We live in an increasingly mobile world, and enterprise IT administrators must now deal with a wide array of devices connecting to the corporate network. In addition to users' home computers and both company-issued and personally-owned laptops, many of today's workers expect to be able to access their email, contacts, calendars and more with their handheld devices (PDAs and smart phones).
These take-everywhere connectivity devices offer a large degree of convenience, but they present a challenge to IT departments in terms of security and manageability, even when they're issued and owned by the company. There are various management solutions out there, such as CA's Mobile Device Management (MDM) for BlackBerry devices.
Microsoft's solution for centralized management of Windows Mobile devices, to be available in the second half of 2008, is the System Center Mobile Device Manager (SCMDM) 2008. SCMDM was introduced by Steve Ballmer last October at CTIA in San Francisco. Currently it only works with a limited number of devices (a software upgrade is required), but we can expect compatibility with many more in the future. In fact, all Windows Mobile phones that come out after mid-year 2008 are expected to have SCMDM support built in, and updates are expected to be available for such current phones as the AT&T Blackjack II and Tilt, the HTC Mogul and Touch, the Samsung i760 and the Palm Treo 750, among others.
Let's take a look at how it works.
Making Mobile behave more like a real Windows client
When it comes to mobile clients, one item on the IT administrator's wish list is to be able to exert the same controls over them that we have over Windows PCs in the enterprise. That is, we want to be able to quickly see what mobile devices can access domain resources, apply Group Policy for consistency and protection, and distribute software automatically (or prevent users from installing/running software that may pose a security threat). There are also special needs when it comes to mobile devices, such as the need to prevent a lost mobile device from resulting in divulgence of sensitive corporate information or breaches of the network.
SCMDM 2008 is a recent addition to the System Center product line that takes on all of these issues and more. Despite its somewhat unwieldy acronym, this is a pretty exciting package for those concerned with mobile device security on a Microsoft network. It's certainly scalable enough for the enterprise, with a single SCMDM installation being capable of handling more than 20,000 mobile devices. Built-in reporting tools help you to keep an accurate inventory of devices.
SCMDM interoperates with other Microsoft server products, such as Windows Software Update Services (WSUS), SQL Server, Exchange and IIS.
Better security with Group Policy
With SCMDM, you enroll devices that you want to manage into the domain (similar to joining PCs to the domain) and they become objects in Active Directory. That means you can apply Group Policy to them as you do with your Windows servers and workstations. For example, you can enforce password policies on mobile devices or set a policy that forces full file encryption on the devices. More than 130 policies are included out of the box, and you can also create your own policies using administrative templates.
Devices can quickly be enrolled by any user with Active Directory credentials through an "easy enrollment" web site on the Mobile Device Manager server. On the administrative side, management of devices is done via the familiar Microsoft Management Console (MMC) interface. Here you can view the status and history of each enrolled device.
You can even prevent the use of selected communications protocols on specific devices. For example, you could prevent a particular device from being able to send and receive email or disable Bluetooth on a device. Or you could disable the cameras built into Windows Mobile smart phones in situations where you don't want users to have picture-taking capability.
Protection in case of theft or loss
The theft or loss of a mobile device can have dire consequences if users have confidential company information stored on the devices or if a thief is able to use the device to connect to the corporate network.
SCMDM makes it possible for IT administrators to conduct a remote wipe on a lost or stolen device, to eliminate the possibility of misuse by a thief.
Distributing software to mobile devices
A great benefit of SCMDM is the software distribution feature. Administrators are used to being able to push applications and updates to the PCs on their networks. Now they can do the same thing with mobile devices. This allows you to ensure that mobile software is consistent across the organization, or that particular devices have specific applications installed. The software packages that you select are distributed over the air so that users don't have to deal with downtime while programs are being installed on their devices. You can make the software packages mandatory or optional.
Providing for secure VPN connections from mobile devices
Yet another feature of SCMDM is its Mobile VPN access. For best security, you can use IPsec authentication and SSL encryption to provide mobile users with a very secure way to connect their devices to the corporate network. They can access line-of-business applications on internal servers behind the corporate firewalls.
And if the session gets disconnected (as often happens with cellular connections or when using an unreliable Wi-Fi connection), SCMDM has a "fast reconnect" feature that keeps the session history and doesn't require reauthenticating.
Managing mobile devices in an enterprise environment presents a big challenge, but companies can leverage their existing Microsoft network infrastructures and Windows Mobile smart phones by deploying System Center Mobile Device Manager 2008 to solve many of the problems associated with mobility.
Debra Littlejohn Shinder, MCSE, MVP is a technology consultant, trainer, and writer who has authored a number of books on computer operating systems, networking, and security. Deb is a tech editor, developmental editor, and contributor to over 20 additional books on subjects such as the Windows 2000 and Windows 2003 MCSE exams, CompTIA Security+ exam, and TruSecure's ICSA certification.