System Center Mobile Device Manager (MDM) and Windows Mobile 6.1 security architecture offers the following features to help protect devices and the enterprise network against various threats and risks.

Term Definition

Access to data because of device theft or loss

  • Device lock requires a password or PIN to access the device when it is turned on.

  • Local device wipe occurs after a specified number of incorrect logon attempts.

  • Remote device wipe removes data and helps prevent unauthorized use.

  • Configurable number of password attempts allowed.

  • Local storage card wipe removes data and helps prevent unauthorized use.

  • Remote storage card wipe removes data and helps prevent unauthorized use.

  • Storage card encryption helps prevent unauthorized use.

  • Password policy enforcement, such as a required password for synchronization.

Access to data during transmission

  • Advanced Encryption Standard for SSL channel encryption in 128-bit and 256-bit cipher strengths.

  • MDM Gateway Server establishes and manages an Internet Protocol security (IPsec) tunnel to and from a managed Windows Mobile device. It checks that the device has a valid IPsec Security Association and establishes authenticated and encrypted communications over the Mobile Operator network or a public Wi-Fi network.

Unauthorized penetration into company network

  • IPsec client authentication.

  • Client authentication by using certificates created by Active Directory Domain Services and related public key infrastructure (PKI).

  • Encrypted access to e-mail and line-of-business (LOB) applications from the Internet.

  • MDM Gateway Server uses IPsec tunneling to communicate with and manage Windows Mobile devices outside the perimeter network and the double firewall that surrounds the company network.

  • Firewall protection between MDM Device Management Server and MDM Gateway Server by using a secure SSL connection. MDM Device Management Server begins all communications with MDM Gateway Server to help minimize the security risk of communicating with MDM Gateway Server in the perimeter network.

Unauthorized penetration into mobile device

  • Can disable unused features to reduce the potential attack surface.

Malicious software or viruses on mobile devices

  • Application approval and blocking by using Active Directory Group Policy.

  • Code execution control enables the device to lock so that only applications signed with a trusted certificate can run on the device.

  • Security policies help control the acceptance of unsigned attachments, applications, or files.

  • Two-tier access for code execution control. The executable runs if it is signed and has been granted permissions.

  • One-tier access for code execution control. The executable runs if signed.

  • Attachments for download can be size-restricted or denied.

See Also