
Intune vs. Workspace ONE: The Best MDM for Windows Devices

Technological advances over the last decade have changed how mobile devices such as smartphones and laptops are used in the corporate world. Before the pandemic, some organizations were skeptical about using these devices for official purposes, mainly due to security concerns and onboarding complexities.

But the paradigm shift wrought by the pandemic has forced organizations to allow remote work and corporate devices in the home. Educational institutions are also shifting towards the hybrid mode and planning their curriculum accordingly. Here’s an onboarding story of a university that successfully embraced BYOD solutions to deploy security at scale.

Leaders in the market, such as Microsoft Endpoint Manager (MEM) Intune and VMware Workspace ONE, provide advanced solutions for device management that offer Unified Endpoint Management (UEM). In this post, we’ll help you determine which of these options is best for your organization’s needs.

What Is Mobile Device Management?

Mobile device management (MDM) software helps secure corporate data by applying advanced security features to corporate devices (smartphones, laptops, and tablets) through unified endpoint management. It also enables these devices to be remotely managed en masse so that IT can ensure their perimeter is protected.

Organizations rely on MDM to remotely manage the various devices’ endpoints, such as personal apps and cameras, which might be susceptible to cyber-attacks. Any network admin who implements sound network access control solutions always incorporates MDM into practice.

Workspace ONE vs. Intune: A High-Level Feature Comparison

Both Microsoft and VMware have many advanced technical features to perform better device management and provide secure access control to company data. Both offer an advanced platform to manage and control multiple corporate devices from a single console.

For a systematic evaluation of these features, we will categorize them into the following categories and help you make a better decision.

  • UEM Core Functionality
  • Application Management
  • Security
  • Customer Service

Unified Endpoint Management (UEM) Core Functionality

UEM refers to a system that performs complete desktop management, including corporate and personal devices, using advanced enterprise mobility software. The core functionality includes device enrollment, compliance, and the ability to integrate remotely. Let’s see how each MDM performs in this fundamental aspect.

Microsoft Endpoint Manager (MEM) Intune

Microsoft has an advantage here by utilizing the built-in capabilities of Windows and Azure AD’s Single Sign-On for a smooth enrollment process. The Enrollment Status Page (ESP) offers multiple provisioning options after enrollment along with sign-up options for new users. ESP also blocks access to devices and users until they are provisioned with the prerequisite apps. Importantly, it’s able to assist them in troubleshooting errors. ESP is used separately for new users and as a part of default out-of-box experience (OOBE) devices.

The Intune device profile has two separate sections of “Configuration Profiles” and “Endpoint Security,” which might be confusing. Apart from that, Intune offers innovative customization in caching, administrative templates, Defender ATP, Domain Joins, and more, making the profile management of devices very smooth.

VMware Workspace ONE

Workspace ONE (WS1) provides many innovative enrollment options to its users, including WS1 HUB enrollment and command-line enrollment. Premium users can also use Azure AD (Microsoft Entra ID) Join for registration with their existing email ID. VMware also offers enrollment features similar to ESP, but they are limited to OOBE.

WS1 mainly manages policies under CSP (Configuration Service Providers) and Windows Baselines for profile deployment both at the user and device levels. The deployment provides users and devices with different options according to their access levels. VMware also offers different baselines coupled with CSPs to bridge the gap with traditional GPOs, a significant security enhancement.

Integration

MEM Intune provides a TeamViewer Connector for remote integrations, which is very easy and user-friendly to operate. TeamViewer enables organizations to track and securely access all unattended remote devices across multiple operating systems anytime without using VPNs.

On the other hand, Workspace ONE uses Workspace ONE Assist to perform the integration remotely. WS1 Assist resolves many employee issues in real-time remote environments across multiple platforms. The pricing of TeamViewer is considerably more budget-friendly than WS1 Assist, which may be the deciding factor in a purchasing decision, especially for small to mid-level enterprises.

Application Management

Application management is one of the vital aspects of device management to ensure users’ safe and secure access to the applications of their choice. Here we’ll discuss and evaluate how Intune and Workspace ONE deploy and integrate with both internal and third-party applications.

MEM Intune

MEM Intune implements application deployment using specific mechanisms, such as Win32 Apps, Microsoft Store Apps, MSIX, and more. To deploy Win32 applications, one can simply use the Microsoft Win32 Content Prep Tool to assign the apps in the MEM console. Intune provides an innovative conditional launch feature for managing applications. It also supports deep integration with many third-party applications like Slack, Zoom, Adobe Acrobat, and more.

Intune also utilizes MSIX packaging for different applications, which offers modern packaging to ensure the functionality of existing Apps is up to date. MSIX claims a success rate of 99.6% by optimizing the network bandwidth and disk space. The recently released cloud policies by Microsoft 365 enable admins to create and deploy policies on applications, giving MEM Intune extra leverage over the competitors.

