Utilize an enterprise’s current Active Directory ® structure to deploy and manage Windows Mobile devices with: Over 125 policies, including specific.

Presentation transcript:

Utilize an enterprise’s current Active Directory ® structure to deploy and manage Windows Mobile devices with:
- Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
- Custom policies that can be created using Active Directory Management Templates

To enroll their devices, users simply need to:
- Access the company’s portal for self-service enrollment
- Enter their address
- Enter a one-time PIN code for enrollment

- Target users in specific Active Directory groups
- Configure mobile applications such that users cannot uninstall them
- Eliminate the need to distribute CAB files via Flash drives
- Access powerful reporting systems for reviewing software distribution across a mobile device workforce

Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:
- View a broad range of device characteristics like device settings, certificates installed, software installed, etc.
- Reduce the learning curve, since it is based on the familiar Microsoft Management Console (MMC)

Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
- Disable specific hardware functionality, such as the camera or Bluetooth connectivity
- Remotely wipe security-compromised devices

- Single point of access to the corporate network
- Always-on, security-enhanced wireless communication
- Behind-the-firewall access to business applications

Architecture diagram (labels only): Smartcard; Internet; DMZ; Corporate Intranet; Front Firewall; Back Firewall; Initial OTA Device Enrollment; Mobile GW; SSL Mutual User Auth; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; LOB Servers; SSL User-mutual Auth or Similar; Console; Mobile Server; Back-end R/O AD; LHS; NAP System; Self Help Site; Enrollment Service; OMA Proxy; CA; Mobile VPN

MDM introduces three new server roles:
- Enrollment Server: proxies requests to enroll devices
- Mobile VPN Server: typically located in the network perimeter; entry point to the corporate network; forwards network and device management communications between a corporate network and its devices
- Device Management Server: based on OMA DM standards

Architecture principles: security first; large-scale distributed solution; transparent compatibility; extensibility and future proofing

Location: Intranet based (domain joined server/service)
Purpose:
- Manage the process flow of enrollment
- Create domain objects
- Create certificates
- Supply provisioning instructions
Other:
- Best practice: protected by a proxy (e.g. ISA)
- Can co-exist on DM Server in an integrated implementation

Enrollment flow diagram (labels only): Create Acct.; Issue Cert; Negotiate SSL Root; Submit Cert Request; Receive Cert; Public DNS Discovery

- Private key and enrollment password never transmitted over the air
- All traffic between client and server uses SSL
- SSL negotiation does not require a public root cert (e.g. VeriSign etc.)
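The slide states two properties of enrollment: the enrollment password (one-time PIN) and the device's private key never cross the wire. The following is an added example written for this page, not code from the deck or from Mobile Device Manager, and it is not MDM's actual wire protocol. It models the idea in plain Python: the device proves knowledge of the PIN with an HMAC over its request rather than sending the PIN, sends only the public half of its key, and the enrollment server enforces single use and a 10-minute PIN lifetime (the lifetime, the request field names, and the SHA-256-derived "public key" and HMAC "certificate signature" stand-ins for a real key pair and CA signature are all assumptions of this example).

```python
import hashlib
import hmac
import secrets
import time

# Assumption for this example: a one-time enrollment PIN is valid for 10 minutes.
PIN_LIFETIME_SECONDS = 600


def derive_public_key(private_key: bytes) -> str:
    """Stand-in for the public half of a device key pair (constructed; a real
    enrollment would carry an RSA/ECC public key inside a certificate request)."""
    return hashlib.sha256(b"public:" + private_key).hexdigest()


def build_enrollment_request(user: str, pin: str, private_key: bytes) -> dict:
    """Client side. Only the public key, a nonce and an HMAC proof leave the
    device; the PIN and the private key are used locally and never sent."""
    public_key = derive_public_key(private_key)
    nonce = secrets.token_hex(16)
    message = f"{user}|{public_key}|{nonce}".encode()
    proof = hmac.new(pin.encode(), message, hashlib.sha256).hexdigest()
    return {"user": user, "public_key": public_key, "nonce": nonce, "proof": proof}


class EnrollmentServer:
    """Intranet enrollment service: issues one-time PINs, checks the proof,
    and issues a (stand-in) certificate bound to the submitted public key."""

    def __init__(self) -> None:
        self._pins = {}                          # user -> {"pin", "issued", "used"}
        self._ca_key = secrets.token_bytes(32)   # stand-in for the CA signing key

    def issue_pin(self, user: str, now=None) -> str:
        """Generate the one-time PIN handed to the user out of band."""
        pin = f"{secrets.randbelow(10**8):08d}"
        issued = now if now is not None else time.time()
        self._pins[user] = {"pin": pin, "issued": issued, "used": False}
        return pin

    def enroll(self, request: dict, now=None):
        """Returns (status, certificate); status is 'ok' or the refusal reason."""
        now = now if now is not None else time.time()
        record = self._pins.get(request["user"])
        if record is None:
            return "unknown-user", None
        if record["used"]:
            return "pin-used", None
        if now - record["issued"] > PIN_LIFETIME_SECONDS:
            return "pin-expired", None
        message = f"{request['user']}|{request['public_key']}|{request['nonce']}".encode()
        expected = hmac.new(record["pin"].encode(), message, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, request["proof"]):
            return "bad-proof", None
        record["used"] = True   # single use: a replayed request is refused
        cert = {"subject": request["user"], "public_key": request["public_key"], "issued": now}
        cert["signature"] = self._sign(cert)
        return "ok", cert

    def _sign(self, cert: dict) -> str:
        body = f"{cert['subject']}|{cert['public_key']}|{cert['issued']}".encode()
        return hmac.new(self._ca_key, body, hashlib.sha256).hexdigest()

    def verify_certificate(self, cert: dict) -> bool:
        """Check the stand-in CA signature over the certificate fields."""
        return hmac.compare_digest(self._sign(cert), cert["signature"])


if __name__ == "__main__":
    server = EnrollmentServer()
    device_private_key = secrets.token_bytes(32)   # stays on the device
    pin = server.issue_pin("alice")
    request = build_enrollment_request("alice", pin, device_private_key)
    print("on the wire:", request)                  # neither the PIN nor the private key
    print("first enrollment:", server.enroll(request)[0])
    print("replayed enrollment:", server.enroll(request)[0])
```

Running the block shows that the request on the wire contains only the user name, the public key, a nonce and the proof, that the first enrollment succeeds, and that replaying the same request is refused because the PIN has been consumed.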

Mobile VPN for both client and server
- Standards based: IPsec Tunnel Mode, MobIKE, IKEv2
- Enables access to corporate resources: LOB, Internet proxy servers

Location: Corporate DMZ (non-domain joined)
Purpose:
- Authenticates incoming connections for authorized devices
- Assigns a stable internal IP address for the device
- Enables fast resume/reconnect features for devices and applications
- Negotiates keys to encrypt traffic over the internet
Other:
- IPsec termination point
- Managed remotely

Double envelope security
User authentications: 1) Certificate 2) NTLM v2 3) Basic Kerberos delegation

Performance
Technical features:
- IPsec Tunnel Mode: aggregate all traffic through a single tunnel with a single NAT/firewall keep-alive
- IKEv2: IETF standard that includes address assignment (unlike IKEv1)
- MobIKE (Mobile IKE): IETF standard for transparent auto recovery of IPsec tunnels without re-negotiation of SAs
Implications: extremely efficient, agile and self-healing connectivity solution

Security
- Double envelope security: VPN technology allows nested secure connections
  - Outer layer: IPsec, IKEv2 tunnel from device to GW
  - Inner layer: end-to-end client-server mechanisms (SSL, IPsec transport, etc.)
- Defense in depth
  - DMZ pre-auth based on device identity and health (not user)
  - End-to-end auth to corporate servers
  - “Four factor” (2x2) authentication
  - Back-end firewall filtering
  - DMZ GW is not a vulnerability point
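The "double envelope" on the slide is an outer device-to-gateway layer (IPsec tunnel, authenticated by device identity) wrapped around an inner end-to-end layer (SSL to the LOB server, authenticated per user). The following is an added example for this page, not code from the deck or from Mobile Device Manager: it replaces both real protocols with a constructed toy envelope (SHA-256 counter keystream plus HMAC tag, encrypt-then-MAC) so the layering itself can be exercised offline. The point it demonstrates is the defense-in-depth claim: the DMZ gateway can authenticate and strip the device layer, dropping anything it cannot authenticate, but never holds the session key and so cannot read what the LOB server receives. The key names, the framing, and the toy cipher are assumptions of this example, not anything the product does.

```python
import hashlib
import hmac
import os

# Toy envelope: SHA-256 counter keystream + HMAC tag (encrypt-then-MAC).
# Constructed stand-in for the two real layers on the slide (IPsec ESP on the
# outside, SSL/TLS on the inside); it is for illustration, not a cipher to deploy.
NONCE_LEN = 16
TAG_LEN = 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt and authenticate; returns nonce || tag || ciphertext."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + tag + ciphertext


def open_envelope(key: bytes, envelope: bytes):
    """Verify the tag before decrypting; returns None when the key is wrong
    or the envelope was modified in transit."""
    if len(envelope) < NONCE_LEN + TAG_LEN:
        return None
    nonce = envelope[:NONCE_LEN]
    tag = envelope[NONCE_LEN:NONCE_LEN + TAG_LEN]
    ciphertext = envelope[NONCE_LEN + TAG_LEN:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))


def device_send(device_key: bytes, session_key: bytes, payload: bytes) -> bytes:
    """Device: inner layer keyed to the LOB server (user session), outer layer
    keyed to the Mobile VPN gateway (device identity)."""
    inner = seal(session_key, payload)
    return seal(device_key, inner)


def gateway_forward(device_key: bytes, outer: bytes):
    """DMZ gateway: authenticates the device envelope and strips it. It never
    obtains the session key, so the inner layer stays opaque to it.
    None means the packet is dropped at the perimeter."""
    return open_envelope(device_key, outer)


def lob_receive(session_key: bytes, inner: bytes):
    """Corporate LOB server: opens the end-to-end layer."""
    return open_envelope(session_key, inner)


if __name__ == "__main__":
    device_key = os.urandom(32)     # stand-in for the device certificate / IKEv2 SA
    session_key = os.urandom(32)    # stand-in for the user's SSL session to the LOB server
    outer = device_send(device_key, session_key, b"GET /orders?customer=42")
    inner = gateway_forward(device_key, outer)
    print("gateway forwards inner layer:", inner is not None)
    print("gateway can read payload:", open_envelope(device_key, inner) is not None)
    print("LOB server reads:", lob_receive(session_key, inner))
```

The gateway's only decision is whether the outer envelope authenticates under a known device key; a packet from an unknown device, or one modified in flight, is dropped before anything reaches the corporate side, which is the "DMZ pre-auth based on device identity" the slide describes.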

Security management:
- Enrollment
- AD domain join
- Wipe
- Policy enforcement
- Service enablement/disablement
- Application deny/allow
- Software distribution
- Inventory and reporting

Location: Intranet based (domain joined server/service)
Purpose:
- Primary administration and management service for all managed devices
- Functional hub for device Group Policy application, device software packages, and device data wipes
- Communicates with existing infrastructure servers, such as domain controllers, CA
- Proxies information and commands between core Windows Servers (AD/CA) and devices
Other:
- OMA-DM compliant

Network diagram (labels only): DMZ; WWAN; Corpnet; Internet

Required:
- Windows Server 2003 SP2 64 bit
- SQL Server 2005
- Active Directory
- Microsoft CA
- Group Policy
Not required:
- Exchange Server (any version)
- Systems Management Server
- System Center
- ISA Server*

Positioning diagram (labels only): Security Management; Device Management; Mobile VPN; SCCM (System Center Configuration Manager); SCMDM (System Center Mobile Device Manager); Std CAL; Ent CAL; Exchange; Mobile Scenarios

Secure Mobile Messaging Only: mobile messaging with high security due to regulatory compliance requirements or internal security policies. Key messages: security management without Exchange Enterprise CAL; integration with AD/GP; inventory and reporting.

LOB Only: rich LOB applications for task workers using ruggedized handhelds with no requirement for mobile messaging. Key messages: Mobile VPN; over-the-air (OTA) app distribution; rich inventory and reporting; app allow/deny.

LOB + Messaging: rich or lightweight LOB applications; could also include high security requirements for mobile messaging. Key messages: Mobile VPN; advanced device management features; security management.

Mobile Messaging Only: mobile messaging and PIM with lowest TCO and baseline security and manageability. Key message: Exchange Standard CAL makes broad deployment straightforward and affordable; Exchange Enterprise CAL adds server-side anti-virus and anti-spam + new management in Exchange Server 2007 SP1.

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.