Windows Mobile devices that are running Windows Mobile 6.1 contain the System Center Mobile Device Manager (MDM) client application that lets you manage the device through MDM. This application is not included in earlier versions of Windows Mobile. Windows Mobile 6.1 supports the necessary standards to enable the client to establish an authenticated and encrypted communications channel to MDM Gateway Server.
Mobile Operators may have access to device settings to configure settings for their network and services even after enrollment in MDM. During enrollment, existing references to the Mobile Operator Open Mobile Alliance (OMA) device management (DM) servers are preserved. Therefore, in principle, those servers can access the device. However, the OMA DM servers are typically not exposed to the Internet, and therefore cannot update a device when Mobile VPN is active.
The Windows Mobile 6.1 client contains the following security-related features specific to MDM:
Enrollment Client, which is responsible for enrolling the device into the managed MDM environment. During the enrollment process, the device is bootstrapped with the necessary VPN connectivity settings, and the certificates and certificate chain are installed. The device will then use these certificates to authenticate on the company network.
Mobile VPN client, which is based on IPsec and has the logic, rules, policies, and settings for the VPN tunnel. After the enrollment process configures the Mobile VPN client, there is a sustained, always-on connection to MDM Gateway Server.
For more information about MDM client architecture, see MDM Client Architecture in the MDM Architecture Guide.
To configure devices, IT administrators use Group Policy to deliver and apply policy settings to targeted users and computers in an Active Directory environment. For information about security policies that you can apply to a device, see Security Policies in MDM.
For information about applying Group Policy, see the following topics in MDM Operations at this Microsoft Web site:
Client-Side Targeting Through Group Policy
Device to One or More Groups
Managed Devices with Group Policy