UEM vs. MDM: Everything You Need to Know!
Microsoft's release of Windows 10 modernized how IT teams approach device management.
Windows 10 is not a strict evolution of Windows 7 and 8. It’s an evolution of Windows Phone 8 and 10, where an MDM API was available to manage all aspects of a device, such as DLP, restrictions, software distribution and so on.
UEM vs. MDM: how Windows 10 changed the game
The big change that arose with Windows 10? It now had features similar to those on mobile OS (and macOS) that alleviated the task of onboarding and provisioning devices within an enterprise endpoint management (EMM) solution.
With Windows 10, IT admins were now able to manage Windows, macOS, iOS and Android devices from the same centralized platform.
(Read more about Microsoft’s concept of modern device management in Windows 10.)
At the same time, when Internet of Things devices and others (such as kiosks) started to adopt and standardize around one of the “big four” OS (Windows IoT, also with MDM/EMM capabilities) and Android AOSP (TVs, boxes, kiosks, dedicated devices, etc), the same management capabilities started applying.
This is when EMM evolved into UEM (unified endpoint management), a single solution to drive any kind of device and display all insights through a “single pane of glass.”
UEM platforms are now open to interact with other solutions respecting this model through APIs. It allows solution providers to extend the services that modern managed devices can consume, without compromising the sandboxed OS model. This capability is another contributor to any debate about UEM vs. MDM.
MDM alone?
Just as Apple soon understood that MDM commands and configurations alone couldn’t fulfill all the key use cases that most customers expect on laptop and desktop devices, Microsoft found itself facing the very same situation.
Pure MDM features provide a reasonable amount of control for basic use cases. The more restrictive, the better.
Mature customers need a higher level of control, integrations and flexible specific use cases that are far beyond the available pure MDM features, a.k.a. those that don’t require any agent to work.
Legacy agent-based solutions should be able to enhance what MDM alone cannot do. But when both methods don’t go together, orchestrated by a single director solution, this “co-management” becomes a catastrophe rather than a benefit.
So, what’s the right way to go if you’re evaluating UEM vs. MDM?
Benefits of a mature UEM solution
A mature UEM solution can provide not only all the MDM features that each OS system supports, but also all the critical capabilities that MDM cannot provide, such as:
- Custom configuration profiles / CSP profiles → macOS / Windows.
- Custom scripting → macOS and Windows.
- Legacy configurations to silently configure software that is not using MDM to be configured, such as:
- Registry entries.
- PowerShell scripts.
- VBS scripts.
- Flexible software distribution: MDM-based software distribution is intended for apps that are public and usually not very large. Mature customers distribute and consume bigger software packages that need to be deployed in a very specific way, with flexibility to avoid impacting users during work hours.
- Flexible patching: always keeping updated to the latest version of a desktop OS is not always an option, so admins need to be able to have control of when and how to patch.
- Automated scripting: the ability to query devices and apply automated remediation actions based on results. This capability is what transforms troubleshooting tasks from minutes or hours to mere seconds.
- DEX score: the more complex your environment and the number of apps that your users handle for work, the more relevant the data is that you get from their devices. Gathering DEX scores from your users and their devices provides three big benefits:
- You get up-to-date sentiments from your internal customer experience while working with the tools you provide.
- You get a super-powerful tool based on metrics, machine learning and behavioral statistics to troubleshoot (in most cases) any issue that can be driving your DEX scores down, and possibly automate response actions to increase scores with low or no interaction with user devices.
- It translates device data, metrics and statistics into user quantifiable satisfaction, accountability and device/software performance.
But there’s even more to understand about UEM vs. MDM, and how Windows 10 moved the needle on device management.
Local admin rights
The most important concept to assimilate when it comes to modern device management as applied to desktop OS such as Windows or macOS? It’s that any centrally-imposed restriction will apply and win, even when a user has local admin rights.
This is a big change because most software is developed to run smoothly on an OS. When user permissions are restricted, this adds complexity because of the need to figure out how to make software run properly without having to lower the legacy level of security.
The same way that an admin can set the software and apps that are allowed to run and provide different levels of autonomy for users depending on profiles on iOS or Android, Windows 10/11 and macOS admins can do the same. That removes the complexity of limiting user permissions to adopt the desired security level.
As an example, let’s say we’re sending a set of restrictions based on native MDM API to allow only regular Windows software and corporate apps to run.
- If a user tries to install or run any non-approved software, the OS will decline to open it and inform them that the administrator has disabled this app.
