Evaluating Endpoint Manager vs. Workspace ONE UEM: 2021 Edition

Well folks, it has been a year since my immensely popular Intune vs. Workspace ONE UEM comparison from 2020. Roughly 7K hits later, we arrive in 2021 where we will revisit our opinions, introduce new capabilities, and update my official recommendation in the battle of Microsoft Endpoint Manager vs. Workspace ONE.

We will revisit the same categories:

  • Mobile Device Management Features
  • Administration
  • Integration
  • Security
  • Application Management
  • Analytics

Mobile Device Management

When we discuss core MDM capabilities, it comes down to the obvious categories, e.g. “what can I push?”, “how does enrollment go?”, compliance, organizing devices, etc. Intune scored a 39/50 (essentially a C+) a year ago. Let’s get started and talk about Intune, which has made some nice inroads since last year.

Microsoft Endpoint Manager MDM Highlights

As we discussed a minute ago, Intune has made some major inroads in the last year. Core functionality has continued to be relatively the same, but we want to cover it properly. One change this year is that we will feature videos prominently, including video examples of how Workspace ONE does it. Let’s get moving!

Device Enrollment

As I always say, device enrollment is realistically the most important area. The first impression you create for your users is crucial. First, we will check a demo showcasing the enrollment process in Microsoft Endpoint Manager (MEM) vs. Workspace ONE UEM.

Once we watch those videos, we will cover some of the intricacies and where Microsoft Endpoint Manager gets it right and where they need to improve. Last year, they did a nice job making it user-centric. Let’s see how they improved.

Now that you saw how MEM offers the enrollment experience, let’s check out what VMware does. A nice thing to point out is last year’s article led to VMware enhancing the profile installation experience. Every now and then, what we do really matters.

Some Thoughts on Microsoft Endpoint Manager’s Enrollment

Last year, we hammered Intune about apps not pushing down right away. That has improved, without question. The whole “please wait” screen is a really bad user experience though. I mean, seriously, Microsoft: is this 2006?

Additionally, the fact that you still don’t have automatic categorization like Workspace ONE does with group mappings is not great. Sure, people can “pick” their category, but I don’t think that’s solid design.

Some Thoughts on VMware’s Enrollment

One thing to mention is that VMware listened to me and improved their enrollment offering with the “Go to Settings” button:

On the other hand, we have to mention that they still cannot support iOS User Enrollment natively inside of the Intelligent Hub. It’s sort of a moot point with iOS 15 making it an organic part of the user experience:

Final Thoughts on Enrollments

As I mentioned above, Microsoft Endpoint Manager has made some improvements on enrollments since last year. They still have some work to do, but they’re getting closer. With Apple’s landscape and trajectory toward iOS 15, Microsoft seems to be better positioned as the surge of iOS User Enrollment is coming, like I wrote about recently.

Device Profile and Configuration

As I mentioned last year, Microsoft does an excellent job at making iOS management great for administrators. Instead of having an extensive number of profiles, they group things together relatively nicely. I am stepping up my game this year and doing a feature-by-feature analysis of all restrictions and features on iOS to figure out exactly the gaps that exist. Below, you will find the master spreadsheets that I built, but let’s break it down pretty basically.

Microsoft Endpoint Manager Configuration Gaps

My statement around MEM is always: “It comes down to if their gaps are your gaps”

You will find that most of the gaps they have below are not showstoppers, but some of them really shouldn’t be there. A user should be able to open unmanaged docs in your managed apps, for one example. You should also be able to deliver certificates with larger key sizes, but I’ll leave it up to you to decide whether that is crucial.

These are the restriction gaps below that MEM cannot do but Workspace ONE can (with comments where relevant):

  • Restrict movies, TV shows, and apps based on rating
  • Disable the ability to turn off Wi-Fi
  • Block deprecated TLS versions
  • Allow documents from unmanaged sources in managed destinations (can be solved with Intune App Protection Policies for Microsoft apps)
  • Block Siri server logging
  • Block YouTube
  • Disable configuring restrictions
  • Block Wi-Fi Assist by SIM card ID

These are the feature gaps:

  • Set app notifications as critical to bypass settings
  • Set app notifications to be blocked from CarPlay
  • Can group app notifications
  • Web content filter plug-in
  • WS1 supports legacy email protocols like POP or IMAP (but who cares)
  • Ability to override the previous password when you push a password to a device (but you should never do that anyway)
  • Ability to specify the default audio call app for the email profile
  • Control Mail Drop
  • Can specify the key length for SCEP, e.g. 2048- or 4096-bit keys
  • Can support formats other than .cer for certificate uploads
  • Users should be able to upload certificates via self-service
  • Wi-Fi Passpoint
  • Supports Wi-Fi trust exceptions and building EAP-TLS trust
  • Supports bypassing captive portals
  • Cisco Fastlane QoS integration
  • PKCS certificates can specify key length, key type (signing or encryption), include the SID, and add EKU attributes

Workspace ONE UEM Configuration Gaps

I was actually fairly surprised to see some of the gaps that Workspace ONE has this year. Their restriction gaps are (with notes where relevant):

  • Block Apple Watch auto unlock
  • Disable near-field communication (NFC)
  • Allow users to boot devices into recovery mode with unpaired devices
  • Limit Apple personalized advertising
  • Block modification of diagnostics settings (would technically be covered by “Allow Configuring Restrictions”)
  • Block Screen Time (apparently disabling “Allow Configuring Restrictions” blocks this)
  • Block modification of notification settings (would technically be covered by “Allow Configuring Restrictions”)
  • Block changes to cellular plan settings (would technically be covered by “Allow Configuring Restrictions”)

Their device feature gaps are:

  • Can specify network name and SSID
  • Block users from disabling automatic VPN
  • VPN profile for per-account VPN on the native email profile
  • Derived credential help URL
  • Notifications via email or Company Portal
  • Set as default realm for the Kerberos SSO extension
  • Principal name for the Kerberos SSO extension
  • Active Directory site code for the Kerberos SSO extension
  • Cache name for the Kerberos SSO extension
  • DNS suffix for the Kerberos SSO extension
  • Web content filter: can block specific sites, or rely on Apple’s AutoFilter algorithm and add additional whitelist/blacklist sites on top of it, which is the best practice
  • Can specify the port and force TLS for AirPrint

I know that most people will say “who cares?” about most of these. A few of them mattered to me. The support for the Apple AutoFilter algorithm is pretty neat. I also like the support for per-app VPN on native mail, which has been a major pain for years. Additionally, a few of the restrictions should exist: blocking unlock with the Apple Watch, NFC, and recovery mode are huge capabilities.

In all honesty, it’s not a huge deal given the custom XML capabilities in Workspace ONE UEM, but I would wager many people don’t even know these features exist. It’s definitely time to clean up their profiles and make sure they don’t fall behind.

Device Compliance

Microsoft has made some nice improvements since last year on device compliance. In fairness, device compliance was sort of mailed in before. MEM supports the following compliance policies now:

  • Unable to set up email on the device (i.e. require a managed email profile)
  • Jailbroken devices
  • OS version compliance
  • Microsoft Defender risk score

Sure, they only added the risk score, but rolling forward with an MTD and basing compliance policy on it is definitely a big improvement. We don’t need to cover Workspace ONE’s compliance, but I’ll quote what I said last year:

As mentioned above, Workspace ONE has a wide breadth of compliance policy options, which is huge. Additionally, their Secure Email Gateway supports additional policies, such as whitelisting mail clients, versions, forcing attachment encryption and more. The compliance engine with WS1 UEM is a beast that many products integrate with directly, such as EDRs, NACs, and much more.
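Back on the MEM side, here is what the four compliance checks listed above look like when you create the policy through Microsoft Graph instead of clicking through the admin center. This is an added example, not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell module, and the OS floor, policy names and the group ID are placeholders chosen for illustration.

```powershell
# Added example (not from the original article): an iOS compliance policy with
# the four checks discussed above, created via Microsoft Graph with the
# Microsoft.Graph PowerShell module. OS floor and group ID are assumptions.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.DeviceManagement

Connect-MgGraph -Scopes "DeviceManagementConfiguration.ReadWrite.All"

$policy = @{
    "@odata.type" = "#microsoft.graph.iosCompliancePolicy"
    displayName   = "iOS - Baseline compliance"
    description   = "Managed mail, no jailbreak, OS floor, Defender risk level"

    # "Unable to set up email on the device" -> Require
    managedEmailProfileRequired = $true

    # "Jailbroken devices" -> Block
    securityBlockJailbrokenDevices = $true

    # OS version compliance (assumed floor for this example; pick your own)
    osMinimumVersion = "14.0"

    # Microsoft Defender (MTD) risk score: the device must report "low" risk
    # or better; "medium" or "high" makes it non-compliant
    deviceThreatProtectionEnabled               = $true
    deviceThreatProtectionRequiredSecurityLevel = "low"

    # Graph requires at least one action for non-compliance. A 0-hour grace
    # period marks the device non-compliant immediately, which is what lets a
    # Conditional Access "require compliant device" grant act on it.
    scheduledActionsForRule = @(
        @{
            ruleName = "PasswordRequired"   # rule name as used in Microsoft's Graph samples
            scheduledActionConfigurations = @(
                @{
                    actionType                = "block"
                    gracePeriodHours          = 0
                    notificationTemplateId    = ""
                    notificationMessageCCList = @()
                }
            )
        }
    )
}

$created = New-MgDeviceManagementDeviceCompliancePolicy -BodyParameter $policy
"Created compliance policy $($created.Id)"

# Assign it to a device group (placeholder GUID, assumption) so it takes effect.
$assign = @{
    assignments = @(
        @{
            target = @{
                "@odata.type" = "#microsoft.graph.groupAssignmentTarget"
                groupId       = "00000000-0000-0000-0000-000000000000"
            }
        }
    )
}
Invoke-MgGraphRequest -Method POST `
    -Uri "https://graph.microsoft.com/v1.0/deviceManagement/deviceCompliancePolicies/$($created.Id)/assign" `
    -Body $assign
```

One caveat a practitioner will hit: the Defender risk level only flows into compliance once the Defender for Endpoint connector is turned on under Tenant administration and the Defender app is deployed to the devices; without that, devices evaluating this policy show as “not applicable” for the threat-level setting rather than compliant.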

Final Thoughts on Microsoft Endpoint Manager’s Mobile Device Management

My overall thoughts are that Microsoft gained almost no ground in this category in 2021. I think there are other categories where they made major progress, but core MDM mostly stayed the same. Their score for this category is 6.5/10.

Administration

Well, I’m sad to report that administration didn’t really change much. If you want to read the details, check out the old article here. Their score of 7/10 persists.

Integration

Integration is relatively similar to last year. The only thing that I noticed is they dropped Wandera as an MTD partner.

That’s the thing with integration. You only need a finite number of integrations before you’re “integrated.” It might be nice to see them add some new partners, perhaps around CASBs or other zero trust providers, but for now they have their bases covered. Their score holds at 8/10.

High-level architectural diagram for Microsoft Intune

Some Thoughts on Workspace ONE Integrations

I would say that not a ton has changed when it comes to VMware’s integrations, but I do wonder how they will grow in general. We do know that there are major changes coming to the Mobile Flows infrastructure, but that will introduce more complexity. The biggest issue with trying to be innovative and sustain growth is that sometimes your technology stack becomes harder to support.

VMware will need to ramp up their teams and make sure people are ready to support that “New World,” because I can already see it will be very overwhelming for a number of people based on its design. Doubt me? Go ask a few people how hard Microsoft Flow/Power Automate is.

Security

Microsoft Endpoint Manager has made some serious advancements in security over the last year. You may have seen my recent article where I covered a really solid Mobile Threat Defense (MTD) product, Microsoft Defender (Defender for Endpoint on iOS and Android). I’ve been a big critic of Microsoft’s ineffectiveness at securing the attack surface on mobile devices.

We’ve also covered Conditional Access, which has been a huge asset for the Microsoft landscape. Even VMware has jumped on board the Azure AD Conditional Access train, as you can see in this video:

Basically, an Azure AD Conditional Access policy works like this. First comes the assignment, which decides who and what the policy applies to:

  • A set of users or groups
  • A set of apps, or the “Register security information” user action
  • Conditions: device platforms, locations, client app type (browser or thick client), and device state (Azure AD joined, compliant device)

When a sign-in matches that assignment, you can require one or more grant controls before access is allowed:

  • MFA
  • Device compliance (marked compliant by Intune, or by a partner such as Workspace ONE UEM)
  • Hybrid Azure AD join
  • An approved client app
  • An app protection (MAM) policy

Finally, session controls shape what happens after access is granted:

  • Sign-in frequency: force people to re-authenticate more often, like making Outlook re-authenticate every hour
  • Persistent browser session: decide whether the browser session persists after the browser is closed
  • Conditional Access App Control: a reverse proxy (Microsoft’s CASB) that protects your cloud data, e.g. by blocking downloads
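The same policy expressed as code, so you can see how the three pieces (assignment, grant controls, session controls) fit together. This is an added example and not code from the article or from Microsoft; it assumes the Microsoft.Graph PowerShell module, every GUID is a placeholder, and the policy is deliberately created in report-only mode.

```powershell
# Added example (not from the original article): a Conditional Access policy
# with the assignment, grant controls and session controls discussed above,
# created via Microsoft Graph with the Microsoft.Graph PowerShell module.
# All GUIDs are placeholders (assumption); replace them with your object IDs.
#Requires -Modules Microsoft.Graph.Authentication, Microsoft.Graph.Identity.SignIns

Connect-MgGraph -Scopes "Policy.ReadWrite.ConditionalAccess", "Policy.Read.All"

$policy = @{
    displayName = "Mobile - Office 365 requires compliant device and MFA"

    # Start in report-only and read the sign-in logs before enforcing; a typo in
    # an enforced policy locks out everyone in the assignment.
    state = "enabledForReportingButNotEnforced"

    conditions = @{
        # Who: a set of users or groups, always minus the break-glass accounts
        users = @{
            includeGroups = @("11111111-1111-1111-1111-111111111111")   # mobile users (placeholder)
            excludeGroups = @("22222222-2222-2222-2222-222222222222")   # break-glass admins (placeholder)
        }
        # What: a set of apps ("Office365" is the built-in Office 365 app group)
        applications = @{
            includeApplications = @("Office365")
        }
        # Conditions: device platforms, and client app type (browser + thick clients)
        platforms = @{
            includePlatforms = @("iOS", "android")
        }
        clientAppTypes = @("browser", "mobileAppsAndDesktopClients")
    }

    # Grant controls: "AND" means every listed control must be satisfied.
    # "compliantDevice" is met by an Intune-compliant device or, via partner
    # compliance, one that Workspace ONE UEM reports as compliant.
    grantControls = @{
        operator        = "AND"
        builtInControls = @("mfa", "compliantDevice")
    }

    # Session controls
    sessionControls = @{
        # Re-authenticate every hour (the Outlook example above)
        signInFrequency = @{ value = 1; type = "hours"; isEnabled = $true }
        # Conditional Access App Control: send the session through the CASB
        # reverse proxy and block downloads
        cloudAppSecurity = @{ cloudAppSecurityType = "blockDownloads"; isEnabled = $true }
        # persistentBrowser is left out on purpose: Azure AD only honours it when
        # the policy targets "All" cloud apps, not a subset like this one.
    }
}

$created = New-MgIdentityConditionalAccessPolicy -BodyParameter $policy
$created | Select-Object Id, DisplayName, State

# Once the report-only results look right, enforce it:
# Update-MgIdentityConditionalAccessPolicy -ConditionalAccessPolicyId $created.Id -BodyParameter @{ state = "enabled" }
```

Two design choices worth calling out. The grant operator is AND rather than the default OR, because with OR a user who completes MFA on a jailbroken phone would still get in; the whole point of the MTD-to-compliance chain is that the compliant-device control is not optional. And the break-glass exclusion is there because “compliantDevice” can never be satisfied by an emergency account signing in from an unmanaged machine.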

With all of this in mind, I now rank their security model at 9/10.

Security in Workspace ONE

VMware tells a great story when it comes to security. They have their Workspace ONE Trust Network which focuses heavily on a seamless security experience by securing the entire stack. My main criticism is that they bought a great security platform in Carbon Black, but they are still without a MTD of their own. With such a strong security presence, VMware delivers a great suite of services between the Unified Access Gateway, NSX, VMware Horizon, and their UEM platform, but they need to get Carbon Black unified into their UEM strategy.

Application Management

Application Management in MEM isn’t an area that needs much discussion. I already scored them a 10/10 based on their ability to use App Protection Policies. Microsoft delivers a deep level of integration with their apps and some 3rd parties like:

  • Adobe Acrobat
  • Box
  • Zoom
  • Slack
  • ServiceNow and many more!

Something that I didn’t cover with App Protection Policies last year is a newer capability called conditional launch. It’s a neat feature where you can set device or app conditions that further control your apps, for instance blocking access to critical corporate apps below a certain OS version or above a certain device risk level.

So you may get the theme by now. By using Microsoft Defender, you let that device threat level flow through everything you do, to achieve a strong zero trust strategy.

Honestly, the only area where Microsoft isn’t the strongest is internal app deployment. VMware has a capability that lets you deploy new provisioning profiles to apps without needing to push out a new app version, which is huge. Additionally, the Intune SDK has had a tendency to stab customers in the back recently, with plenty of app breaks like Outlook because of SDK bugs. Microsoft’s app deployment score sticks at 10/10.

Some Thoughts on Workspace ONE App Deployment

Workspace ONE app deployments have basically been the same, with one huge exception: Azure AD Conditional Access. Microsoft now lets Azure AD ingest Workspace ONE compliance data, so you can achieve true conditional access with Workspace ONE as the MDM, which is a major game-changer. We discussed that earlier, obviously, but we can’t neglect to stress just how amazing it is.

VMware’s development on App Deployment on mobile is only limited by the APIs that vendors open up to them. They have done a very solid job on using Apple’s APIs and we can hope that they implement the new iOS 15 capabilities that are on their way.

The one thing that I always bring up, because it’s a huge exclusive feature, is Workspace ONE’s ability to update internal app provisioning profiles without deploying a new application. This has been a lifesaver considering how often developers have broken apps over the course of my career.

Enterprise iOS App Distribution Part 2: App IDs and Provisioning Profiles

Analytics and Reporting

Analytics and reporting have not changed all that much in the last year. They do offer relatively solid dashboards, but their issue will always be replication: data does not get refreshed quickly enough, and this could be an issue for some companies.

Microsoft Intune reports - Microsoft Intune | Microsoft Docs

Some may opt to invest in the Intune Data Warehouse for deeper reporting capabilities, which I strongly recommend. You can read about it here.

The Intune Data Warehouse: enabling deeper reporting capabilities – now in public preview! - Microsoft Tech Community

The last thing that I wanted to mention, like I did last year, is to look at Endpoint Analytics. Endpoint Analytics is similar to many digital employee experience products and does a nice job of giving you insight into your employee experience:

Recommended software in Endpoint Analytics - Microsoft Endpoint Manager | Microsoft Docs

Some Thoughts on Workspace ONE App Reporting and Analytics

We don’t really need to say much when it comes to VMware’s analytics and intelligence strategy. They finally saved us by sunsetting SQL Server Reporting Services and moving to Workspace ONE Intelligence, which lets us run much more effective reports. You can build subscriptions and refresh data live to deliver the intelligence you need.

Workspace ONE Intelligence Custom Reports available + Free Trial of other features – Arsen Bandurian: Technical Blog

Most people don’t realize that Workspace ONE Intelligence doesn’t require licensing to leverage its reporting capabilities. Obviously, if you want the automation and integration aspects, it will need an Enterprise license or another product, like the security suite, that includes Intelligence licensing.

VMware is doing a great job when it comes to their overall strategy around reporting, which we can hope continues. Their biggest challenge is how to make Intelligence more affordable so company adoption increases.

My Overall 2021 Assessment of Microsoft Endpoint Manager

So the entire article has come to these last few paragraphs. We all know the VMware and Microsoft battle wages on today. Don’t let anyone tell you any different. This is a cost conversation and always will be.

Microsoft does an excellent job of strategically bundling products into suites where you can get a ton of value for a fair investment (most of the time). Many of you are likely being pressured quarterly, if not monthly, to move to MEM. So, the question: “Do I think you can actually move there?”

At this point, my answer is yes. That’s a yes IF you already have licensing for Microsoft Endpoint Manager. I would only strongly consider the move if you can deal with their replication slowness and can deliver an MTD with it. Ideally, coupling that with Azure AD Conditional Access is a great partnership.

In many cases, if you opt to keep Workspace ONE and can couple it with Azure AD Conditional Access, you now have a best-in-class zero trust strategy centered around protecting your productivity tools. Microsoft still has some work to do in a few areas, though, I’ll say:

  • Same-day support for iOS is severely lacking; new features take around a month to land in Intune
  • Device grouping must be automated like it is in Workspace ONE
  • Certificate templates need to be enhanced to meet the growing needs of an enterprise
  • DEP (Automated Device Enrollment) support is really weak and needs Setup Assistant support