The iPad has indeed arrived. You can’t head to a news site or check out the latest on the tech blogs without seeing a mention of Apple’s newest device. You know what I’m talking about – with its debut recently, the iPad has seemingly taken on a life of its own. From reviews in publications like The Economist to an article on application development in the New York Times, the media and the public alike are abuzz with its possibilities.

Before too long, some of the early users, who are now just getting comfortable with the device, will find ways to use it to perform job-related tasks. After the iPad 3G comes out, users and application developers will already have begun turning iPad into a serious enterprise device.

I expect that enterprise users will embrace the iPad for many of the same reasons they took to the iPhone (attractive design, ease of use and range of applications). Its form factor makes it suitable for tasks for which a laptop would be unwieldy, but a phone interface would be limiting. The iPad will especially appeal to mobile workers who need to access information and complete relatively simple data entry on the go. Salespeople will likely be early adopters since the lightweight device will be easy to carry on road trips and will provide a flexible platform for presenting product demos, photos and other graphical information. The iPad should also be put to good use in the medical field, providing doctors and other health care staff access to patient records and other information on an easy-to-carry device.

My advice to IT is this: apply the lessons learned from the iPhone and plan for iPad deployments. Anticipate how your end users might employ the device. Then consider what types of controls you’ll want to put in place to manage it effectively. In other words, treat the iPad like a smartphone or a laptop. It promises productivity benefits but will undoubtedly challenge your staff. They are not going to have a lot of time to come up to speed before end users start connecting the iPad to your network.

We’ve been hearing from more and more companies that lack Apple expertise but need to deploy iPhones to considerable numbers of users. In recent engagements we’ve applied our mobility tools and best practices to get fully loaded iPhones into the hands of our customers’ corporate users. By adapting our iPhone mobility services to the iPad, we’ll be ready when the iPad comes into the enterprise, whether it’s supplied by IT or brought in by enthusiastic users.

As you may have heard, today Enterprise Mobile announced the availability of a Hosted Device Management solution for iPhone and other mobile platforms. It is powered by technology from MobileIron, a partner that we have been working with very closely for a while now. I am personally excited about this for several reasons:

• Hosted DM is faster to implement – no design reviews, no security committees for our customers to deal with.
• It can be scaled up and down very quickly – if you are hiring 1333 merchandisers for a holiday season, no problem – you only get charged for the 2 months they are employed.
• No ramp up for a company’s IT staff is required.
• Coupled with our other services, it enables a full mobile deployment instantly.

I could go on to say why this is sexy. I could call it cloud computing, SaaS, the ASP model, hosting, outsourcing or any of the other labels that trendy now. The descriptors aren’t as important as the capabilities that hosted device management provides. Of course, we all know that beyond the benefits I mentioned there are challenges with a hosted model that should be considered. User/authentication can be more complex as the identity of users either has to be replicated or re-created with the hosting provider, and some services may be limited in terms of integrating into an existing on-premise infrastructure.

However, I do believe that when you combine our services and capabilities you get more benefits than pitfalls with the hosted model. Of course, if you don’t share that view, you can take advantage of the installation and services on premise. That way you can enjoy looking at the silver appliance in your data center and Enterprise Mobile takes care of all the support, ongoing management, provisioning or even end user support for you. Give us a call…

I just came across an interesting marketing gimmick – www.bargaincell.com have extended some of their deals till January 15th 2010 !

However there is a catch – you have to place the orders on Thursdays and Fridays only in addition to using the THRFRIDAY coupon.

So in order to get the 15% off:

1) Go to www.bargaincell.com Thu or Fri ONLY

2) During checkout use THRFRIDAY coupon

3) Save 15% on your new Motorola Droid or iPhone or even Windows Mobile Accessories

Many Windows Mobile users are waiting eagerly for the release of updates to the 6.5 version. Unfortunately for most US based users it means waiting on their mobile operator (T-M for HTC Touch PRO2, Sprint for HTC Snap, etc.) to release the updates. It is not clear when and how are going to be released yet as mobile operators usually don’t share their plans and roadmaps. We, based in the US can just hope, call our account managers and keep the pressure on!

However if you live in Europe, where the (re) branding of your phone by mobile operator is much less prevalent you are lucky – there are 3 updates available right now. See the links below and let me know how you like the new, shine WM 6.5

HTC Touch Pro 2

HTC Snap

Toshiba TG01

As you probably already noticed Microsoft has made public their interim Windows Mobile 6.5 release. There is ton of reviews, I will leave it up to you to judge how it is received. But if you are looking for what is new, I found this very nice table of comparison:

http://www.mobiledeployments.com/windows-mobile-6-5-feature-compare-to-6-1-and-6-01/

Cancelled Sendo WM device

I have started to work with smartphones sometime in 1998. I even have a mint prototype of what supposed to be the first Windows Mobile powered phone by Sendo – project that got canceled in 2002. Read more about it here.

