Microsoft System Center Mobile Device Manager 2008

John Wyer EMEA Marketing Manager Mobile Communications Business Microsoft Corporation


Page 1: Microsoft System Center Mobile Device Manager 2008

John Wyer

EMEA Marketing Manager

Mobile Communications Business

Microsoft Corporation

Page 2: Microsoft System Center Mobile Device Manager 2008

Background and Introduction

Customer Benefits

The Partner Opportunity

How it works

Resources

Questions

Page 3: Microsoft System Center Mobile Device Manager 2008

Strong growth in the business market based on deeper penetration of mobile messaging and convergence with mobile LOB applications

Increased IT demand to align smart converged handheld device strategy with laptops

Need for generalized access infrastructure for email + apps

Manage devices like laptops (no compromise on managing corporate data or terminals accessing corporate network)

Microsoft efforts focused on the following target customers

Upper mid market through large enterprise customers

Exchange 2003+ mobile messaging

Windows Server infrastructure customers

Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports

5 Years

Page 4: Microsoft System Center Mobile Device Manager 2008

Fastest growth in rich mobile scenarios beyond e-mail

Corporate data access and mobile LOB grows 5.4x from 2006 - 2011

Messaging-only grows 2.3x in the same time period

Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports

[Chart: Mobile Messaging vs. Corporate data access and mobile LOB. Data labels as extracted: 14.7 MM, 19.8 MM, 4.5 MM, 6.3 MM, 3.6 MM, 0.9 MM]

Page 5: Microsoft System Center Mobile Device Manager 2008

Revenue By Industry Sector (Strategy Analytics Projections 2004-2009)

| US$Mn; includes laptops | 2004 | 2005 | 2006 | 2007 | 2008 | 2009 |
|---|---|---|---|---|---|---|
| Finance, Insurance, and Real Estate | 1,656.0 | 2,090.0 | 2,562.0 | 3,060.0 | 3,629.0 | 4,230.0 |
| Government and Public Safety | 1,334.0 | 1,716.0 | 2,121.0 | 2,560.0 | 3,040.0 | 3,546.0 |
| Information and Communication Technologies | 1,219.0 | 1,474.0 | 1,743.0 | 1,940.0 | 2,185.0 | 2,412.0 |
| Professional Services | 989.0 | 1,232.0 | 1,533.0 | 1,840.0 | 2,185.0 | 2,574.0 |
| Healthcare and Pharmaceuticals | 1,012.0 | 1,232.0 | 1,449.0 | 1,620.0 | 1,824.0 | 2,016.0 |
| Retail and Distribution | 552.0 | 704.0 | 840.0 | 1,000.0 | 1,178.0 | 1,350.0 |
| Transportation | 345.0 | 418.0 | 483.0 | 540.0 | 589.0 | 648.0 |
| Energy and Utilities | 207.0 | 264.0 | 315.0 | 360.0 | 437.0 | 486.0 |
| Manufacturing | 161.0 | 198.0 | 252.0 | 320.0 | 380.0 | 450.0 |
| Construction and Engineering | 138.0 | 176.0 | 210.0 | 260.0 | 304.0 | 360.0 |
| Hospitality and Travel | 23.0 | 44.0 | 42.0 | 60.0 | 76.0 | 72.0 |
| Agriculture | 23.0 | 22.0 | 21.0 | 40.0 | 38.0 | 54.0 |
| Other | 920.0 | 1,188.0 | 1,470.0 | 1,780.0 | 2,128.0 | 2,502.0 |
| Total | 8,579.0 | 10,758.0 | 13,041.0 | 15,380.0 | 17,993.0 | 20,700.0 |

Page 6: Microsoft System Center Mobile Device Manager 2008

End User Productivity

Scalable and reliable procurement

Minimize support costs and TCO

Secure data and network access

Manageable, scalable IT infrastructure

Standardization vs. point solutions

Integrate and align with existing systems

Minimize training and support

Anytime access to corporate info

Dependable and resilient phone experience

Superior productivity including unified communications

“Provide me with always available access to the people, information and applications I need even when I am on the go”

-Global pharmaceutical firm-Sales Manager

“I need a strong ROI justification if I am going to roll out mobile devices to most of my organization and not just the managers”

