Device Management Solutions Explained: MDM vs EMM vs UEM
The IT world loves its three-letter acronyms. As part of that world, Apple device management is no different. If you deploy and manage fleets of Mac computers and iPhone or iPad devices for an organization, you’ve no doubt heard plenty of them. In particular, if you’ve spent any time researching ways to manage devices in your organization, you may have seen references to:
- MDM;
- EMM; and
- UEM.
If you’ve come across any or all of these acronyms, you’ve probably wondered what they mean, and, more importantly, how they differ from one another. We’re here to clarify these terms.
The most important thing to understand up front: For the most part, these acronyms are not technical terms for which there are standard, widely accepted definitions. Rather, they are marketing terms that vendors, analysts, and customers use in different senses to describe a broad category of apps and services—and they don’t always agree on what they mean.
What is Mobile Device Management (MDM)?
That disagreement starts with the definition of MDM itself, particularly when it comes to Apple devices.
Historically, IT admins used on-premises systems like Active Directory and a big firewall to manage and secure devices—primarily desktop computers—that always remained at the office. The managed devices had fast, always-on connections (wired or wireless) to the organization’s management systems, and were always protected—from outside threats, at least—by the firewall.
As users began to increasingly use work computers outside the office, many IT departments began configuring those computers to use Virtual Private Network (VPN) connections to the organization’s network, to facilitate management and security.
But then mobile devices such as phones and tablets, which existing solutions weren’t designed for, began to infiltrate the office. Hence the advent of mobile device management solutions, which were initially targeted exclusively at phones and, to a lesser extent, tablets.
At first, management measures were simple, such as mandating password protection and enabling admins to lock or wipe devices remotely. But over the years management tools evolved to include implementing data encryption, configuring devices remotely, tracking device location, security monitoring, and more.
Apple’s iPhone was, of course, one of the most widely adopted of those first business-friendly mobile devices. The release of the iPhone in 2007 was the catalyst that eventually led to Apple getting involved in device management. (For an excellent deep-dive into this, see Charles Edge’s History Of Apple's Mobile Device Management.)
In 2008, Apple announced support for profiles—XML files that allowed IT teams to install apps and configurations—delivered via the iPhone Configuration Utility. That solution soon evolved into Apple’s MDM framework, which delivered profiles through a combination of HTTP, Transport Layer Security (TLS), and push notifications.
In 2016, Apple shared that spec freely, and third-party vendors began building products on top of it. Over time that original MDM spec evolved to incorporate a wider range of functionality beyond profiles, including content distribution (via Apple’s Volume Purchase Program), operating system updates, device supervision (for increased management), and eventually support for the Mac. Apple continues to evolve the spec now, with the ongoing introduction of declarative device management.
Over time, “MDM” came to be used to refer to device management solutions that worked on non-Apple platforms, including Microsoft and Android. But Apple-specific solutions provide more granular control over devices that use the macOS, iOS, and iPadOS operating systems. For example, only an Apple MDM solution works hand-in-glove with Apple Business Manager, the web portal that enables admins to maintain an inventory of an organization’s Apple devices, enroll those devices into management, and generate Managed Apple IDs for admins and users.
So in the context of Apple devices, one way to differentiate the acronym MDM from the others that we’ll discuss in a minute is: MDM refers to device-management solutions that utilize Apple’s MDM framework.
That’s not, unfortunately, how market researchers always used the term. Gartner, for example, defines MDM as “software that provides: software distribution, policy management, inventory management, security management, and service management for smartphones and media tablets.” It’s a broader definition than Apple’s, in that it covers solutions that manage Windows, Android, and other platforms. But it’s more limited, in that it covers only phones and tablets—not computers.
Software reviews site G2 says that an MDM solution should “enable the remote configuration, locking, wiping, detection, and encryption of devices” and “report on device activity.” But it still emphasizes the “mobile” in MDM: “Mobile device management software is used by businesses to optimize the functionality and security of their fleet of mobile devices, including smartphones and tablets.”
That “mobile” is a bit of a hedge: Such devices can “include” smartphones and tablets; presumably, the phrase also covers laptop computers. But what about solutions that take advantage of Apple’s MDM framework to manage desktop computers just as well?
That said, “mobile” does underscore one important evolution in device management: Instead of expecting all managed devices to reside inside the firewall, MDM has evolved to be effective in a world in which users and devices can be anywhere—in the building or working from home or a coffee shop—and might change locations from day to day (or hour to hour).
What is Enterprise Mobility Management (EMM)?
As the needs of the mobile workforce evolved, Apple’s baseline MDM wasn’t always able to encompass everything vendors wanted to include in their device management solutions. Most took to adding functionality outside of that spec. Some vendors—and Gartner—switched to calling such solutions “Enterprise Mobility Management,” or EMM.
Solutions labeled “EMM” may differ widely in functionality. Such tools may help integrate MDM with other enterprise systems, while also adding tools to manage both mobile applications and content. Those tools themselves may be given three-letter acronyms of their own, which can only add to the confusion:
- Identity and Access Management (IAM) helps implement user authentication as well as policy-based rights and permissions. An EMM solution may allow IT teams to assign users to groups, with each group accorded the same set of permissions and restrictions.
- Mobile Application Management (MAM) allows for the distribution, security, and patching of software running on mobile devices. It helps admins provision fleets of devices with consistent sets of apps. Such solutions may also prevent the installation of unsafe apps and block or allow individual app features.
- Mobile Content Management (MCM) enables organizations to distribute data or documents. Whether or not a user (or an application) can access certain content could depend on policies based on user roles or even location.
Not surprisingly, many of the vendors that marketing research firms include under the rubric of MDM are also included in their lists of EMM solutions.
What is Unified Endpoint Management (UEM)?
Compared to EMM, a third category—unified endpoint management, or UEM—is more concrete. The big differentiator between UEM and MDM or EMM: UEM solutions can typically manage a variety of devices—phones, tablets, and computers—that run operating systems from a variety of vendors, all from a single console.
So instead of needing one management tool for Apple devices and another for those that run some form of Windows or Android, a single UEM solution might be able to manage them all. It may also help teams manage a wider range of devices, including Internet of Things (IoT) devices, wearables, and handhelds.
UEM may roll up the functionality of MDM and EMM on those disparate platforms. As G2 puts it, “UEM is a unification of other endpoint-focused management solutions, such as endpoint management software, mobile application management (MAM) software, mobile device management (MDM) software, patch management software, and more.”
While a centralized, unified management platform might sound great in theory, it can actually be messy in practice. There are sufficient differences in the management frameworks for different device ecosystems—Apple’s vs. Microsoft’s and others—that a single tool may not deliver the same level of functionality as one that’s optimized for a single platform. And with Apple, Google, Microsoft, and others following their own release cycles, methods of deployment, provisioning programs, and so much more, finding a way to bridge them in one interface is a formidable, if not impossible, task.
MDM vs. EMM vs. UEM
The fact is that neither UEM nor EMM has caught on in common parlance. Most people use MDM as shorthand to refer to all device management capabilities. That's in part because the categorization of a solution matters far more to marketers than to customers. Those who need to manage devices—of whatever sort—care only about what a solution can do and whether or not it solves a problem, not what its competitive set is labeled.
Editor's note: This post was substantially updated from its original form on 3/30/23.
About Kandji
Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints, with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we bring much-needed harmony between IT, InfoSec, and Apple device users.