
Simplify Security And Device Management Final Pres10 23final


Windows Mobile Security: System Center Mobile Device Manager 2008



  2. Jason Langridge, Enterprise Mobility Solution Specialist, Microsoft. Email: [email_address] Blog:
  3. - How can we set up/configure our Windows Mobile devices?
     - Is there a way to control what the user can/can't do?
     - We want to be able to secure the data and the devices.
     - How can we keep these devices up to date?
     - We would like to provide secure access to our intranet and other services.
  4. Lets you deploy and manage Windows Mobile devices like you do PCs/laptops in your IT infrastructure, and provides security-enhanced access to corporate data.
     Management workload deployment: inside the firewall. Network access workload deployment: in the DMZ.
     Security Management
     - Active Directory domain join
     - Policy enforcement using Active Directory/Group Policy targeting (>130 policies)
     - Communications and camera disablement*
     - File encryption
     - Application allow and deny
     - Remote wipe
     - OMA-DM compliant
     Device Management
     - Single point of management for mobile devices in the enterprise
     - Full OTA provisioning and bootstrapping
     - OTA software distribution based on WSUS 3.0
     - Inventory
     - SQL Server 2005 based reporting capabilities
     - Role-based administration
     - MMC snap-ins and PowerShell cmdlets
     - WMU On/Off control
     Mobile Optimized VPN
     - Machine authentication and "double envelope security"
     - Session persistence
     - Fast reconnect
     - Internetwork roaming
     - Standards based (IKEv2, MobIKE, IPsec tunnel mode)
  5. - Leverage existing services
       - Active Directory
       - Group Policy
       - Windows Server Update Services
  6. - Extends Active Directory and Group Policy to Windows Mobile
     - 130+ configuration settings now managed through Group Policy, including
       - Bluetooth
       - Wi-Fi
       - SMS/MMS
       - IR
       - Camera
       - POP/IMAP
     - Extensible architecture
  7. - Enterprise-wide OTA software distribution
     - Wide selection of inventory and reporting options
  8. [Architecture diagram. Zones from left to right: Internet, DMZ (between the front firewall and the back firewall), corporate intranet. A Windows Mobile device, optionally with a smartcard, performs initial OTA device enrollment against the Enrollment Service over SSL authenticated with the one-time PIN and the corporate root certificate. The DMZ hosts the Mobile Gateway (SSL machine mutual authentication with the device), the Enrollment Service, the OMA Proxy, the Self Help Site and the Mobile VPN endpoint. The corporate intranet holds the Console, the Mobile Server, the back-end (read-only AD, WSUS catalog, CA) and the e-mail and LOB servers, which the device reaches with SSL user mutual authentication or similar.]
  9. - Different categories/differing terminology
       - Front-door vs. back-door devices
       - Enterprise-managed vs. consumer
       - Corporate-liable vs. employee-liable
     - Initial problem: getting the client onto the device
     - Zero-touch deployment and setup
  10. - Administrator invokes an enrollment request and sends a one-time PIN (OTP) to the user (email, text message, voicemail, etc.)
      - Or the user uses the Self-Help Portal to acquire a one-time PIN
      [Illustration: "Here's your PIN: 1234abcd"]
  11. - User runs the "Enterprise Activation" wizard on the device ("What is your email address?")
      - Takes the SMTP address and looks for the enrollment host
      - If the host is located, a connection to the Enrollment Server is initiated
      - If the host is not found, the user is prompted for the FQDN of the Enrollment Server
      - Session is established over SSL (TCP 443)
      - User is prompted to enter their one-time PIN
  12. - Web service validates the OTP
      - If valid, it passes the session on to the Network Service
      - The OTP now cannot be re-used
      [Diagram: Enrollment Server passes the OTP across to the web service; session handed over to the Network Service]
  13. - Device is then "domain joined"
      - SC MDM client is configured to use the Mobile Gateway for all future connectivity
      - Enrollment is complete
      - Device is then set up/configured using Group Policy
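The enrollment flow on slides 10 through 13 reduces to a one-time-PIN service: a PIN is issued out of band, presented over the SSL session, validated exactly once, and the session is then handed on. The Python below is an added illustration of that logic and is not code from System Center Mobile Device Manager or from the presenter. The candidate host names tried by locate_enrollment_host, the PIN alphabet and length, the eight-hour lifetime, the five-attempt revocation limit and the sample users are all assumptions of this example.

```python
"""Illustrative one-time-PIN enrollment service (added example, not SC MDM's own code)."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

# Assumptions of this example, not product settings:
PIN_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"   # no look-alike characters (0/o, 1/l)
PIN_LENGTH = 8
PIN_LIFETIME_SECONDS = 8 * 3600                     # a PIN is good for one working day
MAX_FAILED_ATTEMPTS = 5                             # then the request is revoked


@dataclass
class EnrollmentRequest:
    user: str             # the identity the administrator issued the PIN for
    salt: bytes
    pin_hash: bytes       # only a salted hash is kept; the PIN itself is never stored
    expires_at: float
    used: bool = False
    failed_attempts: int = 0


def _hash_pin(salt: bytes, pin: str) -> bytes:
    # Case-insensitive: the user types the PIN on a phone keypad.
    return hashlib.pbkdf2_hmac("sha256", pin.lower().encode(), salt, 100_000)


def locate_enrollment_host(email: str, resolves: Callable[[str], bool]) -> Optional[str]:
    """Slide 11: derive the enrollment host from the SMTP address.
    `resolves(name)` stands in for the DNS lookup; the candidate names are an
    assumption of this example. None means the wizard must ask for the FQDN."""
    domain = email.rsplit("@", 1)[-1].strip().lower()
    for candidate in ("enrollment." + domain, domain):
        if resolves(candidate):
            return candidate
    return None


class EnrollmentService:
    def __init__(self) -> None:
        self._requests: Dict[str, EnrollmentRequest] = {}

    def issue_pin(self, user: str, now: Optional[float] = None) -> str:
        """Slide 10: administrator (or self-help portal) creates the request.
        The returned PIN is delivered out of band (email, SMS, voicemail)."""
        now = time.time() if now is None else now
        pin = "".join(secrets.choice(PIN_ALPHABET) for _ in range(PIN_LENGTH))
        salt = secrets.token_bytes(16)
        self._requests[user.lower()] = EnrollmentRequest(
            user=user.lower(), salt=salt, pin_hash=_hash_pin(salt, pin),
            expires_at=now + PIN_LIFETIME_SECONDS)
        return pin

    def redeem_pin(self, user: str, pin: str, now: Optional[float] = None) -> str:
        """Slide 12: the web service validates the OTP presented over the SSL
        session and burns it. Returns "ok" when the session may be handed to the
        Network Service, otherwise a reason string."""
        now = time.time() if now is None else now
        key = user.lower()
        req = self._requests.get(key)
        if req is None:
            return "no-request"
        if req.used:
            return "already-used"          # a valid PIN works exactly once
        if now > req.expires_at:
            return "expired"
        if not hmac.compare_digest(req.pin_hash, _hash_pin(req.salt, pin)):
            req.failed_attempts += 1
            if req.failed_attempts >= MAX_FAILED_ATTEMPTS:
                del self._requests[key]    # revoke; the administrator must re-issue
                return "revoked"
            return "invalid"
        req.used = True                    # burn before handing the session over
        return "ok"


if __name__ == "__main__":
    svc = EnrollmentService()
    pin = svc.issue_pin("alice@contoso.example")   # constructed sample user
    print("host:", locate_enrollment_host("alice@contoso.example",
                                          lambda h: h == "enrollment.contoso.example"))
    print("first redeem:", svc.redeem_pin("alice@contoso.example", pin))
    print("second redeem:", svc.redeem_pin("alice@contoso.example", pin))
```

The service keeps only a salted PBKDF2 hash of the PIN and compares it with hmac.compare_digest, so neither a read of the enrollment database nor a timing side channel yields a usable PIN. The used flag is set before the session is handed over, which is what makes the PIN single-use as slide 12 states, and a cap on failed attempts closes the obvious guessing attack against a short PIN presented to an Internet-facing service. Time is passed in explicitly so the expiry and revocation paths can be exercised offline.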
  14. - Key concerns
        - Preventing unauthorized applications from being run/installed
        - Disabling some of the device's capabilities (e.g. camera/Wi-Fi)
        - Access to consumer services (e.g. POP3/IMAP)
      - Mobile Device Manager empowers you through
        - Active Directory integration
        - Group Policies
  15. - Data is stored on both the physical device and the storage card
      - Windows Mobile 6 provides the ability to encrypt the storage card
      - System Center Mobile Device Manager provides
        - Enable device perimeter PIN password
        - Ability to enforce encryption on the storage card
        - Allow/disallow the use of removable storage
        - Remotely wipe devices
  16. - Important to separate update needs:
        - Device OS
        - Applications, configuration and settings
      - System Center Mobile Device Manager allows you to:
        - Distribute software and applications through Windows Server Update Services (WSUS)
        - Set up/configure/manage devices through Active Directory and Group Policy
  17. [Diagram: direct Exchange ActiveSync access. The device reaches https://EAS across the Internet from either WWAN or Wi-Fi.]
  18. [Diagram: the same access through the Mobile Gateway. The device on WWAN or Wi-Fi crosses the Internet and a NAT, passes the outer firewall (FW) into the DMZ where the Mobile Gateway terminates the connection, then passes the inner firewall (FW) into the corpnet to reach https://EAS on the email or LOB servers.]
  19. - Addressed 5 key security and management concerns
      - Showed how to improve and simplify mobile device management and security with System Center Mobile Device Manager
      - For more information:
  20. Questions and Answers
      - Submit text questions using the "Ask" button.
      - Don't forget to fill out the survey.
      - For upcoming and previously live webcasts:
      - Got webcast content ideas? Contact us at:
  22. © 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.