Walter Pitrof Technology Solution Professional Microsoft Switzerland.

- What is new in Windows Mobile 6.1?
- System Center Mobile Device Manager 2008
- Prerequisites
- Architecture
- MDM Enrollment Server
- MDM Device Management Server
- MDM Gateway Server
- Roadmap
- Licensing

- Enterprise control over what software can be installed and run on the device
- Enterprise control over device hardware, with the ability to lock down communications and camera functionality
- Expanded on-device security features for sensitive corporate information

- Expanded policy enforcement with over 125 policies and superior targeting capabilities
- Improved security management through use of Active Directory/Group Policy settings
- Simplified administration, increased monitoring and flexible policy management

Better organized and faster text messaging experience with chat-like text messaging

- Improved exchange of data from one application to another with cut/copy/paste
- Access to full message downloads with POP/IMAP fetch
- Simpler message authoring and addressing with auto-complete
- Access to data within the corporate firewall with Remote Desktop
- More comprehensive on-device productivity with a larger set of Microsoft applications

SCMDM prerequisites:
- Windows Server 2003 Standard or Enterprise Edition (x64)
- Windows Server 2003 Service Pack 2
- IIS 6.0
- ASP.NET Framework, version 2.0
- MMC 3.0
- PowerShell (64-bit version)
- SQL Server 2005 SP2
- WSUS 3.0 SP1
Important: To install the SCMDM 2008 solution in your IT infrastructure, the domain functional level may be set to 2003 if using Windows Server 2003, or configured for native mode on Windows Server 2000 platforms. Mixed mode is not supported for the SCMDM 2008 deployment.

Utilize an enterprise's current Active Directory® structure to deploy and manage Windows Mobile 6.1 devices with:
- Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
- Custom policies that can be created using Active Directory Management Templates

To enroll their devices, users simply need to:
- Access the company's portal for self-service enrollment
- Enter their e-mail address
- Enter a one-time PIN code for enrollment

- Target users in specific Active Directory groups
- Configure mobile applications such that users cannot uninstall them
- Eliminate the need to distribute CAB files via flash drives
- Access powerful reporting systems for reviewing software distribution across a mobile device workforce

Manage and view all Windows Mobile 6.1 devices via a single, convenient interface. With this, IT Pros can now:
- View a broad range of device characteristics, such as device settings, certificates installed and software installed
- Reduce the learning curve, since it is based on the familiar Microsoft Management Console (MMC)

Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
- Disable specific hardware functionality, such as the camera or Bluetooth connectivity
- Remotely wipe security-compromised devices

- Single point of access to the corporate network
- Always-on, security-enhanced wireless communication
- Behind-the-firewall access to business applications

System Center Mobile Device Manager will enable Windows Mobile phones to be deployed and managed (device and security) like PCs and laptops in the IT infrastructure, providing network access to corporate data.

Security Management
- Active Directory Domain Join
- Policy enforcement using Active Directory/Group Policy targeting (>125 policies and settings)
- Communications and camera disablement*
- File encryption
- Application allow and deny
- Remote wipe
- OMA-DM compliant

Device Management
- Single point of management for mobile devices in the enterprise
- Full OTA provisioning and bootstrapping
- OTA software distribution based on WSUS 3.0
- Inventory
- SQL Server 2005 based reporting capabilities
- Role based administration
- MMC snap-ins and PowerShell cmdlets
- WMU On/Off control
- OMA-DM compliant

Mobile VPN
- Machine authentication and "double envelope security"
- Session persistence
- Fast reconnect
- Internetwork roaming
- Standards based (MobIKE, IKEv2, IPsec tunnel mode)

Management workload deployment: inside the firewall
Network access workload deployment: in the DMZ

Enrollment Server
- Proxies requests to enroll devices

Mobile VPN Server
- Typically located in the network perimeter
- Entry point to the corporate network
- Forwards network and device management communications between a corporate network and its devices

Device Management Server
- Based on OMA DM standards
- Proxies AD/GP to devices

Architecture Principles
- Security first
- Large scale distributed solution
- Transparent compatibility
- Extensibility & future proofing

Location: Intranet based (domain joined server/service)
Purpose:
- Manage the process flow of enrollment
- Create domain objects
- Create certificates
- Supply provisioning instructions
Other:
- Best practice: protected by a proxy (e.g. ISA)
- Can co-exist on the DM Server in an integrated implementation

Administrator invokes the enrollment request and sends a One-Time PIN to the end user via an out-of-band mechanism (e-mail, text message, voicemail, etc.), or the user uses the Self-Help Portal to acquire a One-Time PIN. ("Here's your PIN")

User runs the "Enterprise Activation" wizard on the device ("What is your e-mail address?"):
1. Takes the SMTP address and looks for the host MobileEnroll.domain.com.
2. If the host is located, a connection to the Enrollment Server is initiated.
3. If the host is not found, the user is prompted for the FQDN of the Enrollment Server.
4. Session is established over SSL (TCP 443).
5. User is prompted to enter their One-Time PIN.

1. Web Service validates the OTP.
2. If valid, it passes the session on to the Network Service.
3. The OTP now cannot be re-used.
(Diagram: Enrollment Server passes the OTP across to the Web Service; session handed over to the Network Service)

1. AD object (Computer) is created and linked to the User object.
2. Certificate is requested on behalf of the user/device and sent to the mobile device to be stored in the local certificate store.
3. SQL database is updated.
4. Certificate is stored in AD.
(Diagram: Enrollment Server, Domain Controller, Enterprise Certificate Authority, SQL: 1 - create AD object in the Mobile Devices OU; 2 - request machine certificate and send to mobile device; 3 - update SQL database with configuration information; store certificate in AD; link Machine and User objects)

1. Device is now "Domain Joined".
2. SCMDM Client is configured to use the SCMDM Gateway for all future connectivity.
3. Device "knows" the FQDN of the Device Management Server and the PKI chain of trust.
4. IIS session is terminated.
5. Enrollment is complete.
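The enrollment flow above (host discovery from the user's SMTP address, then a One-Time PIN that the Web Service accepts exactly once) can be modelled with the small Python example below. This is added illustration, not SCMDM code; the PIN length, expiry window, and the function and class names are assumptions.

```python
"""Added example (not Microsoft's SCMDM code): a minimal model of the
enrollment flow - host discovery from the SMTP address and single-use
validation of the One-Time PIN (OTP). PIN length and TTL are assumptions."""
import secrets
import time

MOBILE_ENROLL_PREFIX = "MobileEnroll"   # host the wizard looks for first
OTP_DIGITS = 8                          # assumption: 8-digit PIN
OTP_TTL_SECONDS = 8 * 3600              # assumption: PIN valid for 8 hours


def discover_enrollment_host(smtp_address, known_hosts, fqdn_fallback=None):
    """Wizard steps 1-3: derive MobileEnroll.<domain> from the SMTP address;
    if that host is not found, use the FQDN the user was prompted for."""
    domain = smtp_address.rsplit("@", 1)[-1].lower()
    candidate = f"{MOBILE_ENROLL_PREFIX}.{domain}".lower()
    if candidate in {h.lower() for h in known_hosts}:
        return candidate
    if fqdn_fallback:
        return fqdn_fallback.lower()
    raise LookupError("enrollment host not found; user must supply the FQDN")


class OtpStore:
    """Web Service side of the OTP check: a PIN is bound to one user, expires,
    and is consumed on the first successful validation (never re-usable)."""

    def __init__(self, now=time.time):
        self._now = now          # injectable clock so expiry can be tested
        self._pins = {}          # pin -> [user, issued_at, consumed]

    def issue(self, user):
        """Admin or Self-Help Portal issues a PIN; delivery is out of band."""
        pin = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
        self._pins[pin] = [user, self._now(), False]
        return pin

    def validate(self, user, pin):
        """Return True only for a fresh, unexpired PIN issued to this user."""
        entry = self._pins.get(pin)
        if entry is None:
            return False
        owner, issued_at, consumed = entry
        if consumed or owner != user or self._now() - issued_at > OTP_TTL_SECONDS:
            return False
        entry[2] = True          # step 3: the OTP can now never be re-used
        return True
```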

Security
- Allows end-to-end security
- Headless gateway deployed in the DMZ
- Privacy compliance
Efficiency
- Use best available channel
- Adapt to network to minimize keep-alive traffic (goal)
Extensible
- Transparent to mobile application
- Transparent to LOB services
Reliability
- Always connected
- Allows push technology
Simplicity
- Minimum user configuration
- Transparent to user and to applications

Features to help secure behind-the-firewall access to the corporate network and applications: any intranet data (e.g. SAP, Siebel, intranet sites, SQL, ...). Aligns with the existing remote access model for desktops/laptops and scales to a broad set of scenarios.
(Diagram: Mobile Operators / Cellular Data Connection -> Internet -> Corporate External Firewall -> DMZ: Mobile VPN Gateway -> Corporate Internal Firewall -> Internal Corporate Site: Domain Controller; controlled access to internal corporate resources from the mobile devices connected via Mobile VPN)

Location: Corporate DMZ (non-domain joined)
Purpose:
- Authenticates incoming connections for authorized devices
- Assigns a stable internal IP address for the device
- Enables fast resume/reconnect features for devices and applications
- Negotiates keys to encrypt traffic over the internet
Other:
- IPsec termination point
- Managed remotely

Double envelope security
User authentications: 1) Certificate 2) NTLM v2 3) Basic; Kerberos delegation

Security management
- Enrollment
- AD domain join
- Wipe
- Policy enforcement
- Service enablement/disablement
- Application deny/allow
- Software distribution
- Inventory and reporting

Location: Intranet based (domain joined server/service)
Purpose:
- Primary administration and management service for all managed devices
- Functional hub for device Group Policy application, device software packages, and device data wipes
- Communicates with existing infrastructure servers, such as domain controllers and the CA
- Proxies information and commands between core Windows Servers (AD/CA) and devices
Other:
- OMA-DM compliant

(Diagram: DMZ, WWAN, Corpnet, Internet)

“7” Productivity Multi-media Customization Direct Push available for all devices** Advanced Mobile Communications Increased Mobile Productivity Integrated Mobile Business Performance Vision Areas Breakthrough User Experience Great PC Companion Device Next Generation Platform Future Device & Security Management User-Focused Experience Messaging & Productivity

Server/CAL Offerings
- Availability: April 2008
- EA, Select, Open, ISV
- Pricing*: Server License CHF xxxx,-; CAL CHF xx,- (per user or device); SA 25% of license price
- Not in CAL Suite; standalone only at this time; potential for the CAL Suites in the future

SQL Server™ Runtime Offerings
- SCMDM Server w/SQL runtime

*Select C pricing

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.