Microsoft takes big step in managing enterprise handhelds

One new bit of code in Windows Mobile 6.1 makes this otherwise-minor release of Microsoft's handheld operating system a watershed for enterprise users.

The new code contains hooks into Microsoft's System Center Mobile Device Manager 2008 (MDM), a new server application that is the first major effort by the company to make handhelds as manageable and secure as PCs. At the CTIA Wireless show, Microsoft announced that MDM, unveiled last October, was now shipping.

The company also said that a handful of mobile carriers are preparing subscription service plans for enterprise customers, built around MDM. The carriers will offer simplified licensing for the application, one-call tech support, and an optimized network connection for subscriber devices.

Enterprises face a daunting set of challenges in administering and securing Windows Mobile handhelds and the corporate data they carry. In meeting these challenges, Microsoft has lagged far behind a group of well-established rivals, both large and small. (Compare client management products.)

MDM is a major step forward for Microsoft. It's a licensed server application, deployed behind the firewall, with a gateway server in the DMZ. Each mobile client needs a separate access license. The server works only with Windows Mobile 6.1, just released and due out on new phones by mid-year. Version 6.0 phones can be upgraded to 6.1, says John Traynor, a senior director in Microsoft's Mobile Communications Business.

In Version 6.1, Microsoft added code to support automatic device enrollment, a new mobile VPN, and mobile VPN drivers for WLAN and cellular adapters. As a result, devices with Version 6.1 can register automatically with MDM, with no additional client code to download or administer. "Typically a user would be provided a one-time [registration] password," Traynor says. "They input their e-mail address on the device, with the password, the device registers automatically, and then downloads the relevant [management and security] policies. It's a very simple process."

This first MDM release has 130 such policies, implementing and enforcing a wide range of administrative and security controls on the handsets. Among other things, administrators can permit or block specific applications on the device, encrypt different types or groups of files and data, and disable cameras or any of a number of communications interfaces, including Bluetooth and Wi-Fi.

Also in Windows Mobile 6.1, Microsoft has introduced its first VPN designed specifically for handhelds, called Mobile VPN, which ensures that device traffic only flows over an authenticated, encrypted link. The previous version did have a VPN feature, but it was not optimized for mobile networks, says Traynor. Mobile VPN sets up the IPsec tunnel to the MDM gateway server, which authenticates the connection using Internet Key Exchange Version 2 (IKEv2) and the machine certificates downloaded during the enrollment process.

Mobile VPN also supports Network Address Translation-Traversal (NAT-T) and IKEv2 Mobility and Multi-homing, to negotiate fast reconnections if the wireless link breaks. Users can pick up in an application where they left off, says Traynor.