Microsoft System Center Configuration Manager 2007 Mobile Device Management requires that prerequisites be in place on the site systems that will support mobile devices and that a suitable certificate infrastructure be accessible to mobile devices. This topic describes the three types of prerequisites that are required and the certificate infrastructure that allows a mobile device to be managed once the mobile device management client is installed and the device is ready to communicate with the Configuration Manager 2007 server.

Site System Prerequisites

To support mobile devices in mixed or native security mode, the following prerequisites are required on the distribution points that devices will use:

Note
A site must be in native security mode to manage Internet-based mobile devices.
  • Internet Information Services (IIS) and firewalls configured for communication between Configuration Manager 2007 site servers and mobile devices.

  • Web Distributed Authoring and Versioning (WebDAV) extensions for IIS enabled.

  • Background Intelligent Transfer Service (BITS) server extensions enabled on the distribution point.

  • Mixed mode only: anonymous access enabled on the distribution point.
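The following script, added here as an example and not part of the Configuration Manager documentation, audits the distribution point prerequisites above on the local IIS server and reports pass or fail for each. It assumes Windows Server 2008 R2 or later with PowerShell 3.0 or later, so that the ServerManager and WebAdministration modules and the `[pscustomobject]` syntax are available; the web site name and the distribution point virtual directory name (`SMS_DP_SMSPKG$`) are assumptions and must match the distribution point being checked. Firewall rules are outside what it inspects.

```powershell
# Added example (not from the Configuration Manager documentation): audit the
# distribution point prerequisites on the local IIS server.
# Assumes Windows Server 2008 R2+ and PowerShell 3.0+ (ServerManager and
# WebAdministration modules, [pscustomobject]).
Import-Module ServerManager
Import-Module WebAdministration

$SiteName     = 'Default Web Site'   # assumption: IIS web site hosting the DP
$DpVirtualDir = 'SMS_DP_SMSPKG$'     # assumption: virtual directory the DP publishes packages through
$MixedMode    = $true                # set to $false for a native mode site
$vdirPath     = "IIS:\Sites\$SiteName\$DpVirtualDir"

function Test-DpPrerequisites {
    param([string]$VdirPath, [string]$SiteName, [bool]$MixedMode)
    $checks = @()

    # IIS role services named by the prerequisites: WebDAV and the BITS server extensions
    foreach ($feature in @(
        @{ Name = 'Web-Server';         Check = 'IIS installed' },
        @{ Name = 'Web-DAV-Publishing'; Check = 'WebDAV extensions installed' },
        @{ Name = 'BITS-IIS-Ext';       Check = 'BITS server extensions installed' })) {
        $f = Get-WindowsFeature -Name $feature.Name
        $checks += [pscustomobject]@{ Check = $feature.Check; Pass = [bool]$f.Installed; Detail = $feature.Name }
    }

    # WebDAV must also be switched on for the virtual directory, not merely installed
    $webdav = Get-WebConfigurationProperty -PSPath $VdirPath -Filter 'system.webServer/webdav/authoring' -Name 'enabled'
    $checks += [pscustomobject]@{ Check = 'WebDAV authoring enabled on DP vdir'; Pass = [bool]$webdav.Value; Detail = $VdirPath }

    # Native mode relies on SSL, so the site needs an HTTPS binding for device connections
    $https = Get-WebBinding -Name $SiteName -Protocol 'https'
    $checks += [pscustomobject]@{
        Check  = 'HTTPS binding present'
        Pass   = ($null -ne $https)
        Detail = (@($https | ForEach-Object { $_.bindingInformation }) -join ', ')
    }

    # Mixed mode only: anonymous access on the DP virtual directory
    if ($MixedMode) {
        $anon = Get-WebConfigurationProperty -PSPath $VdirPath -Filter 'system.webServer/security/authentication/anonymousAuthentication' -Name 'enabled'
        $checks += [pscustomobject]@{ Check = 'Anonymous access enabled (mixed mode)'; Pass = [bool]$anon.Value; Detail = $VdirPath }
    }
    $checks
}

Test-DpPrerequisites -VdirPath $vdirPath -SiteName $SiteName -MixedMode $MixedMode | Format-Table -AutoSize
```

Run it in an elevated PowerShell session on the distribution point itself. The anonymous access check is deliberately skipped for native mode sites, because there the device authenticates with its own certificate rather than anonymously.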

Secure Communication Prerequisites

To support mobile devices in native security mode, the following certificate trust relationships are required:

  • The mobile device client must trust the SSL server authentication certificate of any server from which it gets policy or downloads software. This could be either the firewall/proxy server protecting the site systems or, for example in an Internet scenario, the site systems themselves.

  • The site systems (or firewall/proxy) must trust the SSL user authentication certificate used by the mobile device client to secure its half of the SSL connection.

  • The mobile device client must trust the site server signing certificate used by the Configuration Manager 2007 site server to sign policy sent to the mobile device client.

  • Any intermediate certification authority (CA) certificates necessary to complete the certificate trust chain to the PKI root must be installed on the device.

Secure Software Prerequisites

To protect mobile devices from malicious or untrusted software, all Windows Mobile devices starting with Windows Mobile 5.0 and Windows Mobile Smartphone 2003 require that installed software come from a trusted source.

  • The Windows Mobile platform verifies that both distributed software and any distributed .cab file are signed with a trusted software publishing certificate (SPC). Additionally, once the software is installed on a mobile device, the mobile device client verifies that the SPC that signed the code is from a trusted source every time the software is run.

  • Certain software must run at a privileged level on the mobile device. The Configuration Manager 2007 device management agent requires privileged permission to run on the device. To run with privileges, the software publishing certificate (SPC) used to code-sign the software must be in the SPC store on the device and must also be in the privileged execution store on the device. Software signed by certificates in the privileged execution store runs with elevated privileges; software signed by certificates in the unprivileged execution store runs in a normal user context.
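Before a package is distributed, an administrator can confirm on the workstation that it carries a valid Authenticode signature and that the signer is the SPC already provisioned in the device's SPC and privileged execution stores. The script below is an added example, not code from the Configuration Manager documentation; the package path and the expected thumbprint are placeholders, and `Get-AuthenticodeSignature` is the standard PowerShell cmdlet used for the check.

```powershell
# Added example (not from the Configuration Manager documentation): verify a
# package's Authenticode signature against the SPC provisioned on devices.
$PackagePath           = 'C:\packages\device-client.cab'                 # assumption: package to be distributed
$ExpectedSpcThumbprint = '0000000000000000000000000000000000000000'      # placeholder: thumbprint of the provisioned SPC

function Test-PackageSigning {
    param([string]$Path, [string]$ExpectedThumbprint)

    $sig    = Get-AuthenticodeSignature -FilePath $Path
    $signer = $sig.SignerCertificate
    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Code Signing enhanced key usage

    # Does the signing certificate actually carry the Code Signing EKU?
    $hasCodeSigningEku = $false
    $signerSubject     = '(unsigned)'
    $signerThumbprint  = ''
    if ($signer) {
        $signerSubject    = $signer.Subject
        $signerThumbprint = $signer.Thumbprint
        foreach ($ext in $signer.Extensions) {
            if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
                $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
                if ($ekus -contains $codeSigningOid) { $hasCodeSigningEku = $true }
            }
        }
    }

    $matchesSpc = ($signerThumbprint -ne '') -and ($signerThumbprint -eq $ExpectedThumbprint.ToUpper())

    [pscustomobject]@{
        Package               = $Path
        SignatureStatus       = $sig.Status          # only 'Valid' is acceptable
        Signer                = $signerSubject
        SignerThumbprint      = $signerThumbprint
        HasCodeSigningEku     = $hasCodeSigningEku
        MatchesProvisionedSpc = $matchesSpc
        # All three must hold before the package goes to devices
        ReadyToDistribute     = ($sig.Status -eq 'Valid') -and $hasCodeSigningEku -and $matchesSpc
    }
}

Test-PackageSigning -Path $PackagePath -ExpectedThumbprint $ExpectedSpcThumbprint | Format-List
```

A signature status other than `Valid` (for example `NotSigned` or `HashMismatch`) or a thumbprint that does not match the provisioned SPC means the device will either refuse the software or run it without the privileges the agent needs.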

Certificates on Mobile Devices

Microsoft System Center Configuration Manager 2007 security in native mode depends heavily on public key infrastructure (PKI) X.509 v3 certificates. Mobile devices themselves have no user logon or access to Active Directory to provide security. Certificates are therefore central to mobile device management, where they are used for everything from registering the mobile device client and securing the SSL connections to verifying that received software comes from a trusted source.

Certificates are stored in the following locations on the device:

  • Root certificate store - The root certificate for authenticating the server's SSL connection and the site server signing certificate used by the site server to sign policy. Any intermediate certification authority certificates needed to complete the trust chain to the root of the PKI being authenticated are also stored in the root certificate store.

  • Personal certificate store - The user authentication certificate used to authenticate the user for the SSL connection to the server. This certificate is also used to register the mobile device client with the site server.

  • SPC store - Any software publishing certificates (SPCs) trusted by the device. This may include the Microsoft Authenticode certificate used to sign the Microsoft System Center Configuration Manager 2007 mobile device client so that it can be installed on the mobile device. For more information about certificate requirements for Configuration Manager 2007 communication, see About Native Mode Certificates for Mobile Device Clients.

  • Privileged execution store - Any software publishing certificates that are required to allow applications to run with elevated rights on the mobile device.
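The trust relationships under Secure Communication Prerequisites and the store locations above both come down to one question: does each certificate chain to a root the device will hold, and which intermediates must be pushed to the device's root store alongside it? The script below, an added example rather than code from the Configuration Manager documentation, answers that on the administrator's workstation before the certificates are exported. For each certificate it checks the enhanced key usage the role calls for (Server Authentication for the site system's SSL certificate, Client Authentication for the device's user authentication certificate), builds the chain with the .NET `X509Chain` class, and lists every intermediate CA between leaf and root. The .cer file paths are assumptions.

```powershell
# Added example (not from the Configuration Manager documentation): check EKU
# and chain for the certificates destined for a mobile device, and list the
# intermediate CA certificates that must accompany the root on the device.
$certificatesToCheck = @(
    @{ Role = 'Server SSL (device root store)';              Path = 'C:\certs\site-system-ssl.cer';     Eku = '1.3.6.1.5.5.7.3.1' }, # Server Authentication
    @{ Role = 'Device user authentication (personal store)'; Path = 'C:\certs\device-user-auth.cer';    Eku = '1.3.6.1.5.5.7.3.2' }, # Client Authentication
    @{ Role = 'Site server signing (device root store)';     Path = 'C:\certs\site-server-signing.cer'; Eku = $null }                # chain check only
)

function Test-DeviceCertificate {
    param([string]$Role, [string]$Path, [string]$RequiredEku)

    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path

    # Collect the enhanced key usage OIDs the certificate actually carries
    $ekus = @()
    foreach ($ext in $cert.Extensions) {
        if ($ext -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]) {
            $ekus = @($ext.EnhancedKeyUsages | ForEach-Object { $_.Value })
        }
    }
    $hasEku = if ($RequiredEku) { $ekus -contains $RequiredEku } else { $true }

    # Build the chain against this workstation's stores. Revocation is not
    # checked so the result does not depend on CRL reachability from here.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainBuilds = $chain.Build($cert)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

    # Element 0 is the leaf and the last element is the root; everything in
    # between is an intermediate CA the device must also have installed.
    $intermediates = @()
    if ($elements.Count -gt 2) { $intermediates = $elements[1..($elements.Count - 2)] }

    [pscustomobject]@{
        Role                   = $Role
        Subject                = $cert.Subject
        NotAfter               = $cert.NotAfter
        HasRequiredEku         = $hasEku
        ChainBuilds            = $chainBuilds
        ChainStatus            = (@($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        Root                   = $elements[-1].Subject
        IntermediatesForDevice = (@($intermediates | ForEach-Object { $_.Subject }) -join '; ')
    }
}

$certificatesToCheck |
    ForEach-Object { Test-DeviceCertificate -Role $_.Role -Path $_.Path -RequiredEku $_.Eku } |
    Format-List
```

`ChainBuilds` false with a status such as `PartialChain` or `UntrustedRoot` means the workstation itself lacks part of the chain, so the device certainly will; resolve that before deciding which certificates to export. The `IntermediatesForDevice` list is the set of additional CA certificates the root certificate store on the device must receive for the trust chain to complete.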