--Director of business group for major manufacturer

“Make it just another device on my network that I control and manage, and as an integral part of my existing architecture and security framework”

-VP of IT for Large Wall Street Bank

Page 7: Microsoft System Center Mobile Device Manager 2008

Microsoft System Center Mobile Device Manager 2008

MANAGEMENT

SECURITY

ACCESS

Page 8: Microsoft System Center Mobile Device Manager 2008

System Center Mobile Device Manager will enable phones with Windows Mobile 6.1 and beyond to be deployed and managed like PCs and laptops in the IT infrastructure, providing network access to corporate data

Security Management

Active Directory Domain Join

Policy enforcement using Active Directory/Group Policy targeting (>130 policies and settings)

Communications and camera disablement*

File encryption

Application allow and deny

Remote wipe

OMA-DM compliant

Device Management

Single point of management for mobile devices in enterprise

Full OTA provisioning and bootstrapping

OTA software distribution based on WSUS 3.0

Inventory

SQL Server 2005-based reporting capabilities

Role-based administration

MMC snap-ins and PowerShell cmdlets

WMU On/Off control

OMA-DM compliant

MobileVPN

Machine authentication and “double envelope security”

Session persistence

Fast reconnect

Internetwork roaming

Standards-based (IKEv2, MobIKE, IPSEC tunnel mode)

Management Workload

Deployment: Inside firewall

Network Access Workload

Deployment: In DMZ

Page 9: Microsoft System Center Mobile Device Manager 2008

Utilize an enterprise’s current Active Directory® structure to deploy and manage Windows Mobile devices with:

Over 125 policies, including specific security policies for device management, encryption, and remote device wipe

Custom policies that can be created using Active Directory Management Templates

Page 10: Microsoft System Center Mobile Device Manager 2008

Password Policies

Require password

Password type

Password timeout

Number of passwords remembered

Minimum password length

Wipe device after failed attempts

Allow user to reset authentication on the device

Code word frequency

Code word

Password expiration

Platform Lockdown

Turn off POP and IMAP messaging

Turn off SMS and MMS messaging

Certificate Management

Remove following unmanaged certificates:

SPC/Privileged/Normal/Root/Intermediate certificates

Turn off camera

Turn off WLAN, Bluetooth, Infrared

Security Policies

Allow unsigned applications to run on devices

Grant manager role permissions to user

Allow unsigned .cab file installation

Turn on Storage Card Encryption

Set reboot session reset reminder

Device Encryption

Turn on device encryption

Specify file on encryption list

Exclude files from encryption

Mobile VPN Settings

Specify corporate secure connection name

Time interval between keep alive packets

Allow AES data encryption algorithm

Always connected when roaming

Allow user to enable and disable VPN

Software distribution

Enable client side targeting

Page 11: Microsoft System Center Mobile Device Manager 2008

To enroll their devices, users simply need to:

Access the company’s portal for self-service enrollment

Enter their e-mail address

Enter a one-time PIN code for enrollment

Page 12: Microsoft System Center Mobile Device Manager 2008

Target users in specific Active Directory groups

Configure mobile applications such that users cannot uninstall them

Eliminate the need to distribute CAB files via Flash drives

Access powerful reporting systems for reviewing software distribution across a mobile device workforce

Page 13: Microsoft System Center Mobile Device Manager 2008

Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:

View a broad range of device characteristics like device settings, certificates installed, software installed etc.

Reduce the learning curve since it is based on the familiar Microsoft Management Console (MMC)

Page 14: Microsoft System Center Mobile Device Manager 2008

Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:

Disable specific hardware functionality, such as the camera or Bluetooth connectivity

Remotely wipe security-compromised devices

Page 15: Microsoft System Center Mobile Device Manager 2008

Single point of access to the corporate network

Always-on, security-enhanced wireless communication

Behind-the-firewall access to business applications

Page 16: Microsoft System Center Mobile Device Manager 2008

MDM introduces three new server roles:

Enrollment Server

Proxies request to enroll device

Mobile VPN Server

Typically located in the network perimeter

Entry point to corporate network

Forwards network and device management communications between a corporate network and their devices

Device Management Server

Based on OMA DM standards

Architecture Principles

Security first

Large scale distributed solution

Transparent compatibility

Extensibility & future proofing

Page 17: Microsoft System Center Mobile Device Manager 2008

• Location:

• Intranet based (domain joined server/service)

• Purpose:

• Manage the process flow of enrollment

• Create domain objects

• Create certificates

• Supply provisioning instructions

• Other:

• Best practice: protected by a Proxy (e.g. ISA)

• Can co-exist on Device Management Server in integrated implementation

Page 18: Microsoft System Center Mobile Device Manager 2008

Private key and Enrollment Password never transmitted over the air

All traffic between client and server uses SSL

SSL negotiation does not require public root cert (e.g. VeriSign etc.)

