Technet System Center Mobile Device Manager Presentation

This is the presentation delivered at the 2 recent Technet events in Manchester and London as well as our EMEA Enterprise event in Dublin

Published in: Business, Technology
  • Transcript of "Technet System Center Mobile Device Manager Presentation"

    Slide 5: [Diagram] Desktop Infrastructure; Development Tools; Windows Mobile Devices; Partners: Office Communication Server, Silicon Vendors, Device Manufacturers, ISVs and IHVs, Mobile Operators, Solution Providers
    Slide 6: Helping businesses thrive by enabling people with smart devices to perform their best when mobile
    Slide 7: DEMO
       • Windows Mobile 6
    Slide 8:
       • 30 new policies in SP1
         • New: Device Control, Application Control, Network Control
         • Enhanced: Authentication, Synchronization, Encryption
       • 33% reduction in bandwidth usage
       • Device Wipe
         • User confirmation for device wipe completion (OWA & Outlook)
         • Users/Admins can now cancel a device wipe request
    Slide 9:
       • Added the “Minimum number of complex characters” setting
    Slide 10:
       • Can configure how many past calendar and e-mail items should be synchronized with the device
       • Control the message size limit
       • Allow sync when roaming
       • Allow HTML formatted mail
    Slide 11:
       • Allow removable storage
       • Allow camera
       • Allow Wi-Fi
       • Allow infrared
       • Allow internet sharing
       • Allow RDP
       • Allow Desktop Sync
       • Allow Bluetooth
    Slide 12:
       • Allow browser
       • Allow consumer mail
       • Allow unsigned apps
       • Allow unsigned installation packages
    Slide 14:
       • Use the infrastructure and solutions you already have
       • Leverage the partners you already trust
       • Utilise the information your staff already knows
    Slide 16: Management, Security, Mobile VPN
    Slide 17:
       • Utilize an enterprise’s current Active Directory® structure to deploy and manage Windows Mobile devices with:
         • Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
         • Custom policies that can be created using Active Directory Management Templates
    Slide 18:
       • To enroll their devices, users simply need to:
         • Access the company’s portal for self-service enrollment
         • Enter their e-mail address
         • Enter a one-time PIN code for enrollment
    Slide 19:
         • Target users in specific Active Directory groups
         • Configure mobile applications such that users cannot uninstall them
         • Eliminate the need to distribute CAB files via flash drives
         • Access powerful reporting systems for reviewing software distribution across a mobile device workforce
    Slide 20:
       • Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:
         • View a broad range of device characteristics such as device settings, certificates installed, software installed, etc.
         • Reduce the learning curve, since it is based on the familiar Microsoft Management Console (MMC)
    Slide 21:
       • Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
         • Disable specific hardware functionality, such as the camera or Bluetooth connectivity
         • Remotely wipe security-compromised devices
    Slide 22:
         • Single point of access to the corporate network
         • Always-on, security-enhanced wireless communication
         • Behind-the-firewall access to business applications
    Slide 23: [Diagram] Smartcard; Internet; DMZ; Corporate Intranet; Front Firewall; Initial OTA Device Enrollment; Mobile GW; Back Firewall; SSL Mutual User Auth; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; E-mail and LOB Servers; SSL User-mutual Auth or Similar; Console; Mobile Server Back-end; R/O AD; LHS; NAP System; Self Help Site; Enrollment Service; OMA Proxy; CA; Mobile VPN
    Slide 24:
       • MDM introduces three new server roles:
         • Enrollment Server
           • Proxies requests to enroll devices
         • Mobile VPN Server
           • Typically located in the network perimeter
           • Entry point to the corporate network
           • Forwards network and device management communications between a corporate network and its devices
         • Device Management Server
           • Based on OMA DM standards
       • Architecture Principles
       • Security first
       • Large-scale distributed solution
       • Transparent compatibility
       • Extensibility & future proofing
    Slide 25: [Architecture diagram] Internet; DMZ; Corporate Intranet; Front Firewall; Initial OTA Device Enrollment; Mobile Gateway Server; Back Firewall; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; E-mail and LOB Servers; SSL User-mutual Auth or Similar; Console; Mobile Server Back-end; R/O AD; WSUS Catalog; Self Help Site; Enrollment Service; Device Management Server; CA; Mobile VPN
    Slide 26:
       • Location:
         • Intranet based (domain-joined server/service)
       • Purpose:
         • Manage the process flow of enrollment
         • Create domain objects
         • Create certificates
         • Supply provisioning instructions
       • Other:
         • Best practice: protected by a proxy (e.g. ISA)
         • Can co-exist on the DM Server in an integrated implementation
    Slide 27: [Enrollment flow diagram; labels: Create Acct., Issue Cert, Negotiate SSL Root, Submit Cert Request, Receive Cert, Public DNS Discovery]
    Slide 28:
       • Private key and Enrollment Password never transmitted over the air
       • All traffic between client and server uses SSL
       • SSL negotiation does not require a public root cert (e.g. VeriSign etc.)
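The enrollment properties on slides 27 and 28 (locally generated key pair, one-time PIN, corporate root trusted without a public CA), modelled as an added example that is not Microsoft's SCMDM code: the PIN is used only as an HMAC key and is consumed on first use, CA signing is simulated with a server secret, and the "key pair" is a hash stand-in; every message is captured so the absence of secrets on the wire can be checked.

```python
# Constructed model of the enrollment properties on slides 27-28, not Microsoft's
# SCMDM protocol: the device makes its own key pair and the one-time PIN is used
# only as an HMAC key, so neither crosses the wire. CA signing is an HMAC (assumption).
import hashlib
import hmac
import secrets

def wire_mac(key: str, *parts: bytes) -> bytes:
    return hmac.new(key.encode(), b"|".join(parts), hashlib.sha256).digest()

class EnrollmentServer:
    def __init__(self, corp_root_fp: bytes):
        self.root_fp = corp_root_fp
        self.pins = {}       # e-mail -> one-time PIN, removed on first use
        self.accounts = {}   # device id -> enrolled public key ("Create Acct.")
        self.ca_secret = secrets.token_hex(32)

    def issue_pin(self, email: str) -> str:
        self.pins[email] = "".join(secrets.choice("0123456789") for _ in range(8))
        return self.pins[email]   # given to the user out of band, never sent over the air

    def root_offer(self, email: str) -> tuple:
        # "Negotiate SSL Root": root fingerprint + PIN-keyed MAC; no public root needed
        return self.root_fp, wire_mac(self.pins.get(email, ""), b"root", self.root_fp)

    def submit_csr(self, email: str, dev_id: bytes, pub: bytes, mac: bytes):
        pin = self.pins.pop(email, None)   # single use: consumed even if the request fails
        if pin is None or not hmac.compare_digest(mac, wire_mac(pin, b"csr", dev_id, pub)):
            return None
        self.accounts[dev_id] = pub
        return wire_mac(self.ca_secret, b"cert", dev_id, pub)   # "Issue Cert"

class Device:
    def __init__(self, dev_id: bytes):
        self.dev_id = dev_id
        self.private_key = secrets.token_bytes(32)                   # never leaves the device
        self.public_key = hashlib.sha256(self.private_key).digest()  # stand-in for a real key pair

    def enroll(self, server: EnrollmentServer, email: str, pin: str, wire: list):
        fp, mac = server.root_offer(email)
        wire.append(fp + mac)
        if not hmac.compare_digest(mac, wire_mac(pin, b"root", fp)):
            return None   # root not vouched for by our PIN: stop before sending the CSR
        csr_mac = wire_mac(pin, b"csr", self.dev_id, self.public_key)
        wire.append(self.dev_id + self.public_key + csr_mac)   # "Submit Cert Request"
        return server.submit_csr(email, self.dev_id, self.public_key, csr_mac)  # "Receive Cert"

def secrets_on_wire(wire: list, pin: str, device: Device) -> bool:
    # True if the captured traffic contains the PIN digits or the device's private key
    return pin.encode() in b"".join(wire) or device.private_key in b"".join(wire)
```

A replayed PIN fails at the device's root check (the server no longer has a PIN to key the MAC with), and a wrong PIN fails before the CSR is ever sent.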
    Slide 29:
       • Mobile VPN for both client and server
       • Standards based
         • IPSec Tunnel Mode
         • MobIKE
         • IKEv2
       • Enables access to corporate resources
         • LOB
         • Internet proxy servers
    Slide 30: [Architecture diagram, same as slide 25]
    Slide 31:
       • Location:
         • Corporate DMZ (non-domain joined)
       • Purpose:
         • Authenticates incoming connections for authorized devices
         • Assigns a stable internal IP address to the device
         • Enables fast resume/reconnect features for devices and applications
         • Negotiates keys to encrypt traffic over the internet
       • Other:
         • IPSec termination point
         • Managed remotely
    Slide 32: Double envelope security. User authentications: 1) Certificate, 2) NTLM v2, 3) Basic Kerberos delegation
    Slide 33:
       • Performance
       • Technical features
         • IPSec Tunnel Mode
           • Aggregate all traffic through a single tunnel with a single NAT/Firewall keep-alive
         • IKEv2
           • IETF standard that includes address assignment (unlike IKEv1)
         • MobIKE (Mobile IKE)
           • IETF standard for transparent auto-recovery of IPSec tunnels without re-negotiation of SAs
       • Implications
         • Extremely efficient, agile and self-healing connectivity solution
       • Security
       • Double envelope security
         • VPN technology allows nested secure connections
         • Outer layer: IPSec, IKEv2 tunnel from device to GW
         • Inner layer: end-to-end client-server mechanisms (SSL, IPSec transport, etc.)
       • Defense in depth
         • DMZ pre-auth
           • Based on device identity and health (not user)
         • End-to-end auth to corporate servers
         • “Four factor” (2x2) authentication
         • Back-end firewall filtering
       • DMZ GW is not a vulnerability point
    Slide 34:
       • Security management
         • Enrollment
         • AD domain join
         • Wipe
       • Policy enforcement
       • Service enablement/disablement
       • Application deny/allow
       • Software distribution
       • Inventory and reporting
    Slide 35: [Architecture diagram, same as slide 25]
    Slide 36:
       • Location:
         • Intranet based (domain-joined server/service)
       • Purpose:
         • Primary administration and management service for all managed devices
         • Functional hub for device Group Policy application, device software packages, and device data wipes
         • Communicates with existing infrastructure servers, such as domain controllers and the CA
         • Proxies information and commands between core Windows Servers (AD/CA) and devices
       • Other:
         • OMA-DM compliant
    Slide 37: [Diagram] DMZ; WWAN; Corpnet; Internet
    Slide 38:
       • Required:
         • Windows Server 2003 SP2 64-bit
         • SQL Server 2005
         • Active Directory
         • Microsoft CA
         • Group Policy
       • Not Required:
         • Exchange Server (any version)
         • Systems Management Server
         • System Center
         • ISA Server*
    Slide 39: [Diagram] Security Management; Device Management; Mobile VPN; SCCM; SCMDM; Std CAL; Ent CAL; System Center Configuration Manager; System Center Mobile Device Manager; Exchange; Mobile Scenarios
    Slide 40: © 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.