Simplify Security and Device Management
Windows Mobile Security: System Center Mobile Device Manager 2008 (webcast transcript)
Jason Langridge, Enterprise Mobility Solution Specialist, Microsoft
Email: [email protected]
Blog: http://blogs.msdn.com/jasonlan
1. How can we set up/configure our Windows Mobile devices?
2. Is there a way to control what the user can/can't do?
3. We want to be able to secure the data and the devices.
4. How can we keep these devices up to date?
5. We would like to provide secure access to our Intranet and other services.
Lets you deploy and manage Windows Mobile devices like you do PCs/laptops in your IT infrastructure and provides security-enhanced access to corporate data.
Security Management
Active Directory Domain join
Policy enforcement using Active Directory/Group Policy targeting (>130 policies)
Communications and camera disablement*
File encryption
Application allow and deny
Remote wipe
OMA-DM compliant
Device Management
Single point of management for mobile devices in enterprise
Full OTA provisioning and bootstrapping
OTA Software distribution based on WSUS 3.0
Inventory
SQL Server 2005 based reporting capabilities
Role based administration
MMC snap-ins and PowerShell cmdlets
WMU On/Off control
Mobile Optimized VPN
Machine authentication and “double envelope security”
Session Persistence
Fast Reconnect
Internetwork roaming
Standards based (IKEv2, MobIKE, IPsec tunnel mode)
Management Workload: deployment inside the firewall
Network Access Workload: deployment in the DMZ
Leverage existing services
Active Directory
Group Policy
Windows Server Update Services
Extends Active Directory & Group Policy to Windows Mobile
130+ configuration settings now managed through Group Policy, including
Bluetooth
WIFI
SMS/MMS
IR
Camera
POP/IMAP
Extensible architecture
Enterprise-wide OTA software distribution
Wide selection of inventory and reporting options
[Architecture diagram. Zones, left to right: Internet, Front Firewall, DMZ, Back Firewall, Corporate Intranet. In the DMZ: Mobile GW (Mobile Gateway). In the Corporate Intranet: Console, Mobile Server, Back-end (R/O AD, WSUS Catalog, Self Help Site, Enrollment Service, OMA Proxy, CA), and E-mail and LOB Servers. Connection labels: Initial OTA Device Enrollment with SSL Auth (PIN + Corp Root); Mobile VPN with SSL Machine Mutual Auth; E-mail/LOB access with SSL User-mutual Auth or similar; Smartcard on the device.]
Different categories / differing terminology
Front door vs back door devices
Enterprise managed vs consumer
Corporate vs employee liable
Initial problem: getting the client on the device
Zero touch deployment and setup
• Administrator invokes an enrollment request and sends a One-Time PIN to the user (email, text message, voicemail, etc.)
• Or the user uses the Self-Help Portal to acquire a One-Time PIN ("Here's your PIN: 1234abcd")
• User runs the "Enterprise Activation" wizard on the device ("What is your email address?")
1. The wizard takes the SMTP address and looks for the host MobileEnroll.domain.com
2. If the host is located, a connection to the Enrollment Server is initiated
3. If the host is not found, the user is prompted for the FQDN of the Enrollment Server
4. A session is established over SSL (TCP 443)
5. The user is prompted to enter their One-Time PIN
6. The Enrollment Server passes the OTP across to the Web Service, which validates it
7. If valid, the session is handed over to the Network Service
8. The OTP now cannot be re-used
1. Device is then "Domain Joined"
2. SC MDM Client is configured to use Mobile Gateway for all future connectivity
3. Enrollment is complete
4. Device is then set up/configured using Group Policy
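The enrollment bootstrap above, reduced to its two security-relevant pieces as an added simulation (this is not SCMDM client or server code): the device deriving MobileEnroll.<mail domain> from the SMTP address with the FQDN fallback, and the web service accepting the One-Time PIN exactly once. Name resolution and the clock are injected so it runs offline; the OTP lifetime, the 8-character PIN format, the contoso.com addresses and the keyed-hash storage of the PIN are assumptions of the example, not details from the slides.

```python
"""Simulation of the zero-touch enrollment bootstrap (added example, not SCMDM code)."""
import hmac
import secrets
import time
from typing import Callable, Dict, Optional


def enrollment_host_from_smtp(address: str) -> str:
    """Step 1: derive MobileEnroll.<mail domain> from the SMTP address."""
    local, at, domain = address.strip().rpartition("@")
    if not at or not local or not domain or " " in address.strip():
        raise ValueError(f"not an SMTP address: {address!r}")
    return f"mobileenroll.{domain.lower()}"


def discover_enrollment_server(address: str,
                               resolves: Callable[[str], bool],
                               ask_for_fqdn: Callable[[], str]) -> str:
    """Steps 1-3: use the derived host if it resolves, else prompt for the FQDN."""
    host = enrollment_host_from_smtp(address)
    if resolves(host):
        return host
    return ask_for_fqdn().strip().lower()


class EnrollmentWebService:
    """Server side of steps 5-8: issue and validate single-use OTPs."""

    OTP_LIFETIME_SECONDS = 8 * 3600  # assumed lifetime; the slides give no value

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock
        self._key = secrets.token_bytes(32)      # per-service HMAC key (assumption)
        self._pending: Dict[str, dict] = {}      # user -> {digest, expires, used}

    def _digest(self, otp: str) -> bytes:
        # Store only a keyed hash of the PIN so a read of the pending table
        # does not leak live PINs.
        return hmac.new(self._key, otp.encode(), "sha256").digest()

    def create_request(self, user: str) -> str:
        """Administrator (or self-help portal) creates the request; the returned
        OTP is delivered to the user out of band (email, SMS, voicemail)."""
        otp = secrets.token_hex(4)               # 8 hex characters, e.g. "1234abcd"
        self._pending[user.lower()] = {
            "digest": self._digest(otp),
            "expires": self._clock() + self.OTP_LIFETIME_SECONDS,
            "used": False,
        }
        return otp

    def validate_otp(self, user: str, otp: str) -> bool:
        """Accept the OTP exactly once. Unknown user, wrong PIN, expiry and
        replay all fail the same way; success marks the PIN consumed before
        the session is handed over to the Network Service."""
        entry = self._pending.get(user.lower())
        if entry is None or entry["used"] or self._clock() > entry["expires"]:
            return False
        if not hmac.compare_digest(entry["digest"], self._digest(otp)):
            return False
        entry["used"] = True
        return True


def enroll(address: str, otp: str, service: EnrollmentWebService,
           resolves: Callable[[str], bool],
           ask_for_fqdn: Callable[[], str]) -> Optional[str]:
    """Client-side wizard: returns the enrollment host on success, None if the PIN is rejected.
    The SSL session on TCP 443 is omitted; in the real flow the OTP travels inside it."""
    host = discover_enrollment_server(address, resolves, ask_for_fqdn)
    return host if service.validate_otp(address, otp) else None


if __name__ == "__main__":
    # Constructed demo: one user, a stub resolver, a second attempt that must fail.
    now = [1_000_000.0]
    svc = EnrollmentWebService(clock=lambda: now[0])
    pin = svc.create_request("[email protected]")
    known_hosts = {"mobileenroll.contoso.com"}
    print(enroll("[email protected]", pin, svc, known_hosts.__contains__, lambda: "mdm.contoso.com"))
    print(enroll("[email protected]", pin, svc, known_hosts.__contains__, lambda: "mdm.contoso.com"))
```

The second `enroll` call returns `None` because the PIN was consumed by the first; expiry is checked before the comparison so an expired PIN cannot be distinguished from a wrong one by the caller.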
Key concerns
Preventing unauthorized applications from being run/installed
Disabling some of the device's capabilities (e.g. camera/Wi-Fi)
Access to consumer services (e.g. POP3/IMAP)
Mobile Device Manager empowers you through
Active Directory integration
Group Policies
Data stored on both the physical device and the storage card
Windows Mobile 6 provides the ability to encrypt the storage card
System Center Mobile Device Manager provides
Enable Device Perimeter PIN password
Ability to enforce encryption on the storage card
Allow/Disallow the use of removable storage
Remotely wipe devices
Important to separate update needs:
Device OS
Applications, Configuration and Settings
System Center Mobile Device Manager allows you to:
Distribute software and applications through Windows Server Update Services (WSUS)
Set up/configure/manage devices through Active Directory and Group Policy
[Network diagram 1. Device connected over WWAN or WIFI to the Internet, reaching https://EAS and http://www.microsoft.com.]
[Network diagram 2. Device connected over WWAN or WIFI to the Internet; FW, DMZ containing the Mobile Gateway and NAT, FW, then Corpnet with Email or LOB servers; traffic to https://EAS and http://www.microsoft.com shown.]
• Addressed 5 key security and management concerns
• Showed how to improve and simplify mobile device management and security with System Center Mobile Device Manager
For more information: www.windowsmobile.com/mobiledevicemanager/
Questions and Answers
Submit text questions using the "Ask" button.
Don't forget to fill out the survey.
For upcoming and previously live webcasts: www.microsoft.com/webcast
Got webcast content ideas? Contact us at: http://go.microsoft.com/fwlink/?LinkId=41781
© 2007 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.