Product Reference Guide


Table of Contents

Introduction
    Security Management
    Device Management
    Mobile VPN
Understanding the System Center Mobile Device Manager 2008 Market
Licensing System Center Mobile Device Manager 2008
Understanding the System Center Mobile Device Manager 2008 Infrastructure
How System Center Mobile Device Manager 2008 Works
    Device Enrollment
    Mobile VPN
    Device Management
The Mobile Device Manager Client
System Center Mobile Device Manager 2008 Deployment Topology
Using with Key IT Services
Security Management
    Active Directory Domain Join
    Policy Enforcement Using Active Directory/Group Policy Targeting
    Communications and Camera Disablement
    File Encryption
    Application Disablement and Enablement
    Remote Wipe
    OMA DM Compliance
Device Management
    Single Point of Management for Mobile Devices
    Full OTA Provisioning and Bootstrapping
    OTA Software Distribution Based on WSUS
    Inventory and Reporting Capabilities
    Role based Administration
    Self-Help Portal
    Highly Scalable Architecture
    MMC Snap-ins and Windows PowerShell Cmdlets
    Control of Updates Delivered via Windows Mobile Update for Windows Mobile
Mobile VPN
    Machine authentication and double envelope security
    Session Persistence and Fast Reconnect
    Inter-network Roaming
    Standards based Security Model
System Center Mobile Device Manager 2008 Policy
    Password Policies
    Platform Lockdown
    Application Disablement
    Security Policies
    Device Encryption
    Mobile VPN Key Exchange Algorithms
    Software Distribution
    ActiveSync
    ActiveSync Peak and Off-peak
    S/MIME
Appendix A: Inventory Information
Appendix B: Glossary
Appendix C: Hardware and Software Requirements
    Software Requirements
    Administrator Tools
    Hardware

Introduction

Microsoft System Center Mobile Device Manager 2008 is a comprehensive management solution that enables efficient control of Windows Mobile devices by providing more reliable, low-cost and consistent manageability within your existing Microsoft infrastructure, and security enhanced access to the corporate network. The Mobile Device Manager solution helps make Windows Mobile devices first-class citizens in the IT infrastructure by helping IT Professionals address evolving needs around security and management while connecting end users to the information they need, where and when they need it.

IT Professionals need an end-to-end solution to help secure and manage Windows Mobile devices similar to solutions for the desktop environment today. IT Professionals also need a single point of security enhanced access to enable line-of-business (LOB) applications and end-user access to corporate information from Windows Mobile devices. For IT Professionals, Mobile Device Manager delivers on three core areas: security management, device management and security enhanced access.

Please note that all information in this document is subject to change.

Security Management

System Center Mobile Device Manager 2008 empowers IT Professionals with a robust security management platform for Windows Mobile devices that works with Active Directory, the most widely deployed enterprise network directory in the world. Windows Mobile devices have broad policy enforcement, with over 125 policies and superior targeting capabilities. IT Professionals have the ability to lock down communications and camera functionality and exercise more control over the software that can be installed and run on the device. Mobile Device Manager helps enhance the security of Windows Mobile devices, with expanded on-device encryption of sensitive corporate information and better mechanisms to help prevent theft or loss of corporate data.

Device Management

System Center Mobile Device Manager 2008 provides IT Professionals with a simple and comprehensive Windows Mobile device management solution to distribute software and understand device inventory in a complex organizational environment. This infrastructure is designed to reduce costs and complexities through a highly scalable and more reliable architecture. This architecture helps provide scalable and cost-effective device enrollment through over-the-air (OTA) provisioning and bootstrapping. Mobile Device Manager provides IT Professionals with improved visibility of devices in the enterprise through rich inventory and reporting tools based on Microsoft SQL Server 2005; device management is streamlined with role-based administration, MMC snap-ins, and Microsoft Windows PowerShell cmdlets. Enterprises are able to rapidly distribute productivity tools and software through over-the-air software distribution based on proven Microsoft technologies, such as Windows Software Update Services (WSUS) 3.0. Mobile Device Manager is fully Open Mobile Alliance Device Management (OMA DM) 1.3 compliant, as well.

Mobile VPN

System Center Mobile Device Manager 2008 helps deliver increased worker productivity with a single point for security enhanced, behind-the-firewall access to corporate data and LOB applications from Windows Mobile devices through a Mobile VPN optimized for the mobile environment. The Windows Mobile platform provides a rich environment for a broad range of LOB applications, through a cost-effective and easy-to-use platform. Mobile Device Manager offers a mobile-optimized VPN to help ensure a consistent user experience with session persistence and fast reconnect in the event of a loss of transmission. Furthermore, data is accessed with enhanced security thanks to machine authentication and double envelope security. Mobile Device Manager ensures throughput and helps optimize battery life through the fast reconnect mechanism and session persistence. Enterprises have flexibility and greater choice in deployment, as Mobile Device Manager uses a standards based architecture. System Center Mobile Device Manager 2008 is designed to provide a seamless end-user experience across different data connection environments, as users may access their corporate assets over the Windows Mobile device's cellular or Wi-Fi connection.

Understanding the System Center Mobile Device Manager 2008 Market

There is strong growth for mobile devices in the business market, based on deeper penetration of mobile messaging, and convergence with mobile LOB applications. IT Professionals are demanding the ability to align their mobile device and laptop strategies, provide generalized access infrastructure for both wireless, personal information manager (PIM), and LOB applications, and manage mobile devices like laptop computers, with no compromises for managing corporate data or the corporate network.

Mobile Device Manager is designed to provide significant benefits for upper mid-market through large enterprise customers, who use a Windows Server infrastructure, and who may have a Microsoft Exchange Server 2003 SP2 or later server. It is important to note that Mobile Device Manager does not require Exchange Server, but does require Microsoft Windows Server 2003 SP2 or later.

System Center Mobile Device Manager's features and benefits are designed to align closely with key customer priorities for a comprehensive server solution for management of Windows Mobile devices. For business decision makers, Mobile Device Manager offers the potential for enhanced end-user productivity, scalable and reliable device inventory and procurement, and lower support costs and total cost of ownership (TCO). Mobile Device Manager provides IT Professionals with security enhanced data and network access, a manageable and scalable IT infrastructure, and a standardized end-to-end solution that works with existing systems. End users have access to corporate data and information, a dependable and robust phone experience, and the benefits of superior productivity, including unified communications, all on the Windows Mobile platform with System Center Mobile Device Manager.

Licensing System Center Mobile Device Manager 2008

System Center Mobile Device Manager 2008 follows licensing rules described in the Server/Client Access License (CAL) section in Microsoft Licensing Product Use Rights. Mobile Device Manager requires a server license for the management server and a CAL for each applicable managed user or device. The table below lists offerings available for System Center Mobile Device Manager.

Microsoft System Center Mobile Device Manager 2008

Offering: Microsoft System Center Mobile Device Manager 2008 Server License
Features: Permits one copy of Microsoft System Center Mobile Device Manager 2008 server software to be installed on one management server.

Offering: Microsoft System Center Mobile Device Manager 2008 user Client Access License (CAL)
Features: Permits one user's mobile devices to be managed by Microsoft System Center Mobile Device Manager.

Offering: Microsoft System Center Mobile Device Manager 2008 device Client Access License (CAL)
Features: Permits one device (mobile phone, handheld computer, pager, telephone, personal digital assistant, scanner, or other electronic device) to be managed by System Center Mobile Device Manager.

Offering: Microsoft System Center Mobile Device Manager 2008 with Microsoft SQL Server 2008 Technology Standard Edition (To be finalized)
Features: Permits one copy of Microsoft System Center Mobile Device Manager 2008 server software to be installed on a single server and permits one copy of Microsoft SQL Server 2008 Technology to be used exclusively in support of the System Center Mobile Device Manager 2008 primary site server.

System Center Mobile Device Manager 2008 requires Windows Server 2003 R2 and Microsoft SQL Server 2005 or later, to support its operational activities. Mobile Device Manager ships with Microsoft SQL Server 2008 Express Edition. For larger deployments of Mobile Device Manager, SQL Server 2008 Standard Edition is available separately or Mobile Device Manager 2008 with SQL Server 2008 technology is also available. The SQL Server technology in the latter may only be used to support System Center Mobile Device Manager.

Understanding the System Center Mobile Device Manager 2008 Infrastructure

In addition to the Mobile Device Manager enabled Windows Mobile device, System Center Mobile Device Manager comprises four main system components:

- One or more gateway (GW) servers
- One or more device management (DM) servers
- Enrollment (EN) server
- Microsoft SQL Server 2005 databases (DBs)

Figure 1 provides a high-level overview of how these components work with existing IT infrastructure to provide an authenticated connection to LOB applications and to managed group policy and application packages.

Figure 1. System Center Mobile Device Manager system overview

These Mobile Device Manager components are discussed in the following list:

Gateway (GW) Server. The GW server typically is located in the perimeter network, also known as the demilitarized zone (DMZ) or screened subnet. This server provides the ingress for managed device sessions, and also forwards network and device management communications between the organization's network and the device. The GW server provides the end point for the device's network connection that:

- Authenticates incoming connections for authorized devices
- Allocates the device a stable IP address (to enable Direct Push technology updates and support application persistence)
- Enables fast resume/reconnect features for devices and applications
- Negotiates keys to encrypt traffic over the Internet

Device Management (DM) Server. The DM server is the primary administration and management service for all devices enrolled in the Mobile Device Manager solution. The DM server is the functional hub for device group policy application, device software packages, and device data wipes. This server communicates with existing infrastructure servers, such as domain controllers, and manages the translation of information and commands between the Mobile Device Manager servers and Windows Mobile devices.

[Figure: Add Gateway Wizard, Introduction page]

Enrollment (EN) Server. This server manages the process of requesting and retrieving security certificates for devices and of creating the Active Directory Domain Service objects that will represent these devices. Using these objects, it is possible to manage the devices as if they were members of a domain. The process uses a one-time password to perform security enhanced enrollment over un-trusted connections, such as the Internet and mobile data networks. This role enables users to enroll their devices while on the go, without connecting the devices to a computer or having physical access to the corporate network. The enrollment service can be run on a separate server for greater scalability. The EN server helps ensure that both the device and the server are mutually authenticated prior to accepting or issuing enrollment certificates. The EN server uses Active Directory to provide the identity store.

Databases (DBs). The services on the DM server and EN server maintain databases for managing device configuration, tasks, and status settings. These SQL Server databases are pivotal in managing the configuration and updating of mobile clients.

How System Center Mobile Device Manager 2008 Works

This section describes how a Windows Mobile device connects to the System Center Mobile Device Manager 2008 server. There are three main processes that we will discuss in this section: device enrollment, Mobile VPN, and device management.

1. Device Enrollment. Before a device can use Mobile Device Manager to connect to the corporate intranet, it goes through a process of authentication and provisioning that helps to ensure that it is a recognized and verified member of an organization's Active Directory domain. As with any PC or server, membership in the domain equals manageability. This process is reversed through Mobile Device Manager's ability to revoke enrollment.
2. Mobile VPN. This is the authenticated and encrypted connection established between a Windows Mobile device and the GW server. Once in place, all network traffic from the device travels via a Mobile VPN through a WWAN or Wi-Fi connection, to the gateway (GW) server.
3. Device Management. A device can communicate with the DM server after it successfully negotiates the authenticated network access connection with the GW server. This communication allows the server to gather information about the device and then push the appropriate group policy settings and software packages out to it.

The following sections describe these key processes in detail.

Device Enrollment

The Enrollment server role is the Mobile Device Manager component that helps provide a more secure over-the-air (OTA) process for requesting and retrieving certificates for mobile devices and for creating the Active Directory objects through which the device itself may be considered domain joined. The Mobile Device Manager solution is designed to be resilient against man-in-the-middle and spoofing attacks; to achieve this, it uses shared-secret encryption to perform security enhanced enrollment over typically non-secure connections, such as public General Packet Radio Service (GPRS) or other mobile data networks. Users can enroll their devices while on the go without having to cradle their devices with a PC or without having physical access to the corporate network.

The enrollment process establishes the Windows Mobile device as a known and authenticated object in the Active Directory Domain Service, so that it may connect to the GW server. Figure 4 provides an overview of the components involved in the enrollment process:

Figure 4. Device enrollment

The steps in the device-enrollment process help provide a verified and security enhanced enrollment into the Mobile Device Manager-managed system:

1. The administrator uses a wizard to create a new device-enrollment request.
2. This process generates a one-time enrollment password that must be shared in an out-of-band manner with the user of the device that is to be enrolled. The PIN is, by design, one-time only, and has a limited lifetime (the default lifetime is 8 hours).
3. The user starts an enrollment wizard on the device and provides his/her address, which is used by the wizard to connect to the EN server. If the address for the EN server is not discovered, the user will be prompted for the server URL.
4. The enrollment wizard contacts the EN server and requests the Enterprise Trust Root Certificate.
5. The enrollment wizard authenticates the server response by verifying that the returned data was derived from the one-time enrollment password and the Enterprise Trust Root Certificate.
6. The enrollment wizard generates a certificate request and sends it to the EN server, along with a hash generated from the one-time enrollment password and the certificate request.
7. The EN server then creates an Active Directory Domain Service computer account for the device, and the machine certificate is issued based on the certificate request received from the device. The EN server then creates a link between this certificate and the device object in the Active Directory Domain Service.
8. The machine certificate is returned to the device, completing the process. The device then disconnects from the EN server.

Completing these enrollment steps enables a device to be authenticated to a GW server and become a managed device.

Mobile VPN

Once a device successfully completes the enrollment process, it will be allowed to connect to the GW server to access the organization's internal network resources. Providing intranet access will require publishing those resources on the rear firewall. The necessary connection is created using the Mobile VPN client on the Windows Mobile device. This client uses IPSec to authenticate and encrypt data passed between the devices and the GW server. Figure 5 illustrates the process of creating the connection to the GW server from the device.

Figure 5. Mobile VPN

The Windows Mobile device must create an IPSec tunnel to the GW server in order to access the organization's internal resources. The following steps are required:

1. The device initiates a connection request via the Mobile VPN client software included in the Mobile Device Manager client for Windows Mobile devices.
2. The GW server receives the connection request; an IPSec and Internet Key Exchange Protocol version 2 (IKEv2) or IKEv2 Mobility and Multihoming (MOBIKE) protocol negotiation starts between the server and the device to negotiate the Mobile VPN connection parameters.
3. During this negotiation, the GW server authenticates the device by checking with the Certification Authority that the machine certificate of the device is valid and not revoked.
4. The device checks the GW server's machine certificate to help ensure it is trusted.
5. If these checks are completed successfully, the device and server will have authenticated themselves.
6. At this point, the device requests or renews a virtual IP address from the GW server. The server first checks that this is the only connection it has with the device (only one connection per certificate is allowed), and then issues an IP address from the available IPSec address pool configured as part of the GW server setup.
7. The device will use the IP address received from the server as the virtual IP address for the IPSec connection. Once the IP address is assigned and the connection parameters negotiation is complete, an IPSec-encrypted tunnel can be set up between the device and server.
8. This IPSec connection forwards all traffic through the IPSec tunnel to and from the device and the GW server.

The GW server now manages all network traffic from the device and provides an end point for the Mobile VPN tunnel. The GW server can now route traffic from the device to the organization's internal network, or forward traffic towards a configured network proxy service or directly to the Internet, depending on the configuration defined by the network administrator(s). Typically, device network traffic leaving the GW server will be filtered by a firewall before reaching the intranet; however, this depends on the infrastructure design and the location of the GW server within the infrastructure.

Device Management

When a managed device has an active connection to a GW server, the DM server can start checking information about the device and applying any required group policy settings or software packages to it.
As shown in Figure 6, this is a direct process between the DM server and the device. (The GW server only forwards network traffic to and from the device.)

Figure 6. Device management

The first time the managed device successfully connects to the organization's network using the GW server, it communicates with the DM server to report its configuration and check for changes. The following steps detail this process:

1. Once the device has successfully connected to the GW server, an OMA DM connection is initiated with the DM server.
2. The DM server authenticates the device using the device's machine certificate, the SSL authentication process, and Active Directory Domain Service machine account mapping. Note that there is a one-to-one mapping between the machine's certificate and the domain machine account.
3. The DM server configures the device with an initial connection schedule and queries the device for information about its current configuration. Once this is returned, the device disconnects.
4. The DM server calculates the group policy settings and the initial managed applications required for the device. These settings are calculated and cached as OMA DM commands in the Mobile Device Manager database, for use when the client connects again.
5. The device reconnects to the DM server using the schedule it received during the first connection. At this point, the DM server pushes the OMA DM commands to the device to configure it.
6. Once the initial schedule and changes are complete, the device will be set to a default reconnection schedule of 8 hours. (This is configurable for anywhere between 2 and 8 hours.)

If the device needs to receive group policy settings or software packages, these are pushed down to the device from the DM server, through the GW server, and down the IPSec tunnel.

The Mobile Device Manager Client

The Mobile Device Manager client is provided via an update to the Windows Mobile software. All Windows Mobile devices running a future version of Windows Mobile will have this client built-in. There are two key elements to this client. First, these devices include the IPSec client, which is designed to permit more secure connectivity with the enterprise. The second feature of the Mobile Device Manager client is the mechanism by which users will be alerted to service interactions on their mobile devices, which will allow them to perform a range of update and configuration actions as defined by the administrator. The client is designed to enable OTA distribution and installation of software applications and firmware update packages to devices by using ad hoc methods, manual or end-user actions, or by being automatically delivered to the device on a regular basis.
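
The Device Enrollment steps earlier in this section bind both the server's response and the device's certificate request to the one-time enrollment password. The sketch below is an added example, not Microsoft's implementation: the guide does not say how the hash is built, so HMAC-SHA256, every class and function name, and the constructed certificate and request bytes are assumptions.

```python
import hashlib
import hmac
import secrets
import time

OTP_LIFETIME_SECONDS = 8 * 60 * 60  # the guide's default lifetime: 8 hours


def otp_mac(otp, label, payload):
    """Assumed construction: HMAC-SHA256 keyed by the one-time password.

    The label keeps the server's proof (step 5) and the device's request
    hash (step 6) from being interchangeable.
    """
    return hmac.new(otp.encode(), label + b"\x00" + payload, hashlib.sha256).digest()


class EnrollmentServer:
    """Hypothetical stand-in for the EN server role."""

    def __init__(self, root_cert, clock=time.time):
        self.root_cert = root_cert
        self.clock = clock
        self.pending = {}  # device id -> (otp, expiry timestamp)
        self.issued = {}   # device id -> fingerprint of the accepted request

    def create_request(self, device_id):
        """Steps 1-2: the returned password travels to the user out of band."""
        otp = secrets.token_hex(8)
        self.pending[device_id] = (otp, self.clock() + OTP_LIFETIME_SECONDS)
        return otp

    def _live_otp(self, device_id):
        entry = self.pending.get(device_id)
        if entry is None:
            return None
        otp, expires_at = entry
        if self.clock() >= expires_at:
            del self.pending[device_id]  # lifetime elapsed
            return None
        return otp

    def get_root(self, device_id):
        """Step 4: root certificate plus a proof derived from it and the OTP."""
        otp = self._live_otp(device_id)
        if otp is None:
            return None
        return self.root_cert, otp_mac(otp, b"root", self.root_cert)

    def submit_request(self, device_id, csr, tag):
        """Steps 6-7: accept the request only if its hash matches a live OTP."""
        otp = self._live_otp(device_id)
        if otp is None:
            return "rejected: no live enrollment request"
        if not hmac.compare_digest(tag, otp_mac(otp, b"csr", csr)):
            return "rejected: request hash mismatch"
        del self.pending[device_id]  # one-time: the password is now spent
        self.issued[device_id] = hashlib.sha256(csr).hexdigest()
        return "issued"


def device_accepts_root(otp, root_cert, proof):
    """Step 5: the device trusts the root only if the proof matches its OTP."""
    return hmac.compare_digest(proof, otp_mac(otp, b"root", root_cert))


def device_request_tag(otp, csr):
    """Step 6: hash sent alongside the certificate request."""
    return otp_mac(otp, b"csr", csr)


def run_demo():
    now = [1_000_000.0]  # controllable clock so expiry can be shown offline
    server = EnrollmentServer(b"CONSTRUCTED-ENTERPRISE-ROOT", clock=lambda: now[0])
    out = {}
    otp = server.create_request("device-1")
    root, proof = server.get_root("device-1")
    out["genuine_root"] = device_accepts_root(otp, root, proof)
    # A certificate swapped in transit does not match the OTP-derived proof.
    out["substituted_root"] = device_accepts_root(otp, b"CONSTRUCTED-OTHER-ROOT", proof)
    csr = b"CONSTRUCTED-CSR cn=device-1 key=AAAA"
    tag = device_request_tag(otp, csr)
    # A request altered in transit no longer matches the hash sent with it.
    out["altered_request"] = server.submit_request("device-1", csr.replace(b"AAAA", b"BBBB"), tag)
    out["enrollment"] = server.submit_request("device-1", csr, tag)
    out["reuse"] = server.submit_request("device-1", csr, tag)
    otp2 = server.create_request("device-2")
    now[0] += OTP_LIFETIME_SECONDS + 1
    csr2 = b"CONSTRUCTED-CSR cn=device-2 key=CCCC"
    out["expired"] = server.submit_request("device-2", csr2, device_request_tag(otp2, csr2))
    return out


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

Because the password is deleted on first successful use and on expiry, an operator reviewing enrollment failures can tell a mistyped or altered request (hash mismatch, password still live) from a reused or stale password (no live request).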

Mobile Device Manager Client Enrollment

A Mobile Device Manager enabled device enrolls with a System Center Mobile Device Manager 2008 server through the use of the Windows Mobile device client. Users select Domain Enrollment in the Connections menu, and then provide their address and PIN. The device will then restart, and will confirm connectivity with the server.

[Figure: device screens showing the Connections menu and the Domain Enrollment wizard]

System Center Mobile Device Manager 2008 Deployment Topology

This section provides an overview of the System Center Mobile Device Manager 2008 deployment topology, summarizing the overall infrastructure discussed in the previous sections. The diagram below shows how the Windows Mobile device connects via the Mobile VPN to the GW server. The GW server then connects to the enrollment service, as well as to the machine authentication server and the specific and LOB servers through an SSL-authenticated connection. The Windows Mobile device can then access the necessary assets in the corporate intranet through the back firewall and the SSL connections from the mobile GW server. The following diagram is a representation of the overall infrastructure of a System Center Mobile Device Manager 2008 server deployment with Windows Mobile devices.

[Figure: System Center Mobile Device Manager 2008 deployment topology across the Internet, DMZ, and corporate intranet]

Using with Key IT Services

System Center Mobile Device Manager's extensibility and flexibility allow an organization to extend its infrastructure with features that allow it to manage its Windows Mobile devices. The Mobile Device Manager components work with key IT services and use them to allow the mobile devices to access selected business data. The primary IT services that Mobile Device Manager works with are:

- Active Directory Domain Service: The Windows directory service is used for storing machine/device identity, getting associated 802.1x certificates, and the group policy settings that configure the required settings on each managed mobile device. Examples include configuring ActiveSync settings or enabling a password required policy.
- Windows Software Update Services (WSUS): System Center Mobile Device Manager 2008 uses WSUS to allow applications to be distributed to managed devices. WSUS 3.0 is required, and will be installed if not present when Mobile Device Manager is installed. Additionally, Mobile Device Manager works with WSUS to check for and push application packages to managed devices.
- Certificate Services: Mobile Device Manager's client and server security model requires certificates. Mobile Device Manager works directly with your existing Public Key Infrastructure (PKI) for client and server certificate signing. Microsoft Certification Authority (or a third-party Certification Authority) can be added if no current PKI is in place, or if you wish to maintain a separate Certification Authority for device authentication.
- LOB Application Servers: Windows Mobile devices managed by Mobile Device Manager can gain access to your organization's LOB application servers, including:
    - Exchange Servers: Mailboxes on an organization's Exchange Server(s) can be configured to grant access to Windows Mobile devices. Device users can use these services via the Microsoft Outlook Mobile interface.
    - Custom application servers: In-house applications that provide Web services to mobile clients can be made available to the managed mobile devices.

Security Management

System Center Mobile Device Manager 2008 empowers IT Professionals with a robust security management platform for Windows Mobile devices that leverages Active Directory/group policy, the most widely deployed enterprise network directory in the world, allowing IT Professionals to set and control policies in a single environment. Mobile Device Manager is designed to provide better mechanisms to prevent theft or loss of corporate data, thanks to expanded on-device security of sensitive corporate information, such as full on-device file encryption. Mobile Device Manager's always on connection (when connected to a carrier's wireless network or a Wi-Fi connection) allows IT Professionals to execute instant remote device wipe in the event of the theft or loss of the device, reducing the chances of corporate data falling into the wrong hands.

IT administrators have the ability to lock down communications for compliance and confidentiality purposes, including disablement of Bluetooth, SMS/MMS, WLAN, Infrared, POP/IMAP, as well as camera functionality. Furthermore, Mobile Device Manager offers a robust set of over 125 policies to help meet critical security needs of IT Professionals, which can be targeted to devices based on Active Directory groups and device status. Enterprises have control over which applications are installed on the user's Windows Mobile device, thanks to the allow and deny functionality for applications. Mobile Device Manager offers IT Professionals the flexibility to support the configuration of new operating system features and applications, as well.

Active Directory Domain Join

Active Directory is one of the most widely deployed corporate directory services, and many IT Professionals have expressed a desire to manage their Windows Mobile devices like their Windows based desktop computers and laptop computers, through Active Directory. System Center Mobile Device Manager 2008 enables Windows Mobile devices to be listed and managed through Active Directory. Before a device can use Mobile Device Manager to connect to the corporate intranet, it goes through a process of authentication and provisioning that helps to ensure that it is a recognized and verified member of an organization's Active Directory domain. In this way, Windows Mobile devices are first-class IT citizens, just like their Windows based desktop and laptop counterparts.

Policy Enforcement Using Active Directory/Group Policy Targeting

In addition to being first-class IT citizens through Active Directory, Windows Mobile devices can now be targeted and managed through group policy. Active Directory is used to store credentials for VPN and 802.1x based connections and the group policy settings that configure the required settings on each managed mobile device. Examples of such policy enforcements include configuring ActiveSync settings or enabling a password required policy. Active Directory Management (ADM) templates can be used to create additional policies beyond what is provided out-of-box.

A Windows Mobile device conforms to group policy settings just like a standard Windows based desktop or laptop computer. Using the updated group policy management tools, an administrator can assign specific Group Policy Objects (GPOs) to Organizational Units (OUs), and security groups, or, if required, block specific devices from receiving policies. This flexibility in assigning policies to specific devices or sets of devices provides powerful functionality for IT administrators to easily manage an entire fleet of mobile devices in an organization.

Communications and Camera Disablement

As mobile devices become increasingly pervasive in all aspects of an organization, it is important to be able to manage the communications and camera functionality on these devices in certain situations. For example, in R&D labs, organizations often desire to ensure that mobile devices are not taking and transmitting photographs of sensitive information. Similarly, financial services firms often look to disable SMS/MMS and other communications services to ensure that sensitive, unmonitored data is not being transmitted.

System Center Mobile Device Manager 2008 provides IT Professionals the ability to set powerful policies on Mobile Device Manager enabled Windows Mobile devices to manage and lock down communications and camera functionality. Administrators can set policies in the Mobile Device Manager to force devices to shut down a variety of these features, including:

- Camera
- Bluetooth
- SMS/MMS
- POP/IMAP

File Encryption

One increasingly important customer requirement is the ability to secure data that is stored on a Windows Mobile device. Windows Mobile enables users to encrypt documents stored on external storage cards, and Mobile Device Manager further extends this functionality to files and directories on the Windows Mobile device. This feature provides the IT administrator the ability to encrypt PIM information, directories with attachments, the My Documents folder, the Microsoft Internet Explorer Mobile Web cache directory, the Mobile Device Manager private key, and the domain password. File encryption uses the same PIN as the device lock PIN and AES-128 encryption. Furthermore, Mobile Device Manager allows IT administrators to turn device encryption on or off.

Application Disablement and Enablement

Currently, over 18,000 applications are available for Windows Mobile devices, and System Center Mobile Device Manager 2008 provides significant flexibility to IT Professionals for managing the applications that their users install and run on their devices. Mobile Device Manager allows IT administrators to either enable or disable specific applications or sets of applications. Disabled applications cannot be installed on a managed Windows Mobile device. System Center Mobile Device Manager can also set a list of enabled applications, which are the only applications that a user can install on a device. The ability to manage the specific applications loaded on a device is a powerful feature that enables IT administrators to better manage and help secure their organization's Windows Mobile devices.

Remote Wipe

The remote wipe service provides the ability for an IT Professional to immediately wipe data from a Windows Mobile device. Because of the Mobile Device Manager's "always on" connection (when connected to a carrier's wireless network or a Wi-Fi connection), when the "wipe now" command is issued, the device is wiped immediately, and does not have to wait for a synchronization with the server.

The remote wipe service communicates with a domain controller to remove the Active Directory Domain Service object for the device. It will also communicate with the Certification Authority to revoke the certificate that the device was using. The command also ensures that the GW server and databases are updated so that the device will not be able to connect to the system using its previous credentials. The device can go through the enrollment process again if it needs to re-join the managed environment.

OMA DM Compliance

The Mobile Device Manager device management server uses an OMA DM session to communicate necessary tasks and actions with the Windows Mobile device. The device management server converts tasks into OMA DM commands, which are sent down to the Windows Mobile device. OMA DM is used not only for tasks, but also for the initial configuration with the Mobile Device Manager server. By using OMA DM, a standards based protocol, and exposing the OMA DM client APIs on Mobile Device Manager enabled Windows Mobile devices, the System Center Mobile Device Manager 2008 server is very extensible and flexible for users.

Device Management

System Center Mobile Device Manager 2008 provides IT Professionals with a comprehensive Windows Mobile device management solution to distribute software and understand device inventory in a complex organizational environment. The enterprise-wide OTA software distribution uses WSUS 3.0, the most widely deployed Windows software update solution for businesses, with the rich targeting and packaging capabilities required by IT departments. Furthermore, Mobile Device Manager provides IT Professionals with rich inventory and reporting capabilities for both hardware and software; the reporting structure is based on the familiar, highly flexible and customizable SQL Server 2005 infrastructure.

Single Point of Management for Mobile Devices

System Center Mobile Device Manager 2008 brings together in one management solution features and functionality that in the past, if available, required numerous point solutions based on proprietary platforms. With advanced features such as policy enforcement, inventory and reporting, and software targeting in one solution, IT administrators can look to Mobile Device Manager for all of their Windows Mobile device management needs.

Full OTA Provisioning and Bootstrapping

System Center Mobile Device Manager 2008 is designed to make it easier for devices to enroll in the management server over the air. It is designed to deliver a simple and seamless experience to users who wish to enroll and connect Windows Mobile powered devices to a management server. The user provides an address, which he/she enters on his/her Windows Mobile device. The address is used to find the System Center Mobile Device Manager 2008 server to connect to; the user provides a PIN (which is provided separately to the user by the organization) to authenticate the enrollment. When the authentication and enrollment are complete, the device can connect to the GW server through the IPSec-encrypted tunnel, with SSL-authenticated data.

On first connect, the System Center Mobile Device Manager 2008 server can push the standard applications and policies set by the IT administrator directly to the device, provisioning the device quickly. Mobile Device Manager's self-service enrollment model is designed to give IT Professionals a simple and scalable way to provision devices, saving valuable time, resources, and help desk support costs.

[Screenshots: Pre-Enrollment Wizard, Introduction and Select User pages. Wizard steps: Introduction, Name Device, Select User, Create Pre-Enrollment, Completion. The Select User page offers Active Directory user, Other user identifier, and Anonymous user, and notes that Group Policy can be used to manage policy settings on devices that have an Active Directory user name.]

OTA Software Distribution Based on Windows Software Update Service (WSUS) 3.0

System Center Mobile Device Manager uses WSUS to allow applications to be distributed to managed devices. Additionally, Mobile Device Manager works with WSUS to check for and push application packages to managed devices. The DM server regularly checks with WSUS for newly published software packages, evaluating all the managed devices against the applicability rules of the packages and approval information. Using this information, the DM server determines which packages are applicable to each device and creates the required OMA DM commands in the database. When a device connects, it will download and install the packages offered to it by the DM server.

[Screenshot: Create Package Wizard, Completion page. Wizard steps: Introduction, Software Package, Target Devices, Permit Uninstall, Device Languages, Software Dependencies, Registry Dependencies, Create Installation Package, Completion. The page reports that the software package has been created in the Windows Server Update Services database and that, to distribute it, the administrator goes to the Software Packages node and approves it for installation.]

Inventory and Reporting Capabilities

As mobile devices proliferate across organizations, IT Professionals require the ability to have better inventory and reporting about the devices in the enterprise. System Center Mobile Device Manager 2008 uses a SQL Server 2005 based reporting infrastructure to provide IT Professionals with vital information about the specific Windows Mobile devices in the organization. This feature, as well as several predefined reporting templates, will be provided via a Web download.

When the device is authenticated with the Mobile Device Manager device management server, critical information is collected about the device. For example, the IT administrator has access to a broad range of information, including the following:

- Operating system and version
- Device model, make, ID and language
- Hardware ID
- Device hardware specifications, and storage information
- User settings

Please see Appendix A for a complete list of Inventory Capabilities.

Role based Administration

Role based administration provides flexibility for an organization in terms of the administration privileges and management of Windows Mobile devices. For example, a helpdesk administrator may be defined as having access to a certain group of settings, which are appropriately defined by the IT administrator. The IT administrator may define different roles for specific needs, helping to ensure simplicity and ease-of-use and management of appropriate security access for various roles.

Self-Help Portal

System Center Mobile Device Manager 2008 offers a self-help portal for users, designed to make it easier for users to manage their own Windows Mobile devices. The self-help portal provides the following core benefits for users by allowing users to:

- View a list of all their managed devices, for better reporting and tracking
- Create a new enrollment record for new devices that they wish to manage
- Wipe a device

This self-help portal helps reduce the user's dependencies on the IT administrator and the corporate helpdesk, and further enhances the overall usability of Mobile Device Manager for end users.

Highly Scalable Architecture

Mobile Device Manager's highly scalable and reliable deployment capabilities support many users on a single server, reducing the cost and complexity to the enterprise. Mobile Device Manager offers significantly lower maintenance costs, greater scalability, increased performance, and reduced troubleshooting complexity compared to other solutions in the marketplace.

Mobile Device Manager's architecture allows for flexible implementation options for the organization's servers. Different server configurations can be used, depending on the organization's scalability and availability requirements. Figure 3 provides an overview of the three primary server configurations. The following list summarizes the three primary implementation options:

Integrated Configuration. Install Mobile Device Manager components in a minimal configuration of two physical servers, with one domain-joined server in the intranet and one standalone/workgroup server in the perimeter network. While this mode provides a simple and robust implementation, it does not provide the most security enhanced configuration and can restrict an organization that has a large number of mobile devices to manage.

Distributed Configuration (Recommended). Deploy each System Center Mobile Device Manager component (GW server, DM server, EN server, and databases) on dedicated physical servers. This is the recommended configuration for a production enterprise environment. This configuration allows for the greatest security and scalability.

Load-balanced Configuration. Configure the GW server and the DM server in load-balanced arrays. This approach allows for high levels of scalability and availability for the managed mobile devices.

[Figure 3. Server configurations: Integrated Configuration, Distributed Configuration (Recommended), and Load-balanced Configuration, arranged by scalability.]

Scalability

System Center Mobile Device Manager 2008 is designed to be scalable and cost-effective for enterprises to deploy. Below are the typical target device capabilities for a distributed topology:

Server Role                 Potential Maximum Devices
Gateway Server              5000
Device Management Server    10,000 to 20,000
Database Server             40,000 to 80,000
Enrollment Server           Unlimited

The enrollment server is only active the first time a device connects, allowing maximum simultaneous connections. For a fully integrated deployment (DM, DB, and EN all in one system), System Center Mobile Device Manager 2008 is designed to support a maximum of 2500 users. Please note that these figures are subject to change.

MMC Snap-ins and Windows PowerShell Cmdlets

The management console architecture allows servers and devices to be managed via both a graphical user interface (GUI) console and a command line based Windows PowerShell console. The Management Console snap-in is a GUI based management tool. It is a Microsoft Management Console (MMC 3.0) snap-in that enables administrators to manage Windows Mobile devices and the Mobile Device Manager servers. The Windows PowerShell console provides a powerful command line interface and associated snap-ins for the Mobile Device Manager services and databases.

As shown in Figure 11, you can manage the System Center Mobile Device Manager 2008 components directly on the DM server via a server based management console, or remotely via a workstation based console. These consoles provide administrators with access to their management tasks. Whichever console is used, the requested tasks are performed by a collection of Windows PowerShell scripts called cmdlets. A cmdlet is a single-feature command that manipulates objects in Windows PowerShell. You can recognize cmdlets by their format: a verb and noun separated by a hyphen (-). For example, Get-Help, Get-Process, and Start-Service.

[Figure 11. Management Console architecture]

These cmdlets provide the logic that performs the primary management tasks in areas such as:

- DM server management
- Enrollment service management
- Priority tasks, such as Device Wipe
- Group policy management
- Device and task reporting
- Asset management

Control of Updates Delivered via Windows Mobile Update for Windows Mobile

Windows Mobile Update provides a mechanism for delivering critical fixes to Windows Mobile devices (version 6 and later). System Center Mobile Device Manager 2008 provides IT Professionals the ability to control the delivery of these updates to their organization's Windows Mobile devices, with full on/off control of Windows Mobile Update through Mobile Device Manager. By having the option to turn off Windows Update for Windows Mobile, IT administrators can test updates, and more effectively plan for the deployment of updates.

Mobile VPN

System Center Mobile Device Manager 2008 helps deliver increased worker productivity with a single point for security enhanced, behind-the-firewall access to corporate data and LOB applications for Windows Mobile devices through a cutting-edge Mobile VPN optimized for the mobile environment. The Mobile VPN allows users to access intranet data, including SAP, Siebel, intranet sites, and SQL Server data. System Center Mobile Device Manager 2008 aligns with the existing remote access model for desktops and laptops, and is highly scalable for a broad set of scenarios, including both thin and rich client applications.

Machine Authentication and Double Envelope Security

The System Center Mobile Device Manager 2008 architecture is designed for double envelope security for the Windows Mobile device to connect to the GW server, which is in the DMZ. In double envelope security, the data is transmitted through an IPSec-encrypted tunnel, and the traffic is SSL-encrypted. This helps to ensure the security enhanced transmission of the data from the mobile device to the GW server and Mobile Device Manager.

[Figure: SSL encrypted traffic carried inside an IPSec encrypted tunnel from the Internet, through the firewalls, to the GW server and on to the intranet.]

Application Authentication

A managed Windows Mobile device that establishes an authenticated network access connection will be granted access to the IT services that have been published from the existing IT infrastructure. From this point, the permissions required to access these infrastructure services and applications are determined by the user credentials requested from the applications or services themselves. For example, if an internal Microsoft Office SharePoint site has been configured to allow anonymous connections, the device will be able to connect to that site. However, if user authentication is required by the SharePoint site, users will need to provide their credentials before they can browse the site.

Session Persistence and Fast Reconnect

Mobile Device Manager's Mobile VPN is built specifically for Windows Mobile devices to ensure the best possible user experience. The Mobile VPN technology enables an "always on" connection (when connected to a carrier's wireless network or a Wi-Fi connection) to give IT administrators the control they need, while also improving the access and experience for the end user. In the event of a loss of transmission or dropped signal, Mobile Device Manager's fast reconnect technology allows a user to continue where he/she left off without having to re-authenticate. This feature helps provide a seamless connectivity experience for the end user, while also helping ensure that IT administrators have more control over their organization's Windows Mobile devices at all times.

Inter-network Roaming

Many Windows Mobile devices can support different methods of connecting to a network. The first is the mobile operator's cellular data network (which is connected, via a gateway device, to the Internet), and the second is an 802.1x based Wi-Fi connection. The Wi-Fi service could connect the device to a number of different types of networks. System Center Mobile Device Manager 2008 delivers a consistent end-user experience across a cellular operator or Wi-Fi connection with full inter-network roaming capabilities.

Figure 2 illustrates both connection types and how the device can use them to access the GW server(s) in an organization. These connection types will impact how the managed mobile devices interact with an organization's infrastructure and how the devices are managed.

[Figure 2. Device access connection methods: a Windows Mobile device reaching the external GW server in the perimeter network over the cellular operator gateway or a Wi-Fi hotspot via the Internet, or the internal GW server directly, with LOB application servers in the intranet.]

The following list identifies the main access connection routes for a device:

Cellular Data Connection. This is the standard cellular mobile data service using a system such as General Packet Radio Service (GPRS) or Code Division Multiple Access (CDMA). Devices make these connections via the cellular provider's data network, and are then connected to the Internet through a gateway device. From this point, the devices connect to the external GW server, where they are authenticated and connected to internal resources.

Wi-Fi Connection. These connections provide a route to the Internet via a Wi-Fi connection. Wi-Fi hotspots can be found in many public places, including airports and coffee shops around the world. With these connections, the device connects to the hotspot's network and is routed to the Internet. From there, the device connects to the external GW server for authentication and connection to internal resources.

The ability for Windows Mobile devices to connect to the Mobile Device Manager server through either the cellular radio or the Wi-Fi connection provides significant flexibility in connecting to the Mobile Device Manager server. This allows users flexibility to choose how they wish to connect to the network, depending on their current location and the resources available to them, which might be either a cellular signal or a Wi-Fi signal.

Standards based Security Model

Mobile Device Manager's Mobile VPN is built on standards based technologies, allowing greater choice in how other networking servers interface with Windows Mobile devices. Since Mobile Device Manager is based on a number of open industry standards for mobile devices, deployment is designed to be extensible and flexible for easier use and greater flexibility for both users and IT administrators. System Center Mobile Device Manager 2008 uses the following key open industry standards:

- Open Mobile Alliance Device Management (OMA DM), the specification for device management
- IPSec and Internet Key Exchange Protocol version 2 (IKEv2)
- IKEv2 Mobility and Multihoming (MobIKE) protocol
- Software Component Management Object (SCOMO), a draft OMA specification for installing, removing, launching, and terminating software on mobile devices

System Center Mobile Device Manager Policy

This section details the policy settings that are available by default on the System Center Mobile Device Manager 2008 server to enhance Windows Mobile device manageability. The policies detailed in this section are only the pre-configured policies; additional policies can be configured through ADM by the IT administrator and the organization, if the specified object exists in Active Directory.

Password Policies

Require password
This policy setting allows the IT administrator to require users to set a password on their devices. If disabled, users will be able to disable their password through the control panel, and not lock their phones.

Password type
This policy setting allows administrators to require that users have a particular type of password, either an alphanumeric or a numeric PIN.

Password timeout
This policy setting allows the IT administrator to set the maximum amount of idle time after which the Windows Mobile device should automatically lock with a password. The Require Password policy setting must be enabled for this policy setting to take effect. If this policy is set, users' devices will automatically lock after a set amount of idle time has elapsed. Users will need to enter their passwords in order to use most device functionality.

Number of passwords remembered
This policy setting allows IT administrators to prevent users from resetting their password to one of their previously set passwords. If configured to be N, users cannot re-use any of their last N passwords.

Minimum password length
This policy setting allows IT administrators to require that users' device passwords be at least a certain specified length. The Require Password policy setting must be enabled for this policy setting to take effect. The minimum length can be set to anything between 1 and 40 alphanumeric characters.

Wipe device after failed attempts
This policy setting allows the IT administrator to configure the number of incorrect password attempts to accept before the device wipes all of its mounted storage volumes. Before the user's last attempt, he/she will be warned that all the data on the device will be wiped on the next failed attempt.

Allow user to reset authentication on the device
The authentication reset policy allows IT administrators to enable or disable the Reset Password option on the PIN lock screen. If enabled, the user can request a password reset in case of a forgotten password, from Microsoft Office Outlook Web Access. If this option is disabled, then the menu option is also disabled on the device.
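The password settings above interact: minimum length only takes effect when Require password is enabled, history covers the last N passwords, and the wipe threshold warns before the final attempt. The Python model below is an added example, not Mobile Device Manager code; the class names, result strings, the reading of the two password types (digits only versus at least one non-digit), and the salted PBKDF2 history store are assumptions.

```python
import hashlib
import hmac
import os
from collections import deque
from dataclasses import dataclass

PBKDF2_ROUNDS = 20_000  # assumption: the guide does not describe history storage
TOO_SHORT, WRONG_TYPE, REUSED = "too-short", "wrong-type", "reused"


@dataclass(frozen=True)
class PasswordPolicy:
    require_password: bool = True
    password_type: str = "alphanumeric"   # "alphanumeric" or "numeric" (PIN)
    min_length: int = 6                   # guide: between 1 and 40 characters
    passwords_remembered: int = 3         # N: last N passwords cannot be reused
    wipe_after_failed_attempts: int = 4   # failures accepted before the wipe

    def __post_init__(self):
        if self.password_type not in ("alphanumeric", "numeric"):
            raise ValueError("password_type must be 'alphanumeric' or 'numeric'")
        if not 1 <= self.min_length <= 40:
            raise ValueError("min_length must be between 1 and 40")
        if self.passwords_remembered < 0 or self.wipe_after_failed_attempts < 1:
            raise ValueError("history must be >= 0 and wipe threshold >= 1")


def _digest(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class ModelDevice:
    """Hypothetical device that enforces a PasswordPolicy locally."""

    def __init__(self, policy):
        self.policy = policy
        # Keep at least the current password even when history is switched off.
        self._history = deque(maxlen=max(policy.passwords_remembered, 1))
        self.failed_attempts = 0
        self.wiped = False

    def violations(self, candidate):
        """Return the policy rules a candidate password would break."""
        p, found = self.policy, []
        # Minimum length is gated on Require password, as the guide states.
        if p.require_password and len(candidate) < p.min_length:
            found.append(TOO_SHORT)
        if p.password_type == "numeric" and not candidate.isdigit():
            found.append(WRONG_TYPE)
        if p.password_type == "alphanumeric" and candidate.isdigit():
            found.append(WRONG_TYPE)
        if p.passwords_remembered and any(
            hmac.compare_digest(_digest(candidate, salt), old)
            for salt, old in self._history
        ):
            found.append(REUSED)
        return found

    def set_password(self, candidate):
        """Store the password if compliant; return the list of violations."""
        found = self.violations(candidate)
        if not found and not self.wiped:
            salt = os.urandom(16)
            self._history.append((salt, _digest(candidate, salt)))
            self.failed_attempts = 0
        return found

    def unlock(self, attempt):
        """Return 'unlocked', 'denied', 'last-attempt-warning', 'wiped' or 'no-password'."""
        if self.wiped:
            return "wiped"
        if not self._history:
            return "no-password"
        salt, current = self._history[-1]
        if hmac.compare_digest(_digest(attempt, salt), current):
            self.failed_attempts = 0
            return "unlocked"
        self.failed_attempts += 1
        remaining = self.policy.wipe_after_failed_attempts - self.failed_attempts
        if remaining <= 0:
            self._history.clear()   # stands in for wiping mounted storage volumes
            self.wiped = True
            return "wiped"
        # The guide says the user is warned before the last attempt.
        return "last-attempt-warning" if remaining == 1 else "denied"
```
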

Code word frequency
This policy allows the IT administrator to set how frequently the code word request is displayed when a user is incorrectly entering his/her PIN.

Code word
This policy allows the IT administrator to set the code word for authentication on the device.

Password expiration
This policy allows the IT administrator to set the number of days that a password is valid, before it needs to be changed.

Platform Lockdown

Turn off POP and IMAP messaging
This policy setting allows IT administrators to specify whether the user may use IMAP4 or POP3 accounts. This policy setting affects only the Microsoft Outlook Mobile program. To prevent users from accessing IMAP4 or POP3 accounts using a third-party application, administrators can restrict application execution by configuring the Application Disable policies or by configuring security policies to allow only those applications that are signed by trusted authorities to run. If disabled, any accounts that use IMAP4 or POP3 protocols are turned off. The user cannot synchronize any existing IMAP4 or POP3 accounts with the corresponding servers, and the user cannot set up a new IMAP4 or POP3 account either. The user may be able to view existing messages for IMAP4 or POP3 accounts if the messages were downloaded to the device before the policy setting was changed.

Turn off SMS and MMS messaging
This policy setting allows IT administrators to specify if the user can send and receive SMS and MMS text messages. This policy setting affects only built-in SMS and MMS applications. Users can be prevented from sending and receiving SMS and MMS text messages using a third-party application by configuring the Application Disable policies or by configuring security policies to allow only those applications that are signed by trusted authorities to run.

Certificate Management
System Center Mobile Device Manager 2008 enables IT administrators to remove the following types of unmanaged certificates:

- SPC certificates
- Privileged certificates
- Normal certificates
- Root certificates
- Intermediate certificates

Turn off camera
This policy setting allows IT administrators to specify if the user can use the camera on the device. This policy setting affects all camera functions, including, but not limited to, showing preview, taking photographs, and recording videos. When this policy setting is changed, a system reboot is enforced on the device when the policy is applied.

Turn off wireless LAN
This policy setting allows IT administrators to specify if the user can use Wireless LANs (Wi-Fi) with the device. A system reboot is required on the device when the policy is applied. If enabled, the user is not able to use Wi-Fi in any way.

Turn off infrared
This policy setting allows IT administrators to specify if the user can use Infrared (IR) communications on the device. This policy setting affects all Infrared Data Association (IrDA) functions on the device, including, but not limited to, beaming data and connecting to ActiveSync via IR. A system reboot is enforced on the device when the policy is applied.

Turn off Bluetooth
This policy setting allows IT administrators to specify if the user can use Bluetooth on the device. This policy setting affects all Bluetooth functions on the device, including, but not limited to, pairing with Bluetooth headsets and Bluetooth car kits. A system reboot is enforced on the device when the policy is applied.

Turn off removable storage
This policy setting allows IT administrators to specify if the user can use removable storage cards, such as Secure Digital (SD), microSD, and miniSD storage cards.

Allowed Bluetooth profiles
This policy setting allows IT administrators to specify the Bluetooth profiles that the user can use on the device. The Bluetooth profiles that are selected are allowed and all others are blocked. A system reboot is enforced on the device when the policy is applied. This policy setting is overridden if the policy that turns off Bluetooth completely is enabled.

[Screenshot: Allowed Bluetooth profiles Properties dialog (Not Configured, Enabled, Disabled) and its Show Contents list of permitted Bluetooth UUIDs, where a UUID can be added or removed.]

Configure the Windows Update for Windows Mobile Service
This policy setting allows IT administrators to configure the level of user control for the Windows Update for the Windows Mobile service. The setting allows IT administrators to completely turn off the update service, leave it to be configured by the device user, or configure it to be turned on with predefined settings that cannot be changed by the device user. If enabled, the following options are available:

Switch Off: The update service is turned off for the device. The user cannot change the configuration.

Switch On for User Config: The update service is turned on for the device. The user can change the settings. This option is identical in behavior to the update service when it is turned on in an unmanaged device.

Switch On for Admin Lockdown: The update service is turned on for the device and configured to work in automatic mode with cell data connectivity enabled. The user cannot change this configuration. This option puts the update service in automatic mode so that critical security updates are automatically downloaded over any network connection, except in instances of cellular roaming. The user is prompted to install any updates that are downloaded automatically.

If this policy setting is not configured, the device will revert to the configuration choice made by the OEM when the device was manufactured.

Configure device management when roaming
This set of policy settings provides IT administrators with flexibility in the matter of controlling the behavior of the Mobile Device Manager client when the device is roaming.

Allow device management
This setting allows the IT administrator to choose whether or not the device can connect to the Mobile Device Manager server while roaming.

Check frequency multiplier
If IT administrators choose to Allow device management when roaming, then they can increase the time between server checks by increasing the value of the factor.

Allow software downloads and Windows Update for Windows Mobile
This option allows IT administrators to configure managed software downloads and Windows Update for Windows Mobile. If enabled, managed downloads that are automatically initiated when a device is in roaming mode will continue as they would when not roaming. Additionally, the device will check for new updates on Windows Update servers just as it does when the device is not roaming. If the setting is not enabled, managed downloads that are automatically initiated when a device is in roaming mode will be paused. The device will not check for new updates on any firmware update server. When the device is no longer roaming, the download will continue normally.

[Screenshot: Configure device management when roaming Properties dialog, with the options Allow device management, Allow software download and Windows Update, and Check frequency multiplier.]

Application Disablement

Blocked installation notification text
This policy allows IT administrators to provide and specify the notification text if an application's installation is blocked.

[Screenshot: Blocked installation notification text Properties dialog (Not Configured, Enabled, Disabled) with a field for the notification text.]

Blocked execution notification text

This policy allows IT administrators to provide and specify the notification text if application execution is blocked.

Blocked in-ROM applications

[Screenshot: Show Contents dialog, List of applications to block, with one entry: Value Name \Windows\leMobile.exe, Value Internet Explorer Mobile.]

This policy allows IT administrators to block programs that may be provided in-ROM. For example, IT administrators may wish to block access to the Internet on specific devices; therefore, they may wish to block access to Internet Explorer Mobile, which they can configure through this policy. The user will be able to view the Microsoft Internet Explorer Mobile application, but will not be able to access it.

Allowed RAM-installed privileged applications

This policy allows IT administrators to either allow or disable RAM-installed privileged programs, and IT administrators can choose specific programs to allow.

Allowed RAM-installed unprivileged applications

This policy allows IT administrators to either allow or disable RAM-installed unprivileged programs, and IT administrators can choose specific applications to allow.

Security Policies

Allow unsigned applications to run on devices

This policy allows IT administrators to decide whether unsigned applications can run on a particular device. If allowed, then all unsigned applications are allowed to run on the device (depending on the existing device-specific policies, the user may be prompted for consent before an unsigned application is allowed to run). If the policy is disabled, then only signed applications or unsigned applications specifically allowed are allowed to run on the device. If the policy is not configured, then the device will revert to its default standard security model.

Grant manager role permissions to user

This policy allows IT administrators to configure policies for system administrative privileges. If this policy is not configured, the device will use its default policies. If the policy is enabled, then both SECROLE_USERAUTH and SECROLE_MANAGER can obtain full administrative access and users can potentially alter device security settings. If disabled, then only SECROLE_MANAGER has full administrative access to the device.

Allow unsigned .cab file installation

This policy allows IT administrators to configure the ability to install unsigned cabinet (.cab) files. If the policy is not configured, existing device-specific policies for allowing unsigned .cab files to be installed on the device are applied. If the policy is enabled, then unsigned .cab files are processed on the device with SECROLE_USERAUTH. However, if the policy is disabled, then only signed .cab files are allowed to install on the device.

Turn off user prompts on unsigned .cab file installation

If the IT administrator allows unsigned applications or .cab files on the device, this policy configures user prompts when installing unsigned .cab files. If the policy is not configured, then existing device-specific policies for the user being prompted before unsigned applications are run on the device are applied. If the policy is enabled, then the user will be prompted for consent before unsigned applications are run on the device. However, if the policy is disabled, the user will not be prompted for consent before unsigned applications are run on the device.

Allow Remote API access to ActiveSync

This policy allows IT administrators to configure whether a Windows Mobile device can access desktop applications via Remote API (RAPI) access to ActiveSync. If this policy is enabled, then access to the device by desktop applications via ActiveSync RAPI is restricted to the SECROLE_USERAUTH role. This means that if the user can carry out the operation on the device, he/she can carry out the same operation using RAPI from the desktop. However, if the policy is disabled, then the Desktop ActiveSync service shuts down and the user cannot sync e-mail, files or applications from the desktop or change any settings.

Turn on storage card encryption

This policy allows IT administrators to manage storage card encryption. If this policy is enabled, then any new files created on the storage card will be encrypted with a key tied to the device and the user cannot disable this setting. If disabled, the user can decide if he/she wants to encrypt files put on the storage card.

Set reboot session reset reminder

With the reboot session reset reminder, IT administrators can set the frequency with which the reboot reminder is displayed when a particular policy is enforced that requires a reboot.

Device Encryption

Turn on device encryption

This policy allows IT administrators to turn on or off device encryption. If the policy is enabled, device encryption is turned on and use of a password is enforced. If disabled or if the policy is not configured, device encryption is off.

Specify file encryption list

This policy setting allows IT administrators to specify additional files that should be encrypted when device encryption is turned on. This list of files is in addition to the files that are encrypted by default. If enabled, the files specified will be added to the encryption list. In case the policy is disabled or not configured, no files are added to the encryption list. This policy is in effect only when the Turn on device encryption policy is enabled.

Exclude files from encryption

This policy setting allows IT administrators to specify files that should not be encrypted when device encryption is turned on. If enabled, the specified files will not be encrypted. Otherwise, no files are added to the list of files that should not be encrypted. This policy is in effect only when the Turn on device encryption policy is enabled.

Mobile VPN

Specify corporate secure connection name

This setting allows IT administrators to specify the display name for the Mobile VPN on Windows Mobile powered devices. The specified name can be up to 30 characters. If a name is not specified, the default display name is MyMobileVPN.

Specify corporate secure gateway FQDN or IP address

This setting allows IT administrators to specify the fully qualified domain name (FQDN) or IP address for the Mobile VPN gateway(s). This setting is specified during enrollment, and generally would not need to be reset. The maximum length is 255 characters when a fully qualified domain name is specified.

Allow user to enable and disable the VPN

This policy setting allows IT administrators to define if users can turn off the Mobile VPN on their Windows Mobile devices. If enabled, users can turn off the Mobile VPN. If the Mobile VPN is disconnected (such as when the gateway goes down or the base channel in a Windows Mobile device fails), users can manually trigger a connection retry.

Always connected when roaming

This policy setting allows IT administrators to send keepalive packets associated with the Mobile VPN while roaming. The Mobile VPN application automatically sends keepalive packets to keep the connection always-on. Sending keepalive packets allows push applications such as Remote Device Wipe to work. If keepalive packets are not sent, applications that require push functionality will not work. If this setting is enabled, the device will send Mobile VPN keepalive packets while roaming. If disabled, the device will not send Mobile VPN keepalive packets while roaming. In this case, the Mobile VPN will send traffic only on demand, as specified by applications on the Windows Mobile device. Disabling this setting does not block all traffic while roaming. There may be traffic flowing over the Mobile VPN connection triggered by applications on a Windows Mobile device, or by the user. If this policy is not configured, the default behavior is to disable sending Mobile VPN keepalive packets while roaming.

Time interval between keepalive packets

This policy setting allows IT administrators to specify the number of seconds between keepalive packets. The time interval can be set to a maximum of 7 days. If the policy is not defined, the default value is zero, which allows the device to detect the optimal time interval and use it. Setting the value too low causes increased data traffic and decreased battery life on the device. If the value is too high, the Mobile VPN can become disconnected, which then requires a reconnection.

Allow AES data encryption algorithm

This policy setting allows IT administrators to specify if the AES cipher can be used to encrypt data sent over the Mobile VPN. If this setting is enabled the Mobile VPN can use AES data encryption. However, if the setting is not defined, the default behavior is to allow both AES and Triple DES (3DES) encryption. If both AES and 3DES encryption algorithms are explicitly not allowed, the Mobile VPN fails.

Allow Triple DES data encryption algorithm

This policy setting allows IT administrators to specify if the Triple DES (3DES) cipher can be used to encrypt data sent over the Mobile VPN. If enabled, the Mobile VPN can use 3DES data encryption. If the policy is not defined, the default behavior is to allow both AES and 3DES encryption. If both AES and 3DES encryption are explicitly not allowed, the Mobile VPN fails.
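The Mobile VPN settings above combine a three-state policy with documented defaults and limits. The following added example (not code from the guide or from System Center Mobile Device Manager) resolves a proposed configuration into its effective values and flags the combinations the guide says fail or disable push features. The class, function and field names are hypothetical, and treating a cipher as usable unless it is explicitly Disabled is an assumption drawn from the stated defaults.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class State(Enum):
    """The three states shown in each policy's Properties dialog."""
    NOT_CONFIGURED = "Not Configured"
    ENABLED = "Enabled"
    DISABLED = "Disabled"


# Defaults and limits quoted in the Mobile VPN section of the guide.
DEFAULT_CONNECTION_NAME = "MyMobileVPN"
MAX_NAME_LENGTH = 30                       # "up to 30 characters"
MAX_FQDN_LENGTH = 255                      # "maximum length is 255 characters"
MAX_KEEPALIVE_SECONDS = 7 * 24 * 60 * 60   # "a maximum of 7 days"


@dataclass
class MobileVpnPolicy:
    """Hypothetical container for review purposes; not an SCMDM structure."""
    connection_name: Optional[str] = None
    gateway: Optional[str] = None          # FQDN or IP address, set at enrollment
    allow_aes: State = State.NOT_CONFIGURED
    allow_3des: State = State.NOT_CONFIGURED
    keepalive_when_roaming: State = State.NOT_CONFIGURED
    keepalive_interval_seconds: Optional[int] = None


def resolve_mobile_vpn_policy(policy: MobileVpnPolicy) -> dict:
    """Return the effective settings plus errors (VPN unusable or value out of
    range) and warnings (a security feature silently stops working)."""
    errors = []
    warnings = []

    # An unset name falls back to the documented default display name.
    name = policy.connection_name or DEFAULT_CONNECTION_NAME
    if len(name) > MAX_NAME_LENGTH:
        errors.append(f"connection name exceeds {MAX_NAME_LENGTH} characters")

    if policy.gateway is not None and len(policy.gateway) > MAX_FQDN_LENGTH:
        errors.append(f"gateway FQDN exceeds {MAX_FQDN_LENGTH} characters")

    # Assumption: Not Configured allows the cipher (the documented default is
    # "both AES and 3DES"); only an explicit Disabled removes it.
    ciphers = [
        label
        for label, state in (("AES", policy.allow_aes), ("3DES", policy.allow_3des))
        if state is not State.DISABLED
    ]
    if not ciphers:
        errors.append("AES and 3DES are both disabled: the Mobile VPN fails")

    # Not Configured behaves like Disabled for roaming keepalives.
    roaming_keepalive = policy.keepalive_when_roaming is State.ENABLED
    if not roaming_keepalive:
        warnings.append(
            "no keepalive packets while roaming: push features such as "
            "Remote Device Wipe will not work for roaming devices"
        )

    # Zero (the default) lets the device pick the interval itself.
    interval = policy.keepalive_interval_seconds or 0
    if not 0 <= interval <= MAX_KEEPALIVE_SECONDS:
        errors.append("keepalive interval must be between 0 seconds and 7 days")

    return {
        "connection_name": name,
        "ciphers": ciphers,
        "roaming_keepalive": roaming_keepalive,
        "keepalive_interval_seconds": interval,
        "errors": errors,
        "warnings": warnings,
    }


if __name__ == "__main__":
    # Constructed sample: an administrator disables 3DES and sets a 5-minute
    # keepalive but leaves "Always connected when roaming" unconfigured.
    sample = MobileVpnPolicy(
        connection_name="Contoso VPN",
        allow_3des=State.DISABLED,
        keepalive_interval_seconds=300,
    )
    for key, value in resolve_mobile_vpn_policy(sample).items():
        print(f"{key}: {value}")
```
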

IP address or name of corporate proxy server for Internet access

This policy setting allows IT administrators to specify the fully qualified domain name or IP address for the proxy server used for Internet access by a Windows Mobile device when the Mobile VPN is active. An organization can choose to have all Internet access pass through a proxy server to filter, audit, or restrict access. If a proxy server is not specified, the Windows Mobile device will forward all Internet traffic to the Mobile VPN gateway for appropriate routing. By default, no proxy server is specified.

Key Exchange Algorithms

Allow Diffie-Hellman groups 2, 5, 14, 15 and 16

This policy setting allows IT administrators to specify if the Diffie-Hellman group 2, 5, 14, 15 or 16 protocols can be used by the Internet Key Exchange (IKE) protocol during Mobile VPN key exchange negotiations. If enabled, the Mobile VPN can use the specific Diffie-Hellman Group key exchange algorithms. If the policy is not defined, the default behavior is to allow all supported groups. If all Diffie-Hellman groups are explicitly not allowed, the Mobile VPN fails. Each of the specific Diffie-Hellman Groups (2, 5, 14, 15, or 16) can be specified individually as a specific policy.

Software Distribution

Enable client-side targeting

This policy specifies the target group name or names that should be used to receive software distribution updates. If the status is set to Enabled, the specified target group information is sent to the Software Distribution service which uses it to determine which updates should be deployed to a particular device. If the Software Distribution service supports multiple target groups, this policy can specify multiple group names separated by semicolons. Otherwise, a single group must be specified. If the status is set to Disabled or Not Configured, no target group information will be sent to the Software Distribution service. This policy applies only when the Software Distribution service for this device is configured to support client-side targeting.

ActiveSync

Set message format (HTML or Plain text)

This policy setting allows IT administrators to control the format in which messages are synchronized. This policy is typically used to reduce network bandwidth by forcing messages to be downloaded in plain text format. If enabled, the IT administrator can select the message format in which messages are downloaded and the option on the device that allows the user to select the download format is disabled. Otherwise, the user can select the default format in which messages are downloaded.

Maximum age filter allowed

This policy setting allows IT administrators to limit the amount of history that is synchronized with the device. On the device, the user can choose to download all messages within a specified time period, such as one day or two weeks. This policy sets the maximum time period that the user can select.

Set maximum size limit for plain text messages

This policy setting allows IT administrators to control the size of each plain text message synchronized to the device. On the device, the user can select the maximum size limit for messages downloaded during synchronization. This policy sets the maximum value that the user can select.

Set maximum size limit for HTML

This policy setting allows IT administrators to control the size of each HTML message synchronized to the device. On the device, the user can select the maximum size limit for messages downloaded during synchronization. This policy sets the maximum value that the user can select. The user can still choose to download a specific message in its entirety.

Set age limit for calendar items

This policy setting allows IT administrators to limit the amount of calendar history that is synchronized with the device. On the device, the user can choose to download all calendar items within a specified time period, such as two weeks or one month. This policy sets the maximum time period that the user can select.

Set maximum attachment size allowed

This policy setting allows IT administrators to control the size of attachments that may be downloaded automatically with messages. Administrators may wish to set this policy in order to reduce network bandwidth consumption. If administrators enable this policy setting, they can specify the maximum size of attachments that may be downloaded automatically. When this happens, users have to manually download attachments that are larger than the size specified.

Allow synchronization when roaming

This policy setting allows IT administrators to disable the Always-up-to-date Exchange ActiveSync feature while roaming. Disabling this setting helps reduce mobile device users' roaming costs. If this policy is not defined, the default behavior is to enable this policy setting and Always-up-to-date Exchange ActiveSync is turned on while roaming.

Turn off Desktop PIM Sync

This policy setting allows IT administrators to prevent the user from synchronizing e-mail, contact, calendar, and task items with a desktop computer using ActiveSync. If enabled, the user cannot synchronize e-mail, contact, calendar, or task items using ActiveSync. Users can still synchronize with Exchange Servers over-the-air, and can continue to synchronize other types of information (such as media and files) with the desktop.

Server name

This policy setting allows IT administrators to help users automatically establish an Exchange partnership by specifying the front-end (FE) Exchange Server name. This policy may be set if the organization is not using Exchange Server 2007 with the Autodiscover feature. If enabled, the FE Exchange Server name is entered as the default server address for users to use when configuring access to the Exchange Server on their devices.

ActiveSync Peak and Off-peak

Peak start time and peak end time

This policy setting allows IT administrators to specify when the peak service period begins and ends for scheduling Exchange ActiveSync synchronization. Peak is defined as the days and hours when wireless voice and data charges are highest. The peak start time and peak end times can be configured separately.

Synchronization frequency during peak and off-peak times

This policy setting allows IT administrators to define the maximum time interval that the user can set for scheduling Exchange ActiveSync synchronization during the peak and off-peak service period. Peak is defined as the days and hours when wireless voice and data charges are highest. This policy helps control data costs. If enabled, IT administrators can select the maximum time interval. The user can change the Exchange ActiveSync frequency schedule for the peak service period to any value that is less frequent than the policy setting. This policy may be set separately for peak and off-peak times.

Peak days

This policy setting allows IT administrators to select which days of the week are considered peak days for scheduling Exchange ActiveSync synchronization. Peak is defined as the days and hours when wireless voice and data charges are highest. If enabled, IT administrators can select each day of the week that they want to specify as a peak day. The user cannot change the peak days.

S/MIME

Require message signing

This policy setting allows IT administrators to specify whether the Inbox program requires that all messages must be signed. This policy is applicable only if the organization is using Microsoft Exchange Server 2003 SP2 or Microsoft Exchange Server 2007 SP1. The user must have a certificate on the mobile device.

Require message encryption

This policy setting allows IT administrators to specify whether the Inbox program requires all messages to be encrypted. This policy is applicable only if you are using Exchange Server 2003 SP2 or Exchange Server 2007 SP1. In order to use Secure/Multipurpose Internet Mail Extensions (S/MIME), it must be enabled for use by Outlook Web Access (OWA) or Exchange ActiveSync (EAS) on the Exchange Server. Recipients must have a published public key (typically stored in Active Directory) accessible to the Exchange Server in order to receive encrypted messages. A user who attempts to send an e-mail message to a recipient who does not have a published public key will receive an undeliverable message error. If enabled, then all messages must be encrypted.

Set signing algorithm

This policy setting allows IT administrators to specify which algorithm is to be used to sign a message. If enabled, IT administrators can specify whether the default, Secure Hash Algorithm (SHA), or Message Digest 5 (MD5) algorithm is used for signing messages.

Encryption algorithm

This policy setting allows IT administrators to specify which algorithm is to be used to encrypt a message. If enabled, IT administrators can specify one of the following encryption algorithms: default, triple DES, DES, RC2 128-bits, RC2 60-bits, or RC2 40-bits. If the policy is disabled or not configured, then the default encryption algorithm is used.

[Screenshot: Encryption algorithm Properties dialog (Setting and Explain tabs), with the options Not Configured, Enabled and Disabled and the Encryption Algorithm choices Default, Triple DES, DES, RC2 128-bits, RC2 60-bits and RC2 40-bits.]

Negotiate encryption algorithm

This policy setting allows IT administrators to specify whether the Inbox program can negotiate the encryption algorithm in case a recipient's certificate does not support the specified encryption algorithm. If enabled, IT administrators can choose to specify that the Inbox program cannot negotiate the encryption algorithm, or that it can negotiate to a strong algorithm or to any algorithm.

Allow soft certificates

This policy setting allows IT administrators to determine whether software certificates can be used to sign outgoing messages. IT administrators can use this security policy with a tool that can be created to allow people to import certificates. If the policy is either enabled or not configured, software certificates can be used to sign messages.

Appendix A: Inventory Information

The following information is collected by the System Center Mobile Device Manager 2008 reporting and inventory server.

Certificate Store: User Certificates; System Certificates; Root Certificates; Root User Certificates; Root System Certificates; Privileged Execution; Unprivileged Execution; SPC Certificates; My Certificates; CA Certificates

Date/Time/Clock: Alarm Time; Alarm On; Time; Time Zone; Date

Device Information: Installed Applications; Available Storage; Total Storage; Backlight Timeout on AC Power; Device Type; Backlight at Timeout; Battery Strength; Processor Type; Available RAM; Total RAM; Product Version; OS Version; OS; Device Identifier; Device Manufacturer; Device Model; DM Version; Device Language

Inbox: Autosave; Inbox: Include Original in Reply; Inbox: Read HTML Mail; Device Wipe Threshold; Inbox: Save Sent Messages; Inbox: Show Date/Time

Owner Information: Owner Address; Owner Name; Owner Notes; Owner Telephone Number

Software Certificate Policy Network PIN Prompt Policy Password Required Policy Bluetooth Policy HTML Message Policy S/MIME Signing Policy S/MIME Encryption Policy S/MIME Signing Algorithm Policy S/MIME Encryption Algorithm Policy OMA CP Network PIN Policy OMA CP User PIN Policy OMA CP User Network PIN Policy Message Encryption Policy SharePoint Access Policy Desktop Quick Connect Authentication Policy Auto Run Policy RAPI Policy Unsigned CABs Policy Unsigned Applications Policy Unsigned Themes Policy TPS Policy Message Authorization Retry Policy SLM Policy SIM Policy Unauthorized Message Policy OTA Provisioning Policy WSP Push Policy Grant Manager Policy Grant User Authentication Policy Trusted WAP Proxy Policy Unsigned Application Prompt Policy SL DRM Encrypt Removable Storage Card Policy VPN Bluetooth mode NAP Proxy ROM Package Device Sounds Sync: Set Peak Days Sync: Allow SSL

Sync: Body Truncation Sync: Calendar Age Filter Sync: Device Sync: Age Filter Sync: Cross Pollination Sync: MIME Truncation Sync: Mailbody Truncation Sync: Mail Attachments Sync: Peak Off Frequency Sync: Outbound Mail Delay Sync: Peak Frequency Sync: Peak Start/End Time Sync: Radio Enabled Sync: Save Sent Items Sync: Send Now Sync: When Roaming Sync: Versions Sync: Calendar Sync: Contacts Sync: Mail Sync: Domain Sync: Server Sync: User Disable Camera Enable Video Disable SMS Send Menu Hide Preferred Network Selection Hide Network Selection Phone Name OMA DM Retry Limit

Appendix B: Glossary

AD/GP: Active Directory/group policy.

Back-end: Also referred to as the core. The domain-joined System Center Mobile Device Manager 2008 components located within the internal network.

Core: The back-end components residing in the corporate network behind the inner firewall. Collectively, all System Center Mobile Device Manager 2008 components, except for the Gateway server, comprise the core.

Distributed Implementation: Mobile Device Manager and infrastructure components installed separately (also applies to components being further distributed over dedicated servers).

DM Server: The Device Management server.

Domain Join: The mechanism by which the Enrollment Server will use appropriate permissions to create the Active Directory Domain Service object for the device and link it to the associated User object.

Double Envelope: An SSL session transported within an IPSec session.

EN: The Enrollment server.

Gateway: The Alerter Gateway and the Mobile Device Manager Gateway; this is a server that resides in the perimeter network, typically between the inner and outer firewalls.

Gateway Cluster: Group of Gateway servers installed in the perimeter network. Also defined as Gateway Array.

GCM: Gateway Central Management.

IKEv2: IPSec Key Exchange, Version 2.

Integrated Implementation: All Mobile Device Manager and infrastructure components located on a single server.

IPSec TM: IPSec Tunnel Mode.

ISA: Internet Security and Acceleration Server. Either Microsoft ISA Server 2004 or Microsoft ISA Server 2006 (Enterprise Edition or Standard Edition).

Load Balancer: A hardware appliance that controls the flow of traffic to and from a Mobile Device Manager array. This does not refer to Windows network load balancing (NLB).

LOB: Line-of-business application.

Lockdown Mode: When the System Center Mobile Device Manager Gateway is in lockdown mode, it means that it refuses all device connections and terminates existing device connections.

MOBIKE: Mobile IKE (IKEv2 Mobility and Multihoming).

OMA DM: Open Mobile Association Device Management.

One-time PIN: Enrollment Key.

Out-of-band: Mechanism for distributing Enrollment PIN.

OTA: Over-the-air. Refers to device firmware upgrades.

Perimeter Network: The network between the inner and outer firewalls. No Active Directory domain members should reside here.

Proxy: Device Manager (used interchangeably with DM).

Proxy Cluster: Load-balanced OMA DM servers. Also defined as a Proxy Array.

SyncML: Sync Markup Language (as defined in OMA DM standard). Microsoft's implementation of SyncML is OMA DM XML.

WSUS: Windows Software Update Services.

Appendix C: Hardware and Software Requirements

The following tables list the software and hardware that are required for a System Center Mobile Device Manager 2008 deployment.

Software Requirements

Active Directory Domain Controller (DC)
Operating system: Microsoft Windows Server 2003 with SP1
Applications and services: Active Directory; Domain Name System (DNS); Enterprise Certification Authority

Microsoft SQL Server 2005
Operating system: Microsoft Windows Server 2003 with SP1
Applications and services: Member of the Active Directory domain; IIS 6.0 and World Wide Web (WWW) Publishing Service; Microsoft SQL Server 2005 Standard Edition with SP1

Device Management server (DM)
Operating system: Windows Server 2003 with SP2 (64-bit)
Applications and services: Member of the Active Directory domain; IIS 6.0 and World Wide Web Publishing Service; Microsoft .NET Framework 2.0; Microsoft Windows PowerShell 1.0; WSUS 3.0 SP1

Gateway server (GW)
Operating system: Windows Server 2003 with SP2 (64-bit)
Applications and services: Standalone server; IIS 6.0 and World Wide Web Publishing Service

Enrollment server (EN)
Operating system: Windows Server 2003 with SP2 (64-bit)
Applications and services: Member of the Active Directory domain; IIS 6.0 and World Wide Web Publishing Service; Microsoft .NET Framework 2.0

Administrator Tools

WSUS Extensions: WSUS Console; Microsoft .NET Framework 2.0

Group Policy Extensions: GPMC; 32-bit architecture or Windows Vista 64-bit Edition (cannot be installed on any of the x64 server platforms).

System Center Mobile Device Manager 2008 Management Console: Microsoft Management Console (MMC) 3.0; Microsoft Windows PowerShell 1.0; Microsoft .NET Framework 2.0

Hardware

Server: Computer with two processors, 2000 MHz or faster. Recommend 2700 MHz or faster.

Memory: 2 GB RAM minimum. Recommend 4 GB of RAM or higher.

Storage: 100 GB free disk space

Network: 1 network adapter for DC, SQL, DM, and ES servers; 2 network adapters for the GW server

[Figure: SCMDM Deployment Topology. Labels: Initial OTA Device Enrollment; Internet; Front Firewall; DMZ; Back Firewall; Corporate Intranet; Managed Device; Mobile VPN; Mobile GW; Enrollment Service; Self Help Site; WSUS Catalog; CA; AD; LOB Servers; Console; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; SSL User-mutual Auth or Similar.]


More information

Application management in Nokia: Getting the most from Company Apps

Application management in Nokia: Getting the most from Company Apps Application management in Nokia: Getting the most from Case Study 2 Contents 1 Challenge...3 2...5 2.1 Deployment options...5 2.2 App security and authentication...7 2.3 Nokia...7 3 Company Hub...9 3.1

More information

NetMotion Mobility and Microsoft DirectAccess Comparison

NetMotion Mobility and Microsoft DirectAccess Comparison Product Comparison and Comparison Guidelines for Comparing and optimizes and secures all traffic to mobile devices across any network, application or operating system. It provides IT with root cause detection

More information

NetExtender for SSL-VPN

NetExtender for SSL-VPN NetExtender for SSL-VPN Document Scope This document describes how to plan, design, implement, and manage the NetExtender feature in a SonicWALL SSL-VPN Environment. This document contains the following

More information

VMware Workspace ONE UEM Apple tvos Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch

VMware Workspace ONE UEM Apple tvos Device Management. VMware Workspace ONE UEM 1811 VMware AirWatch VMware Workspace ONE UEM Apple tvos Device Management VMware Workspace ONE UEM 1811 VMware AirWatch You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Implementing and Administering Security in a Microsoft Windows 2000 Network Course 2820 Five days Instructor-led Published: February 17, 2004

Implementing and Administering Security in a Microsoft Windows 2000 Network Course 2820 Five days Instructor-led Published: February 17, 2004 Implementing and Administering Security in a Microsoft Windows 2000 Network Course 2820 Five days Instructor-led Published: February 17, 2004 Introduction This five-day instructor-led course provides students

More information

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0. Feature and Technical Overview

BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0. Feature and Technical Overview BlackBerry Enterprise Server for Microsoft Exchange Version: 5.0 Feature and Technical Overview SWDT305802-524791-0331031644-001 Contents 1 Overview: BlackBerry Enterprise Server... 5 New in this release...

More information

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810

Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN. VMware Workspace ONE UEM 1810 Workspace ONE UEM Certificate Authentication for Cisco IPSec VPN VMware Workspace ONE UEM 1810 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

Vendor: Citrix. Exam Code: 1Y Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions. Version: Demo

Vendor: Citrix. Exam Code: 1Y Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions. Version: Demo Vendor: Citrix Exam Code: 1Y0-370 Exam Name: Designing, Deploying and Managing Citrix XenMobile Solutions Version: Demo QUESTION NO: 1 Which connection type is used when WorxWeb for ios is configured to

More information

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide

BlackBerry Enterprise Server for Microsoft Office 365. Version: 1.0. Administration Guide BlackBerry Enterprise Server for Microsoft Office 365 Version: 1.0 Administration Guide Published: 2013-01-29 SWD-20130131125552322 Contents 1 Related resources... 18 2 About BlackBerry Enterprise Server

More information

VMware AirWatch Certificate Authentication for Cisco IPSec VPN

VMware AirWatch Certificate Authentication for Cisco IPSec VPN VMware AirWatch Certificate Authentication for Cisco IPSec VPN For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Getting Started with VMware View View 3.1

Getting Started with VMware View View 3.1 Technical Note Getting Started with VMware View View 3.1 This guide provides an overview of how to install View Manager components and provision virtual desktops. Additional View Manager documentation

More information

TECHNOLOGY Introduction The Difference Protection at the End Points Security made Simple

TECHNOLOGY Introduction The Difference Protection at the End Points Security made Simple APPGATE TECHNOLOGY UNIFIED TECHNOLOGY Introduction The AppGate solution truly delivers holistic security and access control where other approaches fall short. It is designed to address the security and

More information

ipad in Business Security Overview

ipad in Business Security Overview ipad in Business Security Overview ipad can securely access corporate services and protect data on the device. It provides strong encryption for data in transmission, proven authentication methods for

More information

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway

VMware AirWatch Content Gateway for Linux. VMware Workspace ONE UEM 1811 Unified Access Gateway VMware AirWatch Content Gateway for Linux VMware Workspace ONE UEM 1811 Unified Access Gateway You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

VMware AirWatch Symbian Platform Guide Deploying and managing Symbian devices

VMware AirWatch Symbian Platform Guide Deploying and managing Symbian devices VMware AirWatch Symbian Platform Guide Deploying and managing Symbian devices AirWatch v8.1 and higher Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard

More information

MCSA Windows Server 2012

MCSA Windows Server 2012 MCSA Windows Server 2012 This Training Program prepares and enables learners to Pass Microsoft MCSA: Windows Server 2012 exams 1. MCSA: Windows Server 2012 / 70-410 Exam (Installing and Configuring Windows

More information

Microsoft Windows Server 2008 R2 Remote Desktop Services Session Virtualization and VDI Microsoft RemoteFX

Microsoft Windows Server 2008 R2 Remote Desktop Services Session Virtualization and VDI Microsoft RemoteFX Microsoft Windows Server 2008 R2 Remote Desktop Services Session Virtualization and VDI Microsoft RemoteFX Citrix XenApp 6 on Remote Desktop Services Extending the Microsoft platform New features in XenApp

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level One Level Two Level Three Level Four Level Five Level Six 1.1 Utilize an Active Discovery Tool Utilize an active discovery tool to identify devices connected to the organization's network and update

More information

Sophos Mobile Control Technical guide

Sophos Mobile Control Technical guide Sophos Mobile Control Technical guide Product version: 1.1 Document date: July 2011 Contents 1. About Sophos Mobile Control... 3 2. Integration... 4 3. Architecture... 6 4. Workflow... 12 5. Directory

More information

The Device Has Left the Building

The Device Has Left the Building The Device Has Left the Building Mobile Security Made Easy With Managed PKI Christian Brindley Principal Systems Engineer, Symantec Identity and Information Protection Agenda 1 2 3 Mobile Trends and Use

More information

CIS Controls Measures and Metrics for Version 7

CIS Controls Measures and Metrics for Version 7 Level 1.1 Utilize an Active Discovery Tool 1.2 Use a Passive Asset Discovery Tool 1.3 Use DHCP Logging to Update Asset Inventory 1.4 Maintain Detailed Asset Inventory 1.5 Maintain Asset Inventory Information

More information

Windows Server 2008 Administration

Windows Server 2008 Administration Hands-On Course Description This course provides hands on experience installing and configuring Windows Server 2008 to work with clients including Windows Vista. Students will perform full and core CD-based

More information

ipad in Business Deployment Scenarios and Device Configuration Overview April 2010 Microsoft Exchange IMAP, CalDAV, and LDAP

ipad in Business Deployment Scenarios and Device Configuration Overview April 2010 Microsoft Exchange IMAP, CalDAV, and LDAP ipad in Business Deployment Scenarios and Device Configuration Overview April 00 Learn how ipad integrates seamlessly into enterprise environments with these deployment scenarios and the device configuration

More information

Designing Windows Server 2008 Network and Applications Infrastructure

Designing Windows Server 2008 Network and Applications Infrastructure Designing Windows Server 2008 Network and Applications Infrastructure Course No. 6435B - 5 Days Instructor-led, Hands-on Introduction This five-day course will provide students with an understanding of

More information

AirWatch Mobile Device Management

AirWatch Mobile Device Management RSA Ready Implementation Guide for 3rd Party PKI Applications Last Modified: November 26 th, 2014 Partner Information Product Information Partner Name Web Site Product Name Version & Platform Product Description

More information

AirWatch for Android Devices for AirWatch InBox

AirWatch for Android Devices for AirWatch InBox Overview What is AirWatch AirWatch is the mobile device management (MDM) system provided by Michigan Medicine ensure security for smart phones and tablets that connect to the Michigan Medicine environment.

More information

Microsoft IT deploys Work Folders as an enterprise client data management solution

Microsoft IT deploys Work Folders as an enterprise client data management solution Microsoft IT deploys Work Folders as an enterprise client data management solution Published May 2014 The following content may no longer reflect Microsoft s current position or infrastructure. This content

More information

ForeScout Extended Module for MaaS360

ForeScout Extended Module for MaaS360 Version 1.8 Table of Contents About MaaS360 Integration... 4 Additional ForeScout MDM Documentation... 4 About this Module... 4 How it Works... 5 Continuous Query Refresh... 5 Offsite Device Management...

More information

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Feature and Technical Overview

BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0. Feature and Technical Overview BlackBerry Enterprise Server for IBM Lotus Domino Version: 5.0 Feature and Technical Overview SWDT305802-525776-0331031530-001 Contents 1 Overview: BlackBerry Enterprise Server... 5 New in this release...

More information

Microsoft Core Solutions of Microsoft SharePoint Server 2013

Microsoft Core Solutions of Microsoft SharePoint Server 2013 1800 ULEARN (853 276) www.ddls.com.au Microsoft 20331 - Core Solutions of Microsoft SharePoint Server 2013 Length 5 days Price $4290.00 (inc GST) Version B Overview This course will provide you with the

More information

VMware AirWatch Content Gateway Guide for Linux For Linux

VMware AirWatch Content Gateway Guide for Linux For Linux VMware AirWatch Content Gateway Guide for Linux For Linux Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

Dolby Conference Phone 3.1 configuration guide for West

Dolby Conference Phone 3.1 configuration guide for West Dolby Conference Phone 3.1 configuration guide for West 17 January 2017 Copyright 2017 Dolby Laboratories. All rights reserved. For information, contact: Dolby Laboratories, Inc. 1275 Market Street San

More information

WHITE PAPER. Good Mobile Intranet Technical Overview

WHITE PAPER. Good Mobile Intranet Technical Overview WHITE PAPER Good Mobile Intranet CONTENTS 1 Introduction 4 Security Infrastructure 6 Push 7 Transformations 8 Differential Data 8 Good Mobile Intranet Server Management Introduction Good Mobile Intranet

More information

Practical Network Defense Labs

Practical Network Defense Labs Practical Network Defense Labs ABOUT This document showcases my practical hands-on engagements in the elearnsecurity HERA labs environment for the Network Defense Professional certification course. I utilized

More information

Implementing Security in Windows 2003 Network (70-299)

Implementing Security in Windows 2003 Network (70-299) Implementing Security in Windows 2003 Network (70-299) Level 1 Authorization & Authentication 2h 20m 20s 1.1 Group Strategy 1.2 Group Scopes 1.3 Built-in Groups 1.4 System or Special Groups 1.5 Administrating

More information

20331B: Core Solutions of Microsoft SharePoint Server 2013

20331B: Core Solutions of Microsoft SharePoint Server 2013 20331B: Core Solutions of Microsoft SharePoint Server 2013 Course Details Course Code: Duration: Notes: 20331B 5 days This course syllabus should be used to determine whether the course is appropriate

More information

CUSTOMER SAP Afaria Overview

CUSTOMER SAP Afaria Overview SAP Afaria 7 SP17 Document Version: 1.0 2016-08-07 CUSTOMER Content 1 Afaria Overview....3 1.1 About Afaria....3 1.2 Afaria Access and Support....4 1.3 Finding Information....5 2 Afaria Architecture....7

More information

Administering Windows Server 2012

Administering Windows Server 2012 Page 1 of 10 Overview Get hands-on instruction and practice administering Windows Server 2012, including Windows R2, in this five-day Microsoft Official Course. This course is part two in a series of three

More information

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server

PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server PEAP under Unified Wireless Networks with ACS 5.1 and Windows 2003 Server Document ID: 112175 Contents Introduction Prerequisites Requirements Components Used Conventions Configure Network Diagram Windows

More information

Windows 10 Management Technologies: What s New. Michael Niehaus Senior Product Marketing Manager, Windows Microsoft

Windows 10 Management Technologies: What s New. Michael Niehaus Senior Product Marketing Manager, Windows Microsoft Windows 10 Management Technologies: What s New Michael Niehaus Senior Product Marketing Manager, Windows Microsoft Business needs are evolving. Windows 10 offers to meet those needs. MANAGEMENT CHOICES

More information

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902

Workspace ONE UEM Certificate Authentication for EAS with ADCS. VMware Workspace ONE UEM 1902 Workspace ONE UEM Certificate Authentication for EAS with ADCS VMware Workspace ONE UEM 1902 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/

More information

This course provides students with the knowledge and skills to administer Windows Server 2012.

This course provides students with the knowledge and skills to administer Windows Server 2012. MOC 20411C: Administering Windows Server 2012 Course Overview This course provides students with the knowledge and skills to administer Windows Server 2012. Course Introduction Course Introduction 6m Module

More information

Enterprise Certificate Console. Simplified Control for Digital Certificates from the Cloud

Enterprise Certificate Console. Simplified Control for Digital Certificates from the Cloud Enterprise Certificate Console Simplified Control for Digital Certificates from the Cloud HydrantID Enterprise Management Console HydrantID s HydrantSSL Enterprise service and HydrantCloud Managed PKI

More information

Managing Site-to-Site VPNs: The Basics

Managing Site-to-Site VPNs: The Basics CHAPTER 23 A virtual private network (VPN) consists of multiple remote peers transmitting private data securely to one another over an unsecured network, such as the Internet. Site-to-site VPNs use tunnels

More information

VMware Tunnel on Linux. VMware Workspace ONE UEM 1811

VMware Tunnel on Linux. VMware Workspace ONE UEM 1811 VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this documentation, submit your feedback

More information

Administering System Center Configuration Manager

Administering System Center Configuration Manager Administering System Center Configuration Manager Course 20703-1A 5 Days Instructor-led, Hands on Course Information This five-day course describes how to use Configuration Manager and its associated site

More information

TECHNOLOGY LEADER IN GLOBAL REAL-TIME TWO-FACTOR AUTHENTICATION

TECHNOLOGY LEADER IN GLOBAL REAL-TIME TWO-FACTOR AUTHENTICATION TECHNOLOGY LEADER IN GLOBAL REAL-TIME TWO-FACTOR AUTHENTICATION SMS PASSCODE is the leading technology in a new generation of two-factor authentication systems protecting against the modern Internet threats.

More information

ADMINISTERING SYSTEM CENTER CONFIGURATION MANAGER

ADMINISTERING SYSTEM CENTER CONFIGURATION MANAGER ADMINISTERING SYSTEM CENTER CONFIGURATION MANAGER Course Code: 20703-1a Duration 5 days Introduction This five-day course describes how to use Configuration and its associated site systems to efficiently

More information

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief

RSA Solution Brief. Providing Secure Access to Corporate Resources from BlackBerry. Devices. Leveraging Two-factor Authentication. RSA Solution Brief Providing Secure Access to Corporate Resources from BlackBerry Devices Leveraging Two-factor Authentication Augmenting the BlackBerry Enterprise Solution BlackBerry devices are becoming ubiquitous throughout

More information

Windows 10. Tech Note. Open the Window to Endless Possibilities. Windows for the Enterprise. Universal App Experience

Windows 10. Tech Note. Open the Window to Endless Possibilities. Windows for the Enterprise. Universal App Experience Windows 10 ENTERPRISE MOBILITY MANAGEMENT Tech Note Open the Window to Endless Possibilities Windows 10 shows a renewed focus on the Enterprise. It successfully harmonizes user experience and device management

More information

Course A: Administering System Center Configuration Manager

Course A: Administering System Center Configuration Manager Course 20703-1A: Administering System Center Configuration Manager Overview: This five-day course describes how to use Configuration Manager and its associated site systems to efficiently manage network

More information

Exam : Title : Security Solutions for Systems Engineers. Version : Demo

Exam : Title : Security Solutions for Systems Engineers. Version : Demo Exam : 642-566 Title : Security Solutions for Systems Engineers Version : Demo 1. Which one of the following elements is essential to perform events analysis and correlation? A. implementation of a centralized

More information

VMware AirWatch Integration with RSA PKI Guide

VMware AirWatch Integration with RSA PKI Guide VMware AirWatch Integration with RSA PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com. This product

More information

Setup Guide for AD FS 3.0 on the Apprenda Platform

Setup Guide for AD FS 3.0 on the Apprenda Platform Setup Guide for AD FS 3.0 on the Apprenda Platform Last Updated for Apprenda 6.5.2 The Apprenda Platform leverages Active Directory Federation Services (AD FS) to support identity federation. AD FS and

More information

Integration Guide. SafeNet Authentication Client. Using SAC CBA for VMware Horizon 6 Client

Integration Guide. SafeNet Authentication Client. Using SAC CBA for VMware Horizon 6 Client SafeNet Authentication Client Integration Guide Technical Manual Template Release 1.0, PN: 000-000000-000, Rev. A, March 2013, Copyright 2013 SafeNet, Inc. All rights reserved. 1 Document Information Document

More information

Administering System Center Configuration Manager

Administering System Center Configuration Manager Administering System Center Configuration Manager 20703-1; 5 Days; Instructor-led Course Description This five-day course describes how to use Configuration Manager and its associated site systems to efficiently

More information

20411D D Enayat Meer

20411D D Enayat Meer Lab A Module 8: Implementing Direct Access by Using the Getting Started Wizard Scenario: Recommended lab time is 240 Minutes {a complete class session is dedicated for this lab} Many users at A. Datum

More information

Certificate Management

Certificate Management Certificate Management This guide provides information on...... Configuring the NotifyMDM server to use a Microsoft Active Directory Certificate Authority... Using Certificates from Outside Sources...

More information

A: Administering System Center Configuration Manager

A: Administering System Center Configuration Manager 20703-1A: Administering System Center Configuration Manager Duration: 5 days; Instructor-led WHAT YOU WILL LEARN This five-day course describes how to use Configuration Manager and its associated site

More information

Administering System Center Configuration Manager ( A)

Administering System Center Configuration Manager ( A) Administering System Center Configuration Manager (20703-1A) Duration: 5 Days Price: $895 Delivery Option: Attend via MOC On-Demand Students Will Learn Describing the features Configuration Manager and

More information

App Gateway Deployment Guide

App Gateway Deployment Guide C E N T R I F Y D E P L O Y M E N T G U I D E App Gateway Deployment Guide Abstract Centrify provides mobile device management and single sign-on services that you can trust and count on as a critical

More information

Pass Citrix 1Y0-306 Exam

Pass Citrix 1Y0-306 Exam Pass Citrix 1Y0-306 Exam Number: 1Y0-306 Passing Score: 800 Time Limit: 120 min File Version: 35.7 http://www.gratisexam.com/ Pass Citrix 1Y0-306 Exam Exam Name: Citrix Access Gateway 4.2 with Advanced

More information

VSP16. Venafi Security Professional 16 Course 04 April 2016

VSP16. Venafi Security Professional 16 Course 04 April 2016 VSP16 Venafi Security Professional 16 Course 04 April 2016 VSP16 Prerequisites Course intended for: IT Professionals who interact with Digital Certificates Also appropriate for: Enterprise Security Officers

More information

ipad in Business Mobile Device Management

ipad in Business Mobile Device Management ipad in Business Mobile Device Management ipad supports Mobile Device Management, giving businesses the ability to manage scaled deployments of ipad across their organizations. These Mobile Device Management

More information

Administering Windows Server 2012

Administering Windows Server 2012 Course 20411D: Administering Windows Server 2012 Module 1: Configuring and Troubleshooting Domain Name System This module explains how to configure and troubleshoot DNS, including DNS replication and caching.

More information

OpenIAM Identity and Access Manager Technical Architecture Overview

OpenIAM Identity and Access Manager Technical Architecture Overview OpenIAM Identity and Access Manager Technical Architecture Overview Overview... 3 Architecture... 3 Common Use Case Description... 3 Identity and Access Middleware... 5 Enterprise Service Bus (ESB)...

More information

VMware Identity Manager Connector Installation and Configuration (Legacy Mode)

VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager Connector Installation and Configuration (Legacy Mode) VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until

More information

VMware AirWatch Integration with SecureAuth PKI Guide

VMware AirWatch Integration with SecureAuth PKI Guide VMware AirWatch Integration with SecureAuth PKI Guide For VMware AirWatch Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0

BIG-IP Access Policy Manager : Secure Web Gateway. Version 13.0 BIG-IP Access Policy Manager : Secure Web Gateway Version 13.0 Table of Contents Table of Contents BIG-IP APM Secure Web Gateway Overview...9 About APM Secure Web Gateway... 9 About APM benefits for web

More information

Course : Planning and Administering SharePoint 2016

Course : Planning and Administering SharePoint 2016 Course Outline Course 20339-1: Planning and Administering SharePoint 2016 Duration: 5 days About this course This five-day course will provide you with the knowledge and skills to plan and administer a

More information

Microsoft Certified System Engineer

Microsoft Certified System Engineer 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Microsoft Certified System Engineer Program Summary This instructor-led program with a combination

More information

SAP Security in a Hybrid World. Kiran Kola

SAP Security in a Hybrid World. Kiran Kola SAP Security in a Hybrid World Kiran Kola Agenda Cybersecurity SAP Cloud Platform Identity Provisioning service SAP Cloud Platform Identity Authentication service SAP Cloud Connector & how to achieve Principal

More information

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution

Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution DATASHEET Optimizing Pulse Secure Access Suite with Pulse Secure Virtual Application Delivery Controller solution Features & Benefits Best-in-class VPN and vadc solutions A single point of access for all

More information

Administering System Center Configuration Manager

Administering System Center Configuration Manager Course 20703-1A: Administering System Center Configuration Manager Course Outline Module 1: Managing computers and mobile devices in the enterprise This module describes the features of Configuration Manager

More information

Sophos Mobile Control SaaS startup guide. Product version: 7

Sophos Mobile Control SaaS startup guide. Product version: 7 Sophos Mobile Control SaaS startup guide Product version: 7 Contents 1 About this guide...4 2 About Sophos Mobile Control...5 3 What are the key steps?...7 4 Change your password...8 5 Change your login

More information

Configuration Guide. BlackBerry UEM. Version 12.9

Configuration Guide. BlackBerry UEM. Version 12.9 Configuration Guide BlackBerry UEM Version 12.9 Published: 2018-07-16 SWD-20180713083904821 Contents About this guide... 8 Getting started... 9 Configuring BlackBerry UEM for the first time...9 Configuration

More information

BlackBerry UEM Configuration Guide

BlackBerry UEM Configuration Guide BlackBerry UEM Configuration Guide 12.9 2018-11-05Z 2 Contents Getting started... 7 Configuring BlackBerry UEM for the first time... 7 Configuration tasks for managing BlackBerry OS devices... 9 Administrator

More information

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication

Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication Cisco Secure ACS for Windows v3.2 With PEAP MS CHAPv2 Machine Authentication Document ID: 43486 Contents Introduction Prerequisites Requirements Components Used Background Theory Conventions Network Diagram

More information

Configuring the Client Adapter through Windows CE.NET

Configuring the Client Adapter through Windows CE.NET APPENDIX E Configuring the Client Adapter through Windows CE.NET This appendix explains how to configure and use the client adapter with Windows CE.NET. The following topics are covered in this appendix:

More information