Mobile Management Made Easy
Updated May 12, 2020
Score 10 out of 10
Vetted Review
Verified User
Overall Satisfaction with MobileIron
We use MobileIron Core (on-premises) to manage iOS devices for COPE (Company Owned, Personally Enabled) and single use devices. All mobile devices with access to our network or corporate services are managed by MobileIron through the IT department.
Pros
- Security is excellent. We are able to manage and protect corporate information and it integrates with our existing requirements and practices. Enforcing secure passcodes and device lock/location services enables us to track all assets.
- User experience is much improved as we can easily migrate users to new devices and there is consistent branding and app availability. When a user enrolls, their assigned apps are automatically deployed.
- With iOS devices, zero-touch deployment and configuration is a reachable goal.
- MobileIron provides excellent sales and post-sales service. In addition, their support model is excellent and we've never had a significant down.
Cons
- The Core product's UI is very much in need of a refresh, but it doesn't get the love because most customers choose the cloud product, which looks entirely different.
- Splunk integration does not work well and requires a lot of manual intervention. The Splunk MIApp doesn't work out of the box, at all.
- There is no longer a mobile app for system management. It existed once upon a time, but is strangely missing in a platform that is all about mobile management.
- We have decreased service interruptions caused by manual configuration of devices. We have one entire area that depends on a custom app and another on a custom web UI that requires a local WAN connection, and now we can pre-load and manage the configurations for these devices.
- We are now able to enforce device compliance and security standards by requiring specific minimum OS versions based on device type, and compliance actions are available to further enhance this capability.
- If a user needs an app or specific configuration, we simply add them to the appropriate Active Directory security groups. LDAP integration takes care of the rest.
- Jamf Pro and Workspace ONE Powered by AirWatch
Jamf is a great platform but does not offer the wide range of integrations. It feels like an Apple-centric product, and it is. Airwatch was pricier and did not offer enough compelling advantages when feature sets were compared, so it was hard to justify the additional cost. MobileIron has proven to be a wise investment because of their continued focus on information security, and the platform can be extended to our Macs and Windows 10 devices.
Using MobileIron
135 - Every employee with a COPE (Company Owned, Personally Enabled) device has MobileIron, all the way down to single-purpose/single-app devices used by line staff. We have two management profiles for personal-use devices; one has maximum restrictions applied and a second class has a less-restricted subset for staff who require extended rights to perform their job functions. For example: executives can make use of additional multimedia features for presentations and meetings, where the stricter rule set disallows most multimedia functions. No one can use the cloud, but again the extended rights profile permits some connectivity to corporate resources that are not allowed in the strict profile.
Single-app mode devices work great now that we've figured out how to deploy them. By this I mean that there is an iOS setting (Guided Access) that MUST be enabled before enrolling the device, or you're stuck with a device that needs a hard reset. This wasn't clear when we deployed the first batch of single-app devices, but now that's resolved. One great use case is an iPad that can only access one wireless network and only allows one website (internal) to be opened in Safari. I tasked my techs with breaking the security to get onto any other website, and none of them could do it. Very happy with the outcome!
5 - With well-developed device profiles, management is very simple for most cases. Our helpdesk crew manages the daily requirements, of which there are generally few. Most of what we see now are forgotten passcodes, which can be reset easily (and forced to change every 90 days). We force secondary administrative approval for email on devices for audit purposes, but staff never need to worry about their Exchange ActiveSync password.
Certificates can be a pain point, however. The application owner (myself in this case) needs to be on top of managing SSL certificates, because devices can silently fail to check in or receive updates and it isn't always clear what the root cause is. I'd love to see the MI folks add some type of reminder to update when the certificate(s) near expiry so that it doesn't catch admins by surprise.
- Data loss prevention
- Programmatically enforced security protocols and compliance
- Consistent deployment results
- Blacklisting/whitelisting apps - sorry, Facebook
- Automated and enforced policy acceptance for audit compliance
- Enhanced license management capabilities for apps
- Docs@Work is currently in development to provide secure access to company information
- We are planning to deploy a cross-platform BYOD solution using MobileIron tools, something we haven't yet provided
- Zero-touch configuration is planned for future implementation. The device will self-configure at power-on with no intervention required.
Evaluating MobileIron and Competitors
- Price
- Product Features
We wanted a mobile device management solution for single-purpose devices - employees needed access to one app, and it had specific requirements (correct SSID and configuration details) that made manual setup and maintenance painful. MobileIron was the only provider at the time who offered an on-prem solution that met all of the management requirements. Price was a secondary consideration; the management tool needed to do everything we required and we would have paid a bit more if necessary. Our single biggest mistake was thinking that the users would appreciate the consistency. They didn't (couldn't switch wireless networks and get on Facebook anymore) but it has made deployment a breeze and we know that every device goes out configured exactly the same, and new setups are just as simple. MobileIron also helped us identify a problem with the app itself, which the vendor wanted to deny but couldn't thanks to logging and consistent application of assigned policies.
I do wish there had been some additional time for us to fully implement competing solutions - Jamf and Airwatch were both considered - but the complexity of introducing an on-prem solution required us to select a provider first and then put our resources behind it. Having worked with Airwatch in a different organization I knew that the feature set was comparable, but pre-sales conversations and working with us on pricing sealed it for MobileIron. Airwatch and Jamf weren't able to extend to Windows devices at the time; something we knew MobileIron had plans for during implementation, and this further simplified our selection based on our roadmap.
MobileIron Support
Pros | Cons |
---|---|
Quick Resolution; Good followup; Knowledgeable team; Problems get solved; Kept well informed; No escalation required; Support understands my problem; Support cares about my success; Quick Initial Response | None |
Yes - Yes it was resolved and in a timely fashion. There was a version upgrade that caused the logs to fill up. The support team was able to get a temporary fix in place to resolve the immediate problem and a long-term fix in the form of a patch was released in short order.
When we encountered the bug mentioned elsewhere in this review, it was addressed with light speed and fixed quickly. The support team was on top of the problem and knew the product exceptionally well and handled the fix with professionalism. Follow up was most appreciated. For support to make you feel like you are the only customer that they have is a hard thing to achieve, but the pros at MI do it every time.