BlackBerry UEM vs Microsoft Intune vs VMware Workspace ONE: Enterprise MDM Comparison

Overview — Enterprise MDM Market in 2026

The enterprise MDM/UEM market in 2026 is dominated by three platforms: BlackBerry UEM, Microsoft Intune, and VMware (now Broadcom) Workspace ONE. According to IDC data, Microsoft Intune holds the largest market share by seat count, driven by its bundling with Microsoft 365 E3/E5 subscriptions. VMware Workspace ONE maintains a strong position in enterprises with heterogeneous device environments, particularly those combining Windows, macOS, iOS, Android, and Linux endpoints.

BlackBerry UEM, while smaller in absolute market share, holds a differentiated position in regulated industries including defense, government, finance, and healthcare due to its FIPS 140-2 certification and DISA Approved Products List (APL) listing.

The comparison below focuses on technical depth, security architecture, and deployment suitability for enterprise IT administrators choosing between platforms. All three platforms cover the core MDM fundamentals: over-the-air enrollment, policy enforcement, remote wipe, and app management. The meaningful distinctions emerge at the level of security architecture, compliance certification, ecosystem integration, and total cost of ownership — factors that weigh differently depending on the organization's vertical, regulatory posture, and existing infrastructure.

BlackBerry UEM — Strengths and Weaknesses

BlackBerry UEM evolved from the BlackBerry Enterprise Server (BES) lineage and carries decades of enterprise mobile security investment. Its security architecture, particularly the BlackBerry Dynamics SDK and container runtime, remains technically differentiated from both Intune and Workspace ONE.

Strengths

  • FIPS 140-2 validated cryptography and DISA APL approval for DoD deployments
  • BlackBerry Dynamics provides app-level encrypted containerization independent of the device's MDM enrollment state
  • Supports on-premises deployment for air-gapped or high-security environments where cloud-only management is not acceptable
  • BlackBerry Gateway (ZTNA) integration for zero-trust application access without a traditional VPN
  • Long-standing email security lineage with robust Exchange/ActiveSync policy support
  • CylancePROTECT AI-based on-device threat detection included in the Spark Suite

Weaknesses

  • Higher cost than Intune, particularly for organizations already holding Microsoft 365 E3 or E5 subscriptions
  • Smaller ecosystem of BlackBerry Dynamics-wrapped third-party apps compared to native iOS and Android MDM app management
  • Management console is perceived as less intuitive than cloud-native competitors by administrators accustomed to modern SaaS tooling
  • BlackBerry's declining hardware market presence has reduced name recognition among IT teams hired in recent years, creating internal adoption friction
  • No native integration with Google Workspace — limited email management capability in Google-centric environments

Microsoft Intune — Strengths and Weaknesses

Microsoft Intune has grown from a standalone MDM product to the central endpoint management layer of the Microsoft Security stack. Its bundling with Microsoft 365 subscriptions has made it the de facto default for the majority of commercial enterprises that have already committed to the Microsoft ecosystem.

Strengths

  • Included at no additional per-seat cost in Microsoft 365 E3, E5, and Business Premium subscriptions
  • Deep integration with Azure AD Conditional Access, Microsoft Entra ID, and Microsoft Defender for Endpoint
  • Co-management with Configuration Manager (SCCM) supports hybrid Windows environments during transition periods
  • Excellent macOS and Windows 10/11 MDM support via native protocols, including declarative device management (DDM)
  • Large administrator community, extensive Microsoft Learn documentation, and broad third-party tool support
  • Automated iOS and Android enrollment via Apple Business Manager and Android Zero-touch Enrollment

Weaknesses

  • No app-level encrypted container — data separation relies on MAM policies and Conditional Access rather than a dedicated cryptographic container runtime
  • On-premises deployment is not available — Intune is cloud-only, a disqualifying constraint for air-gapped environments
  • Android management depth below BlackBerry Dynamics for regulated data scenarios requiring validated isolation
  • FIPS 140-2 compliance operates at the Azure infrastructure layer; no DISA APL listing for Intune as of 2026
  • Integration with non-Microsoft identity providers (Okta, Ping Identity) requires additional configuration effort

