Technet System Center Mobile Device Manager Presentation

Desktop Infrastructure Development Tools Windows Mobile Devices Partners Office Communication Server Silicon Vendors Device Manufacturers ISVs and IHVs Mobile Operators Solution Providers

Helping businesses thrive by enabling people with smart devices to perform their best when mobile

DEMO
Windows Mobile 6

30 new policies in SP1
New: Device Control, Application Control, Network Control
Enhanced: Authentication, Synchronizations, Encryption
33% reduction in bandwidth usage
Device Wipe
User confirmation for device wipe completion (OWA & Outlook)
Users/Admins can now cancel a device wipe request

Added the “Minimum number of complex characters” setting

Can configure how many past calendar and e-mail items show be synchronized with device
Control limit msg size
Allow sync when roaming
Allow HTML formatted mail

Allow removable storage
Allow camera
Allow Wi-Fi
Allow infrared
Allow internet sharing
Allow RDP
Allow Desktop Sync
Allow Bluetooth

Allow browser
Allow consumer mail
Allow unsigned apps
Allow unsigned installation packages

Use the infrastructure and solutions you already have
Leverage the partners you already trust
Utilise the information your staff already knows

Management Security Mobile VPN

Utilize an enterprise’s current Active Directory ® structure to deploy and manage Windows Mobile devices with:
Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
Custom policies that can be created using Active Directory Management Templates

To enroll their devices, users simply need to:
Access the company’s portal for self-service enrollment
Enter their e-mail address
Enter a one-time PIN code for enrollment

Target users in specific Active Directory groups
Configure mobile applications such that users cannot uninstall them
Eliminate the need to distribute CAB files via Flash drives
Access powerful reporting systems for reviewing software distribution across a mobile device workforce

Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:
View a broad range of device characteristics like device settings, certificates installed, software installed etc.
Reduce the learning curve since it is based on the familiar Microsoft Management Console (MMC)

Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
Disable specific hardware functionality, such as the camera or Bluetooth connectivity
Remotely wipe security-compromised devices

Single point of access to the corporate network
Always-on, security-enhanced wireless communication
Behind-the-firewall access to business applications

Smartcard Internet DMZ Corporate Intranet Front Firewall Initial OTA Device Enrollment Mobile GW Back Firewall SSL Mutual User Auth SSL Auth (PIN+Corp Root) SSL Machine Mutual Auth E-mail and LOB Servers SSL User- mutual Auth or Similar Console Mobile Server Back-end R/O AD LHS NAP System Self Help Site Enrollment Service OMA Proxy CA Mobile VPN

MDM introduces three new server roles:
Enrollment Server
Proxies request to enroll device
Mobile VPN Server
Typically located in the network perimeter
Entry point to corporate network
Forwards network and device management communications between a corporate network and their devices
Device Management Server
Based on OMA DM standards
Architecture Principles
Security first
Large scale distributed solution
Transparent compatibility
Extensibility & future proofing

Internet DMZ Corporate Intranet Front Firewall Initial OTA Device Enrollment Mobile Gateway Server Back Firewall SSL Auth (PIN+Corp Root) SSL Machine Mutual Auth E-mail and LOB Servers SSL User- mutual Auth or Similar Console Mobile Server Back-end R/O AD WSUS Catalog Self Help Site Enrollment Service Device Management Server CA Mobile VPN

Location:
Intranet based (domain joined server/service)
Purpose:
Manage the process flow of enrollment
Create domain objects
Create certificates
Supply provisioning instructions
Other:
Best practice: protected by a Proxy (e.g. ISA)
Can co-exist on DM Server in integrated implementation

Create Acct. Issue Cert Negotiate SSL Root Submit Cert Request Receive Cert Public DNS Discovery

Private key and Enrollment Password never transmitted over the air
All traffic between client and server uses SSL
SSL negotiation does not require public root cert (e.g. VeriSign etc.)

Mobile VPN for both client and server
Standards based
IPSec Tunnel Mode
MobIKE
IKEv2
Enables access to corporate resources
LOB
Internet proxy servers

Location:
Corporate DMZ (non-domain joined)
Purpose:
Authenticates incoming connections for authorized devices
Assigns a stable internal IP address for the device
Enables fast resume/reconnect features for devices and applications
Negotiates keys to encrypt traffic over the internet
Other:
IPSEC termination point
Managed remotely

Double envelope security User Authentications: 1) Certificate 2) NTLM v2 3) Basic Kerberos delegation

Performance
Technical features
IPSec Tunnel Mode
Aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive
IKEv2
IETF Standard that includes address assignment (unlike IKEv1)
MobIKE (Mobile IKE)
IETF standard for transparent auto recovery of IPSec tunnels w/o re-negotiations of Sas
Implications
Extremely efficient, agile and self-healing connectivity solution
Security
Double envelope security
VPN technology allows nested secure connections
Outer layer – IPSec, IKEv2 tunnel from device to GW
Inner layer – E-2-E Client-Server mechanisms (SSL, IPSec transport, etc)
Defense in depth
DMZ pre-auth
Based on device identity and health (not user)
End-to-End auth to corporate servers
“ Four factor” (2x2) authentication
Back-end firewall filtering
DMZ GW is not a vulnerability point

Security management
Enrollment
AD domain join
Wipe
Policy enforcement
Service enablement/disablement
Application deny/allow
Software distribution
Inventory and reporting

Location:
Intranet based (domain joined server/service)
Purpose:
Primary administration and management service for all managed devices
Functional hub for device Group Policy application, device software packages, and device data wipes
Communicates with existing infrastructure servers, such as domain controllers, CA
Proxies information and commands between core Windows Servers (AD/CA) and devices
Other:
OMA-DM compliant

DMZ WWAN Corpnet Internet

Required:
Windows Server 2003 SP2 64 bit
SQL Server 2005
Active Directory
Microsoft CA
Group Policy
Not Required:
Exchange Server (any version)
Systems Management Server
Systems Center
ISA Server*

Security Management Device Management Mobile VPN SCCM SCMDM Std CAL Ent CAL System Center Configuration Manager System Center Mobile Device Manager Exchange Mobile Scenarios

http://blogs.msdn.com	243
http://outsidethevox.blogspot.com	52
http://www.slideshare.net	9
http://www.mrmobileblog.com	3
file://	2
http://demo.communityserver.com	1
http://translate.googleusercontent.com	1

Technet System Center Mobile Device Manager Presentation

by jasonlan on Feb 28, 2008

Accessibility

Categories

Upload Details

Usage Rights

7 Embeds 311

Statistics

Technet System Center Mobile Device Manager Presentation Presentation Transcript