Enterprise Mobile

Blogging about enterprise mobility, mobile devices, security, management and deployments.

Archive for the ‘Device Management’ Category

A quick update to the post I wrote previously on this. One of these sessions is live at TechEd and the rest are being broadcast live on TechNet starting next week. All are being presented by colleagues of mine here at Enterprise Mobile.

· TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)
Tuesday, April 7, 2009
10:00 A.M.–11:00 A.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407362&culture=en-US
Description: “So, you are using Microsoft System Center Mobile Device Manager 2008 and Windows Mobile 6.1. Now what? You probably know that Mobile Device Manager can manage, secure, and install software on your phones. But did you know Mobile Device Manager also gives your users the potential to control the PC at their desk and access everything they need on the corporate network, including file shares, Microsoft Office SharePoint Server, instant messaging, and internal Web pages? In this webcast, we present the best practices for a Mobile Device Manager installation that provides users with access to everything they need in the corporate network through their phone and (just as important) denies access to resources mobile users don’t need. We review the basics of Mobile Device Manager and IP security (IPsec) virtual private networks (VPNs), and we discuss the tools that users can take advantage of so they can work wherever they would like using their phone. Discover how Mobile Device Manager eliminates the need to expose your organization’s Microsoft Exchange Server to the Internet.”

· TechNet Webcast: Windows Mobile Digital Certificate Management (Level 300)
Thursday, April 9, 2009
11:00 A.M.–12:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032409997&Culture=en-US
Description: “Digital certificates and public/private key technology are core to Windows Mobile platform security. In this session, you’ll learn about how certificates are used to provide authentication, access control and encryption for the OS, applications and networking. You’ll also learn best practices and “gotchas” for managing certificates on the device. The speaker is an expert on Windows Mobile certificate management and certificate-related features in the OS. Therefore, come ready to ask any questions you may have: enrollment, import, SSL, root certificates, email security, application security, etc.”

· TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
Tuesday, April 17, 2009
11:30 A.M.–1:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032410692&culture=en-US
Description: “System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which draws on almost 2 years of hands-on experience of deploying and implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.”

· TechEd 2009 “Chalk Talk” in the WM area: Management Lockdown of Windows Mobile Devices
Tuesday, May 12, 2009
10:15 A.M.–11:30 A.M. Pacific Time
Description: “You can completely secure a Windows Mobile device without deploying expensive third party applications. In this session we’ll show you how to bar viruses and malicious and unsupported code from installing and running on the device. In addition, we’ll look at various out-of-the-box devices and analyze their threat surface. Last, we’ll describe all Windows Mobile application security threat surfaces and how to manage all of them.”

Register them now and get it on your calendar! :-)

|\\arco..

A quick heads up on some interesting new Microsoft webcasts coming up early next month on Windows Mobile Device Management and Security that may be of interest to many of you:

TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)

Tuesday, April 7, 2009
10:00 A.M.-11:00 A.M. Pacific Time

TechNet Webcast: Management Lockdown of Windows Mobile Devices (Level 300)

Thursday, April 9, 2009
11:30 A.M.-12:30 P.M. Pacific Time

Register now and get it on your calendar! :-)

|\\arco..

I’ve been compiling a running alphabetical list of which devices now have officially supported upgrades available for them since the summer of 2008. This may be useful for those of you implementing SCMDM and researching which devices are compatible.

Several links have been fixed, and several devices purchased with WM 6.1.x builds are now listed for reference as well. It is interesting to see how slowly devices are finally picking up the 6.1.4 build, which is the one that carries Internet Explorer Mobile 6 (IE6on6).

Included is the specific OS/AKU build for each device for SCMDM 2008 SP1 support.

MO/OEM and device | OS/AKU | Build number

Alltel:
Alltel HTC PPC8600 | WM 6.1 | ?
Alltel HTC Touch | WM 6.1 | ?
Alltel Palm Treo Pro | WM 6.1.4 w/AKU 1.4.4 | 20765.1.4.4?

ASUS:
ASUS PDA Phone P527 | WM 6.1 w/AKU 1.0.4 | 19214.1.0.4
ASUS PDA Phone P750 Patch | WM 6.1 | ?
ASUS P565 | WM 6.1 | ?

AT&T:
AT&T Motorola Q9h | WM 6.1 w/AKU 1.0.2? | 19209.1.0.2?
AT&T Tilt | WM 6.1 w/AKU 1.0.4 | 19214.1.0.4
AT&T Pantech C810 Duo | WM 6.1 w/AKU 1.1.8 | 19597.1.1.8
AT&T BlackJack II (SGH-i617) | WM 6.1 w/AKU 1.0.1 | 19208.1.0.1
AT&T Fuze (HTC Touch Pro) | WM 6.1 w/AKU 1.2.6 | 19971.1.2.6
AT&T Epix (SGH-i907) | WM 6.1 w/AKU 1.3.2 | 20276.1.3.2
AT&T LG Incite (CT810) | WM 6.1 w/AKU 1.2.8 | 19974.1.2.8

Bell:
Bell HTC Touch | WM 6.1 | ?

Fido:
Fido BlackJack (SGH-i616) | WM 6.1 w/AKU 1.0.1 | 19208.1.0.1

HTC:
HTC TyTN II (unlocked) | WM 6.1 w/AKU 1.0.3 | 19212.1.0.3
HTC Touch Diamond (unlocked) | WM 6.1.4 w/AKU 1.4.3 | 20764.1.4.3
HTC Touch Pro (unlocked) | WM 6.1.4 w/AKU 1.4.3 | 20764.1.4.3
HTC Touch Cruise | WM 6.1 | ?
HTC Touch Dual | WM 6.1 | ?
HTC Touch HD | WM 6.1.4 w/AKU 1.4.0 | 20757.1.4.0

i-mate:
Ultimate 6150 | WM 6.1 w/AKU 1.2.1 | 19959.1.2.1
Ultimate 8150 | WM 6.1 w/AKU 1.2.1 | 19959.1.2.1
Ultimate 8502 | WM 6.1 w/AKU 1.1.2 | 19585.1.1.2
Ultimate 9502 | WM 6.1 w/AKU 1.1.2 | 19585.1.1.2
JAMA 101 | (Pending) |

Intermec:
Intermec CN3 | WM 6.1 w/AKU 1.1.1 | 19581.1.1.1
Intermec CK3 | WM 6.1 | ?

Motorola (Symbol):
Motorola MC55 | WM 6.1 w/AKU 1.1.1 | 19581.1.1.1
Motorola MC70 (BSP 0.01.09.00) | WM 6.1 w/AKU 1.1.5 | 19590.1.1.5

O2:
O2 XDA Stellar (HTC TyTN II) | WM 6.1 | ?
O2 XDA Orbit 2 (HTC Touch Cruise) | WM 6.1 | ?
O2 XDA Mantle (HTC P6500) | WM 6.1 | ?

Orange:
Orange HTC TyTN II | WM 6.1 | ?
Orange HTC P6500 | WM 6.1 | ?

Palm:
Palm Treo Pro (unlocked/GSM) | WM 6.1 w/AKU 1.0.5 | 19216.1.0.5

Rogers:
Rogers BlackJack (SGH-i616) | WM 6.1 w/AKU 1.0.1 | 19208.1.0.1

Samsung:
Samsung SCH-i200 | WM 6.1 w/AKU 1.0.4 | 19214.1.0.4
Samsung BlackJack II (SCH-i617) | WM 6.1 w/AKU 1.0.1 | 19208.1.0.1
Samsung SCH-i760 | WM 6.1 w/AKU 1.0.0 | 19202.1.0.0
Samsung Omnia SCH-i900 (non-US) | WM 6.1 w/AKU 1.3.1 | 20270.1.3.1?
Samsung SGH-i780 (IT, NL, Nordic, Singapore, UK only) | WM 6.1 | ?

Sprint:
Sprint Motorola Q9c | WM 6.1 w/AKU 1.0.2? | 19209.1.0.2?
Sprint Mogul | WM 6.1 w/AKU 1.0.2 | 19208.1.0.2
Sprint HTC Touch | WM 6.1 w/AKU 1.0.1 | 19208.1.0.1
Sprint Samsung Ace (SPH-i325) | WM 6.1 w/AKU 1.0.0 | 19202.1.0.0?
Sprint HTC Touch Diamond (Pending) | WM 6.1.4 w/AKU 1.4.3? | 20764.1.4.3?
Sprint Palm Treo 800w | WM 6.1 w/AKU 1.0.5 | 19216.1.0.5
Sprint Palm Treo Pro | WM 6.1.4 w/AKU 1.4.4 | 20765.1.4.4

Telus:
Telus HTC Touch | WM 6.1 | ?
Telus HTC S720 | WM 6.1 | ?
Telus HTC P4000 | WM 6.1 | ?

Verizon:
Verizon Samsung SCH-i760 | WM 6.1 w/AKU 1.0.0 | 19202.1.0.0
Verizon UStarcom XV6800 | WM 6.1 w/AKU 1.0.3 | 19212.1.0.3
Verizon HTC XV6900 | WM 6.1 w/AKU 1.0.3 | 19212.1.0.3
Verizon Motorola Q9c | WM 6.1 w/AKU 1.1? | 19704.1.1.50
Verizon HTC Touch Pro | WM 6.1 w/AKU 1.2.7 | 19972.1.2.7
Verizon Samsung Omnia (SGH-i910) | WM 6.1 w/AKU 1.3.1 | 20270.1.3.1
Verizon Samsung Saga (SCH-i770) | WM 6.1 w/AKU 1.3.2 | 20276.1.3.2

Vodafone:
Vodafone v1615 | WM 6.1 w/AKU 1.0.3 | 19212.1.0.3

If you know of others, updates or corrections, please let me know! 

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org

A lot of discussions within IT organizations are about security, and about how the approved security policies must be executed and implemented. Traditionally, the group that mandates the security policies is not the same group that has to implement the tools and processes to enforce them. But I have seen this “disjointed camp” trend slowly improving in many organizations.

The focus of this posting is to highlight some of the options I have run across recently on the question of Windows Mobile security and encryption: in particular, what Windows Mobile 6.1 brings, and the potential issues you might encounter depending on your security policies and requirements.

Native Device and File Encryption

Starting with the Windows Mobile 6 release there was native support for device and file encryption. In Windows Mobile 6.1 this was further enhanced with additional features to handle storage cards inserted into the device. Encryption can be triggered from Exchange 2007, from System Center Mobile Device Manager (SCMDM) in a Group Policy Object (GPO), or even from a 3rd party tool on the device like the one Andreas Helland wrote (see http://mobilitydojo.net/2008/11/19/update-dojocrypt-goes-10/). Basically, specific registry keys need to be flipped to activate the appropriate features.

The encryption code is built into the Windows Mobile operating system, so there is low overhead. Encryption on the storage card happens on write, so existing data on the card is not encrypted unless it is re-written. In WM 6.1 you can also specify directory exclusions/inclusions. This can be handy to only encrypt e-mail or critical folders belonging to line-of-business applications.

Data Recovery

Some companies require that encrypted data can be retrieved. This may go against the reasoning behind encryption, you say, but depending on your security mindset and your view of corporate data ownership it is a necessary evil. Say some important employees have important data on an encrypted storage card or device and you need to access that data, either for support or legal reasons, with or without their co-operation.

On desktops and servers there are processes to accomplish this with encryption key escrow or key recovery, where a copy of the encryption key is stored elsewhere. This of course brings other security risks into play. The Windows Vista/Windows 2008 BitLocker technology, for example, accomplishes this through Active Directory.

But on the native Windows Mobile 6 and 6.1 operating system this was not prioritized as a necessary component of the latest OS release as it would have probably required more work and back-end integration. But who knows what the future could bring if enough enterprise customers ask for it! (hint hint, this is where you have a say back to Microsoft!)

Thus if you wipe a Windows Mobile device, whether from Exchange 2007, from System Center Mobile Device Manager (MDM) or by other means, and a storage card that was previously encrypted in that device was taken out beforehand, there is no way to read the encrypted data on the card again. It can only be read on the device it was encrypted with.

Jason Langridge’s blog entry here lays it out nicely: :-) http://blogs.msdn.com/jasonlan/archive/2007/03/16/storage-card-wipe-and-encryption-what-s-the-deal.aspx 

- and a reference from the Windows Mobile product team themselves from their encryption FAQ:
http://blogs.msdn.com/windowsmobile/archive/2007/03/26/windows-mobile-6-storage-card-encryption-faq.aspx

Key Recovery

If your security policies require encryption key recovery processes, you may need to look at 3rd party solutions. These will of course bring an additional cost, but may also add additional security features.

Some or most of these solutions work around the issue by creating their own encrypted file “volumes” and backing up the known key used to encrypt them, rather than using the default file encryption implementation.

Possible products and links: 

Aiko Solutions SecuBox: http://www.aikosolutions.com/products/secubox-for-pocket-pc/articles/secubox-encryption-vs-windows-mobile-6-encryption/
GuardianEdge Smartphone Protection: http://www.guardianedge.com/products/smartphone-security.php
CheckPoint Pointsec Mobile: http://www.checkpoint.com/products/datasecurity/mobile/index.html 
McAfee SafeBoot: http://www.mcfee.com 
Mobile Armor DataArmor: http://www.mobilearmor.com/dataarmor.php 
Credent Mobile Guardian: http://www.credant.com/products/cmg-enterprise-edition.html 
WinMagic SecureDoc Mobile Edition: http://www.winmagic.com/solutions/securedoc-pda.html
PGP Mobile: http://www.pgp.com/products/mobile/index.html

No default workaround

Here is some good technical explanation and background from my colleague and resident expert Mr Dave Field (CISSP) of Enterprise Mobile on the technical aspects of using the native Windows Mobile 6.x encryption, and why a workaround isn’t currently possible with the default implementation of encryption:

“The problem is that both storage card encryption and device main memory encryption are performed using keys that are auto-generated and auto-encrypted by DPAPI. The DPAPI system key and user key are encrypted using device-specific entropy. The user key on WM 6.1 used for encryption adds the device lock PIN/PW as entropy. So, even if you went and found the keys in memory and uploaded them to the infrastructure, you wouldn’t be able to decrypt them using some shared password. There is no function available to decrypt the key and provide the output. DPAPI only decrypts the key into memory as part of encryption/decryption operations. DPAPI has no archiving function and is not tied into Active Directory. When using EFS or even enrolling a certificate, the keys can be archived using Active Directory.

Even if we found the registry keys for the auto-generated DPAPI keys and stored them centrally, we couldn’t re-use them elsewhere if we replaced them and used the same user PIN/PW on the new device. This is because there are a number of device characteristics used for entropy as well as the user PIN/Password. The entropy points are not advertised for the obvious reasons…”
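To make Dave’s point concrete, here is an added toy model, my own illustration rather than Windows Mobile’s actual DPAPI code or any of the vendor products listed above, of a data key wrapped under device-specific entropy plus the lock PIN, next to the escrowed-volume approach from the Key Recovery section: backing up the device’s wrapped key blob buys you nothing on a replacement handset with the same PIN, whereas wrapping the same key a second time under a centrally held recovery key is what makes recovery after a wipe possible. The hash-based wrap, the 16-byte entropy stand-in and all names are assumptions.

```python
import hashlib
import hmac
import secrets


def kdf(*parts: bytes) -> bytes:
    """Derive a 32-byte key-encryption key (KEK) from length-prefixed entropy inputs."""
    h = hashlib.sha256()
    for p in parts:
        h.update(len(p).to_bytes(2, "big") + p)
    return h.digest()


def wrap(dek: bytes, kek: bytes) -> bytes:
    """Toy authenticated key wrap: mask the 32-byte DEK, then tag it under the KEK."""
    ct = bytes(a ^ b for a, b in zip(dek, hashlib.sha256(kek + b"mask").digest()))
    return ct + hmac.new(kek, ct, hashlib.sha256).digest()


def unwrap(blob: bytes, kek: bytes):
    """Return the DEK, or None when the KEK is wrong (tag check fails, nothing is decrypted)."""
    ct, tag = blob[:32], blob[32:]
    if not hmac.compare_digest(hmac.new(kek, ct, hashlib.sha256).digest(), tag):
        return None
    return bytes(a ^ b for a, b in zip(ct, hashlib.sha256(kek + b"mask").digest()))


class Device:
    """A handset whose KEK is bound to hardware-specific entropy plus the lock PIN (assumed model)."""

    def __init__(self, pin: bytes):
        self.entropy = secrets.token_bytes(16)  # stands in for the undisclosed device entropy
        self.pin = pin
        self.wrapped_dek = wrap(secrets.token_bytes(32), self.kek())  # auto-generated DEK

    def kek(self) -> bytes:
        return kdf(self.entropy, self.pin)

    def wipe(self) -> None:
        # a remote wipe discards the wrapped key; the card's data key is gone with it
        self.wrapped_dek = None


def native_model(pin: bytes = b"1234") -> dict:
    """WM 6.x-style behaviour: the wrapped DEK is useless off the device that made it."""
    phone = Device(pin)
    escrowed_blob = phone.wrapped_dek           # admin 'backs up' the registry blob centrally
    dek_on_device = unwrap(escrowed_blob, phone.kek())
    replacement = Device(pin)                   # new handset, same user PIN, different entropy
    dek_elsewhere = unwrap(escrowed_blob, replacement.kek())
    phone.wipe()
    return {
        "same_device": dek_on_device is not None,
        "other_device_same_pin": dek_elsewhere is not None,
        "after_wipe": phone.wrapped_dek is not None,
    }


def escrow_model(pin: bytes = b"1234") -> bool:
    """Third-party style volume: the DEK is wrapped a second time under a recovery key held centrally."""
    recovery_kek = secrets.token_bytes(32)      # enterprise recovery key, never stored on the device
    phone = Device(pin)
    dek = unwrap(phone.wrapped_dek, phone.kek())
    escrow_copy = wrap(dek, recovery_kek)       # the 'backup of the known key' the vendors keep
    phone.wipe()
    return unwrap(escrow_copy, recovery_kek) == dek
```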

Wrap-up

Please comment if you have different experiences, feedback or interesting views on these issues!

References of possible further interest on this topic:

Why Device Lock PIN/Password must be configured with Windows Mobile 6.1 Device Encryption:
http://blog.enterprisemobile.com/2008/06/why-device-lock-pinpassword-must-be-configured-with-windows-mobile-61-device-encryption/
Windows Data Protection API (DPAPI): http://msdn.microsoft.com/en-us/library/ms995355.aspx
Older Mobile Encryption paper: http://www.sans.edu/resources/student_projects/200612_001.pdf
Keep Mobile Devices Safe With Encryption (Nov 2007):
http://www.informationweek.com/news/mobility/security/showArticle.jhtml?articleID=202803981&pgno=2&queryText=&isPrev=

|\\arco..
mnielsen (at) enterprisemobile.com

A lot of enterprise software for mobile devices uses SSL for security. SSL is the de facto choice because it can traverse NATs and routers, whereas many VPNs cannot.

So, you’ll need to purchase an SSL certificate for your web server and any Windows Mobile clients should have the root of your SSL certificate in the device’s root certificate store. 

The problem comes when the root certificate is not already in the device root certificate store by default. You can add certificates to the root store (this got a lot easier in Windows Mobile 6.0). But this will likely require a user to perform the task, or a support tech will need to “touch” the device. And if the device is cold reset, you have to perform this task all over again. It is much easier just to use an SSL server certificate from a public Certificate Authority that chains to a root certificate that’s already resident on the device.

Unfortunately, Windows Mobile has no root certificate updating service like the one included in Windows XP and Windows Vista. With Windows Mobile, you get the root certificates that were added when the image was built.

If you are using Windows Mobile 5.0 devices, you should for the most part not use GoDaddy or Comodo root certificates. Here is a table showing which versions of Windows Mobile include which public CA certificates:

Windows Mobile Root Certificates

Another consideration is the use of wildcard certificates. As you probably already know if you are reading this, a wildcard certificate allows the use of a wildcarded DNS name prefix such as “*.acme.com”. You can use the same SSL certificate for many different web servers that all have assigned DNS names ending in “.acme.com”. It is important for SSL security that the server’s Internet DNS name matches the subject or subject alternative name on the certificate. So, if you wildcard the prefix in the certificate, you can use one cert for a lot of servers.

Windows Mobile started supporting wildcard certificates in Windows Mobile 6.0. If you have Windows Mobile 5.0 devices, you should take a look at the offering from Digicert. They allow you to pre-populate the subject alternative name of the certificate with a list of server names. This ends up giving you something approaching wildcard certificate features. However, you do need to know the Internet DNS names of all the web servers you’ll be using. See more details on the Digicert site. Note that Digicert is not shown on the list above because their certificates actually chain back to the Entrust root.

Dave Field, CISSP, MCP
Device Management and Security Architect
Enterprise Mobile, Inc.
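As an added example to go with Dave’s post above (my own illustration, not code from the original post or from any vendor), here is a preflight check that decides whether a device on a given Windows Mobile version would trust a server certificate: the chain root must be in that image’s root store, and wildcard names only count from Windows Mobile 6.0 onward, otherwise the hostname has to appear literally in the subject alternative names. The root-store contents and the device and certificate values are constructed placeholders, not the real Windows Mobile root-certificate table.

```python
from dataclasses import dataclass, field

# Constructed sample root stores per Windows Mobile image (illustrative placeholders,
# NOT the real Windows Mobile root-certificate table). Keyed by OS version.
ROOT_STORE_BY_VERSION = {
    "5.0": {"Entrust", "VeriSign", "Thawte"},
    "6.0": {"Entrust", "VeriSign", "Thawte", "GoDaddy", "Comodo"},
    "6.1": {"Entrust", "VeriSign", "Thawte", "GoDaddy", "Comodo"},
}


@dataclass
class ServerCert:
    """The parts of a server certificate that matter for this check."""
    subject_cn: str
    san_dns: list = field(default_factory=list)  # dNSName entries in subjectAltName
    chain_root: str = ""                          # root CA the chain terminates in


def _version_tuple(version: str) -> tuple:
    return tuple(int(part) for part in version.split("."))


def name_matches(pattern: str, hostname: str, wildcard_supported: bool) -> bool:
    """Match one certificate name against the server's DNS name.

    A leading '*.' label covers exactly one DNS label (mail.acme.com, not a.b.acme.com
    and not the bare acme.com), and only when the device supports wildcards at all.
    """
    pattern, hostname = pattern.lower(), hostname.lower()
    if pattern.startswith("*."):
        if not wildcard_supported:
            return False
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def device_accepts(cert: ServerCert, hostname: str, wm_version: str):
    """Return (accepted, reason) for a device running the given Windows Mobile version."""
    store = ROOT_STORE_BY_VERSION[wm_version]
    if cert.chain_root not in store:
        # no root-certificate update service on the device: if the root was not in the
        # image, the chain cannot be validated without touching the device
        return False, f"root '{cert.chain_root}' is not in the WM {wm_version} root store"
    wildcard_ok = _version_tuple(wm_version) >= (6, 0)
    # when a subjectAltName is present it is what gets matched; otherwise fall back to CN
    names = cert.san_dns or [cert.subject_cn]
    if any(name_matches(name, hostname, wildcard_ok) for name in names):
        return True, "trusted root and matching name"
    if any(n.startswith("*.") for n in names) and not wildcard_ok:
        return False, f"wildcard names are not supported before WM 6.0 (device is {wm_version})"
    return False, f"no certificate name matches {hostname}"
```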

For those going to the upcoming TechEd North America 2008, IT Pro Conference, June 10-13 in Orlando Florida my Enterprise Mobile colleague Patrick Salmon has two sessions just about SCMDM:


My other Enterprise Mobile colleague Doug Field is managing the Hands-On Lab for SCMDM as well!

Find more information on TechEd 2008 here.

There are also a ton of sessions on Windows Mobile and Windows Mobile 6.1 that could be very interesting!

Marco Nielsen

Another great article in the current issue of Smartphone/PocketPC Magazine from my colleague Patrick Salmon. Check it out here:

http://www.pocketpcmag.com/cms/_archives/Jun08/SystemCenterDevice

A good round-up of the knowledge and skills necessary to get started with SCMDM. It provides an excellent overview of the technology and of why it is important as well!

Marco Nielsen

When installing System Center Mobile Device Manager (aka MDM) in a customer environment recently, I encountered a scenario where VPN connectivity worked on all but one of the mobile networks we tested. Here’s a recap of the challenges I encountered, and the eventual solution.

Summary
After installing all MDM components, we were able to successfully enroll and connect two T-Mobile devices without any problems. Next, we tried connecting AT&T devices (using the recommended isp.cingular APN), and the tunnel would come up but the device could not access any internal systems. Policies would get pushed down to T-Mobile (or even WiFi) connected devices flawlessly, yet isp.cingular would always fail. This happened consistently across a variety of devices, SIMs and regions of the country. We were also able to take the same device, SIM and APN and connect fine to our MDM lab here at Enterprise Mobile.

UPDATE: Check out our CAB Signing Tool if you need to sign CAB files with your own certificate.

A recurring question I get is how to test and demo the software distribution capabilities of MDM.

People generally run into errors importing test CAB files because the DM server does not trust the signature the CAB was signed with, or the CAB is simply unsigned. The first thing to note is that the software distribution server can only import signed CAB files. You cannot disable this feature (as of this writing, anyway). The root certificate of the certificate that signed the CAB file must be in the Trusted Publisher store on the DM server. In most cases you will have to manually put it there.

The Windows Mobile device management platform supports two different Open Mobile Alliance (OMA) standards: OMA Client Provisioning (OMA CP) and OMA Device Management (OMA DM). By the way, OMA CP is the new name for WAP Provisioning. So, when you see Windows Mobile configuration XML with the root node <wap-provisioningdoc>, you know you are using OMA CP.

Because Windows Mobile supports both OMA CP and OMA DM, you’ll find that the MSDN documentation for most Windows Mobile Configuration Service Providers includes configuration XML for both standards. OMA DM is supposed to be the new, improved standard (and it is in many ways). So, you may wonder why OMA CP support is still included.