Plan for mobile devices (SharePoint Server 2010)
Applies to: SharePoint Server 2010
This article describes the mobile features in Microsoft SharePoint Server 2010 and important considerations for how to plan for mobile devices.
A complete discussion about Microsoft SharePoint Server Internet or extranet topology design is beyond the scope of this article. For more information about extranet topologies, see Extranet topologies for SharePoint 2010 Products: Model.
In this article:
About mobile features
Configure mobile features
Plan for mobile device access
About mobile features
Mobile features enable users to work with SharePoint content from their mobile devices. SharePoint Server provides a lightweight interface for navigating and accessing SharePoint document libraries, lists, wikis, blogs, Web Part Pages, and back-end business data. The mobile features include the following:
Mobile views, which display a view of SharePoint sites that is optimized for mobile devices.
The ability to view Microsoft Office Word, Excel, and PowerPoint documents in mobile browsers. This feature requires that Office Web Apps be installed. For more information, see Office Web Apps (Installed on SharePoint 2010 Products).
Mobile search experience for finding people, contact information, SharePoint content, and data.
Mobile My Sites for staying in touch with colleagues.
Mobile alerts, which enable users to subscribe to Short Message Service (SMS) alerts. The alerts are sent to users' mobile devices when a SharePoint list or item is changed.
Configure mobile features
This section describes how to configure mobile features.
By default, mobile views are enabled for most lists or libraries that were created in SharePoint Server 2010. You must enable mobile views for custom lists, custom libraries, or for lists or libraries that were created in previous versions of SharePoint and have been upgraded to SharePoint Server 2010.
A browser definition file contains a list of the mobile browsers and devices that can access mobile views in SharePoint Server. SharePoint Server uses the file to determine whether to redirect a mobile browser to the mobile view of the site. For example, if a mobile browser or device is not listed in the browser definition file, a standard view of the site is displayed in the mobile browser. The browser definition file can be updated by product updates. You can also modify the file to change the redirect behavior of a mobile browser or to add a mobile browser or device to the list.
For more information about mobile views, see Configure mobile views (SharePoint Server 2010).
The mobile alert feature enables users to subscribe to alerts that are sent by using Short Message Service (SMS). The alerts are sent to users' mobile devices when changes are made to a SharePoint list or item. To take advantage of this feature, you must configure a mobile account that will be used to send the SMS alerts. For more information, see Configure a mobile account (SharePoint Server 2010).
Plan for mobile device access
Mobile device access is largely influenced by the decisions that you make in your server farm and environment planning. The following sections describe how design decisions you make for your server farm can affect mobile device access. We recommend that you include mobile device access planning in your overall server farm and environment planning.
For more information about server farm planning, see Plan authentication methods (SharePoint Server 2010), Logical architecture components (SharePoint Server 2010), and Design sample: Corporate deployment (SharePoint Server 2010).
SharePoint Server supports multiple authentication methods and authentication modes. Not all mobile browsers and devices work with all the available authentication methods. When you plan for mobile device access, you must:
Determine the mobile devices that you must support. Then, learn the authentication methods that are supported by the mobile devices. This information varies by manufacturer.
Determine the sites that you want to make available to your mobile device users.
Determine whether you want to make SharePoint sites accessible for mobile devices when the devices are used outside the corporate firewall. If you do, the method that you use to enable external access can also affect mobile device authentication.
Consider the tradeoffs between selecting an authentication method that is supported by most mobile devices, implementing multiple authentication methods in your Web application, or deciding to support only a few mobile devices.
Mobile device users can access a SharePoint site either by using a mobile browser or by using a rich client application such as Microsoft SharePoint Workspace Mobile 2010. This section summarizes how to make SharePoint sites accessible for mobile devices when the devices are used outside the corporate firewall. There are three methods for enabling external access:
Virtual private network server: A virtual private network (VPN) server that supports Secure Sockets Layer (SSL), such as Microsoft Forefront Unified Access Gateway (UAG), enables you to publish SharePoint sites across the corporate firewall. The following steps summarize how to make a SharePoint site accessible from outside the corporate firewall when you use a VPN server:
Set up the VPN server.
Publish the SharePoint site on the VPN server.
Configure an alternate access mapping for the SharePoint site.
Add the SharePoint site to a zone that allows cross-firewall access.
Forefront UAG is the only VPN server that is supported by Microsoft Office Mobile 2010 on Windows Phone 7 and Windows Phone 6.5.
For more information about Forefront UAG, see Forefront Unified Access Gateway (UAG) (http://go.microsoft.com/fwlink/p/?LinkID=196384), SharePoint publishing solution guide (http://go.microsoft.com/fwlink/p/?LinkId=206256), and Deploying Forefront UAG for mobile devices.
Mobile proxy server: Mobile proxy servers, such as Microsoft System Center Mobile Device Center and BlackBerry Enterprise Server, help mobile devices work within the IT infrastructure of a company. To access a SharePoint site from outside the corporate firewall, the mobile proxy server must pass the mobile browser's HTTP headers directly through to SharePoint Server.
Direct Internet access: The SharePoint site can be placed on the extranet. This method supports only Basic authentication. We recommend that you use a combination of technology and policy safeguards, such as SSL, with any Internet-facing servers.
For more information about mobile devices and external access, see Configure external access for mobile devices (SharePoint Server 2010).
Plan for SharePoint Workspace Mobile and Windows Phone 7
Microsoft SharePoint Workspace Mobile 2010, which is part of Microsoft Office Mobile 2010, is available on Windows Phone 7 and Windows Phone 6.5. SharePoint Workspace Mobile 2010 enables users to connect to a SharePoint site by using the Office Hub instead of the mobile browser. The following list describes planning considerations for SharePoint Workspace Mobile and Windows Phone 7:
Forefront UAG is the only VPN that is supported by Windows Phone 7.
NTLM is the only authentication method that is supported by SharePoint Workspace Mobile for intranet sites.
SharePoint Workspace Mobile does not support directly connecting to sites in the Internet zone. Connecting by using SharePoint Workspace Mobile requires the following:
The SharePoint site is published over SSL on the Forefront UAG server.
The SharePoint site is published for SharePoint Workspace Mobile on the Forefront UAG server.
Users have configured the Forefront UAG settings on their Windows Phone device.
When a user connects to the published site, Forefront UAG identifies the user agent sent by SharePoint Workspace Mobile and responds with an HTTP 401 challenge. SharePoint Workspace Mobile uses the user credentials that are configured in the Forefront UAG settings of the mobile device to authenticate to Forefront UAG by using Basic authentication. Forefront UAG then authenticates the user to the SharePoint site.
A site that has a fully qualified domain name (for example, https://hrweb.contoso.com) is considered to be in the Internet zone by SharePoint Workspace Mobile.
By default, Windows Phone 7 users are redirected to the standard view of SharePoint sites. This is because the Windows Phone 7 user agent is not included in the SharePoint Server 2010 RTM version of the mobile definition file (compat.browser file). To see a mobile view of a site, users can append ?mobile=1 to the URL of the site. You can also add the Windows Phone 7 user agent to the compat.browser file. For more information about how to modify the compat.browser file, see Configure mobile views (SharePoint Server 2010).
The compat.browser file can be updated when product updates to SharePoint Server are released to include newer devices.
By default, the Windows Phone 7 mobile browser cannot authenticate to a site that is configured to use Security Assertion Markup Language (SAML) token-based authentication. As a workaround, you can edit the compat.browser file, find the entry for the Office Mobile Web Access user agent, and change the
false. This enables the mobile browser to redirect the user to the sign-in site for the SPTrustedIdentityTokenIssuer that is associated with the Web application. If the identity provider security token service (IP-STS) uses an authentication method that is not supported by the Windows Phone 7 device, such as two-factor authentication, the user will still be unable to authenticate to the site.
Documents that are protected by Information Rights Management (IRM) cannot be opened by Windows Phone 7.
For more information about Windows Phone 7 and SharePoint Workspace Mobile, see Windows Phone Help and how to (http://go.microsoft.com/fwlink/p/?LinkId=202166) and Use Microsoft SharePoint Workspace Mobile (http://go.microsoft.com/fwlink/p/?LinkId=192854).
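The redirect decision that the browser definition file drives can be checked offline against the user agents of the devices you plan to support. The following PowerShell is an added example, not code from the original article or from SharePoint Server. The XML excerpt, entry ids, match patterns and user-agent strings are constructed, the capability name isMobileDevice is assumed from the standard ASP.NET browser-definition format, and Get-MobileViewDecision is a hypothetical helper that models the lookup in simplified form.

```powershell
# Constructed excerpt in the ASP.NET browser-definition format. It is NOT the shipped
# compat.browser; the ids, patterns and the 'isMobileDevice' capability name are assumptions.
$definition = [xml]@'
<browsers>
  <browser id="ExampleDesktopIE" parentID="Mozilla">
    <identification><userAgent match="MSIE" /></identification>
    <capabilities><capability name="isMobileDevice" value="false" /></capabilities>
  </browser>
  <browser id="ExampleLegacyMobileIE" parentID="Mozilla">
    <identification><userAgent match="Windows CE; IEMobile" /></identification>
    <capabilities><capability name="isMobileDevice" value="true" /></capabilities>
  </browser>
</browsers>
'@

# Constructed user-agent strings standing in for the devices the farm must support.
$devices = @(
    @{ Name = 'Windows Mobile 6.5'; UserAgent = 'Mozilla/4.0 (compatible; MSIE 6.0; Windows CE; IEMobile 8.12)' },
    @{ Name = 'Windows Phone 7';    UserAgent = 'Mozilla/4.0 (compatible; MSIE 7.0; Windows Phone OS 7.0; Trident/3.1; IEMobile/7.0)' },
    @{ Name = 'Unlisted browser';   UserAgent = 'ExampleBrowser/1.0' }
)

function Get-MobileViewDecision {
    param([xml]$Definition, [string]$UserAgent)
    # Simplified model: entries are read in document order, every <userAgent match>
    # pattern of an entry must match (case-sensitive .NET regex), and the last
    # matching entry wins. The parentID hierarchy that ASP.NET walks is not modelled.
    $matched = $null; $isMobile = $false
    foreach ($browser in $Definition.SelectNodes('/browsers/browser')) {
        $patterns = @($browser.SelectNodes('identification/userAgent[@match]'))
        $misses = @($patterns | Where-Object { -not [regex]::IsMatch($UserAgent, $_.GetAttribute('match')) })
        if ($patterns.Count -eq 0 -or $misses.Count -gt 0) { continue }
        $cap = $browser.SelectSingleNode("capabilities/capability[@name='isMobileDevice']")
        if ($null -ne $cap) {
            $matched  = $browser.GetAttribute('id')
            $isMobile = ($cap.GetAttribute('value') -eq 'true')
        }
    }
    New-Object psobject -Property @{ MatchedEntry = $matched; MobileView = $isMobile }
}

# Report which view each planned device would receive under this definition.
foreach ($d in $devices) {
    $r = Get-MobileViewDecision -Definition $definition -UserAgent $d.UserAgent
    $view = if ($r.MobileView) { 'mobile view' } else { 'standard view' }
    '{0,-20} entry={1,-22} -> {2}' -f $d.Name, $r.MatchedEntry, $view
}
```

With this constructed excerpt, the Windows Phone 7 string matches only the desktop entry and the unlisted browser matches nothing, so both fall through to the standard view, which is the behavior the article describes for user agents missing from the file.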
This section discusses security considerations for mobile devices.
Mobile devices can contain sensitive data or documents. Because mobile devices can be lost or stolen, we recommend that you set policies around mobile devices to help protect sensitive data and documents. This can include securing the mobile device by using a PIN or lock, and ensuring that you can remotely wipe the data on the mobile device. Available programs and features vary by mobile device.
You can educate users about how they can help protect their user credentials. This can include signing out of sites when they are done, not enabling any option that keeps them signed in or remembers their password, and frequently deleting cookies in the mobile browser. This can help prevent others from using their user credentials to log on to a SharePoint site if their mobile device is lost or stolen.
We recommend that you enable SSL to secure communication between mobile browsers and SharePoint Server.