Enterprise Mobile

Blogging about enterprise mobility, mobile devices, security, management and deployments.

Author Archive

A lot of the discussions within IT organizations are about security, and about how the approved security policies must be executed and implemented. Traditionally the group of staff that mandates the security policies is not the same group that has to implement the tools and processes to execute them. But I have seen this “disjointed camp” situation slowly improving in many organizations.

The focus of this post is to highlight some of the options I have run across recently on the question of Windows Mobile security and encryption: in particular, what Windows Mobile 6.1 brings, and the potential issues you might encounter depending on your security policies and requirements.

Native Device and File Encryption

Starting with the Windows Mobile 6 release there is native support for device and file encryption. In Windows Mobile 6.1 this was further enhanced with additional features to handle storage cards inserted into the device. Encryption can be triggered from Exchange 2007, from System Center Mobile Device Manager (SCMDM) through a Group Policy Object (GPO), or even from a 3rd party tool on the device such as the one Andreas Helland wrote (see http://mobilitydojo.net/2008/11/19/update-dojocrypt-goes-10/). Basically, specific registry keys need to be flipped to activate the appropriate features.

The encryption code is built into the Windows Mobile operating system, so there is low overhead. Encryption on the storage card happens upon write, so existing data on the card is not encrypted unless it is re-written. In WM 6.1 you can also specify exclusions/inclusions of directories. This can be handy to encrypt only e-mail or critical folders belonging to line-of-business applications.

Data Recovery

Some companies require that encrypted data can be retrieved. This may go against the reasoning behind encryption, you might say, but depending on your security mindset and corporate data ownership it is a necessary evil. Say some important employees have important data on an encrypted storage card or device and you need to access that data, either for support or legal reasons, with or without their co-operation.

On desktops and servers there are processes to accomplish this with encryption key escrow or recovery, by storing a copy of the encryption key elsewhere. This of course introduces other security risks. I know the Windows Vista/Windows 2008 BitLocker technology, for example, accomplishes this through Active Directory.

But on the native Windows Mobile 6 and 6.1 operating system this was not prioritized as a necessary component of the latest OS release, as it would probably have required more work and back-end integration. But who knows what the future could bring if enough enterprise customers ask for it! (hint hint, this is where you have a say back to Microsoft!)

Thus if you wipe a Windows Mobile device, whether from Exchange 2007, System Center Mobile Device Manager (MDM) or by other means, and a storage card that had been encrypted on that device was taken out beforehand, there is no way to read the encrypted data on the card again. It can only be read on the device it was encrypted with.

Jason Langridge’s blog entry lays it out nicely :-) http://blogs.msdn.com/jasonlan/archive/2007/03/16/storage-card-wipe-and-encryption-what-s-the-deal.aspx

- and a reference from the Windows Mobile product team themselves from their encryption FAQ:
http://blogs.msdn.com/windowsmobile/archive/2007/03/26/windows-mobile-6-storage-card-encryption-faq.aspx

Key Recovery

If your security policies require encryption key recovery processes, you may need to look at 3rd party solutions. These will of course bring an additional cost, but may also add additional security features.

Some, if not most, of these solutions work around the issue by creating their own encrypted file “volumes” and backing up the known key used, thus bypassing the default file encryption implementation.

Possible products and links: 

Aiko Solutions SecuBox: http://www.aikosolutions.com/products/secubox-for-pocket-pc/articles/secubox-encryption-vs-windows-mobile-6-encryption/
GuardianEdge Smartphone Protection: http://www.guardianedge.com/products/smartphone-security.php
CheckPoint Pointsec Mobile: http://www.checkpoint.com/products/datasecurity/mobile/index.html 
McAfee SafeBoot: http://www.mcfee.com 
Mobile Armor DataArmor: http://www.mobilearmor.com/dataarmor.php 
Credent Mobile Guardian: http://www.credant.com/products/cmg-enterprise-edition.html 
WinMagic SecureDoc Mobile Edition: http://www.winmagic.com/solutions/securedoc-pda.html
PGP Mobile: http://www.pgp.com/products/mobile/index.html

No default workaround

Here is some good technical explanation and background from my colleague and resident expert Mr Dave Field (CISSP) from Enterprise Mobile on the technical aspects of using the native Windows Mobile 6.x encryption, and on why a workaround isn’t currently possible with the default implementation of encryption:

“The problem is that both storage card encryption and device main memory encryption are performed using keys that are auto-generated and auto-encrypted by DPAPI. The DPAPI system key and user key are encrypted using device-specific entropy. The user key on WM 6.1 used for encryption adds the device lock PIN/PW as entropy. So, even if you went and found the keys in memory and uploaded them to the infrastructure, you wouldn’t be able to decrypt them using some shared password. There is no function available to decrypt the key and provide the output. DPAPI only decrypts the key into memory as part of encryption/decryption operations. DPAPI has no archiving function and is not tied into Active Directory. When using EFS or even enrolling a certificate, the keys can be archived using Active Directory.

Even if we found the registry keys for the auto-generated DPAPI keys and stored them centrally, we couldn’t re-use them elsewhere if we replaced them and used the same user PIN/PW on the new device. This is because there are a number of device characteristics used for entropy as well as the user PIN/Password. The entropy points are not advertised for the obvious reasons…”

Wrap-up

Please comment if you have different experiences, feedback or interesting views on these issues!

References of possible further interest on this topic:

Why Device Lock PIN/Password must be configured with Windows Mobile 6.1 Device Encryption:
http://blog.enterprisemobile.com/2008/06/why-device-lock-pinpassword-must-be-configured-with-windows-mobile-61-device-encryption/
Windows Data Protection API (DPAPI): http://msdn.microsoft.com/en-us/library/ms995355.aspx
Older Mobile Encryption paper: http://www.sans.edu/resources/student_projects/200612_001.pdf
Keep Mobile Devices Safe With Encryption (Nov 2007):
http://www.informationweek.com/news/mobility/security/showArticle.jhtml?articleID=202803981&pgno=2&queryText=&isPrev=

|\\arco..
mnielsen (at) enterprisemobile.com

If you haven’t already I highly recommend that you upgrade your Live Search to the latest version previewed at CES last week: http://news.cnet.com/8301-1035_3-10141820-94.html

The big one is the ability to determine your approximate location without a GPS built into your device. Predictive text/word completion has also been added, weighted towards your previous hits. Upgrade from within the app, or download it directly from http://wls.live.com on your device.

For enterprise deployments of the Microsoft signed Live Search .CAB file through SCMDM 2008 please see this article: http://blog.enterprisemobile.com/2008/04/software-distribution-with-mdm

|\\arco..

SP1 has now been officially released and supported!!
Read all about it here: http://www.microsoft.com/systemcenter/mobile
All the resource kit tools have also been refreshed, see the downloads below!

Key Features and Benefits:

Mobile Device Manager 2008 enables efficient control of Windows Mobile 6.1 devices by providing reliable, low-cost, and consistent manageability, easy integration with your existing Microsoft infrastructure, and secure access to the corporate network.

SP1 is designed to cost-effectively support large-scale deployments of Mobile Device Manager with new features and enhancements:

• Multiple Instance: Supports deployments where multiple points of control are required within a single forest.
• PIN Reset: Allows users to request a PIN reset on their device. (details here: http://technet.microsoft.com/en-us/library/dd252841.aspx)
• Enrollment Auto Discovery: Facilitates easier self-service enrollments.
• Runs with Windows Server 2008: Provides support for Windows Server 2008 Active Directory functional level.
• Performance/Scalability: Increased system capacity.
• Virtualization: Provides Hyper-V testing support using Windows Server 2003 as a guest OS.

Information:
Get the evaluation here:
http://technet.microsoft.com/en-us/evalcenter/cc339027.aspx
Great must-read “What’s New” overview:
http://technet.microsoft.com/en-us/library/dd261938.aspx
Updated SP1 TechNet documentation is gradually being published here:
http://technet.microsoft.com/en-us/library/dd261783.aspx

Downloads:
System Center Mobile Device Manager 2008 SP1 Evaluation Edition – 120 day
System Center Mobile Device Manager (MDM) 2008 SP1 Evaluation Edition is a system that enables Windows Mobile devices to become managed and authenticated members of the IT infrastructure of an organization.

System Center Mobile Device Manager 2008 SP1 MSDN
System Center Mobile Device Manager (MDM) 2008 SP1 MSDN is a system that enables Windows Mobile devices to become managed and authenticated members of the IT infrastructure of an organization.

Mobile Device Manager 2008 SP1 MP for OpsMgr 2007 v1.0.2430.0
This Microsoft System Center Mobile Device Manager Service Pack 1 (MDM SP1) 2008 Management Pack provides proactive monitoring of your Microsoft System Center Mobile Device Manager 2008 SP1 environment.

MDM 2008 SP1 Resource Kit Tools – Password Reset Client v1.0
System Center Mobile Device Manager (MDM) Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM.

MDM 2008 SP1 Resource Kit Tools – Reporting Services v2.0
System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) Reporting Services provides a reporting and data access service across all areas of an MDM system.

MDM 2008 SP1 Resource Kit Tools – Server Tools v2.0
System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) Server Tools provides tools to help administrators manage deployment and cleanup tasks in an MDM system.

MDM 2008 SP1 Resource Kit Tools – Best Practices Analyzer v2.0
Best Practices Analyzer Tool for System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) helps you analyze a group of servers to determine if the prerequisites and best practices are met for MDM deployment.

MDM 2008 SP1 Resource Kit Tools – Client Tools v2.0
System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) Client Tools provides tools to help administrators troubleshoot connections and monitor device synchronization for Windows Mobile devices as part of an MDM system.

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org

Since the summer of 2008 I’ve been compiling a running alphabetical list of which devices now have officially supported upgrades available for them. This may be useful for many of you as well. New entries are in red. The list is sorted by mobile operator/OEM, and I have now made it more condensed as well!

The specific OS/AKU build for each upgrade is now included, for SCMDM SP1 support.

MO/OEM                               OS/AKU                 Build Number
Alltel:
  Alltel HTC PPC8600                 WM 6.1                 ?
  Alltel HTC Touch                   WM 6.1                 ?

ASUS:
  ASUS PDA Phone P527                WM 6.1 w/AKU 1.0.4     Build 19214.1.0.4
  ASUS PDA Phone P750 Patch          WM 6.1                 ?

AT&T:
  AT&T Motorola Q9h                  WM 6.1 w/AKU 1.0.2?    Build 19209.1.0.2?
  AT&T Tilt                          WM 6.1 w/AKU 1.0.4     Build 19214.1.0.4
  AT&T Pantech C810 Duo              WM 6.1 w/AKU 1.1.8     Build 19597.1.1.8
  AT&T BlackJack II (SGH-i617)       WM 6.1 w/AKU 1.0.1     Build 19208.1.0.1

Bell:
  Bell HTC Touch                     WM 6.1                 ?

Fido:
  Fido BlackJack (SGH-i616)          WM 6.1                 ?

HTC:
  HTC TyTN II (unlocked)             WM 6.1 w/AKU 1.0.3     Build 19212.1.0.3*
  HTC Diamond (unlocked)             WM 6.1 w/AKU 1.2.3     Build 19965.1.2.3*
  HTC Touch Pro (unlocked)           WM 6.1 w/AKU 1.2.3     Build 19965.1.2.3*
  HTC Touch Cruise                   WM 6.1                 ?
  HTC Touch Dual                     WM 6.1                 ?

i-mate:
  Ultimate 6150                      WM 6.1 w/AKU 1.2.1     Build 19959.1.2.1*
  Ultimate 8150                      WM 6.1 w/AKU 1.2.1     Build 19959.1.2.1*
  Ultimate 8502                      WM 6.1 w/AKU 1.1.2     Build 19585.1.1.2*
  Ultimate 9502                      WM 6.1 w/AKU 1.1.2     Build 19585.1.1.2
  JAMA 101 (Pending)

Intermec:
  Intermec CN3                       WM 6.1 w/AKU 1.1.1     Build 19581.1.1.1*
  Intermec CK3                       WM 6.1                 ?

O2:
  O2 XDA Stellar (HTC TyTN II)       WM 6.1                 ?
  O2 XDA Orbit 2 (HTC Touch Cruise)  WM 6.1                 ?
  O2 XDA Mantle (HTC P6500) NEW!     WM 6.1                 ?

Orange:
  Orange HTC TyTN II                 WM 6.1                 ?
  Orange HTC P6500                   WM 6.1                 ?

Rogers:
  Rogers BlackJack (SGH-i616)        WM 6.1                 ?

Samsung:
  Samsung SCH-i200                   WM 6.1 w/1.0.4         Build 19214.1.0.4*
  Samsung SCH-i617                   WM 6.1 w/1.0.1         Build 19208.1.0.1*
  Samsung SCH-i760                   WM 6.1                 ?
  Samsung Omnia SCH-i900             WM 6.1                 ?
  Samsung SGH-i780 (pending)

Sprint:
  Sprint Motorola Q9c                WM 6.1 w/AKU 1.0.2?    Build 19209.1.0.2?
  Sprint Mogul                       WM 6.1 w/AKU 1.0.2     Build 19208.1.0.2
  Sprint HTC Touch                   WM 6.1 w/AKU 1.0.1     Build 19208.1.0.1
  Sprint Samsung Ace (SPH-i325)      WM 6.1                 ?

Telus:
  Telus HTC Touch                    WM 6.1                 ?
  Telus HTC S720                     WM 6.1                 ?
  Telus HTC P4000                    WM 6.1                 ?

Verizon:
  Verizon Samsung SCH-i760           WM 6.1                 ?
  Verizon UStarcom XV6800            WM 6.1 w/AKU 1.0.3     Build 19212.1.0.3
  Verizon HTC XV6900                 WM 6.1 w/AKU 1.0.3     Build 19212.1.0.3
  Verizon Motorola Q9m               WM 6.1 w/AKU 1.0.2?    Build 19209.1.0.2?

Vodafone:
  Vodafone v1615                     WM 6.1 w/AKU 1.0.3     Build 19212.1.0.3

If you know of others, updates or corrections, please let me know!

Update Dec 15, 2008: * Thanks to Wayne Philips of Airloom for these build numbers!

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org

I’ve compiled a running alphabetical list of which devices now have officially supported upgrades available for them. This may be useful for many of you as well. I will keep this list updated; new entries are in red. Sorted by mobile operator/OEM:

Alltel HTC PPC8600 [Posted 10/10/2008]
Alltel HTC Touch [Posted 10/10/2008]

ASUS PDA Phone P527 (Released by country): [Posted 9/16/2008]
ASUS PDA Phone P750 (Released by country): [Posted 9/18/2008]

AT&T Motorola Q9h
AT&T Tilt [Reposted 8/26/2008]
AT&T Pantech C810 Duo [Posted 10/8/2008]
AT&T BlackJack II (SGH-i617) [Posted 9/2/2008]

Bell HTC Touch [Posted 8/23/2008]

Fido BlackJack (SGH-i616) [Posted 10/8/2008]

HTC TyTN II (unlocked)
HTC Touch Cruise [Posted 9/30/2008]
HTC Touch Dual [Posted 10/10/2008]

Intermec CN3 [Posted 9/26/2008]

O2 XDA Stellar [Posted 9/19/2008]
O2 XDA Orbit 2 [German] [Posted 9/19/2008]

Orange HTC TyTN II
http://www.coolsmartphone.com/news4172.html

Rogers BlackJack (SGH-i616) [Posted 10/8/2008]

Samsung SCH-i760
Samsung Omnia SCH-i900 [Posted 8/9/2008]

Sprint Motorola Q9c
Sprint Mogul [Posted 8/6/2008]
Sprint HTC Touch [Posted 8/6/2008]
Sprint Samsung Ace (SPH-i325) [Posted 10/16/2008]

Telus HTC Touch [Posted 8/6/2008]
Telus HTC S720 [Posted 9/12/2008]
Telus HTC P4000 [Posted 8/6/2008]

Verizon Samsung SCH-i760
Verizon UStarcom XV6800 [Posted 8/27/2008]
Verizon XV6900 [Pending ???]
Verizon Motorola Q9c [Posted 9/18/2008]

Vodafone v1615 [Posted 6/27/2008]

If you know of others, or corrections, please let me know!

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org

UPDATED: Oct 5, 2008: Updated v1.1 .ADM file with corrections and additional settings. Download here.

One of the most powerful things about Microsoft System Center Mobile Device Manager (SCMDM) is the ability to manage all of your Windows Mobile 6.1 or above devices through Active Directory (AD) Group Policy Objects (GPOs). A large percentage of the corporate market is already using GPOs to manage their desktop, notebook and server environments.

The GPO technology was introduced in Windows 2000 Server. Before that there were System Policies in Windows NT 4.0. There is already a fair amount of documentation and knowledge around extending GPOs to your own needs, but here I will go into some aspects that matter more when making use of SCMDM and supporting Windows Mobile in an enterprise running AD.

In this article I will go through how you can extend your own GPOs with additional settings not available out of the box in the default Windows Mobile GPO template supplied by Microsoft in SCMDM 2008. I will assume that you already know how to access and use the default SCMDM GPO settings.

Windows Mobile Registry Keys

GPOs work by controlling which registry keys are changed and written on the client machines. This is no different on Windows Mobile than on other Windows platforms at this point in time.

I will save the discussion of where to find and research Windows Mobile registry locations for another time, but will point out that many are bound to specific OS levels, OEMs and hardware requirements, so what works on one WM device may not work on another. I can’t stress enough the importance of testing such settings before a larger deployment to end-users.

For this article I have asked my colleague, Chris De Herrera, to suggest some registry keys to use:

Improve text rendering performance by increasing the GLYPH Cache to 32k (decimal):

[HKEY_LOCAL_MACHINE\System\GDI\GLYPHCACHE]
"limit"=dword:00008000

Internet Explorer Mobile homepage settings:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]
"home_0409"="file://\\windows\\default_0409.htm"
"version_0409"="file://\\windows\\about_0409.htm"
"blank"="res://webview.dll/blank.htm"

Configure Communicator Mobile:

[HKEY_CURRENT_USER\Software\Microsoft\Communicator\System Settings]
"ServerInternal"="sip.yourcompany.com"
"Server"="sip.yourcompany.com:443"

Furthermore I have also researched the following registry keys which may be helpful in corporate environments:

ClearType Activation:

[HKEY_LOCAL_MACHINE\System\GDI\ClearType]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ClearTypeText"=dword:1
[HKEY_LOCAL_MACHINE\System\GDI\ClearTypeSettings]
"OffOnRotation"=dword:0

Browser History:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"DaysToKeep"=dword:0000001E

Default Search Page:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://m.live.com/search/Results.aspx?q=%&mid=8001"

Internet Explorer User Agent:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
"Default"="Mozilla/4.0"
"Platform"="Windows CE"
"Version"="MSIE 6.0"

Menu Animations:

[HKEY_LOCAL_MACHINE\SYSTEM\GWE\Menu]
"AniType"=dword:0

Windows Animations:

[HKEY_LOCAL_MACHINE\SYSTEM\GWE]
"Animate"=dword:0

Error Reporting:

[HKEY_LOCAL_MACHINE\System\ErrorReporting\DumpSettings]
"DumpEnabled"=dword:0
[HKEY_LOCAL_MACHINE\System\ErrorReporting\UploadSettings]
"DontUpload"=dword:1
"ConnectionFlags"=dword:0

Today Screen Text:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shell\DeviceBeta]
"Today"="EnterpriseMobile"

Display Time/Date in Taskbar or disable for battery indicator:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shell]
"TBOpt"=dword:3
"ShowTitleBarClock"=dword:1

Permit Bluetooth and IrDA File Transfer:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Obex]
"IsEnabled"=dword:1

Please be aware that most of these settings require a soft reboot of the device before they become effective. The SCMDM policy agent should prompt you for a reboot of the device when an updated policy is synchronized from the Device Management Server.

Creating .ADM Files

Using the information published here about the correct registry key prefix to use for GPOs on Windows Mobile, I created my own .ADM file containing the sample registry keys listed above and a few other samples currently available.

You can download it here. I have noted in my sample the references used.

Look for a new folder called “Windows Mobile Settings-Extended” in the Computer Configuration section of the Group Policy Object Editor.

GPO-Policies-v1.1 
The single main trick was to prefix the native Windows Mobile registry keys with the <SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry> path.

So the native:
<HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs> became the longer:
<SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Software\Microsoft\Internet Explorer\AboutURLs>.

Note that the HKEY_LOCAL_MACHINE hive is collapsed into the short name HKLM. The same works for the HKEY_CURRENT_USER hive, which becomes HKCU.
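As an added example (not the author’s .ADM file and not part of SCMDM), the following Python script takes native Windows Mobile registry values in .reg style, applies the prefix and hive-collapsing trick described above, and emits a CLASS MACHINE .ADM fragment with one POLICY per value. The sample registry values are constructed from three of the keys listed on this page; the category name is the one the article uses.

```python
import re

# Native Windows Mobile registry values in .reg style, constructed here from
# three of the samples listed on this page (GLYPH cache, IE history, OBEX).
REG_SAMPLE = r'''
[HKEY_LOCAL_MACHINE\System\GDI\GLYPHCACHE]
"limit"=dword:00008000

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"DaysToKeep"=dword:0000001E

[HKEY_LOCAL_MACHINE\Software\Microsoft\Obex]
"IsEnabled"=dword:1
'''

# SCMDM policy prefix under which Windows Mobile registry settings are
# delivered, plus the short hive names it expects in place of the long ones.
POLICY_PREFIX = r"SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry"
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9A-Fa-f]+)|"(.*)")$')


def policy_keyname(native_key):
    """Collapse the hive to HKLM/HKCU and prepend the SCMDM policy prefix."""
    hive, _, rest = native_key.partition("\\")
    if hive not in HIVES or not rest:
        raise ValueError("unsupported registry key: " + native_key)
    return "\\".join((POLICY_PREFIX, HIVES[hive], rest))


def parse_reg(text):
    """Parse [key] headers and "name"=dword:hex / "name"="str" lines into
    (key, name, type, value) tuples; dword values become Python ints."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = VALUE_RE.match(line)
        if m is None or key is None:
            raise ValueError("unparsable .reg line: " + line)
        name, dword, string = m.groups()
        if dword is not None:
            entries.append((key, name, "dword", int(dword, 16)))
        else:
            entries.append((key, name, "string", string))
    return entries


def to_adm(entries, category="Windows Mobile Settings-Extended"):
    """Emit a CLASS MACHINE .ADM fragment with one POLICY per registry value.
    NUMERIC parts write REG_DWORD values, EDITTEXT parts write REG_SZ."""
    out = ["CLASS MACHINE", 'CATEGORY "%s"' % category]
    for key, name, vtype, value in entries:
        out += ['  POLICY "%s"' % name, '    KEYNAME "%s"' % policy_keyname(key)]
        if vtype == "dword":
            out += ['    PART "%s" NUMERIC' % name, '      VALUENAME "%s"' % name,
                    "      DEFAULT %d" % value]
        else:
            out += ['    PART "%s" EDITTEXT' % name, '      VALUENAME "%s"' % name,
                    '      DEFAULT "%s"' % value]
        out += ["    END PART", "  END POLICY"]
    out.append("END CATEGORY")
    return "\n".join(out)


if __name__ == "__main__":
    print(to_adm(parse_reg(REG_SAMPLE)))
```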

Further Information on .ADM Files

Please see the reference links below for more details on the syntax used in the example .ADM file. The syntax and commands are not the easiest in the world of IT.

I also found an .ADM file editor, called ADM Template Editor, from a small company in Australia that may be useful if you are planning to write and manage a large number of custom .ADM/.ADMX files.

Again, please test the policies on the OS platform, level, and hardware you wish to broadly deploy your Windows Mobile settings out to.

Look for more articles soon on useful Windows Mobile registry keys and GPOs!

References:

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org

For those going to the upcoming TechEd North America 2008 IT Pro Conference, June 10-13 in Orlando, Florida, my Enterprise Mobile colleague Patrick Salmon has two sessions just about SCMDM:

My other Enterprise Mobile colleague Doug Field is managing the Hands-On Lab for SCMDM as well!

Find more information on TechEd 2008 here.

There are also a ton of sessions on Windows Mobile and Windows Mobile 6.1 that could be very interesting!

Marco Nielsen

Another great article in the current issue of Smartphone/PocketPC Magazine from my colleague Patrick Salmon. Check it out here:

http://www.pocketpcmag.com/cms/_archives/Jun08/SystemCenterDevice

A good round-up of the knowledge and skills necessary to get started with SCMDM. It provides an excellent overview of the technology and of why it is important as well!

Marco Nielsen