Microsoft System Center Mobile Device Manager 2008
TRANSCRIPT
John Wyer
EMEA Marketing Manager
Mobile Communications Business
Microsoft Corporation
Background and Introduction
Customer Benefits
The Partner Opportunity
How it works
Resources
Questions
Strong growth in the business market based on deeper penetration of mobile messaging and convergence with mobile LOB applications
Increased IT demand to align smart converged handheld device strategy with laptops
Need for generalized access infrastructure for email + apps
Manage devices like laptops (no compromise on managing corporate data or on the terminals accessing the corporate network)
Microsoft efforts focused on the following target customers
Upper mid market through large enterprise customers
Exchange 2003+ mobile messaging
Windows Server infrastructure customers
Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports
Fastest growth in rich mobile scenarios beyond e-mail
Corporate data access and mobile LOB grows 5.4x from 2006 - 2011
Messaging-only grows 2.3x in the same time period
[Chart: five-year growth of business Windows Mobile scenarios, two series (Mobile Messaging; Corporate data access and mobile LOB); values shown on the chart, in MM: 0.9, 3.6, 4.5, 6.3, 14.7, 19.8]
Revenue By Industry Sector (Strategy Analytics Projections 2004-2009; US$Mn, includes laptops)

Sector                                         2004       2005       2006       2007       2008       2009
Finance, Insurance, and Real Estate         1,656.0    2,090.0    2,562.0    3,060.0    3,629.0    4,230.0
Government and Public Safety                1,334.0    1,716.0    2,121.0    2,560.0    3,040.0    3,546.0
Information and Communication Technologies  1,219.0    1,474.0    1,743.0    1,940.0    2,185.0    2,412.0
Professional Services                         989.0    1,232.0    1,533.0    1,840.0    2,185.0    2,574.0
Healthcare and Pharmaceuticals              1,012.0    1,232.0    1,449.0    1,620.0    1,824.0    2,016.0
Retail and Distribution                       552.0      704.0      840.0    1,000.0    1,178.0    1,350.0
Transportation                                345.0      418.0      483.0      540.0      589.0      648.0
Energy and Utilities                          207.0      264.0      315.0      360.0      437.0      486.0
Manufacturing                                 161.0      198.0      252.0      320.0      380.0      450.0
Construction and Engineering                  138.0      176.0      210.0      260.0      304.0      360.0
Hospitality and Travel                         23.0       44.0       42.0       60.0       76.0       72.0
Agriculture                                    23.0       22.0       21.0       40.0       38.0       54.0
Other                                         920.0    1,188.0    1,470.0    1,780.0    2,128.0    2,502.0
Total                                       8,579.0   10,758.0   13,041.0   15,380.0   17,993.0   20,700.0
Customer priorities: End User Productivity; Scalable and reliable procurement; Minimize support costs and TCO
Secure data and network access
Manageable, scalable IT infrastructure
Standardization vs. point solutions
Integrate and align with existing systems
Minimize training and support
Anytime access to corporate info
Dependable and resilient phone experience
Superior productivity including unified communications
“Provide me with always available access to the people, information and applications I need even when I am on the go”
- Sales Manager, global pharmaceutical firm
“I need a strong ROI justification if I am going to roll out mobile devices to most of my organization and not just the managers”
- Director of business group for major manufacturer
“Make it just another device on my network that I control and manage, and as an integral part of my existing architecture and security framework”
- VP of IT for Large Wall Street Bank
Microsoft System Center Mobile Device Manager 2008
MANAGEMENT
SECURITY
ACCESS
System Center Mobile Device Manager will enable phones with Windows Mobile 6.1 and beyond to be deployed and managed like PCs and laptops in the IT infrastructure, providing network access to corporate data
Security Management
• Active Directory Domain Join
• Policy enforcement using Active Directory/Group Policy targeting (>130 policies and settings)
• Communications and camera disablement*
• File encryption
• Application allow and deny
• Remote wipe
• OMA-DM compliant
Device Management
• Single point of management for mobile devices in the enterprise
• Full OTA provisioning and bootstrapping
• OTA software distribution based on WSUS 3.0
• Inventory
• SQL Server 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and PowerShell cmdlets
• WMU On/Off control
• OMA-DM compliant
MobileVPN
• Machine authentication and "double envelope security"
• Session persistence
• Fast reconnect
• Internetwork roaming
• Standards-based (IKEv2, MobIKE, IPsec tunnel mode)
Management Workload: deployed inside the firewall
Network Access Workload: deployed in the DMZ
Utilize an enterprise’s current Active Directory® structure to deploy and manage Windows Mobile devices with:
Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
Custom policies that can be created using Active Directory Management Templates
Password Policies
Require password
Password type
Password timeout
Number of passwords remembered
Minimum password length
Wipe device after failed attempts
Allow user to reset authentication on the device
Code word frequency
Code word
Password expiration
Platform Lockdown
Turn off POP and IMAP messaging
Turn off SMS and MMS messaging
Certificate Management
Remove the following unmanaged certificates: SPC/Privileged/Normal/Root/Intermediate certificates
Turn off camera
Turn off WLAN, Bluetooth, Infrared
Security Policies
Allow unsigned applications to run on devices
Grant manager role permissions to user
Allow unsigned .cab file installation
Turn on Storage Card Encryption
Set reboot session reset reminder
Device Encryption
Turn on device encryption
Specify file on encryption list
Exclude files from encryption
Mobile VPN Settings
Specify corporate secure connection name
Time interval between keep alive packets
Allow AES data encryption algorithm
Always connected when roaming
Allow user to enable and disable VPN
Software distribution
Enable client side targeting
To enroll their devices, users simply need to:
Access the company’s portal for self-service enrollment
Enter their e-mail address
Enter a one-time PIN code for enrollment
Target users in specific Active Directory groups
Configure mobile applications such that users cannot uninstall them
Eliminate the need to distribute CAB files via Flash drives
Access powerful reporting systems for reviewing software distribution across a mobile device workforce
Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:
View a broad range of device characteristics like device settings, certificates installed, software installed etc.
Reduce the learning curve since it is based on the familiar Microsoft Management Console (MMC)
Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
Disable specific hardware functionality, such as the camera or Bluetooth connectivity
Remotely wipe security-compromised devices
Single point of access to the corporate network
Always-on, security-enhanced wireless communication
Behind-the-firewall access to business applications
MDM introduces three new server roles:
Enrollment Server
Proxies requests to enroll devices
Mobile VPN Server
Typically located in the network perimeter
Entry point to corporate network
Forwards network and device management communications between the corporate network and its devices
Device Management Server
Based on OMA DM standards
Architecture Principles
• Security first
• Large scale distributed solution
• Transparent compatibility
• Extensibility & future proofing
• Location:
• Intranet based (domain joined server/service)
• Purpose:
• Manage the process flow of enrollment
• Create domain objects
• Create certificates
• Supply provisioning instructions
• Other:
• Best practice: protected by a Proxy (e.g. ISA)
• Can co-exist on Device Management Server in integrated implementation
Private key and Enrollment Password never transmitted over the air
All traffic between client and server uses SSL
SSL negotiation does not require a public root certificate (e.g. from VeriSign)
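The enrollment flow from the earlier slide (self-service portal, e-mail address, one-time PIN) together with the two properties stated here (private key and enrollment password never sent over the air; all traffic inside SSL) can be modelled end to end. The following is an added example written for this page, not SCMDM's own code or wire protocol: the message layout, the PBKDF2 work factor, the three-attempt lockout, the ten-minute PIN lifetime and the stand-in key pair are assumptions made for the illustration.

```python
"""Model of a one-time-PIN device enrollment that keeps the enrollment
password and the device's private key off the wire.

Added illustration for this page; it is not SCMDM's wire protocol. The
message layout, PBKDF2 parameters, attempt limit and the stand-in "key pair"
are assumptions made for the example. Standard library only.
"""
import hashlib
import hmac
import os
import secrets
import time

PBKDF2_ITERATIONS = 100_000   # assumed work factor; slows offline PIN guessing
MAX_ATTEMPTS = 3              # assumed; a short PIN needs an online guess limit


def derive_enrollment_key(pin: str, salt: bytes) -> bytes:
    """Both ends derive the same HMAC key from the PIN; only a proof built from it travels."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ITERATIONS)


class EnrollmentServer:
    """Holds pending one-time PINs created by the administrator and issues pseudo-certificates."""

    def __init__(self):
        self._pending = {}   # email -> {"pin", "salt", "expires", "failures"}
        self.issued = {}     # email -> pseudo-certificate

    def create_enrollment_request(self, email, ttl_seconds=600, now=None):
        """Admin step: returns the PIN that is handed to the user out of band (not over the air)."""
        now = time.time() if now is None else now
        pin = f"{secrets.randbelow(10 ** 8):08d}"
        self._pending[email] = {"pin": pin, "salt": os.urandom(16),
                                "expires": now + ttl_seconds, "failures": 0}
        return pin

    def challenge(self, email):
        """Portal step: the device submits its e-mail address and receives the public salt."""
        entry = self._pending.get(email)
        return None if entry is None else entry["salt"]

    def enroll(self, email, device_public_key, proof, now=None):
        """Verify HMAC(PBKDF2(pin, salt), public_key); the PIN is consumed on success or lockout."""
        now = time.time() if now is None else now
        entry = self._pending.get(email)
        if entry is None:
            return None, "no pending request"
        if now > entry["expires"]:
            del self._pending[email]
            return None, "pin expired"
        key = derive_enrollment_key(entry["pin"], entry["salt"])
        expected = hmac.new(key, device_public_key, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, proof):
            entry["failures"] += 1
            if entry["failures"] >= MAX_ATTEMPTS:
                del self._pending[email]
                return None, "pin locked"
            return None, "bad proof"
        del self._pending[email]   # one-time: replaying the same message cannot enroll again
        cert = {"subject": email, "public_key": device_public_key.hex(), "issued_at": now}
        self.issued[email] = cert
        return cert, "ok"


class Device:
    """The device generates its key pair locally; only the public half is ever sent."""

    def __init__(self):
        self._private_key = os.urandom(32)  # stand-in for a real private key; never leaves this object
        self.public_key = hashlib.sha256(b"pub:" + self._private_key).digest()  # stand-in public key
        self.certificate = None

    def build_enrollment_message(self, email, pin, salt):
        """User step: types the PIN into the device; the device sends (email, public key, proof)."""
        key = derive_enrollment_key(pin, salt)
        proof = hmac.new(key, self.public_key, hashlib.sha256).digest()
        return email, self.public_key, proof


def run_enrollment(server, device, email, pin, now=None):
    """Full flow for one device; returns the status string reported by the server."""
    salt = server.challenge(email)
    if salt is None:
        return "no pending request"
    message = device.build_enrollment_message(email, pin, salt)
    cert, status = server.enroll(*message, now=now)
    device.certificate = cert
    return status


if __name__ == "__main__":
    srv = EnrollmentServer()
    user_pin = srv.create_enrollment_request("alice@example.com")   # constructed sample address
    dev = Device()
    print(run_enrollment(srv, dev, "alice@example.com", user_pin))  # ok
    print(run_enrollment(srv, dev, "alice@example.com", user_pin))  # no pending request
```

The two slide properties depend on each other: the proof is an HMAC keyed from an eight-digit PIN, so anyone who captures it can guess the PIN offline. The model only holds because the proof travels inside the SSL session to the enrollment server, the PIN expires, and it is consumed on first use or after a few wrong attempts.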
Mobile VPN for both client and server
Standards based
IPSec Tunnel Mode
MobIKE
IKEv2
Enables access to corporate resources
LOB
Internet proxy servers
• Location:
• Corporate DMZ (non-domain joined)
• Purpose:
• Authenticates incoming connections for authorized devices
• Assigns a stable internal IP address for the device
• Enables fast resume/reconnect features for devices and applications
• Negotiates keys to encrypt traffic over the internet
• Other:
• IPSEC termination point
• Managed remotely
Security management
Enrollment
AD domain join
Wipe
Policy enforcement
Service enablement/disablement
Application deny/allow
Software distribution
Inventory and reporting
• Location:
• Intranet based (domain joined server/service)
• Purpose:
• Primary administration and management service for all managed devices
• Functional hub for device Group Policy application, device software packages, and device data wipes
• Communicates with existing infrastructure servers, such as domain controllers and the CA
• Proxies information and commands between core Windows Servers (AD/CA) and devices
• Other:
• OMA-DM compliant
Required:
Windows Server 2003 SP2 64 bit
SQL Server 2005
Active Directory
Microsoft CA
Group Policy
Not Required:
Exchange Server (any version)
Systems Management Server
System Center
ISA Server*
Enable "Front Door" and continue to support "Back Door" entries into the enterprise
400M+ mobile workers in the world! (these are also consumers)
Devices will still be used for business scenarios regardless of how they were purchased
Back Door devices should be allowed to participate in business scenarios and IT management
Question:
How can we set up, configure and control what the user can/can’t do on a Windows Mobile device?
Increased control over the applications installed on mobile devices
Set a certain set of LOB applications as the only applications allowed on the device
Block certain applications on the device
Provides increased flexibility
OTA provisioning ensures optimal experience with LOB application
Device settings can be optimized for the LOB application during OTA provisioning
LOB applications can be installed on device during first provisioning
Flexible LOB application distribution and deployment
LOB applications can be distributed to mobile devices through WSUS 3.0
Applications can be updated OTA via WSUS 3.0
Maintain inventory and reporting on LOB applications
Inventory capabilities report LOB applications installed on each device, ensuring consistency in availability and deployment
OMA DM compliance
Standards–based OMA DM architecture provides flexibility for LOB applications
Question:
We want to be able to secure the data and the devices – how can we do this?
Securing the Data
• Mobile Device Manager extends Active Directory®/Group Policy to Windows Mobile
• Over 130 configuration policies and settings for Windows Mobile can now be managed through Group Policy, including control of Bluetooth, Wi-Fi, SMS/MMS, IR, camera, and POP/IMAP
• Administrators can now select to encrypt both the SD card and the internal memory of the device
• Microsoft® SQL Server™ Compact Edition configurations
Fully relational DB in a 2-3 MB footprint
Powerful data synchronization technology
Remote data access
Merge replication
Tight integration
Microsoft® Visual Studio® .NET 2005
SQL Server 2005
Database encryption and replication over SSL
Support across Windows Mobile platforms
Question:
How can we keep these devices up-to-date?
Maintaining Devices
In the past, updating applications was a manual process
Now we can push updates and software in much the same way that Windows administrators push software using Group Policies for Microsoft® Windows® XP and Microsoft® Windows Vista® computers
Question:
We would like to provide secure access to our intranet and other services – how can we do this?
Goal: Secure remote mobile access into corporate networks
Legacy solutions are inadequate
Options and their limitations:

SSL VPN
• Security: SSL termination in the DMZ breaks end-to-end security
• Efficiency: TCP flow control is not optimized for mobile networks

Direct Web connection to intranet
• Security: no pre-authentication; direct access to the corporate network
• Efficiency: no connection aggregation (per-application keep-alive)

IP VPN (L2TP, IPsec/IKEv1)
• Security: pre-authentication in the DMZ; unrestricted access to the corporate network
• Resiliency: fails on change of IP address and needs to be reconnected; the failure is visible to applications
• Efficiency: L2TP establishment is slow and consumes more bandwidth
• Simplicity: requires a RADIUS deployment

Mobile VPN in Mobile Device Manager (Security, Efficiency, Extensibility, Resiliency, Simplicity):
• Security: standard IPsec tunnel mode (with device authentication); DMZ pre-authentication to meet enterprise standards; supports end-to-end native corporate security
• Extensibility: transparent to client applications and LOB services
• Resiliency: resilient to short disconnects and IP address changes; seamless network transition (WiFi<->WWAN)
• Simplicity: minimum user configuration; transparent to the user and to applications
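The resiliency row above (the tunnel survives IP address changes and WiFi<->WWAN transitions) and the earlier Mobile VPN server slide (stable internal IP address, fast reconnect) come down to one design choice in IKEv2 with MobIKE (RFC 4555): the gateway indexes a security association by SPI rather than by the client's outer address, and an address change is an authenticated IKE message rather than a fresh negotiation. The model below is an added example written for this page, not MobileVPN's implementation: its message layout, the random bytes standing in for negotiated keys, the inner address pool and the gateway object are assumptions.

```python
"""Model of why an IPsec tunnel keyed the MobIKE way survives an IP address
change while an IKEv1-style tunnel bound to the outer address does not.

Added illustration for this page, not the MobileVPN implementation. Message
layout, keys (random bytes standing in for negotiated IKE/ESP keys), the inner
address pool and the gateway object are assumptions. The design follows
RFC 4555: the SA is found by SPI, not by outer source address, and an address
change is an UPDATE_SA_ADDRESSES request authenticated under the SA key with
a monotonically increasing message ID, so it can be neither forged nor replayed.
"""
import hashlib
import hmac
import os
import secrets

UPDATE_TAG = b"UPDATE_SA_ADDRESSES"


def _mac(key: bytes, *parts: bytes) -> bytes:
    return hmac.new(key, b"".join(parts), hashlib.sha256).digest()


class Gateway:
    """Perimeter VPN gateway. mobike=False models a gateway that binds the SA to the outer address."""

    def __init__(self, mobike=True):
        self.mobike = mobike
        self.sas = {}                                # spi -> {"peer", "inner", "key", "last_msg_id"}
        self._inner_pool = iter(range(10, 255))      # assumed inner pool 10.200.0.10-254

    def establish(self, peer_addr):
        """IKE negotiation stand-in: allocate an SPI, a key and a stable inner address."""
        spi = secrets.randbits(32).to_bytes(4, "big")
        sa = {"peer": peer_addr, "inner": f"10.200.0.{next(self._inner_pool)}",
              "key": os.urandom(32), "last_msg_id": 0}
        self.sas[spi] = sa
        return spi, sa["key"], sa["inner"]

    def receive_esp(self, spi, src_addr, payload, icv):
        """Inbound data packet: SA lookup by SPI (MobIKE) or by outer address (legacy), then ICV check."""
        sa = self.sas.get(spi)
        if sa is None:
            return "dropped: unknown SPI"
        if not self.mobike and sa["peer"] != src_addr:
            return "dropped: no SA for source address"   # legacy: roaming orphaned the tunnel
        if not hmac.compare_digest(_mac(sa["key"], spi, payload), icv):
            return "dropped: bad ICV"
        return f"delivered from {sa['inner']}"

    def update_sa_addresses(self, spi, new_addr, msg_id, mac):
        """MobIKE address update: only the holder of the SA key can move the tunnel, once per msg_id."""
        sa = self.sas.get(spi)
        if sa is None or not self.mobike:
            return "rejected: unsupported"
        if msg_id <= sa["last_msg_id"]:
            return "rejected: replay"
        expected = _mac(sa["key"], UPDATE_TAG, spi, msg_id.to_bytes(4, "big"), new_addr.encode())
        if not hmac.compare_digest(expected, mac):
            return "rejected: bad authentication"
        sa["peer"] = new_addr
        sa["last_msg_id"] = msg_id
        return "updated"


class Device:
    def __init__(self, gateway, addr):
        self.gw, self.addr = gateway, addr
        self.msg_id = 0
        self.spi, self.key, self.inner = gateway.establish(addr)

    def send(self, payload: bytes):
        return self.gw.receive_esp(self.spi, self.addr, payload, _mac(self.key, self.spi, payload))

    def move_to(self, new_addr):
        """Network transition (e.g. WLAN to WWAN): MobIKE updates in place, legacy must renegotiate."""
        self.addr = new_addr
        if not self.gw.mobike:
            return "renegotiate"   # new IKE exchange: new SPI, and the inner address may change
        self.msg_id += 1
        mac = _mac(self.key, UPDATE_TAG, self.spi, self.msg_id.to_bytes(4, "big"), new_addr.encode())
        return self.gw.update_sa_addresses(self.spi, new_addr, self.msg_id, mac)


def forge_update(gateway, spi, new_addr, msg_id):
    """Attacker who observed the SPI and addresses but lacks the SA key tries to redirect the tunnel."""
    return gateway.update_sa_addresses(spi, new_addr, msg_id, os.urandom(32))


if __name__ == "__main__":
    gw = Gateway(mobike=True)
    dev = Device(gw, "198.51.100.7")          # constructed sample addresses
    print(dev.send(b"GET /"))                 # delivered from 10.200.0.10
    print(dev.move_to("203.0.113.9"))         # updated
    print(dev.send(b"GET /"))                 # delivered from 10.200.0.10 (same inner address)
    print(forge_update(gw, dev.spi, "192.0.2.66", dev.msg_id + 1))   # rejected: bad authentication
```

The forge and replay checks are the part worth remembering when reviewing any roaming VPN: a gateway that moved the tunnel on the strength of a packet's source address would let anyone who learned the SPI redirect it. RFC 4555 additionally lets the gateway run a return-routability check (a COOKIE2 exchange to the new address) before sending traffic there; that step is omitted in this model.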
Security Management
Device Management
Partners can set up and support their customers in managing the customers’ devices directly
Partners can benefit from a new services revenue stream by providing SCMDM deployment and integration
Authenticated Network Access
Partners can offer and deploy a single security and management platform with value-added services around WM
Partners have security-enhanced access into the customer’s environment and ability to replicate sensitive information on accessible extranet
Partners can provide infrastructure attach services and solutions, including Windows Server®, Exchange Server, SQL Server, and Office Communications Server
Partners can effectively deliver and manage LOB applications throughout the lifecycle of the mobile solution.
Partner Value Props
Vision: Help partners build out their mobility practices and create additional business benefits with SCMDM & their value-add services
Unleashed sales force on mobility!
• New sales of products and services
• New service revenue
• Sold as a Server/CAL model through Microsoft Volume Licensing
Solve customer issues!
• Removes dependency on customer deployments of specific versions of Exchange Server for device management
• Building and deploying new System Center Mobile Device Manager 2008 installations
Deeper penetration and recurring revenue
• Delivering and managing Line of Business (LOB) applications for mobile workers
• Enhancing System Center Mobile Device Manager-based mobile infrastructure with Windows Server, Exchange Server, SQL Server, and Office Communications Server
• Ease of deployment empowers IT to roll devices out at large scale
Current customers with the following technology:
Exchange Server 2003–2007
SharePoint Server
Small Business Server
Microsoft CRM
Customers with:
Mobile workers
Service industries
Please refer to on-demand Webcast on these specific opportunities
[Diagram: product positioning of System Center Configuration Manager (SCCM) and System Center Mobile Device Manager (SCMDM) against the Security Management, Device Management and MobileVPN workloads, with Standard CAL and Enterprise CAL tiers, alongside Exchange mobile scenarios]
Sold as Server/CAL model
• Typical deployment 2-3 servers (gateway, DM, enrollment)
• CALs offered per-user or per-device
• Windows Server licenses and CALs required for OS
• Pricing TBD
Integration with Microsoft Volume Licensing
• Available in all VL programs worldwide—EA, Select, Open, Open Value, Academic
• Standalone only with potential future integration with Enterprise CAL Suite or other packaged offers
Projected Availability Spring 2008
• Price list and Volume Licensing projected availability Spring 2008
• Sim-ship all languages
1. Where can I get more information?
2. How do I sell Mobile Device Manager?
3. What is the key resource for Windows Mobile products for partners?
4. What training is available?
5. Who is the best customer for this product?
6. How do I get on the Beta? (at Connect.microsoft.com)
https://partner.microsoft.com/US/program/competencies/mobilitysolutions
As a Mobility Solutions partner you will get news and announcements on:
Upcoming training
Schedule of related events
Product announcements
Partner marketing tools
And as a Mobility Solutions partner you get software for internal use!
New Mobility Solutions training will be available on the Partner Learning Center:
https://training.Partner.microsoft.com/plc/search_adv.aspx?ssid=783c495a-7cd0-4e03-a24a-631a94740594
Business Value for Partners Webcast (February 25, 2008 8:00 AM PT)
https://training.partner.microsoft.com/plc/details.aspx?systemid=1787852&page=/plc/search_adv.aspx
Selling MDM and Related Products/Services Webcast (February 26, 2008 8:00 AM PT)
https://training.partner.microsoft.com/plc/details.aspx?systemid=1787853&page=/plc/search_adv.aspx
Licensing Programs Webcast (February 27, 2008 8:00 AM PT)
https://training.partner.microsoft.com/plc/details.aspx?systemid=1787878&page=/plc/search_adv.aspx
Technical Review of MDM Webcast (February 28, 2008 8:00 AM PT)
https://training.partner.microsoft.com/plc/details.aspx?systemid=1787877&page=/plc/search_adv.aspx
Overview for Mobile Operators Webcast (February 29, 2008 8:00 AM PT)
https://training.partner.microsoft.com/plc/details.aspx?systemid=1787880&page=/plc/search_adv.aspx
Microsoft System Center Mobile Device Manager 2008 Online tutorial:
https://training.partner.microsoft.com/plc/details.aspx?systemid=1746109&page=/plc/search_adv.aspx
General
http://www.microsoft.com/windowsmobile/default.mspx
http://www.microsoft.com/windowsmobile/mobileoperators/default.mspx
http://www.microsoft.com/systemcenter/mobile/default.mspx
Mobility Solutions Competency https://partner.microsoft.com/global/program/competencies/40019126
Partner Marketing Center https://partner.microsoft.com/global/salesmarketingsection/smcampaigns
Resources by Customer and Marketing Segment Small Business Mobility Solutions
https://partner.microsoft.com/program/competencies/40031816
Midsize Mobility Solutions https://partner.microsoft.com/program/competencies/40029383
Line-of-Business Mobility Solutions https://partner.microsoft.com/program/competencies/40037304
Windows Mobile Direct Sales Resource Center http://windowsmobilesales.com
Windows Mobile Business Value Calculator http://www.microsoft.com/windowsmobile/business/calculator/default.mspx
Business Portal http://www.microsoft.com/windowsmobile/business/default.mspx
Partner Directory http://www.microsoft.com/windowsmobile/providers/mpdsearch.aspx
Training https://partner.microsoft.com/US/program/competencies/mobilitysolutions/40029316
http://www.msreadiness.com/competency.aspx?cid=590
http://windowsmobiletraning.com
Case Studies
http://www.microsoft.com/windowsmobile/business/success/default.mspx
http://www.microsoft.com/resources/casestudies/
White Papers
http://www.microsoft.com/windowsmobile/business/strategy/default.mspx
Technical Support
http://technet.microsoft.com/default.aspx
http://msdn.microsoft.com/mobile/security (mobile security)
http://supportcenter.windowsmobiletraining.com (device troubleshooting)
Use Windows Mobile devices
Check out the resources (previous slides)
Identify the low-hanging fruit
Organizations with Exchange Server 2003
Companies looking to "go beyond e-mail"
Watch for the Windows Mobile Security and Device Management Webcast Series
© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.