System Center Mobile Device Manager

Micr rosoft® Syste Ce em enter M Mobile Devic Manager 2008 e ce n A Tech hnical White Paper Table of Contents f s Abstract Section 1 Introductio to System Center Mob Device M 1: on m bile Manager Securit Mangemen ty nt Device Managemen nt Mobile VPN Section 2 Solutions to IT’s Mobile Challenges 2: t s Device Managemen with Mobile Device Mana nt ager ty ent nager Securit Manageme with Mobile Device Man Mobile VPN with Mo obile Device M Manager Adm ministrators 3  3  3 4  4  4  4  5  6  Section 3 System Ce 3: enter Mobile Device Mana ager—A Com mprehensive Mobile Device Managem e i ment Solution 7  High Scalability and Availability 7  Reduce Pressure on IT Helpdes ed o sk 7  Greater Control of Mobile Device M es 7  Easier Deployment With Other M W Microsoft Products 8  Section 4 Conclusion 4: 8  2 Abstrac ct This whit paper provides an ove te erview of Microsoft® System Center Mobile Dev r vice Manage er 2008, an end-to-end solution for provisionin securing and managing Windows Mobile dev r ng, s vices in a corporate netwo The pape addresses the key mo ork. er s obile device c challenges fa aced by IT y—including management, control, m maintenance device security, and e, administrators today —and discusses how Sys stem Center Mobile Devi Manager helps IT administrators ice r s support— address t these issues. The paper a . also provide an overvie of the lon es ew ng-term benefits of this e endto-end m mobile device manageme enterpris solution. e ent se Section 1: Introdu uction to Sy ystem Cent Mobile Device Ma ter e anager Today IT teams have to manage an ever-exp panding fleet of mobile d t devices and ensure that every dev vice is autho orized, has se ecure access and adequa permissions on the n s ate network, and d does not compromis the securit of corpora data. Sim t se ty ate multaneously IT professi y, ionals also h have to mainta a balance between e ain e enforcing cor rporate polic on devic and allow cies ces wing end users a certain degree of con ntrol over their personal devices. In order to add dress these c challenges, IT T teams ha to depen on multip proprietary solutions to manage and secure m ave nd ple mobile devic ces within a c corporate ne etwork. This tends to inc crease costs of purchasin and maintaining mult ng tiple solutions In addition the IT supp s. n, port teams h have to spen more time familiarizin themselve nd e ng es with prop prietary third d-party solut tions. What IT p professionals need is a f flexible, end-to-end solution that helps them to ease the pro ocess of securin and managing device within a c ng es corporate ne etwork, while providing a more secur e re, single-po access fo line-of-bu oint or usiness (LOB application and corpo B) ns orate data. System C Center Mobil Device Ma le anager is a c comprehensi reliable, and low-cos managem ive, st ment solution t that can be easily deployed into an enterprise’s existing Mic crosoft infras structure. Designed to address the three co requirem d ore ments of IT p professionals s—security, d device managem ment, and Mobile VPN— M —Mobile Dev vice Manage is a solutio that helps administrat er on s tors to efficiently address the growing need for g s g greater secur and man rity nageability o Windows of devices within a network k. Mobile d ® Security Manageme ent System C Center Mobil Device Ma le anager provides a securi managem ity ment platform for Windo m ows Mobile p phones with over 130 po olicies and se ettings and b built-in mech hanisms that help prevent t the misuse of corpor rate data. Ad dministrators can lock do s own many ar reas of the W Windows Mo obile smartpho ones, includi certain communicati ing ions and dev vice function nality, while e exercising significan control ov the softw nt ver ware to be installed on devices. Syste Center M em Mobile Device 3 Manager can also be used to ma r e anage securit on all the Windows M ty Mobile device across the es e enterpris network. se Device M Managemen nt Mobile D Device Manager is a simp and comprehensive s ple solution for distributing software to Windows Mobile dev s vices and ma aintaining an inventory o devices in a complex o n of organization nal environm ment. Mobile Device Man e nager enable cost-effec es ctive device enrollment t through ove erthe-air (O OTA) provisio oning and