One new bit of code in Windows Mobile 6.1 makes this otherwise-minor release of Microsoft‘s handheld operating system a watershed for enterprise users.
The new code contains hooks into Microsoft’s System Center Mobile Device Manager 2008 (MDM), a new server application that is the first major effort by the company to make handhelds as manageable and secure as PCs. At the CTIA Wireless show, Microsoft announced that MDM, unveiled last October, was now shipping.
The company also said that a handful of mobile carriers are preparing subscription service plans for enterprise customers, built around MDM. The carriers will offer simplified licensing for the application, one-call tech support, and an optimized network connection for subscriber devices.
Enterprises face a daunting set of challenges in administering and securing Windows Mobile handhelds and the corporate data they carry. In meeting these challenges, Microsoft has lagged far behind a group of well-established rivals, both large and small. (Compare client management products.)
MDM is a major step forward for Microsoft. It’s a licensed server application, deployed behind the firewall, with a gateway server in the DMZ. Each mobile client needs a separate access license.
The server works only with Windows Mobile 6.1, just released and due out on new phones by mid-year. Version 6.0 phones can be upgraded to 6.1, says John Traynor, a senior director in Microsoft’s Mobile Communications Business.
In Version 6.1, Microsoft added code to support automatic device enrollment, a new mobile VPN, and mobile VPN drivers for WLAN and cellular adapters. As a result, devices with Version 6.1 can register automatically with MDM, with no additional client code to download or administer.
“Typically a user would be provided a one-time [registration] password,” Traynor says. “They input their e-mail address on the device, with the password, the device registers automatically, and then downloads the relevant [management and security] policies. It’s a very simple process.”
This first MDM release has 130 such policies, implementing and enforcing a wide range of administrative and security controls on the handsets.
Among other things, administrators can permit or block specific applications on the device, encrypt different types or groups of files and data, and disable cameras or any of a number of communications interfaces, including Bluetooth and Wi-Fi.
Also in Windows Mobile 6.1, Microsoft has introduced its first VPN designed specifically for handhelds, called Mobile VPN, which ensures that device traffic only flows over an authenticated, encrypted link. The previous version did have a VPN feature, but it was not optimized for mobile networks, says Traynor.
Mobile VPN sets up the IPsec tunnel to the MDM gateway server, which authenticates the connection using Internet Key Exchange Version 2 (IKEv2) and the machine certificates downloaded during the enrollment process.
Mobile VPN also supports Network Address Translation-Traversal (NAT-T) and IKEv2 Mobility and Multi-homing, to negotiate fast reconnections if the wireless link breaks. Users can pick up in an application where they left off, says Traynor.
The MDM server draws on and works with the capabilities of an array of Microsoft server capabilities. It integrates fully with Active Directory, for example, and supplements the mobile messaging management and security features in Exchange Server 2007, and the inventory management and configuration capabilities of System Center Configuration Manager 2007.
It’s the kind of approach that Microsoft-based enterprises are looking for, says Ken Dulaney, vice president at market research firm Gartner. Mobile VPN “reduces network overhead and proxies IP addresses to reduce the battery consumption caused by independent applications that [constantly] ping the network to ensure their connection is being maintained,” he says.
One key rival in this space is Research In Motion (RIM), with its BlackBerry Enterprise Server. But RIM and Microsoft focus mainly on managing their respective software platforms and the handsets running them, says Benjamin Gray, an analyst with Forrester Research.
Enterprises that use other platforms, such as Symbian, or have a mix, can turn to Nokia’s Intellisync Mobile Suite, HP’s Enterprise Mobility Suite, Good Technology’s Mobile Messaging (now part of Motorola), Motorola’s own MotoPro Mobility Suite, Sybase iAnywhere’s Afaria Mobile Device Management, and Wavelink’s Avalance Mobility Center, among others, according to Gray.
The new mobile operator services being built around MDM are due out later this year from various cellular carriers, including in the U.S., AT&T and Verizon Wireless. According to Traynor, the implementations of these “Mobile Services Plans” will simplify mobile deployments by giving enterprises a single locus for MDM client licensing, device purchase, support and maintenance, and a guarantee of a high-quality network connection for mobile users.
Again, Microsoft is moving into a crowded field. “Many carriers and infrastructure outsourcers offer handheld management services that are powered by mobile device management vendors like Nokia or Mformation,” says Forrester’s Gray.