VMware Workspace ONE — Strengths and Weaknesses

VMware Workspace ONE traces its MDM lineage to AirWatch, acquired by VMware in 2014. Over the following decade, VMware expanded the platform beyond MDM into a broader digital workspace suite encompassing virtual app/desktop delivery, identity, and analytics. Broadcom's 2023 acquisition introduced significant licensing and organizational changes that have affected customer confidence.

Strengths

  • Unified endpoint management combining MDM (AirWatch heritage) with virtual desktop and app delivery via VMware Horizon
  • Strong macOS management with Freestyle Orchestrator enabling complex scripted workflows and conditional logic
  • Workspace ONE Intelligence provides analytics, automation, and risk-based compliance automation across the fleet
  • Best-in-class Linux device management (Ubuntu, CentOS, RHEL) — materially stronger than Intune or BlackBerry UEM
  • Well-suited for kiosk and dedicated-device deployments and rugged device management in field-service environments

Weaknesses

  • Broadcom's 2023 acquisition of VMware has created significant pricing and licensing uncertainty, with material increases reported for new and renewal contracts
  • Product roadmap continuity concerns persist under Broadcom ownership — Broadcom's track record with acquired enterprise software includes consolidation and end-of-life decisions
  • Complex multi-component architecture: Workspace ONE UEM, Workspace ONE Access, Intelligence, and Tunnel must be deployed and maintained separately
  • Higher total cost of ownership when combining all required components for feature parity with the bundled Intune + Defender stack
  • Support quality perception declined materially in enterprise customer surveys following the Broadcom acquisition

Head-to-Head Comparison Table

| Feature | BlackBerry UEM | Microsoft Intune | VMware Workspace ONE |
|---|---|---|---|
| iOS MDM depth | Deep — ADE, DEP, supervised mode, Dynamics containers | Deep — ADE, supervised, MAM without enrollment | Deep — ADE, supervised, Freestyle Orchestrator |
| Android Enterprise | Full — work profile, fully managed, dedicated | Full — work profile, fully managed, dedicated | Full — work profile, fully managed, COPE |
| Windows 10/11 | MDM + Dynamics for Windows app container | MDM + co-management with SCCM/ConfigMgr | MDM + virtual app and desktop delivery via Horizon |
| macOS | MDM (basic to good) | MDM (good, improving with DDM) | MDM + Freestyle Orchestrator (excellent) |
| Linux | Limited | Limited (improving) | Strong — Ubuntu, CentOS, RHEL |
| Containerization | BlackBerry Dynamics — AES-256 app-level container, FIPS 140-2 validated | MAM policies only — no dedicated app-level encrypted container | VMware Tunnel + MAM — no app-level encrypted container |
| Pricing model | Per-user/month — $5–12+ depending on tier | Bundled in M365 E3/E5; standalone ~$8/user/month | Per-device or per-user — $5–15+/user/month depending on bundle |
| Deployment options | Both — UEM On-Premises and UEM Cloud | Cloud only | Both — on-premises and SaaS |
| Security certifications | FIPS 140-2 (app layer), DISA APL, DoD RMF | FIPS 140-2 via Azure infrastructure; no DISA APL | FIPS 140-2 via infrastructure; no DISA APL |
| Zero Trust support | BlackBerry Gateway (ZTNA) — per-app access without VPN | Conditional Access + Azure AD + Defender for Endpoint | Workspace ONE Tunnel + Workspace ONE Access |
| Best for | Regulated industries (DoD, finance, healthcare), security-first deployments, air-gapped environments | Microsoft 365 shops, mid-market, broad platform diversity, Windows-heavy fleets | Mixed-OS enterprise, virtual desktop + MDM, macOS-heavy and Linux-inclusive fleets |

Security Architecture Comparison

The fundamental security architecture difference between the three platforms lies in how each achieves data separation between corporate and personal content. BlackBerry UEM with BlackBerry Dynamics creates a cryptographically isolated work container at the application layer.