Workspace ONE

Workspace ONE provides an Enterprise App Repository (EAR) for admins and users to deploy multiple applications smoothly, but it might be slow compared to Microsoft’s Intune. It has a significant auto-update feature in the provisioning of internal applications, which is very helpful in deploying applications. It has issues deploying non-MSI apps, primarily due to its non-dependency on MSIX packaging.

Overall in app deployment, Microsoft has a slight edge over WS1 mainly because of MSIX packaging and innovative policies of the Office suites.

Security

One of the essential factors in choosing a reliable MDM is security. Both Microsoft Intune and WS1 have dedicated security teams that manage the initial configuration of security features in managed devices. Let’s see how each MDM performs in this critical aspect.

MEM Intune

Microsoft uses Azure Active Directory Conditional Access policies to strengthen its security via multi-layered decision-making. Conditional Access is already accessible to the premium Azure AD users, and MEM Intune utilizes the same node to secure Mobile Device Compliance and Mobile Application Management (MAM) features.

Microsoft’s endpoint detection and response (EDR) is an added layer of security that provides extra protection in conjunction with Microsoft Defender Antivirus. However, most EDR features are active only when Microsoft Defender acts passively. It provides additional security by detecting and promptly notifying admins of any malicious activities missed by non-Microsoft antivirus.

Workspace ONE

VMware mainly relies on its Carbon Black and Workspace ONE Intelligence features for robust security in its digital workspace. Carbon Black is an endpoint protection platform (EPP) that provides comprehensive security to all endpoint devices using a user-friendly console by continuously monitoring suspicious activity 24/7.

WS1 intelligence services perform a deep analysis of all the devices and users and prepare a risk analytics score for the admins. It also provides automation workflows that enhance the accessibility of the platform without compromising the overall security. VMware has integrated Carbon Black and WS1 Intelligence in a standard suite called VMware Workspace Security solutions to provide one-stop customer solutions.

Customer Service

Being market leaders for a long time, Microsoft Intune and WS1 are rated highly by their customers. According to customer reviews collected from the PeerSpot forum, Microsoft Intune rates 3.9/5 stars while VMware WS1 rates 4.2/5 stars. In contrast, on G2, Intune is rated 4.4/5 stars, while WS1 rates 4.1/5 stars. It’s worth noting that both Intune and WS1 are comparable in meeting customers’ expectations.

Let’s evaluate these reviews based on the different features to understand various end users’ experiences.

Intune User Experience

Customers appreciate the general functionality of Intune in securing and managing devices, and they feel it integrates well with Windows. Users also preferred Intune for feature updates, product support, and roadmaps. Its single-pane view and Autopilot feature also met users’ expectations. Users already using Microsoft suites felt an added advantage in using Intune, and it combines well with the other Microsoft products.

While customers were content with Intune’s Windows services, a few felt the MDM services needed improvement, especially in the administrative and reporting areas. They also felt the dashboard needed more improvement with added technical solutions for small use cases and better reporting capabilities. Some organizations felt its pricing could be improved when scaling up, and a few also found the constant renaming of products quite misleading.

Workspace User Experience

The initial setup and deployment of WS1 were relatively effortless, which met the customers’ expectations. It has a simple layout and in-depth documentation, which customers felt added value to its UEM management. Add-ons like Carbon Black and WS1 Intelligence add significant extra value.

The reviews revealed that customers wanted more budget-friendly pricing from VMware. They also expected an integrated console for a standard view of all of the products in the suite, with more responsive technical support. Some customers have to pay extra for technical support and additional premium features, which was not the case with Intune. For customized requirements like licensing, the initial setup is time-consuming, which is a significant concern for users of both Intune and WS1.

Onboarding for MDMs

Both Microsoft Intune and VMware Workspace ONE are market leaders with sound capabilities, and they continue to evolve to meet ever-changing cybersecurity threats. Microsoft has the home-field advantage in Windows via Office apps and Azure AD, but WS1 also has features to match the many capabilities of Microsoft Intune.

As we saw, both MDMs suffer from the lack of a solid onboarding process and can’t handle the entire authentication process by themselves. Fortunately, SecureW2 offers a solution that configures and auto-enrolls managed devices for certificate-based authentication and can deploy certificates to any MDM via API Gateways. Also, we can manage the entire lifecycle of certificates via our intuitive single-pane management interface.

For MEM Intune, we also provide an industry-unique enhancement feature that enables auto-revocation of certificates on expiry. Here’s our budget-friendly pricing and a one-stop gateway for your perfect onboarding solutions.


Vivek Raj

Vivek is a Digital Content Specialist from the garden city of Bangalore. A graduate in Electrical Engineering, he has always pursued writing as his passion. Besides writing, you can find him watching (or even playing) soccer, tennis, or his favorite cricket.