Page 19: Microsoft System Center Mobile Device Manager 2008

Mobile VPN for both client and server

Standards based

IPSec Tunnel Mode

MobIKE

IKEv2

Enables access to corporate resources

LOB

Internet proxy servers

Page 20: Microsoft System Center Mobile Device Manager 2008

• Location:

• Corporate DMZ (non-domain joined)

• Purpose:

Authenticates incoming connections for authorized devices

Assigns a stable internal IP address for the device

Enables fast resume/reconnect features for devices and applications

Negotiates keys to encrypt traffic over the internet

• Other:

• IPSEC termination point

• Managed remotely

Page 21: Microsoft System Center Mobile Device Manager 2008

Security management

Enrollment

AD domain join

Wipe

Policy enforcement

Service enablement/disablement

Application deny/allow

Software distribution

Inventory and reporting

Page 22: Microsoft System Center Mobile Device Manager 2008

• Location:

• Intranet based (domain joined server/service)

• Purpose:

Primary administration and management service for all managed devices

Functional hub for device Group Policy application, device software packages, and device data wipes

Communicates with existing infrastructure servers, such as domain controllers, CA

Proxies information and commands between core Windows Servers (AD/CA) and devices

• Other:

• OMA-DM compliant

Page 23: Microsoft System Center Mobile Device Manager 2008

Required:

Windows Server 2003 SP2 64 bit

SQL Server 2005

Active Directory

Microsoft CA

Group Policy

Not Required:

Exchange Server (any version)

Systems Management Server

Systems Center

ISA Server*

Page 24: Microsoft System Center Mobile Device Manager 2008

Enable “Front Door” and continue to support “Back Door” entries into the enterprise

400M+ mobile workers in the world! (these are also consumers)

Devices will still be used for business scenarios regardless of how they were purchased

Back Door devices should be allowed to participate in business scenarios and IT management

Page 25: Microsoft System Center Mobile Device Manager 2008

Question:

How can we set up, configure and control what the user can/can’t do on a Windows Mobile device?

Page 26: Microsoft System Center Mobile Device Manager 2008

Increased control over the applications installed on mobile devices

Set a certain set of LOB applications as the only applications allowed on the device

Block certain applications on the device

Provides increased flexibility

OTA provisioning ensures optimal experience with LOB application

Device settings can be optimized for the LOB application during OTA provisioning

LOB applications can be installed on device during first provisioning

Flexible LOB application distribution and deployment

LOB applications can be distributed to mobile devices through WSUS 3.0

Applications can be updated OTA via WSUS 3.0

Maintain inventory and reporting on LOB applications

Inventory capabilities report LOB applications installed on each device, ensuring consistency in availability and deployment

OMA DM compliance

Standards-based OMA DM architecture provides flexibility for LOB applications

Page 27: Microsoft System Center Mobile Device Manager 2008

Question:

We want to be able to secure the data and the devices – how can we do this?

Page 28: Microsoft System Center Mobile Device Manager 2008

Securing the Data

• Mobile Device Manager extends Active Directory®/Group Policy to Windows Mobile

• Over 130 configuration policies and settings for Windows Mobile can now be managed through Group Policy, including control of Bluetooth, Wi-Fi, SMS/MMS, IR, camera, and POP/IMAP

• Administrator can now select to encrypt both the SD card and the internal memory of the device

• Microsoft® SQL Server™ compact edition configurations

Page 29: Microsoft System Center Mobile Device Manager 2008

Fully relational DB in 2-3MB footprint

Powerful data synchronization technology

Remote data access

Merge replication

Tight integration

Microsoft® Visual Studio® .NET 2005

SQL Server 2005

Database encryption and replication over SSL

Support across Windows Mobile platforms

Page 30: Microsoft System Center Mobile Device Manager 2008

Question:

How can we keep these devices up-to-date?