Corporate data — email, documents, calendar entries, and data from Dynamics-wrapped third-party apps — is encrypted with AES-256 within the container and never leaves it in plaintext regardless of the device's MDM enrollment state.

If a device's MDM profile is removed or the device is jailbroken, corporate data inside Dynamics apps remains encrypted and inaccessible to the device's native operating system. This is the architecture that satisfies FIPS 140-2 at the application layer — not just the infrastructure layer — and it is the reason BlackBerry UEM holds DISA APL status.

Microsoft Intune's data separation model relies on Mobile Application Management (MAM) policies combined with Azure AD Conditional Access. Conditional Access blocks unapproved apps and unmanaged devices from receiving corporate data tokens. Intune's selective wipe removes corporate data from Microsoft apps (Outlook, Teams, OneDrive) and Intune MAM-enabled third-party apps. This architecture is effective for the majority of commercial enterprise use cases and integrates tightly with Microsoft Defender for Endpoint signals.

It does not, however, provide a cryptographic container runtime — corporate data at rest on the device in a managed app is not independently encrypted by Intune; it relies on the operating system's native data protection mechanisms.

VMware Workspace ONE's security model is architecturally closest to Intune's MAM approach. VMware Tunnel provides per-app VPN so managed apps connect to corporate resources through an encrypted tunnel, but this is a network-level protection rather than a data-at-rest container.

For environments operating under DoD, ITAR, or PCI-DSS requirements that mandate FIPS 140-2 validated data-at-rest encryption in a mobile app container, BlackBerry UEM with BlackBerry Dynamics is the only platform among the three with a validated solution at the application layer.

Pricing and Licensing Comparison

Pricing is one of the most significant differentiators in practice, particularly for organizations evaluating BlackBerry UEM against Microsoft Intune where M365 licensing is already in place.

BlackBerry UEM is licensed per user per month across several tiers. UEM Enterprise (MDM management plus basic email security) runs approximately $5–7 per user per month. BlackBerry Spark Suite, which adds the full BlackBerry Dynamics container runtime, runs approximately $9–12 per user per month. The Spark UEM Suite including Cylance AI threat protection and BlackBerry Gateway ZTNA is priced on request and typically negotiated at enterprise contract volume.

Microsoft Intune is included at no incremental per-seat cost in Microsoft 365 E3 ($36/user/month), E5 ($57/user/month), and Business Premium ($22/user/month) subscriptions. For organizations not on these plans, Intune Plan 1 is available standalone at approximately $8 per user per month.

The practical implication: the majority of mid-to-large enterprises paying for M365 E3 or E5 are already licensed for Intune, so the marginal cost of deploying Intune is zero relative to their existing subscription.

VMware Workspace ONE has historically been licensed per device or per user per month. Workspace ONE Standard was approximately $5.33 per device per month; Advanced approximately $10.67; Enterprise tier on request.

Following Broadcom's 2023 acquisition, VMware's licensing model was restructured and pricing for new customers increased materially. Broadcom shifted toward larger bundled portfolio deals, making point-product Workspace ONE purchasing more complex. Organizations should obtain current quotes directly from Broadcom, as published list prices may not reflect current contract structures.

Which Platform Is Right for Your Organization?

Choose BlackBerry UEM when the organization operates in defense, government, financial services, or healthcare and is subject to compliance frameworks that mandate FIPS 140-2 validated encryption at the application layer, not just the infrastructure layer. UEM is the appropriate choice when air-gapped or on-premises-only deployment is required — Intune and Workspace ONE SaaS cannot satisfy this constraint. It is also the appropriate choice when a DISA APL-listed MDM solution is explicitly required for DoD network access.

