Microsoft® System Center Mobile Device Manager 2008 SP1 Chip Vollers Mobile Business Experience Marketing Sr. Product Manager, Infrastructure [email protected]

Upload: hector

Post on 23-Feb-2016


TRANSCRIPT

Page 1: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Microsoft® System Center Mobile Device Manager 2008 SP1
Chip Vollers
Mobile Business Experience Marketing
Sr. Product Manager, [email protected]

Page 2: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Agenda
• Mobility Overview
• Worldwide Mobility Market
• System Center Mobile Device Manager 2008
• Demo
• MDM SP1 Features
• Microsoft Stack Integration
• Competitive Overview
• Pricing and Licensing
• Information & Links

Page 3: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Mobile Devices Are Not Laptops
Mobile devices…
• Are more easily lost or stolen.
• Require persistent connectivity.
• Have capabilities driven by form factor and user interface.
• Must also function as phones.
• Are outside the corporate network most or all of the time.

Page 4: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Why do DMSec and mVPN Matter for Mobility?
• Proliferation of connected devices outpacing PCs
• Growth of worldwide mobile workforce
• Expansion of mLOB application development and usage—more mLOB users means lower cost per user and higher per user mLOB ROI
• Desire for more secure network connectivity from mobile devices

Page 5: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Mobility Drives Growth

[Chart: CAGR (%) 2006-2010 by device category]
• Converged Mobile Phones: 34.1%
• Mobile PCs: 18.6%
• Mobile Phones: 5.8%
• Desktop PCs: 3.9%

245 Million Converged Devices by 2010

Source: Gartner, Dataquest, and IDC 2006

Page 6: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Worldwide Market Opportunity
Worldwide, the mobile worker population is expected to increase to 878 million by 2009, accounting for >27% of the total global workforce.

SOURCE: IDC, WW Mobile Worker Population, October 2006

Page 7: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Balanced Market Growth
Balanced growth driven by both mobile messaging and rich mobile scenarios beyond e-mail:
• Corporate data access and mobile LOB grows 41% (CAGR) from CY 2006–2011.
• Messaging grows 46% in the same time period.

[Chart: users by scenario, 2006 vs. 2011]
2006
• Mobile Messaging: 10.7 MM
• Corporate data access and mobile LOB: 6.2 MM
• mLOB only: 0.9 MM
2011
• Mobile Messaging: 71.2 MM
• Corporate data access and mLOB: 31.5 MM
• mLOB only: 8.3 MM

Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports

Page 8: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

What is MDM?
System Center Mobile Device Manager 2008
MDM helps to…
• Safeguard corporate data from unauthorized access.
• Reduce the cost and complexity of mobile deployments.
• Maintain persistent and enhanced security for connectivity.
• Simplify device management.

Page 9: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

MDM Overview
MDM is a comprehensive device management solution that enables efficient control of Windows Mobile® devices.
With MDM, customers can:
• Set and control policies using Active Directory® and Group Policy.
• Extend corporate data and line of business (LOB) applications in a security-enhanced virtual private network (VPN) environment.
• Execute a remote wipe with the “always on” Mobile VPN (mVPN) if a device is lost or falls into the wrong hands.
• Lock down communications and device resources for compliance and confidentiality purposes—disable Bluetooth, SMS/MMS, WLAN/Wi-Fi, Infrared, POP/IMAP e-mail, and even camera functionality.
• Take advantage of advanced features including policy enforcement, inventory and reporting, and software distribution from a single point of management.

Page 10: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

What IT pains does MDM solve?
How to:
• Manage mobile devices like PCs on the corporate network
• Manage policies and software distribution to multiple groups of users
• Provision mobile devices without physically touching them
• Allow more secure connectivity with single-point network access control
• Allow specific business units individual control over the devices in their business unit

Page 11: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Aligning with Customer Priorities

• Anytime access to corporate info

• Dependable and resilient phone experience

• Superior productivity including unified communications

• Secure data and network access

• Manageable, scalable IT infrastructure

• Standardization vs. point solutions

• Integrate and align with existing systems

• Minimize training and support

“Make it just another device on my network that I control and manage, and as an integral part of my existing architecture and security framework”
- VP of IT for Large Wall Street Bank

Key BDM Priorities
“I need a strong ROI justification if I am going to roll out mobile devices to most of my organization and not just the managers”
- Director of business group for major manufacturer
• End user productivity
• Scalable and reliable procurement
• Minimized support costs and TCO

Key IT Priorities
“Make it just another device on my network that I control and manage, one that’s an integral part of my existing architecture and security framework”
- VP of IT for Large Wall Street Bank
• Secure data and network access
• Manageable, scalable IT infrastructure
• Standardization vs. point solutions
• Integration and alignment with existing systems
• Minimized training and support

Key End User Priorities
“Provide me with always available access to the people, information, and applications I need even when I am on the go”
- Sales Manager for global pharmaceutical firm
• Robust access to corporate info
• Dependable and resilient phone experience
• Superior productivity including unified communications

Page 12: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

MDM Core Feature Areas
MDM enables Windows Mobile 6.1 devices to be deployed and managed like PCs and laptops in the IT infrastructure, providing them network access to corporate data and making them first-class citizens on the corporate network.

