The System Center Mobile Device Manager (MDM) and Windows Mobile 6.1 security architecture offers the following features to help protect devices and the enterprise network against the threats and risks listed below.

Access to data because of device theft or loss
- Device lock requires a password or PIN to access the device when it is turned on.
- Local device wipe occurs after a specified number of incorrect
- Remote device wipe removes data and helps prevent unauthorized
- Configurable number of password attempts allowed.
- Local storage card wipe removes data and helps prevent
- Remote storage card wipe removes data and helps prevent
- Storage card encryption helps prevent unauthorized use.
- Password policy enforcement, such as a required password for

Access to data during transmission
- Advanced Encryption Standard (AES) for SSL channel encryption in 128-bit and 256-bit cipher strengths.
- MDM Gateway Server establishes and manages an Internet Protocol security (IPsec) tunnel to and from a managed Windows Mobile device. It checks that the device has a valid IPsec Security Association and establishes authenticated and encrypted communications over the Mobile Operator network or a public Wi-Fi

Unauthorized penetration into company network
- IPsec client authentication.
- Client authentication by using certificates created by Active Directory Domain Services and related public key infrastructure
- Encrypted access to e-mail and line-of-business (LOB) applications from the Internet.
- MDM Gateway Server uses IPsec tunneling to communicate with and manage Windows Mobile devices outside the perimeter network and the double firewall that surrounds the company network.
- Firewall protection between MDM Device Management Server and MDM Gateway Server by using a secure SSL connection. MDM Device Management Server initiates all communications with MDM Gateway Server, which helps minimize the security risk of communicating with a server located in the perimeter network.

Unauthorized penetration into mobile device
- Can disable unused features to reduce the potential attack

Malicious software or viruses on mobile devices
- Application approval and blocking by using Active Directory
- Code execution control enables the device to lock so that only applications signed with a trusted certificate can run on the
- Security policies help control the acceptance of unsigned attachments, applications, or files.
- Two-tier access for code execution control. The executable runs if it is signed and has been granted permissions.
- One-tier access for code execution control. The executable runs
- Attachments for download can be size-restricted or denied.