Windows Mobile 6.1 & System Center Mobile Device Manager 2008

Roderick van der Graaf Mobile Communication Business Microsoft EMEA HQ

1. Update on Windows Mobile 6.1

2. Line of Business applications (LOB)

3. Introduction of System Center Mobile Device Manager 2008

4. Q&A

Microsoft Mobility Vision

From any device, any location… to people, resources and applications. …Secured and managed by IT…

[Figure: access diagram. Labels: Managed PC; Unmanaged PC (Home PC, Kiosk, etc); Mobile and Traditional Devices; Wired; Wireless; Internet; Firewall; Access Control; E-Mail; LOB Applications; Team Workspaces; Intranet Web Applications; Identity and Presence; Documents and Files; Instant Messaging; Calendaring; Web and Video Conferencing.]

Leveraging your IT-investments…

Windows Mobile Assets

Desktop

Infrastructure Office Communication Server

Development Tools

Windows Mobile Devices

Silicon Device Mobile ISVs and IHVs Solution Partners Vendors Manufacturers Operators Providers

Mobile Business Value Proposition

EasyDevice BusinessProductivityto Manage/Support Choice Value Enabling Lifestyle ReEasy-ReliabilityUseScalable- KnowledgeTo-Use CostSecure

Windows Mobile Roadmap*

2005 2006 2008 Future

5.0 6 6.1 “Next”

Productivity Advanced Mobile Device & Security Vision Areas Multi-media Communications Management Breakthrough Customization Increased Mobile User-Focused User Experience Productivity Experience Great PC available Integrated Messaging & Companion for all devices** Mobile Business Productivity Device Performance Next Generation Platform

* Anticipated release schedule. Schedule and features are subject to change.
** Direct & Direct Push synchronization of Outlook calendar, contacts & tasks are available only with Microsoft Exchange Server 2003 SP2 & later

Sample of WM 6.1 devices

Windows Mobile 6.1

Some key Enterprise Features……

Market Shifting Beyond Messaging

Fastest growth in rich mobile scenarios beyond e-mail
Corporate data access and mobile LOB grows 5.4x from 2006–2011
Messaging-only grows 2.3x in the same time period

Mobile Corporate data 3.6 Mobile Messaging 0.9 access and 4.5 MM MM Messaging MM 6.3 MM mobile LOB Corporate 14.7 MM data access 19.8 MM and mobile LOB

Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports

Line of business applications

“At what stage is your company in the adoption of these mobile applications?”

Application | In production/upgrade underway/initial rollout | Evaluating/piloting
Wireless email | 71% | 16%
Personalized contacts and calendar | 69% | 14%
Content/information for employees | 43% | 23%
Sales force applications | 25% | 20%
Field service applications | 27% | 18%
Logistics applications | 23% | 15%
Customer facing applications | 27% | 17%
Instant messaging | 31% | 20%
SMS alerts | 41% | 16%
Inventory management | 30% | 13%

Adoption shifts to LOB applications

Base: 404 executives at North American and European enterprises
Source: Forrester's Business Technographics®

Windows Mobile & Application

We have over 18.000 mobile applications
More than a third are business applications
We build a showcase of what is possible…

http://www.microsoft.com/emea/windowsmobileapps/default.mspx

Aligning With Customer Priorities

End User Productivity Secure data and network access Anytime access to Scalable and reliable Manageable, scalable IT corporate info procurement infrastructure Dependable and resilient Minimize support costs Standardization versus phone experience and TCO point solutions Superior productivity including Integrate and align with unified communications existing systems Minimize training and support Time

“I need a strong ROI justification if I am going to roll out mobile devices to most of my organization and not just the managers”
-- Director of business group for major manufacturer

“Make it just another device on my network that I control and manage, and as an integral part of my existing architecture and security framework”
-- VP of IT for Large Wall Street Bank

“Provide me with always available access to the people, information and applications I need even when I am on the go”
-- Global pharmaceutical firm Sales Manager

System Center Mobile Device Manager 2008

Mobile Device Manager is a comprehensive server solution designed to improve security, management, and access for mobile devices in a cost-effective manner for enterprises with investments in System™

Security Management:
  Active Directory Domain Join
  Policy enforcement using Active Directory/Group Policy targeting (125+ policies and settings)
  Communications and camera disablement
  File encryption
  Application allow and deny
  Remote wipe
  OMA-DM Compliant

Device Management:
  Single point of management for mobile devices in enterprise
  Full Over the air (OTA) provisioning and bootstrapping
  OTA Software distribution based on Windows Software Update Service (WSUS) 3.0
  Inventory
  Microsoft SQL Server™ 2005–based reporting capabilities
  Role based administration
  MMC snap-ins and PowerShell cmdlets
  WMU On/Off control

