1
Roderick van der Graaf
Mobile Communication Business
Microsoft EMEA HQ
Windows Mobile 6.1 & Microsoft System Center Mobile Device Manager 2008
2
1. Update on Windows Mobile 6.1
2. Line of Business applications (LOB)
3. Introduction of System Center Mobile Device Manager 2008
4. Q&A
3
Microsoft Mobility Vision
From any device, any location…
…access to people, resources and applications.
…Secured and managed by IT…
[Diagram labels: Managed PC; Unmanaged PC (Home PC, Kiosk, etc.); Mobile and Traditional Devices; Wired; Wireless; Internet; Access Control; Firewall; Team Workspaces; Web and Video Conferencing; Documents and Files; Calendaring; Instant Messaging; Identity and Presence; LOB Applications; Intranet Web Applications]
4
Leveraging your IT investments…
5
Silicon Vendors
Device Manufacturers
ISVs and IHVs
Mobile Operators
Solution Providers
Desktop
Infrastructure
Development
Tools
Windows
Mobile Devices
Partners
Office Communication Server
Windows Mobile Assets
6
Mobile Business Value Proposition
Productivity
Reliability
Cost
Business Value
Re-Use Knowledge
Easy to Manage/Support
Scalable
Secure
Device Choice
Easy-To-Use Enabling Lifestyle
7
Windows Mobile Roadmap*
Timeline labels: 2005, 2006, 2008, Future
Version labels: 5.0, 6, 6.1, “Next”
Productivity
Multi-media
Customization
Direct Push available for all devices**
Advanced Mobile Communications
Increased Mobile Productivity
Integrated Mobile Business Performance
Vision Areas
Breakthrough User Experience
Great PC Companion Device
Next Generation Platform
Device & Security Management
User-Focused Experience
Messaging & Productivity
* Anticipated release schedule. Schedule and features are subject to change.
** Direct Push email & Direct Push synchronization of Outlook calendar, contacts & tasks are available only with Microsoft Exchange Server 2003 SP2 & later
8
Sample of WM 6.1 devices
9
Windows Mobile 6.1
Some key Enterprise Features……
10
Market Shifting Beyond Messaging
Fastest growth in rich mobile scenarios beyond e-mail
Corporate data access and mobile LOB grows 5.4x from 2006–2011
Messaging-only grows 2.3x in the same time period
[Chart: Corporate data access and mobile LOB vs. Mobile Messaging. Data labels: 6.3 MM, 3.6 MM, 0.9 MM, 14.7 MM, 19.8 MM, 4.5 MM]
Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports
11
Adoption shifts to LOB applications
Line of business applications
“At what stage is your company in the adoption of these mobile applications?”
Application: In production/upgrade underway/initial rollout; Evaluating/piloting
Inventory management: 30%; 13%
SMS alerts: 41%; 16%
Instant messaging: 31%; 20%
Customer facing applications: 27%; 17%
Logistics applications: 23%; 15%
Field service applications: 27%; 18%
Sales force applications: 25%; 20%
Content/information for employees: 43%; 23%
Personalized contacts and calendar: 69%; 14%
Wireless email: 71%; 16%
Source: Forrester's Business Technographics®
Base: 404 executives at North American and European enterprises
12
Windows Mobile & Application
http://www.microsoft.com/emea/windowsmobileapps/default.mspx
We have over 18.000 mobile applications
More than a third are business applications
We build a showcase of what is possible…
13
Aligning With Customer Priorities
End User Productivity
Scalable and reliable procurement
Minimize support costs and TCO
Secure data and network access
Manageable, scalable IT infrastructure
Standardization versus point solutions
Integrate and align with existing systems
Minimize training and support
Time
Anytime access to corporate info
Dependable and resilient phone experience
Superior productivity including unified communications
“Provide me with always available access to the people, information and applications I need even when I am on the go”
-Global pharmaceutical firm- Sales Manager
“I need a strong ROI justification if I am going to roll out mobile devices to most of my organization and not just the managers”
--Director of business group for major manufacturer
“Make it just another device on my network that I control and manage, and as an integral part of my existing architecture and security framework”
-VP of IT for Large Wall Street Bank
14
System Center Mobile Device Manager 2008
Mobile Device Manager is a comprehensive server solution designed to improve security, management, and access for mobile devices in a cost-effective manner for enterprises with investments in Windows Server System™
Security Management:
Active Directory Domain Join
Policy enforcement using Active Directory/Group Policy targeting (125+ policies and settings)
Communications and camera disablement
File encryption
Application allow and deny
Remote wipe
OMA-DM Compliant
Device Management:
Single point of management for mobile devices in enterprise
Full Over the air (OTA) provisioning and bootstrapping
OTA Software distribution based on Windows Software Update Service (WSUS) 3.0
Inventory
Microsoft SQL Server™ 2005–based reporting capabilities
Role based administration
MMC snap-ins and PowerShell cmdlets
WMU On/Off control
Mobile VPN:
Machine authentication and “double envelope security”
Session Persistence
Fast Reconnect
Internetwork roaming
Standards based (IKEv2, IPSEC tunnel mode)
15
Server Architecture
Enrollment Server:
Proxies request to enroll device
Mobile VPN Server:
Typically located in the network perimeter
Entry point to corporate network
Forwards network and device management communications between a corporate network and their devices
Device Management Server:
Based on OMA DM standards
Proxies Policy to devices
Enables software distribution
Architecture Principles:
Security first
Large scale distributed solution
Transparent compatibility
Extensibility and future proofing
16
MDM 08 Deployment Topology
[Diagram. Zones: Internet; DMZ; Corporate Intranet; Firewall (x2). Components: MDM 08 Gateway; MDM 08 Management Server; Device Certificate Enrollment Service; Active Directory; Microsoft Certificate Authority; WSUS Software Management; SQL Server; MMC Console; Exchange, SharePoint, Intranet and LOB Servers. Connections: Initial OTA Enrollment via SSL; One Time PIN for Enrollment; IPSEC Mobile VPN; IPSEC VPN Tunnel; Machine Certificate Authentication for Mobile VPN; 128-bit SSL Tunnel (x2); SSL User Authentication]
17
Enrollment Server
Location: Intranet–based (domain joined server/service)
Purpose:
Manage the process flow of enrollment
Create domain objects
Create certificates
Supply provisioning instructions
Other:
Best practice: Protected by a Proxy (e.g. Microsoft Internet Security and Acceleration (ISA) Server)
Can co-exist on device management (DM) server in integrated implementation
18
End User Experience
[Diagram labels: John; Enrollment and Device Management Server; Corporate Resources; Gateway/VPN Server]
20
Gateway Server
Location: Corporate DMZ (non-domain joined)
Purpose:
Authenticates incoming connections for authorized devices
Assigns a stable internal IP address for the device
Enables fast resume/reconnect features for devices and applications
Negotiates keys to encrypt traffic over the Internet
Other:
IPSec termination point
Managed remotely
21
Mobile VPN Benefits
Performance:
IPSec Tunnel Mode
Aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive
IKEv2: IETF Standard
MOBIKE: IETF standard extension for mobility
Extremely efficient, agile and self-healing connectivity solution
Security:
Double envelope security
VPN technology allows nested secure connections
Outer layer – IPSec, IKEv2 tunnel from device to Gateway
Inner layer – E2E Client-Server (SSL)
Defense in depth
DMZ pre-auth - Based on device identity
End-to-End auth to corporate servers
Back-end firewall filtering
Gateway is not “domain-aware”
23
Device Management Server
Location: Intranet based (domain joined server/service)
Purpose:
Primary administration and management service for all managed devices
Functional hub for device Group Policy application, device software packages, and device data wipes
Communicates with existing infrastructure servers, such as domain controllers, CA
Proxies information and commands between core Windows Servers (AD/CA) and devices
Other:
OMA-DM compliant
24
Security Management Benefits
SCMDM extends Active Directory Group Policy to Windows Mobile devices
Many configuration settings now managed through Group Policy including control of Bluetooth, WIFI, SMS/MMS, IR, Camera, and POP/IMAP
Extensible architecture
25
Device Management Benefits
Enterprise-wide OTA software distribution
Leverages Windows® Software Update Service (WSUS) 3.0
Rich targeting and packaging capabilities
Inventory and Reporting
Robust hardware and software inventory capabilities
SQL Server 2005 reporting services
26
Group Policy Flow
[Diagram labels: Group Policy Editor; GPMC; SYSVOL; Group Policy Service; OMA Proxy Engine; Database; Mobile Device Management Server; Windows Mobile Device]
27
Device Management
28
IT Infrastructure Details
Required:
Windows Server® 2003 SP2 64-bit
SQL Server 2005
Active Directory
Microsoft CA
Group Policy
Windows Mobile 6.1
Not Required:
Microsoft Exchange Server (any version)
Microsoft Systems Management Server
Systems Center
ISA Server
29
MDM Resource Kit
Self Service Portal
Best Practices Analyzer
Device Tools:
Connect Now Tool
VPN Diagnostics Tool
Device Status Viewer
Server Tools:
A whole host of good stuff…
Exchange ActiveSync Policies
Exchange Server Standard CAL
Sync
Configure message formats (HTML or plain text)
Include past email items
Email body truncation size
HTML email body truncation size
Include past calendar items (Duration)
Require manual sync while roaming
Allow attachment download
Maximum attachment size
Authentication
Minimum number of complex characters
Enable password recovery
Allow simple password
Password Expiration (Days)
Enforce password history
Windows file share access
Windows SharePoint access
Minimum password length
Timeout without user input
Require password
Require alphanumeric password
Number of failed attempts
Policy refresh interval
Allow Non-provisionable devices
Encryption
Encrypt storage card
Require signed SMIME messages
Require encrypted SMIME messages
Require Signed SMIME algorithm
Require encrypted SMIME algorithm
Allow SMIME encrypted algorithm negotiation
Allow SMIME SoftCerts
Device encryption
Color Key:
Exchange 2007 SP1
Exchange 2007 RTM
Exchange 2003 SP2
Exchange ActiveSync Policies
Exchange Server Enterprise CAL
Device Control
Disable desktop ActiveSync
Disable removable storage
Disable camera
Disable SMS and any MMS text messaging
Network Control
Disable Wi-Fi
Disable Bluetooth
Disable IrDA
Allow internet sharing from device
Allow desktop sharing from device
Application Control
Disable POP3/IMAP4 email
Allow consumer email
Allow browser
Allow unsigned applications
Allow unsigned CABs
Application allow list
Application block list
Color Key:
Exchange 2007 SP1
Exchange 2007 RTM
Exchange 2003 SP2
32
Exchange 2007 SP1 DM Features
Device Encryption and Storage Card Encryption
Unapproved Application List and Approved Application List
Block ROM Based Applications
Disable
Removable Storage
Camera
WI-FI
Bluetooth
IrDA
POP/IMAP
SMS and MMS
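The Exchange ActiveSync settings listed on the preceding slides can be audited against a baseline. The PowerShell below is an added example, not part of the original presentation or of any Microsoft tooling: the function name `Test-EasPolicyBaseline`, the baseline values and the two sample policies are constructed for illustration, and the property names are assumed to match those returned by `Get-ActiveSyncMailboxPolicy` in Exchange 2007 SP1.

```powershell
# Added example: flag ActiveSync policies weaker than a baseline.
# Baseline values are illustrative assumptions, not vendor guidance.
$Baseline = @{
    DevicePasswordEnabled              = $true   # Require password
    AlphanumericDevicePasswordRequired = $true   # Require alphanumeric password
    AllowSimpleDevicePassword          = $false  # Allow simple password
    AllowNonProvisionableDevices       = $false  # Allow non-provisionable devices
    RequireDeviceEncryption            = $true   # Device encryption
    AllowUnsignedApplications          = $false  # Allow unsigned applications
    AllowUnsignedInstallationPackages  = $false  # Allow unsigned CABs
}
$MinLength = 6   # assumed floor for "Minimum password length"

function Test-EasPolicyBaseline {
    param([Parameter(ValueFromPipeline = $true)] $Policy)
    process {
        $findings = @()
        foreach ($name in $Baseline.Keys) {
            # A missing property compares as $null and is reported too.
            if ($Policy.$name -ne $Baseline[$name]) {
                $findings += "$name is '$($Policy.$name)', expected '$($Baseline[$name])'"
            }
        }
        # A null length means no minimum is enforced at all.
        $len = $Policy.MinDevicePasswordLength
        if ($null -eq $len -or [int]$len -lt $MinLength) {
            $findings += "MinDevicePasswordLength is '$len', expected at least $MinLength"
        }
        New-Object PSObject -Property @{
            Policy    = $Policy.Name
            Compliant = ($findings.Count -eq 0)
            Findings  = $findings
        }
    }
}

# Constructed sample policies so the check runs without an Exchange server.
$strict = $Baseline.Clone(); $strict.Name = 'Sample-Strict'; $strict.MinDevicePasswordLength = 8
$weak   = $Baseline.Clone(); $weak.Name = 'Sample-Weak'; $weak.MinDevicePasswordLength = 4
$weak.AllowSimpleDevicePassword = $true
$weak.AllowUnsignedInstallationPackages = $true

$strict, $weak |
    ForEach-Object { New-Object PSObject -Property $_ } |
    Test-EasPolicyBaseline |
    Format-List Policy, Compliant, Findings
```

From the Exchange Management Shell the same function can take live policies with `Get-ActiveSyncMailboxPolicy | Test-EasPolicyBaseline`.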
33
Which Solution Fits My Needs?
Solutions: Exchange 2007 SP1, SCCM 2007, SCMDM 2008
Scenarios: Security Management, Device Management, Mobile VPN
Platforms:
Exchange 2007 SP1: EAS Licensees
SCCM 2007: WM 2003/5/6.0, CE 4.2/5.0
SCMDM 2008: WM 6.1+
Track Resources for Windows Mobile
Mobile blog: http://blogs.msdn.com/jasonlan
Windows Mobile 6.1: http://www.microsoft.com/windowsmobile/6-1/default.mspx
Business Value Assessment Tool (Enterprise): http://www.microsoft.com/windowsmobile/business/calculator/default.mspx
Windows Mobile Application Showcase: http://www.microsoft.com/emea/windowsmobileapps/default.mspx
Useful Resources SCMDM 2008
MDM home page: http://www.microsoft.com/systemcenter/mobile/default.mspx
MDM TechCenter: http://technet.microsoft.com/en-us/scmdm/default.aspx
Trial Software: http://technet.microsoft.com/en-us/scmdm/bb986596.aspx
Resource Kit Tools: http://technet.microsoft.com/en-us/scmdm/cc304591.aspx
TechNet MDM Forum: http://forums.technet.microsoft.com/en-US/SCMDM/threads/
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
39
Device & Security Management
New in Windows Mobile 6.1
Enterprise control over what software can be installed and run on the device
Enterprise control over device features with ability to lock down communications and camera functionality
Expanded on-device security features for sensitive corporate information
40
Device & Security Management
New in Windows Mobile 6.1
Expanded policy enforcement with over 125 policies and superior targeting capabilities
Improved security management through use of Active Directory/Group Policy settings
Simplified administration, increased monitoring and flexible policy management
41
Microsoft System Center Mobile Device Manager 2008
Management
Security
Mobile VPN
User-Focused Experience
In all Windows Mobile 6.1 devices
Genuine Microsoft® Office Outlook® Mobile
Faster access to my contacts
Efficient management of mail
Higher fidelity communications
Built-in Information Rights Management
Windows Live™ experience
44
User-Focused Experience
New in Windows Mobile 6.1
Improved control over alerts with multiple alarms
Better out-of-box experience and help with Getting Started center
Simpler setup for Bluetooth devices and Wi-Fi networks
More robust web browsing experience
45
Internet Explorer® Mobile
New Enhancements
Already available in Windows Mobile 6.1:
More personalization – set home page
Greater ease of use with zoom & page overview
Available later this year:
View of the “real web,” not just “mobile web”
Supporting key technologies for rich experience
Adobe Flash included
Capable of viewing YouTube video
Easier navigation – zoom & pan, mouse pointer
Messaging & Productivity
In all Windows Mobile 6.x devices
Access information on the network, quickly
Greater control and visibility to your calendar
Information search
Improved on-line experience
Search
48
Messaging & Productivity
New in Windows Mobile 6.1
Better organized and faster text messaging experience with chat-like text messaging
49
Messaging & Productivity
Updates in Windows Mobile 6.1
Improved exchange of data from one application to another with cut/copy/paste
33% Reduction in data usage with Exchange 2007 Service Pack 1
Simpler message authoring and addressing with auto-complete
Access to data within the corporate firewall with Remote Desktop
More comprehensive on-device productivity with a larger set of Microsoft applications