Management Workload (Deployment: inside firewall)

Security Management
• Active Directory Domain Join
• Policy enforcement using Active Directory and Group Policy targeting (>130 policies and settings)
• Communications and camera disablement
• File encryption
• Application allow and deny
• Remote wipe
• OMA-DM compliance

Device Management
• Single point of management for mobile devices in enterprise
• Full OTA provisioning and bootstrapping
• OTA Software distribution based on WSUS 3.0
• Device data and inventory reporting
• SQL Server 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and PowerShell cmdlets
• WMU on/off control
• OMA-DM compliance

Network Access Workload (Deployment: in DMZ)

Mobile VPN
• Machine authentication and “double envelope security”
• Session persistence
• Fast reconnect
• Internetwork roaming
• Standards support (IKEv2, IPSEC tunnel mode)

Page 13: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Security Management Benefits
• System Center Mobile Device Manager extends Active Directory/Group Policy to Windows Mobile.
• Over 130 configuration settings are now managed through Group Policy including control of Bluetooth, WIFI, SMS/MMS, IR, Camera, and POP/IMAP.
• Architecture is extensible.

Page 14: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Device Management Benefits
• Enterprise-wide OTA software distribution
− Leverages Windows Software Update Service (WSUS) 3.0
− Most widely deployed Windows software update solution across organizations of all size (60%+ penetration)
− Rich targeting and packaging capabilities required by IT departments
• Rich Inventory and Reporting
− Robust hardware and software inventory capabilities
− SQL Server 2005–based reporting infrastructure
− Highly flexible
− Customizable

Page 15: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Mobile VPN Benefits
• Offers features to help secure behind-the-firewall access to the corporate network and applications.
− Access data from a broad range of Intranet sites (e.g. SAP, Siebel, intranet sites, SQL Server)
• Aligns with existing remote access model for desktops/laptops and scales to a broad set of scenarios.

Security
• End-to-end security features
• Headless gateway deployed in the DMZ
• Privacy compliance

Efficiency
• Use best available channel
• Adapt to network to minimize keep alive traffic (goal)

Extensible
• Transparent to mobile application
• Transparent to LOB services

Reliability
• Always connected
• Allows pushed technology

Simplicity
• Minimum user configuration
• Transparent to user and to applications

[Diagram labels: Mobile Operators Cellular Data Connection; WiFi Connection; Internet; Corporate External Firewall; DMZ; Mobile VPN Gateway; Corporate Internal Firewall; Internal Corporate Site; Domain Controller; Mobile VPN. Caption: Controlled access to internal corporate resources from the mobile devices connected via Mobile VPN.]

Page 16: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Mobile VPN vs. Non-Mobile VPN
• mVPN is bandwidth-optimized:
− Less data throughput per task
− More efficient use of the radio stack
− Greater battery life
• mVPN is connectivity-optimized:
− Fast reconnect
− Session persistence
• mVPN is security-optimized:
− “Double envelope” with SSL tunnel inside the IPSec tunnel
− Standards-based: IPSec, IKEv2, MobIKE (mobility and multi-homing)

Other VPN solutions today do not offer this same level of performance for mobile devices.

Page 17: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Certificate Management/Handling
MDM works closely with Active Directory and utilizes the Microsoft Certification Authority (CA).

• Microsoft CA allows for standardized certificate templates.

• Microsoft CA complies with widely adopted industry standards and is used for automatic certification handling by MDM.

• The enterprise version of Windows Server® is needed to support the certificate templates required by AD.

• Customers who currently use a third-party CA within their PKI can deploy Microsoft CA as a subordinate CA and configure it to issue certificates for a specific use—in MDM’s case, client authentication for MDM-managed devices. The existing PKI can then operate normally for other purposes.

• Microsoft Certification Authority is integrated with AD. Configuring the Microsoft CA for one use only will prevent unauthorized certificate issuance and misuse of this CA.

