Desktop Infrastructure Development Tools Windows Mobile Devices Partners Office Communication Server Silicon Vendors Device Manufacturers ISVs and IHVs Mobile Operators Solution Providers

Helping businesses thrive by enabling people with smart devices to perform their best when mobile

DEMO Windows Mobile 6

Windows Mobile 6

30 new policies in SP1 New: Device Control, Application Control, Network Control Enhanced: Authentication, Synchronizations, Encryption 33% reduction in bandwidth usage Device Wipe User confirmation for device wipe completion (OWA & Outlook) Users/Admins can now cancel a device wipe request

30 new policies in SP1

New: Device Control, Application Control, Network Control

Enhanced: Authentication, Synchronizations, Encryption

33% reduction in bandwidth usage

Device Wipe

User confirmation for device wipe completion (OWA & Outlook)

Users/Admins can now cancel a device wipe request

Added the “Minimum number of complex characters” setting

Added the “Minimum number of complex characters” setting

Can configure how many past calendar and e-mail items show be synchronized with device Control limit msg size Allow sync when roaming Allow HTML formatted mail

Can configure how many past calendar and e-mail items show be synchronized with device

Control limit msg size

Allow sync when roaming

Allow HTML formatted mail

Allow removable storage Allow camera Allow Wi-Fi Allow infrared Allow internet sharing Allow RDP Allow Desktop Sync Allow Bluetooth

Allow removable storage

Allow camera

Allow Wi-Fi

Allow infrared

Allow internet sharing

Allow RDP

Allow Desktop Sync

Allow Bluetooth

Allow browser Allow consumer mail Allow unsigned apps Allow unsigned installation packages

Allow browser

Allow consumer mail

Allow unsigned apps

Allow unsigned installation packages

Use the infrastructure and solutions you already have Leverage the partners you already trust Utilise the information your staff already knows

Use the infrastructure and solutions you already have

Leverage the partners you already trust

Utilise the information your staff already knows

Management Security Mobile VPN

Utilize an enterprise’s current Active Directory ® structure to deploy and manage Windows Mobile devices with: Over 125 policies, including specific security policies for device management, encryption, and remote device wipe Custom policies that can be created using Active Directory Management Templates

Utilize an enterprise’s current Active Directory ® structure to deploy and manage Windows Mobile devices with:

Over 125 policies, including specific security policies for device management, encryption, and remote device wipe

Custom policies that can be created using Active Directory Management Templates

To enroll their devices, users simply need to: Access the company’s portal for self-service enrollment Enter their e-mail address Enter a one-time PIN code for enrollment

To enroll their devices, users simply need to:

Access the company’s portal for self-service enrollment

Enter their e-mail address

Enter a one-time PIN code for enrollment

Target users in specific Active Directory groups Configure mobile applications such that users cannot uninstall them Eliminate the need to distribute CAB files via Flash drives Access powerful reporting systems for reviewing software distribution across a mobile device workforce

Target users in specific Active Directory groups

Configure mobile applications such that users cannot uninstall them

Eliminate the need to distribute CAB files via Flash drives

Access powerful reporting systems for reviewing software distribution across a mobile device workforce

Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now: View a broad range of device characteristics like device settings, certificates installed, software installed etc. Reduce the learning curve since it is based on the familiar Microsoft Management Console (MMC)

Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:

View a broad range of device characteristics like device settings, certificates installed, software installed etc.

Reduce the learning curve since it is based on the familiar Microsoft Management Console (MMC)

Administrators can remotely access Windows Mobile devices using Mobile Device Manager to: Disable specific hardware functionality, such as the camera or Bluetooth connectivity Remotely wipe security-compromised devices

Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:

Disable specific hardware functionality, such as the camera or Bluetooth connectivity

Remotely wipe security-compromised devices

Single point of access to the corporate network Always-on, security-enhanced wireless communication Behind-the-firewall access to business applications

Single point of access to the corporate network

Always-on, security-enhanced wireless communication

Behind-the-firewall access to business applications

Smartcard Internet DMZ Corporate Intranet Front Firewall Initial OTA Device Enrollment Mobile GW Back Firewall SSL Mutual User Auth SSL Auth (PIN+Corp Root) SSL Machine Mutual Auth E-mail and LOB Servers SSL User- mutual Auth or Similar Console Mobile Server Back-end R/O AD LHS NAP System Self Help Site Enrollment Service OMA Proxy CA Mobile VPN

MDM introduces three new server roles: Enrollment Server Proxies request to enroll device Mobile VPN Server Typically located in the network perimeter Entry point to corporate network Forwards network and device management communications between a corporate network and their devices Device Management Server Based on OMA DM standards Architecture Principles Security first Large scale distributed solution Transparent compatibility Extensibility & future proofing

MDM introduces three new server roles:

Enrollment Server

Proxies request to enroll device

Mobile VPN Server

Typically located in the network perimeter

Entry point to corporate network

Forwards network and device management communications between a corporate network and their devices

Device Management Server

Based on OMA DM standards

Architecture Principles

Security first

Large scale distributed solution

Transparent compatibility

Extensibility & future proofing

Internet DMZ Corporate Intranet Front Firewall Initial OTA Device Enrollment Mobile Gateway Server Back Firewall SSL Auth (PIN+Corp Root) SSL Machine Mutual Auth E-mail and LOB Servers SSL User- mutual Auth or Similar Console Mobile Server Back-end R/O AD WSUS Catalog Self Help Site Enrollment Service Device Management Server CA Mobile VPN

Location: Intranet based (domain joined server/service) Purpose: Manage the process flow of enrollment Create domain objects Create certificates Supply provisioning instructions Other: Best practice: protected by a Proxy (e.g. ISA) Can co-exist on DM Server in integrated implementation

Location:

Intranet based (domain joined server/service)

Purpose:

Manage the process flow of enrollment

Create domain objects

Create certificates

Supply provisioning instructions

Other:

Best practice: protected by a Proxy (e.g. ISA)

Can co-exist on DM Server in integrated implementation

Create Acct. Issue Cert Negotiate SSL Root Submit Cert Request Receive Cert Public DNS Discovery

Private key and Enrollment Password never transmitted over the air All traffic between client and server uses SSL SSL negotiation does not require public root cert (e.g. VeriSign etc.)

