Mobile Device Clients Security Best Practices and Privacy Information
Applies To: System Center Configuration Manager 2007, System Center Configuration Manager 2007 R2, System Center Configuration Manager 2007 R3, System Center Configuration Manager 2007 SP1, System Center Configuration Manager 2007 SP2
Mobile devices present interesting security challenges in your enterprise environment. For example, mobile devices by their nature are more easily lost or stolen, which could provide attackers with access to e-mail and other network content if the device is not protected with a strong password. Microsoft System Center Configuration Manager 2007 allows you to better manage your mobile devices by enforcing configurations that enhance security such as passwords and certificates.
Use native mode whenever possible Native mode uses certificates issued by a PKI to provide mutual authentication between site systems and mobile device clients. Native mode is designed to be the most secure mode for Configuration Manager 2007. If you do not enable native mode, you must configure the distribution points that support mobile device clients to allow anonymous access.
Require mobile device clients to use passwords Password management on Windows Mobile for Pocket PC 5.0, Windows Mobile for Pocket PC Phone Edition 5.0 and Windows Mobile 5.0 Smartphone requires the Messaging and Security Feature Pack (MSFP). For more information, see the Windows Mobile Messaging and Security Feature Pack web page (http://go.microsoft.com/fwlink/?LinkId=80392).
After switching to a custom Web site, remove the default virtual directories When you change from using the default Web site to using a custom Web site, Configuration Manager 2007 does not automatically remove the old virtual directories. You should manually remove the virtual directories created under the default Web site. This is especially important if you configured the distribution point to Allow clients to connect anonymously (Required for mobile device clients) while using the default Web site, and then disable anonymous connections after switching to the custom Web site because the old virtual directories will still be configured for anonymous access. For the list of virtual directories created on BITS-enabled distribution points, see About BITS-Enabled Distribution Points.
Device management allows you to perform hardware inventory, software inventory, file collection, and software distribution on mobile device clients running an embedded version of Windows CE, including Windows Mobile. The privacy concerns that apply to client computers for inventory and software distribution also apply to mobile device clients. Software inventory and file collection are not enabled by default. You can configure what software inventory you want to collect and whether you want to collect files. Hardware inventory and software distribution are enabled by default. Before configuring mobile device management, consider your privacy requirements.
For additional information, see Configuration Manager 2007 Information and Support.
To contact the documentation team, email SMSdocs@microsoft.com.