MDM Security Architecture
As you use the existing infrastructure of the enterprise, System Center Mobile Device Manager security architecture helps protect company data and communications.
The security architecture helps companies control their own security and data. Unlike some solutions, you do not have to use a third-party network operations center with its associated risks of downtime and compromise of information. In addition, Windows Mobile devices can communicate with enterprise communication services by using industry-standard protocols that run on most mobile operator networks. This eliminates geographical restrictions on service availability.
The following illustration shows a high-level view of the security architecture for each instance of MDM. This includes Windows Mobile devices, Exchange Server, and existing company network components.
This illustration is described in the following sections.
All access to the company intranet is through the perimeter network, also known as the DMZ or screened subnet. The perimeter network contains MDM Gateway Server between an external (outward facing) and internal firewall. The following shows how this topology helps protect company data.
Before a Windows Mobile device can connect to MDM Gateway Server, it must enroll to establish itself as a known and authenticated object in the Active Directory Domain Service. After authentication, the device can connect to MDM Gateway Server to access company network resources.
MDM Gateway Server is a stand-alone server, not domain-joined, and shares no accounts or passwords with the domain of the company. There is no direct use of Active Directory Domain Service, NTLM, or Kerberos access to authenticate devices because these would require the server to be domain-joined, or to store domain credentials. MDM Gateway Server authenticates incoming connection requests by verifying that it was signed by a particular root certificate. MDM Gateway Server then checks incoming connections against a blocked-device list that you can configure.
MDM Device Management Server issues the commands to MDM Gateway Server by using a mutually-authenticated SSL connection through the internal firewall. This means that MDM Device Management Server initiates communications to MDM Gateway Server, and not the other way around. This helps minimize the security risk of communicating with MDM Gateway Server in the perimeter network.
Security Note: For increased security, MDM Gateway Server does not initiate communications with MDM Device Management Server. You can configure the port that the Gateway Central Management (GCM) uses to manage MDM Gateway Server. By default, it uses the standard TCP port 443 for SSL traffic.
The device connects to the company intranet by using the Mobile virtual private network (VPN) client on the Windows Mobile device.
The Windows Mobile device uses IPsec to authenticate and encrypt data that passes between the device and MDM Gateway Server. After the Mobile VPN connection is established, all network traffic from the cellular wireless wide-area network (WWLAN) or Wi-Fi connection redirects to MDM Gateway Server through the Mobile VPN connection
On a server that is running MDM, you can use Group Policy and MDM software distribution to make sure that the Windows Mobile device follows the required policies and software packages. By using these standards, MDM extends your company infrastructure to let you manage Windows Mobile devices by using familiar tools and capabilities.
MDM Enrollment Server
MDM Enrollment Server contains the Enrollment Web service, hosted by Internet Information Services (IIS). This service manages incoming requests from mobile devices to enroll them in the managed infrastructure. As soon as MDM Enrollment Server receives a request, this service manages communications with the mobile device until it becomes a domain-joined managed mobile device. After it enrolls, MDM Gateway Server handles communications.
MDM Device Management Server
MDM Device Management Server provides services to interface with the management infrastructure of company servers and services by using MDM Gateway Server in the perimeter network.
The following shows how these services help protect company data:
MDM Software Distribution Console: MDM software distribution uses Windows Server Update Services (WSUS) to enable the distribution of applications to managed devices. MDM Software Distribution Console provides the interface to WSUS. All external communications use the standard WSUS interfaces.
MDM Group Policy Service: This service communicates with the Group Policy service on the company domain controllers. This service determines the Resultant Set of Policy (RSoP) from the Active Directory Domain Service for each device object in the domain. These settings are then aggregated and recorded in the relevant database and used to update a device, if it is required, the next time that it connects.
MDM Remote Wipe Service: This service manages the command to wipe data from a managed mobile device. If a wipe command comes from a management console, it notifies this service. Then, the remote wipe service communicates with a domain controller to remove the Active Directory Domain Service object for the device. It also communicates with the certification authority to revoke the certificate that the device was using. After confirmation that a device is wiped or the grace period has expired, the command makes sure that MDM Gateway Server and the databases are updated so that the device will be unable to connect to the system by using its previous credentials. To rejoin the managed environment, the device must complete the enrollment process again.
Gateway Central Manager (GCM). This service communicates configuration changes and updates to MDM Gateway Server in the perimeter network. MDM Device Management Server pushes this information to the management IIS instance on MDM Gateway Server though an SSL connection.
Active Directory Domain Service
The Windows directory service stores credentials for VPN and 802.1X-based connections and the Group Policy settings that configure the required settings on each managed mobile device. Examples include configuring ActiveSync settings or enabling a Password required policy.
MDM security model requires X.509 certificates. MDM works directly with your existing PKI for client and server certificate signing. To issue certificates for MDM, you must have a certificate server that is running Windows Server 2003 Enterprise Edition operating system with Service Pack 2 (SP2).
E-Mail and LOB servers
Windows Mobile devices managed by MDM can gain access to company line-of-business (LOB) application servers. This includes the following:
Exchange servers: You can grant direct access to company Exchange servers from devices that use Outlook Mobile. This provides calendar scheduling and e-mail services.
Custom application servers: In-house applications that provide Web services to mobile clients can be made available to the managed mobile devices.