Private key and Enrollment Password never transmitted over the air

All traffic between client and server uses SSL

SSL negotiation does not require public root cert (e.g. VeriSign etc.)

Mobile VPN for both client and server Standards based IPSec Tunnel Mode MobIKE IKEv2 Enables access to corporate resources LOB Internet proxy servers

Mobile VPN for both client and server

Standards based

IPSec Tunnel Mode

MobIKE

IKEv2

Enables access to corporate resources

LOB

Internet proxy servers

Internet DMZ Corporate Intranet Front Firewall Initial OTA Device Enrollment Mobile Gateway Server Back Firewall SSL Auth (PIN+Corp Root) SSL Machine Mutual Auth E-mail and LOB Servers SSL User- mutual Auth or Similar Console Mobile Server Back-end R/O AD WSUS Catalog Self Help Site Enrollment Service Device Management Server CA Mobile VPN

Location: Corporate DMZ (non-domain joined) Purpose: Authenticates incoming connections for authorized devices Assigns a stable internal IP address for the device Enables fast resume/reconnect features for devices and applications Negotiates keys to encrypt traffic over the internet Other: IPSEC termination point Managed remotely

Location:

Corporate DMZ (non-domain joined)

Purpose:

Authenticates incoming connections for authorized devices

Assigns a stable internal IP address for the device

Enables fast resume/reconnect features for devices and applications

Negotiates keys to encrypt traffic over the internet

Other:

IPSEC termination point

Managed remotely

Double envelope security User Authentications: 1) Certificate 2) NTLM v2 3) Basic Kerberos delegation

Performance Technical features IPSec Tunnel Mode Aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive IKEv2 IETF Standard that includes address assignment (unlike IKEv1) MobIKE (Mobile IKE) IETF standard for transparent auto recovery of IPSec tunnels w/o re-negotiations of Sas Implications Extremely efficient, agile and self-healing connectivity solution Security Double envelope security VPN technology allows nested secure connections Outer layer – IPSec, IKEv2 tunnel from device to GW Inner layer – E-2-E Client-Server mechanisms (SSL, IPSec transport, etc) Defense in depth DMZ pre-auth Based on device identity and health (not user) End-to-End auth to corporate servers “ Four factor” (2x2) authentication Back-end firewall filtering DMZ GW is not a vulnerability point

Performance

Technical features

IPSec Tunnel Mode

Aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive

IKEv2

IETF Standard that includes address assignment (unlike IKEv1)

MobIKE (Mobile IKE)

IETF standard for transparent auto recovery of IPSec tunnels w/o re-negotiations of Sas

Implications

Extremely efficient, agile and self-healing connectivity solution

Security

Double envelope security

VPN technology allows nested secure connections

Outer layer – IPSec, IKEv2 tunnel from device to GW

Inner layer – E-2-E Client-Server mechanisms (SSL, IPSec transport, etc)

Defense in depth

DMZ pre-auth

Based on device identity and health (not user)

End-to-End auth to corporate servers

“ Four factor” (2x2) authentication

Back-end firewall filtering

DMZ GW is not a vulnerability point

Security management Enrollment AD domain join Wipe Policy enforcement Service enablement/disablement Application deny/allow Software distribution Inventory and reporting

Security management

Enrollment

AD domain join

Wipe

Policy enforcement

Service enablement/disablement

Application deny/allow

Software distribution

Inventory and reporting

Internet DMZ Corporate Intranet Front Firewall Initial OTA Device Enrollment Mobile Gateway Server Back Firewall SSL Auth (PIN+Corp Root) SSL Machine Mutual Auth E-mail and LOB Servers SSL User- mutual Auth or Similar Console Mobile Server Back-end R/O AD WSUS Catalog Self Help Site Enrollment Service Device Management Server CA Mobile VPN

Location: Intranet based (domain joined server/service) Purpose: Primary administration and management service for all managed devices Functional hub for device Group Policy application, device software packages, and device data wipes Communicates with existing infrastructure servers, such as domain controllers, CA Proxies information and commands between core Windows Servers (AD/CA) and devices Other: OMA-DM compliant

Location:

Intranet based (domain joined server/service)

Purpose:

Primary administration and management service for all managed devices

Functional hub for device Group Policy application, device software packages, and device data wipes

Communicates with existing infrastructure servers, such as domain controllers, CA

Proxies information and commands between core Windows Servers (AD/CA) and devices

Other:

OMA-DM compliant

DMZ WWAN Corpnet Internet

Required: Windows Server 2003 SP2 64 bit SQL Server 2005 Active Directory Microsoft CA Group Policy Not Required: Exchange Server (any version) Systems Management Server Systems Center ISA Server*

Required:

Windows Server 2003 SP2 64 bit

SQL Server 2005

Active Directory

Microsoft CA

Group Policy

Not Required:

Exchange Server (any version)

Systems Management Server

Systems Center

ISA Server*

Security Management Device Management Mobile VPN SCCM SCMDM Std CAL Ent CAL System Center Configuration Manager System Center Mobile Device Manager Exchange Mobile Scenarios

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.