System Center Mobile Device Manager


Published on: Microsoft Exchange Connections, Orlando, 2008


    1. Mobile Device Management for Windows Mobile devices: Exchange 2007 and System Center Mobile Device Manager
       John Rhoton, Hewlett Packard
    2. What is MDM?
       • Automation
         ● User configuration
         ● Administration
       • Standardization
       • Remote Support
         ● OTA (over-the-air)
    3. Agenda
       • Enterprise Mobility Status
       • Enterprise Challenges
         ● Security
         ● Management
         ● Applications
       • Mobile Device Management Approaches
       • Mobile Device Management Technologies
    4. But just what is mobility?
       • Devices: Mobility = Mobile phones? Smart phones? PDAs?
       • Wireless: Mobility = Wireless LANs? GSM/GPRS?
       • Applications: Mobility = Form-factor adaptation? Synchronisation?
    5. Mobility on the rise!
       Chart: year-over-year shipping growth, 2006-2010 (Converged Mobile Phones 34.1%, Mobile PCs 18.6%, Mobile Phones 5.8%, Desktop PCs 3.9%)
       • 245 Million converged devices by 2010
       • 140 Million Windows Mobile devices
       • Over 3 Billion mobile subscriptions
       Source: Gartner Dataquest and IDC, 2006
    6. Status of Mobility
       • Components Maturing
         ● Exponential growth in mobile devices
         ● Near-ubiquitous wireless access
         ● Application mobilization accelerating
       • Hype transforming into stealth
       • Enterprise adoption
         ● Organic
         ● Consumer-driven
    7. What customers typically want from mobility
       Mobile Business Applications (Forms, Workflow, Sheets):
       • Industry specific applications (e.g. Mobile construction workforce…)
       • Field Sales Automation (SFA)
       • Field Force Automation (FFA)
       • Paperless Forms (Police Force…)
       • Proof of Delivery (Transport)
       • Field Service Bundle
       • Work Order Mgmt
       • Parts & Inventory tracking
       • Expense Management
       • Asset / Property Management
       • Merchandizing / FMCG Sales
       • Healthcare, Public safety
       • Inspections, Data Capture
       Messaging:
       • Unified Communications – Fixed Mobile Convergence
       • Mobile office (Mail, PIM, Calendar) (Baseline)
       Legacy / baseline services:
       • Mobile device management (Baseline)
       • Mobile Device security (Optional)
       • Shared Mobile Device Management (Baseline)
       • Shared MDM Device security (Optional)
       • End-to-end security (authentication, encryption, protection…)
    8. Mobility: Challenges
    9. Mobile Content Protection
       Access Control Solutions:
       • Native Pocket PC
       • Biometric Authentication
       • HP ProtectTools
       • Pointsec
       • Credant
       • TrustDigital
       • Utimaco
       • Bluefire
    10. Bluetooth Insecurity
    11. WLAN security
       • WPA/WPA2-Personal
       • WPA/WPA2-Enterprise
       • Rogue Access Points
       • Decoy Access Points
    12. Why MDM?
       • Security: Ensure integrity of configuration
       • Higher ease-of-use
       • Deploying line-of-business applications
       • Lower TCO
    13. Reduction in Total Cost of Ownership (cost per user per year)
       Item                   Cost     Share   MDM benefit      Notes
       Device Cost            $250     8%                       Amortized over 2 years
       Connectivity (data)    $900     30%
       Connectivity (voice)   $800     27%
       Backend/Ops            $504     17%     -30% (-$151)     Setup & operate backend mobile application, change requests
       Service Management     $192     6%      -40% (-$77)      Setup users, connectivity, user management, change requests
       User Support           $312     11%     -30% (-$94)
       Total                  $2958    100%    -11% (-$322)
       Cost reduction per user per year with MDM: $322. Net Reduction in TCO: 11%. Net Reduction in Annual Device Management Costs: 32%.
       Source: HP & Gartner
    14. Different MDM Approaches
       • Extension of Desktop Environment
         ● Altiris
         ● Microsoft SC CM
         ● HP Client Automation
       • Comprehensive Solution Suite
         ● Exchange 2007
         ● Intellisync
         ● Good
         ● RIM Blackberry
       • Enterprise MDM Focused
         ● Microsoft System Center Mobile Device Manager
         ● iAnywhere Afaria
         ● HP Enterprise Mobility Suite
       • Carrier MDM
    15. OMA DM Standard
       • Device Management protocol
         ● Defined by the Open Mobile Alliance (OMA) group
         ● Current specification: 1.2 (April 2006)
         ● Based on SyncML
         ● Conceived for Carrier MDM
       • Designed for management of mobile devices
         ● Device Provisioning (1st time use)
         ● Device configuration: enabling/disabling features
         ● Software distribution: firmware upgrade over the air (FOTA) through the Firmware Update Management Object (FUMO), application deployment on devices, software upgrades
         ● Fault Management: report/query status
    16. Exchange 2007 Service Pack 1
       New Exchange ActiveSync Policies
       • 30 new policies in SP1
         ● New: Device Control, Application Control, Network Control
         ● Enhanced: Authentication, Synchronizations, Encryption
       • 33% reduction in bandwidth usage
       • Device Wipe
         ● User confirmation for device wipe completion (OWA & Outlook)
         ● Users/Admins can now cancel a device wipe request
    17. Configuring a Mobile Device Security Policy
       • If a device does not comply with policies it will not be allowed to synchronize.
       • Exchange 2003 pushes policies to all users, enabling individual exemptions.
       • Exchange 2007 sets policies on an individual or group basis.
    18. Exchange ActiveSync Policies: Exchange Server Standard CAL
       (Policy table; color key: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2)
    19. Exchange ActiveSync Policies: Exchange Server Enterprise CAL
       (Policy table; color key: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2)
    20. Outlook Web Access
       • User self-service
    21. Outlook Web Access (2)
       • Device inventory
       • Device log
    22. Outlook Web Access (3)
       • Password self-reset
       • Device remote-wipe
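Added example, not from the deck or from Microsoft: the Exchange 2007 SP1 Exchange Management Shell commands behind the policy slides (create a policy, assign it per user or per group, refuse devices that cannot apply it) and the admin-side counterparts of the OWA self-service items (device inventory and log, remote wipe). The policy name, mailbox, OU and e-mail address are constructed placeholders; the parameters used are those of the SP1 cmdlets.

```powershell
# Added example (not from the deck): Exchange 2007 SP1 Exchange Management Shell.
# Policy name, mailbox, OU and e-mail address are constructed placeholders.

# 1. Create an Exchange ActiveSync mailbox policy. The Allow*/Require* switches are
#    the SP1 device, application and network controls the deck refers to.
New-ActiveSyncMailboxPolicy -Name "Field-Sales-Devices" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:10:00" `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowPOPIMAPEmail $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false

# 2. Assign the policy to an individual mailbox ...
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Field-Sales-Devices"

# ... or to a group, here every mailbox in one OU (the Exchange 2007 per-user/per-group
#    model, as opposed to Exchange 2003 pushing one policy to all users with exemptions).
Get-Mailbox -OrganizationalUnit "OU=FieldSales,DC=corp,DC=example" |
    Set-CASMailbox -ActiveSyncMailboxPolicy "Field-Sales-Devices"

# 3. Verify the assignment. With AllowNonProvisionableDevices $false, a device that
#    cannot apply the policy is refused synchronization.
Get-CASMailbox -Filter { ActiveSyncMailboxPolicy -ne $null } |
    Select-Object Name, ActiveSyncMailboxPolicy

# 4. Admin-side view of what OWA shows the user: device inventory and sync/wipe log.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceID, LastSuccessSync, DeviceWipeRequestTime, DeviceWipeAckTime

# 5. Remote wipe of one device, notifying the user. SP1 allows the pending request to be
#    cancelled (-Cancel) until the device acknowledges the wipe.
$device = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceType -eq "PocketPC" }
Clear-ActiveSyncDevice -Identity $device.Identity -NotificationEmailAddresses "jdoe@corp.example"
# Clear-ActiveSyncDevice -Identity $device.Identity -Cancel
```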
    23. Device Management Technologies
       • Afaria
         ● XcelleNet, Sybase, and now iAnywhere
         ● Mobile Device Management and Mobile Security Solution
         ● Historically market leader in Managed Mobility Solutions
       • HP Enterprise Mobility Suite (EMS)
         ● Formerly Bitfone
         ● OMA-DM interoperable
         ● Heterogeneous (multi-platform) device set
         ● Integration with OVCM (OpenView Configuration Manager)
       • Microsoft SCMDM
         ● Compliant with OMA DM
         ● Mobile Device Management solution (System Center family)
         ● Based on Windows infrastructure: AD, SQL
         ● Windows Mobile 6.1 devices only
    24. Microsoft SCMDM
       Device Management (management workload, deployed inside the firewall):
       • Full OTA provisioning and bootstrapping
       • OTA software distribution based on WSUS 3.0
       • Inventory
       • SQL Server 2005 based reporting capabilities
       • Role based administration
       • MMC snap-ins and PowerShell cmdlets
       • OMA-DM compliant
       Security Management:
       • Active Directory Domain Join
       • Policy enforcement
       • Active Directory/Group Policy targeting (>125 policies)
       • Communications and camera disablement*
       • Application blacklisting and whitelisting
       • File encryption
       • Remote wipe
       Mobile VPN (network access workload, deployed in the DMZ):
       • Machine authentication using "double envelope security"
       • Session persistence
       • Fast reconnect
       • Internetwork roaming
       • Standards based (IKEv2, MobIKE, IPsec tunnel mode)
    25. Security Management Benefits
       SCMDM extends Active Directory/Group Policy to Windows Mobile
       • AD is the most widely deployed enterprise network directory worldwide
         ● 80%+ penetration in the U.S.
         ● 55%+ penetration in G7 countries overall
       • AD Group Policy is widely used by IT to configure policies for their desktops, laptops and servers
         ● Over 90% of Active Directory customers use Group Policy
       • Over 130 configuration settings for Windows Mobile can now be managed through Group Policy, including control of Bluetooth, WiFi, SMS/MMS, IR, Camera, and POP/IMAP
       • Extensible architecture
    26. Device Management Benefits
       • Enterprise-wide OTA software distribution
         ● Leverages Windows Software Update Service (WSUS) 3.0
         ● Most widely deployed Windows software update solution across organizations of all sizes (60%+ penetration)
         ● Rich targeting and packaging capabilities required by IT departments
       • Rich Inventory and Reporting
         ● Robust hardware and software inventory capabilities
         ● SQL Server 2005-based reporting infrastructure
         ● Highly flexible
         ● Customizable
    27. Secured Corporate Data Access
       • Enables secure behind-the-firewall access to the corporate network and applications
         ● Any intranet data (SAP, Siebel, intranet sites, SQL, etc.)
       • Aligns with existing remote access model for desktops/laptops and scales to a broad set of scenarios
         ● Thin and rich client apps
       • Allows end-to-end security
       Diagram: mobile device (cellular data or WiFi connection, via mobile operators and the Internet) → Mobile VPN → Corporate External Firewall → Mobile VPN Gateway in the DMZ → Corporate Internal Firewall → Internal Corporate Site and Domain Controller.
       Design goals:
       • Security: headless gateway deployed in the DMZ; privacy compliance; controlled access to internal corporate resources from the mobile devices connected via Mobile VPN
       • Efficiency: use best available channel; adapt to network to minimize keep-alive traffic (goal)
       • Extensible: transparent to mobile application; transparent to LOB services
       • Reliability: always connected; allows push technology
       • Simplicity: minimum user configuration; transparent to user and to applications
    28. SCMDM Architecture
       Diagram: the mobile device reaches the Mobile VPN gateway across the Internet through the front firewall into the DMZ; the back firewall separates the DMZ from the corporate intranet, which holds AD, the CA, the Enrollment Service, the Self Help site, the console, the OMA proxy, the WSUS catalog, back-end (R/O) services, and the e-mail and LOB servers. Connections: SSL user-mutual authentication (console or similar), SSL machine-mutual authentication (Mobile VPN), and SSL authentication with PIN plus corporate root for initial OTA device enrollment.
    29. Server Architecture
       Architecture Principles:
       • Security first
       • Large scale distributed solution
       • Transparent compatibility
       • Extensibility & future proofing
       Components:
       • Enrollment Server
         ● Proxies request to enroll device
       • Mobile VPN Server
         ● Typically located in the network perimeter
         ● Entry point to corporate network
         ● Forwards network and device management communications between a corporate network and its devices
       • Device Management Server
         ● Based on OMA DM standards
         ● Proxies AD/GP to devices
    30. The Enrollment Server
       (Same architecture diagram as slide 28, with the Enrollment Server highlighted)
       • Creates domain objects
       • Creates certificates
    31. The Enrollment Process
       Steps shown: Create Account, Discovery (Public DNS), Negotiate SSL Root, Submit Cert Request, Issue Cert, Receive Cert
       • Private key and Enrollment Password never transmitted over the air
       • All traffic between client and server uses SSL
       • SSL negotiation does not require public root cert (e.g. VeriSign etc.)
    32. The Mobile VPN
       (Same architecture diagram as slide 28, with the Mobile VPN server highlighted)
       • Authenticates incoming connections
       • Assigns a stable internal IP address
       • Enables fast resume/reconnect
    33. VPN Scenario: LOB Application
       Diagram: device → firewall → Mobile VPN ("double envelope security") → firewall → Proxy (ISA) with Kerberos delegation → LOB1 / LOB2
       User authentications: 1) Certificate, 2) NTLM v2, 3) Basic
    34. Device Management Server
       (Same architecture diagram as slide 28, with the Device Management Server highlighted)
       • Functional hub for device Group Policy application, device software packages, and device data wipes
       • Proxies information and commands between core Windows Servers (AD/CA) and devices
    35. Bringing it all together
       Diagram: Corpnet (Policy Information, DM Server, Enrollment Server) → firewall → DMZ (Mobile VPN) → firewall / NAT → Internet → WWAN
    36. HP Enterprise Mobility Suite
       Diagram: the enterprise's existing IT systems (Intranet, CRM, Application Portal, Exchange, Domino, Groupwise, Corporate Directory, Active Directory) connect over HTTPS to HP Worldwide Hosting Facilities running FusionDM for Enterprise (Device Support, S/W Maintenance, WW Network Support, Device Troubleshooting, Device Security, Policy Mgmt, Asset Mgmt, IT Dashboard), which reaches devices from leading OEM device manufacturers and HP enterprise devices over TCP/IP and SMS across worldwide wireless operator networks and the Internet.
    37. Self Care Driven
    38. Summary
       • Rapid acceleration of Mobility
       • Enterprise obstacles: Manageability & Security
       • Multiple Mobile Device Management options
       • Enterprise requirements will determine optimal choice
         ● Platform standardization
         ● VPN capabilities and LOB applications
         ● OMA-DM
    39. Questions? Contact me at:
    40. Your Feedback is Important
       Please fill out a session evaluation form and either put it in the basket near the exit or drop it off at the conference registration desk. Thank you!