Microsoft® System Center Mobile Device Manager 2008 SP1
Chip Vollers, Mobile Business Experience Marketing, Sr. Product Manager, [email protected]
Agenda
• Mobility Overview
• Worldwide Mobility Market
• System Center Mobile Device Manager 2008
• Demo
• MDM SP1 Features
• Microsoft Stack Integration
• Competitive Overview
• Pricing and Licensing
• Information & Links
Mobile Devices Are Not Laptops
Mobile devices…
• Are more easily lost or stolen.
• Require persistent connectivity.
• Have capabilities driven by form factor and user interface.
• Must also function as phones.
• Are outside the corporate network most or all of the time.
Why do DMSec and mVPN Matter for Mobility?
• Proliferation of connected devices outpacing PCs
• Growth of worldwide mobile workforce
• Expansion of mLOB application development and usage—more mLOB users means lower cost per user and higher per user mLOB ROI
• Desire for more secure network connectivity from mobile devices
Mobility Drives Growth
Chart: CAGR (%) 2006–2010 by device category:
• Converged Mobile Phones: 34.1%
• Mobile PCs: 18.6%
• Mobile Phones: 5.8%
• Desktop PCs: 3.9%
245 Million Converged Devices by 2010
Source: Gartner, Dataquest, and IDC 2006
Worldwide Market Opportunity
Worldwide, the mobile worker population is expected to increase to 878 million by 2009, accounting for >27% of the total global workforce.
SOURCE: IDC, WW Mobile Worker Population, October 2006
Balanced Market Growth
Balanced growth driven by both mobile messaging and rich mobile scenarios beyond e-mail:
• Corporate data access and mobile LOB grows 41% (CAGR) from CY 2006–2011.
• Messaging grows 46% in the same time period.
Note: Sizing based on support for Microsoft solutions. Source: MED Finance analysis and industry reports
Chart labels (2006 and 2011 columns): Corporate data access and mobile LOB 31.5 MM / 6.2 MM; Mobile Messaging 71.2 MM / 10.7 MM; mLOB only 0.9 MM / 8.3 MM
What is MDM?
System Center Mobile Device Manager 2008
MDM helps to…
• Safeguard corporate data from unauthorized access.
• Reduce the cost and complexity of mobile deployments.
• Maintain persistent and enhanced security for connectivity.
• Simplify device management.
MDM Overview
MDM is a comprehensive device management solution that enables efficient control of Windows Mobile® devices. With MDM, customers can:
• Set and control policies using Active Directory® and Group Policy.
• Extend corporate data and line of business (LOB) applications in a security-enhanced virtual private network (VPN) environment.
• Execute a remote wipe with the “always on” Mobile VPN (mVPN) if a device is lost or falls into the wrong hands.
• Lock down communications and device resources for compliance and confidentiality purposes—disable Bluetooth, SMS/MMS, WLAN/Wi-Fi, Infrared, POP/IMAP e-mail, and even camera functionality.
• Take advantage of advanced features including policy enforcement, inventory and reporting, and software distribution from a single point of management.
What IT pains does MDM solve?
How to:
• Manage mobile devices like PCs on the corporate network
• Manage policies and software distribution to multiple groups of users
• Provision mobile devices without physically touching them
• Allow more secure connectivity with single-point network access control
• Allow specific business units individual control over the devices in their business unit
Aligning with Customer Priorities
Key BDM Priorities
• End user productivity
• Scalable and reliable procurement
• Minimized support costs and TCO
“I need a strong ROI justification if I am going to roll out mobile devices to most of my organization and not just the managers”
- Director of business group for major manufacturer
Key IT Priorities
• Secure data and network access
• Manageable, scalable IT infrastructure
• Standardization vs. point solutions
• Integration and alignment with existing systems
• Minimized training and support
“Make it just another device on my network that I control and manage, one that’s an integral part of my existing architecture and security framework”
- VP of IT for Large Wall Street Bank
Key End User Priorities
• Robust access to corporate info
• Dependable and resilient phone experience
• Superior productivity including unified communications
“Provide me with always available access to the people, information, and applications I need even when I am on the go”
- Sales Manager for global pharmaceutical firm
MDM Core Feature Areas
MDM enables Windows Mobile 6.1 devices to be deployed and managed like PCs and laptops in the IT infrastructure, providing them network access to corporate data and making them first-class citizens on the corporate network.
