
Microsoft Exchange Connections, Orlando, 2008


Page 1: System Center Mobile Device Manager

Mobile Device Management for Windows Mobile devices

Exchange 2007

System Center Mobile Device Manager

John Rhoton

Hewlett Packard

[email protected]

Page 2: System Center Mobile Device Manager

What is MDM?

• Automation
  ● User configuration
  ● Administration

• Standardization

• Remote Support
  ● OTA (Over-the-air)

Page 3: System Center Mobile Device Manager

Agenda

• Enterprise Mobility Status

• Enterprise Challenges
  ● Security
  ● Management
  ● Applications

• Mobile Device Management Approaches

• Mobile Device Management Technologies

Page 4: System Center Mobile Device Manager

But just what is mobility?

Devices:
• Mobility = Mobile phones?
• Mobility = Smart phones?
• Mobility = PDAs?

Wireless:
• Mobility = Wireless LANs?
• Mobility = GSM/GPRS?

Applications:
• Mobility = Form-factor adaptation?
• Mobility = Synchronisation?

Page 5: System Center Mobile Device Manager

Mobility on the rise!

(Chart: year-over-year % shipping growth, 2006-2010. Source: Gartner Dataquest and IDC, 2006.)

• Converged Mobile Phones: 34.1%
• Mobile PCs: 18.6%
• Mobile Phones: 5.8%
• Desktop PCs: 3.9%

• 245 Million converged devices by 2010
• 140 Million Windows Mobile devices
• Over 3 Billion mobile subscriptions

Page 6: System Center Mobile Device Manager

Status of Mobility

• Components Maturing
  ● Exponential growth in mobile devices
  ● Near-ubiquitous wireless access
  ● Application mobilization accelerating

• Hype transforming into stealth

• Enterprise adoption
  ● Organic
  ● Consumer-driven

Page 7: System Center Mobile Device Manager

HP Confidential

What customers typically want from mobility

(Diagram: legacy forms, workflow, spreadsheets and messaging feeding the mobile business applications below.)

Mobile Business Applications
• Industry specific applications (i.e. Mobile construction workforce…)
• Field Sales Automation (SFA)
• Field Force Automation (FFA)
• Paperless Forms (Police Force…)
• Proof of Delivery (Transport)
• Field Service Bundle
• Work Order Mgmt
• Parts & Inventory tracking
• Expense Management
• Asset / Property Management
• Merchandizing / FMCG Sales
• Healthcare, Public safety
• Inspections, Data Capture
• Unified Communications – Fixed Mobile Convergence
• Mobile office (Mail, PIM, Calendar) (Baseline)
• Mobile device management (Baseline)
• Mobile Device security (Optional)
• Shared Mobile Device Management (Baseline)
• Shared MDM Device security (Optional)
• End 2 End security (authentication, encryption, protection…)

Page 8: System Center Mobile Device Manager

Mobility: Challenges

Page 9: System Center Mobile Device Manager

Mobile Content Protection: Access Control Solutions

• Native Pocket PC

• Biometric Authentication

• HP ProtectTools

• Pointsec

• Credant

• TrustDigital

• Utimaco

• Bluefire

Page 10: System Center Mobile Device Manager

Bluetooth security

Page 11: System Center Mobile Device Manager

WLAN security

• WPA/WPA2-Personal

• WPA/WPA2-Enterprise

• Rogue Access Points

• Decoy Access Points

Page 12: System Center Mobile Device Manager


Why MDM?

• Security: Ensure integrity of configuration

• Higher ease-of-use

• Deploying line-of-business applications

• Lower TCO

Page 13: System Center Mobile Device Manager

Reduction in Total Cost of Ownership

Cost per User per Year    Cost    Share   MDM Benefit   Saving   Notes
Device Cost               $250    8%      -             -        Amortized over 2 years
Connectivity data         $900    30%     -             -
Connectivity voice        $800    27%     -             -
Backend/Ops               $504    17%     -30%          -$151    Setup & operate backend mobile application, change requests
Service Management        $192    6%      -40%          -$77     Setup users, connectivity, user management, change requests
User Support              $312    11%     -30%          -$94
Total                     $2958   100%    -11%          -$322

Cost reduction per user per year with MDM: $322
Net Reduction in TCO: 11%
Net Reduction in Annual Device Management Costs: 32%

Source: HP & Gartner
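The 11% and 32% figures above are derived from the table rather than stated independently: the saving is the sum of the MDM-benefit lines, 11% is that saving over the full cost base, and 32% is the same saving over the three device-management lines only (Backend/Ops, Service Management, User Support). The script below is an added example, not part of the presentation; it re-runs that arithmetic from the slide's figures so the totals can be checked, and the `managed` flag marking which lines count as device-management cost is this example's own assumption.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class CostLine:
    name: str
    cost: float              # USD per user per year, as on the slide
    mdm_benefit: float = 0.0  # fractional reduction MDM brings (0.30 means -30%)
    managed: bool = False     # assumption: counts as a "device management" cost line


# Figures from the HP & Gartner slide. Device and connectivity costs are
# unaffected by MDM; the three operational lines carry the MDM benefit.
SLIDE_COSTS = [
    CostLine("Device Cost", 250),
    CostLine("Connectivity data", 900),
    CostLine("Connectivity voice", 800),
    CostLine("Backend/Ops", 504, 0.30, managed=True),
    CostLine("Service Management", 192, 0.40, managed=True),
    CostLine("User Support", 312, 0.30, managed=True),
]


def tco_summary(lines):
    """Recompute the slide's totals: per-line share, total saving and both reduction percentages."""
    total = sum(line.cost for line in lines)
    saving = sum(line.cost * line.mdm_benefit for line in lines)
    managed_total = sum(line.cost for line in lines if line.managed)
    return {
        "total": total,
        "saving": round(saving),
        "share_pct": {line.name: round(100 * line.cost / total) for line in lines},
        "saving_per_line": {line.name: round(line.cost * line.mdm_benefit)
                            for line in lines if line.mdm_benefit},
        "net_tco_reduction_pct": round(100 * saving / total),
        "mgmt_cost_reduction_pct": round(100 * saving / managed_total),
    }


if __name__ == "__main__":
    for key, value in tco_summary(SLIDE_COSTS).items():
        print(f"{key}: {value}")
```

Running it reproduces the slide: total $2958, saving $322, 11% net TCO reduction and 32% reduction in device-management cost (the $1008 managed base).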

Page 14: System Center Mobile Device Manager

Different MDM Approaches

• Extension of Desktop Environment
  ● Altiris
  ● Microsoft SC CM
  ● HP Client Automation

• Comprehensive Solution Suite
  ● Exchange 2007
  ● Good

• Enterprise MDM Focused
  ● Microsoft System Center Mobile Device Manager
  ● iAnywhere Afaria
  ● HP Enterprise Mobility Suite

• Carrier MDM
  ● Intellisync
  ● RIM Blackberry

Page 15: System Center Mobile Device Manager

OMA DM Standard

• Device Management protocol:
  ● Defined by the Open Mobile Alliance (OMA) group
  ● Current specification: 1.2 – April 2006
  ● Based on SyncML
  ● Conceived for Carrier MDM

• Designed for management of mobile devices
  ● Device Provisioning (1st time use)
  ● Device configuration – Enabling/Disabling features
  ● Software distribution
    – Firmware upgrade over the air (FOTA)
      » Firmware Update Management Object (FUMO)
    – Applications deployment on devices
    – Software upgrades
  ● Fault Management: report/query status

Page 16: System Center Mobile Device Manager

Exchange 2007 Service Pack 1: New Exchange ActiveSync Policies

• 30 new policies in SP1
  ● New: Device Control, Application Control, Network Control
  ● Enhanced: Authentication, Synchronizations, Encryption

• 33% reduction in bandwidth usage

• Device Wipe
  ● User confirmation for device wipe completion (OWA & Outlook)
  ● Users/Admins can now cancel a device wipe request

Page 17: System Center Mobile Device Manager

Configuring a Mobile Device Security Policy

• If a device does not comply with policies it will not be allowed to synchronize.

• Exchange 2003 pushes policies to all users, enabling individual exemptions

• Exchange 2007 sets policies on an individual or group basis
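The rule on this slide is the core of the ActiveSync security model: the server evaluates what the device reports about itself against the assigned policy, and a non-compliant device is refused synchronization rather than merely warned. The code below is an added example that models that decision, not code from the presentation or from Exchange; the policy fields, the device-state fields and the `select_policy` priority scheme are this example's own simplifications. It handles the two cases a practitioner has to think about: a device that fails one or more settings, and a device that cannot enforce policy at all (which is only admitted when the policy explicitly allows non-provisionable devices). It also shows the Exchange 2007 style of assigning policies per group instead of to every user.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class SyncPolicy:
    """Subset of the device settings an ActiveSync-style mailbox policy can require (assumed fields)."""
    password_required: bool = True
    min_password_length: int = 4
    alphanumeric_required: bool = False
    encryption_required: bool = False
    max_inactivity_minutes: Optional[int] = 15   # None = no lock timeout required
    allow_non_provisionable: bool = False        # admit devices that cannot enforce policy


@dataclass
class DeviceState:
    """What the device reports about itself when it provisions (constructed sample fields)."""
    device_id: str
    supports_provisioning: bool = True
    password_set: bool = False
    password_length: int = 0
    password_alphanumeric: bool = False
    storage_encrypted: bool = False
    inactivity_minutes: Optional[int] = None
    acknowledged_policy: bool = False            # device confirmed it applied the current policy


def evaluate_sync(policy: SyncPolicy, device: DeviceState) -> Tuple[bool, List[str]]:
    """Return (allowed, violations); an empty violation list means the device may synchronize."""
    if not device.supports_provisioning:
        if policy.allow_non_provisionable:
            return True, []
        return False, ["device cannot enforce policy and non-provisionable devices are not allowed"]
    violations: List[str] = []
    if policy.password_required:
        if not device.password_set:
            violations.append("device password not set")
        elif device.password_length < policy.min_password_length:
            violations.append(f"password shorter than {policy.min_password_length} characters")
        if policy.alphanumeric_required and not device.password_alphanumeric:
            violations.append("alphanumeric password required")
    if policy.encryption_required and not device.storage_encrypted:
        violations.append("device storage not encrypted")
    if policy.max_inactivity_minutes is not None and (
            device.inactivity_minutes is None
            or device.inactivity_minutes > policy.max_inactivity_minutes):
        violations.append(f"inactivity lock must be <= {policy.max_inactivity_minutes} minutes")
    if not device.acknowledged_policy:
        violations.append("device has not acknowledged the current policy")
    return not violations, violations


def select_policy(user_groups: Set[str], group_policies: Sequence[Tuple[str, SyncPolicy]],
                  default: SyncPolicy) -> SyncPolicy:
    """Exchange 2007-style targeting (simplified): the first (group, policy) pair in priority
    order that matches one of the user's groups wins; otherwise the default policy applies."""
    for group, policy in group_policies:
        if group in user_groups:
            return policy
    return default


if __name__ == "__main__":
    strict = SyncPolicy(min_password_length=6, encryption_required=True)
    device = DeviceState("dev-demo", password_set=True, password_length=4, acknowledged_policy=True)
    allowed, reasons = evaluate_sync(strict, device)
    print("sync allowed" if allowed else "sync refused: " + "; ".join(reasons))
```

The list of violations is worth returning alongside the verdict: it is what the helpdesk needs when a user reports that mail has stopped arriving, and it is what an audit log of refused synchronizations should carry.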

Page 18: System Center Mobile Device Manager

Exchange ActiveSync Policies: Exchange Server Standard CAL

(Table of policies, colour-keyed by the release that introduced each: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2.)

Page 19: System Center Mobile Device Manager

Exchange ActiveSync Policies: Exchange Server Enterprise CAL

(Table of policies, colour-keyed by the release that introduced each: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2.)

Page 20: System Center Mobile Device Manager

Outlook Web Access

• User self-service


Page 21: System Center Mobile Device Manager

Outlook Web Access (2)

• Device inventory

• Device log


Page 22: System Center Mobile Device Manager

Outlook Web Access (3)

• Password self-reset

• Device remote-wipe


Page 23: System Center Mobile Device Manager

Device Management Technologies

• Afaria
  ● XcelleNet, Sybase, and now iAnywhere
  ● Mobile Device Management and Mobile Security Solution
  ● Historically market leader in Managed Mobility Solutions

• HP Enterprise Mobile Suite (EMS)
  ● Formerly Bitfone
  ● OMA-DM interoperable
  ● Heterogeneous (multi-platform) device set
  ● Integration with OVCM (OpenView Configuration Manager)

• Microsoft SCMDM
  ● Compliant with OMA DM
  ● Mobile Device Management solution (System Center family)
  ● Based on Windows infrastructure: AD – SQL
  ● Windows Mobile 6.1 devices only

Page 24: System Center Mobile Device Manager

Microsoft SCMDM

Security Management
• Active Directory Domain Join
• Policy enforcement using Active Directory/Group Policy targeting (>125 policies)
• Communications and camera disablement*
• Application blacklisting and whitelisting
• File encryption
• Remote wipe

Device Management
• Full OTA provisioning and bootstrapping
• OTA Software distribution based on WSUS 3.0
• Inventory
• SQL Server 2005 based reporting capabilities
• Role based administration
• MMC snap-ins and PowerShell cmdlets
• OMA-DM compliant

Mobile VPN
• Machine authentication and “double envelope security”
• Session Persistence
• Fast Reconnect
• Internetwork roaming
• Standards based (IKEv2, MobIKE, IPsec tunnel mode)

Management Workload – Deployment: inside firewall

Network Access Workload – Deployment: in DMZ

Page 25: System Center Mobile Device Manager

Security Management Benefits

SCMDM extends Active Directory/Group Policy to Windows Mobile

• AD is the most widely deployed enterprise network directory worldwide
  ● 80% + penetration in the U.S.
  ● 55% + penetration in G7 countries overall

• AD-GP is widely used by IT to configure policies for their desktops, laptops and servers
  ● Over 90% of Active Directory customers use Group Policy

• Over 130+ configuration settings for Windows Mobile can now be managed through Group Policy including control of Bluetooth, WIFI, SMS/MMS, IR, Camera, and POP/IMAP

• Extensible architecture

Page 26: System Center Mobile Device Manager

Device Management Benefits

• Enterprise-wide OTA software distribution
  ● Leverages Windows Software Update Service (WSUS) 3.0
    – Most widely deployed Windows software update solution across organizations of all size (60%+ penetration)
    – Rich targeting and packaging capabilities required by IT departments

• Rich Inventory and Reporting
  ● Robust hardware and software inventory capabilities
  ● SQL Server 2005-based reporting infrastructure
    – Highly flexible
    – Customizable

Page 27: System Center Mobile Device Manager

Secured Corporate Data Access

• Enables secure behind-the-firewall access to the corporate network and applications
  ● Any intranet data! (SAP, Siebel, intranet sites, SQL, etc)

• Aligns with existing remote access model for desktops/laptops and scales to a broad set of scenarios
  ● Thin and rich client apps

Design goals:
• Security: allows end-to-end security; headless gateway deployed in the DMZ; privacy compliance
• Efficiency: use best available channel; adapt to network to minimize keep-alive traffic (goal)
• Extensible: transparent to mobile application; transparent to LOB services
• Reliability: always connected; allows push technology
• Simplicity: minimum user configuration; transparent to user and to applications

(Diagram: mobile devices reach the Mobile VPN Gateway over the Internet, via mobile operator cellular data or a WiFi connection. The gateway sits in the DMZ between the Corporate External Firewall and the Corporate Internal Firewall, giving controlled access to internal corporate resources, including the Domain Controller at the internal corporate site, for devices connected via Mobile VPN.)

Page 28: System Center Mobile Device Manager

SCMDM Architecture

(Diagram, left to right: Internet | Front Firewall | DMZ | Back Firewall | Corporate Intranet.)

• Internet side: Initial OTA Device Enrollment, secured by SSL Auth (PIN + Corp Root); Mobile VPN, secured by SSL Machine Mutual Auth

• DMZ: Mobile GW

• Corporate Intranet: Mobile Server (Console, Back-end, Enrollment Service, OMA Proxy, Self Help Site), AD (R/O), WSUS Catalog, CA, and the E-mail and LOB Servers, reached with SSL User-mutual Auth or similar

Page 29: System Center Mobile Device Manager

Server Architecture

• Enrollment Server
  ● Proxies request to enroll device

• Mobile VPN Server
  ● Typically located in the network perimeter
  ● Entry point to corporate network
  ● Forwards network and device management communications between a corporate network and their devices

• Device Management Server
  ● Based on OMA DM standards
  ● Proxies AD/GP to devices

Architecture Principles
• Security first
• Large scale distributed solution
• Transparent compatibility
• Extensibility & future proofing

Page 30: System Center Mobile Device Manager

The Enrollment Server

(Same SCMDM architecture diagram as Page 28, with the Enrollment Service highlighted.)

• Create domain objects
• Create certificates

Page 31: System Center Mobile Device Manager

The Enrollment Process

(Diagram of the enrollment flow, with the steps: Create Acct., Issue Cert, Negotiate SSL Root, Submit Cert Request, Receive Cert, Public DNS Discovery.)

• Private key and Enrollment Password never transmitted over the air

• All traffic between client and server uses SSL

• SSL negotiation does not require public root cert (e.g. VeriSign etc.)
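The first bullet is the property worth verifying in any enrollment design: the device keeps the key it generates, and the enrollment password is proved rather than sent. The model below is an added example, not SCMDM's protocol or message format; it uses HMAC-SHA256 as a stand-in for the real key pair, certificate request and CA signature (SCMDM uses X.509 certificates), and the account pre-creation, one-time password and proof-of-possession scheme are this example's own assumptions. What it demonstrates is checkable: every message that crosses the constructed air interface is captured, and the test confirms that neither the private key nor the enrollment password ever appears in the capture, that a replayed request is refused once the password has been consumed, and that a tampered certificate fails verification.

```python
import hashlib
import hmac
import json
import os


class AirInterface:
    """Constructed capture of every message that crosses the air link."""

    def __init__(self):
        self.messages = []

    def send(self, message):
        self.messages.append(json.dumps(message, sort_keys=True))
        return message

    def leaked(self, secret):
        """True if the secret (hex or text) appears verbatim in any captured message."""
        return any(secret in m for m in self.messages)


def _mac(key, payload):
    # HMAC-SHA256 over canonical JSON; stand-in for the real signatures and proofs
    return hmac.new(key.encode(), json.dumps(payload, sort_keys=True).encode(),
                    hashlib.sha256).hexdigest()


class Device:
    def __init__(self, device_id, enrollment_password):
        self.device_id = device_id
        self._enrollment_password = enrollment_password   # typed in by the user, kept local
        self._private_key = os.urandom(32).hex()           # generated on the device, kept local
        # stand-in for the public half of the key pair (derived one way, never the private key)
        self.public_key = hashlib.sha256(("pub:" + self._private_key).encode()).hexdigest()
        self.certificate = None

    def certificate_request(self, air):
        body = {"device": self.device_id, "public_key": self.public_key}
        # proof of possession: a MAC keyed with the enrollment password, not the password itself
        return air.send({**body, "proof": _mac(self._enrollment_password, body)})


class EnrollmentServer:
    def __init__(self):
        self._ca_key = os.urandom(32).hex()   # stand-in for the issuing CA's signing key
        self._pending = {}                    # device_id -> one-time enrollment password

    def create_account(self, device_id):
        """Admin side: pre-create the device account; the password reaches the user out of band."""
        password = os.urandom(6).hex()
        self._pending[device_id] = password
        return password

    def handle_request(self, request, air):
        password = self._pending.pop(request.get("device"), None)   # single use: no replay
        if password is None:
            return air.send({"error": "no pending enrollment for device"})
        body = {k: v for k, v in request.items() if k != "proof"}
        if not hmac.compare_digest(_mac(password, body), request.get("proof", "")):
            return air.send({"error": "enrollment password proof failed"})
        cert = {"subject": request["device"], "public_key": request["public_key"]}
        cert["signature"] = _mac(self._ca_key, cert)
        return air.send({"certificate": cert})

    def verify_certificate(self, cert):
        unsigned = {k: v for k, v in cert.items() if k != "signature"}
        return hmac.compare_digest(_mac(self._ca_key, unsigned), cert.get("signature", ""))


def enroll(device_id, server, air):
    """Run one enrollment end to end and return the enrolled device."""
    password = server.create_account(device_id)   # delivered out of band, never via `air`
    device = Device(device_id, password)
    response = server.handle_request(device.certificate_request(air), air)
    device.certificate = response.get("certificate")
    return device


if __name__ == "__main__":
    air, server = AirInterface(), EnrollmentServer()
    device = enroll("dev-001", server, air)
    print("enrolled:", device.certificate is not None,
          "| private key on air:", air.leaked(device._private_key),
          "| password on air:", air.leaked(device._enrollment_password))
```

The one-time password is the detail to carry over to a real deployment: once consumed it cannot be replayed to obtain a second certificate for the same device name, which is why `_pending.pop` runs before the proof is even checked.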

Page 32: System Center Mobile Device Manager

The Mobile VPN

(Same SCMDM architecture diagram as Page 28, with the Mobile Gateway Server highlighted.)

• Authenticates incoming connections
• Assigns a stable internal IP address
• Enables fast resume/reconnect

Page 33: System Center Mobile Device Manager

VPN Scenario: LOB Application

(Diagram: device → FW → Mobile VPN → FW → Proxy (ISA) → LOB1 / LOB2, with Kerberos delegation from the proxy to the LOB servers.)

Double envelope security

User Authentications:
1) Certificate
2) NTLM v2
3) Basic

Kerberos delegation

Page 34: System Center Mobile Device Manager

Device Management Server

(Same SCMDM architecture diagram as Page 28, with the Device Management Server highlighted.)

• Functional hub for device Group Policy application, device software packages, and device data wipes
• Proxies information and commands between core Windows Servers (AD/CA) and devices

Page 35: System Center Mobile Device Manager

Bringing it all together

(Diagram: device on the WWAN → Internet → NAT → FW → Mobile VPN in the DMZ → FW → Corpnet, where the DM Server, Enrollment Server and Policy Information reside.)

Page 36: System Center Mobile Device Manager

HP Enterprise Mobility Suite: FusionDM for Enterprise

(Diagram: HP Enterprise Devices from leading OEM device manufacturers reach HP Worldwide Hosting Facilities over WW wireless operator networks using SMS and TCP/IP; the hosting facilities connect to the Enterprise and its existing IT systems over the Internet via HTTPS.)

HP Worldwide Hosting Facilities:
• Device Support
• S/W Maintenance
• WW Network Support

FusionDM for Enterprise:
• Device Troubleshooting
• Device Security
• Policy Mgmt
• Asset Mgmt
• IT Dash Board

Existing IT Systems:
• Exchange®, Domino®, Groupwise®
• Corporate Directory, Active Directory®
• Intranet, CRM, Application Portal

Page 37: System Center Mobile Device Manager

Self Care Driven


Page 38: System Center Mobile Device Manager

Summary

• Rapid acceleration of Mobility

• Enterprise obstacles: Manageability & Security

• Multiple Mobile Device Management options

• Enterprise requirements will determine optimal choice
  ● Platform standardization
  ● VPN capabilities and LOB applications
  ● OMA-DM

Page 39: System Center Mobile Device Manager

Questions?

Contact me at: [email protected]

Page 40: System Center Mobile Device Manager

Your Feedback is Important

Please fill out a session evaluation form and either put them in the basket near

the exit or drop them off at the conference registration desk.

Thank you!