Anyway fast forward to 2006 and any IT executive that was thinking about deploying mobile email / PIM and mobile applications basically had two basic option RIM/Blackberry and Windows Mobile. Each had its advantages and issues but once you had your requirements and made your decision, there was a good chance for you to run homogeneous platform. IT Helpdesk and Support, Training, Security and other departments became aware of the platform of choice and while international presence may posed a challenge with availability and the Symbian disruption (especially in Europe) the job was quite easy.

But something did happen in 2007 – the Apple released iPhone and stirred the pot. While the first generation was not suited at serious business use, the second one in 2008 added support for Microsoft Exchange and history started to repeat itself. IT managers were asked by their executives to figure out how to support iPhone, instead of their Blackberries. Regular employees started to bring their own devices and peer support helped them to get corporate email enabled. And the numbers grew.

Today with the introduction of Palm Pre into the mix, the bigger use of ruggedized devices that almost exclusively run Windows Mobile OS, over 30 new smatphone devices running Android planned for release before the end of the year and iPhone being on its 3^rd generation, the 2006 homogenous era looks like a something that will never happen again.

The reality is that most if not all IT departments and business owners have to consider supporting multiple platforms and consider the impacts and risks of all of them. There are some tools that serve multiple platforms well but most are just in their infancy. Also how to make a decision on which support and which just allow /enable but don’t provide any support?

Enterprise Mobile has been building mobile expertise since 2006. If you have any questions about what to do why don’t you send quick email or attend one of the great webinars

As I have blogged about previously, there was some interesting webcast  sessions on Windows Mobile, Security and Device Management on TechNet recently.

If you were unable to attend you can also catch a glimpse of one of the speakers I know, David Field here on TechNet Edge:
http://edge.technet.com/Media/Enterprise-Mobile-Security-Interview/

Dave Field spoke at TechEd on mobile security and gives us some insight into mobile phone security on topics such as:

• Areas where Windows Mobile security is strong against the competition
• Scenarios where companies will want to look to 3rd party solutions for mobile security
• Recommended ways to implement 2 factor authentication for phones

The Windows Mobile security whitepaper Dave mentions is available here: http://www.enterprisemobile.com/resources/white-papers.htm

|\\arco..
mnielsen(at)enterprisemobile.com

There appears to be a lack of public information regarding the inner secrets of successfully navigating and configuring the proxy and work exceptions on the Windows Mobile platform. My fellow Enterprise Mobile colleague, Patrick Salmon, has broken through and made some very interesting observations and facts about how to get it all configured correctly. This article contains all of the material and information Patrick has researched.

Most of this boils down to how the Windows Mobile Connection Manager is handling the connections and the decisions it makes to route the traffic. The Connection Manager is well aware of the native L2TP and PPTP connection methods in Windows Mobile, but appears to lack direct support for the Windows Mobile 6.1 Mobile VPN that is used by SCMDM 2008. See more information here: http://msdn.microsoft.com/en-us/library/ms879581.aspx.

This article assumes you are already well familiar with the SCMDM network routing requirements and how to configure Group Policies.

Proxy Issues Today

1. If you set the proxy via the SCMDM 2008 Group Policy you may observe that the necessary connectivity to the SCMDM Device Management server and WSUS services break.

2. Trying to use the Work/Internet capabilities as currently documented breaks the SCMDM VPN.
Although http://technet.microsoft.com/en-us/library/dd261930.aspx does explain some of the necessary steps. Also on http://technet.microsoft.com/en-us/library/dd261921.aspx it also states to make sure that the SCMDM Gateway server is listed.

3. No visibility on the client of what is configured.
The Windows Mobile Connection Manager internally uses something called a URL Mapping Table to decide if a specific URL is destined for the Internet or the corporate network connection. It can use a URL pattern which we will go into in more detail below. Please see http://msdn.microsoft.com/en-us/library/aa455992.aspx.

Where to set the Proxy server setting in the SCMDM 2008 Group Policies:

The solution is to correctly configure the Internet proxy setting and also specify the routing of which URLs go to the “Internet” and through the configured proxy, and which are internal or go through “Work” back through the VPN connection.

Overall best practices

Keeping things as simply as possible will go a long way. The basics are:

1. “Internet” bound traffic = Route via proxy if defined, otherwise use Default Gateway on SCMDM Gateway Server.