Management Workload (deployment: inside firewall)
Security Management
• Active Directory Domain Join
• Policy enforcement using Active Directory and Group Policy targeting (>130 policies and settings)
• Communications and camera disablement
• File encryption
• Application allow and deny
• Remote wipe
• OMA-DM compliance
Device Management
• Single point of management for mobile devices in enterprise
• Full OTA provisioning and bootstrapping
• OTA software distribution based on WSUS 3.0
• Device data and inventory reporting
• SQL Server 2005-based reporting capabilities
• Role-based administration
• MMC snap-ins and PowerShell cmdlets
• WMU on/off control
• OMA-DM compliance
Network Access Workload (deployment: in DMZ)
Mobile VPN
• Machine authentication and “double envelope security”
• Session persistence
• Fast reconnect
• Internetwork roaming
• Standards support (IKEv2, IPsec tunnel mode)
Security Management Benefits
• System Center Mobile Device Manager extends Active Directory/Group Policy to Windows Mobile.
• Over 130 configuration settings are now managed through Group Policy including control of Bluetooth, WIFI, SMS/MMS, IR, Camera, and POP/IMAP.
• Architecture is extensible.
Device Management Benefits
• Enterprise-wide OTA software distribution
− Leverages Windows Software Update Service (WSUS) 3.0
− Most widely deployed Windows software update solution across organizations of all sizes (60%+ penetration)
− Rich targeting and packaging capabilities required by IT departments
• Rich Inventory and Reporting
− Robust hardware and software inventory capabilities
− SQL Server 2005–based reporting infrastructure
− Highly flexible
− Customizable
Mobile VPN attributes
Security
• End-to-end security features
• Headless gateway deployed in the DMZ
• Privacy compliance
Efficiency
• Use best available channel
• Adapt to network to minimize keep-alive traffic (goal)
Extensible
• Transparent to mobile application
• Transparent to LOB services
Reliability
• Always connected
• Allows push technology
Simplicity
• Minimum user configuration
• Transparent to user and to applications
Mobile VPN Benefits
• Offers features to help secure behind-the-firewall access to the corporate network and applications.
− Access data from a broad range of Intranet sites (e.g. SAP, Siebel, intranet sites, SQL Server)
• Aligns with existing remote access model for desktops/laptops and scales to a broad set of scenarios.
Diagram: Mobile devices reach the Internet over a mobile operator cellular data connection or a WiFi connection and establish a Mobile VPN to the Mobile VPN Gateway in the DMZ, between the corporate external firewall and the corporate internal firewall. The gateway provides controlled access to internal corporate resources (internal corporate site, domain controller) from mobile devices connected via Mobile VPN.
Mobile VPN vs. Non-Mobile VPN
• mVPN is bandwidth-optimized:
− Less data throughput per task
− More efficient use of the radio stack
− Greater battery life
• mVPN is connectivity-optimized:
− Fast reconnect
− Session persistence
• mVPN is security-optimized:
− “Double envelope” with SSL tunnel inside the IPSec tunnel
− Standards-based: IPSec, IKEv2, MobIKE (mobility and multi-homing)
Other VPN solutions today do not offer this same level of performance for mobile devices.
Certificate Management/Handling
MDM works closely with Active Directory and utilizes the Microsoft Certification Authority (CA).
• Microsoft CA allows for standardized certificate templates.
• Microsoft CA complies with widely adopted industry standards and is used for automatic certificate handling by MDM.
• The Enterprise Edition of Windows Server® is needed to support the certificate templates required by AD.
• Customers who currently use a third-party CA within their PKI can deploy Microsoft CA as a subordinate CA and configure it to issue certificates for a specific use—in MDM’s case, client authentication for MDM-managed devices. The existing PKI can then operate normally for other purposes.
• Microsoft Certification Authority is integrated with AD. Configuring the Microsoft CA for this one use only will prevent unauthorized certificate issuance and misuse of this CA.
Typical Deployment Topology
Diagram: In the DMZ, between the external and internal firewalls, sit the MDM/SP1 Gateway Server and an optional ISA Server or reverse proxy. In the corporate intranet sit the MDM/SP1 Management Server, the MDM/SP1 Enrollment Server, the Device Certificate Enrollment Service, Active Directory, SQL Server, the MMC console, integrated WSUS software management, and the Exchange, SharePoint, intranet, and LOB servers. Connections shown: initial OTA device enrollment from the Internet via SSL, using a one-time PIN for enrollment; machine certificate authentication for Mobile VPN; an IPSec Mobile VPN carrying a 128-bit SSL tunnel from the device through the gateway to the management server; and SSL user authentication.