bootstrapping and helps administrato streamlin device g ors ne managem ment through role–based administra d ation, MMC snap-ins, and Microsoft Windows PowerShell™ cmdlets s. Compreh hensive repo orting tools w within Mobile Device Ma anager provi IT profes ide ssionals with improved visibility of devices and helps redu the cost and complex of mana d f d uce xity aging device es within a c corporate ne etwork. Mobile V VPN Mobile D Device Manager is design to facilit ned tate a seamle user exp ess perience acro cellular o oss or Wi-Fi dat connectio The solution provide a single point for secu ta ons. es urity–enhanc ced, behind-thefirewall a access to cor rporate data and LOB ap pplications. W Mobile Device Man With nager, administrators can fa acilitate secu urity over public wireless networks th hrough a Mo obile VPN lin nk. s evice and cor rporate serv vers The VPN link secures wireless communications between a mobile de rypted tunne This doub el. ble-barreled combination of VPN aut n thentication and through an SSL–encr yption lends a definite e s edge over other systems that genera use a single security ally SSL encry barrier. W features such as fas reconnect and session persistence Mobile VPN also helps With s st e, N s maximize user produ e uctivity. Section 2: Solution to IT’s M ns Mobile Cha allenges This section of the white paper u underlines th benefits o System Ce he of enter Mobile Device Man nager nting real-lif scenarios pertaining to device ma fe anagement, s security man nagement, and by presen Mobile V VPN. Device M Managemen with Mob Device M nt bile Manager IT administrators in an enterprise network of a e ften have to rely on mult tiple management solutions to config gure, manage track, and target mobile devices in a corporat network. S e, n te System Center Mobile D Device Manager allows administrator to address device man rs s nagement needs throug a gh single, ea asy-to-use package. This reduces the cost of pur p s e rchasing and maintaining a propriet d tary solution as well as th time spent in familiarizing themse he elves with it. 4 • Seamless ove er-the-air d device enrollment. Due to the sheer number of devices that r t co onnect to th corporate network, en he nsuring quick and easy d k device enrollment is a ch hallenge. A simple, ones -time device enrollment wizard resul in fewer u lts user-related lo ogin issues, reducing the pressure on the IT help r e n pdesk. Since Mobile Device Manager r le everages Act tive Directory and certif y ficate service device enrollment and configurat es, d tion ® is now simple and more convenient. s er • Ef fficient soft tware distribution. Inst talling applic cations on ea and ever mobile de ach ry evice is a potentiall time-cons s ly suming task. Moreover, w while the device is being provisioned g d, th device ow he wner experie ences a perio of unprod od ductive down ntime. Mobile Device Manager dist M tributes softw ware and sen updates OTA, makin the task o software nds s ng of distribution to multiple W o Windows Mo obile phones significantly easier, alon with a y ng re eduction in device down d ntime. • Simplified tr racking thro ough rich in nventory and reporting After configuration and d g. d in nstallation, IT administrators have to monitor eve device th connects to the T o ery hat s co orporate net twork. System Center Mobile Device Manager has rich inven e ntory and re eporting cap pabilities that provides detailed repo orting of dev vice hardware and installed so oftware. Along with a Microsoft SQL Server™–bas infrastru L sed ucture, admin nistrators are able to easily keep a track of devices within the e k enterprise ne etwork. • Delegation of tasks thro D o ough role–b based admin nistration. K Keeping track of existing g devices in the corporate n e network as w as continually deplo well oying new on is a time nes eonsuming ta The role–based adm ask. ministration c capability wit thin Mobile Device Manager co le administr ets rators delega tasks on the basis of functions, s ate f simplify the t tracking and d deployment of devices, and focus on manageme inventory and reporting. o ent, y, Additionally, the Mobile D A Device Mana ager Self-He portal allo IT administrators gr elp ows rant users access to basic device managem t ment functio including device wip and creating ons g pe new