System Center Mobile Device Manager
Microsoft Exchange Connections, Orlando, 2008 (transcript)
Mobile Device Management for Windows Mobile devices: Exchange 2007 and System Center Mobile Device Manager
John Rhoton, Hewlett Packard
What is MDM?
• Automation
  ● User configuration
  ● Administration
• Standardization
• Remote Support
  ● OTA (Over-the-air)
Agenda
• Enterprise Mobility Status
• Enterprise Challenges
  ● Security
  ● Management
  ● Applications
• Mobile Device Management Approaches
• Mobile Device Management Technologies
But just what is mobility?
Devices:
• Mobility = Mobile phones?
• Mobility = Smart phones?
• Mobility = PDAs?
Wireless:
• Mobility = Wireless LANs?
• Mobility = GSM/GPRS?
Applications:
• Mobility = Form-factor adaptation?
• Mobility = Synchronisation?
Mobility on the rise!
[Chart: year-over-year shipping growth, 2006-2010. Source: Gartner Dataquest and IDC 2006]
• Converged Mobile Phones: 34.1%
• Mobile PCs: 18.6%
• Mobile Phones: 5.8%
• Desktop PCs: 3.9%
• 245 Million converged devices by 2010
• 140 Million Windows Mobile devices
• Over 3 Billion mobile subscriptions
Status of Mobility
• Components Maturing
  ● Exponential growth in mobile devices
  ● Near-ubiquitous wireless access
  ● Application mobilization accelerating
• Hype transforming into stealth
• Enterprise adoption
  ● Organic
  ● Consumer-driven
What customers typically want from mobility
[Diagram labels: Legacy Forms, Workflow, Sheets, Messaging]
Mobile Business Applications
• Industry specific applications (i.e. Mobile construction workforce…)
• Field Sales Automation (SFA)
• Field Force Automation (FFA)
• Paperless Forms (Police Force…)
• Proof of Delivery (Transport)
• Field Service Bundle
• Work Order Mgmt
• Parts & Inventory tracking
• Expense Management
• Asset / Property Management
• Merchandizing / FMCG Sales
• Healthcare, Public safety
• Inspections, Data Capture
• Unified Communications – Fixed Mobile Convergence
• Mobile office (Mail, PIM, Calendar) (Baseline)
• Mobile device management (Baseline)
• Mobile Device security (Optional)
• Shared Mobile Device Management (Baseline)
• Shared MDM Device security (Optional)
• End 2 End security (authentication, encryption, protection…)
Mobility: Challenges
Mobile Content Protection / Access Control Solutions
• Native Pocket PC
• Biometric Authentication
• HP ProtectTools
• Pointsec
• Credant
• TrustDigital
• Utimaco
• Bluefire
Bluetooth security
WLAN security
• WPA/WPA2-Personal
• WPA/WPA2-Enterprise
• Rogue Access Points
• Decoy Access points
Why MDM?
• Security: Ensure integrity of configuration
• Higher ease-of-use
• Deploying line-of-business applications
• Lower TCO
Reduction in Total Cost of Ownership (Cost per User per Year)

Item                 | Cost  | Share | MDM Benefit | Saving | Note
Device Cost          | $250  | 8%    |             |        | Amortized over 2 years
Connectivity (data)  | $900  | 30%   |             |        |
Connectivity (voice) | $800  | 27%   |             |        |
Backend/Ops          | $504  | 17%   | -30%        | -$151  | Setup & operate backend mobile application, change requests
Service Management   | $192  | 6%    | -40%        | -$77   | Setup users, connectivity, user management, change requests
User Support         | $312  | 11%   | -30%        | -$94   |
Total                | $2958 | 100%  | -11%        | -$322  |

Cost reduction per user per year with MDM: $322
Net Reduction in TCO: 11%
Net Reduction in Annual Device Management Costs: 32%
Source: HP & Gartner
Different MDM Approaches
• Extension of Desktop Environment
  ● Altiris
  ● Microsoft SC CM
  ● HP Client Automation
• Comprehensive Solution Suite
  ● Exchange 2007
  ● Good
• Enterprise MDM Focused
  ● Microsoft System Center Mobile Device Manager
  ● iAnywhere Afaria
  ● HP Enterprise Mobility Suite
• Carrier MDM
  ● Intellisync
  ● RIM Blackberry
OMA DM Standard
• Device Management protocol:
  ● Defined by the Open Mobile Alliance (OMA) group
  ● Current specification: 1.2 – April 2006
  ● Based on SyncML
  ● Conceived for Carrier MDM
• Designed for management of mobile devices
  ● Device Provisioning (1st time use)
  ● Device configuration – Enabling/Disabling features
  ● Software distribution
    – Firmware upgrade over the air (FOTA)
      » Firmware Update Management Object (FUMO)
    – Applications deployment on devices
    – Software upgrades
  ● Fault Management: report/query status
Exchange 2007 Service Pack 1: New Exchange ActiveSync Policies
• 30 new policies in SP1
  ● New: Device Control, Application Control, Network Control
  ● Enhanced: Authentication, Synchronization, Encryption
• 33% reduction in bandwidth usage
• Device Wipe
  ● User confirmation for device wipe completion (OWA & Outlook)
  ● Users/Admins can now cancel a device wipe request
Configuring a Mobile Device Security Policy
• If a device does not comply with policies it will not be allowed to synchronize.
• Exchange 2003 pushes policies to all users, enabling individual exemptions
• Exchange 2007 sets policies on an individual or group basis
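Added example, not from the talk: how the per-user and per-group policy assignment described above is done in the Exchange 2007 SP1 Management Shell, using the SP1 device and network controls and the remote wipe with completion notification. The policy names, group name, mailbox, notification address and parameter values are assumptions.

```powershell
# Added example (not from the presentation). Names, mailbox and values are assumptions.
# 1. Create a policy. AllowNonProvisionableDevices $false is the "does not comply ->
#    cannot synchronize" gate: a device that cannot enforce the policy is refused.
New-ActiveSyncMailboxPolicy -Name "FieldForce-Secure" `
    -AllowNonProvisionableDevices $false `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 8 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -RequireDeviceEncryption $true `
    -RequireStorageCardEncryption $true `
    -AllowBluetooth HandsfreeOnly `
    -AllowCamera $false `
    -AllowPOPIMAPEmail $false `
    -AllowUnsignedApplications $false

# 2. Group-based targeting: assign the policy to every mailbox in a distribution group.
Get-DistributionGroupMember -Identity "Field Force" |
    Where-Object { $_.RecipientType -eq "UserMailbox" } |
    ForEach-Object {
        Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy "FieldForce-Secure"
    }

# 3. Individual targeting: one user gets a different (assumed, pre-existing) policy.
Set-CASMailbox -Identity "jdoe" -ActiveSyncMailboxPolicy "Contractor-Basic"

# 4. Check whether each device has applied the policy it was handed.
Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Select-Object DeviceType, DeviceID, DevicePolicyApplied,
                  DevicePolicyApplicationStatus, LastPolicyUpdateTime, IsRemoteWipeSupported

# 5. Remote wipe of a lost device, with the SP1 completion notification. DEVICEID-PLACEHOLDER
#    stands for the real DeviceID from step 4; a pending wipe can be withdrawn with -Cancel.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox "jdoe" |
    Where-Object { $_.DeviceID -eq "DEVICEID-PLACEHOLDER" }
Clear-ActiveSyncDevice -Identity $lost.Identity `
    -NotificationEmailAddresses "itsec@example.com" -Confirm:$false
```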
Exchange ActiveSync Policies: Exchange Server Standard CAL
[Policy matrix slide; color key: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2]
Exchange ActiveSync Policies: Exchange Server Enterprise CAL
[Policy matrix slide; color key: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2]
Outlook Web Access
• User self-service
• Device inventory
• Device log
• Password self-reset
• Device remote-wipe
Device Management Technologies
• Afaria
  ● XcelleNet, Sybase, and now iAnywhere
  ● Mobile Device Management and Mobile Security Solution
  ● Historically market leader in Managed Mobility Solutions
• HP Enterprise Mobility Suite (EMS)
  ● Formerly Bitfone
  ● OMA-DM interoperable
  ● Heterogeneous (multi-platform) device set
  ● Integration with OVCM (OpenView Configuration Manager)
• Microsoft SCMDM
  ● Compliant with OMA DM
  ● Mobile Device Management solution (System Center family)
  ● Based on Windows infrastructure: AD – SQL
  ● Windows Mobile 6.1 devices only
Microsoft SCMDM
Security Management
• Active Directory Domain Join
• Policy enforcement using Active Directory/Group Policy targeting (>125 policies)
• Communications and camera disablement*
• Application blacklisting and whitelisting
• File encryption
• Remote wipe
Device Management
• Full OTA provisioning and bootstrapping
• OTA Software distribution based on WSUS 3.0
• Inventory
• SQL Server 2005 based reporting capabilities
• Role based administration
• MMC snap-ins and PowerShell cmdlets
• OMA-DM compliant
Mobile VPN
• Machine authentication and “double envelope security”
• Session Persistence
• Fast Reconnect
• Internetwork roaming
• Standards based (IKEv2, MobIKE, IPsec tunnel mode)
Management Workload – Deployment: inside firewall
Network Access Workload – Deployment: in DMZ
Security Management Benefits
SCMDM extends Active Directory/Group Policy to Windows Mobile
• AD is the most widely deployed enterprise network directory worldwide
  ● 80%+ penetration in the U.S.
  ● 55%+ penetration in G7 countries overall
• AD-GP is widely used by IT to configure policies for their desktops, laptops and servers
  ● Over 90% of Active Directory customers use Group Policy
• Over 130 configuration settings for Windows Mobile can now be managed through Group Policy, including control of Bluetooth, WIFI, SMS/MMS, IR, Camera, and POP/IMAP
• Extensible architecture
Device Management Benefits
• Enterprise-wide OTA software distribution
  ● Leverages Windows Software Update Service (WSUS) 3.0
  ● Most widely deployed Windows software update solution across organizations of all sizes (60%+ penetration)
  ● Rich targeting and packaging capabilities required by IT departments
• Rich Inventory and Reporting
  ● Robust hardware and software inventory capabilities
  ● SQL Server 2005-based reporting infrastructure
  ● Highly flexible
  ● Customizable
Security: Allows end-to-end security; headless gateway deployed in the DMZ; privacy compliance
Efficiency: Use best available channel; adapt to network to minimize keep-alive traffic (goal)
Extensible: Transparent to mobile application; transparent to LOB services
Reliability: Always connected; allows push technology
Simplicity: Minimum user configuration; transparent to user and to applications
Secured Corporate Data Access
• Enables secure behind-the-firewall access to the corporate network and applications
  ● Any intranet data! (SAP, Siebel, intranet sites, SQL, etc)
• Aligns with existing remote access model for desktops/laptops and scales to a broad set of scenarios
  ● Thin and rich client apps
[Diagram: mobile devices reach the Mobile VPN Gateway in the DMZ over the Internet via mobile operators' cellular data connections or a WiFi connection; the gateway sits between the Corporate External Firewall and the Corporate Internal Firewall, giving controlled access to internal corporate resources (Internal Corporate Site, Domain Controller) from mobile devices connected via Mobile VPN]
SCMDM Architecture
[Diagram: Internet | DMZ (Front Firewall, Mobile GW, Back Firewall) | Corporate Intranet (Mobile Server with Console, Back-end, Enrollment Service, OMA Proxy and Self Help Site; R/O AD; WSUS Catalog; CA; E-mail and LOB Servers). Flows: Initial OTA Device Enrollment with SSL Auth (PIN + Corp Root) to the Enrollment Service; SSL Machine Mutual Auth through the Mobile VPN; SSL User-mutual Auth or similar to the E-mail and LOB Servers]
Server Architecture
• Enrollment Server
  ● Proxies request to enroll device
• Mobile VPN Server
  ● Typically located in the network perimeter
  ● Entry point to corporate network
  ● Forwards network and device management communications between a corporate network and their devices
• Device Management Server
  ● Based on OMA DM standards
  ● Proxies AD/GP to devices
Architecture Principles
• Security first
• Large scale distributed solution
• Transparent compatibility
• Extensibility & future proofing
The Enrollment Server
[Same architecture diagram as above, highlighting the Enrollment Service]
• Create domain objects
• Create certificates
The Enrollment Process
[Diagram labels: Public DNS Discovery; Negotiate SSL Root; Submit Cert Request; Create Acct.; Issue Cert; Receive Cert]
• Private key and Enrollment Password never transmitted over the air
• All traffic between client and server uses SSL
• SSL negotiation does not require public root cert (e.g. VeriSign etc.)
The Mobile VPN
[Same architecture diagram as above, highlighting the Mobile Gateway Server in the DMZ]
• Authenticates incoming connections
• Assigns a stable internal IP address
• Enables fast resume/reconnect
VPN Scenario: LOB Application
[Diagram labels: FW, Mobile VPN, FW, Proxy (ISA), LOB1, LOB2]
• Double envelope security
• User Authentications: 1) Certificate 2) NTLM v2 3) Basic
• Kerberos delegation
Device Management Server
[Same architecture diagram as above, highlighting the Device Management Server]
• Functional hub for device Group Policy application, device software packages, and device data wipes
• Proxies information and commands between core Windows Servers (AD/CA) and devices
Bringing it all together
[Diagram labels: WWAN, Internet, NAT, FW, Mobile VPN, DMZ, FW, Corpnet, Enrollment Server, DM Server, Policy Information]
HP Enterprise Mobility Suite
[Diagram: HP Enterprise Devices (from leading OEM device manufacturers) ↔ WW Wireless Operator Networks (SMS, TCP/IP) ↔ HP Worldwide Hosting Facilities running FusionDM for Enterprise (Device Troubleshooting, Device Security, Policy Mgmt, Asset Mgmt, IT Dash Board; Device Support, S/W Maintenance, WW Network Support) ↔ HTTPS over the Internet ↔ Enterprise existing IT systems: Exchange®, Domino®, Groupwise®; Corporate Directory, Active Directory®; Intranet, CRM, Application Portal]
Self Care Driven
Summary
• Rapid acceleration of Mobility
• Enterprise obstacles: Manageability & Security
• Multiple Mobile Device Management options
• Enterprise requirements will determine optimal choice
  ● Platform standardization
  ● VPN capabilities and LOB applications
  ● OMA-DM
Questions?
Contact me at: [email protected]
Your Feedback is Important
Please fill out a session evaluation form and either put it in the basket near the exit or drop it off at the conference registration desk.
Thank you!