MDM demo
MDM SP1 Feature Updates
Feature and capability updates with MDM SP1 include:
• Multiple Instance
− Supports deployments where multiple points of control are required within a single forest
• Enrollment Auto Discovery
− Helps eliminate guesswork and user confusion by allowing the enrollment server to match the user with the correct MDM instance
• Runs with Windows Server 2008
− SP1 will run against a domain/forest running Windows Server 2008 AD Domain Services
• Performance/Scalability
− Increases system capacity to 40K users from MDM 2008 levels
• Virtualization
− Hyper-V support using hosted Windows Server 2003 for testing/trial purposes
Mobile Device Manager 2008 SP1
Management Workload (deployment: inside firewall)
Security Management
• Improved: Scalability and Reliability
• New: Multi-Instance; Support for Windows Server 2008 AD; Hyper-V (2003 host)
Device Management
• Improved: Reporting; Scalability and Reliability
• New: Improved self-service and helpdesk experience
Network Access Workload (deployment: in DMZ)
Mobile VPN
• Improved: Scalability and Performance
Unlocks Large Scale Deployments
MDM SP1 will better enable IT to manage Windows Mobile 6.1 and later devices in situations where greater scale and distributed control points are required.
Multiple Instance
Multiple Instance allows customers with multiple domains, multiple network access points, and different administrative policies to all be managed independently.
Diagram: One Active Directory forest with central IT and Division 1, Division 2, and Division 3, each with its own users, administrative policies, and MDM infrastructure.
Microsoft Stack Utilization
MDM is designed to work well with existing IT infrastructure, network directory, and services:
• Windows Server 2003 SP2
• SQL Server 2005
• Active Directory/Group Policy
• Windows Software Update Service (WSUS)
Better Together: MDM + …
• ConfigMgr = Comprehensive client management
• Exchange 2007 = More secure mobile messaging
• ISA + IAG = Enhanced network security and user authentication
• SharePoint = Mobile access for better collaboration and teamwork
System Center Mobile Device Manager 2008 works very closely with other Microsoft products to increase the productivity of mobile workforces.
Segmentation & Opportunity (UMM and Enterprise Customers)
Segment / Attributes / Priority:
Mobile Information Worker: Messaging
• Attributes: Mobile messaging with some security & manageability; High TCO sensitivity; Both front door and back door devices; Some requirements for location, presence and UC services
• Priority: Exchange 2007 SP1
Mobile Information Worker: Secure Messaging
• Attributes: Require mobile messaging with highest security due to regulatory compliance issues or internal security policies; Need secure network access for messaging; Front door devices only; Enhanced requirements for location, presence and UC services
• Priority: Exchange 2007 SP1 with MDM
Mobile Information Worker: Messaging + LOB
• Attributes: Messaging with enhanced security; Corporate data access (mLOB apps, Intranet sites, etc.); Need DM and secure network access; Mostly front door devices; Enhanced requirements for location, presence and UC services
• Priority: MDM with Exchange 2007 SP1
Task Worker: LOB only
• Attributes: Rich LOB applications, mission critical (established ROI); Mobile messaging not hard requirement; Need for DM and secure access; Enhanced requirements for location, presence and UC services; Users may have no affinity to PC; Potentially ruggedized devices (front door only)
• Priority: MDM or SCCM
Comprehensive Messaging and Device Management Solution
• Best in class mobile messaging and PIM solution
• Enhanced messaging security beyond SSL
• Rich device management
• Domain objects in Active Directory
• Management via AD/Group Policy
• Windows Mobile device management support
• Best in class mobile VPN
• Customized policy templates without AD schema changes
• 130+ mobile policies out of the box
• Software distribution via WSUS
By combining Exchange 2007 SP1 with MDM, customers get the best of both worlds—best in class messaging/PIM solution and device management, security, and secure, persistent connectivity for their Windows Mobile devices.
Comprehensive Device & Client Management Solution
• Rich PC client and mobile device management
• Domain objects in Active Directory
• Management via AD/Group Policy
• Windows Mobile device management support
• Best-in-class mobile VPN
• Customized policy templates without AD schema changes
• 130+ mobile policies out of the box
• Software distribution via WSUS
By combining ConfigMgr with MDM, customers get the best of both worlds—feature-rich client management for their PCs and device management, security, and secure, persistent connectivity for their Windows Mobile devices.
