content Locker supports full digital rights management, and managed content may be uploaded to the web console for sharing and distribution. This keeps secure information in the bounds of the controlled system instead of scattered across users' synchronized machines (which is the case with Dropbox and OneDrive). Admins can also disable offline viewing to require content viewing within the AirWatch Content Locker.
AirWatch integrates directly with enterprise file systems, including Microsoft SharePoint, Office 365, Box, OneDrive and 30 content management integration services.
There are two additional intriguing features. Piggybacking on AirWatch's geofencing capabilities, you can restrict content to specific areas, such as within your corporate building or campus, even when there is no GPS signal. Content Locker also offers document classification: Files may be designated by importance or manually entered document categories. While this is an administrative burden to initiate and maintain, it is a step in the right direction toward the nirvana of auto-classification provided by expensive enterprise content management platforms.
Architecture and Administration
AirWatch designed its architecture to be both configurable and secure, regardless of whether a company chooses to deploy on-premises, in the AirWatch cloud, or as a combination of both. With an understanding that architecture is not a one-size-fits-all proposition, the core application servers are stateless by design and can operate behind a network load balancer for horizontal scaling. These features reduce the upfront investment cost and allow for additional remote capacity when needed. The architecture also supports the use of proxies and relay servers for ultimate network security.
Regardless of the different ownership and provisioning models (BYOD and COPE), all devices can be managed in a similar fashion from the AirWatch console. Upon initial registration, devices can be designated as BYOD or COPE and inherit policy restrictions specific to each use case. To make things easy, AirWatch allows IT administrators to set up "smart groups," where you can apply policies based on role, region, department or other groups within the company.
Device enrollment is a straightforward process. AirWatch enrollment focuses on profiles and the smart groups, which categorize devices and usage type. In our experience, these were quite simple to organize, with setup time ranging from a couple of minutes to just under an hour. This depends on how granular you want to get, the type of employee groupings, variety of device operating systems, or how regulated your industry is. The nice thing about smart groups is that they dictate a whole host of things at a macro level, such as default apps installed on devices, compliance policies and other profile settings.
For organizations looking to register, enable and monitor mobile devices, AirWatch's platform cannot be beat. This encompasses more than just identifying jailbroken or rooted devices. It is also about enforcing passcodes, setting encryption, finding compromised units and quickly rationalizing telecom usage (for enterprise devices paid for by the organization). Beyond the actual identification, AirWatch can send enterprise commands to the units out of compliance, though this is limited to what the mobile OS allows.
Another growing area of management focus is split billing, as organizations are increasingly mindful of how their enterprise dollars are being spent. While AirWatch has API-level integration for AT&T split billing, it falls behind more robust and widely adopted telecom options, including those sold by the wireless telcos. But one has to be aware that apps must actually tap into this. There are a few apps that support the SDK, which actually track per-app usage. Even though AT&T itself only uses the SDK to display the usage in the AirWatch Console, the actual groundwork is set for more providers and apps.
AirWatch actually has two tiers of cellular data usage and management: Foundational Telecom and Telecom Management. The former is a simple way to track basic telecom usage from enrolled devices in the MDM environment, while the latter requires more configuration.
On the administration side, AirWatch's console is built on a scalable architecture to support hundreds to thousands of devices. Role management dictates which device groups each administrator can access and manage, and then custom settings restrict the depth of device management information and features available to each console user. There is role-based access within the console, whereby a top-level manager can maintain control of all assets at a global level, while empowering other admins to control a subset of devices, users or locations. Admins can quickly create child/parent groups that inherit the policies and content assignments of selected groups.
AirWatch offers many built-in wizards to help IT admins set up and configure their mobile fleets. Customers have access to the AirWatch Recommended Configuration Guide and Worksheet to help them use best practices and apply them to industry use cases. IT administrators can create and deploy configuration profiles to the device to customize the end-user experience by enabling or disabling a wide variety of settings. These include many of the usual suspects: cellular, Wi-Fi, VPN, passcode (length and type), email, ActiveSync, contacts, calendars, certificates, bookmarks and web clips. There are additional restrictions that are more familiar to Android users, notably camera, screen capture, Bluetooth, microSD card, tethering, YouTube, and default or public browser (for organizations that prefer a secure browser). AirWatch can control platform-specific settings such as Launcher (Android), Assigned Access (Windows Phone 8.1), Global HTTP Proxy and Single App Mode (iOS and Windows).
For enterprise applications, admins can publish recommended, featured and required apps. Once published, they can distribute, track, update and secure the applications over the air. In the case of deployment failure, admins can reprovision enterprise apps to the affected devices.
Organizations can deploy and manage internal (private or custom), public and purchased apps (including web link-based apps). Updates can be automatically installed over the air, depending on app size and corporate policies, or delayed until users are on Wi-Fi or in an authorized location, like on a VPN.
