[Partner ecosystem diagram: Silicon Vendors, Device Manufacturers, ISVs and IHVs, Mobile Operators, Solution Providers; Desktop, Infrastructure, Development Tools, Windows Mobile Devices, Partners, Office Communication Server]
Helping businesses thrive by enabling people with smart devices to perform their best when mobile
DEMO
Windows Mobile 6
30 new policies in SP1
New: Device Control, Application Control, Network Control
Enhanced: Authentication, Synchronizations, Encryption
33% reduction in bandwidth usage
Device Wipe
• User confirmation for device wipe completion (OWA & Outlook)
• Users/Admins can now cancel a device wipe request
Added the “Minimum number of complex characters” setting
Can configure how many past calendar and e-mail items should be synchronized with the device
Control limit on message size
• Allow sync when roaming
• Allow HTML formatted mail
• Allow removable storage
• Allow camera
• Allow Wi-Fi
• Allow infrared
• Allow internet sharing
• Allow RDP
• Allow Desktop Sync
• Allow Bluetooth
• Allow browser
• Allow consumer mail
• Allow unsigned apps
• Allow unsigned installation packages
Use the infrastructure and solutions you already have
Leverage the partners you already trust
Utilise the information your staff already knows
Management
Security
Mobile VPN
Utilize an enterprise’s current Active Directory® structure to deploy and manage Windows Mobile devices with:
• Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
• Custom policies that can be created using Active Directory Management Templates
To enroll their devices, users simply need to:
• Access the company’s portal for self-service enrollment
• Enter their e-mail address
• Enter a one-time PIN code for enrollment
• Target users in specific Active Directory groups
• Configure mobile applications such that users cannot uninstall them
• Eliminate the need to distribute CAB files via Flash drives
• Access powerful reporting systems for reviewing software distribution across a mobile device workforce
Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:
• View a broad range of device characteristics like device settings, certificates installed, software installed etc.
• Reduce the learning curve since it is based on the familiar Microsoft Management Console (MMC)
Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
• Disable specific hardware functionality, such as the camera or Bluetooth connectivity
• Remotely wipe security-compromised devices
Mobile VPN
• Single point of access to the corporate network
• Always-on, security-enhanced wireless communication
• Behind-the-firewall access to business applications
[Architecture diagram: Smartcard; Internet | Front Firewall | DMZ: Mobile GW (Initial OTA Device Enrollment) | Back Firewall | Corporate Intranet: E-mail and LOB Servers, Console, Mobile Server Back-end, R/O AD, LHS NAP System, Self Help Site, Enrollment Service, OMA Proxy, CA, Mobile VPN. Authentication legend: SSL Mutual User Auth; SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; SSL User-mutual Auth or similar]
MDM introduces three new server roles:
• Enrollment Server
  Proxies request to enroll device
• Mobile VPN Server
  Typically located in the network perimeter
  Entry point to corporate network
  Forwards network and device management communications between a corporate network and their devices
• Device Management Server
  Based on OMA DM standards
Architecture Principles
• Security first
• Large scale distributed solution
• Transparent compatibility
• Extensibility & future proofing
[Architecture diagram: Internet | Front Firewall | DMZ: Mobile Gateway Server (Initial OTA Device Enrollment) | Back Firewall | Corporate Intranet: E-mail and LOB Servers, Console, Mobile Server Back-end, R/O AD, WSUS Catalog, Self Help Site, Enrollment Service, Device Management Server, CA, Mobile VPN. Authentication legend: SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; SSL User-mutual Auth or similar]
Enrollment Server
• Location:
  • Intranet based (domain joined server/service)
• Purpose:
  • Manage the process flow of enrollment
  • Create domain objects
  • Create certificates
  • Supply provisioning instructions
• Other:
  • Best practice: protected by a Proxy (e.g. ISA)
  • Can co-exist on DM Server in integrated implementation
[Enrollment flow diagram; labelled steps: Create Acct., Issue Cert, Negotiate SSL Root, Submit Cert Request, Receive Cert, Public DNS, Discovery]
• Private key and Enrollment Password never transmitted over the air
• All traffic between client and server uses SSL
• SSL negotiation does not require public root cert (e.g. VeriSign etc.)
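The enrollment properties on this slide can be checked rather than just asserted. The Python model below is an added illustration, not code from the deck or from Mobile Device Manager: it replays the exchange (challenge, enrollment request, certificate) and records every message that would cross the air, then searches that capture for the device's private key and the one-time PIN. Assumptions made for the model: the device's "private key" is a random secret whose SHA-256 digest stands in for a public key, the server's "certificate" is an HMAC tag under a server-side CA key instead of an X.509 certificate, and knowledge of the PIN is proven by keying a MAC over the request. The real product uses an asymmetric key pair, a certificate request and its own protocol; the messages here are assumed to ride inside the SSL session the slide describes.

```python
"""Constructed model of an over-the-air enrollment exchange in which neither
the private key nor the enrollment PIN is ever sent (added example, not the
product's code; key, certificate and proof formats are simplifying assumptions).
"""
import hashlib
import hmac
import json
import secrets


def canonical(obj, exclude=None):
    """Stable byte encoding of a message so both sides MAC the same thing."""
    return json.dumps({k: v for k, v in obj.items() if k != exclude},
                      sort_keys=True).encode()


class EnrollmentServer:
    def __init__(self):
        self.pending = {}          # e-mail -> one-time PIN, consumed on first use
        self.nonces = set()        # challenges handed out, consumed on first use
        self.accounts = {}         # device id -> public key (the "domain object")
        self.ca_key = secrets.token_bytes(32)   # stand-in for the CA signing key

    def issue_pin(self, email):
        """Admin creates the enrollment; the PIN reaches the user out of band."""
        pin = f"{secrets.randbelow(10**8):08d}"
        self.pending[email] = pin
        return pin

    def challenge(self):
        nonce = secrets.token_hex(16)
        self.nonces.add(nonce)
        return nonce

    def enroll(self, req):
        pin = self.pending.get(req["email"])
        if pin is None or req["nonce"] not in self.nonces:
            return {"status": "rejected", "reason": "no pending enrollment"}
        expected = hmac.new(pin.encode(), canonical(req, exclude="proof"),
                            hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["proof"]):
            return {"status": "rejected", "reason": "bad PIN proof"}
        self.nonces.discard(req["nonce"])
        del self.pending[req["email"]]          # one-time: the PIN cannot enroll twice
        device_id = hashlib.sha256(req["pubkey"].encode()).hexdigest()[:16]
        self.accounts[device_id] = req["pubkey"]
        cert = {"device_id": device_id, "pubkey": req["pubkey"], "email": req["email"]}
        cert["sig"] = hmac.new(self.ca_key, canonical(cert), hashlib.sha256).hexdigest()
        return {"status": "enrolled", "cert": cert}

    def verify_cert(self, cert):
        tag = hmac.new(self.ca_key, canonical(cert, exclude="sig"),
                       hashlib.sha256).hexdigest()
        return hmac.compare_digest(tag, cert["sig"])


class Device:
    def __init__(self, email, pin):
        self.email, self.pin = email, pin
        self.private_key = secrets.token_hex(32)   # generated on the device, never sent
        self.pubkey = hashlib.sha256(self.private_key.encode()).hexdigest()
        self.cert = None

    def build_request(self, nonce):
        req = {"email": self.email, "pubkey": self.pubkey, "nonce": nonce}
        # Knowledge of the PIN is proven by keying the MAC with it, not by sending it.
        req["proof"] = hmac.new(self.pin.encode(), canonical(req),
                                hashlib.sha256).hexdigest()
        return req


def run_enrollment(server, device, wire):
    """Drive the exchange; every message that would cross the air goes into wire."""
    nonce = server.challenge()
    wire.append(("server->device", {"nonce": nonce}))
    req = device.build_request(nonce)
    wire.append(("device->server", req))
    resp = server.enroll(req)
    wire.append(("server->device", resp))
    if resp["status"] == "enrolled":
        device.cert = resp["cert"]
    return resp["status"]


def leaked(wire, *values):
    """Return which of the given secret strings appear anywhere in the capture."""
    text = json.dumps([msg for _, msg in wire])
    return [v for v in values if v in text]


if __name__ == "__main__":
    server = EnrollmentServer()
    pin = server.issue_pin("alice@example.test")     # constructed sample user
    dev = Device("alice@example.test", pin)
    wire = []
    print(run_enrollment(server, dev, wire), "leaked:", leaked(wire, dev.private_key, pin))
```

The `leaked` check is the point of the model: the capture holds a nonce, a public value, a MAC and a certificate, but searching it for the private key or the PIN finds nothing, and because the server discards the PIN after first use, a replayed request enrolls nothing.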
Mobile VPN for both client and server
Standards based
• IPSec Tunnel Mode
• MobIKE
• IKEv2
Enables access to corporate resources
• LOB
• Internet proxy servers
[Architecture diagram: Internet | Front Firewall | DMZ: Mobile Gateway Server (Initial OTA Device Enrollment) | Back Firewall | Corporate Intranet: E-mail and LOB Servers, Console, Mobile Server Back-end, R/O AD, WSUS Catalog, Self Help Site, Enrollment Service, Device Management Server, CA, Mobile VPN. Authentication legend: SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; SSL User-mutual Auth or similar]
Mobile VPN Server
• Location:
  • Corporate DMZ (non-domain joined)
• Purpose:
  • Authenticates incoming connections for authorized devices
  • Assigns a stable internal IP address for the device
  • Enables fast resume/reconnect features for devices and applications
  • Negotiates keys to encrypt traffic over the internet
• Other:
  • IPSEC termination point
  • Managed remotely
[Diagram: Internet → FW → Mobile VPN (DMZ) → FW → Proxy (ISA) → LOB1 / LOB2. Double envelope security. User Authentications: 1) Certificate 2) NTLM v2 3) Basic. Kerberos delegation]
Performance
Technical features
• IPSec Tunnel Mode: Aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive
• IKEv2: IETF Standard that includes address assignment (unlike IKEv1)
• MobIKE (Mobile IKE): IETF standard for transparent auto recovery of IPSec tunnels w/o re-negotiation of SAs
Implications
• Extremely efficient, agile and self-healing connectivity solution
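To make the MobIKE bullet concrete, the Python model below (an added example, not the product's code) contrasts a gateway that honours the RFC 4555 UPDATE_SA_ADDRESSES exchange with one that does not. When the device's address changes, the MobIKE gateway keeps the existing IKE SA, child SA, keys and ESP sequence counter and only re-points the endpoint, after a return-routability check; the legacy gateway has to tear the tunnel down and run a full negotiation with fresh SPIs and keys. Assumptions made for the model: keys are random bytes, message integrity is an HMAC under the IKE SA's integrity key, ESP traffic is a counter, and the return-routability check is a COOKIE2 value the device must echo from its new address. The detection point for a defender is the `negotiations` counter: a MobIKE roam is not a new authentication event, so it should not look like one in the logs.

```python
"""Constructed model of IPsec tunnel survival across a device address change,
with and without MobIKE (added example; keys, MAC and traffic are simplified
stand-ins, not the product's implementation).
"""
import hashlib
import hmac
import secrets


class IkeSa:
    """State that one IKEv2 negotiation establishes: SPIs, keys, child (ESP) SA."""
    def __init__(self, device_addr, gw_addr):
        self.spi_i = secrets.token_hex(8)
        self.spi_r = secrets.token_hex(8)
        self.sk_a = secrets.token_bytes(32)       # integrity key (simplified)
        self.child_spi = secrets.token_hex(4)
        self.device_addr, self.gw_addr = device_addr, gw_addr
        self.esp_seq = 0                          # ESP sequence number
        self.pending_cookie2 = None               # (new_addr, cookie) awaiting echo

    def mac(self, payload):
        return hmac.new(self.sk_a, payload, hashlib.sha256).hexdigest()


class Gateway:
    def __init__(self, addr, mobike):
        self.addr, self.mobike = addr, mobike
        self.sas = {}                             # spi_i -> IkeSa
        self.negotiations = 0                     # full IKE_SA_INIT/IKE_AUTH runs

    def establish(self, device_addr):
        """Full IKEv2 negotiation: fresh SPIs and fresh keys."""
        self.negotiations += 1
        sa = IkeSa(device_addr, self.addr)
        self.sas[sa.spi_i] = sa
        return sa

    def send_esp(self, sa):
        sa.esp_seq += 1
        return sa.esp_seq

    def update_addresses(self, spi_i, new_addr, mac):
        """INFORMATIONAL carrying UPDATE_SA_ADDRESSES. Accepted only under a live
        SA whose integrity key produced the MAC; returns a COOKIE2 challenge the
        device must echo from new_addr before traffic is redirected there."""
        sa = self.sas.get(spi_i)
        if sa is None or not self.mobike:
            return None
        msg = f"UPDATE_SA_ADDRESSES:{spi_i}:{new_addr}".encode()
        if not hmac.compare_digest(sa.mac(msg), mac):
            return None                           # forged or replayed update
        sa.pending_cookie2 = (new_addr, secrets.token_hex(8))
        return sa.pending_cookie2[1]

    def confirm_routability(self, spi_i, from_addr, cookie2, mac):
        sa = self.sas.get(spi_i)
        if sa is None or sa.pending_cookie2 != (from_addr, cookie2):
            return False
        if not hmac.compare_digest(sa.mac(cookie2.encode()), mac):
            return False
        sa.device_addr = from_addr                # same SPIs, keys and counters
        sa.pending_cookie2 = None
        return True


def roam(gw, sa, new_addr):
    """Device moved to new_addr; returns the IKE SA now carrying its traffic."""
    if gw.mobike:
        msg = f"UPDATE_SA_ADDRESSES:{sa.spi_i}:{new_addr}".encode()
        cookie2 = gw.update_addresses(sa.spi_i, new_addr, sa.mac(msg))
        if cookie2 and gw.confirm_routability(sa.spi_i, new_addr, cookie2,
                                              sa.mac(cookie2.encode())):
            return sa
    # No MobIKE (or the update failed): tear down and negotiate from scratch.
    gw.sas.pop(sa.spi_i, None)
    return gw.establish(new_addr)


if __name__ == "__main__":
    gw = Gateway("203.0.113.1", mobike=True)      # constructed documentation addresses
    sa = gw.establish("198.51.100.7")
    gw.send_esp(sa)
    moved = roam(gw, sa, "192.0.2.9")
    print("same SA:", moved is sa, "negotiations:", gw.negotiations)
```

Two things the model makes visible: an address update that is not protected by the SA's own key is ignored, so a third party cannot redirect someone else's tunnel by claiming a new address; and without MobIKE the roam shows up as a second full negotiation with new SPIs and a reset ESP counter, which is the cost the slide's "w/o re-negotiation of SAs" refers to.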
Security
Double envelope security
• VPN technology allows nested secure connections
• Outer layer – IPSec, IKEv2 tunnel from device to GW
• Inner layer – E-2-E Client-Server mechanisms (SSL, IPSec transport, etc)
Defense in depth
• DMZ pre-auth
  • Based on device identity and health (not user)
• End-to-End auth to corporate servers
• “Four factor” (2x2) authentication
• Back-end firewall filtering
• DMZ GW is not a vulnerability point
Security management
• Enrollment
• AD domain join
• Wipe
• Policy enforcement
• Service enablement/disablement
• Application deny/allow
• Software distribution
• Inventory and reporting
[Architecture diagram: Internet | Front Firewall | DMZ: Mobile Gateway Server (Initial OTA Device Enrollment) | Back Firewall | Corporate Intranet: E-mail and LOB Servers, Console, Mobile Server Back-end, R/O AD, WSUS Catalog, Self Help Site, Enrollment Service, Device Management Server, CA, Mobile VPN. Authentication legend: SSL Auth (PIN+Corp Root); SSL Machine Mutual Auth; SSL User-mutual Auth or similar]
Device Management Server
• Location:
  • Intranet based (domain joined server/service)
• Purpose:
  • Primary administration and management service for all managed devices
  • Functional hub for device Group Policy application, device software packages, and device data wipes
  • Communicates with existing infrastructure servers, such as domain controllers, CA
  • Proxies information and commands between core Windows Servers (AD/CA) and devices
• Other:
  • OMA-DM compliant
[Diagram: Internet (WWAN, NAT) → FW → Mobile VPN (DMZ) → FW → Corpnet: DM Server, Enrollment Server, Policy Information]
Required:
• Windows Server 2003 SP2 64 bit
• SQL Server 2005
• Active Directory
• Microsoft CA
• Group Policy
Not Required:
• Exchange Server (any version)
• Systems Management Server
• Systems Center
• ISA Server*
[Feature and licensing comparison table: rows Security Management, Device Management, Mobile VPN; columns SCCM (System Center Configuration Manager) and SCMDM (System Center Mobile Device Manager); Std CAL / Ent CAL; Exchange; Mobile Scenarios]
© 2007 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.