System Center Mobile Device Manager
Microsoft System Center Mobile Device Manager 2008
Management
Security
Mobile VPN
Active Directory® and Group Policy
Utilize an enterprise’s current Active Directory® structure to deploy and manage Windows Mobile devices with:
• Over 125 policies, including specific security policies for device management, encryption, and remote device wipe
• Custom policies that can be created using Active Directory Management Templates
Full OTA Provisioning
To enroll their devices, users simply need to:
• Access the company’s portal for self-service enrollment
• Enter their e-mail address
• Enter a one-time PIN code for enrollment
Software distribution capabilities
• Target users in specific Active Directory groups
• Configure mobile applications such that users cannot uninstall them
• Eliminate the need to distribute CAB files via Flash drives
• Access powerful reporting systems for reviewing software distribution across a mobile device workforce
Rich inventory and reporting
Manage and view all Windows Mobile devices via a single, convenient interface. With this, IT Pros can now:
• View a broad range of device characteristics like device settings, certificates installed, software installed, etc.
• Reduce the learning curve, since it is based on the familiar Microsoft Management Console (MMC)
Hardware driver lock-down capability
Administrators can remotely access Windows Mobile devices using Mobile Device Manager to:
• Disable specific hardware functionality, such as the camera or Bluetooth connectivity
• Remotely wipe security-compromised devices
Mobile VPN
• Single point of access to the corporate network
• Always-on, security-enhanced wireless communication
• Behind-the-firewall access to business applications
MDM Deployment Topology
[Diagram: MDM deployment topology. Zones: Internet, DMZ and Corporate Intranet, separated by a front firewall and a back firewall. DMZ: Mobile Gateway (Mobile VPN). Intranet: Enrollment Service, Self Help Site, OMA Proxy, Mobile Server back-end, Console, read-only AD, CA, LHSNAP System, E-mail and LOB servers. Links shown: initial OTA device enrollment (SSL auth with PIN + corporate root), SSL machine mutual auth through the gateway, SSL user-mutual auth or similar to the e-mail and LOB servers; a smartcard is shown on the device side.]
Server Architecture
MDM introduces three new server roles:
• Enrollment Server
  • Proxies requests to enroll devices
• Mobile VPN Server
  • Typically located in the network perimeter
  • Entry point to the corporate network
  • Forwards network and device management communications between a corporate network and its devices
• Device Management Server
  • Based on OMA DM standards
Architecture Principles
• Security first
• Large scale distributed solution
• Transparent compatibility
• Extensibility & future proofing
The Enrollment Server
[Diagram: the deployment topology again (Internet / DMZ / Corporate Intranet with front and back firewalls, Mobile Gateway Server in the DMZ; Enrollment Service, Self Help Site, Device Management Server, WSUS Catalog, Console, Mobile Server back-end, read-only AD, CA, E-mail and LOB servers on the intranet), highlighting the Enrollment Service and the initial OTA device enrollment link (SSL auth with PIN + corporate root).]
Enrollment Server
• Location:
  • Intranet based (domain joined server/service)
• Purpose:
  • Manage the process flow of enrollment
  • Create domain objects
  • Create certificates
  • Supply provisioning instructions
• Other:
  • Best practice: protected by a Proxy (e.g. ISA)
  • Can co-exist on DM Server in an integrated implementation
The Enrollment Process
[Diagram: the enrollment process. Steps shown between the device, Public DNS, Active Directory and the Certification Authority: Discovery (via Public DNS); Negotiate SSL Root; Create Acct. (in Active Directory); Submit Cert Request; Issue Cert; Receive Cert.]
Security Features
• Private key and Enrollment Password never transmitted over the air
• All traffic between client and server uses SSL
• SSL negotiation does not require a public root cert (e.g. VeriSign etc.)
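As an added illustration, not the product's own enrollment protocol, this Python model shows how the three properties above fit together for the e-mail + one-time-PIN enrollment described earlier: the PIN keys an HMAC over the request instead of being sent, the key pair is generated on the device and only the public half leaves it, and the server enforces single use and expiry before creating the domain object and issuing a certificate. The hashed "public key", the HMAC "certificate" and the 600-second PIN lifetime are assumptions standing in for a real key pair and CA.

```python
"""Model of one-time-PIN device enrollment (illustrative, not MDM's real
protocol): PIN never transmitted, private key never leaves the device,
PIN is single-use and expires."""
import hashlib
import hmac
import secrets

PIN_TTL_SECONDS = 600  # assumed lifetime of an unused enrollment PIN


class Device:
    def __init__(self):
        # Stand-ins for a real key pair: the private key never leaves the device.
        self.private_key = secrets.token_bytes(32)
        self.pubkey = hashlib.sha256(b"pub:" + self.private_key).digest()

    def enrollment_request(self, email, pin):
        # The PIN authenticates the request as an HMAC key; it is not sent.
        tag = hmac.new(pin.encode(), email.encode() + self.pubkey, hashlib.sha256).digest()
        return {"email": email, "pubkey": self.pubkey, "tag": tag}


class EnrollmentServer:
    def __init__(self):
        self.pins = {}            # email -> (pin, expiry time)
        self.domain_objects = {}  # device_id -> email, created on success
        self.ca_key = secrets.token_bytes(32)  # stand-in for the enterprise CA

    def issue_pin(self, email, now):
        pin = "".join(secrets.choice("0123456789") for _ in range(8))
        self.pins[email] = (pin, now + PIN_TTL_SECONDS)
        return pin  # handed to the user out of band, not over the air

    def enroll(self, request, now):
        email, pubkey, tag = request["email"], request["pubkey"], request["tag"]
        entry = self.pins.pop(email, None)  # single use: any attempt consumes the PIN
        if entry is None:
            return None
        pin, expiry = entry
        if now > expiry:
            return None  # expired PIN
        expected = hmac.new(pin.encode(), email.encode() + pubkey, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None  # wrong PIN or tampered request
        device_id = hashlib.sha256(pubkey).hexdigest()[:16]
        self.domain_objects[device_id] = email  # "create domain object"
        cert = hmac.new(self.ca_key, device_id.encode() + pubkey, hashlib.sha256).hexdigest()
        return {"device_id": device_id, "cert": cert, "provisioning": ["policy", "vpn"]}
```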
Secure Network Access
• Mobile VPN for both client and server
• Standards based:
  • IPSec Tunnel Mode
  • MobIKE
  • IKEv2
• Enables access to corporate resources:
  • LOB
  • Internet proxy servers
The Mobile VPN
[Diagram: the deployment topology again (Internet / DMZ / Corporate Intranet with front and back firewalls; Enrollment Service, Self Help Site, Device Management Server, WSUS Catalog, Console, Mobile Server back-end, read-only AD, CA, E-mail and LOB servers on the intranet), highlighting the Mobile Gateway Server (Mobile VPN) in the DMZ and the SSL machine mutual auth and SSL user-mutual auth links through it.]
Mobile VPN Server
• Location:
  • Corporate DMZ (non-domain joined)
• Purpose:
  • Authenticates incoming connections for authorized devices
  • Assigns a stable internal IP address for the device
  • Enables fast resume/reconnect features for devices and applications
  • Negotiates keys to encrypt traffic over the internet
• Other:
  • IPSEC termination point
  • Managed remotely
VPN Scenario: LOB Application
[Diagram: device connects through the Mobile VPN gateway, between two firewalls (FW), to LOB1 directly and to LOB2 via a Proxy (ISA).]
• Double envelope security
• User Authentications:
  1) Certificate
  2) NTLM v2
  3) Basic
• Kerberos delegation
Mobile VPN Performance
Technical features
• IPSec Tunnel Mode: aggregate all traffic through a single tunnel with a single NAT/Firewall Keep-Alive
• IKEv2: IETF standard that includes address assignment (unlike IKEv1)
• MobIKE (Mobile IKE): IETF standard for transparent auto recovery of IPSec tunnels without re-negotiation of SAs
Implications
• Extremely efficient, agile and self-healing connectivity solution
Security
• Double envelope security
  • VPN technology allows nested secure connections
  • Outer layer – IPSec, IKEv2 tunnel from device to GW
  • Inner layer – E-2-E Client-Server mechanisms (SSL, IPSec transport, etc.)
• Defense in depth
  • DMZ pre-auth based on device identity and health (not user)
  • End-to-End auth to corporate servers
  • “Four factor” (2x2) authentication
  • Back-end firewall filtering
  • DMZ GW is not a vulnerability point
Device Management
• Security management
  • Enrollment
  • AD domain join
  • Wipe
• Policy enforcement
• Service enablement/disablement
• Application deny/allow
• Software distribution
• Inventory and reporting
Device Management Server
[Diagram: the deployment topology again (Internet / DMZ / Corporate Intranet with front and back firewalls, Mobile Gateway Server in the DMZ; Enrollment Service, Self Help Site, WSUS Catalog, Console, Mobile Server back-end, read-only AD, CA, E-mail and LOB servers on the intranet), highlighting the Device Management Server.]
Device Management Server
• Location:
  • Intranet based (domain joined server/service)
• Purpose:
  • Primary administration and management service for all managed devices
  • Functional hub for device Group Policy application, device software packages, and device data wipes
  • Communicates with existing infrastructure servers, such as domain controllers, CA
  • Proxies information and commands between core Windows Servers (AD/CA) and devices
• Other:
  • OMA-DM compliant
Bringing it all together
[Diagram: end-to-end view. A device on the WWAN reaches the Internet, passes NAT and the first firewall (FW) into the DMZ, where the Mobile VPN terminates, then the second firewall into the Corpnet, which hosts the Enrollment Server, DM Server and Policy Information.]
Required:
• Windows Server 2003 SP2 64 bit
• SQL Server 2005
• Active Directory
• Microsoft CA
• Group Policy
Not Required:
• Exchange Server (any version)
• Systems Management Server
• Systems Center
• ISA Server*
Which Solution Fits My Needs?
[Table: rows Exchange Std CAL, Exchange Ent CAL, System Center Configuration Manager (SCCM), System Center Mobile Device Manager (SCMDM); columns Security Management, Device Management, Mobile VPN. The per-cell values are not recoverable from the transcript.]
Mobile Scenarios
Customer Scenarios: Who needs Mobile Device Manager?
Secure Mobile Messaging Only
Mobile messaging with high security due to regulatory compliance requirements or internal security policies
Key Messages:
• Security management without Exchange Enterprise CAL
• Integration with AD/GP
• Inventory and reporting
LOB Only
Rich LOB applications for task workers using ruggedized handhelds with no requirement for mobile messaging
Key Messages:
• Mobile VPN
• Over-the-air (OTA) app distribution
• Rich inventory and reporting
• App allow/deny
LOB + Messaging
Rich or lightweight LOB applications. Could also include high security requirements for mobile messaging
Key Messages:
• Mobile VPN
• Advanced device management features
• Security management
Mobile Messaging Only
Mobile messaging and PIM with lowest TCO and baseline security and manageability
Key Message:
• Exchange Standard CAL makes broad deployment straightforward and affordable
• Exchange Enterprise CAL adds server-side anti-virus and anti-spam + new management in Exchange Server 2007 SP1
© 2007 Microsoft Corporation. All rights reserved.This presentation is for informational purposes only. Microsoft makes no warranties, express or implied, in this summary.