
White Paper:

A Technical Comparison of Mobile Management Solution Features and Functions
Contents
Executive Summary .... 1
About Microsoft System Center Mobile Device Management .... 2
Feature Comparison Matrix .... 2
Managing Devices and Users .... 4
    Group Assignment Via Active Directory .... 4
    Device Membership in Active Directory .... 5
    Policy Based Management and Configuration .... 6
    OTA/Network Encryption and Mobile VPN .... 7
    On Device and File Encryption .... 9
Feature Lockdown .... 10
    Bluetooth Lockdown .... 11
Application and Data Distribution/Management .... 11
    LOB Application Data Push/Alert .... 13
Asset Tracking, Logging, and Reporting .... 13
Firmware and Update Management .... 15
Help Desk and Troubleshooting .... 15
Self Service .... 16
Appendix .... 18
    Methodology .... 18
    Ratings .... 19

Executive Summary
Managing a fleet of mobile devices while ensuring end-to-end data integrity is a difficult task.
Users want their desktop at their fingertips, with reliable access not only to familiar productivity
tools such as email, calendar, and contact management, but critical line-of-business applications
as well.

For the IT team, fulfilling these expectations requires a delicate balancing act. Mobile devices not
only transmit data over public networks but are also uniquely vulnerable to loss and theft.
Security, both for the device and the critical data on it and for its connection to the corporate
network, is paramount. But policy enforcement to protect corporate data should not come at the
cost of user productivity, nor pose an undue burden to IT and the help desk.

Achieving this balance demands a flexible, end-to-end mobile management solution that helps IT
administrators more easily secure and manage mobile devices within a corporate network, while
providing secure, single-point access for line-of-business (LOB) applications and corporate data.
This requires an extensive set of features and capabilities that can make selecting the right
solution for your organization’s needs a complex task.

But it’s important to note that choosing a mobile management solution involves more than just
checking off an extensive set of features, some of which may be of interest to only a small
number of organizations or particular industries. If it doesn’t fit gracefully into your existing
management and server infrastructure, you’re unlikely to achieve the full return on investment
(ROI) and total cost of ownership (TCO) benefits possible.

To aid technical decision makers in discerning the right mobile management solution for their
organization, Microsoft commissioned an independent third-party systems integrator that
specializes in the deployment and maintenance of enterprise mobility solutions to compare the
capabilities of three leading mobile management solutions:

- Microsoft System Center Mobile Device Management 2008 (MDM 2008)
- Blackberry Enterprise Server Version 4.1.4 Service Pack 4 (BES 4.1 SP4)
- Motorola Good Mobile Messaging 5.0 (Good 5.0)

This technical comparison summarizes the results in a comparison matrix chart (Page 2) followed
by an explanation of each feature or capability and its significance in terms of the fundamental
mobile device challenges faced by IT professionals: management, control, maintenance, device
and communication security, scalability, and support. An appendix explains the methodology and
ratings used to create the comparison matrix, and offers a suggestion for weighting the results to
fit your organization’s specific needs.[1]

[1] As noted in the appendix, the comparison was executed by exercising the management interface to check
the availability of various functions; performance was not tested.
About Microsoft System Center Mobile Device Manager
Microsoft System Center Mobile Device Manager 2008 (MDM) is a robust and cost-effective
solution that can be seamlessly deployed into an enterprise’s existing Microsoft infrastructure and
addresses in a comprehensive fashion the three core requirements of IT professionals: security
management, device management, and security-enhanced connectivity.[2]

MDM’s ability to utilize Active Directory (AD) not only eases management by giving
administrators a single point and common interface from which to manage both personal
computers and mobile devices, but provides increased security by enabling them to more easily
apply security capabilities such as Public Key Infrastructure and permissions-based access to
resources. Administrators can use the familiar Windows Server Update Services (WSUS) platform
to deploy software to mobile devices and easily monitor compliance, while AD’s Group Policy
Objects functionality greatly eases the task of creating, enforcing, and monitoring policies on
mobile devices. MDM’s IPSec-based Mobile VPN helps protect sensitive data, and when
transmitting already-encrypted SSL traffic, the resulting double-envelope security offers enhanced
protection of critical corporate data.

Feature Comparison Matrix

Legend: Functionality Not Available / Limited Functionality / Average-Good Functionality / Extensive Functionality
[The rating icons for the three columns (MDM 2008, BES 4.1 SP4, Good 5.0) are not reproduced in this text version; the feature rows are listed below, and the Appendix describes the rating scale.]

Managing Devices and Users
    Group Assignment via Active Directory
    Device Membership in Active Directory
    Policy Based Management and Configuration
    Number of Policies
    RSoP Data
Encryption Services
    OTA/Network Encryption
    Mobile VPN (Good 5.0: GMC [3])
    On-Device Encryption
    Encrypt Specific Files/Locations
    Storage Card (SDIO) Encryption
Feature Lockdown
    Wi-Fi
    Infrared
    Camera
    SMS/MMS
    Storage Card (SDIO)
    Phone
    Disable IP Modem/Tether
    Disable IMAP/POP
    Restrict Cable Sync
Bluetooth Lockdown
    Restrict Radio
    Restrict Profiles
    Restrict Pairing/Discoverable
Application and Data Distribution/Management
    Restrict to device feature set
    Time based distribution
    Reporting of deployment
    Create custom action scripts
    Application Allow/Deny
    Block Unsigned Application Install
    Block Third-party Downloads
    LOB Application Data Push/Alert (Good 5.0: GMC [4])
Asset Tracking, Logging, and Reporting
    Software and Hardware Inventory
    Via log files
    Via Administration UI
    Collect log information from device
    MOM/SNMP
Firmware Update Management
    OTA OS Update Push
    Cable Firmware Update
    Update Targeting
Help Desk and Troubleshooting
    Help Desk and Administrative Console
    Role-Based Administration
    Device remote control
    OTA Provisioning and Bootstrapping
    Bulk Provisioning
Self Service
    Self Enrollment
    Self Service Portal
Server Management
    Breadth of Device Platform Support
    Hostability

[2] For a detailed examination of the ROI and TCO benefits of System Center Mobile Device Manager, please
refer to the ROI and TCO analysis tools at https://roianalyst.alinean.com/microsoft/mobile/launch.html, or the
white papers available at http://www.microsoft.com/windowsmobile/en-us/business/business-resources/enterprise-business-knowledge-center.mspx
[3] Available only with the additional Good Mobile Connection (GMC) module and licensing (see page 1).
[4] Available only with the additional Good Mobile Connection (GMC) module and licensing (see page 1).

Managing Devices and Users


Provisioning devices and enforcing policies are fundamental activities for mobile device
management. How a mobile management solution handles user and device groups, and the
extent of the policies it offers, can have a big impact on manageability, scalability, and security.

Group Assignment via Active Directory


Many mobile management solutions offer group management; however, these groups are created
and managed within the middleware platform itself, so that in organizations using
Microsoft Active Directory or another enterprise directory, membership must be maintained in
two locations, resulting in an increased management burden. A mobile management solution
whose policies and provisioning are based on Active Directory (AD) groups gives administrators
the ability to target groups of devices based on AD Group Policy Objects (GPOs), using the same
interface and procedures as for desktop management. This not only simplifies management but
improves scalability.

[Matrix excerpt: Managing Devices and Users / Group Assignment via Active Directory; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
MDM allows targeting of policies through Active Directory using a common interface, Group
Policy Objects (GPO). Through GPO, administrators can assign customized policies for groups of
mobile phones and assign those policies to an organization unit (OU) within Active Directory. This
provides an easier transition between desktop computer and mobile device management.

BES
Rather than use existing groups in AD, BES uses its own group hierarchy for policy, software
deployment, and device management. These groups are created using the Blackberry Manager
console and stored in the configuration database native to BES. While this allows for simple bulk
provisioning and management, it is a separate group that must be created, managed, and
documented.

Good
Rather than use existing groups in AD, Good uses its own group hierarchy for policy, software
deployment, and device management. These groups are created in the Good Management
Console and stored on the Good server. Groups used in Good are designed for software
deployment and device management. While these groups are easy to assign and manage policy
for, they also present extra administrative effort to maintain and create groups outside of AD.

Device Membership in Active Directory


Device membership in Active Directory allows for device targeting in addition to user targeting.
This allows administrators to assign policy based on either the user’s membership or the device
membership within Active Directory. Other device management products maintain a separate
user database and only allow for user based targeting.

[Matrix excerpt: Managing Devices and Users / Device Membership in Active Directory; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
Device membership in Active Directory allows targeting and management of the device as if it
was a computer object on the domain. This helps IT professionals manage devices with common
interfaces such as Group Policy Objects and the Active Directory Users and Computers console
with little additional training.

[Figure: MDM enables management of mobile devices using Active Directory]

In addition, device membership in Active Directory enables administrators to improve mobile
device security using several security capabilities, including Public Key Infrastructure (PKI), GPO
assignment, and permissions-based access to resources and internal websites. This promotes
communications security, protects corporate resources, and simplifies security management.

BES
When adding users to BES initially, the Global Address List (GAL) is displayed to allow
administrators to select users who have mailboxes accessible by the server. After adding a user,
the entry is made in the configuration database but is not housed in Active Directory. Only limited
information regarding BlackBerry service is stored in the user’s Exchange mailbox (e.g., PIN
number, encryption key, and hosting BES server name).

Good
Good also uses the GAL to initially find user mailboxes for account association. However, like BES,
Good will only create an account locally on the server. Information is not associated to AD
accounts outside of mailbox access.

Policy Based Management and Configuration


Device management and software configurations may be assigned and managed via policies.
These policies, in many cases, can be assigned to either individuals or groups. Policies are an
effective way to lock down a mobile environment, but figuring out the effect of those policies on
a specific user or device can be difficult. While many mobile management solutions can report a
policy that is effective for a user, the settings for that policy may not be easily viewable.

[Matrix excerpt: Managing Devices and Users / Policy Based Management and Configuration, Number of Policies, RSoP Data; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
Policies used in MDM are assigned using Group Policy Objects (GPO). Because GPO is the
underlying mechanism of device management, administrators can quickly determine the effect of
policies on a specific user or device (or groups of them) using Resultant Set of Policy (RSoP).
While MDM does not have as many policies as BES, key policies are furnished to help alleviate the
mobile security concerns of many organizations.

[Figure: Active Directory furnishes powerful tools for managing mobile device policies]

BES
RIM has an extensive set of policies for device management and PIM synchronization, which are
managed via the BlackBerry Domain, a collection of BES servers that share a common database.
These policies may be created for either groups or individuals, but reporting of the policies in
effect per user is not available.

Good
While its policy set is not as extensive as that of BES, Good does offer some of the more widely
desired device management policies. These policies are managed by user groups and can be
assigned to a group with only one individual member if necessary. Policies available for groups
are divided into six categories: Password, Options, Sync Control, OTA, Applications, and Data.
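The section above makes the point that knowing which policy is assigned is not the same as knowing which settings actually apply to one device, which is what RSoP answers. The following added example (written for this page, not code from MDM, BES or Good) is a simplified model of Group Policy precedence: GPOs linked at the domain apply first, then each nested OU, later links override earlier ones, an enforced link cannot be overridden below it, and an OU can block inheritance of non-enforced links from above. The GPO names, settings and scope chain are constructed sample data.

```python
"""Simplified model of Group Policy precedence with a Resultant Set of Policy
(RSoP) report. Added example; not part of MDM, BES or Good."""
from dataclasses import dataclass


@dataclass
class GPO:
    name: str
    settings: dict            # policy setting -> value
    enforced: bool = False    # an enforced link cannot be overridden at lower levels


def resultant_set(gpos_by_scope, scope_chain, blocked_scopes=frozenset()):
    """Compute the effective settings for one device.

    scope_chain lists the scopes that contain the device from least specific
    (for example "Domain") to the most specific OU, in application order. A GPO
    linked later in the chain overrides earlier ones, with two exceptions that
    mirror Group Policy behaviour:
      * settings from an enforced GPO stay fixed for everything below it, and
        the highest-level enforced GPO wins among enforced ones;
      * a scope in blocked_scopes blocks inheritance, so non-enforced GPOs
        linked above it are skipped.
    Returns {setting: (value, name of the winning GPO)}.
    """
    effective = {}
    locked = set()          # settings pinned by an enforced GPO
    block_index = 0         # innermost scope that blocks inheritance
    for i, scope in enumerate(scope_chain):
        if scope in blocked_scopes:
            block_index = i
    for i, scope in enumerate(scope_chain):
        for gpo in gpos_by_scope.get(scope, []):
            if i < block_index and not gpo.enforced:
                continue    # blocked inheritance: skip non-enforced parents
            for key, value in gpo.settings.items():
                if key not in locked:
                    effective[key] = (value, gpo.name)
            if gpo.enforced:
                locked.update(gpo.settings)
    return effective


# Constructed sample: four GPOs linked at the domain and two OUs (not real policy).
SAMPLE_GPOS = {
    "Domain": [
        GPO("Baseline Security", {"password_required": True,
                                  "min_password_length": 6,
                                  "camera": "allowed"}),
        GPO("Encryption Mandate", {"device_encryption": "on"}, enforced=True),
    ],
    "OU=Mobile": [
        GPO("Mobile Defaults", {"min_password_length": 8, "bluetooth": "allowed"}),
    ],
    "OU=Field Sales": [
        GPO("Sales Handhelds", {"camera": "blocked", "device_encryption": "off"}),
    ],
}
SCOPE_CHAIN = ["Domain", "OU=Mobile", "OU=Field Sales"]


def rsop_report(blocked_scopes=frozenset()):
    """RSoP for a device sitting in OU=Field Sales under the sample GPOs."""
    return resultant_set(SAMPLE_GPOS, SCOPE_CHAIN, blocked_scopes)


if __name__ == "__main__":
    for key, (value, source) in sorted(rsop_report().items()):
        print(f"{key:20} = {value!s:8} (from {source})")
```

Running it shows why the report matters: the Sales OU tries to turn device encryption off, but the enforced domain GPO wins, while its camera block does take effect; blocking inheritance at the Sales OU drops the domain password baseline entirely, which is exactly the kind of silent gap an administrator wants surfaced per device rather than inferred from group membership.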

OTA/Network Encryption and Mobile VPN


The type and strength of over-the-air (OTA) encryption offered by a mobile management solution
is an important factor in its ability to provide secure remote access. While some platforms allow
administrators to choose an encryption method or key size, others simply enforce a standard level
of encryption or none at all. In addition, when considering mobile VPN, it is important to
distinguish between two kinds of VPN connectivity offered by mobile management solutions.
VPN that grants devices membership in the corporate network (like desktops and laptops) offers
greater access to internal resources. By comparison, the more usual proxied VPN tunnel limits the
range of internal resources mobile devices can access.

[Matrix excerpt: Encryption Services / OTA/Network Encryption, Mobile VPN (Good 5.0: GMC); rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
MDM uses Active Directory to grant devices membership in the corporate network domain, with
connectivity over a mobile VPN. This helps to protect sensitive data and gives secured access to
the intranet, email, PIM, and line of business applications. Devices enrolled with MDM negotiate a
unique key for security-enhanced communications using an IPSec tunnel. All communications,
including intranet, email, PIM, and line of business application data must travel through this IPSec
tunnel between the corporate network and the device. There are no points of decryption between
the mobile device and the MDM Gateway Server (corporate network). By encapsulating Microsoft
Exchange email already encrypted via SSL, MDM’s Mobile VPN IPSec tunnel offers the additional
protection of double-envelope security.

Developers can use the .NET Framework to create applications that run securely on the handheld,
or to integrate existing back-end applications into a mobile environment. Many applications, such
as Microsoft Dynamics CRM, already possess such integration. MDM offers the choice of 3DES or
AES at 128, 192 and 256-bit key length for data encryption.

BES
BES offers only proxied VPN. The Blackberry Enterprise Server acts as a secure proxy to
mobile devices, so they are not part of the corporate network and have limited access to the
corporate intranet and applications. Users can access email, PIM data, and web-services
based application via the Blackberry Browser. Developers may use the Blackberry Mobile Data
System (MDS) application development framework to create or integrate applications to
communicate with devices through the BES proxy service, which creates an outbound-initiated
secure connection.

To create the encrypted tunnel between the proxy server and devices, BES can use either of two
encryption methods: 3DES and AES. Devices with software version 4.0 or higher can communicate
with AES encryption, while older devices can only encrypt and decrypt using 3DES. By design, BES
uses two-key 112-bit 3DES encryption and 256-bit AES encryption. If both 3DES and AES are
selected, the BES will negotiate the highest available encryption method (AES) based on device
compatibility.

Good
Good offers only proxied VPN. Like BES, all communications from devices are proxied through
Good servers via an encrypted tunnel using a 192-bit AES encryption key. The encryption method
cannot be changed, and is universal for all handhelds. The key is generated based on the OTA
activation pin assigned to a user account. Once the Good software is installed on a handheld, the
PIN is entered by a user to initiate activation. The first step in this activation process is the
generation of the AES key by the Good Management Console, which is sent to the device via SSL.

The offering compared here, Good Mobile Messaging, does not offer any access to internal
resources other than email and PIM data. However, an optional module requiring additional
licenses, called Good Mobile Connection (GMC), will allow the Good client to access intranet sites
and other back-end data through a proxy. Developers can use Java or .NET for integration and
application development.

On Device and File Encryption


Even if communications between a mobile device and corporate servers are protected by
encryption, important data stored on the device can be compromised if it is lost or stolen. To help
alleviate this concern, many newer mobile management solutions offer the option for
administrators to enforce on-device encryption to help safeguard files and data stored on mobile
devices. While this improves security, it can adversely affect device performance.

Some solutions require the entire device to be encrypted; others permit encryption of individual
files, directories, or databases. The latter capability is important if the encryption methods
available have a performance impact.

It is also important that administrators be able to enforce encryption on files stored on expansion
memory (storage) such as SD Cards, Micro SD cards, and compact flash. This avoids the possibility
that an unauthorized or unintended user might bypass the device password by removing the
card.

[Matrix excerpt: Encryption Services / On-Device Encryption, Encrypt Specific Files/Locations, Storage Card (SDIO) Encryption; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
On-device encryption can be easily handled for Windows Mobile devices enrolled with an MDM
device management server by enabling AES encryption for all data stored on the device. Using
AES encryption provides maximum protection, but unlike the ECC encryption used on newer RIM
devices, AES encryption may degrade performance of the device slightly while data is being
decrypted for access. This can be alleviated by encrypting only critical files or locations as
specified by an administrator.

Storage cards may also be encrypted using AES encryption to further safeguard sensitive data.
When users add files to an encrypted storage card with MDM, the files are not decrypted when
encryption is turned off. Users must individually open each file after encryption is turned off in
order to decrypt them. Files may still be written to the card by other devices but will not be
encrypted.

BES
While BES allows the entire device to be encrypted, it does not allow administrators to choose
individual files or locations to encrypt while the remainder of the device remains unprotected.
Devices with 4.1 device software and earlier used a 256-bit AES key to encrypt data. While this key
offers strong protection for data, it increased access times to stored data and degraded device
performance. In device software version 4.2, RIM changed the encryption key to a selectable 160-bit,
283-bit, or 571-bit elliptic curve cryptography (ECC) key, which offers better performance.
Users are prompted with Strong, Stronger, and Strongest to select the key size. Administrators
may also force one of these three key sizes via policy.

Administrators may also enforce encryption for data stored on external memory cards, protected
by a user password, the BlackBerry device key, or both. This setting determines the key used to
encrypt data on the card. Files may still be written to the card by other devices but will not be
encrypted.

Good
The Good client application can enforce 256-bit AES encryption on both specific folders and
databases on the device, which may be specified from the server administration console. While
this adds additional security, it does not provide protection for all data located on the device,
since there are other locations for data that cannot be protected using the Good management
interface.

Administrators may also require data stored on external memory to be encrypted as well, using a
user-specified password. Any existing data on the card must be erased before applying
encryption. Good creates a file on the memory card and mounts it as a separate disk volume on
the handheld. The file created consumes the entire amount of storage space on the card; thus, the
card cannot be used to store unencrypted data from another device.

Feature Lockdown
Most mobile devices have features, such as tethering, third-party email services, and cameras, that
may not be desirable to an organization. Rather than force employees onto different devices, at a
potential loss of other capabilities, lockdown policies can restrict the use of these features. This
can improve security and reduce the help desk burden, as well as simplifying maintenance and
management.

[Matrix excerpt: Feature Lockdown rows Wi-Fi, Infrared, Camera, SMS/MMS, Storage Card (SDIO), Phone, Disable IP Modem/Tether, Disable IMAP/POP, Restrict Cable Sync; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

Bluetooth Lockdown
Bluetooth’s short range communications services allow mobile devices to extend the office
experience. Devices such as printers, keyboards, headsets, and even automobiles can connect to
mobile devices for services, raising additional concerns about security. Mobile management
solutions help to alleviate this concern by offering lockdown policies for the Bluetooth radio
and/or profiles related to Bluetooth services.

[Matrix excerpt: Bluetooth / Restrict Radio, Restrict Profiles, Restrict Pairing/Discoverable; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
Policies may be enabled on MDM to completely disable the Bluetooth radio, or block specific
profiles. However, to block a profile, administrators must know the Universal Unique Identifier
(UUID) of that specific profile. In other device management platforms, the profiles are given in a
dropdown list. While the use of UUID’s allows administrators to be more flexible in blocking
Bluetooth profiles, it can be more difficult to set up the policy initially. It is not possible to restrict
discovery or pairing.
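The MDM paragraph above notes that a profile-blocking policy keyed on UUIDs is flexible but harder to set up than a dropdown, because the administrator has to supply the right 128-bit identifier. The added example below (written for this page; not MDM code, and it does not talk to any MDM policy interface) shows the part that is mechanical: Bluetooth SIG profiles are identified by 16-bit numbers that map onto a published base UUID, so the full UUID can be derived from the short identifier and, conversely, a UUID already in a policy can be checked against the assigned-numbers table. The base UUID and the short identifiers are Bluetooth SIG assigned numbers; the profile names used as dictionary keys are this example's own labels.

```python
"""Expand Bluetooth SIG 16-bit service class identifiers to the 128-bit UUIDs
a profile-blocking policy keyed on UUIDs expects, and label UUIDs found in an
existing policy. Added example; not MDM code. The base UUID and the short
identifiers are published Bluetooth SIG assigned numbers."""
import uuid

BLUETOOTH_BASE_UUID = uuid.UUID("00000000-0000-1000-8000-00805F9B34FB")
LOW_96_BITS = (1 << 96) - 1

# 16-bit service class identifiers (Bluetooth SIG assigned numbers); the
# dictionary keys are labels chosen for this example.
SERVICE_CLASS_IDS = {
    "serial_port": 0x1101,
    "dial_up_networking": 0x1103,   # DUN, the profile behind IP modem / tethering
    "obex_object_push": 0x1105,
    "obex_file_transfer": 0x1106,
    "headset": 0x1108,
    "audio_sink": 0x110B,           # A2DP sink
    "panu": 0x1115,                 # Personal Area Networking user
    "nap": 0x1116,                  # Network Access Point
    "handsfree": 0x111E,
}


def expand_short_uuid(short_id):
    """Map a 16-bit (or 32-bit) SIG identifier onto the Bluetooth base UUID:
    the short value occupies the top 32 bits, the rest is the base UUID."""
    if not 0 <= short_id <= 0xFFFFFFFF:
        raise ValueError(f"not a 16/32-bit Bluetooth identifier: {short_id!r}")
    return uuid.UUID(int=BLUETOOTH_BASE_UUID.int | (short_id << 96))


def short_id_of(full):
    """Return the SIG short identifier if `full` is an alias of the base UUID,
    otherwise None (a vendor- or application-specific UUID)."""
    full = uuid.UUID(str(full))
    if full.int & LOW_96_BITS != BLUETOOTH_BASE_UUID.int:
        return None
    return full.int >> 96


def build_block_list(profile_names):
    """Turn admin-facing profile labels into the UUID strings a policy needs."""
    result = []
    for name in profile_names:
        if name not in SERVICE_CLASS_IDS:
            raise KeyError(f"unknown profile label: {name}")
        result.append(str(expand_short_uuid(SERVICE_CLASS_IDS[name])).upper())
    return result


def describe_policy(uuid_strings):
    """Label each UUID in an existing block list with the profile it covers,
    so a reviewer can see what a UUID-only policy actually restricts."""
    labels_by_id = {v: k for k, v in SERVICE_CLASS_IDS.items()}
    out = {}
    for s in uuid_strings:
        sid = short_id_of(s)
        if sid is None:
            out[s] = "custom/vendor UUID"
        else:
            out[s] = labels_by_id.get(sid, f"SIG id 0x{sid:04X} (not in table)")
    return out


if __name__ == "__main__":
    for u in build_block_list(["dial_up_networking", "obex_object_push"]):
        print(u)
```

`describe_policy` is the review-side counterpart: given the UUID list an administrator already entered, it reports which profiles are covered and flags anything that is not a SIG alias, which catches a mistyped identifier before the policy is pushed to devices.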

BES
The most robust middleware platform for Bluetooth security, BES allows administrators to restrict
specific service profiles such as serial, hands-free, or headset. BES also allows disabling
discoverability or pairing with devices, and can even require a password to enable Bluetooth on
the device. Newer BlackBerry devices are capable of Bluetooth tethering for IP modem
connections; this feature can be disabled using a BES policy.

Good
Good will allow administrators to disable Bluetooth completely. Alternatively, administrators may
restrict discoverability on devices to allow the pairing of a headset with the phone while ensuring
that other devices will not be able to pair unless the Good device detects them first.

Application and Data Distribution/Management


Many mobile applications on the market can be deployed wirelessly to devices. This includes
third-party applications and custom applications developed in-house by organizations. Users may
also install applications via cable or connection to a website. The ability to manage deployments
efficiently, as well as to block user installation of undesirable applications, is important for
lowering the IT and help desk burden of mobile device management.

[Matrix excerpt: Application and Data Distribution/Management / Restrict to device feature set, Time-based distribution, Reporting of deployment, Create custom action scripts, Application Allow/Deny, Block Unsigned Application Install, Block Third-party Downloads; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
Using MDM enables administrators to create custom software deployment packages for mobile
devices. Once these packages are created, administrators may deploy them by targeting the
device group, or target based on existing hardware on the device. WSUS offers extensive
reporting capabilities that allow administrators to monitor deployment to devices using filters to
specify the range of devices and updates desired.

[Figure: WSUS allows extensive update report customization]

MDM can prevent users from using applications supplied with the mobile device, or the
installation of unsigned applications. It cannot prevent the installation of signed third-party
applications.

BES
Applications can be pushed from the BES using software configurations. These software
configurations require the installation files be copied and indexed on the BES directly. After
indexing the files, administrators can build software configurations and apply custom software
policies to the configuration. These policies can override handset settings to give applications
access to GPS radios, keyboard application programming interfaces (API), or the phone.

Once assigned, applications are deployed to devices every four hours (time-based distribution).
This application polling interval can be overridden in the registry as a static entry if desired.
However, changing this registry setting will affect all users on the server. Service Pack 4 for BES
version 4.1 allows administrators to deploy applications immediately and bypass the four-hour
timer.

Reporting on application deployment is provided via a status block in the user status pane of the
administration console, but does not offer the extensive filtering capabilities found in MDM.

BES can also disallow specific applications from being installed on the device. However in order to
achieve this, administrators must first copy and index the installation files on the BES directly and
create a software configuration with a policy set to disallow the installation. A policy also exists to
block third-party application downloads.

Good
Applications may be pushed from the Good server by administrators, with deployment managed
through user groups. Applications can be inherited from the default “All Users” group or applied
directly to a group. If an administrator wishes to deploy custom software to mobile devices, the
software is uploaded to the Good NOC for hosting. A URL and GUID are then assigned to the
software to identify it back to the Good server it was uploaded from, and made available to
handhelds. By default, users are reminded to install software three times in a 24 hour period.
Administrators can override this to a custom setting or force mandatory installations.

Administrators may also disallow applications from being run on the handheld. However, in Good
version 5, administrators may only disallow native applications. These native applications include
pictures & video, solitaire, and ActiveSync on Windows Mobile devices.

LOB Application Data Push/Alert


In addition to deploying software, some platforms have the capability to automatically push
application data to handhelds. This gives mobile devices access to up-to-date information from
back-end systems such as SAP, CRM, or other database or web service-driven applications in the
organization, simplifying management and improving scalability.

[Matrix excerpt: LOB Application Data Push/Alert (Good 5.0: GMC); rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
MDM does not support push data alerts for internal applications.

BES
BES supports push alerts for application data using a listener port on BES that will send data to
the mobile application when data is updated. BES also supports the ability to create web-based
application alerts using a browser push channel. This alert changes the appearance of the
device-side icon when information on the web site is updated. Applications developed using the
Blackberry Mobile Data System (MDS) framework can also push data to devices.

Good
With the addition of Good Mobile Connection (GMC), the Good platform can send push alerts to
users as internal application data changes.

Asset Tracking, Logging, and Reporting


Asset tracking can be difficult with a mobile infrastructure. Being able to log and report on
deployed hardware and software configurations is fundamental to mobile device management,
especially when planning upgrades or future deployments. Keeping track of device upgrades,
swaps, mobile phone numbers, and serial numbers/unique identifiers simplifies management and
maintenance and improves scalability. Logging of user activities can also be useful for improving
security.

[Matrix excerpt: Asset Tracking, Logging, and Reporting / Software and Hardware Inventory, Via log files, Via Administration UI, Collect log information from device, MOM/SNMP; rating icons for MDM 2008, BES 4.1 SP4 and Good 5.0 not reproduced]

MDM
MDM offers a robust set of data reported back from mobile devices that can enable
administrators to plan future deployments. This data includes platform version, installed software,
and installed hardware. MDM may also be coupled with Microsoft Operations Manager (MOM) to
capture Simple Network Management Protocol (SNMP) traps from the MDM servers to provide
proactive troubleshooting of server issues. Device management data is stored entirely in SQL,
enabling the generation of custom reports using any SQL reporting tool.

BES
Reports exported from BES provide a limited set of data in comma-separated value (CSV)
format: user name, mailbox path, mobile phone number, PIN number, handheld model, and
software version. Data extracted from this export can be used to reconcile wireless bills or track
assets. Additional data may be shown in the administration console, including a detailed
list of applications, ESN/IMEI serial numbers, hardware capabilities, free/available memory, and
active carrier; this data may be extracted from the configuration database using custom SQL scripts.

Logging for BES is also available through log files located in the installation directory (by default)
and named according to the service related to the log. Although they are cryptic, the log files
provide very detailed information on user activity. Log levels and location may be changed by
administrators. Support for MOM/SNMP is available via third-party applications.

Good
Good’s reports, exported as a CSV file, show data similar to that available from BES, including user
name, device serial number, handheld ID/platform, mobile phone number, network ID/carrier, and
mailbox path. The data can also be viewed in the administration console, where additional
information may be displayed, such as handheld state and software version numbers. No software
inventory is available on Good outside of reporting software assignment groups.

Log files for Good are housed in the installation directory. These log files are very cryptic and in a
proprietary format. Logs can be easily uploaded to Good technical support from the
administration UI.

Firmware and Update Management
Firmware and operating system updates are an important part of mobile device management.
Just as with desktop and laptop computers, updates can improve security by protecting against
the latest virus threats, which are increasingly a concern for mobile devices. Such updates may
also add new features to existing mobile devices, such as direct push email, wireless email
reconciliation, PIM synchronization, and IP modem support. This simplifies maintenance and
preserves an organization’s investment in its mobile infrastructure.

Feature                                  MDM 2008 SP4   BES 4.1   Good 5.0
Firmware Update Management               --             --        --
OTA OS Update Push
Cable Firmware Update
Update Targeting

MDM

MDM itself does not offer over-the-air firmware or OS updates. Critical security fixes related to
Microsoft software are provided by Windows Update for Windows Mobile in coordination with
the device manufacturers and the Microsoft Security Response Center. Patches not related to
security issues are provided by the mobile operator, and can be delivered to a Windows Mobile 6
device via the mobile operator’s device management server. Windows Mobile fully supports the
Firmware Over-The-Air OMA-DM standard.

BES
BES does not support over-the-air firmware updates, but does offer device updates via USB cable
from either the BlackBerry Desktop Manager or the BlackBerry Manager administration console.

Good
While Good does not offer over-the-air device firmware or OS updates, it can keep the Good
client software updated via the administration console. When a new client software version
becomes available, administrators may select the new version for automatic deployment. New
client software may also be targeted based on device platform.

Help Desk and Troubleshooting


Not just users but administrators are becoming more mobile, so remote management of mobile
devices is a desirable feature, and can improve scalability. Many mobile management solutions
offer the ability to lock down the administration console with a password (other than that of a
user login) and assign role-based administrative control. This enables help desk personnel to
install the administration console on remote computers for decentralized administration. Some
mobile management solutions may also offer web-based administration to overcome concerns
about security and limited administrative access.

Feature                                              MDM 2008 SP4   BES 4.1   Good 5.0
Robust Helpdesk and Troubleshooting Functionality    --             --        --
Helpdesk and Administrative Console
Role-Based Administration
Device remote control
OTA Provisioning and Bootstrapping
Bulk Provisioning

MDM
Role-based administration for MDM is controlled via groups in Active Directory. This allows
administrators to use the same interface for administrator permissions as found in device policy,
thus simplifying management. By contrast, in Good and IMS, roles are defined and customized
directly from the administration console.

BES
Administrators or help desk personnel requiring access to a BES can obtain it through a local
installation of BlackBerry Manager. This installation connects to the configuration database used
to host the BES environment and uses the login account of the administrator or help desk
representative to determine the level of administrative access. Security administrators can set
several pre-defined levels of access based on role. The lowest role available has access to
troubleshooting features but cannot add or remove users and licensing. Using groups, junior and
senior administrators can provision activation passwords for users in bulk, which allows
deployment of devices to entire teams with minimal administrative effort.

Good
Good allows service administrators to assign custom or pre-set roles to help desk or audit
administrators, who can install the Good administrative console on their desktop to access the
system. Windows logon credentials are passed to the Good server to authenticate roles for
administrators. Users can be added to the administration console in bulk, automatically
generating an activation email for each user.

Self Service
Allowing users to provision themselves can help reduce the call volume to help desk personnel.
Mobile management solutions can extend this level of self service with a web portal that allows
users to provision devices without IT involvement.

Feature                                  MDM 2008 SP4   BES 4.1   Good 5.0
Self Service Capabilities                --             --        --
Self Enrollment
Self Service Portal

MDM
The self service portal that may be optionally installed with MDM allows users to enroll their own
devices, perform remote wipes if the device is lost or stolen, and even reset their PIN. This helps
users quickly disable a device when they believe it to be lost or stolen, and reactivate a device
they receive from IT without an additional support call.

BES
With BlackBerry Administration Server, administrators may install the Web Desktop Manager to
allow users to set their own Enterprise Activation password for provisioning. This web portal also
allows users to access all of the features of BlackBerry Desktop Manager software, providing they
have installed the required files as prompted on their first visit to the site. Users must first be
added to a BES before they are able to log in to the Web Desktop Manager site.

Good
Good does not offer a self-service portal.

Appendix

Methodology
The products were installed on servers in accordance with their specified system requirements, so
that the management interface could be fully exercised. Performance was not tested; the goal was
to understand the functionality of each product’s feature set in the following nine important areas
of mobile device management:

Managing Devices and Users


Provisioning devices and enforcing policies are fundamental activities for mobile device
management. How a mobile management solution handles user and device groups, and the
extent of the policies it offers, can have a big impact on manageability, scalability, and security.

Encryption Services
Encryption is necessary both for secure remote access to corporate data and applications (mobile
VPN) and to protect data on the device itself in case of loss or theft. The type of encryption used
can have an impact on performance.

Mobile VPN
This may not be necessary (may be included in Encryption Services above, TBD)

Feature Lockdown
The ability to disable various features on mobile devices (e.g., Bluetooth, tethering, or third-party
email services) improves security, expands the range of devices that can be supported, and eases
management and maintenance.

Application and Data Distribution


It is important for a mobile management solution to make the process of pushing applications or
data out to mobile devices as easy and flexible as possible. In addition, the ability to control what
applications users may install on a mobile device improves security, reduces the help desk
burden, and eases management and maintenance.

Asset Tracking, Logging, and Reporting


Being able to log and report on deployed hardware and software configurations is fundamental
to mobile device management, especially when planning upgrades or future deployments.
Logging of user activities can also be useful for improving security.

Firmware Update Management


The ability to update a mobile device’s operating system and feature set is not only critical for
security, but helps preserve an organization’s hardware investment.

Helpdesk and Troubleshooting


Not just users but administrators are becoming more mobile, so remote management of mobile
devices is a desirable feature, and can improve scalability. Role-based administration adds
flexibility.

Self Service
Allowing users to perform a limited set of provisioning operations can reduce the IT management
and helpdesk burden.

Ratings
For each product, its functionality for each capability was rated with one of four ratings.

Functionality Not Available: the product does not offer the functionality needed to support this
feature or capability

Limited Functionality: the product supplies some of the functionality needed to support this
capability

Average/Good Functionality: the product supplies most of the functionality needed to support
this capability

Extensive Functionality: the product supplies extensive functionality in support of this capability

Although a weighted scoring method is generally more useful, the weights depend on the specific
needs of an organization, so these un-weighted ratings are offered as a starting point. By
assigning a point value to each rating level, and then weighting each feature within a set of
features (e.g., Feature Lockdown) in accordance with its importance to your organization, you
may obtain a clearer sense of how each of the solutions reviewed here matches your needs.
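The weighting exercise the Appendix recommends, as an added example that is not part of the white paper: rating levels are mapped to points, each feature within a set is weighted by its importance to the organization, and the products are scored on a common 0-100 scale. The point values, the feature weights, and the sample Feature Lockdown ratings are all constructed for illustration and are not the paper's published matrix.

```python
from typing import Dict, Mapping

# The four rating levels defined in the Appendix, mapped to points.
# The point values (0-3) are an assumption of this example, not the paper's.
POINTS = {
    "Functionality Not Available": 0,
    "Limited Functionality": 1,
    "Average/Good Functionality": 2,
    "Extensive Functionality": 3,
}
MAX_POINTS = max(POINTS.values())

def weighted_score(ratings: Mapping[str, Mapping[str, str]],
                   weights: Mapping[str, float]) -> Dict[str, float]:
    """Score one feature set per product on a 0-100 scale.
    ratings: product -> feature -> rating level (a key of POINTS)
    weights: feature -> importance to the organization (> 0)"""
    if any(w <= 0 for w in weights.values()):
        raise ValueError("weights must be positive")
    for product, feature_ratings in ratings.items():
        # A missing or extra rating is an error, not a silent skew of the score.
        if set(feature_ratings) != set(weights):
            raise ValueError(f"{product}: ratings do not match weighted features")
    best_possible = MAX_POINTS * sum(weights.values())
    return {
        product: round(100 * sum(POINTS[feature_ratings[f]] * w
                                 for f, w in weights.items()) / best_possible, 1)
        for product, feature_ratings in ratings.items()
    }

# Constructed sample ratings for the Feature Lockdown set; these values are
# illustrative only and are not the paper's published matrix.
SAMPLE_RATINGS = {
    "MDM 2008 SP4": {"Bluetooth Lockdown": "Extensive Functionality",
                     "Tethering Lockdown": "Average/Good Functionality",
                     "Third-party Email Lockdown": "Limited Functionality"},
    "BES 4.1": {"Bluetooth Lockdown": "Extensive Functionality",
                "Tethering Lockdown": "Extensive Functionality",
                "Third-party Email Lockdown": "Average/Good Functionality"},
    "Good 5.0": {"Bluetooth Lockdown": "Average/Good Functionality",
                 "Tethering Lockdown": "Functionality Not Available",
                 "Third-party Email Lockdown": "Average/Good Functionality"},
}
# Example weighting: Bluetooth control matters most to this organization.
SAMPLE_WEIGHTS = {"Bluetooth Lockdown": 3, "Third-party Email Lockdown": 2,
                  "Tethering Lockdown": 1}

if __name__ == "__main__":
    print(weighted_score(SAMPLE_RATINGS, SAMPLE_WEIGHTS))
```

Changing the weights changes the ranking: with the sample weights above the products score 88.9, 72.2 and 55.6, while equal weights lower MDM 2008 SP4 to 66.7 and Good 5.0 to 44.4 because the heavily weighted Bluetooth rating no longer dominates.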

The information contained in this white paper represents the current view of Microsoft
Corporation on the issues discussed as of the date of publication. Because Microsoft must
respond to changing market conditions, it should not be interpreted to be a commitment on the
part of Microsoft, and Microsoft cannot guarantee the accuracy of any information presented
after the date of publication.

This white paper is for informational purposes only. MICROSOFT MAKES NO WARRANTIES,
EXPRESS, IMPLIED, OR STATUTORY, AS TO THE INFORMATION IN THIS DOCUMENT.

Complying with all applicable copyright laws is the responsibility of the user. Without limiting the
rights under copyright, no part of this document may be reproduced, stored in or introduced into
a retrieval system, or transmitted in any form or by any means (electronic, mechanical,
photocopying, recording, or otherwise), or for any purpose, without the express written
permission of Microsoft Corporation.

Microsoft may have patents, patent applications, trademarks, copyrights, or other intellectual
property rights covering subject matter in this document. Except as expressly provided in any
written license agreement from Microsoft, the furnishing of this document does not give you any
license to these patents, trademarks, copyrights, or other intellectual property of Microsoft.

Unless otherwise noted, the example companies, organizations, products, domain names, e-mail
addresses, logos, people, places and events depicted herein are fictitious, and no association with
any real company, organization, product, domain name, email address, logo, person, place or
event is intended or should be inferred.

©2009 Microsoft Corporation. All rights reserved. Microsoft Active Directory, Operations
Manager, System Center Mobile Device Management 2008, and Windows System Update Services
are trademarks of the Microsoft group of companies. The names of actual companies and
products mentioned herein may be the trademarks of their respective owners.