Page 31: Microsoft System Center Mobile Device Manager 2008

Maintaining Devices

In the past, updating applications was a manual process

Now we can push updates and software in much the same way that Windows administrators push software using Group Policies for Microsoft® Windows® XP and Microsoft® Windows Vista® computers

Page 32: Microsoft System Center Mobile Device Manager 2008

Question:

We would like to provide secure access to our intranet and other services – how can we do this?

Page 33: Microsoft System Center Mobile Device Manager 2008

Goal: Secure remote mobile access into corporate networks

Legacy solutions are inadequate

Options and their limitations:

Option: SSL VPN

Security: SSL termination in DMZ breaks the end-to-end security

Efficiency: The TCP flow control is not optimized to mobile networks

Option: Direct Web connection to intranet

Security: No pre-authentication - direct access to corporate network

Efficiency: No connection aggregation (per application keep-alive)

Option: IP VPN (L2TP, IPSec/IKEv1)

Security: Pre-authentication in DMZ; unrestricted access to corporate network

Resiliency: Fails on change of IP address and needs to be reconnected; failure is visible to applications

Efficiency: L2TP establishment is slow and consumes more bandwidth

Simplicity: Require RADIUS deployment

Page 34: Microsoft System Center Mobile Device Manager 2008

Security

Standard IPSec tunnel mode (with device authentication)

DMZ pre-authentication to meet enterprise standards

Supports e2e native corporate security

Efficiency

Extensibility

Transparent to client applications and LOB services

Resiliency

Resilient to short disconnects and IP address changes

Seamless network transition (WIFI<->WWAN)

Simplicity

Minimum user configuration

Transparent to user and to applications

Page 35: Microsoft System Center Mobile Device Manager 2008

Security Management

Device Management

Partners can set up and support their customers in managing the customers’ devices directly

Partners can benefit from a new services revenue stream by providing SCMDM deployment and integration

Authenticated Network Access

Partners can offer and deploy a single security and management platform with value-added services around WM

Partners have security-enhanced access into the customer’s environment and ability to replicate sensitive information on accessible extranet

Partners can provide infrastructure attach services and solutions, including Windows Server®, Exchange Server, SQL Server, and Office Communications Server

Partners can effectively deliver and manage LOB applications throughout the lifecycle of the mobile solution.

Partner Value Props

Vision: Help partners build out their mobility practices and create additional business benefits with SCMDM & their value-add services

Page 36: Microsoft System Center Mobile Device Manager 2008

Unleashed sales force on mobility!

• New sales of products and services

• New service revenue

• Sold as a Server/CAL model through Microsoft Volume Licensing

Solve customer issues!

• Removes dependency on customer deployments of specific versions of Exchange Server for device management

• Building and deploying new System Center Mobile Device Manager 2008 installations

Deeper penetration and recurring revenue

• Delivering and managing Line of Business (LOB) applications for mobile workers

• Enhancing System Center Mobile Device Manager-based mobile infrastructure with Windows Server, Exchange Server, SQL Server, and Office Communications Server

• Ease of deployment empowers IT to roll device out at large scale

Page 37: Microsoft System Center Mobile Device Manager 2008

Current customers with the following technology:

Exchange Server 2003–2007

SharePoint Server

Small Business Server

Microsoft CRM

Customers with:

Mobile workers

Service industries

Please refer to on-demand Webcast on these specific opportunities

Page 38: Microsoft System Center Mobile Device Manager 2008

[Diagram labels: Security Management, Device Management, MobileVPN; SCCM, SCMDM; Std CAL, Ent CAL; System Center Configuration Manager, System Center Mobile Device Manager, Exchange; Mobile Scenarios]

Page 39: Microsoft System Center Mobile Device Manager 2008

Sold as Server/CAL model

• Typical deployment 2-3 servers (gateway, DM, enrollment)

• CALs offered per-user or per-device

• Windows Server licenses and CALs required for OS

• Pricing TBD

Integration with Microsoft Volume Licensing

• Available in all VL programs worldwide—EA, Select, Open, Open Value, Academic

• Standalone only with potential future integration with Enterprise CAL Suite or other packaged offers

