System Center Mobile Device Manager (MDM) works directly with your existing Public Key Infrastructure (PKI) for client and server certificate signing. If no current PKI is in place, or if you want to maintain a separate certification authority for device authentication, you can add a Microsoft enterprise certification authority. The Windows Server® 2003 Enterprise Edition operating system certification authority is the only supported issuing certification authority for MDM.
MDM uses certificates for remote authentication of Windows Mobile devices.
Certificate use with MDM provides the following benefits:
- Data is transferred confidentially between servers and managed devices by using encryption, which prevents data exposure over public Internet links.
- Servers and managed devices verify each other's identity by using mutual authentication during communication.
- MDM Gateway Server uses a server-specific certificate, together with the managed device's device-specific certificate, to authenticate the device and establish an IPsec connection. The managed device can then use its device certificate to create an end-to-end SSL session with the target line-of-business (LoB) host, and can use another certificate to authenticate applications.
Public Key Infrastructure
A PKI consists of the following basic components:
- Digital certificates
- Certification Authorities
- Certificate policy and practice statements
- Certificate repositories
- Certificate revocation lists (CRL)
- Certificate trust lists (CTL)
- Key archival and recovery
- Public key standards
For information about PKI, see the following PKI documentation:
- Public Key Infrastructure for Windows Server 2003 Enterprise Edition. For more information, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=68943
- Designing a Public Key Infrastructure (March 2003). For more information, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=78391
- Best Practices for Implementing a Windows Server 2003 Enterprise Edition Public Key Infrastructure. For more information, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=22667
Certificates
MDM uses certificates from your existing Public Key Infrastructure (PKI).
A Windows Server 2003 Enterprise Edition certification authority is the only fully supported certification authority for MDM. Its automatic enrollment and certificate renewal capabilities are key to providing the best end-user experience during MDM enrollment.
Note: When you introduce a Windows Server 2003 Enterprise Edition certification authority into a production environment, server certificates are issued to domain controllers.
MDM supports only one root. You must put one Enterprise Root certification authority in the root of the PKI infrastructure.
We recommend that you deploy at least one offline root certification authority and one subordinate (issuing) certification authority. Depending on your deployment, the supporting infrastructure might include one or more of the following:
- Active Directory® Directory Service (Windows Server 2003 forest and domain functional levels)
- Microsoft Domain Name System (DNS), correctly deployed and configured
- Certification Authority running Windows Server 2003 Enterprise Edition
- At least one Global Catalog server in the same Active Directory site as the MDM servers
- Microsoft SQL Server® 2005 with Service Pack 1 (SP1), local or remote to the MDM Device Management Server
MDM Certificate Templates
The following certificate templates are created during MDM installation. You can view these templates in the Certificate Templates MMC snap-in.
For more detailed information about these templates, see Creating Manual Certificates in the MDM Deployment Guide.
SCMDM2008GCM
MDM uses the SCMDM2008GCM template for digital signature and encryption.
The following table shows information about this template.
| Property | Value |
|---|---|
| Extensions | Client authentication |
| Validity | Two years |
| Automatic renewal? | No |
| Publish to Active Directory? | No |
SCMDM2008MobileDevice
MDM uses the SCMDM2008MobileDevice template for digital signature and encryption.
The following table shows information about this template.
| Property | Value |
|---|---|
| Extensions | Client authentication |
| Validity | One year |
| Automatic renewal? | Yes |
| Publish to Active Directory? | Yes |
SCMDM2008WebServer
MDM uses the SCMDM2008WebServer template for digital signature and encryption.
The following table shows information about this template.
| Property | Value |
|---|---|
| Extensions | Server authentication |
| Validity | Two years |
| Automatic renewal? | No |
| Publish to Active Directory? | No |
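As an added example that is not part of the MDM documentation, the following PowerShell script audits the certificates in the local computer's personal store against the expectations in the three template tables above: it reads the template name from the certificate template extension, then reports any MDM certificate whose Enhanced Key Usage or validity period does not match the template, or which has already expired. The EKU and template-extension OIDs are standard X.509 and Microsoft values; matching the template name in the formatted extension text is an assumption.

```powershell
# Added example: audit MDM certificates against the template tables above.
$clientAuth = '1.3.6.1.5.5.7.3.2'   # Client Authentication EKU
$serverAuth = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

# Expected EKU and maximum validity in days, taken from the template tables.
$templates = @{
    'SCMDM2008GCM'          = @{ Eku = $clientAuth; MaxDays = 731 }
    'SCMDM2008MobileDevice' = @{ Eku = $clientAuth; MaxDays = 366 }
    'SCMDM2008WebServer'    = @{ Eku = $serverAuth; MaxDays = 731 }
}

function Get-MdmTemplateName($cert) {
    # V1 template-name extension and V2 template-information extension
    foreach ($ext in $cert.Extensions) {
        if ($ext.Oid.Value -eq '1.3.6.1.4.1.311.20.2' -or
            $ext.Oid.Value -eq '1.3.6.1.4.1.311.21.7') {
            $text = $ext.Format($false)   # assumption: text contains the template name
            foreach ($name in $templates.Keys) {
                if ($text -match $name) { return $name }
            }
        }
    }
    return $null
}

function Test-MdmCertificate($cert) {
    $name = Get-MdmTemplateName $cert
    if (-not $name) { return }            # not issued from an MDM template
    $expected = $templates[$name]
    $findings = @()

    # Collect EKU OIDs from the Enhanced Key Usage extension (2.5.29.37).
    $ekus = @()
    $raw = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($raw) {
        $ekuExt = New-Object System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension($raw, $raw.Critical)
        $ekus = $ekuExt.EnhancedKeyUsages | ForEach-Object { $_.Value }
    }
    if ($ekus -notcontains $expected.Eku) { $findings += "missing EKU $($expected.Eku)" }

    # Validity period must not exceed what the template specifies.
    $days = ($cert.NotAfter - $cert.NotBefore).TotalDays
    if ($days -gt $expected.MaxDays) { $findings += "validity $([int]$days) days exceeds template" }
    if ($cert.NotAfter -lt (Get-Date)) { $findings += 'expired' }

    New-Object PSObject -Property @{ Template = $name; Subject = $cert.Subject;
                                     Thumbprint = $cert.Thumbprint; Findings = ($findings -join '; ') }
}

Get-ChildItem Cert:\LocalMachine\My | ForEach-Object { Test-MdmCertificate $_ } |
    Where-Object { $_ } | Format-Table Template, Subject, Findings -AutoSize
```

Run it on MDM Gateway Server and MDM Device Management Server; an empty Findings column for every row means the issued certificates match the templates.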
Additional Resources
Windows Server 2003 PKI information
- For information about how to plan, configure, and implement a Windows Server 2003 Enterprise Edition PKI, see Securing Wireless LANs - A Windows Server 2003 Certificate Services Solution, at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=111414
- For more information about how to design a PKI, see Public Key Infrastructure for Windows Server 2003 at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=111418
Security and Windows Mobile-powered Devices
- For more information about security on Windows Mobile devices, see Security Model for Windows Mobile 5.0 and Windows Mobile 6, at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=89639