Windows Mobile 6.1 & Microsoft System Center Mobile Device Manager 2008
Roderick van der Graaf, Mobile Communication Business, Microsoft EMEA HQ
Agenda
1. Update on Windows Mobile 6.1
2. Line of Business applications (LOB)
3. Introduction of System Center Mobile Device Manager 2008
4. Q&A
Microsoft Mobility Vision
From any device, any location… access to people, resources and applications.
Diagram: access to LOB applications, e-mail, intranet web applications, documents and files, calendaring, instant messaging, presence and video conferencing from managed PCs, unmanaged PCs (home PC, kiosk, etc.), mobile devices and traditional devices, over wired, wireless and Internet connections, through the firewall and under identity control; everything "secured and managed by IT".

Leveraging your IT investments…
Windows Mobile Assets
- Desktop
- Infrastructure
- Office Communications Server
- Development Tools
- Windows Mobile Devices
Partner ecosystem: silicon vendors, device manufacturers, mobile operators, ISVs and IHVs, solution providers.
Mobile Business Value Proposition
Diagram of value-proposition themes: easy to manage/support, device choice, business value, productivity, enabling lifestyle, reliability, easy to use, scalable, re-use knowledge, cost, secure.
Windows Mobile Roadmap*
Roadmap chart: Windows Mobile 5.0 (2005), Windows Mobile 6 (2006), Windows Mobile 6.1 (2008) and "Next" (future), plotted against the vision areas productivity, advanced multimedia, mobile communications, and device and security management. Recoverable milestones: 5.0: breakthrough customization, Direct Push available for all devices**, great PC companion; 6: increased productivity, integrated messaging and mobile business productivity; 6.1: user-focused experience, device performance; "Next": mobile user experience, next generation platform.
* Anticipated release schedule. Schedule and features are subject to change.
** Direct Push email and Direct Push synchronization of Outlook calendar, contacts and tasks are available only with Microsoft Exchange Server 2003 SP2 and later.

Sample of WM 6.1 devices (device photographs)
Windows Mobile 6.1
Some key Enterprise Features…
Market Shifting Beyond Messaging
The fastest growth is in rich mobile scenarios beyond e-mail: corporate data access and mobile LOB grows 5.4x from 2006 to 2011, while messaging-only grows 2.3x in the same period.
Chart residue (values in MM): bars for mobile messaging and for corporate data access and mobile LOB, with the figures 3.6 MM, 0.9 MM, 4.5 MM, 6.3 MM, 14.7 MM and 19.8 MM.
Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports.

Line of business applications
"At what stage is your company in the adoption of these mobile applications?"

Application                          In production/upgrade underway/initial rollout   Evaluating/piloting
Wireless email                       71%                                              16%
Personalized contacts and calendar   69%                                              14%
Content/information for employees    43%                                              23%
Sales force applications             25%                                              20%
Field service applications           27%                                              18%
Logistics applications               23%                                              15%
Customer facing applications         27%                                              17%
Instant messaging                    31%                                              20%
SMS alerts                           41%                                              16%
Inventory management                 30%                                              13%

Annotation on the slide: adoption shifts to LOB applications.
Base: 404 executives at North American and European enterprises. Source: Forrester's Business Technographics®.

Windows Mobile & Applications
We have over 18,000 mobile applications; more than a third are business applications. We have built a showcase of what is possible:
http://www.microsoft.com/emea/windowsmobileapps/default.mspx
Aligning With Customer Priorities
Priorities recovered from the slide's three columns:
- End user productivity: anytime access to corporate info; dependable and resilient phone experience; superior productivity including unified communications; minimize training and support time.
- Secure data and network access; manageable, scalable IT infrastructure; minimize support costs and TCO; integrate and align with existing systems.
- Scalable and reliable procurement; standardization versus point solutions.

"Provide me with always available access to the people, information and applications I need even when I am on the go" -- Sales Manager, global pharmaceutical firm
"Make it just another device on my network that I control and manage, as an integral part of my existing architecture and security framework" -- VP of IT for a large Wall Street bank
"I need a strong ROI justification if I am going to roll out mobile devices to most of my organization and not just the managers" -- Director of business group for a major manufacturer
System Center Mobile Device Manager 2008
Mobile Device Manager is a comprehensive server solution designed to improve security, management and access for mobile devices in a cost-effective manner for enterprises with investments in Windows Server System™.

Security Management
- Active Directory domain join
- Policy enforcement using Active Directory/Group Policy targeting (125+ policies and settings)
- Communications and camera disablement
- File encryption
- Application allow and deny
- Remote wipe

Device Management
- Single point of management for mobile devices in the enterprise
- Full over-the-air (OTA) provisioning and bootstrapping
- OTA software distribution based on Windows Software Update Services (WSUS) 3.0
- Inventory
- Microsoft SQL Server™ 2005–based reporting capabilities
- Role-based administration
- MMC snap-ins and PowerShell cmdlets
- WMU on/off control
- OMA-DM compliant

Mobile VPN
- Machine authentication and "double envelope security"
- Session persistence
- Fast reconnect
- Internetwork roaming
- Standards based (IKEv2, IPsec tunnel mode)

Server Architecture
Enrollment Server
- Proxies requests to enroll devices
Mobile VPN Server
- Typically located in the network perimeter
- Entry point to the corporate network
- Forwards network and device management communications between the corporate network and its devices
Device Management Server
- Based on OMA DM standards
- Proxies policy to devices
- Enables software distribution
Architecture principles
- Security first
- Large-scale distributed solution
- Transparent compatibility
- Extensibility and future proofing
MDM 08 Deployment Topology
Diagram: Windows Mobile devices reach the corporate intranet over the Internet through an IPsec Mobile VPN tunnel that terminates on the MDM 08 Gateway, which sits in the DMZ between the outer and inner firewalls. In the corporate intranet are the MDM 08 Server (with the MDM 08 MMC management console, SQL Server and WSUS providing software for mobile device management), the Enrollment Service, Active Directory and the Certificate Authority, alongside the Exchange, SharePoint, intranet and LOB servers. Initial OTA user enrollment runs over a 128-bit SSL tunnel, authenticated with a one-time PIN, and ends in device certificate enrollment; a machine certificate then authenticates the device to the Mobile VPN.
Enrollment Server
Location: intranet-based (domain-joined server/service)
Purpose: manage the process flow of enrollment
- Create domain objects
- Create certificates
- Supply provisioning instructions
Other:
- Best practice: protected by a proxy (e.g. Microsoft Internet Security and Acceleration (ISA) Server)
- Can co-exist on the device management (DM) server in an integrated implementation
End User Experience
Diagram: the user (John) connects through the Gateway/VPN Server to the Enrollment and Device Management Server and on to the corporate resources.
Gateway Server
Location: corporate DMZ (not domain joined)
Purpose:
- Authenticates incoming connections for authorized devices
- Assigns a stable internal IP address to the device
- Enables fast resume/reconnect features for devices and applications
- Negotiates keys to encrypt traffic over the Internet
Other:
- IPsec termination point
- Managed remotely
Mobile VPN Benefits
Performance
- IPsec tunnel mode: aggregate all traffic through a single tunnel with a single secure connection
- NAT/firewall keep-alive
- IKEv2 tunnel from device to Gateway (IETF standard)
- MOBIKE (IETF standard extension for mobility)
- Extremely efficient, agile and self-healing connectivity solution
Security
- Double envelope security: the VPN technology allows nested secure connections
  - Outer layer: IPsec, IKEv2
  - Inner layer: end-to-end client-server (SSL)
- Defense in depth
  - DMZ pre-authentication based on device identity
  - End-to-end authentication to corporate servers
  - Back-end firewall filtering
  - Gateway is not "domain-aware"
Device Management Server
Location: intranet-based (domain-joined server/service)
Purpose:
- Primary administration and management service for all managed devices
- Functional hub for device Group Policy application, device software packages and device data wipes
- Communicates with existing infrastructure servers, such as domain controllers and the CA
- Proxies information and commands between core Windows servers (AD/CA) and devices
Other: OMA-DM compliant
Security Management Benefits
- SCMDM extends Active Directory Group Policy to Windows Mobile devices
- Many configuration settings are now managed through Group Policy, including control of Bluetooth, Wi-Fi, SMS/MMS, IR, camera and POP/IMAP
- Extensible architecture
Device Management Benefits
- Enterprise-wide OTA software distribution: leverages Windows Software Update Services (WSUS) 3.0; rich targeting and packaging capabilities
- Inventory and reporting: robust hardware and software inventory capabilities; SQL Server 2005 Reporting Services
Group Policy Flow
Diagram: policy authored in the Group Policy Editor and GPMC is stored in SYSVOL; the Mobile Device Management Server's Group Policy service reads it into its database, and the OMA proxy engine delivers it to the Windows Mobile device.

Device Management
(screenshot slide)
IT Infrastructure Details
Required:
- Windows Server® 2003 SP2 64-bit
- SQL Server 2005
- Active Directory
- Microsoft CA
- Group Policy
- Windows Mobile 6.1
Not required:
- Microsoft Exchange Server (any version)
- Microsoft Systems Management Server
- System Center
- ISA Server
MDM Resource Kit
- Self Service Portal
- Best Practices Analyzer
- Device tools: Connect Now Tool, VPN Diagnostics Tool, Device Status Viewer
- Server tools
- A whole host of good stuff…
Exchange ActiveSync Policies (Exchange Server Standard CAL)
Sync
- Configure message formats (HTML or plain text)
- Include past email items
- Email body truncation size
- HTML email body truncation size
- Include past calendar items
- Require manual sync while roaming
- Allow attachment download
- Maximum attachment size
- Windows file share access
- Windows SharePoint access
- Policy refresh interval
- Allow Non-provisionable devices
Authentication
- Require password
- Require alphanumeric password
- Minimum password length
- Minimum number of complex characters
- Allow simple password
- Password Expiration (Days)
- Enforce password history
- Enable password recovery
- Number of failed attempts
- Timeout without user input
Encryption
- Device encryption
- Encrypt storage card
- Require signed SMIME messages
- Require encrypted SMIME messages
- Require Signed SMIME algorithm
- Require encrypted SMIME algorithm
- Allow SMIME encrypted algorithm negotiation
- Allow SMIME SoftCerts
Color key: Exchange 2007 SP1 / Exchange 2007 RTM / Exchange 2003 SP2 (colors not reproduced here)

Exchange ActiveSync Policies (Exchange Server Enterprise CAL)
Device Control
- Disable desktop ActiveSync
- Disable removable storage
- Disable camera
- Disable SMS and any MMS text messaging
Network Control
- Disable Wi-Fi
- Disable Bluetooth
- Disable IrDA
- Allow internet sharing from device
- Allow desktop sharing from device
Application Control
- Disable POP3/IMAP4 email
- Allow consumer email
- Allow browser
- Allow unsigned applications
- Allow unsigned CABs
- Application allow list
- Application block list
Color key: Exchange 2007 SP1 / Exchange 2007 RTM / Exchange 2003 SP2 (colors not reproduced here)

Exchange 2007 SP1 DM Features
- Device Encryption and Storage Card Encryption
- Unapproved Application List and Approved Application List
- Block ROM Based Applications
- Disable: Removable Storage, IrDA, Camera, POP/IMAP, Wi-Fi, SMS and MMS, Bluetooth
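The password, lockout and encryption items in the policy lists above are where most of the on-device hardening happens, and a policy that merely exists is not the same as one that is strict. As an added example (not from the presentation), this Python audit takes a policy export, represented here as a constructed dict keyed by the slide's own policy names, and reports every item that is unset or weaker than an assumed baseline; the thresholds are illustrative assumptions, not Microsoft guidance.

```python
from collections import namedtuple
from typing import Any, Callable
Finding = namedtuple("Finding", "setting current expected")

# One rule per policy item named on the slide: (item, test its value must pass,
# expected value in words). The thresholds are assumptions for this example.
RULES: list[tuple[str, Callable[[Any], bool], str]] = [
    ("Allow Non-provisionable devices", lambda v: v is False,
     "False (a device that cannot enforce the policy must not sync)"),
    ("Require password", lambda v: v is True, "True"),
    ("Require alphanumeric password", lambda v: v is True, "True"),
    ("Allow simple password", lambda v: v is False, "False"),
    ("Minimum password length", lambda v: isinstance(v, int) and v >= 6, ">= 6"),
    ("Minimum number of complex characters", lambda v: isinstance(v, int) and v >= 2, ">= 2"),
    ("Number of failed attempts", lambda v: isinstance(v, int) and 1 <= v <= 8,
     "1..8 (0 disables the wipe after repeated failures)"),
    ("Timeout without user input", lambda v: isinstance(v, int) and 1 <= v <= 15,
     "1..15 minutes (0 means the device never locks itself)"),
    ("Password Expiration (Days)", lambda v: isinstance(v, int) and 1 <= v <= 90,
     "1..90 (0 means passwords never expire)"),
    ("Enforce password history", lambda v: isinstance(v, int) and v >= 5, ">= 5"),
    ("Device encryption", lambda v: v is True, "True"),
    ("Encrypt storage card", lambda v: v is True, "True"),
]
def audit_policy(policy: dict[str, Any]) -> list[Finding]:
    """One Finding per rule the policy fails. An item the export leaves unset
    fails as well, since nothing then enforces it on the device."""
    findings = []
    for setting, passes, expected in RULES:
        current = policy.get(setting, "not set")
        if current == "not set" or not passes(current):
            findings.append(Finding(setting, current, expected))
    return findings

# Constructed sample exports, not real policies: a permissive one and its hardened form.
WEAK_POLICY = {
    "Allow Non-provisionable devices": True, "Require password": True,
    "Require alphanumeric password": False, "Allow simple password": True,
    "Minimum password length": 4, "Number of failed attempts": 0,
    "Timeout without user input": 0, "Device encryption": False,
}
HARDENED_POLICY = {
    "Allow Non-provisionable devices": False, "Require password": True,
    "Require alphanumeric password": True, "Allow simple password": False,
    "Minimum password length": 8, "Minimum number of complex characters": 2,
    "Number of failed attempts": 8, "Timeout without user input": 10,
    "Password Expiration (Days)": 90, "Enforce password history": 5,
    "Device encryption": True, "Encrypt storage card": True,
}
```

Calling audit_policy(WEAK_POLICY) returns eleven findings, the first being the "Allow Non-provisionable devices" gap that undermines every other setting, while audit_policy(HARDENED_POLICY) returns none.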
Which Solution Fits My Needs?

Scenario              Exch 2007 SP1       SCCM 2007                   SCMDM 2008
Security Management   Exchange 2007 SP1
Device Management                         SCCM 2007                   SCMDM 2008
Mobile VPN                                                            SCMDM 2008
Platforms             EAS licensees       WM 2003/5/6.0, CE 4.2/5.0   WM 6.1+

Track Resources for Windows Mobile
- Windows Mobile 6.1: http://www.microsoft.com/windowsmobile/6-1/default.mspx
- Business Value Assessment Tool (Enterprise): http://www.microsoft.com/windowsmobile/business/calculator/default.mspx
- Windows Mobile Application Showcase: http://www.microsoft.com/emea/windowsmobileapps/default.mspx
- Mobile blog: http://blogs.msdn.com/jasonlan

Useful Resources: SCMDM 2008
- MDM home page: http://www.microsoft.com/systemcenter/mobile/default.mspx
- MDM TechCenter: http://technet.microsoft.com/en-us/scmdm/default.aspx
- Trial software: http://technet.microsoft.com/en-us/scmdm/bb986596.aspx
- Resource Kit tools: http://technet.microsoft.com/en-us/scmdm/cc304591.aspx
- TechNet MDM Forum: http://forums.technet.microsoft.com/en-US/SCMDM/threads/

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Appendix

Device & Security Management: New in Windows Mobile 6.1
- Enterprise control over device features, with the ability to lock down communications and camera functionality
- Expanded on-device security features for sensitive corporate information
- Enterprise control over what software can be installed and run on the device
- Improved security management through use of Active Directory/Group Policy settings
- Simplified administration, increased monitoring and flexible policy management
- Expanded policy enforcement with over 125 policies and superior targeting capabilities

Microsoft System Center Mobile Device Manager 2008
Diagram: the three pillars of the product, Security Management, Mobile VPN and Device Management.
User-Focused Experience: In all Windows Mobile 6.1 devices
- Genuine Microsoft® Office Outlook® Mobile
- Faster access to my contacts
- Efficient management of mail
- Higher fidelity communications
- Built-in Information Rights Management
- Windows Live™ experience

User-Focused Experience: New in Windows Mobile 6.1
- Improved control over alerts with multiple alarms
- Better out-of-box experience and help with the Getting Started center
- Simpler setup for Bluetooth devices and Wi-Fi networks
- More robust web browsing experience

Internet Explorer® Mobile: New Enhancements
Already available in Windows Mobile 6.1:
- More personalization: set home page
- Greater ease of use with zoom and page overview
Available later this year:
- View of the "real web," not just the "mobile web"
- Support for key technologies for a rich experience: Adobe Flash included; capable of viewing YouTube video
- Easier navigation: zoom and pan, mouse pointer
Messaging & Productivity: In all Windows Mobile 6.x devices
- Access information on the network, quickly
- Greater control and visibility of your calendar
- Information search
- Improved on-line experience

Messaging & Productivity: New in Windows Mobile 6.1
- Better organized and faster text messaging experience with chat-like text messaging

Messaging & Productivity: Updates in Windows Mobile 6.1
- Improved exchange of data from one application to another with cut/copy/paste
- 33% reduction in data usage with Exchange 2007 Service Pack 1
- Simpler message authoring and addressing with auto-complete
- Access to data within the corporate firewall with Remote Desktop
- More comprehensive on-device productivity with a larger set of Microsoft applications