MDM Overview

10/3/2008

System Center Mobile Device Manager (MDM) is a new Microsoft technology that helps Windows Mobile® 6.1 devices work within the IT infrastructure of a company as trusted and managed members of the enterprise. Historically, this degree of integration was not possible with other mobile device platforms because it raised many security, management, and accountability issues for the enterprise. MDM enables you to use Windows Mobile powered devices as managed business devices in a comprehensive manner that has minimal effect on existing infrastructure.

The goal of MDM is simple: Enable Windows Mobile powered devices to become managed and authenticated members of the IT infrastructure of an organization. The Windows Mobile platform is the ideal platform for this solution. The features of MDM help extend this platform in a manner that is both manageable and protected.

The MDM architecture is based on open industry standards that provide specialized device management (OMA DM), and authenticated and encrypted communications (IPsec, IKEv2, and MOBIKE). When you use these standards together with Windows Server platform services, such as Group Policy and Windows Software Update Server (WSUS), you have a powerful and proven solution that you can apply in a consistent and scalable manner to your company's Windows Mobile powered devices.

The data that you can access from today’s mobile devices can be both business-critical and business-sensitive. Increasingly, organizations are deciding not to give unmanaged access to this data. However, cutting the mobile worker off from this information can be both inefficient and costly. Enabling managed and authenticated access to this data has to be the way forward for the modern organization. The power of the Windows Server platform and the agility and efficiencies of the Windows Mobile device platform provide a solution that can improve security while providing improved access to business information.

MDM Highlights

A managed device in an MDM implementation may become an important instrument of the enterprise because of the focus on security, controlling connectivity, and ease of administration.

MDM co-exists with the existing infrastructure and resources of your company. MDM requires minimal additional investment in hardware and software licenses. MDM significantly reduces cost of ownership compared to a non-MDM solution because most administrators are already familiar with many of the MDM system components.

To help you add Windows Mobile powered devices to your current IT infrastructure and manage these devices, MDM has extra features in the following areas:

  • Network connectivity
  • Security considerations
  • Device management
  • Connectivity optimization

Network Connectivity

Cellular wireless connectivity is improving constantly, but still lags behind the network connectivity that is available in a Wi-Fi (802.1X)-enabled enterprise network. Cellular connections are bandwidth constrained, subject to high error rates, and prone to delay and jitter (delay variation). MDM can manage Windows Mobile powered devices across various network bandwidths and conditions, ranging from speed-limited cellular networks up to full Wi-Fi connections. MDM does the following:

  • Addresses the complexities and challenges of Network Address Translation (NAT), especially when encountered in an IPsec-based application
  • Manages mobility and roaming for managed devices that may change their IP addresses during a session
  • Improves the user experience by keeping the underlying infrastructure transparent
  • Allows for, and manages, the low bandwidth available to a mobile device

Security Considerations

The data that mobile devices can access is becoming more business-sensitive as mobile applications and the devices themselves become more powerful. Therefore, it is increasingly important to protect and manage devices, and the way that they access the IT services, settings, and architecture of a company. MDM provides the following key security features to managed devices:

  • Encrypted access to e-mail messages and line-of-business (LOB) applications through the Internet
  • Active Directory® Domain Services authenticated network access
  • Device inventory and health inspection
  • Application approval and blocking by using Active Directory Group Policy
  • Remote device wipe to remove sensitive data from lost, stolen, or compromised devices

Device Management

For full acceptance of mobile devices in the enterprise, you must be able to control them as thoroughly as you manage computers, portable computers, and servers. Devices must be able to follow the security and operating policies of a company. Until recently, creating and enforcing a standard policy across many devices has been difficult or impossible. Device users were able to modify device settings in ways that could compromise the data that is stored on their devices. For example, a user was able to remove password protection. This gave unauthorized users access to the stored data if the device was lost or stolen.

In MDM, device enrollment involves the device following a controlled and managed process to become a trusted device and a member of the Active Directory domain. As with any computer or server, membership in the domain provides manageability. In addition, MDM lets you block a device from enrolling.

MDM lets you manage Windows Mobile powered devices in a manner that resembles portable business computers by using Group Policy and MDM software distribution, built upon WSUS, to make sure that devices follow the required policies and software package updates. Additionally, MDM lets you manage device loss or theft in an appropriate and timely manner.

Connectivity Optimization

All mobile devices are restricted with regard to battery power and network bandwidth. Make sure that any service that uses a Windows Mobile powered device is aware of the effect that this service will have in a mobile environment. MDM uses several techniques and technologies specifically to address these limitations:

  • Traffic aggregation: Constant network communication will drain a device battery. Therefore, MDM aggregates policy and software packages and issues them as one update the next time that the device connects to the company network. A configuration schedule sets the connection frequency.
  • Stable network address: MDM provides a stable internal IP address to a device so that an application can easily maintain a persistent connection as the device moves around in the network.
  • Data caching: MDM collects, validates, and caches information about a device. The operating system can resolve future queries from the cache, minimizing communication with the device.
  • Roaming state awareness: You can configure the MDM client component of Windows Mobile powered devices to reduce device communications based on network connection profiles. This can be useful for turning off MDM communications when the device should not communicate with MDM, such as when the device is subject to roaming charges.

For more information about Windows Mobile powered devices, see the Windows Mobile Web site: https://go.microsoft.com/fwlink/?LinkId=108529.

For more information about Windows Mobile powered devices for an enterprise, see the Windows Mobile Web Enterprise site: https://go.microsoft.com/fwlink/?LinkId=108530.

For more information about the Windows Mobile powered device Enterprise Resource Kit, see the Windows Enterprise Resource Kit Web site: https://go.microsoft.com/fwlink/?LinkId=108531.

For more information about Group Policy, see the Group Policy Web site: https://go.microsoft.com/fwlink/?LinkId=108532.

For more information about Windows Server operating systems, see the Windows Server Web site: https://go.microsoft.com/fwlink/?LinkId=108533.