Choose Microsoft Intune when the organization already subscribes to Microsoft 365 E3, E5, or Business Premium — Intune is included and adding it is primarily an implementation effort, not a budget decision.

Intune is the natural choice when Windows 10/11 and macOS are the primary management targets and when deep Conditional Access integration with Azure AD and Microsoft Defender for Endpoint is a priority.

For Microsoft-centric organizations without hard FIPS 140-2 container requirements, Intune provides strong security controls at effectively zero incremental cost.

Choose VMware Workspace ONE when the fleet includes Linux endpoints alongside iOS, Android, Windows, and macOS — Workspace ONE's Linux management capability is materially stronger than either competitor. Workspace ONE is also appropriate when virtual app and desktop delivery via VMware Horizon is part of the end-user computing strategy.

Workspace ONE Intelligence's automation and analytics are a differentiator for large, operationally mature IT teams that want risk-based compliance automation. For MDM security best practices that apply across all three platforms, see the MDM security coverage.

Frequently Asked Questions

Is BlackBerry UEM better than Microsoft Intune for security?

BlackBerry UEM provides deeper security through the BlackBerry Dynamics containerization layer, which creates an app-level encrypted workspace independent of the device's MDM enrollment state. Microsoft Intune's security relies on MAM policies and Conditional Access integration with Azure AD, which is effective but does not provide the same degree of cryptographic isolation as a dedicated container runtime.

For regulated industries with strict data separation requirements — defense, finance, healthcare — UEM's FIPS 140-2 validated container is typically preferred. For standard commercial enterprises already in the Microsoft ecosystem, Intune's security posture is sufficient for most compliance frameworks.

Can BlackBerry UEM and Microsoft Intune be used together?

Yes. Organizations can run UEM and Intune in parallel for different device populations or use cases. A common pattern places UEM on highly regulated devices — DoD endpoints, finance trading floor devices, clinical mobile devices — while Intune manages standard corporate devices in the Microsoft 365 ecosystem.

The two platforms do not share policy or license pools and must be administered separately. IT teams operating this model typically segment enrollment based on device purpose or user role rather than attempting to co-enroll a single device in both platforms simultaneously.

Does VMware Workspace ONE still receive active development under Broadcom?

Broadcom acquired VMware in November 2023 and has continued product development under the Workspace ONE brand. However, Broadcom has restructured VMware's customer-facing teams, consolidated sales models, and changed licensing structures, creating uncertainty for enterprise customers.

Broadcom's history with acquired enterprise software portfolios — including CA Technologies and Symantec — includes product consolidation and end-of-life decisions for lower-revenue product lines. Enterprises should verify the current support lifecycle, contractual commitments, and product roadmap directly with Broadcom before committing to new Workspace ONE deployments or material seat expansions.

What is the difference between MDM and MAM?

MDM (Mobile Device Management) manages the entire device — enforcing configuration policies, controlling which apps can be installed, and enabling full remote wipe of the device. MDM requires device enrollment, which gives the MDM server a management profile on the device.

MAM (Mobile Application Management) manages specific apps and their corporate data without requiring full device enrollment — a user's personal device can have corporate apps managed by MAM without the organization having control over the device itself.

Intune and Workspace ONE support both MDM and MAM in combination; BlackBerry UEM adds a third architectural layer via BlackBerry Dynamics, which provides app-level encryption regardless of whether MDM enrollment is in place.

Which MDM platform has the best macOS support?

VMware Workspace ONE leads on macOS management depth via Freestyle Orchestrator, which enables complex scripted workflows, conditional logic, and multi-step configuration sequences that go beyond what MDM protocol alone supports.

Microsoft Intune's macOS support has improved significantly through 2025–2026 with declarative device management (DDM) support, settings catalog parity improvements, and Intune's expanding macOS configuration profile library. For most enterprise macOS management scenarios, Intune is now capable and continues to improve.

BlackBerry UEM's macOS capabilities cover standard MDM functionality but lack the workflow depth of Workspace ONE or the improving DDM coverage of Intune, making it less competitive for Mac-heavy organizations.

