Introducing System Center Mobile Device Manager
At a Glance:
- A typical Mobile Device Manager system
- Extending Active Directory to Windows Mobile
- Enrolling, provisioning, and inventorying Windows Mobile devices
The launch of Microsoft System Center Mobile Device Manager 2008 is an exciting development for IT pros managing Windows Mobile devices on corporate networks. By providing device management, security management, and Mobile Virtual Private Network (VPN) capabilities in a single product, this new offering can help lower administrative burdens and foster enhanced return on investment (ROI) for mobile device fleets.
Mobile Device Manager enables IT pros to use the existing Active Directory® and Group Policy infrastructure to enforce device settings. Over-the-air (OTA) device-management capabilities let IT pros deliver updates and applications to devices easily, while OTA self-provisioning makes deployment easier and more scalable. Mobile VPN gives end users access to data and applications behind the firewall while providing an always-on connection for administrators to control deployed devices. With all these capabilities in one extensible, customizable, and scalable product, Mobile Device Manager is a vital tool for today's IT pros.
The Need for Management
The mobile workforce is expected to continue its rapid growth in years to come. Mobile devices have historically been more difficult to manage than other network equipment due to the very fact of their mobility. They connect to the network in a variety of ways, and some devices are not as secure as others—they may exist outside the firewall, they use different operating systems from client devices, and they are small and easy to misplace or lose.
The expanded functionality of today's mobile devices provides enticing benefits to both enterprises and end users, but it also makes supporting those devices more complex. This may expose corporate data and networks to additional security risks, especially when devices are used to access sensitive line-of-business (LOB) applications and customer data. Such devices can create security emergencies if lost, stolen, or used improperly.
As the functionality gap between mobile devices and traditional network clients closes, there is a growing need to manage mobile devices just as if they were laptop or desktop computers. That is the idea behind Mobile Device Manager. As the Windows Mobile® platform continues to grow in popularity among business users, Mobile Device Manager will become a crucial aspect of Windows®-based IT management systems.
Mobile Device Manager is designed to provide end-to-end management and control of Windows Mobile devices as easily as if those devices were networked PCs or laptops. It has three key functions:
- Device Management: Centralized functionality for provisioning, monitoring, and managing Windows Mobile devices, scalable to tens of thousands of users per server.
- Security Management: Better mechanisms for protecting sensitive data and keeping track of devices.
- Mobile VPN: Better access to behind-the-firewall data and applications with always-on functionality.
Mobile Device Manager is aligned with the overall System Center philosophy of equipping IT pros with tools to manage corporate assets as first-class citizens—on a par with desktop and laptop machines. It also provides a user interface that will be familiar to those who already use other System Center products.
This also means that Mobile Device Manager works well by design with an existing Windows-based infrastructure. To cite a few examples, it uses Active Directory and Group Policy; it works with existing Microsoft analysis and reporting tools (such as SQL Server®); and it is extensible using Microsoft® Management Console snap-ins and Windows PowerShell cmdlets.
The Mobile Device Manager System
Mobile Device Manager is highly scalable and can support tens of thousands of devices on a single instance, as well as multiple configuration options. Generally speaking, there are four main system components to the server side of Mobile Device Manager: a gateway server, a device management server, an enrollment server, and SQL Server databases (see Figure 1).
Figure 1: Typical Mobile Device Manager system
The gateway server is usually installed in the perimeter network. It acts as the terminal for a device's network connection, authenticates incoming device connections, provides stable IP addresses for devices, and performs other functions related to device or network connectivity.
The device management server is the hub of device administration and management, including Group Policy implementation, OTA software distribution, and device wipes. It works with existing domain controllers. Device management servers act as surrogate network clients for Windows Mobile devices, enabling those devices to communicate with other systems.
The enrollment server creates Active Directory Domain Services objects that represent mobile devices, enabling those devices to be managed like other domain members. This server also handles certificate requests and retrieval for mobile devices. It uses Active Directory as the basis for authenticating devices before accepting or issuing enrollment certificates. The SQL Server databases provide a repository for all the information related to device configuration, tasks, status settings, and so on.
Once the infrastructure is up and running, Mobile Device Manager has three types of interactions with mobile devices: device enrollment, the establishment of Mobile VPN connections, and device management. Device enrollment is the process by which a device joins the Active Directory domain. Mobile Device Manager uses a "shared secret", an expirable one-time password, so that devices can be enrolled over non-secure connections. Because that password is the only secret protecting the bootstrap, its short lifetime and single use are what make enrollment over an untrusted network acceptable, and the channel used to hand it to the user deserves the same care. Once enrolled, a device can make a Mobile VPN connection to the gateway server, through which the device's network traffic is routed. Over that connection the administrator or the system performs device management, pushing software and settings to the device.
Extending Active Directory to Windows Mobile
Hybrid or ad hoc IT security approaches can be riskier than a fully integrated approach to security. Mobile Device Manager is designed to help reduce such risks by providing a way to manage mobile devices in the same way as Windows PCs, using the existing Active Directory Domain Services infrastructure. The result is streamlined identity and access management, more consistent policy targeting, and one-stop security configuration.
Just as with PCs or servers, Group Policy Objects related to Windows Mobile devices can be assigned to Organizational Units (OUs), security groups, and Windows Management Instrumentation (WMI) filters. Administrators can also prevent specific devices from getting Group Policy settings.
There are more than 130 settings and policies for Windows Mobile devices, enabling fine-grained control over a variety of functions. Here's just a sample:
- Password settings include password requirement; type and minimum length; password expiration; and local device wipe after a specified number of failed tries (including user notification of the number of tries remaining).
- Platform lockdown settings enable administrators to selectively enable or disable device functionality including camera, wireless LAN, infrared, Bluetooth, and removable storage. Post Office Protocol (POP), Internet Message Access Protocol (IMAP), Short Message Service (SMS), and Multimedia Messaging Service (MMS) messaging can all be turned off, and Windows Update for Windows Mobile can be disabled.
- Mobile Device Manager provides granular application control. It can prevent devices from running unsigned applications or applications with non-approved signatures, or allow specific unsigned applications at the administrator's discretion.
- To help protect data, the administrator can enforce encryption of files created on removable storage cards (with the encryption key tied to the device). Device encryption is also available for protection of sensitive data on the device. Besides the files that are protected by default, the administrator can specify additional files to be encrypted.
- Mobile VPN settings determine what control users have over their devices' VPN connections and can also be used to set data encryption levels.
- ActiveSync® settings set message format, e-mail age filters, size limits, synchronization settings, and more.
- S/MIME settings can require message signing, message encryption, or the use of specific algorithms.
These settings, and others, support a wide range of scenarios. They let IT pros decide which kinds of applications can run on which devices. Hardware features can be enabled or disabled OTA—for example, cameras can be disabled to help prevent the accidental or intentional compromise of sensitive information. Data encryption can be enforced on devices, removable storage cards, or both to reduce the likelihood that lost or stolen devices or cards will deliver proprietary data into the hands of unauthorized individuals.
Other security management tools are also part of Mobile Device Manager. With thousands of applications available for Windows Mobile devices, administrators need control over which ones can and cannot be installed. Mobile Device Manager lets you create and enforce application Allow and Block Lists for just that purpose. It also provides remote wipe. Because devices hold an always-on VPN connection, a wipe is delivered as soon as it is issued rather than waiting for the device to connect to the network and synchronize (a device that is powered off or out of coverage receives it the next time it reaches the gateway). When a device is wiped remotely, its Active Directory object is removed and its certificate is revoked, so it can no longer authenticate to the gateway. If the device is later recovered, it can rejoin the domain by re-enrolling with a new one-time password.
Keeping Mobile Devices in Check
Mobile Device Manager is designed to make managing Windows Mobile devices on the network as easy as possible by providing complete device management functionality in a single solution, including OTA provisioning; OTA software and update distribution; and comprehensive and centralized inventory management.
OTA self-enrollment is a feature likely to win the hearts of busy IT pros and end users. A user enters an e-mail address on a Windows Mobile 6.1 device, which attempts to locate the device management server based on the given e-mail address. If the server is not found, the user is prompted to enter the address of the management server manually. Once the server is found and it is determined that the user may enroll, the user is asked to enter a one-time passcode that is pregenerated by the administrator.
The e-mail address and the passcode are used to authenticate the user and to enroll the device with the management server. When this is done, administrator-defined settings and policies are pushed down to the device. The self-enrollment approach is designed to increase the scalability of Windows Mobile device deployments and to reduce the time and money necessary to get those devices up and running.
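The enrollment bootstrap just described and the remote-wipe path in the previous section fit together as one small state machine: a pregenerated passcode that expires and can be used once, a device object plus certificate created on success, and certificate revocation plus object removal on wipe. The following Python model is an added illustration of that flow as the article describes it; it is not Mobile Device Manager code. The passcode format, the one-hour lifetime, and the in-memory dictionaries standing in for Active Directory and the certificate revocation list are assumptions made for the example, and the user names and clock values are constructed.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

# Seconds a pregenerated passcode stays valid. Assumed value for this model;
# in the product the administrator chooses the expiry.
OTP_LIFETIME = 3600


@dataclass
class Device:
    """Stands in for the Active Directory object the enrollment server creates."""
    name: str
    owner: str          # e-mail address used at enrollment
    cert_serial: str    # serial of the device certificate issued at enrollment


class EnrollmentServer:
    """Server side of the flow: pending passcodes, enrolled devices, revoked certificates."""

    def __init__(self):
        self._pending = {}     # owner -> (sha256 of passcode, expiry time)
        self._devices = {}     # device name -> Device
        self._revoked = set()  # certificate serials that have been revoked

    def new_enrollment_request(self, owner, now):
        """Administrator side: pregenerate an expirable one-time passcode for a user.
        Only its hash is kept, so a leaked request table does not yield usable passcodes."""
        passcode = secrets.token_hex(4)          # 8 hex characters; format is an assumption
        digest = hashlib.sha256(passcode.encode()).hexdigest()
        self._pending[owner] = (digest, now + OTP_LIFETIME)
        return passcode                          # handed to the user out of band

    def enroll(self, owner, passcode, device_name, now):
        """Device side: e-mail address and passcode in, device object and certificate out.
        Returns the Device on success, None on failure."""
        entry = self._pending.get(owner)
        if entry is None:
            return None                          # no outstanding request, or already consumed
        digest, expires = entry
        if now >= expires:
            del self._pending[owner]             # expired: drop it so it can never be used
            return None
        offered = hashlib.sha256(passcode.encode()).hexdigest()
        if not hmac.compare_digest(digest, offered):
            return None                          # wrong passcode; request stays pending
        del self._pending[owner]                 # one-time: consumed on first success
        device = Device(device_name, owner, secrets.token_hex(8))
        self._devices[device_name] = device
        return device

    def wipe(self, device_name):
        """Remote wipe: remove the device object and revoke its certificate."""
        device = self._devices.pop(device_name, None)
        if device is None:
            return False
        self._revoked.add(device.cert_serial)
        return True

    def gateway_accepts(self, device_name, cert_serial):
        """What the gateway checks before terminating a device's Mobile VPN connection."""
        device = self._devices.get(device_name)
        return (device is not None
                and device.cert_serial == cert_serial
                and cert_serial not in self._revoked)


def run_scenario():
    """Enrollment, replay, wrong and expired passcodes, wipe and re-enrollment."""
    server = EnrollmentServer()
    t0 = 1_000_000  # constructed clock values, in seconds
    results = {}

    alice = "alice@contoso.example"  # constructed user
    code = server.new_enrollment_request(alice, t0)
    dev = server.enroll(alice, code, "alice-wm61", t0 + 60)
    results["enrolled"] = dev is not None
    # The same passcode presented again is rejected: it was consumed.
    results["replay_rejected"] = server.enroll(alice, code, "alice-clone", t0 + 120) is None

    bob = "bob@contoso.example"
    code2 = server.new_enrollment_request(bob, t0)
    results["wrong_rejected"] = server.enroll(bob, "00000000", "bob-wm61", t0 + 10) is None
    # Presented after the lifetime elapses, even the right passcode fails.
    results["expired_rejected"] = server.enroll(bob, code2, "bob-wm61", t0 + OTP_LIFETIME + 1) is None

    old_serial = dev.cert_serial
    results["vpn_before_wipe"] = server.gateway_accepts("alice-wm61", old_serial)
    results["wiped"] = server.wipe("alice-wm61")
    results["vpn_after_wipe_rejected"] = not server.gateway_accepts("alice-wm61", old_serial)
    # Recovery: a fresh passcode re-enrolls the device with a new certificate.
    code3 = server.new_enrollment_request(alice, t0 + 7200)
    dev2 = server.enroll(alice, code3, "alice-wm61", t0 + 7300)
    results["reenrolled_new_cert"] = dev2 is not None and dev2.cert_serial != old_serial
    results["old_cert_still_rejected"] = not server.gateway_accepts("alice-wm61", old_serial)
    results["new_cert_accepted"] = server.gateway_accepts("alice-wm61", dev2.cert_serial)
    return results


if __name__ == "__main__":
    for check, ok in run_scenario().items():
        print(f"{check}: {'ok' if ok else 'FAIL'}")
```

Two design points carry over to a real deployment: a wrong passcode leaves the request pending here only because lockout and throttling are out of scope for the model, and the wipe revokes the old certificate rather than merely deleting the device record, so a recovered device that still holds the old certificate is refused until it completes a fresh enrollment.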
Mobile Device Manager's OTA software distribution capabilities are based on Windows Server Update Services (WSUS) 3.0, the software update toolkit already used by many IT pros around the world. As shown in Figure 2, WSUS 3.0 delivers the targeting and application-packaging functionality necessary for complex IT needs. Software can be delivered automatically to appropriate devices based on rules and policies set by the administrator. As with server and client updates, mobile device updates and patches can be automated using WSUS 3.0. Just as crucially, automatic updates can be turned off for deployment planning and testing.
Figure 2: Software distribution wizard
One of the biggest challenges of managing mobile equipment deployed at scale is simply keeping track of everything. Mobile Device Manager centralizes inventory information and provides flexible, customizable reports based on SQL Server 2005—again, utilizing software that many users will already have on board and be familiar with. Administrators can collect more than a hundred items of inventory information, including (but not limited to) operating system and version, device model, installed applications, and security policies. The inventory is extensible, allowing the administrator to add items and registry settings.
For even more flexibility, you can control the Mobile Device Manager using Microsoft Management Console snap-ins if you favor a graphical user interface (see Figure 3) or with the Windows PowerShell console if you prefer a command line. Either way, the system is extensible and customizable—essential for enterprise users who want the software to fit their organization.
Figure 3: Mobile Device Manager Console
Information workers have been e-mailing and messaging one another on mobile devices for years. Today, one of the most useful developments in mobile device technology is the ability to access business data and apps that reside behind the firewall. With increased access, new security risks arise, so the added functionality must be carefully managed to prevent vulnerabilities. Mobile Device Manager provides cutting-edge Mobile VPN capabilities, enabling users to access intranet data ranging from Microsoft Dynamics Customer Relationship Management (CRM) to SAP to Siebel. The model is built to match existing remote-access strategies for desktop and laptop PCs (see Figure 4).
Figure 4: Mobile VPN settings
The Mobile VPN connects the device to the gateway server using a double-envelope security feature, wherein data is transmitted in SSL-encrypted form through an IPsec-encrypted tunnel. Once the device is authenticated, the user has access to resources as specified by the resource-specific policy in combination with the user's credentials.
The Mobile VPN technology used by Mobile Device Manager enables an always-on connection to be established, which not only gives users improved access but helps ensure that IT pros can keep devices updated with current policies and settings—and wipe a device immediately if it is lost or stolen. Even if a session is interrupted, fast reconnect helps ensure that the device session continues without the need for re-authentication. Mobile Device Manager allows for a smooth transition between Wi-Fi and cellular networks while maintaining connectivity.
Mobile Device Manager is built on industry standards: Mobile VPN uses Internet Key Exchange (IKE) version 2 to establish its tunnels, and device management uses Open Mobile Alliance Device Management (OMA DM) and the OMA Software Component Management Object (SCOMO). This helps make the system more extensible and customizable for the specific situations faced by IT pros working in complex environments.
A Complete Solution
Mobile Device Manager delivers a complete set of tools for managing Windows Mobile devices, accessible through a single interface. It utilizes Active Directory and Group Policy to provide security tools that help protect data, devices, and the network. Device management is made easier by OTA enrollment, provisioning, and updating, as well as by powerful inventory tools. Mobile VPN is designed to deliver the functionality that enterprises and users want without compromising security.
All this is integral to the idea of making the jobs of IT pros easier by allowing mobile devices to be managed on the network as first-class citizens. Mobile Device Manager gives IT pros the power to deliver quality end user experiences, reduce administrative overhead, and provide better ROI for management—and that's a combination worth calling home about.
Thanks to Brian Hoskins, Derek Snyder, Prithvi Raj, Lax Madapaty, and Katharine Holdsworth for their contributions to this article.
Matt Fontaine is a freelance technology writer and consultant working with BuzzBee Company. He attends to a wide array of industries including high-performance computing, enterprise software, actuary, commercial real estate, engineering, construction, and consumer packaged goods. Matt is a proud alumnus of The Evergreen State College.
© 2008 Microsoft Corporation and CMP Media, LLC. All rights reserved; reproduction in part or in whole without permission is prohibited.