Projected Availability Spring 2008

• Price list and Volume Licensing projected availability Spring 2008

• Sim-ship all languages

Page 40: Microsoft System Center Mobile Device Manager 2008

1. Where can I get more information?

2. How do I sell Mobile Device Manager?

3. What is the key resource for Windows Mobile products for partners?

4. What training is available?

5. Who is the best customer for this product?

6. How do I get on the Beta? (at Connect.microsoft.com)

Page 41: Microsoft System Center Mobile Device Manager 2008
Page 42: Microsoft System Center Mobile Device Manager 2008

https://partner.microsoft.com/US/program/competencies/mobilitysolutions

As a Mobility Solutions partner you will get news and announcements on:

Upcoming training

Schedule of related events

Product announcements

Partner marketing tools

And as a Mobility Solutions partner you get software for internal use!

Page 44: Microsoft System Center Mobile Device Manager 2008

Business Value for Partners Webcast (February 25, 2008 8:00 AM PT)

https://training.partner.microsoft.com/plc/details.aspx?systemid=1787852&page=/plc/search_adv.aspx

Selling MDM and Related Products/Services Webcast (February 26, 2008 8:00 AM PT)

https://training.partner.microsoft.com/plc/details.aspx?systemid=1787853&page=/plc/search_adv.aspx

Licensing Programs Webcast (February 27, 2008 8:00 AM PT)

https://training.partner.microsoft.com/plc/details.aspx?systemid=1787878&page=/plc/search_adv.aspx

Technical Review of MDM Webcast (February 28, 2008 8:00 AM PT)

https://training.partner.microsoft.com/plc/details.aspx?systemid=1787877&page=/plc/search_adv.aspx

Overview for Mobile Operators Webcast (February 29, 2008 8:00 AM PT)

https://training.partner.microsoft.com/plc/details.aspx?systemid=1787880&page=/plc/search_adv.aspx

Microsoft System Center Mobile Device Manager 2008 Online tutorial:

https://training.partner.microsoft.com/plc/details.aspx?systemid=1746109&page=/plc/search_adv.aspx

Page 45: Microsoft System Center Mobile Device Manager 2008

General

http://www.microsoft.com/windowsmobile/default.mspx

http://www.microsoft.com/windowsmobile/mobileoperators/default.mspx

http://www.microsoft.com/systemcenter/mobile/default.mspx

Mobility Solutions Competency https://partner.microsoft.com/global/program/competencies/40019126

Partner Marketing Center https://partner.microsoft.com/global/salesmarketingsection/smcampaigns

Resources by Customer and Marketing Segment

Small Business Mobility Solutions https://partner.microsoft.com/program/competencies/40031816

Midsize Mobility Solutions https://partner.microsoft.com/program/competencies/40029383

Line-of-Business Mobility Solutions https://partner.microsoft.com/program/competencies/40037304

Windows Mobile Direct Sales Resource Center http://windowsmobilesales.com

Windows Mobile Business Value Calculator http://www.microsoft.com/windowsmobile/business/calculator/default.mspx

Page 46: Microsoft System Center Mobile Device Manager 2008

Business Portal http://www.microsoft.com/windowsmobile/business/default.mspx

Partner Directory http://www.microsoft.com/windowsmobile/providers/mpdsearch.aspx

Training https://partner.microsoft.com/US/program/competencies/mobilitysolutions/40029316

http://www.msreadiness.com/competency.aspx?cid=590

http://windowsmobiletraning.com

Case Studies

http://www.microsoft.com/windowsmobile/business/success/default.mspx

http://www.microsoft.com/resources/casestudies/

White Papers

http://www.microsoft.com/windowsmobile/business/strategy/default.mspx

Technical Support

http://technet.microsoft.com/default.aspx

http://msdn.microsoft.com/mobile/security (mobile security)

http://supportcenter.windowsmobiletraining.com (device troubleshooting)

Page 47: Microsoft System Center Mobile Device Manager 2008

Use Windows Mobile devices

Check out the resources (previous slides)

Identify the low-hanging fruit

Organizations with Exchange Server 2003

Companies looking to “go beyond e-mail”

Watch for the Windows Mobile Security and Device Management Webcast Series

Page 48: Microsoft System Center Mobile Device Manager 2008
Page 49: Microsoft System Center Mobile Device Manager 2008

© 2008 Microsoft Corporation. All rights reserved. This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.