Mobile Device Manager System Overview
System Center Mobile Device Manager consists of the following four main system components:
- One or more computers that are running MDM Gateway Server
- One or more computers that are running MDM Device Management Server
- One computer that is running MDM Enrollment Server
- Microsoft SQL Server 2005 databases
Except for Microsoft SQL Server 2005, these components require 64-bit editions of Windows Server 2003 with Service Pack 2 (SP2). You can run Microsoft SQL Server 2005 on a 32-bit platform. However, Microsoft SQL Server 2005 SP2 or a later version is required.
The following illustration shows a high-level overview of how these components work with existing IT infrastructure to provide an authenticated connection to line-of-business (LOB) applications, managed Group Policy, and application packages.
The following list describes these components:
MDM Gateway Server: Typically, MDM Gateway Server is located in the perimeter network, also known as the DMZ or screened subnet. This server provides the ingress for managed device sessions, and handles network and device management communications between the company network and the device. MDM Gateway Server provides the endpoint for the device network connection and performs the following functions:
- Authenticates incoming connections for authorized devices.
- Allocates a stable IP address for the device to enable Direct Push updates and support application persistence.
- Enables fast resume and reconnect features for devices and applications.
- Negotiates keys to encrypt traffic over the Internet.
Multiple computers that are running MDM Gateway Server may exist in multiple perimeter networks throughout the enterprise environment. You can also load balance traffic across multiple computers that are running MDM Gateway Server.
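The following is an added example, written for this page and not code from MDM Gateway Server, that models the two gateway properties listed above that matter most for session persistence: a stable inner IP address that survives the device moving between networks, and authenticated address updates so the tunnel cannot be redirected by an unauthenticated message. It is deliberately not an implementation of IKEv2 or MOBIKE; the session key is random bytes standing in for the key IKEv2 would negotiate, and the address update is a plain HMAC-authenticated message. The class and function names, the inner address pool, and the sample addresses are assumptions for the example.

```python
"""Simplified model of a gateway keeping a device session stable across network changes.

Added example, not MDM Gateway Server code and not an IKEv2/MOBIKE implementation.
The session is identified by an SPI rather than by the device's current outer IP,
so a move from a mobile data network to Wi-Fi keeps the same inner (stable) IP and
the same session; an address update is honoured only if it is authenticated under
the session key and carries a sequence number not seen before.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

Addr = Tuple[str, int]


@dataclass
class Session:
    spi: int            # security parameter index assigned at tunnel setup
    key: bytes          # stands in for the key IKEv2 would negotiate (assumption)
    inner_ip: str       # stable address the device keeps for the life of the session
    outer_addr: Addr    # where the device is currently reachable on the Internet
    last_seq: int = 0   # highest accepted address-update sequence number


def _update_mac(key: bytes, spi: int, seq: int, new_addr: Addr) -> bytes:
    """MAC over the fields of an address update so it cannot be forged or altered."""
    msg = spi.to_bytes(4, "big") + seq.to_bytes(4, "big") + f"{new_addr[0]}:{new_addr[1]}".encode()
    return hmac.new(key, msg, hashlib.sha256).digest()


def make_address_update(key: bytes, spi: int, seq: int, new_addr: Addr) -> dict:
    """Device side: announce a new outer address, authenticated under the session key."""
    return {"spi": spi, "seq": seq, "addr": new_addr, "mac": _update_mac(key, spi, seq, new_addr)}


class Gateway:
    def __init__(self, inner_pool: str = "10.200.0.0/24"):  # assumed address pool
        self._free = list(ipaddress.ip_network(inner_pool).hosts())
        self.sessions: Dict[int, Session] = {}

    def establish(self, device_outer: Addr) -> Session:
        """Tunnel setup after device authentication (authentication itself is not modelled)."""
        spi = int.from_bytes(os.urandom(4), "big")
        while spi == 0 or spi in self.sessions:
            spi = int.from_bytes(os.urandom(4), "big")
        sess = Session(spi=spi, key=os.urandom(32),
                       inner_ip=str(self._free.pop(0)), outer_addr=device_outer)
        self.sessions[spi] = sess
        return sess

    def handle_address_update(self, msg: dict) -> bool:
        """Gateway side: accept a move only if it is authentic and not a replay."""
        sess = self.sessions.get(msg["spi"])
        if sess is None:
            return False
        if msg["seq"] <= sess.last_seq:          # replayed or stale update
            return False
        new_addr = (msg["addr"][0], msg["addr"][1])
        expected = _update_mac(sess.key, sess.spi, msg["seq"], new_addr)
        if not hmac.compare_digest(expected, msg["mac"]):
            return False
        sess.last_seq = msg["seq"]
        sess.outer_addr = new_addr                # inner_ip is untouched: the session persists
        return True

    def deliver_to_device(self, inner_ip: str) -> Optional[Addr]:
        """Where a push to the device's stable inner IP is forwarded right now."""
        for sess in self.sessions.values():
            if sess.inner_ip == inner_ip:
                return sess.outer_addr
        return None


if __name__ == "__main__":
    gw = Gateway()
    s = gw.establish(("203.0.113.10", 4500))          # constructed sample addresses
    print("inner IP", s.inner_ip, "reachable at", gw.deliver_to_device(s.inner_ip))
    upd = make_address_update(s.key, s.spi, 1, ("198.51.100.7", 4500))
    print("authentic move accepted:", gw.handle_address_update(upd))
    print("same inner IP now reachable at", gw.deliver_to_device(s.inner_ip))
    print("replayed move accepted:", gw.handle_address_update(upd))
```

The design point is that inbound traffic for the device is addressed to the stable inner IP and forwarded to whatever outer address the gateway last accepted, so applications and Direct Push see no change when the device roams; a replayed or unauthenticated update leaves the forwarding entry as it was.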
MDM Device Management Server: MDM Device Management Server is the primary administration and management service for all managed devices. MDM Device Management Server is the functional hub for device Group Policy application, device software packages, and device data wipes. This server communicates with existing infrastructure servers, such as domain controllers, and manages the translation of information and commands between the MDM system and managed devices. MDM Device Management Server may be deployed as multiple, identically configured, load-balanced servers.
MDM Enrollment Server: This server manages requests for and retrieval of certificates for devices, and creates the Active Directory Domain Service objects that represent these devices. By using these objects, you can manage the devices as if they were members of a domain. The process uses a one-time password to perform security-enhanced enrollment over untrusted connections, such as the Internet and mobile data networks. This role enables users to enroll their devices from anywhere without connecting the devices to a computer or having physical access to the company network. For more information about device enrollment, see the section, Device Enrollment with Mobile Device Manager.
MDM Enrollment Server makes sure that both the device and the server authenticate mutually before it accepts or issues enrollment certificates. MDM Enrollment Server uses Active Directory to provide the identity store.
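The following is an added example, written for this page and not MDM's own code or wire protocol, that models the server-side lifecycle of the one-time password described above: an administrator pre-creates the enrollment and hands the password to the user out of band, the device later presents it with the public key its certificate should be bound to, and the server accepts the password once only, within its lifetime, before creating the object that represents the device. The class and method names, the 8-hour lifetime, the 5-attempt limit, and the placeholder public key are assumptions for the example; the server certificate that authenticates the server to the device, and the certificate issuance itself, are out of scope here.

```python
"""Illustrative model of one-time-password (OTP) device enrollment.

Added example, not MDM's own code or protocol. Only a salted, slow hash of the
OTP is kept server-side; the OTP is valid for a limited time, is burned on first
successful use so a captured request cannot be replayed, and a small number of
wrong guesses locks the pending enrollment.
"""
import hashlib
import hmac
import os
import secrets
import time
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional

OTP_LIFETIME_SECONDS = 8 * 60 * 60   # assumed value
MAX_FAILED_ATTEMPTS = 5              # assumed value: limits online guessing of a short OTP
PBKDF2_ITERATIONS = 100_000


def _hash_otp(otp: str, salt: bytes) -> bytes:
    """Salted, slow hash so a copy of the enrollment table does not yield usable OTPs."""
    return hashlib.pbkdf2_hmac("sha256", otp.encode("utf-8"), salt, PBKDF2_ITERATIONS)


@dataclass
class PendingEnrollment:
    device_name: str
    salt: bytes
    otp_hash: bytes
    expires_at: float
    failed_attempts: int = 0
    consumed: bool = False


@dataclass
class DeviceObject:
    """Stand-in for the directory object created for an enrolled device."""
    device_name: str
    public_key: bytes
    enrolled_at: float


@dataclass
class EnrollmentServer:
    clock: Callable[[], float] = time.time            # injectable for deterministic tests
    pending: Dict[str, PendingEnrollment] = field(default_factory=dict)
    enrolled: Dict[str, DeviceObject] = field(default_factory=dict)

    def register_device(self, device_name: str) -> str:
        """Administrator step: pre-create the enrollment and return the OTP exactly once.

        The OTP string is handed to the user out of band and is never stored.
        """
        otp = "-".join(secrets.token_hex(2) for _ in range(3))   # e.g. 3f9a-1c20-77be
        salt = os.urandom(16)
        self.pending[device_name] = PendingEnrollment(
            device_name=device_name,
            salt=salt,
            otp_hash=_hash_otp(otp, salt),
            expires_at=self.clock() + OTP_LIFETIME_SECONDS,
        )
        return otp

    def enroll(self, device_name: str, otp: str, public_key: bytes) -> Optional[DeviceObject]:
        """Device step: present the OTP together with the key the certificate should bind.

        Returns the created device object on success and None on any failure; the
        reason (unknown device, expired, already used, locked out, wrong OTP) is not
        disclosed to the caller.
        """
        rec = self.pending.get(device_name)
        if rec is None or rec.consumed:
            return None
        if self.clock() > rec.expires_at:
            return None
        if rec.failed_attempts >= MAX_FAILED_ATTEMPTS:
            return None
        if not hmac.compare_digest(_hash_otp(otp, rec.salt), rec.otp_hash):
            rec.failed_attempts += 1
            return None
        # Single use: burn the OTP before anything else so a replayed request fails.
        rec.consumed = True
        obj = DeviceObject(device_name, public_key, self.clock())
        self.enrolled[device_name] = obj
        return obj


if __name__ == "__main__":
    server = EnrollmentServer()
    otp = server.register_device("WM-DEVICE-001")          # constructed device name
    print("OTP handed to the user out of band:", otp)
    device_key = os.urandom(32)                             # placeholder for a public key
    print("first enrollment succeeds:", server.enroll("WM-DEVICE-001", otp, device_key) is not None)
    print("replay of the same OTP succeeds:", server.enroll("WM-DEVICE-001", otp, device_key) is not None)
```

The expiry, single-use and attempt-limit checks are what make a short password usable over an untrusted network: an observer who captures the request gains nothing once the password is consumed, and guessing is bounded by the attempt counter rather than by the password's length alone.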
Databases: The services on MDM Device Management Server and MDM Enrollment Server maintain databases to manage device configuration, tasks, and status settings. These SQL databases are essential to the process of updating and managing devices.
Encryption such as Secure Sockets Layer (SSL) is not configured between MDM system components and your SQL Server database. You must rely on internal company security to help prevent interception, alteration, or tampering with messages between the database and MDM system components. You can use Internet Protocol security (IPsec) to help protect this data channel.
With MDM in place, security-enhanced network access is available from managed devices to your company LOB applications. Additionally, you can use Group Policy and software packages to manage the enrolled Windows Mobile devices.
To manage a Windows Mobile device from the MDM system, the device must be running Windows Mobile 6.1. This version of the operating system contains the application that is required to manage the device from the MDM system, and supports the standards that enable the device to establish an authenticated and encrypted communications channel to MDM Gateway Server.
MDM is based on several open industry standards for mobile devices. By using these standards, MDM extends a company infrastructure with features to manage devices by using familiar tools and capabilities.
MDM is based on the following standards:
- Open Mobile Alliance Device Management (OMA DM)
- IPsec and Internet Key Exchange Protocol Version 2 (IKEv2)
- IKEv2 Mobility and Multihoming (MOBIKE) protocol
- Software Component Management Object (SCOMO)
MDM components work with key IT services to give managed devices access to selected business data. The following list shows the primary IT services that work with MDM:
- Active Directory Domain Service: The Windows-based operating system directory service stores credentials for virtual private network (VPN) and 802.1X-based connections and the Group Policy settings that configure the required settings on each managed device. Examples include configuring ActiveSync settings or enabling a “password required” policy.
- MDM software distribution: MDM software distribution uses Windows Server Update Services (WSUS) to allow for the distribution of applications to managed devices. The administrator uses MDM software distribution to create, monitor, and push application packages to managed devices.
- Certificate services: The MDM client and server security model requires X.509 certificates. MDM works directly with your existing Public Key Infrastructure (PKI) for client and server certificate signing. If no current PKI is in place, or if you want to maintain a separate certification authority for device authentication, you can add a Microsoft enterprise certification authority. The Windows Server 2003 Enterprise Edition operating system certification authority is the only fully supported issuing certification authority for MDM.
- LOB application servers: Windows Mobile devices managed by MDM can gain more secure access to your company LOB application servers. This includes the following:
  - Exchange servers: Outlook Mobile grants direct access to your company Exchange servers. This provides Windows Mobile devices access to calendar and e-mail services.
  - Custom application servers: You can make any custom-built applications for your organization that provide Web services to mobile clients available to managed devices.
- For information about OMA DM, see this OMA Web site: http://go.microsoft.com/fwlink/?LinkId=31849.
- For information about SCOMO, see OMA specification for installing, uninstalling, launching, and terminating software on mobile devices at this OMA Web site: http://go.microsoft.com/fwlink/?LinkId=31849.
IKEv2 and MOBIKE
- For the Internet Engineering Task Force (IETF) specification, see Mobile IPv6 Operation with IKEv2 and the revised IPsec Architecture, at this IETF Web site: http://go.microsoft.com/fwlink/?LinkId=98108.