
Key Concepts

The Key Concepts section aims to take you through the main concepts used within and applied to Unified Endpoint Management. Brief introductions to the concepts and terminology used will enable an easier understanding of the domain.

Unified Endpoint Management (UEM)

Unified Endpoint Management (UEM) is an approach that helps organizations manage, monitor, and secure a wide range of enterprise and end-user devices. It provides consistent management across different operating systems and locations through a single platform.

UEM combines the capabilities of Mobile Device Management (MDM) and Mobile Application Management (MAM), offering a single tool for managing both devices and the applications running on them.

Learn more about Entgra UEM server.

Enterprise Devices

An enterprise device is a physical computing unit capable of performing one or more tasks. These devices are categorized based on their purpose and functionality in organizational environments:

  • Mobile Devices: Handheld devices typically used for everyday tasks such as making phone calls, sending emails, and setting alarms. Entgra UEM Server supports managing Android, iOS, and Windows mobile devices.
  • IoT Devices: Devices specifically designed to operate in a connected environment via the internet. They collect data through embedded sensors and exchange it with other devices. Entgra UEM Server supports managing Android Sense, Arduino, Raspberry Pi, and custom IoT device types.

Entgra UEM Server enables organizations to enroll, secure, manage, and monitor devices, regardless of the mobile operator, service provider, or organization.

Evolution of UEM

The evolution of Unified Endpoint Management (UEM) started with Mobile Device Management (MDM), which gave IT teams full control over company-owned devices. MDM allowed tasks like provisioning, encryption, app management, and remote wiping, making it suitable for early workplace needs.

As personal smartphones became popular, Bring Your Own Device (BYOD) policies emerged, leading to the development of Mobile Application Management (MAM). MAM focused on securing corporate apps and data while respecting employee privacy, ensuring a balance between security and personal use.

Enterprise Mobility Management (EMM) was introduced when MAM struggled to manage the growing number of apps. EMM combined MDM and MAM to secure corporate data and manage devices like mobile phones and off-site laptops, enhancing both security and user experience for remote and distributed workforces.

Finally, UEM was developed to unify device management across all endpoints, including onsite and remote devices, into a single platform. This streamlined management processes and addressed the needs of modern organizations with diverse and flexible working environments.

MDM

MDM allows organizations to remotely control, monitor, and enforce policies on enterprise devices. Entgra UEM provides a Device Management portal for MDM, enabling administrators to enforce security policies, deploy apps, track devices, and ensure compliance.

MAM

MAM allows organizations to control and secure applications on enterprise devices. Entgra UEM Server enables the management of Android, iOS, and Windows mobile applications. It supports two UIs to help Mobile App Creators/Publishers manage mobile applications:

  • App Publisher: This UI allows you to create and manage mobile applications.
  • App Store: This UI enables you to install and update mobile applications on devices. It also includes social features such as ratings and likes, which help Mobile App Creators understand the popularity and usability of their applications.

Device Ownership Models

Ownership models in the context of UEM refer to how devices are categorized based on who owns them and how they are used within an organization. These models determine the level of control and security policies an organization can enforce on the devices. The main ownership models include:

  • Bring Your Own Device (BYOD): Employees use their personal devices for work purposes. The organization has limited control, typically focusing on securing work-related applications and data, while leaving the personal use of the device untouched.
  • Corporate-Owned, Personally Enabled (COPE): The organization owns the device, but employees are allowed to use it for personal purposes as well. IT manages the corporate aspects of the device while allowing employees some flexibility with personal use.
  • Fully Managed: The organization owns and controls the device, which is used exclusively for business purposes. The IT department has full control over the device's configuration, security settings, applications, and data.
  • Kiosk (Dedicated Devices): These devices are typically owned by the organization and are configured for a specific, single purpose. The device is locked down to only allow access to the necessary application(s) or functionality, preventing users from accessing other features or settings. Common examples of dedicated devices include kiosk terminals such as ATMs or vending machines that only run one app and restrict users from performing any other tasks.
  • Work Profile Enrollment: A work profile creates a containerized space on the device in which work apps and data are kept separate from the user's personal apps and data, providing a clear division between personal and corporate information. This is the recommended enrollment type for BYOD scenarios, as it preserves the privacy of the user's personal data while securing corporate data in a protected container to prevent leakage.

Enrollment

The process of onboarding a new device to the server is called Enrollment. This process typically involves the end user entering their username and password in an agent application or scanning a QR code through the agent application to authenticate the user and enroll the device with the server. There are multiple methods for performing enrollment, and depending on the method used, the operations that can be executed on the device may vary.

Learn more about enrollment.

Device Groups

Entgra UEM Server allows you to group multiple enrolled devices, enabling you to monitor and manage them collectively.

Learn more about device groups.

Operations

Each device supports a set of operations depending on its platform (i.e., Android, iOS, Windows), such as screen lock, device unlock, and device reboot. Entgra UEM Server facilitates these operations, allowing them to be performed remotely via the Device Management Console.

Learn more about operations.

Policies

A policy is a set of configurations enforced on a device that influences its functionality. Policies can control device settings, alert users when the device is not functioning as expected, and much more. For example, you can disable the camera on a mobile device through a policy.

Learn more about policies.

Policy Profile

In Entgra UEM Server, a collection of policies is called a profile. Policy profiles allow you to apply multiple policies to a device collectively. Entgra UEM Server includes predefined policies for Android, iOS, and Windows to manage mobile devices and also supports the creation of custom policies for IoT devices.
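The following is an added example, not Entgra UEM Server code, showing how a policy profile like the ones described above can be evaluated against a device's reported state. The policy and report shapes are constructed for illustration; the point it adds is that a setting the device fails to report must count as a violation, so a device that cannot prove compliance is not treated as compliant.

```python
"""Evaluate a device's reported state against a policy profile.

This is an added example, not Entgra UEM Server code. The policy and
device-report shapes are constructed for illustration and are not the
server's actual formats.
"""
import json

# Constructed policy profile: four policies applied to a device together.
# "required" demands an exact value, "min" a lower bound, and "forbidden"
# rejects any listed item present in the reported value.
POLICY_PROFILE = json.loads("""
{
  "profile": "corporate-android-baseline",
  "policies": [
    {"setting": "camera_enabled", "required": false,
     "alert": "Camera must be disabled"},
    {"setting": "storage_encrypted", "required": true,
     "alert": "Device storage must be encrypted"},
    {"setting": "passcode_min_length", "min": 6,
     "alert": "Passcode must be at least 6 characters"},
    {"setting": "installed_apps", "forbidden": ["sideload-store"],
     "alert": "Third-party app stores are not allowed"}
  ]
}
""")


def evaluate_compliance(profile, report):
    """Return (setting, alert) pairs for every policy the device violates.

    A setting missing from the report is a violation, not a pass: a device
    that cannot prove compliance is treated as non-compliant (fail closed).
    """
    violations = []
    for policy in profile["policies"]:
        setting = policy["setting"]
        if setting not in report:
            violations.append((setting, policy["alert"] + " (not reported)"))
            continue
        value = report[setting]
        compliant = True
        if "required" in policy and value != policy["required"]:
            compliant = False
        if "min" in policy and value < policy["min"]:
            compliant = False
        if "forbidden" in policy and set(value) & set(policy["forbidden"]):
            compliant = False
        if not compliant:
            violations.append((setting, policy["alert"]))
    return violations


def is_compliant(profile, report):
    return not evaluate_compliance(profile, report)


# Constructed device state reports, as an agent might send them.
COMPLIANT_REPORT = {"camera_enabled": False, "storage_encrypted": True,
                    "passcode_min_length": 8, "installed_apps": ["mail", "browser"]}
NONCOMPLIANT_REPORT = {"camera_enabled": True, "storage_encrypted": True,
                       "passcode_min_length": 4, "installed_apps": ["mail", "sideload-store"]}
INCOMPLETE_REPORT = {"camera_enabled": False}

if __name__ == "__main__":
    for name, report in [("compliant", COMPLIANT_REPORT),
                         ("non-compliant", NONCOMPLIANT_REPORT),
                         ("incomplete", INCOMPLETE_REPORT)]:
        print(name, evaluate_compliance(POLICY_PROFILE, report))
```

The incomplete report is the case worth noticing: it only reports the camera setting, so the evaluator returns three "(not reported)" violations rather than silently passing the policies it could not check.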

Multi-Tenancy

Multi-tenancy is an architecture where a single instance of a software application serves multiple distinct organizations or tenants. Each tenant’s data is isolated and kept secure, ensuring privacy and preventing cross-tenant data access. In the context of Entgra UEM Server, multi-tenancy enables organizations to manage and secure their devices, applications, and resources independently, within a single UEM instance. This allows IT administrators to configure, manage, and monitor different tenants while ensuring each tenant has control over their own devices, policies, and data.
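As an added example (not Entgra UEM Server code), the following contrasts a device lookup keyed by device ID alone with one keyed by the authenticated tenant. The second is the property multi-tenancy has to guarantee: the tenant comes from the authenticated session, never from a request parameter, and every query is filtered by it. The device records, tenant names and error type are constructed for the example.

```python
"""Tenant isolation in a shared device store.

This is an added example, not Entgra UEM Server code. It contrasts a
lookup keyed by device ID alone with one keyed by the authenticated
tenant. The data, names and error type are constructed for the example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    device_id: str
    tenant: str
    name: str


@dataclass(frozen=True)
class Session:
    """Authenticated principal. The tenant is set by the authentication
    layer (login or token), never copied from a request parameter."""
    user: str
    tenant: str


class TenantScopeError(PermissionError):
    pass


# Constructed data: two tenants sharing one server instance.
DEVICES = {
    "d-1001": Device("d-1001", "acme", "acme-ceo-phone"),
    "d-1002": Device("d-1002", "acme", "acme-warehouse-tablet"),
    "d-2001": Device("d-2001", "globex", "globex-kiosk-01"),
}


def get_device_unscoped(store, device_id):
    """The failure mode: any authenticated user who knows or guesses an
    ID reads another tenant's device."""
    return store[device_id]


def get_device(store, session, device_id):
    """Tenant-scoped lookup. A missing ID and another tenant's ID raise the
    same error, so the response cannot be used to enumerate foreign IDs."""
    device = store.get(device_id)
    if device is None or device.tenant != session.tenant:
        raise TenantScopeError(
            f"device {device_id} not found in tenant {session.tenant}")
    return device


def list_device_ids(store, session):
    """Every listing is filtered by the session's tenant, not by a filter
    the caller may omit."""
    return sorted(d.device_id for d in store.values()
                  if d.tenant == session.tenant)


def cross_tenant_denied(store, session, device_id):
    """True if the scoped lookup refuses the request."""
    try:
        get_device(store, session, device_id)
    except TenantScopeError:
        return True
    return False


if __name__ == "__main__":
    globex_admin = Session("bob", "globex")
    print(get_device_unscoped(DEVICES, "d-1001"))  # leaks an acme device
    print(cross_tenant_denied(DEVICES, globex_admin, "d-1001"))
    print(list_device_ids(DEVICES, globex_admin))
```

The scoped lookup returns the same error for "belongs to another tenant" and "does not exist"; distinguishing the two would let one tenant confirm which device IDs another tenant holds.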

Learn more about tenants.

APIs

An Application Programming Interface (API) is a way of exposing software functionality without revealing its implementation. APIs enable software applications to interact with each other and exchange data. Below is a list of APIs supported by Entgra UEM Server:

  • Device Management APIs: These APIs expose the device management functionality of the Entgra UEM Server's Device Management Console. They can also be used to facilitate device management through a third-party UI.
  • Device APIs: These APIs ensure communication between devices and the Entgra UEM Server.
  • App Management APIs: These APIs expose the app publishing and app portal functionality associated with the Entgra UEM Server's App Publisher and App Store. They can also facilitate app publishing and app portal functionality through third-party UIs.
  • API Management APIs: These APIs expose API publishing and API portal functionality within the Entgra UEM Server.
  • Certificate Management APIs: These APIs implement the Simple Certificate Enrollment Protocol (SCEP) so that devices can obtain client certificates, which Entgra UEM Server then uses to authenticate and authorize them.

Learn more about APIs.

Extensions

  • Device Agents: A device agent is a software program installed on a hardware device that enables communication between the device and the Entgra UEM Server.
  • Transport Extensions: Transport extensions allow you to establish new communication channels between a device and the Entgra UEM Server.
  • Authentication Extensions: By default, Entgra UEM Server supports OAuth, basic authentication, mutual SSL, and certificate-based authentication mechanisms. If a new device type requires a different authentication method, an authentication extension can be written to support it.
  • UI Extensions: UI extensions allow you to customize the user interface for new device types.

Security

Security refers to the methods used to protect computer systems from damage, disruption, and unauthorized access, while minimizing risks and vulnerabilities. Entgra UEM Server implements security at both the application and transport levels.

Application-level Security

Application-level security covers the controls the application itself enforces, such as verifying who a caller is, deciding what that caller may do, and protecting the credentials and data it handles. Following is a list of concepts related to application-level security:

Encryption

Encryption is the process of converting data or messages (plaintext) into an unreadable form (ciphertext) using an algorithm (cipher) and a key. Only entities holding the correct key (or the password it is derived from) can decrypt the ciphertext and recover the original content.

Authentication

Authentication is the process of verifying the identity of an entity using one or more of the following factors:

  • Knowledge Factor: Something the user knows, such as a password, PIN, or security question.
  • Ownership Factor: Something the user has, such as an identity card, mobile phone, or security token.
  • Inherence Factor: Something the user is or does, such as biometrics.

Authentication can be implemented in the following forms:

  • Single-Factor Authentication: This mechanism uses one factor to authenticate an entity (e.g., a password).
  • Two-Factor Authentication (2FA): This mechanism uses two different factors (e.g., a password and a one-time code from a security token).
  • Multi-Factor Authentication (MFA): This mechanism uses two or more different factors; 2FA is the most common case. Two credentials of the same kind (e.g., a password and a PIN) are both knowledge factors and do not make authentication multi-factor.

Entgra UEM Server uses OAuth, Basic Auth, JWT, and mutual SSL for authentication.

Authorization

Authorization is the process by which an entity is granted permission to access resources, such as data, services, or systems. Typically, authorization occurs after authentication. Entgra UEM Server uses Role-Based Access Control (RBAC) and scopes to implement authorization.

Certificates

A certificate (often called an SSL/TLS certificate) is a signed document issued by a trusted Certification Authority (CA) that binds a public key to an identity, such as a server hostname or an enrolled device. A client or server presents its certificate during the TLS handshake so the other side can verify who it is talking to and establish an encrypted session. Entgra UEM Server uses Simple Certificate Enrollment Protocol (SCEP) to securely enroll and authenticate iOS devices by issuing a unique certificate to each device.

Tokens

A token is a credential created by an authentication server that grants an entity access to protected resources. Entgra UEM Server uses tokens to identify devices and determine their ability to access protected resources.

Scopes

Scopes define the permission model that determines the specific actions or resources an entity can access when invoking an API.

Single Sign-On (SSO)

Single sign-on (SSO) allows users to enter their credentials once and gain access to multiple applications without needing to re-enter their credentials for each one. Once signed in to an application, users are not prompted for their credentials to access other applications until the session terminates.

Entgra UEM Server supports SSO for its web applications, including the Device Management Console, API Store, App Publisher, and App Store.

Role-Based Access Control (RBAC)

Role-based access control (RBAC) is a type of access control that restricts access to resources based on the roles assigned to users. Each role defines specific permissions, and users are granted access to resources according to the permissions associated with their assigned role.

Transport-Level Security

Transport-level security protects data while it is in transit over the internet or an intranet by encrypting it between the two communicating endpoints. The standard protocol for this is Transport Layer Security (TLS), the successor to SSL. Entgra UEM Server implements transport-level security using mutual SSL/TLS, certificates, and keystores to ensure the integrity and confidentiality of the data exchanged.