Just my 2p's worth....
This session was the best of the week for me - as you know, one of my passions is mobile devices, and especially finding ways to integrate them into the Mars environment to enhance the user experience by giving more choice and flexibility. I've previously reviewed the current crop of Mobile Device Management tools in my blog entries from TechEd 2008, and am very excited to see the new developments and functionality that will be available in SCCM v.Next, particularly as this may well be something we can implement in our new environment.
The speakers gave a few interesting statistics which I recorded:
• By 2013, there will be more smartphones in enterprise-level business than there are PCs today
• Devices are trending away from platform conformance (ie iPhone, Android etc are becoming more common)
• 75% of smartphones are consumer bought, but still used for business (guilty as charged m'lord...)
In Mars, this is particularly worth noting due to tight control over business-supported mobile devices - associates and contractors who don't qualify will often look for alternative ways to access their corporate data, and in our environment this could pose a risk to us in terms of data security and corporate privacy, as we currently have no control over these devices.
Using the tools available today, we have the following opportunities to take control:
• SMS 2003 - Windows Mobile / CE devices only
• SCCM 2007 - CE 4.2 / Pocket PC 2003 - basic control and provisioning
• MDM 2008 SP1 - Windows Mobile 6.1, mobile VPN, Rich Device Management (remote wipe etc)
When v.Next is available, we can look forward to:
• Management integration in the same UI for desktop, server and mobile devices
• Over the air enrolment (using AD credentials)
• Mobile application deployment (this is cool, see below)
• Monitoring and remediation of non compliant devices
• Support for WinCE 5+, Windows Mobile 5/6/6.1 and Windows Phone 6.5
• Additional platform support (ie Nokia Symbian)
• Over the air inventory and setting management including software and patch deployment, remote device lock/unlock and wipe
The v.Next topology includes the following key server roles for device management:
• Enrolment web proxy point
• Enrolment service point
• Software catalog roles
• Management point
• Distribution point
The speakers went over some enrolment and deployment scenarios, describing the process for establishing mutual trust between the mobile device and the enrolment web proxy, which demonstrated the over-the-air provisioning. This can be invoked either by the admin in the console in a few easy steps, or by the remote user, using the web-based software catalogue which is part of SCCM's standard services. Whichever method is chosen, the end result is the user receiving a notification with instructions specific to their device type, including a one-time PIN which is valid for 8 hours by default. Once the user initiates the enrolment process on the device using the PIN, a secure session is established and enrolment is completed in the background on the device. Once the process is complete (enrolment can either be bound to the user's AD credentials, or to credentials specific to the device), you're ready to deploy software, policy and patching to the device, along with over-the-air inventory, status reporting (ie memory, CPU, free storage etc) and remote control in the same way as any other domain device. Specifically for mobile devices, you may lock/unlock or wipe the device.
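To make the enrolment flow above concrete, here is a small server-side model of the one-time PIN step. This is an added illustration written for this post, not SCCM code or Microsoft's design: the enrolment ids, the 8-digit PIN format, the salted PBKDF2 storage and the `EnrolmentService` class are all my assumptions. What it does show is the three properties a practitioner would want checked on any enrolment PIN: it expires (8 hours, the default quoted in the session), it can be redeemed only once, and the server never stores the PIN in the clear.

```python
"""
Hypothetical model of over-the-air enrolment with a one-time PIN.
Illustrative only; the data model and helper names are assumptions,
not SCCM's implementation.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

PIN_TTL_SECONDS = 8 * 60 * 60  # 8 hours, the default quoted in the session


@dataclass
class PendingEnrolment:
    user: str
    pin_hash: bytes      # only a salted hash of the PIN is kept server-side
    salt: bytes
    expires_at: float
    redeemed: bool = False


class EnrolmentService:
    """Issues PINs (admin console or self-service) and redeems them from a device."""

    def __init__(self, now=time.time):
        self._now = now                                   # injectable clock for testing
        self._pending: dict[str, PendingEnrolment] = {}   # enrolment id -> record
        self.enrolled: dict[str, str] = {}                # device id -> user it is bound to

    @staticmethod
    def _hash(pin: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, 100_000)

    def issue_pin(self, user: str, ttl: int = PIN_TTL_SECONDS) -> tuple[str, str]:
        """Returns (enrolment_id, pin); both go to the user in the notification."""
        pin = f"{secrets.randbelow(10**8):08d}"          # constructed 8-digit PIN format
        salt = secrets.token_bytes(16)
        enrolment_id = secrets.token_urlsafe(12)
        self._pending[enrolment_id] = PendingEnrolment(
            user, self._hash(pin, salt), salt, self._now() + ttl)
        return enrolment_id, pin

    def redeem(self, enrolment_id: str, pin: str, device_id: str) -> str:
        """Device-side step: binds the device to the user, or raises PermissionError."""
        rec = self._pending.get(enrolment_id)
        if rec is None:
            raise PermissionError("unknown enrolment")
        if rec.redeemed:
            raise PermissionError("PIN already used")       # one-time property
        if self._now() > rec.expires_at:
            raise PermissionError("PIN expired")            # 8-hour window
        # constant-time comparison of the salted hashes, never of the raw PIN
        if not hmac.compare_digest(self._hash(pin, rec.salt), rec.pin_hash):
            raise PermissionError("bad PIN")
        rec.redeemed = True
        self.enrolled[device_id] = rec.user
        return rec.user


if __name__ == "__main__":
    svc = EnrolmentService()
    eid, pin = svc.issue_pin("colin")
    print("user notified with PIN", pin)
    print("device bound to", svc.redeem(eid, pin, "phone-01"))
```

The injectable clock is there so the expiry path can be exercised without waiting 8 hours; in a real service the same record would also carry the device certificate issued once the PIN is accepted, which is what establishes the mutual trust the speakers described.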
Settings management for mobile devices direct from the console was also covered, and includes:
• Integrated mobile settings
• Support for monitoring and enforcement of policies
• Standard settings and simple UI which will be familiar to any SCCM admin
• Administrator-defined settings via mobile registry or OMA-URI (configuration via web link)
• All evaluation and remediation is done by the server so that the device isn't slowed by any processes required.
Alongside this, another great thing about this product is that you don't need to create separate security policies for mobile devices - rather you use your baseline desktop/laptop policy and add a supplementary configuration item for mobile devices. This will save time for admins and security teams, and also ensure that sweeping security changes, for example a change to the 8/90 password policy, take effect for all device types at once without the need for many policy changes to encompass all devices. The configuration item contains controls for smartphone-specific things such as Bluetooth networking and sharing, camera use etc, along with password lock policies etc.
Software distribution to mobile devices works in the same way as with any other SCCM deployment, so I won't go into detail here, however one point worth mentioning is that once a mobile device application or patch is packaged, it can be grouped into software collections along with the same applications for other devices on the DP servers, using the same requirement rules (for example device type, available memory and storage etc), and SCCM automatically works out which version to deploy to which device. Also, packages can be signed with a corporate certificate, so that the user can have confidence in the source, and the enterprise maintains continuity of the packages.
So to try and make this clear, if user Colin requires Adobe Reader and has a desktop PC and a smartphone, all the admin needs to do is deploy Adobe Reader once - it will appear on all devices where it is available and required. The only thing which isn't clear to me at this stage is how license constraints are observed here; Colin may well own the application on his desktop, but may not be licensed on the mobile device - so I'm not currently clear on how this is handled. I am sure there will be a way though, it's not like Microsoft to miss something as fundamental to their business model as licensing!
Software distribution packages can be in several flavours, including MSI, App-V and mobile CAB. Software can be deployed either via SCCM or user initiated web based self service. The beauty of all this for admins, is that now, mobile devices can be treated pretty much in the same way as desktops and laptops all from the same UI, using the same packaging, monitoring and reporting functionality - giving us control of the devices in our environment finally!
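Two of the ideas above deserve a worked illustration: the baseline policy plus mobile supplement evaluated server-side (the settings management section), and the requirement rules that let one deployment of Adobe Reader land as an MSI on Colin's desktop and as a CAB on his smartphone (the software distribution section). The model below is added here for illustration and is not SCCM's data model or Microsoft's code; the setting names, the comparison rules, the `PackageFlavour` class and the two constructed device inventories are all my own assumptions.

```python
"""
Hypothetical model of (1) a baseline configuration item extended by a
mobile supplement, evaluated and remediated by the server, and (2)
requirement rules choosing which flavour of a package a device receives.
Illustrative only; names and structures are assumptions, not SCCM's.
"""
import operator
from dataclasses import dataclass

# --- (1) configuration items -------------------------------------------------
BASELINE = {                       # applies to desktops, laptops and phones alike
    "password_min_length": 8,      # the "8/90" password policy from the post
    "password_max_age_days": 90,
}
MOBILE_SUPPLEMENT = {              # evaluated only for smartphones
    "bluetooth_sharing": False,
    "camera_enabled": False,
    "lock_after_minutes": 5,
}
# how the inventoried value is compared with the required value
RULES = {
    "password_min_length": operator.ge,    # actual >= required
    "password_max_age_days": operator.le,  # actual <= required
    "lock_after_minutes": operator.le,
    "bluetooth_sharing": operator.eq,
    "camera_enabled": operator.eq,
}


def effective_policy(device_type, baseline=BASELINE, supplement=MOBILE_SUPPLEMENT):
    """One baseline for everything; phones get the supplement merged on top."""
    policy = dict(baseline)
    if device_type == "smartphone":
        policy.update(supplement)
    return policy


def evaluate(device, baseline=BASELINE):
    """Server-side evaluation against inventory. Returns (setting, required, actual)
    for every non-compliant setting; a setting missing from inventory fails too."""
    findings = []
    for setting, required in effective_policy(device["type"], baseline).items():
        actual = device["settings"].get(setting)
        if actual is None or not RULES[setting](actual, required):
            findings.append((setting, required, actual))
    return findings


def remediate(device, baseline=BASELINE):
    """Push the required value for each failed setting; returns what was changed."""
    changed = []
    for setting, required, _ in evaluate(device, baseline):
        device["settings"][setting] = required
        changed.append(setting)
    return changed


# --- (2) software distribution with requirement rules --------------------------
@dataclass
class PackageFlavour:
    name: str
    kind: str                 # "msi", "appv" or "cab"
    device_types: frozenset
    min_memory_mb: int
    min_free_storage_mb: int


ADOBE_READER = [               # one deployment, two flavours in the collection
    PackageFlavour("Adobe Reader", "msi", frozenset({"desktop", "laptop"}), 512, 200),
    PackageFlavour("Adobe Reader Mobile", "cab", frozenset({"smartphone"}), 64, 20),
]


def select_flavour(device, flavours):
    """Return the flavour whose requirement rules the device meets, or None."""
    for f in flavours:
        if (device["type"] in f.device_types
                and device["memory_mb"] >= f.min_memory_mb
                and device["free_storage_mb"] >= f.min_free_storage_mb):
            return f
    return None


# constructed inventory records for Colin's two devices
COLIN_DESKTOP = {"type": "desktop", "memory_mb": 4096, "free_storage_mb": 50000,
                 "settings": {"password_min_length": 10, "password_max_age_days": 60}}
COLIN_PHONE = {"type": "smartphone", "memory_mb": 128, "free_storage_mb": 40,
               "settings": {"password_min_length": 4, "password_max_age_days": 90,
                            "bluetooth_sharing": True, "camera_enabled": False}}

if __name__ == "__main__":
    for dev in (COLIN_DESKTOP, COLIN_PHONE):
        print(dev["type"], "non-compliant:", evaluate(dev))
        print(dev["type"], "gets:", select_flavour(dev, ADOBE_READER).name)
```

Tightening the baseline is a one-line change to `BASELINE` and, because the phone's effective policy is built from it, the desktop and the smartphone both fall out of compliance together, which is the point the speakers made about the 8/90 policy.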