In recent times, Group Policy and other on-premise management suites have begun to show their age. Microsoft continues to keep traditional tools in maintenance mode while pushing organizations into an SCCM + Intune environment. Often, this environment is expensive and difficult to maintain. There is no getting around mobile device support. These devices are on your network and accessing your resources whether you choose to support them or not. In my opinion, a hands-off approach leads to more shadow IT services from your users. Of course, this can be linked to a greater chance of data exposure or resource compromise.
To manage mobile devices, you need a robust MDM. In this article, I will review Mobile Device Manager Plus from ManageEngine. Mobile Device Manager Plus (MDMP) is supported in either an on-premise setup (which requires a segmented gateway server and a management server) or a cloud-based setup. To keep my comparison in line with other MDMs that I have used, I used the cloud-based environment. Except for conditional access to Exchange in the on-premise version, both infrastructure types are identical in features.
Easily Enroll Devices into ManageEngine’s MDMP
For many MDMs, enrollment can be a pain. The process would either require a lot of manual IT work or only be automated for a small set of devices. None of this is true for MDMP! It has broad support for iOS/Mac, Android/Chrome OS and Windows devices (including Microsoft Surfaces) through Windows Modern Management. It had day-one support for the recently released Android Pie and Apple iOS 12. MDMP supports nearly every device management strategy, from Choose Your Own to Company Issued. If you decide to go the choose-your-own route, you can allow employees to enroll their own devices and segment out company resources into protected silos. All of this applies to BYOD management as well.
Regarding device lifecycle support, MDMP fully supports all three platforms from enrollment to decommissioning. For IT enrollment, MDMP utilizes the bulk setup platforms from each ecosystem (Apple Device Enrollment Program, Android Admin Enrollment, and Windows Autopilot) to streamline setup. This works well for company-issued devices. For personally owned devices, enrollment can be initiated by you and easily completed by the owner of the device. To start this enrollment, a custom email invitation or text message is sent to the user with an enrollment link. After validating their domain username and password, the enrollment can complete.
You can also allow users to self-enroll devices by providing a generic enrollment URL to them. Self-enrollment can be authenticated with Active Directory and restricted to certain AD security groups. For us, we can allow automatic enrollment for staff but limited enrollment for student devices. Finally, ManageEngine appears to be working on network-based enrollment. I found this future feature interesting as it would probably boost enrollment for staff-owned devices.
Managing Devices with MDMP
Coming from a deployment and client management background, these were the features that I was most excited to test out. These features are divided into four subcategories: device settings, applications, security, and content (data).
Device settings are your Group Policy equivalent. From here, you can push out wireless configurations, VPN settings (Always On VPN settings for Windows 10 do not appear to be supported; this may be a Microsoft issue though), email profiles, and other items that typically required you to touch someone’s nasty phone. Similar to a GPO, you can configure a profile for different device classes and then deploy these to groups of devices. For us, a staff member could self-enroll their device and automatically get their wireless settings configured and have an email profile set up.
With MDMP, you can both push applications and configure custom app stores for your users. The great thing about this view is that from the admin side, you only need to work in one window to manage applications across all OS platforms. I am always getting asked questions like “What do I use to access my files from my phone?” or “What email app should I get?”. A custom app store gives me a single place to direct my staff to. The screenshot below shows a snippet of the App Repository with applications for iOS, Android, and Windows ready to deploy.
Security settings and content control are closely related. These features allow you to control specific device updates, prevent potentially troublesome (rooted or jailbroken) devices from connecting, and locate/wipe devices. With profiles, company content can be stored in a secure vault to provide some company data protection. In our environment, we are always worried about student data being exposed, so this feature is a huge plus! Because company content can be isolated, this information can be individually removed from devices remotely. This provides a selective wipe of data and makes it a lot easier to decommission user-enrolled devices. Related to security is the ability to update mobile devices to the latest OS remotely. This is accomplished through an OS update policy and can be scheduled for your end users.
Call me old school, but the coolest feature to me is remote control of mobile devices. Due to hardware limitations, remote control only works on Samsung and Sony devices right now. When connecting to a Samsung device, you can connect over cellular or wireless. You can also view or control the screen. Finally, enrolled Samsung devices support remote control without any additional apps. Screen sharing works on all recent Android and iOS devices though. Being able to help an employee out by seeing their screen (or remotely controlling it) is so much better than trying to walk that person through troubleshooting steps over the phone!
Final Thoughts on ManageEngine’s Mobile Device Manager Plus
To summarize, MDMP is feature rich and very flexible! For small organizations, it is completely free and fully featured up to 25 devices. Once you need to manage more than 25 devices, you can either use the standard/lite version ($10 per device per year) or the fully featured version ($18 per device per year). In our environment, the standard version would be a good fit for student devices and the fully featured version would be our choice for staff. If mobile devices are still a pain for you to manage, give ManageEngine’s solution a try or read other customer reviews here.