- The same logic applies to a command line interface, PowerShell console, task manager, etc.
- The result is that Windows and macOS devices are automatically built at registration to allow only the right software to run, removing any required interaction from IT.
If a device is also part of an Automated Device Enrollment program, like Microsoft's AutoPilot or Apple's Automated Device Enrollment (ADE), IT can send the device directly to the end user and the system will initiate the automatic provisioning alone.
Enterprise processes made easier
Another consideration in weighing UEM vs. MDM? How a mature UEM solution can enable high-value features for:
- Onboarding.
- Management.
- Policy enforcement.
- Software distribution.
- Security enforcement.
These no longer require a direct connection to the corporate network to be triggered. It only takes an internet connection, and even includes integrated countermeasures to ensure that a device is not being provisioned only for personal use.
This became crucial when the pandemic began in early 2020, as most companies had to quickly adopt a bring-your-own-device (BYOD) and laptop-based strategy. This had to quickly replace the historical fixed desktop workplace model, where devices sat inside the corporate network, protected by corporate perimetral security.
The success of this pivot illustrated how IT can save time, money and effort in managing all devices without interaction compared to legacy management models.
Today, IT executives demand a solution that’s able to connect from everywhere. There’s a growing demand to be able to use and secure access to a mix of SaaS and on-premise-based solutions that can provide service regardless of the network.
Because of this model, other concepts gained more importance, such as zero trust access, where security levels should be maintained in any situation — regardless of whether a device is inside the corporate network, or if it’s partially or fully managed. As the axiom goes, never trust, always verify.
What’s up next? Modern device management with UEM
Another wrinkle in the UEM vs. MDM story? Right now, some vendors already provide additional features based on apps that complete MDM/EMM-focused management. This way, organizations can extend the level of control, provide more features, retrieve and consume security data and fill gaps that the MDM API cannot solve alone.
As before, it first appeared in mobile OS, in the form of agent apps that provided capabilities such as:
- Device posture: detect, monitor and remediate compromised OS.
- Notifications: allows direct communication of alerts or messages to end users within the agent app.
- Location: when relevant, the management agent app can provide location insights and interact with the device.
- Mobile threat defense protection against cyberattacks based on device, app, network and anti-phishing attack surfaces.
- Private app store to allow users to install optional apps.
UEM native configurations are written and sent in the native language of each OS:
- Windows uses CSP (Configuration Service Provider) configurations, which are then sent to devices using CustomSyncML commands on the OMA-DM protocol.
- iOS/iPadOS/macOS/TvOS use Apple's MDM protocol.
- Android uses the Google FCM protocol and Managed Google Play APIs.
In the case of iOS/iPadOS, UEM vendors distribute an agent app to perform tasks (while adding more value) that an MDM API cannot do alone, such as:
- Device posture (jailbreak, root detection).
- Location.
- Notifications.
- Mobile threat defense.
In the case of Windows and macOS it comes as additional agent apps as well that work in tandem with UEM's native configurations. This adds more value by accomplishing tasks that are critical, but not included as part of the MDM API, as mentioned above.
Those co-manager apps provide any feature that may not be available as part of the MDM API protocol.
Examples include:
- Custom management profiles (custom CSPs, custom payloads, etc.)
- Scripts.
- Task sequence-based software distribution.
- Flexible patching.
- Risk-based vulnerability management.
- Risk-based access control to services.
The natural next step in this UEM vs. MDM evolution will be a mix of both models, optimized to run smoothly together by following development best practices. Which also adds some extra concepts that are now tightly tied to what analysts have started calling MDM 2.0.
In this new model, different fleets of devices are all registered to the UEM solution, but so are all other devices within the same network. By performing active and passive scans (discovery), the UEM solution ensures that all of them are naturalized, as it detects the devices that are not managed and that may create a security risk if they’re not up to date.
The device fleet is also naturalized to work with all the service providers and services the company is consuming, such as AD, AAD, Office365, Salesforce, Adobe and so on.
This also allows the UEM solution to build a persona that reflects the specific requirements of business units, processes or even users. It can save and share this information with other systems, such as ASM and ITSM solutions, which opens the door to automating tasks and adding AI, already a feature with Ivanti Neurons for UEM.
Perhaps the most important thing to keep in mind when contracting UEM vs. MDM is that unified endpoint management also means universal endpoint management. It gives organizations control over every asset and device that’s attached to their network, not just mobile ones. As the variety and complexity of endpoints multiply at dizzying speed, the “universality” of a good UEM solution is nearly invaluable.