Page 18: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Typical Deployment Topology

[Diagram. Zones: Internet; DMZ; Corporate Intranet, separated by firewalls. Components: MDM/SP1 Gateway Server; optional ISA or reverse proxy; MDM/SP1 Enrollment Server; MDM/SP1 Management Server; Device Certificate Enrollment Service; Active Directory; SQL Server; MMC Console; integrated WSUS software management; Exchange, SharePoint, intranet and LOB servers. Connection labels: initial OTA device enrollment via SSL; one-time PIN for enrollment; machine certificate authentication for Mobile VPN; SSL user authentication; IPSec Mobile VPN; 128-bit SSL tunnel.]

Page 19: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

MDM demo


Page 20: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

MDM SP1 Feature Updates
Feature and capability updates with MDM SP1 include:
• Multiple Instance
− Supports deployments where multiple points of control are required within a single forest
• Enrollment Auto Discovery
− Helps eliminate guesswork and user confusion by allowing the enrollment server to match the user with the correct MDM instance
• Runs with Windows Server 2008
− SP1 will run against a domain/forest running Windows Server 2008 AD Domain Services
• Performance/Scalability
− Increases system capacity to 40K users from MDM 2008 levels
• Virtualization
− Hyper-V support using hosted Windows Server 2003 for testing/trial purposes

Page 21: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Mobile Device Manager 2008 SP1

Unlocks Large Scale Deployments
MDM SP1 will better enable IT to manage Windows Mobile 6.1 and later devices in situations where greater scale and distributed control points are required.

Management Workload (Deployment: inside firewall)
Network Access Workload (Deployment: in DMZ)

Improved
• Scalability and Reliability

New
• Multi-Instance
• Support Windows Server 2008 AD
• Hyper-V (2003 host)

Improved
• Reporting
• Scalability and Reliability

New
• Improved self-service and helpdesk experience

Improved
• Scalability and Performance

Security Management
Device Management
Mobile VPN

Page 22: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Multiple Instance
Multiple Instance allows customers with multiple domains, multiple network access points, and different administrative policies to all be managed independently.

[Diagram labels: Active Directory Forest; IT; Administrative Policies; MDM Infrastructure; Division 1, Division 2, Division 3; Division 1 Users, Division 2 Users, Division 3 Users]

Page 23: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Microsoft Stack Utilization
MDM is designed to work well with existing IT infrastructure, network directory, and services:
• Windows Server 2003 SP2
• SQL Server 2005
• Active Directory/Group Policy
• Windows Software Update Service (WSUS)

Page 24: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Better Together: MDM + …
System Center Mobile Device Manager 2008 works very closely with other Microsoft products to increase the productivity of mobile workforces.
• ConfigMgr = Comprehensive client management
• Exchange 2007 = More secure mobile messaging
• ISA + IAG = Enhanced network security and user authentication
• SharePoint = Mobile access for better collaboration and teamwork

Page 25: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Segmentation & Opportunity
UMM and Enterprise Customers

Columns: Segment | Attributes | Priority

Mobile Information Worker

Messaging (Priority: Exchange 2007 SP1)
• Mobile messaging with some security & manageability
• High TCO sensitivity
• Both front door and back door devices
• Some requirements for location, presence and UC services

Secure Messaging (Priority: Exchange 2007 SP1 with MDM)
• Require mobile messaging with highest security due to regulatory compliance issues or internal security policies
• Need secure network access for messaging
• Front door devices only
• Enhanced requirements for location, presence and UC services

Messaging + LOB (Priority: MDM with Exchange 2007 SP1)
• Messaging with enhanced security
• Corporate data access (mLOB apps, Intranet sites, etc)
• Need DM and secure network access
• Mostly front door devices
• Enhanced requirements for location, presence and UC services

Task Worker

LOB only (Priority: MDM or SCCM)
• Rich LOB applications, mission critical (established ROI)
• Mobile messaging not hard requirement
• Need for DM and secure access
• Enhanced requirements for location, presence and UC services
• Users may have no affinity to PC
• Potentially ruggedized devices (front door only)

Page 26: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Comprehensive Messaging and Device Management Solution
• Best in class mobile messaging and PIM solution
• Enhanced messaging security beyond SSL
• Rich device management
• Domain objects in Active Directory
• Management via AD/Group Policy
• Windows Mobile device management support
• Best in class mobile VPN
• Customized policy templates without AD schema changes
• 130+ mobile policies out of the box
• Software distribution via WSUS

By combining Exchange 2007 SP1 with MDM, customers get the best of both worlds—best in class messaging/PIM solution and device management, security, and secure, persistent connectivity for their Windows Mobile devices.

Page 27: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Comprehensive Device & Client Management Solution
• Rich PC client and mobile device management
• Domain objects in Active Directory
• Management via AD/Group Policy
• Windows Mobile device management support
• Best-in-class mobile VPN
• Customized policy templates without AD schema changes
• 130+ mobile policies out of the box
• Software distribution via WSUS

By combining ConfigMgr with MDM, customers get the best of both worlds—feature-rich client management for their PCs and device management, security, and secure, persistent connectivity for their Windows Mobile devices.