Mobile VPN:
  Machine authentication and “double envelope security”
  Session Persistence
  Fast Reconnect
  Internetwork roaming
  Standards based (IKEv2, IPSEC tunnel mode)

Server Architecture

Enrollment Server:
  Proxies request to enroll device

Mobile VPN Server:
  Typically located in the network perimeter
  Entry point to corporate network
  Forwards network and device management communications between a corporate network and their devices

Device Management Server:
  Based on OMA DM standards
  Proxies Policy to devices
  Enables software distribution

Architecture Principles:
  Security first
  Large scale distributed solution
  Transparent compatibility
  Extensibility and future proofing

MDM 08 Deployment Topology

[Figure: deployment topology. Zones: Internet, DMZ, Corporate Intranet, with two firewalls. Components: Gateway; MDM 08 Server; MDM 08 MMC Management Console; SQL Server; WSUS; Microsoft Certificate Authority; Active Directory; Exchange, SharePoint, Intranet and LOB Servers. Connection labels: Initial OTA Enrollment via SSL; SSL User Authentication; IPSEC Mobile VPN; IPSEC VPN Tunnel; 128-bit SSL Tunnel. Other labels: Device Certificate; Machine Certificate; Enrollment Service; One Time PIN for Enrollment; Authentication for Mobile VPN; Software Management.]

Enrollment Server

Location:
  Intranet–based (domain joined server/service)
Purpose:
  Manage the process flow of enrollment
  Create domain objects
  Create certificates
  Supply provisioning instructions
Other:
  Best practice: Protected by a Proxy (e.g. Microsoft Internet Security and Acceleration (ISA) Server)
  Can co-exist on device management (DM) server in integrated implementation

End User Experience

Corporate Resources

Gateway/VPN Server

Enrollment and Device Management Server

John

Gateway Server

Location:
  Corporate DMZ (non-domain joined)
Purpose:
  Authenticates incoming connections for authorized devices
  Assigns a stable internal IP address for the device
  Enables fast resume/reconnect features for devices and applications
  Negotiates keys to encrypt traffic over the Internet
Other:
  IPSec termination point
  Managed remotely

Mobile VPN Benefits

Performance:
  IPSec Tunnel Mode
    Aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive
  IKEv2
    IETF Standard
  MOBIKE
    IETF standard extension for mobility
  Extremely efficient, agile and self-healing connectivity solution

Security:
  Double envelope security
    VPN technology allows nested secure connections
    Outer layer – IPSec, IKEv2 tunnel from device to Gateway
    Inner layer – E2E Client-Server (SSL)
  Defense in depth
    DMZ pre-auth - Based on device identity
    End-to-End auth to corporate servers
    Back-end firewall filtering
    Gateway is not “domain-aware”

Device Management Server

Location:
  Intranet based (domain joined server/service)
Purpose:
  Primary administration and management service for all managed devices
  Functional hub for device Group Policy application, device software packages, and device data wipes
  Communicates with existing infrastructure servers, such as domain controllers, CA
  Proxies information and commands between core Windows Servers (AD/CA) and devices
Other:
  OMA-DM compliant

Security Management Benefits

SCMDM extends Active Directory Group Policy to Windows Mobile devices

Many configuration settings now managed through Group Policy including control of , WIFI, SMS/MMS, IR, Camera, and POP/IMAP

Extensible architecture

Device Management Benefits

Enterprise-wide OTA software distribution
  Leverages Windows® Software Update Service (WSUS) 3.0
  Rich targeting and packaging capabilities

Inventory and Reporting
  Robust hardware and software inventory capabilities
  SQL Server 2005 reporting services

Group Policy Flow

[Figure: Group Policy flow. Labels: Group Policy Editor; GPMC; SYSVOL; Group Policy Service; Mobile Device Management Server; OMA Proxy Engine; Database; Windows Mobile Device.]

Device Management

IT Infrastructure Details

Required:
  Windows Server® 2003 SP2 64-bit
  SQL Server 2005
  Active Directory
  Microsoft CA
  Group Policy
  Windows Mobile 6.1

Not Required:
  Microsoft Exchange Server (any version)
  Microsoft Systems Management Server
  Systems Center
  ISA Server

MDM Resource Kit

Self Service Portal
Best Practices Analyzer
Device Tools
Connect Now Tool
VPN Diagnostics Tool
Device Status Viewer
Server Tools
A whole host of good stuff…

Exchange ActiveSync Policies
Exchange Server Standard CAL

Sync:
  Configure message formats (HTML or plain txt)
  Include past email items
  Email body truncation size
  HTML email body truncation size
  Include past calendar items (Duration)
  Require manual sync while roaming
  Allow attachment download
  Maximum attachment size

