The System Center Mobile Device Manager (MDM) client application that lets you manage a Windows Mobile device through MDM is built into Windows Mobile 6.1 devices. It is not included in earlier versions of Windows Mobile. Windows Mobile 6.1 supports the standards needed to allow the client to establish an authenticated and encrypted communications channel to MDM Gateway Server.
|Mobile operators can disable the MDM management functionality on your managed devices. Check with the operator to make sure that it will allow this functionality on devices that you purchase from them.|
The following illustration shows the architecture of the MDM client on a Windows Mobile 6.1 device:
The MDM client architecture consists of the following primary components:
Enrollment client: The Enrollment client is responsible for
enrolling the device onto the managed MDM environment. During the
enrollment process, the device is bootstrapped with the necessary
settings and the certificates and certificate chain install. The
device will use these certificates to authenticate on the company
Device management client: The Device Management client
receives the settings and policies from Group Policy and applies
them to the managed mobile device. This communication authenticates
by using MDM Device Management Server. SSL is used for the
communication, even when data is encapsulated over the virtual
private network (VPN) tunnel.
Software distribution client: The Software Distribution
client enables over-the-air distribution of software packages to
managed Windows Mobile devices. This client works together with
Windows Server Update Services (WSUS) to deploy packages that can
contain new software applications, updates to existing applications
and systems, new policies, and changes to existing policies.
Device applications: The device applications, for example,
LOB mobile applications, are included with the Windows Mobile
devices, or you can install them later. These applications may
require access to the company network or to the Internet, depending
on their nature.
Mobile VPN client: The Mobile VPN client is based on IPsec
and has the logic, rules, policies, and settings for the VPN
tunnel. After the enrollment process configures the Mobile VPN
client, there is a sustained, always-on connection to MDM Gateway
The Mobile VPN client establishes the Mobile VPN tunnel to MDM Gateway Server. MDM Gateway Server then authenticates the tunnel by using the machine certificates provided to the device during the enrollment. The negotiation for the encrypted and authenticated IPsec connection is done by using IKEv2.
The encryption mechanisms supported for this IPsec tunnel are the Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) that use 128-, 192-, or 256-bit key lengths. SHA-2 is used for hashing. The Mobile VPN client has default settings and policies that define its behavior. The administrator can use Group Policy to reconfigure and control these settings.
The Mobile VPN client supports key features for a mobile environment such as Network Address Translation-Traversal (NAT-T) and IKEv2 Mobility and Multi-homing (MOBIKE) to negotiate fast reconnections.
If administrator policies allow the user to disable the Mobile VPN client, the user can do so if access to the company network is temporarily unnecessary. Administrators can configure the client to operate in a low-traffic mode for times when the device is roaming.
Mobile VPN drivers: When the Mobile VPN tunnel is connected,
the Mobile VPN driver intercepts all traffic and then sends the
traffic over the Mobile VPN tunnel or discards it.