MaaS360 MDM review

Cloud-based MDM gets the job done

A screenshot of IBM MaaS360 with IBM Watson

CloudPro Verdict

Pros

  • Cloud-based; Integrates quickly with the corporate network; Sensibly priced

Cons

  • Policy definition can take a while to get your head around, particularly if you're using AD integration

MaaS360 is a cloud-based MDM product, which, on the face of it, sounds utterly barking: how can you have something in the cloud that's providing secure access into your own network? We'll come onto that bit. (Incidentally, as well as managing handsets and tablets, there's also a laptop management option, but that's out of scope for this review.)

There are two aspects to MDM: the first (controlling and managing devices) you can do entirely with the cloud service, because in its basic form there's no need for the MDM system to know anything about your organisation or connect to it in any way. You register devices with the cloud service, define policies via the Web-based management GUI, and off you go.

Once your organisation has been set up on the MaaS360 portal it's a very simple job to register devices: initiate registration from the server and it'll send an email to the device's user (as long as you provide an email address, of course) which bounces the user into a simple setup wizard. Registering with the service bounces you into the appropriate app store (Android, iOS and Windows Phone are all supported) from where you download the core MaaS360 client app and run through the setup wizard. It's all very easy, and once the device is registered it'll be sent policy updates as they happen at the server end.

While we're talking about policies, let's have a look at what you can do with them. You'll generally define your basic policies by operating system (so you'll have a base iOS policy, a base Android policy, and so on) and then clone and adjust for special groups.

Policy settings start with passcode restrictions (length, complexity, etc). Then you work through assorted general security settings (SD card encryption, whether the user can install/remove apps, even things like whether the clipboard can be shared between applications) and then onward through application compliance (blacklisting or whitelisting apps based on name or the permissions they want to use), ActiveSync, WiFi, the list goes on.

That's just the basic device settings area, though. In the advanced section you can define email accounts, control the device background and lock screen, restrict network access (e.g. forbid WiFi unless it uses sufficiently complex encryption), and prohibit Bluetooth pairing except for headsets.

Of course, in real life you'll want to connect your devices into your corporate network: on a basic level you'll want to control devices based on Active Directory users and group memberships, but you'll also want to be able to provide secure Web browsing and email connectivity on your corporate devices (just like you've been able to do on BlackBerry handsets for years, probably).

You do this by installing the Cloud Extender application on an internal server. The vendor reckons that this can generally be done in an hour or less; in my case it took a little longer but frankly it was a heck of a lot quicker than having to run up a whole new server application and add a bunch of firewall NAT rules for devices to make inbound connections.

Cloud Extender lets you hook into your corporate directory service but also provides support for a bunch of ancillary applications that can sit on users' phones, including the two most important: a secure Web browser (which, via the Cloud Extender, allows the devices to browse your intranet natively) and a secure mail app (so no more need to permit ActiveSync through the firewall for people's handsets' on-board mail applications).

Among the other services you can configure are mobile content management (corporate document access, in other words) and application management (distributing and managing both home-grown and external apps).

Reporting on the management GUI is clear: the front page dashboard is a collection of big, chunky icons that show red (bad), green (good) or blue (N/A) for various categories such as jailbroken iPhones and devices whose application set is out of compliance (e.g. they're running an app that's blacklisted).

As you'd expect, you can drill into any category to find out more. I have to admit that my first impression of the GUI was that it was a little non-intuitive, but in the end I decided that actually it's fine once you've found your way around. Also there are some nice touches, such as the way that when you hit “Deploy” on a policy it tells you what's changed since the last version (which is way more helpful than just listing the setting of all of the bazillion options which you probably haven't touched).

My initial impression was that MaaS360 was a fairly nutty idea, but now I've used it for a while I really like it. Setup time is negligible and it does just seem to work; it took a little bit of playing to get the secure mail working but it was finger trouble rather than a system problem. The concept of MDM in the cloud sounds a little batty to begin with but the corporate integration module does just seem to do what it says on the tin.

There's only one potential downside to this kind of product, as with any cloud product: do you trust some little company (in this case Fiberlink) that you've never heard of with your corporate device management? Well … yeah, I think we can tick that box, given that in November 2013 a consideration of $330m made Fiberlink a subsidiary of a reasonably respectable crowd calling themselves IBM.

I really, really like MaaS360. What first seemed a strange idea actually turned into something clever, usable and (despite being an IBM product) sensibly priced. Since I started evaluating the product I've seen more ads for MaaS360 than you can shake a stick at, so clearly they're promoting it to death, but d'you know: I can't blame them. And I certainly wouldn't blame you for buying it.