By building on the existing infrastructure of the enterprise, the System Center Mobile Device Manager (MDM) security architecture helps protect company data and communications.
The security architecture helps companies control their own security and data. Unlike some solutions, you do not have to use a third-party network operations center with its associated risks of downtime and compromise of information. In addition, Windows Mobile devices can communicate with enterprise communication services by using industry-standard protocols that run on most mobile operator networks. This eliminates geographical restrictions on service availability.
The following illustration shows a high-level view of Windows Mobile security architecture. This includes Windows Mobile devices, Exchange Server, and existing company network components.
This illustration is described in the following sections.
All access to the company intranet is through the perimeter network, also known as the DMZ or screened subnet. The perimeter network contains MDM Gateway Server between an external (outward facing) and internal firewall. The following shows how this topology helps protect company data.
- Before a Windows Mobile device can connect to MDM Gateway Server, it must enroll to establish itself as a known and authenticated object in the Active Directory® Domain Service. After authentication, the device can connect to MDM Gateway Server to access company network resources.
- MDM Gateway Server is a stand-alone server, not domain-joined, and shares no accounts or passwords with the company domain. It makes no direct use of Active Directory Domain Service, NTLM, or Kerberos to authenticate devices, because these would require the server to be domain-joined or to store domain credentials. Instead, MDM Gateway Server authenticates an incoming connection request by verifying that the certificate the request presents was signed by a particular root certificate. MDM Gateway Server then checks incoming connections against a blocked-device list that you can configure.
- MDM Device Management Server issues commands to MDM Gateway Server over a mutually authenticated SSL connection through the internal firewall. MDM Device Management Server initiates communications to MDM Gateway Server, never the other way around, which helps minimize the security risk of communicating with MDM Gateway Server in the perimeter network.
Security Note: For increased security, MDM Gateway Server does not initiate communications with MDM Device Management Server. You can configure the port that the Gateway Central Management (GCM) uses to manage MDM Gateway Server. By default, it uses the standard TCP port 443 for SSL traffic.
Windows Mobile Powered Device
The device connects to the company intranet by using the Mobile virtual private network (VPN) client on the Windows Mobile device.
The Windows Mobile device uses IPsec to authenticate and encrypt data that passes between the device and MDM Gateway Server. After the Mobile VPN connection is established, all network traffic from the cellular wireless wide area network (WWAN) or Wi-Fi connection is redirected to MDM Gateway Server through the Mobile VPN connection.
On a server that is running MDM, you can use Group Policy and MDM software distribution to make sure that each Windows Mobile device applies the required policies and software packages. Because MDM builds on these existing mechanisms, it extends your company infrastructure so that you can manage Windows Mobile devices with familiar tools and capabilities.
MDM Enrollment Server
MDM Enrollment Server contains the Enrollment Web service, hosted by Internet Information Services (IIS). This service manages incoming requests from mobile devices to enroll them in the managed infrastructure. As soon as MDM Enrollment Server receives a request, this service manages communications with the mobile device until it becomes a domain-joined managed mobile device. After it enrolls, MDM Gateway Server handles communications.
MDM Device Management Server
MDM Device Management Server provides services to interface with the management infrastructure of company servers and services by using MDM Gateway Server in the perimeter network.
The following shows how these services help protect company data:
- MDM Software Distribution Console: MDM software distribution uses Windows Server Update Services (WSUS) to distribute applications to managed devices. MDM Software Distribution Console provides the interface to WSUS. All external communications use the standard WSUS interfaces.
- MDM Group Policy Service: This service communicates with the Group Policy service on the company domain controllers. It determines the Resultant Set of Policy (RSoP) from the Active Directory Domain Service for each device object in the domain. These settings are aggregated, recorded in the relevant database, and used to update a device, if required, the next time that it connects.
- MDM Remote Wipe Service: This service manages the command to wipe data from a managed mobile device. When a wipe command is issued from a management console, the console notifies this service. The remote wipe service then communicates with a domain controller to remove the Active Directory Domain Service object for the device, and with the certification authority to revoke the certificate that the device was using. After confirmation that the device is wiped, or after the grace period has expired, the command makes sure that MDM Gateway Server and the databases are updated so that the device is unable to connect to the system by using its previous credentials. To rejoin the managed environment, the device must complete the enrollment process again.
- Gateway Central Manager (GCM): This service communicates configuration changes and updates to MDM Gateway Server in the perimeter network. MDM Device Management Server pushes this information to the management IIS instance on MDM Gateway Server through an SSL connection.
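The two gateway checks described in the perimeter network section (the device certificate must chain to the enrollment root, and the device must not be on the blocked-device list) and the remote wipe sequence just described can be modelled together. The following Go program is an added example, not MDM's own code; the Gateway, Directory, RemoteWipe and NewCert names, the choice to measure the grace period from the time the wipe command was issued, and the self-signed test PKI are assumptions made here for illustration. It uses only the Go standard library's crypto/x509 package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Gateway models MDM Gateway Server's checks (hypothetical type): the device certificate
// must chain to the enrollment root, and the device must not be on the blocked-device list.
type Gateway struct {
	roots   *x509.CertPool
	blocked map[string]bool // keyed by certificate serial number (hex); no domain access needed
}

func NewGateway(root *x509.Certificate) *Gateway {
	pool := x509.NewCertPool()
	pool.AddCert(root)
	return &Gateway{roots: pool, blocked: map[string]bool{}}
}

// Authorize returns nil only for a certificate issued under the enrollment root,
// valid for client authentication, whose device is not on the blocked list.
func (g *Gateway) Authorize(device *x509.Certificate, now time.Time) error {
	_, err := device.Verify(x509.VerifyOptions{
		Roots: g.roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return fmt.Errorf("not issued under the enrollment root: %w", err)
	}
	if g.blocked[device.SerialNumber.Text(16)] {
		return fmt.Errorf("device %s is on the blocked-device list", device.Subject.CommonName)
	}
	return nil
}

// Directory stands in for the domain-side state the remote wipe service touches:
// Active Directory device objects (by name) and CA revocations (by serial number).
type Directory struct {
	DeviceObjects map[string]bool
	Revoked       map[string]bool
}

// RemoteWipe follows the order given above: remove the AD object and revoke the certificate
// at once; only after the wipe is confirmed or the grace period (assumed to run from when the
// command was issued) expires is the gateway updated. It reports whether the gateway changed.
func RemoteWipe(dir *Directory, gw *Gateway, dev *x509.Certificate, confirmed bool, issued, now time.Time, grace time.Duration) bool {
	delete(dir.DeviceObjects, dev.Subject.CommonName)
	dir.Revoked[dev.SerialNumber.Text(16)] = true
	if confirmed || now.Sub(issued) >= grace {
		gw.blocked[dev.SerialNumber.Text(16)] = true // old credentials stop working here
		return true
	}
	return false
}

// NewCert builds a certificate in the constructed test PKI: a self-signed enrollment
// root when parent is nil, otherwise a device certificate issued under parent.
func NewCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	if parent == nil { // self-signed root: may sign certificates
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	} else { // enrolled device: client authentication only
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

func main() {
	root, rootKey := NewCert("Constructed MDM Enrollment Root", 1, nil, nil)
	dev, _ := NewCert("device-0001", 1001, root, rootKey)
	gw := NewGateway(root)
	fmt.Println("enrolled:", gw.Authorize(dev, time.Now()))
	dir := &Directory{DeviceObjects: map[string]bool{"device-0001": true}, Revoked: map[string]bool{}}
	RemoteWipe(dir, gw, dev, true, time.Now(), time.Now(), time.Hour)
	fmt.Println("after wipe:", gw.Authorize(dev, time.Now()))
}
```

The gateway in this model consults only its own blocked list, never the CA's revocation state, which matches the page's point that MDM Gateway Server holds no domain credentials. That makes the blocked-list update the control that actually stops a wiped device from reconnecting; until confirmation or grace-period expiry, the device's previous certificate still chains and is still accepted, so the length of the grace period is a risk decision worth recording.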
Active Directory Domain Service
The Windows directory service stores credentials for VPN and 802.1X-based connections and the Group Policy settings that configure the required settings on each managed mobile device. Examples include configuring ActiveSync® settings or enabling a Password required policy.
The MDM security model requires X.509 certificates. MDM works directly with your existing PKI for client and server certificate signing. To issue certificates for MDM, you must have a certificate server that is running the Windows Server® 2003 Enterprise Edition operating system with Service Pack 2 (SP2).
E-Mail and LOB servers
Windows Mobile devices managed by MDM can gain access to company line of business (LOB) application servers. This includes the following:
- Exchange servers: You can grant direct access to company Exchange servers from devices that use Outlook Mobile. This provides calendar scheduling and e-mail services.
- Custom application servers: In-house applications that provide Web services to mobile clients can be made available to the managed mobile devices.