Securely Deploying Windows Mobile in Your Enterprise
Vik Thairani, Mobility Technical Sales Consultant, Mobile Communication Business, Microsoft Corp.
Session WMB308

Page 3
Session Objectives and Takeaways
• Overview
• Authenticating against your corporate environment
• Secure intranet access
• Securing data in transport
• Securing data on the device
• Securing devices against malware and viruses
• Q&A

Page 4
Architecture
Page 5

Exchange 2003 / 2007 Topology (diagram): Internet, outer firewall, DMZ with an ISA Server / reverse proxy, inner firewall, corporate intranet with the Exchange Front-End/CAS server, the Exchange Mailbox server, Active Directory and a SharePoint 2003/2007 server. The device reaches ISA over a 128-bit SSL tunnel and ISA forwards to the Front-End/CAS server over a second 128-bit SSL tunnel; the Front-End/CAS server holds the subscription to the mailbox on the Mailbox server (which MAPI clients reach directly), and SharePoint requests from the device are proxied via the Exchange CAS.
Page 6

SCMDM 08 Deployment Topology, System Center Mobile Device Manager 2008 (diagram): Internet, outer firewall, DMZ with the SCMDM 08 Gateway (endpoint of the IPsec MOBIKE VPN, using machine-certificate authentication for the mobile VPN) and an optional ISA or reverse proxy, inner firewall, corporate intranet with the SCMDM 08 Management Server (MMC console), the MDM Enrollment Server, the Device Certificate Enrollment Service, WSUS software management, SQL Server, Active Directory, and the Exchange, SharePoint, intranet and LOB servers. Initial over-the-air device enrollment runs over SSL with a one-time PIN; SSL user authentication and 128-bit SSL tunnels carry enrollment and management traffic, and application traffic runs through the IPsec VPN from the gateway into the intranet.
Page 7

Authenticating Against Your Corporate Network

Page 8

• SSL tunneling vs. SSL bridging
• Wildcard certificate support
• Elevated root certificate install support in WM6
• Certificate authentication: ISA 2006, when domain joined, can perform certificate authentication in the DMZ
• Standard authentication
Page 9

2-Factor Authentication with RSA
• RSA must be installed on the IIS server
• RSA Agent must be 5.3 or greater
Page 10

DMZ Pre-Authentication via ISA
• Split tunneling via ISA listeners: RADIUS, LDAP
• Certificate authentication with domain-joined ISA 2006
Page 11

Mobile Device Manager 2008 – 2-Factor Authentication
Mobile VPN (Network Access Workload, deployed in the DMZ):
• Machine authentication and “double envelope security”
• Session persistence
• Fast reconnect
• Inter-network roaming
• Standards-based (IKEv2, MOBIKE, IPsec tunnel mode)
Page 12

Secure Intranet Access

Page 13

Secure Intranet Access (VPN)
• Built-in VPN: L2TP and PPTP
• Mobile VPN included in MDM 2008
• Issues with traditional VPNs
Page 14

Mobile Device Manager 2008 VPN
Mobile VPN (Network Access Workload, deployed in the DMZ): machine authentication and “double envelope security”; session persistence; fast reconnect; inter-network roaming; standards-based (IKEv2, MOBIKE, IPsec tunnel mode).
Page 15

Securing Data in Motion

Page 16

SSL / MobileIKE
• SSL: RC4, 3DES, AES 128, AES 256*
• MOBIKE (IKEv2) IPsec tunnel
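The slide lists the ciphers a Windows Mobile client can negotiate for SSL; which one a deployment actually ends up using is decided by the server that terminates the tunnel (ISA 2006 or the IIS host behind it). The following is an added example, not part of the session, of pinning that server's Schannel cipher set so RC4 and the export-grade ciphers are off and AES is on. The registry key names are the standard Schannel cipher names; the decision to keep 3DES enabled while Windows Mobile 5 devices remain is an assumption to revisit for your fleet.

```powershell
# Added example (not from the deck): restrict Schannel ciphers on the SSL front end.
# Run in an elevated PowerShell on the server. Schannel reads these keys at start-up,
# so reboot afterwards, then confirm from a device that the handshake still succeeds.

$ciphersPath = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers'

# Use the .NET registry API rather than New-Item/New-ItemProperty: the PowerShell
# registry provider treats the '/' in names such as 'RC4 128/128' as a path separator.
$ciphers = [Microsoft.Win32.Registry]::LocalMachine.CreateSubKey($ciphersPath)

function Set-SchannelCipher([string]$Name, [bool]$Enabled) {
    # CreateSubKey opens the key, creating it if it does not exist yet
    $key = $ciphers.CreateSubKey($Name)
    # Enabled = 0 disables the cipher; -1 is stored as DWORD 0xFFFFFFFF, which enables it
    if ($Enabled) { $value = -1 } else { $value = 0 }
    $key.SetValue('Enabled', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
    $key.Close()
}

# Weak, export-grade and null ciphers: off
$weak = @(
    'NULL', 'DES 56/56',
    'RC2 40/128', 'RC2 56/128', 'RC2 128/128',
    'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128'
)
foreach ($name in $weak) { Set-SchannelCipher -Name $name -Enabled $false }

# AES on. 3DES stays on only while Windows Mobile 5 devices still connect (assumption);
# the 3DES key is named 'Triple DES 168' on Server 2008 and 'Triple DES 168/168' on
# Server 2003, and setting both is harmless.
$strong = @('AES 128/128', 'AES 256/256', 'Triple DES 168', 'Triple DES 168/168')
foreach ($name in $strong) { Set-SchannelCipher -Name $name -Enabled $true }

# Review the result before rebooting
foreach ($name in $ciphers.GetSubKeyNames()) {
    $state = $ciphers.OpenSubKey($name).GetValue('Enabled')
    '{0,-20} Enabled={1}' -f $name, $state
}
$ciphers.Close()
```

Disable one cipher family at a time and test a sync from each device model in use; a Windows Mobile 5 device that only offers RC4 and 3DES will silently stop syncing once both are off, and the failure shows up on the device, not in the server log.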
Page 17

Wireless LAN Security
• Wi-Fi 802.1X user authentication using Protected EAP (PEAP) or EAP-TLS (certificate-based); WPA / TKIP
• Wi-Fi certificate enroller provided by the OEM
• Built-in certificate enroller for Windows Mobile 6 in ActiveSync 4.5
• Windows Mobile 6 includes a built-in PFX, CER and P7B installer
Page 18

S/MIME
• Windows Mobile 5.0 requires a smart-card reader
• Windows Mobile 6.0 supports soft certificates
• Exchange 2007 SP1 supports S/MIME
Page 19

Mobile Device Manager 2008 - IPsec
Mobile VPN (Network Access Workload, deployed in the DMZ; Management Workload deployed inside the firewall): machine authentication and “double envelope security”; session persistence; fast reconnect; inter-network roaming; standards-based (IKEv2, MOBIKE, IPsec tunnel mode).
Page 20

Securing Data on Device

Page 21

On-Device Encryption
• Encrypted PIM data (WM 6.1 with Exchange 2007, MDM): AES 128
• SD card (WM 6): AES 128
• LOB custom applications (CryptoAPI, MDM 2008): 3DES, AES 128, AES 256
Page 22

Information Rights Management
• Windows Mobile 6 supports IRM for mail: read only, no creation
• Office for Windows Mobile 6 supports IRM for Office documents
Page 23

Device Policies Available with Exchange 2003/2007
• Device lock; new PIN enhancements (PIN recovery, history)
• Device password; new password requirements
• Exchange 2007 allows group-based policies
• New Exchange 2007 policies: SD card encryption
Page 24

Exchange 2007 Device Control
• Disable desktop ActiveSync
• Disable removable storage
• Disable camera
• Disable SMS and any MMS text messaging
• Network control

Page 25

Exchange 2007 Device Control (continued)
• Disable Wi-Fi
• Disable Bluetooth
• Disable IrDA
• Allow internet sharing from device
• Allow desktop sharing from device
• Application control
Page 26

Exchange Functionality

| Feature | 2007 | S | E |
| --- | --- | --- | --- |
| Password Required | X | X | X |
| Allow non-provisionable devices | X | X | X |
| Allow Simple Device Password | X | X | X |
| Alphanumeric Password | X | X | X |
| Attachments Enabled | X | X | X |
| Inactivity Timeout | X | X | X |
| Max Attachment Size | X | X | X |
| Max Failed Password Attempts | X | X | X |
| Min Password Length | X | X | X |
| Password Expiration | X | X | X |
| Password History | X | X | X |
| Password Recovery Enabled | X | X | X |
| Policy Refresh Interval | X | X | X |
| Storage Card Encryption | X | X | X |
| UNC Access Enabled | X | X | X |
| WSS Access Enabled | X | X | X |
| Allow HTML Email | | X | X |
| Allow SMIME Encryption Algorithm Negotiation | | X | X |
| Allow SMIME Soft Certs | | X | X |
| Max Calendar Age Filter | | X | X |
| Max Email Age Filter | | X | X |
| Max Email Body Truncation Size | | X | X |
| Max Email HTML Body Truncation Size | | X | X |
| Min Device Pwd Complex Characters | | X | X |
| Require Device Encryption | | X | X |
| Require Encrypted SMIME Messages | | X | X |
| Require Encryption SMIME Algorithm | | X | X |
| Require Manual Sync When Roaming | | X | X |
| Require Signed SMIME Algorithm | | X | X |
| Require Signed SMIME Messages | | X | X |
| Allow Bluetooth | | | X |
| Allow Browser | | | X |
| Allow Camera | | | X |
| Allow Consumer Email | | | X |
| Allow Desktop Sync | | | X |
| Allow Internet Sharing | | | X |
| Allow IrDA | | | X |
| Allow POP/IMAP Email | | | X |
| Allow Remote Desktop | | | X |
| Allow Storage Card | | | X |
| Allow Text Messaging | | | X |
| Allow Unsigned Applications | | | X |
| Allow Unsigned Installation Packages | | | X |
| Allow Wi-Fi | | | X |
| Approved Application List | | | X |
| Unapproved InROM Application List | | | X |

2007 = Exchange 2007 | S = Exchange 2007 SP1 Standard CAL | E = Exchange 2007 SP1 Enterprise CAL
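The device-policy and device-control slides and the table above map one-to-one onto parameters of the Exchange 2007 SP1 ActiveSync mailbox policy cmdlets. The following is an added example, not taken from the session, of building one such policy in the Exchange Management Shell, assigning it to a mailbox, checking from the device statistics that devices actually acknowledged it, and wiping a lost device. The policy name WM6-Corporate, the mailbox alice, the device ID ABC123, the notification address and the numeric thresholds are illustrative assumptions.

```powershell
# Added example, not from the session: an Exchange 2007 SP1 ActiveSync mailbox
# policy that turns the slides' password, encryption and device-control items
# into cmdlet parameters. Run in the Exchange Management Shell with Exchange
# Organization Administrator rights. Policy name, mailbox, device ID and the
# numeric thresholds are assumptions for illustration.

$policyName = 'WM6-Corporate'   # assumed policy name

# 1. Device lock and password: available on Exchange 2007 RTM and both SP1 CALs.
#    AllowNonProvisionableDevices $false refuses devices that cannot enforce the
#    policy, MaxDevicePasswordFailedAttempts triggers a local wipe, and
#    PasswordRecoveryEnabled escrows a recovery password with Exchange so a
#    forgotten PIN does not have to end in a wipe.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -AllowSimpleDevicePassword $false `
    -MinDevicePasswordLength 8 `
    -MaxDevicePasswordFailedAttempts 10 `
    -MaxInactivityTimeDeviceLock '00:15:00' `
    -DevicePasswordExpiration '90.00:00:00' `
    -DevicePasswordHistory 5 `
    -PasswordRecoveryEnabled $true `
    -AllowNonProvisionableDevices $false `
    -RequireStorageCardEncryption $true `
    -DevicePolicyRefreshInterval '1.00:00:00'

# 2. SP1 settings. Password complexity, device encryption and the S/MIME switches
#    are in the Standard CAL; the Allow* device-control switches need the
#    Enterprise CAL. AllowBluetooth takes Disable, HandsfreeOnly or Allow.
Set-ActiveSyncMailboxPolicy -Identity $policyName `
    -MinDevicePasswordComplexCharacters 2 `
    -RequireDeviceEncryption $true `
    -AllowSMIMESoftCerts $true `
    -AllowBluetooth HandsfreeOnly `
    -AllowCamera $false `
    -AllowWiFi $false `
    -AllowIrDA $false `
    -AllowStorageCard $true `
    -AllowTextMessaging $false `
    -AllowDesktopSync $false `
    -AllowInternetSharing $false `
    -AllowRemoteDesktop $false `
    -AllowUnsignedApplications $false `
    -AllowUnsignedInstallationPackages $false `
    -AllowConsumerEmail $false `
    -AllowPOPIMAPEmail $false `
    -AllowBrowser $true

# 3. Assign the policy to a mailbox (or make it the organization default with
#    Set-ActiveSyncMailboxPolicy -IsDefaultPolicy $true).
Set-CASMailbox -Identity 'alice' -ActiveSyncMailboxPolicy $policyName

# 4. Verify that every partnered device has acknowledged the policy. A device
#    whose status is not applied in full is exactly what AllowNonProvisionableDevices
#    $false is meant to keep out of the mailbox.
Get-ActiveSyncDeviceStatistics -Mailbox 'alice' |
    Format-Table DeviceType, DeviceOS, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync -AutoSize

# 5. Remote wipe of a lost device, selected by the DeviceID from the listing above
#    ('ABC123' is an assumed value). The wipe is only delivered when the device
#    next syncs, so block the account's ActiveSync access in the meantime.
$lost = Get-ActiveSyncDeviceStatistics -Mailbox 'alice' |
    Where-Object { $_.DeviceID -eq 'ABC123' }
Clear-ActiveSyncDevice -Identity $lost.Identity -NotificationEmailAddresses 'secops@contoso.com' -Confirm:$false
Set-CASMailbox -Identity 'alice' -ActiveSyncEnabled $false
```

A device that never reports the policy as applied in full is the case to watch: a pre-WM6 or third-party client that accepts the sync but cannot honour encryption or device control is only excluded because AllowNonProvisionableDevices is off, so check that column after any policy change rather than assuming the server enforced it.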
Page 27

Mobile Device Manager 2008 - Security
Security Management (Management Workload, deployed inside the firewall):
• Active Directory® domain join
• Policy enforcement using Active Directory / group policy targeting (>125 policies)
• Communications and camera disablement*
• File encryption
• Application allow and deny
• Remote wipe
• OMA DM compliant
*Part of LTK requirement
Page 28

Antivirus and Firewalls

Page 29

Antivirus and Firewalls
• Mitigating attack vectors on Windows Mobile: Office, Internet Explorer, application install
• Entry points into your corporate environment: desktop, Exchange
• APIs available for Windows Mobile
Page 30

Exchange Advanced Policies
• Allow browser
• Allow consumer mail
• Allow unsigned apps
• Allow unsigned installation packages
Page 31

Mobile Device Manager 2008 – Software Distribution
Device Management (Management Workload, deployed inside the firewall):
• Single point of management for mobile devices in the enterprise
• Full over-the-air (OTA) provisioning and bootstrapping
• OTA software distribution based on Windows Server Update Services (WSUS) 3.0
• Inventory
• Microsoft SQL Server™ 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and Microsoft Windows PowerShell™ cmdlets
• WMU on/off control
Page 32

Partners
• Management and security: Credant, Trust Digital, Afaria, Odyssey
• VPN: Bluefire (Cisco), NetMotion (IPsec mobile), Check Point (SSL)
Page 33

Resources
• www.microsoft.com/teched – Sessions On-Demand & Community
• http://microsoft.com/technet – Resources for IT Professionals
• http://microsoft.com/msdn – Resources for Developers
• www.microsoft.com/learning – Microsoft Certification & Training Resources
Page 34

Windows Mobile® Resources
• TechNet TechCenter – System Center Mobile Device Manager 2008: http://technet.microsoft.com/scmdm
• TechNet TechCenter – Windows Mobile: http://technet.microsoft.com/windowsmobile
• MSDN Center – Windows Mobile: http://msdn.microsoft.com/windowsmobile
• Webcasts and Podcasts for IT – Windows Mobile: http://www.microsoft.com/events/series/msecmobility.aspx
• General Information – Windows Mobile: http://www.windowsmobile.com
• General Information – System Center Mobile Device Manager 2008: http://www.windowsmobile.com/mobiledevicemanager
• Windows Marketplace Developer Portal: http://developer.windowsmobile.com
Page 35
Windows Mobile® is giving away Blackjack IIs !
Stop by the Windows Mobile Technical Learning Center to learn how to enter
Page 36
Complete an evaluation on CommNet and enter to win!
Page 37

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.