Evaluating Microsoft Endpoint Manager vs. Workspace ONE UEM: 2022 Edition

Happy August everyone! It’s that time of the year where we check out the top two UEM products in the market and see how they stack up. This is our 3rd year of doing this immensely popular comparison! Our 2021 article has been popular-ish, but not quite as popular as it was in years past. We hit about 3K hits on that article, but our original Intune vs. Workspace ONE UEM comparison from 2020 still reigns supreme. Let’s get everyone up to speed on the 2022 findings of Microsoft Endpoint Manager vs. Workspace ONE UEM.

MEM vs Workspace ONE UEM 2021 Review

I thought it would be good to get everyone up to speed on last year’s article first. We covered these categories, which we will cover this year as well:

  • MDM Features
    • Microsoft caught up on device enrollments after finally making it less painful
    • VMware improved on the “Take me to Settings” experience
  • Administration
    • Both have Profile gaps, which are highly subjective based on your needs. VMware definitely needs to improve the Profile deployment experience across all platforms like they have with Android.
    • Microsoft still falling steadily behind on device compliance
  • Integration
  • Security
    • Microsoft made some major improvements with their security stack with Defender for Endpoint
    • VMware continued down their road of making WS1 Intelligence a huge factor for them
  • App Management
    • Microsoft continued doubling down on their App Protection Policies with conditional launch to bring a different spin on compliance
  • Analytics
    • VMware continues to tell a more compelling story with their WS1 Intelligence platform powered by its Data Lake to create compelling experiences

So that should bring you up to speed with what we learned last year. I think it’s time that we got started with MDM Features in Review!

Mobile Device Management 2022

So, as we discuss every year, MDM comes down to a few things that, in layman’s terms, can be summed up as:

  • “What can I push to a device?”
  • “How is the enrollment process?”
  • Compliance
  • Device Organization

Let’s start by covering what an enrollment looks like now in Intune in 2022.

Microsoft Endpoint Manager MDM 2022 Highlights

Device Enrollment

You are going to see a recurring theme in the MDM 2022 highlights: not MUCH has changed. The enrollment flows are actually still identical. I was hoping they would have improved a bit, but we’re still looking at the same deal. You can check out last year’s article for videos on the enrollments.

Device Profile and Configuration

Surprisingly, there was almost nothing changed this year. I have my updated spreadsheets attached.

Ironically, it was Microsoft who had the best advancements here in a quiet year. They won out because VMware did not implement any of the new iOS 15 features directly into the console. They relied heavily on people using Custom XML, which can be found here.

The new features that hit in 2022 for profiles and configuration are below:

  • Managed Pasteboard now lets you enforce copy/paste restrictions alongside your managed open-in restrictions
  • Forcing Siri to do Translation processing on device
  • Blocking iCloud Private Relay
  • Microsoft finally introduced some new features for Kiosks (allowing AssistiveTouch, Invert Colors, Speak on Selected Text, Voice Control, VoiceOver Control, and Zoom Control).
  • Microsoft introduced key sizes for certificates via SCEP (e.g. 2048-bit).
  • Microsoft also introduced managed Software Updates for iOS. They aren’t as robust as VMware’s, but they have some unique appeal, as you can see below:

The value is interesting: you can deploy update profiles to different regions based on their time zone and specify start/end times, whereas VMware brings a bit more flexibility in that you can tell it what to do, when to start, and target specific OS versions with Smart Groups. I personally like VMware’s solution better, as it has nice reporting as well.

Workspace ONE Introduces a Game Changer in Device Deployment Strategy

I know that I said that not much changed, but let’s talk about something that did. After a number of delays, Workspace ONE Freestyle Orchestrator (FSO) finally hit production. I’ve written about it a few times, including some real-world examples. Now, this is something that is only on Windows and macOS so far, but I think it’s worth mentioning, and hopefully we can talk more prominently about it next year once it hits iOS and Android.

The idea is pretty neat. It leverages conditional if/then rules to deploy profiles, apps, scripts, etc. to devices. The vision at VMware is for FSO to replace Smart Groups as the way that profiles are deployed to devices. An interesting example would be: “If you have this profile, then run this script.” It has some great potential as they help it mature further.

An example flow looks like this:

Feel free to check out my video demo on how Orchestrator works:

Thoughts on Profiles and Configuration

As I mentioned earlier, both were relatively quiet. The major callout is that Workspace ONE did not implement the new iOS 15 features into their console. They expect admins to deploy them via Custom XML profiles, which honestly breaks my heart. They were always quick to adapt and implement features like this. For the first time, they sort of called in sick on iOS 15. Hopefully this means they have bigger plans for profiles, but at this point it’s a disappointment. Well done Microsoft on continuing to grow the feature set and keep pace.
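As an added example (not code from the original post, VMware or Apple), here is a small Python helper that builds the Custom XML restrictions fragment for the three iOS 15 features listed above and audits an exported profile to confirm they are enforced. The restriction key names are assumed from Apple’s Restrictions payload reference for iOS 15, and the assumption that the WS1 Custom Settings payload takes the bare `<dict>` should be confirmed against VMware’s documentation before use.

```python
"""Build and audit a Workspace ONE Custom XML payload for the iOS 15 restrictions."""
import plistlib
import uuid

# iOS 15 keys of Apple's Restrictions payload (com.apple.applicationaccess), each paired
# with the value that enforces it. Assumed from Apple's reference; verify before deploying.
IOS15_RESTRICTIONS = {
    "requireManagedPasteboardOnManagedApps": True,  # managed pasteboard for copy/paste
    "forceOnDeviceOnlyTranslation": True,           # Siri/Translate processing stays on device
    "allowCloudPrivateRelay": False,                # block iCloud Private Relay
}

def build_custom_xml(identifier: str = "com.example.ios15.restrictions") -> str:
    """Return the bare <dict> fragment a WS1 Custom Settings payload expects (assumption)."""
    payload = {
        "PayloadDisplayName": "iOS 15 Restrictions",
        "PayloadIdentifier": identifier,  # placeholder identifier, constructed for the example
        "PayloadType": "com.apple.applicationaccess",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        **IOS15_RESTRICTIONS,
    }
    full = plistlib.dumps(payload, fmt=plistlib.FMT_XML).decode()
    # plistlib emits a complete plist; keep only the root <dict> for the Custom Settings box.
    return full[full.index("<dict>"):full.rindex("</dict>") + len("</dict>")]

def audit_restrictions(xml_text: str) -> dict:
    """Report each iOS 15 restriction as 'enforced', 'not enforced' or 'missing' (full profile or WS1 fragment)."""
    text = xml_text.strip()
    if not text.startswith(("<?xml", "<plist")):
        text = '<plist version="1.0">' + text + "</plist>"  # plistlib needs a <plist> root
    root = plistlib.loads(text.encode())
    # A full profile nests payloads under PayloadContent; a fragment is the payload itself.
    payloads = root.get("PayloadContent", [root])
    restrictions = [p for p in payloads if p.get("PayloadType") == "com.apple.applicationaccess"]
    report = {}
    for key, wanted in IOS15_RESTRICTIONS.items():
        found = [p[key] for p in restrictions if key in p]
        if not found:
            report[key] = "missing"
        elif all(value == wanted for value in found):
            report[key] = "enforced"
        else:
            report[key] = "not enforced"
    return report

if __name__ == "__main__":
    fragment = build_custom_xml()
    print(fragment, audit_restrictions(fragment), sep="\n")
```

Paste the printed fragment into the Custom Settings payload, and run the audit against an exported .mobileconfig to catch a profile that still leaves Private Relay allowed.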

Microsoft has also continued to grow their “Settings Catalog”, which is basically a one-stop shop where you can cherry-pick settings to put into a profile, like this below:

Device Compliance

The only real significant change in the device compliance story in 2022 for either vendor was the introduction of Workspace ONE UEM MTD powered by Lookout for Work. As I referenced here, VMware has beaten Microsoft to the punch on delivering embedded MTD capabilities into their management agent.

Microsoft has done similar things to a degree with their security agent and their tunnel product, but it’s still “another” app, which is not the goal. Reducing the number of vendor apps on users’ devices is huge and always a focus. Microsoft definitely needs to step up their game around compliance, as it’s one of their biggest weaknesses.

Final Thoughts on Microsoft Endpoint Manager’s Mobile Device Management

I have to admit, this is the slowest the ball has moved up the hill since I started doing it. The real question is: “Does this mean that both vendors are doing a great job?” or “Does it mean they are stagnating at this juncture?”

I think in fairness we can admit that both vendors have a ton of stuff going on right now. Sometimes it’s hard to invest in the core MDM products when you are so focused on things like SASE, CASB solutions, Viva, etc.

Administration

Let’s cover some of the admin changes that we have seen over the last year on both platforms.

New Features that Have Hit Microsoft Endpoint Manager Administration

The first thing we can mention is the hardware section for iOS, which shows hardware info like Device IDs, etc.:

Some of the other features they added are:

  • Sign in from another device during automated device enrollment (ADE)
  • Photo Library support for managed cloud storage in App Protection Policies
  • Push notifications when a device’s ownership is changed
  • Microsoft Defender app inventory sync to Intune
  • Get Started and Apple Watch skip screens now available for ADE
  • Configure whether BYOD personal app data is sent to 3rd parties
  • Removal of the Bypass Activation Lock button. They moved the new process here.

Overall, not a ton of changes as it still has that strong and consistent experience. I think the main areas are the evolution of the settings catalog (mentioned earlier) and notifications for ownership changes.

New Features that Have Hit WS1 Administration

I covered a few of the great new features late last year on my article for WS1 UEM 2109.

The main areas that have elevated the administration in Workspace ONE are:

  • Data Driven UI Profiles, like Android has (similar to the Settings Catalog, but I think it is overall a smoother implementation)
  • Global Search that now supports wildcards to make finding devices much easier. You can check the video below:
  • Enhanced certificate revocation based on sampling
  • Reorganization of profiles/resources:
  • Freestyle Orchestrator

Overall Thoughts on Administration

I have a ton of concerns around administration in general right now. It feels like both companies are iterating pretty rapidly and making it hard for people to keep up. They are constantly trying to retire something, upgrade to something else, and people need to be able to shift.

With that shifting come mistakes and potential user impact. It’s a huge endeavor, and I think there needs to be much more transparency and coaching to get people where they are trying to go.

Integration and Security

Integration and Security is mostly about MTD at this juncture, I think. I believe it’s safe to say they are closely converging. We tend to integrate to improve our security posture and provide deeper insight into what we are trying to do.

Microsoft Endpoint Manager’s Enhancements on Integration and Security

Microsoft, on one hand, has done really well over the last few years building something great with Microsoft Defender for Endpoint, as I covered before. Over the last year, they have introduced “App Sync”, which sends an application inventory for iOS devices. The smart thing they did was also align well with Apple’s privacy focus by allowing companies to block this feature for BYOD devices.

They have also converged Endpoint and Tunnel into a single application, which is something we can all get behind. Anything that reduces the number of vendor apps on a device is a win for the user experience.

WS1’s Enhancements on Integration and Security

VMware, on the other hand, has also made a major impact over the last year. Outside of the fact that they are going hard down the path of SASE to secure the edge, we are now being introduced to Workspace ONE UEM MTD. The platform is powered by Lookout and lets you deliver security in a few different flavors: a fully embedded experience in the WS1 Hub, or a more fully featured experience with Lookout for Work on the device.

Check out the demo of the onboarding experience below to learn more:

Final Thoughts on Integration and Security

I did a fairly comprehensive comparison between both products a few months ago here. I think both products did a fairly solid job. In the end they were only separated by 2 points, for different reasons. I really think the way that Workspace ONE Intelligence integrates tightly into their UEM platform to take action and protect the edge gives VMware a slight edge overall as a platform today.

Application Management

Application Management is more of the “not much has changed” story. App Protection Policies continue to evolve, application deployments continue to do their thing.

One thing that did come in was iOS 15.1, which introduced a new feature that lets you set required App Store apps, which can be deployed silently without devices needing to be supervised. Both vendors seem to have implemented that without a major issue. Overall, we have definitely continued to do a solid job on application management.

Analytics

Analytics is essentially the same as it was last year. Overall, both companies do a strong job, whether it’s Workspace ONE Intelligence or Microsoft Endpoint Analytics. As shown last year, Intelligence is really doing a great job with their immersive dashboards:

Endpoint Analytics also offers a strong platform as well:

Final Thoughts

We can admit this was a fairly quiet year, whether it’s that UEM has “Long COVID” or just that not much has changed. Even at WWDC this year, the changes are nothing to get too excited about. Ideally, we would like to see more progression and development.

At a minimum, Workspace ONE UEM engineers have a ton of work to do in learning and getting ready to do that Freestyle Orchestrator magic. I’m sure your Intune engineers (the big difference being they also typically manage the PCs) have their own challenges around Defender, potentially the CASB, and the rest of the Intune suite. As I have always said, many people find that MEM/Intune meets their needs, but more security-minded individuals often struggle with its consistent challenges around compliance and security.

We need to continue to endure and focus on what really matters: driving a great user experience. My next stop: “Presenting in about 3 weeks at VMware Explore!” Hopefully, you will join me.