Authentication:
  Minimum number of complex characters
  Enable password recovery
  Allow simple password
  Password Expiration (Days)
  Enforce password history
  Windows file share access
  Windows SharePoint access
  Minimum password length
  Timeout without user input
  Require password
  Require alphanumeric password
  Number of failed attempts
  Policy refresh interval
  Allow Non-provisionable devices

Encryption:
  Encrypt storage card
  Require signed SMIME messages
  Require encrypted SMIME messages
  Require Signed SMIME algorithm
  Require encrypted SMIME algorithm
  Allow SMIME encrypted algorithm negotiation
  Allow SMIME SoftCerts
  Device encryption

Color Key: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2

Exchange ActiveSync Policies
Exchange Server Enterprise CAL

Device Control:
  Disable desktop ActiveSync
  Disable removable storage
  Disable camera
  Disable SMS and any MMS text messaging

Network Control:
  Disable Wi-Fi
  Disable Bluetooth
  Disable IrDA
  Allow internet sharing from device
  Allow desktop sharing from device

Application Control:
  Disable POP3/IMAP4 email
  Allow consumer email
  Allow browser
  Allow unsigned applications
  Allow unsigned CABs
  Application allow list
  Application block list

Color Key: Exchange 2007 SP1, Exchange 2007 RTM, Exchange 2003 SP2

Exchange 2007 SP1 DM Features

Device Encryption and Storage Card Encryption Unapproved Application List and Approved Application List

Block ROM Based Applications

Disable

Removable Storage IrDA Camera POP/IMAP WI-FI SMS and MMS Bluetooth

Which Solution Fits My Needs?

Scenarios Exch 2007 SP1 SCCM 2007 SCMDM 2008

Security Management Exchange 2007 SP1

SCCM 2007 Device SCMDM Management 2008

Mobile VPN

EAS WM 2003/5/6.0 Platforms Licensees CE 4.2/5.0 WM 6.1+

Track Resources for Windows Mobile

Windows Mobile 6.1: http://www.microsoft.com/windowsmobile/6-1/default.mspx

Business Value Assessment Tool (Enterprise): http://www.microsoft.com/windowsmobile/business/calculator/default.mspx

Windows Mobile Application Showcase: http://www.microsoft.com/emea/windowsmobileapps/default.mspx

Mobile blog: http://blogs.msdn.com/jasonlan

Useful Resources SCMDM 2008

MDM home page: http://www.microsoft.com/systemcenter/mobile/default.mspx

MDM TechCenter: http://technet.microsoft.com/en-us/scmdm/default.aspx

Trial Software: http://technet.microsoft.com/en-us/scmdm/bb986596.aspx

Resource Kit Tools: http://technet.microsoft.com/en-us/scmdm/cc304591.aspx

TechNet MDM Forum: http://forums.technet.microsoft.com/en-US/SCMDM/threads/

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Device & Security Management New in Windows Mobile 6.1

Enterprise control over device features with ability to lock down communications and camera functionality

Expanded on-device security features for sensitive corporate information

Enterprise control over what software can be installed and run on the device

Device & Security Management New in Windows Mobile 6.1

Improved security management through use of Active Directory/Group Policy settings

Simplified administration, increased monitoring and flexible policy management

Expanded policy enforcement with over 125 policies and superior targeting capabilities

Microsoft System Center Mobile Device Manager 2008

Security

Mobile VPN Management


User-Focused Experience In all Windows Mobile 6.1 devices

Genuine Microsoft® Office Outlook® Mobile
Faster access to my contacts
Efficient management of mail
Higher fidelity communications
Built-in Information Rights Management
™ experience

User-Focused Experience New in Windows Mobile 6.1

Improved control over alerts with multiple alarms

Better out-of-box experience and help with Getting Started center

Simpler setup for Bluetooth devices and Wi-Fi networks

More robust web browsing experience

® Mobile New Enhancements

Already available in Windows Mobile 6.1:
  More personalization – set home page
  Greater ease of use with zoom & page overview

Available later this year:
  View of the “real web,” not just “mobile web”
  Supporting key technologies for rich experience
  Adobe Flash included
  Capable of viewing YouTube video
  Easier navigation – zoom & pan, mouse pointer

Messaging & Productivity In all Windows Mobile 6.x devices

Access information on the network, quickly Greater control and visibility to your calendar

Information search Search Improved on-line experience

Messaging & Productivity New in Windows Mobile 6.1

Better organized and faster text messaging experience with chat-like text messaging

Messaging & Productivity Updates in Windows Mobile 6.1

Improved exchange of data from one application to another with cut/copy/paste

33% Reduction in data usage with Exchange 2007 Service Pack 1

Simpler message authoring and addressing with auto-complete

Access to data within the corporate firewall with Remote Desktop

More comprehensive on-device productivity with a larger set of Microsoft applications