During today's CTIA keynote address in San Francisco, Microsoft CEO Steve Ballmer announced the company's new management solution for mobile devices, System Center Mobile Device Manager 2008. As a quick take, I would say Microsoft's tool looks like a significant advancement in the ability to take control of and quickly advance the capabilities of Windows Mobile devices used throughout the enterprise and that third-party security solution providers should be pretty concerned about the feature set that could soon come standard with Microsoft's devices as the product gains acceptance.
Integration will be a key selling point for Mobile Device Manager 2008, as the product ties in to resources that likely already exist in the enterprise infrastructure, such as WSUS 3.0 and Active Directory. This has the dual benefit of simplifying management and deployment while leveraging familiar management components.
Via demonstrations from Ballmer's keynote address and on the show floor, I've gleaned the following about Mobile Device Manager 2008:
Users will auto-enroll their Windows Mobile-based device via a Web application that grants a onetime password, which is then used to join the domain. Users will have to provide their e-mail address to perform these actions, but during the demo, the process looked a little light on credentialing and access permissions. I hope there is more to it.
The domain request appears in the administrator's management console, which is based on the familiar MMC interface. It looks like the administrator needs to approve the registration request, so that is good. I can't tell what level of access users will have on the device while they are in this twilight state of approval. But once approval is finished, the device will be a manageable object in AD.
From the console, administrators can perform a number of actions on remote devices that are enabled over the air - for instance, pushing software and settings. It looks like administrators can create software deployment packages that are delivered via cooperation with the enterprise's WSUS 3.0 patching server. Administrators can tailor language requirements for the software package and address any application or registry dependencies as well.
Since the device is now an AD object, Group Policy settings can be applied as well. The various demonstrations I observed showed Group Policy settings for password policies (length, type and complexity), encryption settings (device, file or exclusion lists) and VPN settings (AES versus 3DES and so forth).
It is good to see Microsoft bundling VPN capability with this product; this will enable easier secured access to secured and hosted resources. Presumably this will make it much easier for enterprises to emphasize the use of hosted applications and data resources and to reduce the need for confidential information to be carried around, stored on the device itself.
Administrators can also perform actions from the console, temporarily blocking devices from access or performing remote wipes. In addition, detailed logs and histories of actions taken are present in the management console.