Technet System Center Mobile Device Manager Presentation

Nov 28, 2014

jasonlan

This is the presentation delivered at the 2 recent Technet events in Manchester and London as well as our EMEA Enterprise event in Dublin
Transcript
Page 1: Technet System Center Mobile Device Manager Presentation
Page 2
Page 3
Page 4
Page 5

Silicon Vendors
Device Manufacturers
ISVs and IHVs
Mobile Operators
Solution Providers
Desktop
Infrastructure
Development Tools
Windows Mobile Devices
Partners
Office Communication Server

Page 6

Helping businesses thrive by enabling people with smart devices to perform their best when mobile

Page 7

DEMO
Windows Mobile 6

Page 8

30 new policies in SP1
New: Device Control, Application Control, Network Control
Enhanced: Authentication, Synchronizations, Encryption
33% reduction in bandwidth usage
Device Wipe: User confirmation for device wipe completion (OWA & Outlook)
Users/Admins can now cancel a device wipe request

Page 9

Added the “Minimum number of complex characters” setting

Page 10

Can configure how many past calendar and e-mail items should be synchronized with the device
Control limit msg size
Allow sync when roaming
Allow HTML formatted mail

Page 11

Allow removable storage
Allow camera
Allow Wi-Fi
Allow infrared
Allow internet sharing
Allow RDP
Allow Desktop Sync
Allow Bluetooth

Page 12

Allow browser
Allow consumer mail
Allow unsigned apps
Allow unsigned installation packages

Page 13
Page 14

Use the infrastructure and solutions you already have
Leverage the partners you already trust
Utilise the information your staff already knows

Page 15
Page 16

Management
Security
Mobile VPN

Page 17

Utilize an enterprise’s current Active Directory® structure to deploy and manage Windows Mobile devices with:
Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
Custom policies that can be created using Active Directory Management Templates

Page 18

To enroll their devices, users simply need to:
Access the company’s portal for self-service enrollment
Enter their e-mail address
Enter a one-time PIN code for enrollment

Page 19

Target users in specific Active Directory groups
Configure mobile applications such that users cannot uninstall them
Eliminate the need to distribute CAB files via Flash drives
Access powerful reporting systems for reviewing software distribution across a mobile device workforce

Page 20

Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:
View a broad range of device characteristics like device settings, certificates installed, software installed etc.
Reduce the learning curve since it is based on the familiar Microsoft Management Console (MMC)

Page 21

Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
Disable specific hardware functionality, such as the camera or Bluetooth connectivity
Remotely wipe security-compromised devices

Page 22

Single point of access to the corporate network
Always-on, security-enhanced wireless communication
Behind-the-firewall access to business applications

Page 23

Architecture diagram (labels): Smartcard; Internet; DMZ; Corporate Intranet; Front Firewall; Initial OTA Device Enrollment; Mobile GW; Back Firewall; SSL Mutual User Auth; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; E-mail and LOB Servers; SSL User-mutual Auth or Similar; Console; Mobile Server Back-end; R/O AD; LHS NAP System; Self Help Site; Enrollment Service; OMA Proxy; CA; Mobile VPN

Page 24

MDM introduces three new server roles:
Enrollment Server: Proxies request to enroll device
Mobile VPN Server: Typically located in the network perimeter; Entry point to corporate network; Forwards network and device management communications between a corporate network and their devices
Device Management Server: Based on OMA DM standards

Architecture Principles
Security first
Large scale distributed solution
Transparent compatibility
Extensibility & future proofing

Page 25

Architecture diagram (labels): Internet; DMZ; Corporate Intranet; Front Firewall; Initial OTA Device Enrollment; Mobile Gateway Server; Back Firewall; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; E-mail and LOB Servers; SSL User-mutual Auth or Similar; Console; Mobile Server Back-end; R/O AD; WSUS Catalog; Self Help Site; Enrollment Service; Device Management Server; CA; Mobile VPN

Page 26

• Location:
  • Intranet based (domain joined server/service)
• Purpose:
  • Manage the process flow of enrollment
  • Create domain objects
  • Create certificates
  • Supply provisioning instructions
• Other:
  • Best practice: protected by a Proxy (e.g. ISA)
  • Can co-exist on DM Server in integrated implementation

Page 27

Enrollment flow diagram (labels): Create Acct.; Issue Cert; Negotiate SSL Root; Submit Cert Request; Receive Cert; Public DNS; Discovery

Page 28

Private key and Enrollment Password never transmitted over the air
All traffic between client and server uses SSL
SSL negotiation does not require public root cert (e.g. VeriSign etc.)
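
As an added illustration for the enrollment flow on pages 27 and 28 (not Microsoft's protocol or code), the following Python models how a device can prove knowledge of its one-time enrollment PIN without ever sending the PIN or its locally generated private key, while the server verifies the proof, consumes the PIN, creates the account and issues the certificate. All names, the PBKDF2/HMAC proof construction and the SHA-256 stand-ins for public-key operations are assumptions made here.

```python
"""Model of the one-time-PIN enrollment exchange on pages 27-28 (hypothetical
illustration, not Microsoft's protocol or code). The device keeps its private
key and PIN local and proves PIN knowledge with an HMAC over a locally built
cert request; SHA-256/HMAC stand in for public-key operations (stdlib only)."""
import hashlib
import hmac
import json
import secrets


def pin_key(email: str, pin: str) -> bytes:
    """Proof key both sides derive from the PIN the user got out of band."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), email.encode(), 10_000)


class EnrollmentServer:
    """Intranet Enrollment Server: the 'Create Acct.' and 'Issue Cert' steps."""

    def __init__(self):
        self.ca_key = secrets.token_bytes(32)  # stand-in for the corp CA signing key
        self.pending = {}   # email -> one-time PIN issued via the self-help site
        self.accounts = {}  # email -> issued device certificate

    def issue_pin(self, email: str) -> str:
        pin = f"{secrets.randbelow(10**8):08d}"
        self.pending[email] = pin
        return pin

    def handle_cert_request(self, req: dict) -> dict:
        pin = self.pending.get(req["email"])
        if pin is None:
            return {"status": "rejected", "reason": "no pending enrollment"}
        key = pin_key(req["email"], pin)
        expected = hmac.new(key, req["csr"].encode(), "sha256").hexdigest()
        if not hmac.compare_digest(expected, req["proof"]):
            return {"status": "rejected", "reason": "bad PIN proof"}
        del self.pending[req["email"]]  # one-time PIN: consumed on success
        cert = {"subject": req["email"], "pubkey": json.loads(req["csr"])["pubkey"]}
        body = json.dumps(cert, sort_keys=True).encode()
        cert["sig"] = hmac.new(self.ca_key, body, "sha256").hexdigest()
        self.accounts[req["email"]] = cert
        return {"status": "issued", "cert": cert}


def enroll(server: EnrollmentServer, email: str, pin: str):
    """Device side ('Submit Cert Request' / 'Receive Cert'). Returns
    (response, wire, private_key); wire is every message that crossed the air."""
    private_key = secrets.token_bytes(32)             # generated on-device, never sent
    pubkey = hashlib.sha256(private_key).hexdigest()  # stand-in for the public half
    csr = json.dumps({"email": email, "pubkey": pubkey}, sort_keys=True)
    proof = hmac.new(pin_key(email, pin), csr.encode(), "sha256").hexdigest()
    req = {"email": email, "csr": csr, "proof": proof}
    resp = server.handle_cert_request(req)
    return resp, [json.dumps(req), json.dumps(resp)], private_key
```

Inspecting the returned wire messages shows neither the PIN nor the private key leaves the device, and a replay of a consumed PIN is rejected.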

Page 29

Mobile VPN for both client and server
Standards based: IPSec Tunnel Mode; MobIKE; IKEv2
Enables access to corporate resources: LOB; Internet proxy servers

Page 30

Architecture diagram (same labels as Page 25): Internet; DMZ; Corporate Intranet; Front Firewall; Initial OTA Device Enrollment; Mobile Gateway Server; Back Firewall; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; E-mail and LOB Servers; SSL User-mutual Auth or Similar; Console; Mobile Server Back-end; R/O AD; WSUS Catalog; Self Help Site; Enrollment Service; Device Management Server; CA; Mobile VPN

Page 31: Technet System Center Mobile Device Manager Presentation

•Location:Location:• Corporate DMZ (non-domain joined)Corporate DMZ (non-domain joined)

•Purpose:Purpose:Authenticates incoming connections for Authenticates incoming connections for authorized devicesauthorized devices

Assigns a stable internal IP address for the Assigns a stable internal IP address for the devicedevice

Enables fast resume/reconnect features for Enables fast resume/reconnect features for devices and applicationsdevices and applications

Negotiates keys to encrypt traffic over the Negotiates keys to encrypt traffic over the internetinternet

•Other:Other:• IPSEC termination pointIPSEC termination point• Managed remotelyManaged remotely

Page 32

Diagram (labels): FW; FW; LOB1; Proxy (ISA); LOB2; Double envelope security; User Authentications: 1) Certificate 2) NTLM v2 3) Basic; Kerberos delegation

Page 33

Performance
Technical features
IPSec Tunnel Mode: Aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive
IKEv2: IETF Standard that includes address assignment (unlike IKEv1)
MobIKE (Mobile IKE): IETF standard for transparent auto recovery of IPSec tunnels w/o re-negotiations of SAs
Implications: Extremely efficient, agile and self-healing connectivity solution

Security
Double envelope security
VPN technology allows nested secure connections
Outer layer – IPSec, IKEv2 tunnel from device to GW
Inner layer – E-2-E Client-Server mechanisms (SSL, IPSec transport, etc)
Defense in depth
DMZ pre-auth
Based on device identity and health (not user)
End-to-End auth to corporate servers
“Four factor” (2x2) authentication
Back-end firewall filtering
DMZ GW is not a vulnerability point

Page 34

Security management
Enrollment
AD domain join
Wipe
Policy enforcement
Service enablement/disablement
Application deny/allow
Software distribution
Inventory and reporting

Page 35

Architecture diagram (same labels as Page 25): Internet; DMZ; Corporate Intranet; Front Firewall; Initial OTA Device Enrollment; Mobile Gateway Server; Back Firewall; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; E-mail and LOB Servers; SSL User-mutual Auth or Similar; Console; Mobile Server Back-end; R/O AD; WSUS Catalog; Self Help Site; Enrollment Service; Device Management Server; CA; Mobile VPN

Page 36

• Location:
  • Intranet based (domain joined server/service)
• Purpose:
  • Primary administration and management service for all managed devices
  • Functional hub for device Group Policy application, device software packages, and device data wipes
  • Communicates with existing infrastructure servers, such as domain controllers, CA
  • Proxies information and commands between core Windows Servers (AD/CA) and devices
• Other:
  • OMA-DM compliant

Page 37

Network diagram (labels): DM Server; FW; FW; Mobile VPN; DMZ; WWAN; Corpnet; Internet; NAT; Policy Information; Enrollment Server

Page 38

Required:
Windows Server 2003 SP2 64 bit
SQL Server 2005
Active Directory
Microsoft CA
Group Policy

Not Required:
Exchange Server (any version)
Systems Management Server
Systems Center
ISA Server*

Page 39

Licensing comparison diagram (labels): Security Management; Device Management; Mobile VPN; SCCM; SCMDM; Std CAL; Ent CAL; System Center Configuration Manager; System Center Mobile Device Manager; Exchange; Mobile Scenarios

Page 40

© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.