11/11/2008
The System Center Mobile Device Manager (MDM) client application that lets you manage a Windows Mobile device through MDM is built into Windows Mobile 6.1 devices. It is not included in earlier versions of Windows Mobile. Windows Mobile 6.1 supports the standards needed to allow the client to establish an authenticated and encrypted communications channel to MDM Gateway Server.
Note: Mobile operators can disable the MDM management functionality on your managed devices. Check with the operator to make sure that it will allow this functionality on devices that you purchase from them.
The following illustration shows the architecture of the MDM client on a Windows Mobile 6.1 device:
The MDM client architecture consists of the following primary components:
- Enrollment client: The Enrollment client is responsible for enrolling the device into the managed MDM environment. During the enrollment process, the device is bootstrapped with the necessary settings, and the certificates and certificate chain are installed. The device uses these certificates to authenticate to the company network.
- Device management client: The Device Management client receives the settings and policies from Group Policy and applies them to the managed mobile device. This communication is authenticated with MDM Device Management Server. SSL is used for the communication, even when the data is encapsulated in the virtual private network (VPN) tunnel.
- Software distribution client: The Software Distribution client enables over-the-air distribution of software packages to managed Windows Mobile devices. This client works together with Windows Server Update Services (WSUS) to deploy packages that can contain new software applications, updates to existing applications and systems, new policies, and changes to existing policies.
- Device applications: The device applications, for example, LOB mobile applications, are included with the Windows Mobile devices, or you can install them later. These applications may require access to the company network or to the Internet, depending on their nature.
- Mobile VPN client: The Mobile VPN client is based on IPsec and contains the logic, rules, policies, and settings for the VPN tunnel. After the enrollment process configures the Mobile VPN client, there is a sustained, always-on connection to MDM Gateway Server.
  The Mobile VPN client establishes the Mobile VPN tunnel to MDM Gateway Server. MDM Gateway Server then authenticates the tunnel by using the machine certificates provided to the device during enrollment. The negotiation for the encrypted and authenticated IPsec connection is done by using IKEv2.
  The encryption mechanisms supported for this IPsec tunnel are Triple Data Encryption Standard (3DES) and Advanced Encryption Standard (AES) with 128-, 192-, or 256-bit key lengths. SHA-2 is used for hashing. The Mobile VPN client has default settings and policies that define its behavior. The administrator can use Group Policy to reconfigure and control these settings.
  The Mobile VPN client supports key features for a mobile environment, such as Network Address Translation-Traversal (NAT-T) and IKEv2 Mobility and Multi-homing (MOBIKE), to negotiate fast reconnections.
  If administrator policies allow the user to disable the Mobile VPN client, the user can do so when access to the company network is temporarily unnecessary. Administrators can configure the client to operate in a low-traffic mode for times when the device is roaming.
- Mobile VPN drivers: When the Mobile VPN tunnel is connected, the Mobile VPN driver intercepts all traffic and then either sends it over the Mobile VPN tunnel or discards it.
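The algorithm profile stated above for the Mobile VPN tunnel (3DES or AES with 128-, 192-, or 256-bit keys, SHA-2 for hashing) is the kind of thing an administrator wants to audit before accepting a gateway or policy configuration. The following Python is an added example, not code from this documentation or from the MDM product: the `enc[bits]-hash` proposal notation (for example `aes256-sha256`), the `audit_proposal`/`audit`/`summarize` helpers, and the sample proposal list are constructed assumptions for illustration, not a Group Policy or MDM format.

```python
"""Audit IKEv2/IPsec proposal strings against the algorithm profile stated
for the MDM Mobile VPN tunnel: 3DES or AES-128/192/256 encryption, SHA-2 hashing.

Added example; the proposal notation "enc[bits]-hash" is an assumption made
here for illustration and is not an MDM or Group Policy format.
"""
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List

# Encryption algorithms named on the page. 3DES has a fixed 168-bit key and takes
# no explicit length in this notation; AES must state one of the three lengths.
SUPPORTED_AES_BITS = {128, 192, 256}
# SHA-2 family members; the page states SHA-2 is used for hashing.
SUPPORTED_HASHES = {"sha256", "sha384", "sha512"}

# Accept the common short names so weak or legacy algorithms can be named in
# the finding instead of being reported as unparseable.
PROPOSAL_RE = re.compile(
    r"^(?P<enc>3des|aes|des|null|rc4)(?P<bits>\d+)?-(?P<hash>[a-z0-9]+)$"
)


@dataclass(frozen=True)
class Finding:
    proposal: str
    status: str  # "ok", "reject" or "unparseable"
    reason: str


def audit_proposal(proposal: str) -> Finding:
    """Classify one proposal string against the stated profile."""
    m = PROPOSAL_RE.match(proposal.strip().lower())
    if not m:
        return Finding(proposal, "unparseable", "does not match enc[bits]-hash form")
    enc, bits, hsh = m.group("enc"), m.group("bits"), m.group("hash")

    if enc not in ("3des", "aes"):
        return Finding(proposal, "reject", f"encryption '{enc}' is not 3DES or AES")
    if enc == "aes":
        if bits is None or int(bits) not in SUPPORTED_AES_BITS:
            return Finding(proposal, "reject", f"AES key length '{bits}' is not 128/192/256")
    elif bits is not None:
        return Finding(proposal, "reject", "3DES does not take an explicit key length")
    if hsh not in SUPPORTED_HASHES:
        return Finding(proposal, "reject", f"hash '{hsh}' is not a SHA-2 algorithm")

    # 3DES is within the page's supported set but is a legacy cipher today;
    # the reason string records that so a reviewer can prefer the AES entries.
    note = " (3DES is a legacy cipher)" if enc == "3des" else ""
    return Finding(proposal, "ok", "matches supported profile" + note)


def audit(proposals: Iterable[str]) -> List[Finding]:
    return [audit_proposal(p) for p in proposals]


def summarize(findings: Iterable[Finding]) -> Dict[str, int]:
    """Count findings per status, e.g. {"ok": 3, "reject": 4, "unparseable": 1}."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.status] = counts.get(f.status, 0) + 1
    return counts


# Constructed sample proposals: three conform, four use an algorithm or key
# length outside the stated profile, one is malformed.
SAMPLE_PROPOSALS = [
    "aes256-sha256", "aes128-sha384", "3des-sha256",
    "aes64-sha256", "des-sha1", "aes256-md5", "aes256-sha1",
    "bogus",
]

if __name__ == "__main__":
    results = audit(SAMPLE_PROPOSALS)
    for f in results:
        print(f"{f.status:11} {f.proposal:15} {f.reason}")
    print(summarize(results))
```

Each proposal gets a single finding with the first failing rule named, so a rejected entry tells the reviewer whether the cipher, the key length, or the hash is the problem; the summary is what a policy check would gate on.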