Microsoft System Center Configuration Manager 2007 Mobile Device Management requires that prerequisites be in place on the site systems that will support mobile devices, and that a proper certificate infrastructure be accessible to mobile devices. This topic describes the three types of prerequisites that are required, and the certificate infrastructure that enables a mobile device to be managed once the mobile device management client is installed and the device is ready to communicate with the Configuration Manager 2007 site.
Site System Prerequisites
To support mobile devices in either mixed or native security mode, the following prerequisites are required on the site systems, in particular the distribution points, that mobile devices will use:
Note: A site must be in native security mode to manage Internet-based mobile devices.
- Internet Information Services (IIS) and any firewalls configured to allow communication between Configuration Manager 2007 site systems and mobile devices.
- Web Distributed Authoring and Versioning (WebDAV) extensions for Internet Information Services (IIS).
- Background Intelligent Transfer Service (BITS) extensions enabled on the distribution point.
- Mixed mode only: anonymous access must be enabled on the distribution point.
Secure Communication Prerequisites
To support mobile devices in native security mode, the following certificate trust relationships are required:
- The mobile device client must trust the SSL server authentication certificate of every server from which it gets policy or downloads software. Depending on the topology, that server is either the firewall or proxy server protecting the site systems or, for example in an Internet scenario, the site systems themselves.
- The site systems (or the firewall/proxy) must trust the SSL user authentication certificate that the mobile device client presents to secure its half of the mutually authenticated SSL connection.
- The mobile device client must trust the site server signing certificate that the Configuration Manager 2007 site server uses to sign the policy it sends to the mobile device client.
- Any intermediate certification authority (CA) certificates needed to complete the trust chain from these certificates to the PKI root must be installed on the device; the device cannot validate a certificate whose chain it cannot complete.
Secure Software Prerequisites
To protect mobile devices from malicious or untrusted software, all Windows Mobile devices starting with Windows Mobile 5.0 and Windows Mobile Smartphone 2003 require that installed software come from a trusted source.
- The Windows Mobile platform verifies that both the distributed software and any distributed .cab file are signed with a trusted software publishing certificate (SPC). Additionally, once the software is installed on a mobile device, the mobile device client verifies that the SPC that signed the code is from a trusted source every time the software is run, not only at installation.
- Certain software must operate at a privileged level on the mobile device. The Configuration Manager 2007 device management agent requires privileged permission to run on the device. To run with privileges, the Software Publisher Certificate (SPC) used to code-sign the software must be in the SPC store on the device AND in the privileged execution store on the device; presence in the SPC store alone is enough to install and run the software, but not to run it with elevated rights. Software signed by certificates in the privileged execution store runs with elevated privileges. Software signed by certificates in the unprivileged execution store runs in a normal
Certificates on Mobile Devices
Microsoft System Center Configuration Manager 2007 security in native mode depends heavily on X.509 v3 certificates issued by a public key infrastructure (PKI). Mobile devices have no user logon and no access to Active Directory to provide security, so certificates are extremely important to mobile device management: they are used for everything from registering the mobile device client and securing the SSL connections to verifying that received software is from a trusted source.
Certificates are stored in the following locations on the device:
- Root certificate store - The root certificate used to authenticate the server side of the SSL connection, and the site server signing certificate used by the site server to sign policy. Any intermediate certification authority certificates needed to complete the trust chain to the root of the PKI being authenticated are also stored in the root certificate store.
- Personal certificate store - The user authentication certificate used to authenticate the device's user for the SSL connection to the server. This certificate is also used to register the mobile device client with the site server.
- SPC store - Any software publishing certificates (SPCs) trusted by the device. This may include the Microsoft Authenticode certificate used to sign the Microsoft System Center Configuration Manager 2007 mobile device client so that it can install on the mobile device. For more information about certificate requirements for Configuration Manager 2007 communication, see About Native Mode Certificates for Mobile Device Clients.
- Privileged execution store - Any software publishing certificates that are required to allow applications to run with elevated rights on the mobile device.