How does BlackBerry UEM handle Zero Trust?

BlackBerry UEM integrates with BlackBerry Gateway, a Zero Trust Network Access (ZTNA) service that grants per-app access to corporate resources without requiring a full VPN tunnel. Device compliance posture signals from UEM — enrollment state, policy compliance, OS version, threat level from CylancePROTECT — gate BlackBerry Gateway access decisions in real time.

Non-compliant or compromised devices are denied access at the application level rather than the network perimeter. BlackBerry Gateway also integrates with BlackBerry Protect (Cylance AI) for threat intelligence, providing a unified signal for access decisions that spans device management, threat detection, and network access control.

Is Microsoft Intune FIPS 140-2 compliant?

Microsoft Azure infrastructure, on which Intune runs, uses FIPS 140-2 validated cryptographic modules at the infrastructure layer — data in transit and at rest within Azure storage is handled by validated modules.

However, Intune does not provide an app-level FIPS 140-2 validated container runtime equivalent to BlackBerry Dynamics. The distinction matters for compliance programs that specify FIPS 140-2 validation at the application layer specifically, such as DoD-aligned frameworks.

For compliance programs where FIPS at the infrastructure layer is sufficient — and many commercial frameworks fall into this category — Intune's Azure-backed encryption satisfies the requirement.

What happened to AirWatch?

AirWatch was acquired by VMware in January 2014 for approximately $1.54 billion, making it one of the largest acquisitions in the enterprise mobility management market at the time. VMware rebranded the AirWatch MDM platform as VMware Workspace ONE UEM over the following years, integrating AirWatch's device management capabilities with VMware's identity (Workspace ONE Access, formerly VMware Identity Manager) and analytics layers.

When Broadcom acquired VMware in November 2023, the product continued under the Workspace ONE brand. AirWatch as a standalone product brand is no longer used, but the core MDM engine it developed remains the foundation of Workspace ONE UEM.

How do BES/UEM licensing costs compare to Intune for a 1,000-user organization?

For a 1,000-user organization comparing pure MDM costs: Intune standalone (Plan 1) runs approximately $8,000 per month. Microsoft 365 E3 — which includes Intune — is approximately $36,000 per month but covers the full Microsoft productivity and security suite.

BlackBerry UEM Enterprise runs approximately $5,000–7,000 per month at 1,000 seats; the Spark Suite with Dynamics containers runs approximately $9,000–12,000 per month. For pure MDM cost without the M365 bundle, BlackBerry UEM Enterprise is cost-competitive with standalone Intune.

For the majority of enterprises already subscribed to M365 E3 or E5, the incremental cost of adding Intune is effectively zero — making BlackBerry UEM's value proposition a security architecture argument rather than a price argument at those organizations.

Conclusion

BlackBerry UEM, Microsoft Intune, and VMware Workspace ONE each serve distinct enterprise segments, and all three cover the baseline MDM requirements adequately. The right choice in 2026 depends less on feature parity at the MDM protocol layer and more on vertical-specific security requirements, existing ecosystem investment, and total cost of ownership over a three-to-five-year horizon.

BlackBerry UEM's app-level cryptographic container remains the differentiator for regulated industries where a validated separation boundary is a hard requirement, not a preference.

Microsoft Intune's bundling with M365 makes it the default starting point for most commercial enterprises; the question becomes whether Intune's security model is sufficient, not whether it is available. VMware Workspace ONE holds its position for organizations that need Linux management depth, integrated virtual desktop and app delivery, or advanced automation via Workspace ONE Intelligence.

Organizations evaluating a switch between platforms should run a structured 30-day proof-of-concept on a representative device population covering the platform's weakest area relative to their requirements. For organizations currently running BES 12 and evaluating an upgrade path, see the BES 12 to UEM migration guide. For broader coverage of MDM platform vulnerabilities, patch cycles, and CVE analysis across all three platforms, see MDM platform vulnerabilities.