Vik Thairani, Mobility Technical Sales Consultant, Mobile Communication Business, Microsoft Corp. (Session WMB308)

Dec 24, 2015

Transcript
Pages 1 and 2 (title slide):

Securely Deploying Windows Mobile in Your Enterprise

Vik Thairani, Mobility Technical Sales Consultant, Mobile Communication Business, Microsoft Corp. (WMB308)

Page 3:

Session Objectives and Takeaways

Overview
Authenticating against your corporate environment
Secure intranet access
Securing data in transport
Securing data on the device
Securing devices against malware and viruses
Q&A

Page 4:

Architecture

Page 5:

Exchange 2003 / 2007 Topology (diagram)

Internet | Firewall | DMZ: ISA Server / Reverse Proxy | Firewall | Corporate Intranet

Corporate intranet components shown:
  Exchange Front-End (2003) / Client Access Server (2007)
  Exchange Mailbox Server (MAPI clients subscribe to the mailbox)
  Active Directory
  SharePoint 2003/2007 Server (SharePoint requests are proxied via the Exchange CAS)

Transport: a 128-bit SSL tunnel from the device, through the ISA server / reverse proxy in the DMZ, to the Exchange Front-End/CAS; the diagram shows a second 128-bit SSL tunnel for the SharePoint requests proxied via the Exchange CAS.

Page 6:

SCMDM 08 Deployment Topology (System Center Mobile Device Manager 2008) (diagram)

Internet | Firewall | DMZ | Firewall | Corporate Intranet

DMZ:
  SCMDM 08 Gateway: terminates the IPsec MobIKE VPN from the device; machine certificate authentication for the Mobile VPN; SSL user authentication
  Optional ISA or reverse proxy (128-bit SSL tunnel)

Corporate intranet:
  SCMDM 08 Management Server (MMC console; SQL Server)
  MDM Enrollment Server: one-time PIN for enrollment; initial OTA device enrollment via SSL (128-bit SSL tunnel)
  Device Certificate Enrollment Service
  Active Directory
  WSUS software management
  Exchange, SharePoint, intranet and LOB servers (reached over the IPsec VPN)

Page 7:

Authenticating Against Your Corporate Network

Page 8:

Standard Authentication

SSL tunneling vs. SSL bridging
Wildcard certificate support
Elevated root certificate install support in WM6

Certificate authentication
ISA 2006, when domain joined, can perform certificate authentication in the DMZ
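To turn the three certificate points above into a pre-rollout check, here is an added example (not from the deck, and not Microsoft code): a PowerShell script run from an admin workstation that fetches the certificate the public ActiveSync name presents, tests whether its names match the host name the devices will be configured with (applying the one-label wildcard rule), builds the chain, and writes out the root so it can be copied to a WM6 device and opened with the built-in .cer installer. With SSL bridging the certificate the device sees is the ISA listener's, not the CAS's, so test the public name rather than the internal one. The host name and output path are assumptions.

```powershell
# Added example; not part of the TechEd deck. Inspects the certificate that the public
# ActiveSync name presents and reports what a Windows Mobile 6 rollout needs to know.
# Assumptions: the host name and output path below; a workstation that can reach port 443.

$HostName = "mail.contoso.com"              # assumed public name the devices will sync against
$RootOut  = "C:\temp\activesync-root.cer"   # assumed drop location for the root certificate

function Test-DnsNameMatch {
    # Matches a certificate DNS name against a host name the way TLS clients do:
    # '*' is honoured only as the entire left-most label and covers exactly one label, so
    # "*.contoso.com" matches "mail.contoso.com" but not "contoso.com" or "a.b.contoso.com".
    param([string]$CertName, [string]$Target)
    $c = $CertName.ToLowerInvariant().Split('.')
    $t = $Target.ToLowerInvariant().Split('.')
    if ($c.Count -ne $t.Count) { return $false }
    if ($c[0] -eq '*' -and $c.Count -lt 3) { return $false }   # "*.com" is not a usable wildcard
    for ($i = 0; $i -lt $c.Count; $i++) {
        if ($i -eq 0 -and $c[0] -eq '*') { continue }
        if ($c[$i] -ne $t[$i]) { return $false }
    }
    return $true
}

function Get-CertificateDnsNames {
    # Subject Alternative Name entries first; the subject CN only when there is no SAN.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $names = @()
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
    if ($san) {
        # Format() renders the extension as lines such as "DNS Name=*.contoso.com" (English Windows)
        foreach ($m in [regex]::Matches($san.Format($true), 'DNS Name=([^\s,]+)')) {
            $names += $m.Groups[1].Value
        }
    }
    if ($names.Count -eq 0) {
        $names += $Cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)
    }
    return $names
}

function Get-RemoteCertificate {
    param([string]$Name, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($Name, $Port)
    try {
        # Accept anything during the handshake; trust is evaluated explicitly below so a
        # failure is reported rather than thrown from inside AuthenticateAsClient.
        $acceptAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($Name)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Close()
        return $cert
    } finally {
        $tcp.Close()
    }
}

$cert  = Get-RemoteCertificate -Name $HostName
$names = Get-CertificateDnsNames -Cert $cert
$hit   = @($names | Where-Object { Test-DnsNameMatch -CertName $_ -Target $HostName })
"Subject:       {0}" -f $cert.Subject
"DNS names:     {0}" -f ($names -join ", ")
"Wildcard cert: {0}" -f (@($names | Where-Object { $_.StartsWith("*.") }).Count -gt 0)
"Matches {0}: {1}" -f $HostName, ($hit.Count -gt 0)

$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
# Skip CRL fetching so an unreachable CDP cannot mask the trust result of this check
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$trusted = $chain.Build($cert)
"Chain trusted on this workstation: {0}" -f $trusted
$chain.ChainStatus | ForEach-Object { "  {0}: {1}" -f $_.Status, $_.StatusInformation.Trim() }

# The last element of the built chain is the root. A private root has to be installed on every
# WM6 device (the device's .cer installer takes a DER file); a root already in the device ROM does not.
$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
"Root:          {0} (thumbprint {1})" -f $root.Subject, $root.Thumbprint
[System.IO.File]::WriteAllBytes($RootOut, $root.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert))
"Root written to {0}" -f $RootOut
```

If "Matches" comes back false for a wildcard certificate, the usual cause is a host name with an extra label (for example a.region.contoso.com against *.contoso.com), which the device will reject just as this function does.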

Page 9:

2 Factor Authentication with RSA

RSA must be installed on the IIS server
RSA Agent must be 5.3 or greater

Page 10:

DMZ Pre-Authentication via ISA

Split tunneling via ISA listeners
  RADIUS
  LDAP
Certificate authentication with domain-joined ISA 2006

Page 11:

Mobile Device Manager 2008 – 2 Factor Authentication

Mobile VPN (Network Access workload; deployed in the DMZ)
• Machine authentication and "double envelope security"
• Session persistence
• Fast reconnect
• Inter-network roaming
• Standards-based (IKEv2, MOBIKE, IPsec tunnel mode)

Page 12:

Secure Intranet Access

Page 13:

Secure Intranet Access (VPN)

Built-in VPN: L2TP and PPTP (PPTP's MS-CHAPv2 authentication is now considered broken, so of the two prefer L2TP/IPsec)
Mobile VPN included in MDM 2008
Issues with traditional VPNs

Page 14:

Mobile Device Manager 2008 VPN

Mobile VPN (Network Access workload; deployed in the DMZ), with the same bullet list as Page 11: machine authentication and "double envelope security", session persistence, fast reconnect, inter-network roaming, standards-based (IKEv2, MOBIKE, IPsec tunnel mode).

Page 15:

Securing Data in Motion

Page 16:

SSL / MobileIKE

SSL: RC4, 3DES, AES 128, AES 256*
MobIKEv2 IPsec tunnel

(RC4 has since been prohibited for TLS by RFC 7465; where the device supports the AES suites, prefer them and disable RC4 on the server side.)
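The cipher list above is negotiated by SCHANNEL on whichever Windows server terminates the device's SSL tunnel (the ISA server with SSL bridging, the Exchange CAS with SSL tunneling). The following added example (not from the deck) reports which of the four listed cipher families are enabled there and can switch one off. The registry key names are the ones Microsoft documents in KB245030; a change takes effect only after a reboot. It assumes it is run elevated on the server itself.

```powershell
# Added example; not from the deck. Reports which of the SSL ciphers listed on this slide are
# enabled in SCHANNEL on the server that terminates the device tunnel, and can turn one off.
# Key names follow Microsoft KB245030; changes take effect after a reboot.
# Assumption: run elevated on the ISA / CAS server itself.

$CiphersPath = "SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers"
$Ciphers = @{
    "RC4 128/128"    = "RC4 128-bit"
    "Triple DES 168" = "3DES"
    "AES 128/128"    = "AES 128"
    "AES 256/256"    = "AES 256"
}

function Get-SchannelCipherState {
    # One object per cipher. No key, or no Enabled value, means SCHANNEL uses the built-in
    # default of that OS build, reported here as "default".
    # .NET is used instead of the HKLM: drive because the provider treats the '/' in
    # "RC4 128/128" as a path separator.
    foreach ($key in $Ciphers.Keys) {
        $state = "default"
        $sub = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$CiphersPath\$key")
        if ($sub -ne $null) {
            $v = $sub.GetValue("Enabled")
            if ($v -ne $null) { if ([int]$v -eq 0) { $state = "disabled" } else { $state = "enabled" } }
            $sub.Close()
        }
        New-Object PSObject -Property @{ Cipher = $Ciphers[$key]; Key = $key; State = $state }
    }
}

function Set-SchannelCipher {
    # Enabled = 0 disables the cipher; 0xffffffff (written as -1 into the DWORD) enables it.
    param([string]$Key, [bool]$Enabled)
    $value = if ($Enabled) { -1 } else { 0 }
    $sub = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey("$CiphersPath\$Key")
    $sub.SetValue("Enabled", $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $sub.Close()
}

Get-SchannelCipherState | Format-Table Cipher, State, Key -AutoSize

# Turning RC4 off is only safe once every device model in the fleet has been seen negotiating
# an AES or 3DES suite. Check the device side first, then:
# Set-SchannelCipher -Key "RC4 128/128" -Enabled $false
```

Run the report before and after the change, and keep the Protocols and KeyExchangeAlgorithms keys under the same SCHANNEL branch in mind: disabling a cipher here does nothing about a weak protocol version.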

Page 17:

Wireless LAN Security

Wi-Fi 802.1X user authentication using Protected EAP (PEAP) or EAP-TLS (certificate-based)
WPA / TKIP encryption (TKIP is deprecated; use WPA2 with AES-CCMP where the device hardware supports it)

Wi-Fi certificate enroller provided by the OEM
Built-in certificate enroller for Windows Mobile 6 in ActiveSync 4.5
Windows Mobile 6 includes a built-in PFX, CER and P7B installer

Page 18:

S/MIME

Windows Mobile 5.0 requires a smart-card reader
Windows Mobile 6.0 supports soft certificates
Exchange 2007 SP1 supports S/MIME
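Both the EAP-TLS enrollment on Page 17 and the soft-certificate S/MIME support on this page come down to getting a user's key pair and its issuing chain onto the device in the formats the WM6 installer accepts. This added example (not from the deck, not Microsoft code) finds the user's certificate in the current user's store, exports the key pair as a password-protected .pfx and the CA chain as a .p7b. The UPN, output folder and the requirement that the key was issued exportable are assumptions.

```powershell
# Added example; not from the deck. Packages a user's soft certificate in the two formats the
# slides say Windows Mobile 6 can import: the key pair as a password-protected .pfx (usable for
# EAP-TLS on the WLAN and for S/MIME), and the issuing CA chain as a .p7b so the device trusts it.
# Assumptions: the UPN and output folder below, and that the enterprise CA issued the
# certificate with an exportable private key into the user's store.

$Upn    = "vthairani@contoso.com"   # assumed user
$OutDir = "C:\temp\wm6-certs"       # assumed output folder
$EmailProtection = "1.3.6.1.5.5.7.3.4"   # EKU: secure email (S/MIME)
$ClientAuth      = "1.3.6.1.5.5.7.3.2"   # EKU: client authentication (EAP-TLS)

function Find-UserCertificate {
    # Newest unexpired certificate for the UPN that carries a private key and at least one of
    # the EKUs the device will use it for.
    param([string]$Upn, [string[]]$RequiredEku)
    $store = New-Object System.Security.Cryptography.X509Certificates.X509Store("My", "CurrentUser")
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadOnly)
    try {
        $upnType = [System.Security.Cryptography.X509Certificates.X509NameType]::UpnName
        $candidates = @($store.Certificates | Where-Object {
            $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) -and
            $_.GetNameInfo($upnType, $false) -eq $Upn
        } | Where-Object {
            $eku = $_.Extensions | Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
            $eku -and @($eku.EnhancedKeyUsages | Where-Object { $RequiredEku -contains $_.Value }).Count -gt 0
        })
        return $candidates | Sort-Object NotBefore -Descending | Select-Object -First 1
    } finally {
        $store.Close()
    }
}

function Export-DeviceBundle {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert,
          [string]$Folder, [System.Security.SecureString]$Password)
    if (-not (Test-Path $Folder)) { New-Item -ItemType Directory -Path $Folder | Out-Null }
    $ct = [System.Security.Cryptography.X509Certificates.X509ContentType]

    # 1. Key pair as PFX; the password protects the private key on its way to the device
    $pfxPath = Join-Path $Folder ("{0}.pfx" -f $Cert.Thumbprint)
    [System.IO.File]::WriteAllBytes($pfxPath, $Cert.Export($ct::Pfx, $Password))

    # 2. Issuing chain (every element above the leaf) as PKCS#7 for the device's .p7b installer
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chain.Build($Cert) | Out-Null
    $cas = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
    for ($i = 1; $i -lt $chain.ChainElements.Count; $i++) {
        $cas.Add($chain.ChainElements[$i].Certificate) | Out-Null
    }
    $p7bPath = Join-Path $Folder "issuing-chain.p7b"
    [System.IO.File]::WriteAllBytes($p7bPath, $cas.Export($ct::Pkcs7))

    return @($pfxPath, $p7bPath)
}

$cert = Find-UserCertificate -Upn $Upn -RequiredEku @($EmailProtection, $ClientAuth)
if (-not $cert) { throw "No exportable certificate for $Upn with an S/MIME or client-auth EKU" }
$pwd = Read-Host "PFX password (hand it to the user out of band)" -AsSecureString
Export-DeviceBundle -Cert $cert -Folder $OutDir -Password $pwd | ForEach-Object { "Wrote $_" }
# Copy both files to the device and open them there; remove the .pfx from the share once imported.
```

The .pfx carries the private key, so deliver the password over a different channel than the file and delete the file after the device has imported it; the .p7b contains only public CA certificates and can be distributed freely.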

Page 19:

Mobile Device Manager 2008 - IPSEC

Mobile VPN, with the same bullet list as Page 11: machine authentication and "double envelope security", session persistence, fast reconnect, inter-network roaming, standards-based (IKEv2, MOBIKE, IPsec tunnel mode).

Workload placement: Network Access workload deployed in the DMZ; Management workload deployed inside the firewall.

Page 20:

Securing Data on Device

Page 21:

On Device Encryption

Encrypted PIM data (WM 6.1 with Exchange 2007 or MDM): AES 128
SD card (WM 6): AES 128
LOB custom applications (CryptoAPI; MDM 2008): 3DES, AES 128, AES 256

Page 22:

Information Rights Management

Windows Mobile 6 supports IRM with mail: read only (protected mail can be read, not created)
Office for Windows Mobile 6 supports IRM for Office documents

Page 23:

Device Policies available with Exchange 2003/2007

Device lock
  New PIN enhancements (PIN recovery, history)
Device password
  New password requirements
Exchange 2007 allows for group-based policies
  New Exchange 2007 policies
SD card encryption

Page 24:

Exchange 2007 Device Control

Disable desktop ActiveSync
Disable removable storage
Disable camera
Disable SMS and any MMS text messaging
Network control

Page 25:

Exchange 2007 Device Control

Disable Wi-Fi
Disable Bluetooth
Disable IrDA
Allow internet sharing from device
Allow desktop sharing from device
Application control

Page 26:

Exchange Functionality

Feature                                         2007  S  E
Password Required                                X    X  X
Allow non-provisionable devices                  X    X  X
Allow Simple Device Password                     X    X  X
Alphanumeric Password                            X    X  X
Attachments Enabled                              X    X  X
Inactivity Timeout                               X    X  X
Max Attachment Size                              X    X  X
Max Failed Password Attempts                     X    X  X
Min Password Length                              X    X  X
Password Expiration                              X    X  X
Password History                                 X    X  X
Password Recovery Enabled                        X    X  X
Policy Refresh Interval                          X    X  X
Storage Card Encryption                          X    X  X
UNC Access Enabled                               X    X  X
WSS Access Enabled                               X    X  X
Allow HTML Email                                      X  X
Allow SMIME Encryption Algorithm Negotiation          X  X
Allow SMIME Soft Certs                                X  X
Max Calendar Age Filter                               X  X
Max Email Age Filter                                  X  X
Max Email Body Truncation Size                        X  X
Max Email HTML Body Truncation Size                   X  X
Min Device Pwd Complex Characters                     X  X
Require Device Encryption                             X  X
Require Encrypted SMIME Messages                      X  X
Require Encryption SMIME Algorithm                    X  X
Require Manual Sync When Roaming                      X  X
Require Signed SMIME Algorithm                        X  X
Require Signed SMIME Messages                         X  X
Allow Bluetooth                                          X
Allow Browser                                            X
Allow Camera                                             X
Allow Consumer Email                                     X
Allow Desktop Sync                                       X
Allow Internet Sharing                                   X
Allow IrDA                                               X
Allow POP/IMAP Email                                     X
Allow Remote Desktop                                     X
Allow Storage Card                                       X
Allow Text Messaging                                     X
Allow Unsigned Applications                              X
Allow Unsigned Installation Packages                     X
Allow Wi-Fi                                              X
Approved Application List                                X
Unapproved InROM Application List                        X

2007 = Exchange 2007 | S = Exchange 2007 SP1 Standard CAL | E = Exchange 2007 SP1 Enterprise CAL
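The policies on Pages 23 to 26 are set from the Exchange Management Shell. The following added example (not from the deck) creates one ActiveSync mailbox policy that turns those rows into settings, in two groups that mirror the table's columns, and then assigns it to the members of a distribution group, which is how group-based policies are done in Exchange 2007. Policy and group names are assumptions; the second group of settings needs the Exchange 2007 SP1 Enterprise CAL, as the E column shows.

```powershell
# Added example for the Exchange Management Shell (Exchange 2007 SP1); not from the deck.
# Creates an ActiveSync mailbox policy covering device lock and PIN rules, device and storage
# card encryption, and device control, then assigns it per group.
# Policy and group names are assumptions. Splatting (@Name) needs PowerShell 2.0; on a 1.0 shell
# pass the same parameters inline on the Set-ActiveSyncMailboxPolicy call.

$PolicyName = "Corp-Secure-WM6"    # assumed
$GroupName  = "WM6 Users"          # assumed distribution group of mobile users

if (-not (Get-ActiveSyncMailboxPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-ActiveSyncMailboxPolicy -Name $PolicyName | Out-Null
}

# Device lock, password and encryption: available from Exchange 2007 RTM / SP1 Standard CAL
$Lock = @{
    AllowNonProvisionableDevices       = $false          # refuse devices that cannot enforce policy
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    AllowSimpleDevicePassword          = $false          # no 1234 / 1111
    MinDevicePasswordLength            = 8
    MinDevicePasswordComplexCharacters = 3               # SP1
    DevicePasswordExpiration           = "90.00:00:00"   # 90 days
    DevicePasswordHistory              = 8
    MaxDevicePasswordFailedAttempts    = 8               # device wipes itself after the 8th failure
    MaxInactivityTimeDeviceLock        = "00:10:00"
    PasswordRecoveryEnabled            = $true           # recovery password escrowed to Exchange
    RequireDeviceEncryption            = $true           # SP1: encrypt PIM data on the device
    RequireStorageCardEncryption       = $true
    DevicePolicyRefreshInterval        = "12:00:00"
}
Set-ActiveSyncMailboxPolicy -Identity $PolicyName @Lock

# Device control: Exchange 2007 SP1 Enterprise CAL
$Control = @{
    AllowDesktopSync                  = $false
    AllowStorageCard                  = $true            # allowed because it is encrypted above
    AllowCamera                       = $false
    AllowTextMessaging                = $false
    AllowWiFi                         = $true
    AllowBluetooth                    = "HandsfreeOnly"  # Disable | HandsfreeOnly | Allow
    AllowIrDA                         = $false
    AllowInternetSharing              = $false
    AllowRemoteDesktop                = $false
    AllowBrowser                      = $true
    AllowConsumerEmail                = $false
    AllowPOPIMAPEmail                 = $false
    AllowUnsignedApplications         = $false
    AllowUnsignedInstallationPackages = $false
}
Set-ActiveSyncMailboxPolicy -Identity $PolicyName @Control

# Group-based assignment: every member of the group gets the policy on its next sync
Get-DistributionGroupMember -Identity $GroupName | ForEach-Object {
    Set-CASMailbox -Identity $_.PrimarySmtpAddress.ToString() -ActiveSyncMailboxPolicy $PolicyName
}

# Read back what will actually be pushed to the devices
Get-ActiveSyncMailboxPolicy -Identity $PolicyName | Format-List *Password*,*Encryption*,Allow*
```

Setting AllowNonProvisionableDevices to false is the line that gives the rest of the policy teeth: a device that does not acknowledge the policy is refused rather than synchronised with the settings silently ignored.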

Page 27:

Mobile Device Manager 2008 - Security

Security Management (Management workload; deployed inside the firewall)
• Active Directory® domain join
• Policy enforcement using Active Directory / group policy targeting (>125 policies)
• Communications and camera disablement*
• File encryption
• Application allow and deny
• Remote wipe
• OMA DM compliant

* Part of LTK requirement

Page 28:

Antivirus and Firewalls

Page 29:

Antivirus and Firewalls

Mitigating attack vectors on Windows Mobile: Office, Internet Explorer, application install
Entry points in your corporate environment: desktop, Exchange
APIs available for Windows Mobile

Page 30:

Exchange Advanced Policies

Allow browser
Allow consumer mail
Allow unsigned apps
Allow unsigned installation packages

Page 31:

Mobile Device Manager 2008 – Software Distribution

Device Management (Management workload; deployed inside the firewall)
• Single point of management for mobile devices in the enterprise
• Full over-the-air (OTA) provisioning and bootstrapping
• OTA software distribution based on Windows Server Update Services (WSUS) 3.0
• Inventory
• Microsoft SQL Server™ 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and Microsoft Windows PowerShell™ cmdlets
• WMU on/off control

Page 32:

Partners

Management and security: Credant, Trust Digital, Afaria, Odyssey
VPN: Bluefire (Cisco), NetMotion (IPsec mobile), Check Point (SSL)

Page 33:

Resources

www.microsoft.com/teched – Sessions On-Demand & Community
http://microsoft.com/technet – Resources for IT Professionals
http://microsoft.com/msdn – Resources for Developers
www.microsoft.com/learning – Microsoft Certification & Training Resources

Page 34:

Windows Mobile® Resources

TechNet TechCenter – System Center Mobile Device Manager 2008: http://technet.microsoft.com/scmdm
TechNet TechCenter – Windows Mobile: http://technet.microsoft.com/windowsmobile
MSDN Center – Windows Mobile: http://msdn.microsoft.com/windowsmobile
Webcasts and Podcasts for IT – Windows Mobile: http://www.microsoft.com/events/series/msecmobility.aspx
General Information – Windows Mobile: http://www.windowsmobile.com
General Information – System Center Mobile Device Manager 2008: http://www.windowsmobile.com/mobiledevicemanager
Windows Marketplace Developer Portal: http://developer.windowsmobile.com

Page 35:

Windows Mobile® is giving away Blackjack IIs! Stop by the Windows Mobile Technical Learning Center to learn how to enter.

Page 36:

Complete an evaluation on CommNet and enter to win!

Page 37:

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.