The AirWatch SDK is standard fare for building and deploying custom apps, which automatically include wrapper code for device and application management. AirWatch App Wrapping adds security features to internally developed iOS or Android applications, without requiring organizations to round-trip the apps to external parties for certification or code.
Admins get the same experience regardless of whether they are using the on-premises or cloud version, although updates and enhancements are applied sooner – and automatically – to the cloud version.
Security and Identity Management
AirWatch recognizes that there are many different user personas, so it supports access and identity management for the numerous variables, including device ownership, job type, seniority and level of security. AirWatch profiles, including permissions and policies, are based on user, location, function and/or job role. For the job role, this can be a higher-level grouping by employee, contractor, partner or student, synced to the enterprise directory (organization groups). These organization groups are quite broad, including entities within the organization and hierarchies with parent and child levels, and encompass multiple internal infrastructures at each tier.
AirWatch integrates with Active Directory and other LDAP services, certificate authorities, PKIs, email infrastructures, and other enterprise systems both in the cloud and on-premises. Most enterprise customers integrate with directory services to leverage existing credentials for authentication, including starting with and building upon user groups according to current user organization and permissions. There are also monitoring and response controls, such as detecting changes in directory synchronization, automatically performing updates and fixes across all out-of-compliance devices, and even wiping devices when users are removed from groups. Wipes require the actual devices to be online and, for iOS, messages to be sent to Apple. EMM providers can't wipe Apple mobile devices themselves and must rely on Apple to take the action; they can notify Apple but can't actually perform the device wipe.
As necessary, admins can assign profiles, push applications, push and enforce compliance policies, and send content based on role and group membership. Backup and restore capabilities focus on enterprise resources managed in the web console and can be reprovisioned to devices if necessary. Third-party cloud backups allow or prevent device backup to the cloud.
Optionally, AirWatch can blacklist other public cloud service applications and enforce application policies through configurable compliance rules and actions. For iOS devices, it can detect and view real-time information on the last iCloud backup time if iCloud backup is enabled.
AirWatch embraces virtualization as part of the core ethos of its parent company. At a macro level, VMware Workspace Suite includes Horizon desktop virtualization, Identity Manager, Horizon FLEX and AirWatch EMM. VMware Workspace includes a portal that can be used to provision device applications, SaaS applications, virtual desktops and hosted applications to any device except those running the BlackBerry OS. VMware Workspace uses Microsoft Active Directory to provide user authentication to get access to applications. For SaaS applications that support SAML, Workspace can federate the user's identity to the SaaS application, providing single sign-on functionality.
Documentation and Support
AirWatch has a tremendous website that includes support, resources, research, wikis, documentation and videos. This complements an already robust set of digital documentation that comes with the product. AirWatch goes way beyond a standard help portal; it even includes analyst reports and links to additional information.
Customers can submit requests, then track the process. In our testing, response was a bit slower than anticipated, without an indication of projected resolution time. Our access rights case was solved by our liaison rather than the standard tech support, but technical support did own the case and followed up in a clear, professional manner.
Integration and Compatibility
AirWatch has a strong device management foundation with support for a wide variety of smartphones, tablets and personal computers. On the secure device front, AirWatch provides full support and integration for Samsung Knox, Samsung SAFE and BlackBerry devices. It has a bidirectional relationship with Samsung: Samsung Business Solutions resells AirWatch, and AirWatch is able to resell Knox Workspace.
The platform's technical architecture is best evidenced in large deployments, where the platform's segmentation capabilities and out-of-the-box templates give IT admins the flexibility to support and analyze their mobile environments. With deployments and testing environments now surpassing 200,000 simultaneous devices, AirWatch has the horsepower to both technically support and manage devices through a unified browser-based console. This might be overkill for smaller businesses, but it shines in an enterprise.
A nice touch is that IT admins can enroll and manage their entire device fleet over the air, either through Wi-Fi or cellular connections.
Integration is comprehensive within the AirWatch suite of offerings, including advanced SOAP and REST interfaces connecting to original equipment manufacturers and value-added technology partners. The integration layer supports components across the AirWatch suite, while providing support for new mobile operating systems and deep device management capabilities. Within the core product, there is a collection of APIs, allowing external programs to use core product functionality and data.
The available (exposed) web services include user enrollment, device registration, device groups, user information, device data, remote device commands and bulk actions, device and system events and notifications, application groups, volume purchase program management, product provisioning, and tags.
There are technically seven categories of integration: Directory Services, Certificates, Email, Corporate Networks, Content/Collaboration Systems, System Information and Event Management, and industry-standard APIs (SOAP and REST). These work bidirectionally, regardless of whether AirWatch is on-premises or in the public cloud. The integrations are only limited by network configuration and firewall rules.