The use of mobile devices, or smartphones, for business isn't new; however, the patterns of use and the features these devices offer have changed radically in recent years. Today, it's possible to browse the web, send and receive email, and run countless applications—from customer relationship management (CRM) apps to word processing to social networking software—all while talking with someone on a call. The increased processing power, memory, and storage make these devices powerful business tools, and your users probably have corporate documents, customer lists, and sensitive pricing information on their devices. Responding to the loss of a device might involve sending breach notifications to customers and partners, and potentially paying fines and other penalties.
However, losing devices isn't the only risk a company faces. Employees who quit or are terminated could potentially walk out with your company's intellectual property, and it's possible that data could be accidentally leaked to social networking sites, as well as leaked through web browsing and personal email use. Previously, the response to these risks might have been to ban the use of mobile devices altogether, but their popularity and usefulness means that more and more organizations are seeking ways to integrate them into the enterprise while applying corporate policies to them.
There are solutions available today that can be used to integrate mobile devices with corporate networks and apply policies to them. In this article, I'll describe Microsoft System Center Mobile Device Manager (MDM) 2008 SP1, focusing on installation and configuration.
MDM vs. Exchange 2010
MDM isn't the only solution Microsoft has that supports mobile devices. Organizations with Microsoft Exchange Server 2010 can use Exchange to manage mobile devices so that devices can send and receive email using the Exchange infrastructure with Exchange ActiveSync (EAS). In addition, EAS can be used to push basic policies to mobile devices.
Basic policies for mobile devices can be used to enforce password policies, such as a policy that requires the use of a complex password. They can also be used to enforce what users can do with their devices, including disallowing removable storage such as memory cards; preventing use of the camera and Wi-Fi; restricting what Bluetooth features are available; and controlling which applications can run, including the browser and non-Exchange email apps. A broad EAS setting lets you enable or disable nonprovisionable devices, which are devices that won't or can't enforce policies pushed by Exchange.
Exchange 2010 ties basic policies to mailboxes, not devices, and doesn't offer true end-to-end management of security and devices. Nor does it offer a remote-access solution that lets mobile devices reach resources on the corporate network. MDM offers both, along with much richer policy and enforcement capabilities. However, MDM supports only Windows Mobile–based devices running Windows Mobile 6.1 or later, whereas Exchange 2010 can support any EAS-enabled device. MDM and Exchange 2010 can coexist, and can be used simultaneously for device management.
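To make the Exchange side of this comparison concrete, here is an added example (not from the article, and not Microsoft's own documentation) of the basic EAS controls described above, written for the Exchange 2010 Exchange Management Shell. It creates one ActiveSync mailbox policy that enforces a complex device password, blocks removable storage, camera, Wi-Fi, browser and consumer email, restricts Bluetooth to hands-free use, and refuses nonprovisionable devices, then assigns it to a mailbox, which is the only object Exchange can tie a policy to. The policy name "Mobile-Baseline" and the alias "jsmith" are assumed; the device-feature restrictions (storage card, camera, Wi-Fi, Bluetooth, browser, consumer email, complex-character count) require the Exchange Enterprise CAL.

```powershell
# Added example, not the article's own code. Run in the Exchange 2010 Management Shell.
# "Mobile-Baseline" and the mailbox alias "jsmith" are assumed names for illustration.

$policyName = "Mobile-Baseline"

# Password controls: require a complex password, lock after five minutes of
# inactivity, and wipe the device after eight failed unlock attempts.
# Device-feature controls: no memory cards, camera, Wi-Fi, browser or
# non-Exchange (consumer) email; Bluetooth limited to hands-free profiles.
# AllowNonProvisionableDevices $false refuses devices that cannot enforce the policy.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $true `
    -MinDevicePasswordLength 8 `
    -MinDevicePasswordComplexCharacters 3 `
    -MaxInactivityTimeDeviceLock "00:05:00" `
    -MaxDevicePasswordFailedAttempts 8 `
    -DevicePasswordExpiration "90.00:00:00" `
    -DevicePasswordHistory 5 `
    -RequireDeviceEncryption $true `
    -AllowStorageCard $false `
    -AllowCamera $false `
    -AllowWiFi $false `
    -AllowBluetooth HandsfreeOnly `
    -AllowBrowser $false `
    -AllowConsumerEmail $false `
    -AllowNonProvisionableDevices $false

# Exchange binds the policy to the mailbox, not to a device: every device that
# syncs this mailbox receives the same policy on its next sync.
Set-CASMailbox -Identity "jsmith" -ActiveSyncMailboxPolicy $policyName

# Confirm the settings that were stored.
Get-ActiveSyncMailboxPolicy -Identity $policyName |
    Format-List Name, DevicePasswordEnabled, AlphanumericDevicePasswordRequired,
                AllowNonProvisionableDevices, AllowStorageCard, AllowCamera, AllowBluetooth

# Check which device partnerships exist for the mailbox and whether each device
# actually applied the policy; a device that never reports "AppliedInFull" is a
# candidate for being blocked by AllowNonProvisionableDevices.
Get-ActiveSyncDeviceStatistics -Mailbox "jsmith" |
    Format-Table DeviceType, DeviceModel, DevicePolicyApplied,
                 DevicePolicyApplicationStatus, LastSuccessSync -AutoSize
```

The last command is the practical check: because the policy lives on the mailbox, the only way to see whether a given device honoured it is to read the per-device statistics after a sync. That per-mailbox view, with no notion of a device object or of network access, is the gap the MDM roles described below are meant to fill.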
Preparing to Install MDM
MDM is a reasonably complex product to deploy, consisting of several components. First, MDM requires Microsoft SQL Server 2005 or later to store policy and configuration information. MDM itself requires a Gateway Server, Device Management Server, and Enrollment Server. You can deploy the Device Management Server and Enrollment Server roles on the same server, which is a typical scenario for smaller environments. The Gateway Server is deployed in your demilitarized zone (DMZ), and it requires one network interface for internal communications and one for external communications. The Gateway Server's external interface must have a public IP address, must have a default route configured, and can't be published behind Microsoft ISA Server or Forefront Threat Management Gateway (TMG). The Device Management Server and Enrollment Server roles are deployed on your intranet.
The three server roles form an instance of MDM, and an instance can support as many as 30,000 mobile devices. You can deploy multiple instances to support more than 30,000 users, to give users in different regions a local MDM instance for the best connection speed, or to manage groups with disparate policy requirements separately. Note that MDM doesn't require Exchange (or its mobility features), but it can be used to offer Exchange services to mobile devices.
MDM is a 64-bit–only product, so it requires 64-bit–capable hardware and a 64-bit OS: Windows Server 2003 R2 64-bit. Installation on Windows Server 2008 isn't supported—some tools and utilities simply fail to install, although there are some workarounds. Before you can deploy MDM, you need a Certification Authority (CA), which should be an enterprise CA integrated with Active Directory (AD). The enterprise CA can run on Server 2008, and the Windows Server 2003 R2 servers that you install MDM on can be member servers in a Server 2008–based forest with the functional level raised to Server 2008 Forest Functional mode.
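The prerequisites in the last three paragraphs are easy to get wrong on a server that was built for something else, so here is an added example (not from the article or the MDM product) of a read-only check script for the server that will host the Device Management and Enrollment roles. It verifies the points the text calls out: a 64-bit Windows Server 2003 R2 OS (so a Server 2008 build fails the check, as the text says it would), an enterprise CA registered in Active Directory, the current forest functional level, and a reachable SQL Server at version 2005 (product version 9.x) or later. It needs PowerShell 2.0 on the Server 2003 R2 host and an account that can read the AD configuration partition and log on to SQL Server; the SQL server name "SQL01" is an assumed placeholder.

```powershell
# Added example, not the article's or the product's own tooling. Run on the
# intended MDM Device Management / Enrollment server under PowerShell 2.0.
# $sqlServer is an assumed placeholder; replace it with your SQL Server instance.

$sqlServer = "SQL01"

function Test-Prereq([string]$name, [bool]$ok, [string]$detail) {
    # Print one PASS/FAIL line per requirement.
    $status = "FAIL"
    if ($ok) { $status = "PASS" }
    Write-Host ("[{0}] {1}: {2}" -f $status, $name, $detail)
}

# 1. OS: Windows Server 2003 R2, 64-bit. On Server 2003 R2 the "R2" designation
#    is exposed in OtherTypeDescription, and Win32_OperatingSystem has no
#    OSArchitecture property yet, so bitness comes from the processor address
#    width, which reports 32 under a 32-bit OS even on 64-bit hardware.
$os  = Get-WmiObject Win32_OperatingSystem
$cpu = Get-WmiObject Win32_Processor | Select-Object -First 1
$is2003R2 = ($os.Caption -match "Server 2003") -and ($os.OtherTypeDescription -match "R2")
Test-Prereq "Windows Server 2003 R2" $is2003R2 ("{0} {1}" -f $os.Caption, $os.OtherTypeDescription)
Test-Prereq "64-bit OS" ($cpu.AddressWidth -eq 64) ("AddressWidth={0}" -f $cpu.AddressWidth)

# 2. Forest functional level (informational: MDM servers may sit in a
#    Server 2008 forest functional mode forest).
$forest = [System.DirectoryServices.ActiveDirectory.Forest]::GetCurrentForest()
Test-Prereq "Forest functional level" $true ("{0} = {1}" -f $forest.Name, $forest.ForestMode)

# 3. Enterprise CA: an AD-integrated CA publishes a pKIEnrollmentService object
#    under CN=Public Key Services in the configuration partition. A stand-alone
#    CA does not, so this distinguishes the two.
$configNC = ([ADSI]"LDAP://RootDSE").configurationNamingContext
$searcher = New-Object System.DirectoryServices.DirectorySearcher
$searcher.SearchRoot = [ADSI]"LDAP://CN=Public Key Services,CN=Services,$configNC"
$searcher.Filter = "(objectClass=pKIEnrollmentService)"
$caNames = @($searcher.FindAll() | ForEach-Object { $_.Properties["cn"][0] })
Test-Prereq "Enterprise CA registered in AD" ($caNames.Count -gt 0) ($caNames -join ", ")

# 4. SQL Server 2005 or later: SERVERPROPERTY('ProductVersion') is "9.x" for
#    2005 and "10.x" for 2008; anything below 9 (or unreachable) fails.
function Get-SqlMajorVersion([string]$server) {
    $conn = New-Object System.Data.SqlClient.SqlConnection(
        "Server=$server;Integrated Security=SSPI;Connect Timeout=5")
    try {
        $conn.Open()
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = "SELECT CONVERT(nvarchar(128), SERVERPROPERTY('ProductVersion'))"
        $version = [string]$cmd.ExecuteScalar()
        return [int]($version.Split(".")[0])
    } catch {
        return 0
    } finally {
        $conn.Close()
    }
}
$sqlMajor = Get-SqlMajorVersion $sqlServer
Test-Prereq "SQL Server 2005 or later" ($sqlMajor -ge 9) ("{0} ProductVersion major={1}" -f $sqlServer, $sqlMajor)
```

The script only reads state and prints a result per requirement, so it is safe to run on a production member server before the MDM installer is started. The Gateway Server's requirements (two interfaces, a public address and a default route on the external one, no ISA or TMG in front of it) are network design points that have to be verified on the DMZ host itself and are not covered here.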