Until recently, Windows Mobile devices lacked the native management and security capabilities long associated with BlackBerrys. Many third-party device management and security solutions were (and still are) available for Windows Mobile. However, Windows Mobile simply did not have BlackBerry's "protected-out-of-the-box" appeal. With System Center Mobile Device Manager, Microsoft has moved to fill this gap.
Work in progress
Today's Windows Mobile 6 devices are descended from many generations of Windows CE PDAs and Pocket PCs. Those older mobile operating systems were certainly not devoid of native security capabilities. They were simply incomplete and hard to manage.
For example, Windows Mobile 2003 Pocket PCs included PPTP and IPsec VPN clients, but they were not enabled by default. Moreover, those clients could not be configured by IT over the air without jumping through extra hoops (e.g., syncing XML provisioning documents or using a third-party mobile device manager). Any data received by those devices was stored unencrypted -- unless a third-party crypto product was added.
In short, enterprises that needed to centrally manage and secure Windows Mobile devices had to assemble the piece parts and fill in critical gaps.
A new generation
Starting with Windows Mobile 6.1, Microsoft-based smartphones and PDAs have an alternative: Microsoft's System Center Mobile Device Manager (SCMDM) 2008. All WM 6.1 devices are inherently capable of being managed by an enterprise SCMDM server. Depending upon your needs and configuration, that server can provide fully automated over-the-air device provisioning, software installation, policy enforcement, and monitoring/reporting.
To enroll with SCMDM, a WM 6.1 user just enters his or her enterprise email address and an administrator-supplied one-time PIN. The WM 6.1 device uses SSL to connect to an SCMDM gateway server (i.e., a 64-bit Windows Server 2003 machine reachable from the Internet, placed outside the enterprise's trusted intranet).
That gateway authenticates the user and completes enrollment by interacting with a device management server (i.e., another 64-bit Windows Server 2003 machine, located inside the intranet, with access to Active Directory). These SCMDM server functions can be further distributed -- for example, delegating persistent storage to a separate SQL Server, or using a separate Microsoft CA to issue device certificates.
Once a WM 6.1 device has been enrolled and bootstrapped, all further communication between the PDA/smartphone and gateway is protected by an auto-configured IPsec "mobile VPN" tunnel. SCMDM can provision Windows Mobile devices by using Windows Server Update Services (WSUS) 3.0 to push application packages over the air. SCMDM also installs and enforces IT-defined Active Directory Group Policies -- to deny use of selected network interfaces and applications, for example, or to encrypt specified files or folders.
Thereafter, each managed Windows Mobile device can be centrally monitored and updated through SCMDM. New software can be pushed through WSUS. Device hardware and software can be periodically inventoried. If a managed Windows Mobile device is ever lost or stolen, SCMDM can be used to remotely wipe it the next time it connects to the enterprise network. Because the wipe command is only delivered on that next connection, a device that stays offline (or whose radio is kept off by whoever holds it) is not wiped; local protections such as a device PIN lock and file encryption remain the first line of defense.
Note that SCMDM does not rely on ActiveSync. Instead, WM 6.1 devices automatically reconnect their mobile VPN tunnel to the SCMDM gateway whenever a 3G or Wi-Fi link becomes active. Bear in mind, however, that most nomadic mobile devices still spend some time out of range and thus disconnected from every network, which puts them out of reach of the SCMDM server until they reconnect.
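To make the enrollment and remote-wipe behaviour described above concrete, here is a small model of the gateway's side of both flows. This is an added example, not Microsoft's code and not part of the original article: the PIN length, validity window, lockout threshold, the use of a keyed hash to store PIN tags, and the certificate-serial stand-in for the device certificate are all assumptions made for illustration, and nothing here claims to reproduce how SCMDM actually implements them. What it shows is the properties a one-time enrollment PIN needs (bound to the user's email, consumed on first use, time-limited, locked out after repeated failures) and why a queued wipe only takes effect when the device next checks in.

```python
import hmac
import hashlib
import secrets
from dataclasses import dataclass, field

# Assumed policy values for this model; the page does not state SCMDM's real
# PIN length, lifetime or lockout threshold.
PIN_DIGITS = 8
PIN_TTL_SECONDS = 8 * 3600
MAX_PIN_ATTEMPTS = 5


@dataclass
class PendingEnrollment:
    email: str
    pin_tag: bytes          # keyed hash of (email, PIN); the PIN itself is never stored
    issued_at: float
    failed_attempts: int = 0


@dataclass
class EnrolledDevice:
    device_id: str
    email: str
    cert_serial: str        # stands in for the device certificate issued at enrollment
    pending_commands: list = field(default_factory=list)


class Gateway:
    """Constructed model of the Internet-facing enrollment/management gateway."""

    def __init__(self):
        self._key = secrets.token_bytes(32)   # server-side secret for PIN tags
        self.pending = {}                     # normalized email -> PendingEnrollment
        self.devices = {}                     # device_id -> EnrolledDevice

    def _tag(self, email, pin):
        # Bind the PIN to the email so a PIN issued for one user cannot enroll another.
        msg = email.strip().lower().encode() + b"\x00" + pin.encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    # --- administrator side ---------------------------------------------------
    def issue_pin(self, email, now):
        """Create a one-time PIN for a user; returned for out-of-band delivery."""
        pin = str(secrets.randbelow(10 ** PIN_DIGITS)).zfill(PIN_DIGITS)
        key = email.strip().lower()
        self.pending[key] = PendingEnrollment(email, self._tag(email, pin), now)
        return pin

    def queue_wipe(self, device_id):
        """Queue a remote wipe; it is delivered only when the device next checks in."""
        dev = self.devices.get(device_id)
        if dev is None:
            return False
        if "wipe" not in dev.pending_commands:
            dev.pending_commands.append("wipe")
        return True

    # --- device side ----------------------------------------------------------
    def enroll(self, email, pin, device_id, now):
        """Enrollment request carrying email + one-time PIN over the initial SSL session."""
        key = email.strip().lower()
        req = self.pending.get(key)
        if req is None:
            return None, "no pending enrollment"
        if now - req.issued_at > PIN_TTL_SECONDS:
            del self.pending[key]
            return None, "pin expired"
        if not hmac.compare_digest(req.pin_tag, self._tag(email, pin)):
            req.failed_attempts += 1
            if req.failed_attempts >= MAX_PIN_ATTEMPTS:
                del self.pending[key]          # locked out: an admin must reissue
                return None, "pin locked out"
            return None, "pin mismatch"
        del self.pending[key]                  # single use: the PIN is consumed here
        dev = EnrolledDevice(device_id, email, secrets.token_hex(8))
        self.devices[device_id] = dev
        return dev.cert_serial, "enrolled"

    def checkin(self, device_id, cert_serial):
        """Device reconnects (tunnel comes up) and collects any queued commands."""
        dev = self.devices.get(device_id)
        if dev is None or not hmac.compare_digest(dev.cert_serial, cert_serial):
            return None                        # unknown device or bad credential
        cmds, dev.pending_commands = dev.pending_commands, []
        if "wipe" in cmds:
            del self.devices[device_id]        # a wiped device must re-enroll
        return cmds
```

A device that never calls `checkin` never receives the queued `"wipe"`, which is exactly the window the article warns about. The `now` parameter is passed in rather than read from the clock so the expiry logic can be exercised deterministically.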
Finally, that mobile VPN tunnel can also provide a secure conduit for enterprise application access -- for example, letting Windows Mobile users connect to Exchange, SharePoint, and other application servers inside the enterprise firewall. Even applications that apply their own data protection measures, like TLS-encrypted POP and SMTP sessions, can be relayed through the mobile VPN tunnel.
Where SCMDM fits
With SCMDM, Microsoft provides a "protected-out-of-the-box" solution for enterprises that use new Windows Mobile devices. However, SCMDM cannot manage older Windows Mobile devices, including today's dominant Windows Mobile 6.0 population. Given the short lifespan of smartphones, many older devices may never be soft-upgradeable to 6.1 -- instead, you'll have to buy new hardware to tap into SCMDM.
Moreover, like BlackBerry Enterprise Server, SCMDM is not (currently) a cross-platform solution. Organizations with diverse mobile device populations will either need to deploy multiple MDM "silos" or invest in a third-party MDM like Sybase iAnywhere, Nokia Intellisync, or Motorola Good, with agents for multiple operating systems.
While SCMDM provides a relatively broad set of management and security capabilities, no platform can be everything to everyone. For example, those who require over-the-air remote control still need a third-party solution. Finally, SCMDM is Microsoft's first foray into mobile device management; it will no doubt require refinement and hardening over time. Visit Microsoft to learn more about Windows Mobile 6.1 security and Microsoft's SCMDM approach to Windows Mobile data protection.
This was first published in October 2008