enrollme records, reducing use reliance on the IT he ent ers’ elpdesk. Security Manageme with Mo ent obile Device Manager e obile devices can potentially hold confidential co s orporate and personal data, the loss or d Since mo theft of these devices poses a sig gnificant security risk for an organiza r ation. Ensuring that ever ry rom misuse is a challeng Mobile D ge. Device Manag diminish the risk o a ger hes of phone is protected fr breach by pr roviding mec chanisms that help prov vide security to sensitive data. security b • Anti-theft mechanisms. When devic are lost o stolen, IT administrato must pre A m ces or ors event th confident corporate data conta he tial e ained in thes devices fro falling in the wron se om nto ng hands. Mobile Device Ma e anager mitigates security risks through on-devic file encryp y ce ption of sensitive co orporate info ormation. W When a device is lost or stolen, Mobil Device le 5 Manager allows administrators to exe M ecute a remo device w ote wipe when th device is he online and co onnected to the VPN, pre eventing the misuse of c e critical data. • Granular dev G vice control. In certain s situations such as in testing labs or m manufacturin ng units, compan need to ensure that employees cannot reco or transm confidential nies o t ord mit in nformation. In such insta I ances, IT nee the flexib eds bility to disallow communication ca apabilities on select mob devices. Mobile Dev bile vice Manager’s robust se ecurity management platform allows administrators to lo down se m t ock everal areas o a Window of ws Mobile device including c M e communicat tions, or even device fun n nctionalities l like Bluetoot th, SMS/MMS, WLAN, POP/IMAP, and eW -mail. • Application-level contro Device ow A ol. wners often install unaut thorized app plications tha at co ould potenti ially lead to device error and increa the work rs ase kload of the I support st IT taff. With W Mobile Device Mana ager, administrators hav significant control ove Windows ve t er Mobile device within an enterprise b providing administrat M es by tors with acc cess to over 125 policies and settings. The policies e s ese enable Windows Mobile devices to b listed and be d managed, allo m owing contro over many of the app ol y plications tha users migh install on their at ht devices. Mobile V VPN with Mobile Devic Manager M ce Administ trators need to be certain that mobil devices co le onnect to the corporate network ove a e er secure co onnection. With the help of Mobile V W p VPN, Mobile Device Man e nager ensure that Wind es dows Mobile d device users access their corporate network (via a network se ervice provid or an der external W Wi-Fi connection) through an encrypted link. As a result, Wi s indows Mob device us bile sers gain secu urity–enhanc ced, behind-the-firewall access to co orporate data and LOB a applications for Windows Mobile dev s vices. • Secure data access. Adm ministrators a challenge with mak are ed king sure tha communat ic cations betw ween an authenticated m mobile device and the corporate intra e anet are secu ure. With W Mobile Device Mana ager, IT adm ministrators c use “dou can uble envelop security”— pe —a process in wh hich data is p protected by traveling th y hrough an IP PSec–authenticated, SSL– – encrypted tun nnel. • OB-authent ticated acce Mobile d ess. device users are often re equired to ac ccess an LO organization’s LOB applic cation server Since rem rs. mote access p process invo olves data ransfer over a potentially insecure co y onnection, IT must to en T nsure that co ommunicatio is on tr authenticated With Mobile Device M d. Manager, adm ministrators c allow or deny a secu can r ure network access connectio between a Windows M on Mobile–pow wered device and an e cation server rs. organization’s LOB applic 6 • Session persistence and fast reconn d nect. Device users can a e access their m mailboxes or LOB r applications while mobile however, t w e; they might n be “alway on”, as po Wi-Fi not ys oor co onnectivity or a weak ne o etwork provider signal m cause the link to be t may terminated. This in nterruption in connectivi can result in loss of d ity ts data and wa asted user ef ffort. The ses ssion persistence and fast reconnect featur in Mobile Device Man re nager allows users to econnect to the corporate intranet w without