Microsoft Solution Comparison
Capability: Exchange Server 2007 SP1 ECAL / ConfigMgr 2007 / MDM 2008
• Cross-organization policy application: Yes / Yes / Yes
• Policy enforcement using Active Directory/Group Policy targeting: No / No* / Yes
• Push software via WSUS: No / Yes / Yes
• Mobile device-specific policies: Yes / No / Yes
• Inventory/Asset Tracking: No / Yes / Yes
• Management via SSL: Yes / Yes / No
• Management via IPSec Tunnel: No / No / Yes
• Pre-Windows Mobile 6.1 device support: Yes / Yes / No
• Inline bootstrapping: Yes / No / Yes
• Full Software Inventory: No / No** / Yes
* This applies to mobile device management. AD/Group Policy is supported for desktop clients.
** File inventory only.
MDM complements other Microsoft DMSec solutions.
MDM: Competitive Review
Key capabilities matrix comparing Exchange 2003 SP2, Exchange 2007, Exchange 2007 SP1, MDM, RIM BlackBerry Enterprise Server 5.X, BES 4.1, Good 4.9, IMS 8.0 SP1, Afaria, and OneBridge (per-product marks omitted) across: Push e-mail and PIM; Basic policies; Advanced policies; Active Directory integrated targeting; Active Directory Domain Join; Application disablement; Comms lockdown (IR, Bluetooth, Camera, WIFI); OTA software distribution; OTA firmware update; Inventory; Reporting; Helpdesk console; End-to-end full OTA provisioning; Device wipe; Mobile VPN; Dual factor authenticated access.
Notes:
1. Exchange 2007 provides EAS statistical reporting (with basic device information).
2. Exchange 2007 enables full OTA provisioning of EAS Client only (does not include IRM or cert-based authentication).
3. Expected to deliver deeper integration with LDAP but not necessarily specific to AD.
4. Middleware (i.e. Good, IMS) software only, not device firmware.
License and Support Cost Comparison
First year investment - list price, 5K users. Pricing includes Software Assurance (SA) for MDM and technical support for all solutions (MDM included in Premier).
• Afaria: $521,000 ($104.20 per user)
• Good: $1,038,400 ($207.68 per user)
• RIM: $398,500 ($79.70 per user)
• MDM: $119,300 ($23.86 per user)
MDM Technical Support
• Premier Field Engineering (PFE)
− MDM technical specialists in Redmond and Prague
• Microsoft Consulting Services (MCS)
− MDM expertise in Redmond with supervision of WW team build-out
• Mobility SSP team
− WW solution selling expertise for MDM, Windows Mobile, and third-party mobility solutions
• Product Support Services (PSS)
• MVPs—mobility specialists outside Microsoft
Licensing Considerations
• MDM is a three server role solution:
− Enrollment Server role
− Device Management (DM) Server role
− Gateway Server role
• Roles required:
− Outside the firewall, all three roles are required.
− Inside the firewall (WLAN), the Gateway is optional.
• Role combinations:
− Enrollment and DM can be combined on one box—single server license required.
− Gateway is always a stand-alone role.
MDM SKU Offerings
Offering Category / License Offering / Net Price (Select C level)
System Center Mobile Device Manager 2008 (MDM 2008):
• MDM 2008 Server License: $1500
• MDM 2008 User Client Access License (CAL): $40
• MDM 2008 Device Client Access License (CAL): $40
System Center Mobile Device Manager 2008 with SQL Server 2005 Technology (MDM 2008 with SQL):
• MDM 2008 with SQL Server License: $2122
• MDM 2008 with SQL User Client Access License (CAL): $40
• MDM 2008 with SQL Device Client Access License (CAL): $40
Advantage MDM: MDM combines the must-have DMSec features IT demands, low TCO, and robust Microsoft technology stack utilization.
Information and Links
• www.microsoft.com/systemcenter/mobile/
• www.microsoft.com/windowsmobile/en-us/business/solutions/enterprise/mobile-device-manager.mspx
• http://technet.microsoft.com/windowsmobile/
• http://technet.microsoft.com/en-us/scmdm/
© 2008 Microsoft Corporation. All rights reserved. Microsoft, Active Directory, SQL Server, Windows, Windows Server and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
Microsoft Confidential