Executive Summary: Microsoft continues the trend of introducing robust, secure mobile functionality for the enterprise with System Center Mobile Device Manager (MDM) 2008. MDM lets large companies take fuller advantage of Windows Mobile 6.1 devices, and brings a higher level of security for Microsoft Exchange Server 2007 mobile messaging capabilities.
Although mobile messaging has been around in one form or another for many years, it seems that Microsoft only started taking it seriously with the release of Exchange Server 2003 SP2. SP2 featured a whole slew of new capabilities for organizations that wanted to use mobile messaging, and things got better from there. Exchange Server 2007 introduced even more improvements, and Microsoft even threw in a bunch of new mobile device security settings in Exchange Server 2007 SP1. Continuing the trend, Microsoft has recently released System Center Mobile Device Manager (MDM) 2008.
What Is Mobile Device Manager?
The best way to understand how MDM works is to compare it to Microsoft Internet Security and Acceleration Server (ISA Server). As you probably know, ISA Server is a completely separate product from Exchange. Exchange can function without ISA Server, and ISA Server can function without Exchange. Even so, ISA Server was designed specifically with Exchange in mind, and because it's Exchange aware, it can provide Exchange with better security than most other firewall products can.
MDM works similarly; it isn't an Exchange-specific add-on, but if you're using Exchange's mobile messaging capabilities, MDM can help you be more secure. It's designed to let large, enterprise-class organizations provision, manage, apply group policies to, and deploy software to Windows Mobile 6.1 devices.
Mobile Device Manager Architecture
MDM has three primary components: the Mobile Device Management Server, the Enrollment Server, and the Gateway Server. As Figure 1 shows, the MDM setup program lets you install each of these options separately. Technically, you can install each of these server roles on a common server, but I would recommend doing so only in a lab environment. In a real-world deployment, you need to host these roles on separate servers for security and performance reasons.
The Mobile Device Management Server
The Mobile Device Management Server is the heart and soul of MDM. This is the server from which all your mobile devices receive policies and software deployments. If a mobile device is on the mobile network, the device uses a cellular or Wi-Fi link to connect to an IPsec VPN, which in turn connects the device to the Mobile Device Management Server. If the device is connected to the corporate network over Wi-Fi, it doesn't bother with a VPN connection; rather, it communicates directly with the Mobile Device Management Server.
Policy Management
Although many of the policies that you can apply with MDM are the same types available through Exchange Server 2007 SP1 (to which Microsoft added a few dozen new mobile device policy settings), policy management is completely different. MDM actually joins Windows Mobile 6.1 devices to a domain and applies the policies through Group Policy Objects (GPOs).
One of the nice things about managing mobile devices in this way is that your mobile device security policies mirror your Active Directory (AD) structure. For example, if you have multiple organizational units (OUs) in place for various departments within your company, you can create a separate set of mobile-device-related GPOs for each OU. This ability gives you granular control over how mobile devices are used. For example, you might allow the executives in your company—and maybe even the IT staff—to have full, unrestricted access to all of the mobile device’s features. However, you might want to prevent the people in the sales department from connecting to the Internet using Wi-Fi. The ability to apply separate group policy settings to various OUs lets you accomplish this level of security fairly easily.
If you're familiar with the GPOs that are built into Windows Server by default, then you know that few (if any) are related to mobile devices. So where do all of these new group policy settings come from? Well, if you look back at Figure 1, you'll notice that the splash screen contains an option for configuring AD for MDM. It's this configuration process that makes the new group policy template settings available.
Group policies can't be applied unless a mobile device has been joined to a domain. Currently, Windows Mobile 6.1 is the only version of Windows Mobile that is capable of being joined to a domain, and is therefore the only version of Windows Mobile that you can manage through MDM.
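The per-OU scoping described above can be scripted and, more importantly, audited. The following PowerShell is an added example, not code from the article or from the MDM product; it uses only the standard GroupPolicy module cmdlets (Get-GPO, New-GPO, New-GPLink, Set-GPRegistryValue, Get-GPInheritance) to create one mobile-device GPO per department OU, apply the "no Wi-Fi" restriction only where the plan calls for it, and then report which GPOs are actually linked to each OU. The domain name and OU names are constructed, and the registry path used for the Wi-Fi policy is an obvious placeholder: the real value must come from the MDM policy templates that the AD configuration step installs.

```powershell
# Added example (not from the article): one MDM-style GPO per department OU, plus a
# scope check. Requires the GroupPolicy module (GPMC) on the machine running it.
Import-Module GroupPolicy

# Placeholder domain; substitute your own distinguished name.
$DomainDN = 'DC=corp,DC=example,DC=com'

# Plan mirrors the article's example: executives and IT unrestricted, sales without Wi-Fi.
$Plan = @(
    @{ OU = "OU=Executives,$DomainDN"; Gpo = 'MDM-Mobile-Executives'; BlockWiFi = $false },
    @{ OU = "OU=IT,$DomainDN";         Gpo = 'MDM-Mobile-IT';         BlockWiFi = $false },
    @{ OU = "OU=Sales,$DomainDN";      Gpo = 'MDM-Mobile-Sales';      BlockWiFi = $true  }
)

# PLACEHOLDER registry location for the "disable Wi-Fi" setting. Replace the key and
# value name with the ones defined by the MDM policy template you deploy.
$WiFiPolicyKey  = 'HKLM\SOFTWARE\Policies\PLACEHOLDER-MDM\WiFi'
$WiFiPolicyName = 'Disabled'

function Ensure-MobileGpo {
    param([string]$Name, [string]$TargetOU, [bool]$BlockWiFi)

    # Create the GPO only if it is missing, so the script can be re-run safely.
    $gpo = Get-GPO -Name $Name -ErrorAction SilentlyContinue
    if (-not $gpo) {
        $gpo = New-GPO -Name $Name -Comment "Mobile device policy for $TargetOU"
    }

    # Link the GPO to the department OU unless that link already exists.
    $alreadyLinked = (Get-GPInheritance -Target $TargetOU).GpoLinks |
        Where-Object { $_.DisplayName -eq $Name }
    if (-not $alreadyLinked) {
        New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    }

    # Write the restriction only where the plan asks for it; other OUs stay unrestricted.
    if ($BlockWiFi) {
        Set-GPRegistryValue -Name $Name -Key $WiFiPolicyKey -ValueName $WiFiPolicyName `
            -Type DWord -Value 1 | Out-Null
    }
    return $gpo
}

function Test-MobileGpoScope {
    # For each OU, list the GPOs actually linked so you can confirm the intended one is
    # present (and that the restricted policy is not accidentally linked higher up).
    param([hashtable[]]$Plan)
    foreach ($entry in $Plan) {
        $links = (Get-GPInheritance -Target $entry.OU).GpoLinks |
            Select-Object -ExpandProperty DisplayName
        [pscustomobject]@{
            OU         = $entry.OU
            ExpectGpo  = $entry.Gpo
            Linked     = ($links -contains $entry.Gpo)
            BlockWiFi  = $entry.BlockWiFi
            AllLinks   = ($links -join ', ')
        }
    }
}

foreach ($entry in $Plan) {
    Ensure-MobileGpo -Name $entry.Gpo -TargetOU $entry.OU -BlockWiFi $entry.BlockWiFi | Out-Null
}
Test-MobileGpoScope -Plan $Plan | Format-Table -AutoSize
```

Run it from a domain-joined management workstation with GPMC installed and rights to create and link GPOs. The Test-MobileGpoScope report is the part worth keeping in a scheduled job: it shows every GPO linked to each OU, so a restriction that drifts onto the wrong OU (or off the right one) is visible without opening the GPMC console.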
Software Deployment
The other primary function of the Mobile Device Management Server is its ability to deploy applications to mobile devices. In case you're wondering, MDM accomplishes this by using Windows Server Update Services (WSUS) as a back-end component. In fact, Microsoft requires you to install WSUS 3.0 SP1 before you install MDM.