Review: AirWatch takes mobile device management to the next level

AirWatch 8.1 is a sophisticated control plane for mobile devices that meets the needs of large enterprises. It stacks up well against other MDM apps we’ve tested, and features container demarcation plus elements of data loss prevention.
AirWatch controls end user access to applications and other resources like email, and works across a wide variety of phone, tablet, and notebook/desktop devices. For some device platforms, containerization can be managed by policy, down to the level of permitting or denying things like built-in camera activation.
A VMware unit, AirWatch has the advantage of being completely autonomous from the big sellers of phones and their carriers, and it also boasts third-party associations that add to its overall systems integrity.
We tested AirWatch in the cloud as a SaaS application, and found it very compelling, rapidly accessible, and easily joined to your existing systems infrastructure. AirWatch’s cloud-based UI is good, even on smaller displays.
For administrators, there are buttons linking to videos on what to do in various contexts. Wizards can drive most of the app, and even newbie administrators ought to be able to get things moving quickly.
What’s compelling? It’s approachable for all levels of administrator and covers many devices, often with selections tailored specifically for a brand; for example, it understands Android in general, but also some of the nuances of Samsung’s Android phones.
We could start in a minimalistic administrative fashion, or extend control to a fleet of diverse mobile devices. We could navigate by wizard or by elemental fine control -- and the controls can be extensive, with sophisticated policy relationships. In turn, customized screens (in some cases with organizational branding) tell users what’s going on at installation/device enrollment time.
Third-party add-ins help AirWatch, too. An example is a relationship with Appthority, a mobile applications analyzer company that vets mobile applications by disassembling them and exposing what they do and the known implications, capability-by-capability. These add-ins are optional, but several are available from the VMware Store.
There are many often-unrealized actions a mobile application can perform -- including informing servers of the user’s location and contacts, and even uploading pictures, docs, and user files. The combination of AirWatch with such applications can be quite powerful -- if administrators are willing to use set-policy controls with third-party app data.
AirWatch offers control via profiles for specifics of BlackBerry 10; Android; Mac OS X, Apple TV, and iOS; Windows/Windows Rugged; ChromeOS; Tizen; and Symbian.
Setup and Installation
AirWatch was tested as a SaaS application. There are numerous steps involved and much thought should be given to how to most effectively use AirWatch.
But it’s also possible to just breeze in and wing it, if you’re experienced with phones, policies, your directory service (LDAP or AD) infrastructure, and your control desires.
There are wizards aplenty, executed sequentially, so as to build a basic framework that works for AirWatch administrative beginners. Parsers check each field and page and wouldn’t let us save incomplete forms or nonsense. Links to chapter and verse inside of a help system aren’t there for manual configurations or wizards, although the contexts are usually well-explained. There are also videos to view at important stages.
The portal that AirWatch offered for our test has the keys to the kingdom, and although strong passwords are mandated, secondary authentication and ACLs involving more than just username/password authentication aren’t found. Our singular warning is that the portal is the nervous system of enterprise control over the applied security of the domain, and we recommend a secondary authentication mechanism and browsers known to force the highest encryption for use of the portal. The portal must be profoundly protected.
The supplied Getting Started routine of Wizards involves:
- Setup including Apple MDM and APNS certificate management (for iOS devices), then an email domain link.
- Enroll actions for devices, a Device Dashboard, and Hub to monitor Compliance, Violations, Devices with Blacklisted or Required Apps, Devices without Profiles, Devices without Latest Apps, most installed apps.
- Secure/Security, enabling policies for encryption and passwords, also Restrictions and Compliance Policy Controls.
- Profiles for device-specific usage characteristics configuration, privacy permissions, and a customized Terms of Use for enrolled users.
- Grouping for organizational device/policy delineation, user groups for like-type characteristic group management, and “Smart Groups” that are like-type enrolled devices based on life cycle or other common characteristics.
- Enterprise Integration, which mates AirWatch with organizational directory services, Exchange ActiveSync (where present), and internal/external certificate authorities, which, in turn, enable custom code, content tracking, third-party certificate-based data loss prevention/DLP apps, and the establishment of an organizational mobile app gateway.
- Advanced Enrollment that places constraints on the number of devices that can be managed per/by user, adding choices for customized enrollment procedures and organizationally specific contact/help desk/support information.
- Container app provisioning steps for enrolled devices, and defining the characteristics of the sandboxed components, which aren’t controlled directly under AirWatch active MDM control.
- Email management and integration.
- Administrative accounts and controls.
Each of the Getting Started submenu selections has a percentage-of-task completed progress bar, as well as a video link that describes the process, and a bit of how this process relates to overall management of devices. We found that one doesn’t have to complete everything at once; unfinished tasks remain as nagging reminders in the incomplete percentage bars. Usually, but not always, the help instructions, video, and actual procedure are in sync; we found only a couple of minor discrepancies.
AirWatch allows organizational email integration, including actively permitting access to email from enrolled devices. Email controlled in this way is limited to Microsoft Exchange 2003+ and Office365, IBM Domino, Novell GroupWise, and Google Apps for Work, or those that might be able to successfully emulate one of these, but not VMware’s Zimbra platform.
We integrated AirWatch with our Microsoft 2012R2 Certificate Authority, and our Microsoft Exchange 2013 mail platform as a proof of concept, and Microsoft Active Directory integration with these two elements—mail and CA—worked successfully and without incident.
This allowed us to import organizational units, users, and certs somewhat effortlessly. We used a gateway access node that ran an app for email gateway access on Windows hardware configured as a proxy. The setup steps are not entirely transparent, but those who understand Office365 and/or Exchange services should have no difficulty in configuring this proxy. The proxy system is a single point of failure, so it either needs to be monitored or, as recommended, supplemented with multiple failover proxy servers (easy to do, no licensing problems beyond cost of additional redundant paths).