Page 28: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Microsoft Solution Comparison
MDM complements other Microsoft DMSec solutions.

Capability | Exchange Server 2007 SP1 ECAL | ConfigMgr 2007 | MDM 2008
Cross-organization policy application | Yes | Yes | Yes
Policy enforcement using Active Directory/Group Policy targeting | No | No* | Yes
Push software via WSUS | No | Yes | Yes
Mobile device-specific policies | Yes | No | Yes
Inventory/Asset Tracking | No | Yes | Yes
Management via SSL | Yes | Yes | No
Management via IPSec Tunnel | No | No | Yes
Pre-Windows Mobile 6.1 device support | Yes | Yes | No
Inline bootstrapping | Yes | No | Yes
Full Software Inventory | No | No** | Yes

* This applies to mobile device management. AD/Group Policy is supported for desktop clients.
** File inventory only.

Page 29: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

MDM: Competitive Review
Key Capabilities

Columns: Exchange 2003 SP2; Exchange 2007; Exchange 2007 SP1; MDM; RIM Blackberry Enterprise Server 5.X; BES 4.1; Good 4.9; IMS 8.0 SP 1; Afaria

Push e-mail and PIM: X X X Exchange X X X X OneBridge
Basic policies: X X X X X X X X X
Advanced policies: X X X X X X X
Active Directory Integrated targeting: X X3 X
Active Directory Domain Join: X
Application Disablement: X X X X X X X
Comms Lockdown (IR, Bluetooth, Camera, WIFI): X X3 X X Coming
OTA Software Distribution: X X X X X X
OTA Firmware Update: X X
Inventory: X X X X X X
Reporting: X1 X1 X X X X X X
Helpdesk Console: X X X X X X
End-to-end full OTA Provisioning: X2 X X X X X X
Device Wipe: X X X X X X X X X
Mobile VPN: X X
Dual factor authenticated access: X X X X X

1. Exchange 2007 provides EAS statistical reporting (with basic device information).
2. Exchange 2007 enables full OTA provisioning of EAS Client only (does not include IRM or cert-based authentication).
3. Expected to deliver deeper integration with LDAP but not necessarily specific to AD.
4. Middleware (i.e. Good, IMS) software only, not device firmware.

Page 30: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

License and Support Cost Comparison
First year investment - list price, 5K users
Pricing includes Software Assurance (SA) for MDM and technical support for all solutions (MDM included in Premier).

[Chart: first-year cost per solution. Bar labels: Afaria, Good, RIM, MDM]
• $521,000 ($104.20 per user)
• $1,038,400 ($207.68 per user)
• $398,500 ($79.70 per user)
• $119,300 ($23.86 per user)

Page 31: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

MDM Technical Support
• Premier Field Engineering (PFE)
− MDM technical specialists in Redmond and Prague
• Microsoft Consulting Services (MCS)
− MDM expertise in Redmond with supervision of WW team build-out
• Mobility SSP team
− WW solution selling expertise for MDM, Windows Mobile, and third-party mobility solutions
• Product Support Services (PSS)
• MVPs—mobility specialists outside Microsoft

Page 32: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Licensing Considerations
• MDM is a three server role solution:
− Enrollment Server role
− Device Management (DM) Server role
− Gateway Server role
• Roles required:
− Outside the firewall, all three roles are required.
− Inside the firewall (WiLAN) Gateway is optional.
• Role combinations:
− Enrollment and DM can be combined on one box—single server license required.
− Gateway is always a stand-alone role.

Page 33: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

MDM SKU Offerings
Columns: Offering Category | License Offering | Net Price (Select C level)

System Center Mobile Device Manager 2008 (MDM 2008)
• MDM 2008 Server License: $1500
• MDM 2008 User Client Access License (CAL): $40
• MDM 2008 Device Client Access License (CAL): $40

System Center Mobile Device Manager 2008 with SQL Server 2005 Technology (MDM 2008 with SQL)
• MDM 2008 with SQL Server License: $2122
• MDM 2008 with SQL User Client Access License (CAL): $40
• MDM 2008 with SQL Device Client Access License (CAL): $40

Page 34: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

Advantage MDM: MDM combines the must-have DMSec features IT demands, low TCO, and robust Microsoft technology stack utilization.

Page 36: Microsoft ®  System Center  Mobile Device Manager 2008 SP1

© 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, SQL Server, Windows, Windows Server and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.

The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.

MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.

Microsoft Confidential