re-au uthenticating or losing s g session histo ory, re re esulting in an increasingly seamless and trouble-free user ex xperience. Section 3: System Center Mo obile Devic Manage ce er—A Comp prehensive Mobile e Manageme Solutio ent on Device M Mobile D Device Manager is design to be a reliable, end ned d-to-end solu ution that ca easily scale to an manage the needs of an enterprise’s growing mobile wo f g orkforce. Not only is it ea to deploy in t asy ng astructure, bu as an organization grows and its mobile ut an existin Windows Server infra computin needs mu ng ultiply, Mobi Device Manager has t capacity to scale acc ile the y cordingly. Th his section o the white paper exami of p ines the scalable architecture of Mobile Device M Manager and d provides details of th Microsoft products an technolog it supports. he nd gy High Sca alability and Availabilit d ty The Mob Device Manager arch bile M hitecture is d designed to support diffe erent server configuratio ons, dependin on the or ng rganization’s requiremen Mobile D s nts. Device Mana ager servers allow for flexible implementation options, where s server config gurations can be planned to cater to small corpo n d o orate c ns ad-balanced scenarios. d network integrated configuration as well as complex loa d o esk Reduced Pressure on IT Helpde Transparent processe such as de es evice enrollm ment, session persistence, fast recon nnect, and a nable Windo Mobile S ows Smartphone users to self f-manage m many facets o of “Self-Help” portal, en vices, resultin in lesser d ng dependency on IT suppo This frees up valuable hours for t ort. the their dev helpdesk team, enab k bling to beco ome more re esponsive and efficient w while resolvin user issue ng es. Greater C Control of Mobile Devices M Mobile D Device Manager allows fo an unprec or cedented de egree of cont over mo trol obile devices and s their usag through comprehens ge sive security management policies, a granular targeting o and r of groups o users and/ devices to define and enforce IT security and manageme policies. of /or d d ent Through Active Direc ctory integra ation, it allow for the mo ws obile device to be mana aged as a firs st zen. class citiz 7 Easier De eployment With Other Microsoft Products r System C Center Mobil Device Ma le anager is designed to su upport existing IT infrastructure in a corporate network, enabling an e e e easier deployment. Mob Device M bile Manager leve erages Windows Software Update Services (WSUS 3.0 with Se S) ervice Pack 1 to allow ap pplications to be distribu o uted to manag devices. If it is not p ged present on th server, the service is in he e nstalled on t server when the Mobile D Device Manager is deploy yed. Mobile Device Man nager leverag existing Microsoft proges ducts and services lik Active Dir d ke rectory, Certificate Autho orities, SQL S Server, Intern Informat net tion Services (IIS) 6.0, and Microsoft .N Framew d NET work version 2.0 to provide IT administrators an deploy mana agement solution. In add dition, Mobile Device Manager must be installed on t d easy-to-d servers ru unning Wind dows Server 2003 SP2 64 4-bit edition Because o Mobile De ns. of evice Manag ger’s extensible platform, IT profession are able to include s I nals e support for a operatin system any ng feature o application through ad or n dministrative (ADM) tem e mplates and t Registry Configuratio the on Service P Provider (CSP P). In case of LOB applic cation server Mobile De rs, evice Manag enables W ger Windows Mo obile devices to s securely access mailb boxes residin on Micros ng soft Exchang Servers an custom w ge nd web–based hosted on ap pplication se ervers. services h Section 4: Conclus sion System C Center Mobil Device Ma le anager 2008 is a compre 8 ehensive serv solution for the ver managem ment of Windows Mobile phones. It empowers I profession to provide a highly e IT nals secure da and netw ata work access f their mobile workfor while ret for rce, taining a hig degree co gh ontrol over their mobile dev vice usage. M Mobile Devic Manager is easy to de ce eploy, integr rate, and maintain with existing IT infrastru ucture and is highly scalable for effic s cient mobile device e ment and pro ovisioning. I summary, it is the sing point of managemen for Windo In gle nt ows managem Mobile d devices in the enterprise. e 8