simplify security and device management final pres10 23final


Upload: jasonlan

Post on 28-Nov-2014


DESCRIPTION

Windows Mobile Security System Center Mobile Device Manager 2008

TRANSCRIPT

Page 1: Simplify Security And Device Management Final Pres10 23final
Page 2: Simplify Security And Device Management Final Pres10 23final

Jason Langridge
Enterprise Mobility Solution Specialist
Microsoft

Email: [email protected]

Blog: http://blogs.msdn.com/jasonlan

Page 3: Simplify Security And Device Management Final Pres10 23final

1. How can we set up/configure our Windows Mobile devices?
2. Is there a way to control what the user can/can’t do?
3. We want to be able to secure the data and the devices.
4. How can we keep these devices up to date?
5. We would like to provide secure access to our Intranet and other services.

Page 4: Simplify Security And Device Management Final Pres10 23final

Lets you deploy and manage Windows Mobile devices like you do PCs/laptops in your IT infrastructure and provides security-enhanced access to corporate data

Security Management

Active Directory Domain join

Policy enforcement using Active Directory/Group Policy targeting (>130 policies)

Communications and camera disablement*

File encryption

Application allow and deny

Remote wipe

OMA-DM compliant

Device Management

Single point of management for mobile devices in enterprise

Full OTA provisioning and bootstrapping

OTA Software distribution based on WSUS 3.0

Inventory

SQL Server 2005 based reporting capabilities

Role based administration

MMC snap-ins and PowerShell cmdlets

WMU On/Off control

Mobile Optimized VPN

Machine authentication and “double envelope security”

Session Persistence

Fast Reconnect

Internetwork roaming

Standards based (IKEv2, MobIKE, IPSEC tunnel mode)

Management Workload Deployment: Inside Firewall

Network Access Workload Deployment: in DMZ

Page 5: Simplify Security And Device Management Final Pres10 23final

Leverage existing services

Active Directory

Group Policy

Windows Server Update Services

Page 6: Simplify Security And Device Management Final Pres10 23final

Extends Active Directory & Group Policy to Windows Mobile

130+ configuration settings now managed through Group Policy including

Bluetooth

WIFI

SMS/MMS

IR

Camera

POP/IMAP

Extensible architecture

Page 7: Simplify Security And Device Management Final Pres10 23final

Enterprise-wide OTA software distribution

Wide Selection of Inventory and Reporting options

Page 8: Simplify Security And Device Management Final Pres10 23final

[Architecture diagram; labels: Smartcard, Internet, DMZ, Corporate Intranet, Front Firewall, Back Firewall, Initial OTA Device Enrollment, Mobile GW, Mobile VPN, SSL Auth (PIN+Corp Root), SSL Machine Mutual Auth, SSL User-mutual Auth or Similar, E-mail and LOB Servers, Console, Mobile Server, Back-end, R/O AD, WSUS Catalog, Self Help Site, Enrollment Service, OMA Proxy, CA]

Page 9: Simplify Security And Device Management Final Pres10 23final

Different categories/differing terminology

Front door vs Back Door devices

Enterprise Managed vs Consumer

Corporate vs Employee Liable

Initial problem - getting the client on the device

Zero touch deployment and setup

Page 10: Simplify Security And Device Management Final Pres10 23final

• Administrator invokes enrollment request and sends One-Time PIN to the user (email, text message, voicemail, etc.)

• Or user uses Self-Help Portal to acquire One-Time PIN

Here’s your PIN

1234abcd

Page 11: Simplify Security And Device Management Final Pres10 23final

• User runs the “Enterprise Activation” wizard on the device

What is your email address?

1. Takes SMTP address and looks for host MobileEnroll.domain.com

2. If host is located, connection to Enrollment Server will be initiated

3. If host is not found, user will be prompted for the FQDN of the Enrollment Server

4. Session is established over SSL (TCP 443)

5. User is prompted to enter their One-Time PIN

Page 12: Simplify Security And Device Management Final Pres10 23final

1. Web Service validates OTP

2. If valid, it passes session on to Network Service

3. OTP now cannot be re-used

Enrollment Server

Passes across OTP to WS

Session handed over to Network Service

Page 13: Simplify Security And Device Management Final Pres10 23final

1. Device is then “Domain Joined”
2. SC MDM Client is configured to use Mobile Gateway for all future connectivity
3. Enrollment is complete
4. Device is then set up/configured using Group Policy
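
The enrollment steps on slides 10 to 13 (deriving the MobileEnroll host from the SMTP address, then checking a One-Time PIN that cannot be reused), sketched as an added example that is not part of the original presentation or Microsoft's code. `OtpStore`, the PIN format, the salted-hash storage and the failed-attempt limit are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

DISCOVERY_LABEL = "MobileEnroll"  # host label named on the slide


def discovery_host(smtp_address):
    """Host the activation wizard looks for, derived from the SMTP address."""
    local, sep, domain = smtp_address.strip().rpartition("@")
    if not sep or not local or "." not in domain:
        raise ValueError("not a usable SMTP address")
    return f"{DISCOVERY_LABEL}.{domain.lower()}"


class OtpStore:
    """Assumed server-side store: one pending PIN per user, kept only as a salted hash."""

    def __init__(self, max_failures=5):  # attempt limit is an assumption
        self._pending = {}  # user -> [salt, digest, failed_attempts]
        self._max_failures = max_failures

    def issue(self, user):
        pin = secrets.token_hex(4)  # constructed format: 8 hex characters
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + pin.encode()).digest()
        self._pending[user.lower()] = [salt, digest, 0]
        return pin

    def redeem(self, user, pin):
        """True once for the right PIN; the PIN is consumed so it cannot be reused."""
        key = user.lower()
        entry = self._pending.get(key)
        if entry is None:
            return False
        salt, expected, _ = entry
        offered = hashlib.sha256(salt + pin.encode()).digest()
        if hmac.compare_digest(offered, expected):
            del self._pending[key]  # single use: valid PIN is removed
            return True
        entry[2] += 1
        if entry[2] >= self._max_failures:
            del self._pending[key]  # too many bad guesses: PIN is revoked
        return False
```
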

Page 14: Simplify Security And Device Management Final Pres10 23final

Key concerns

Preventing unauthorized applications from being run/installed

Disabling some of the device's capabilities (e.g. Camera/WiFi)

Access to consumer services (e.g. POP3/IMAP)

Mobile Device Manager empowers you through

Active Directory Integration

Group Policies

Page 15: Simplify Security And Device Management Final Pres10 23final

Data stored on both the physical device and storage card

Windows Mobile 6 provides ability to encrypt storage card

System Center Mobile Device Manager provides

Enable Device Perimeter PIN password

Ability to enforce encryption on storage card

Allow/Disallow the use of removable storage

Remotely Wipe devices

Page 16: Simplify Security And Device Management Final Pres10 23final

Important to separate update needs:

Device OS

Applications, Configuration and Settings

System Center Mobile Device Manager allows you to:

Distribute software and applications through Windows Server Update Services (WSUS)

Set up/configure/manage devices through Active Directory and Group Policy

Page 17: Simplify Security And Device Management Final Pres10 23final

[Network diagram; labels: WWAN, Internet, WIFI, https://EAS, http://www.microsoft.com]

Page 18: Simplify Security And Device Management Final Pres10 23final

[Network diagram; labels: DMZ, WWAN, Corpnet, Internet, FW, FW, Email or LOB Servers, Mobile Gateway, WIFI, NAT, https://EAS, http://www.microsoft.com]

Page 19: Simplify Security And Device Management Final Pres10 23final

• Addressed 5 key security and management concerns

• Showed how to improve and simplify mobile device management and security with System Center Mobile Device Manager

For more information: www.windowsmobile.com/mobiledevicemanager/

Page 20: Simplify Security And Device Management Final Pres10 23final

Questions and Answers

Submit text questions using the “Ask” button.

Don’t forget to fill out the survey.

For upcoming and previously live webcasts: www.microsoft.com/webcast

Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781

Page 21: Simplify Security And Device Management Final Pres10 23final
Page 22: Simplify Security And Device Management Final Pres10 23final

© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.