2. “Work” bound traffic = Route traffic directly to internal network using local routing tables on SCMDM Gateway Server.

3. If the FQDN of the Proxy is part of an internal domain do not put the FQDN in the Proxy configuration!
This will not work, as it will be detected as an Internet domain, due to the dotted name and you won’t see it working as you think. The solution is to use the direct IP address. Example: instead of “proxy_host.company.com:8080″ use “172.16.1.1:8080″.

Where to configure the specific Internet/Work routing is done through a “hidden” existing Group Policy setting:

The dialog window has two areas. One for the Internet domains (which will be routed to a proxy if configured so) and at the bottom for Work domains (not routed to the proxy if configured). This is what the default values are:

Next we will go into how to configure these entries in more detail.

Connection Manager URL Mapping Pattern

The Windows Mobile Connection Manager uses a general *://*.*/* URL type format. This can be further broken down into these examples:

• "*" & "?" can be used anywhere.:
  • “*” = Zero or more of any type of characters.
  • “?” = Can take the place for any single character.
• *:// = Any protocol (usually http or https).
• /*.*/ = Any FQDN namespace
• /*/ = Any NetBIOS/WINS name
• *://servername/* = specific NetBIOS server name
• *://*.company.com/* = Any host in a FQDN domain called company.com.
• *://host1.company.com/* = Only host1, any protocol, any website on target.
• *://host?.company.com/* = All traffic to host[a-z, 0-9], any website.
• https://host1.company.com/home = Only https requests to host1’s "home’ directory.

Some things to think about when defining you own URL Mapping table:

- Obey classic firewall rules – most granular is processed first
- Define your targets and know your internal name space
- Put in sequence (most specific first, least specific last)
- Decide whether traffic goes via the “internet” or “work” network routing from your SCMDM Gateway Server

Example and Outcome

Here is what a working example of URL Mapping Filter entries could look like:

Please note the above setting details:
- *://www.company.com/* – Externally hosted Internet site
- *://mdmvpn.company.com/* – Route SCMDM Gateway Server access through Internet
- *://*.company.com/* – Internal work namespace
- *://*.*/* – Catch all for all other Internet requests
- *://*/* – Catch all for all other internal NetBIOS/WINS requests – However, not found to work in testing, and removed so Internet requests are not caught by it!

Outcome with the above setting details:
- SCMDM VPN will connect correctly through the Carrier/MO/ISP on the device
- SCMDM Device Management and WSUS traffic will require no further invention.
- Internal Line-Of-Business application traffic will go direct.
- Internet bound traffic will go to the corporate proxy (if defined in separate Group Policy).

Internal namespace sans WINS

Since most companies are well on their way to totally get rid of WINS and have put in place DNS suffix search order standards. Another solution is to push a default DNS suffix to your Windows Mobile. Brian Puhl from Microsoft IT blogged about this last year here:

http://imav8n.wordpress.com/2008/08/21/getting-single-label-name-resolution-on-mdm-enrolled-phones/.

So this could ensure proper name resolution to a FQDN for internal names used on the Windows Mobile device. In the example above this could be routed to the “work” side of things by the *://*.company.com/* URL Mapping.

For more information on creating custom ADM templates for use in SCMDM 2008 please see: http://blog.enterprisemobile.com/2008/10/writing-custom-gpos-for-scmdm-2008/.

SCMDM 2008 SP1 Source-based Routing

Another feature that can be used to better assist with the complex nature of network routing, proxies and Internet access is the source-based routing feature present in SCMDM 2008 SP1. Some details can be found here: http://technet.microsoft.com/en-us/library/dd252779.aspx

The source-based routing option on the Gateway Wizard:
One example of how this could work is instead of having the default gateway on the External NIC of the Gateway Server, you place one on the Internal NIC. You can then configure the source-based routing option to an IP address of an external firewall that is accessible from the Internal NIC. Now Internet IPSec traffic will come in and terminate on the external NIC, but return back to the device through the Internal NIC and the IP address of the source-based routing, back to the Internet. Now any traffic from the Windows Mobile devices not configured to the proxy will default out to the Internal NIC gateway. This could be useful for applications that are not proxy aware, or if you won’t want to use any proxy but direct all traffic to the internal side and to be taken care of there for either internal or external Internet routing..

Split DNS

Another idea that could perhaps assist in some architectures is the use of split-DNS. In the Gateway Wizard you can specify the DNS server the Windows Mobile clients will use to resolve hostnames. Many simply use the existing DNS server present internally and make sure connectivity on TCP port 53 is open to it. Another idea could be to use a separate DNS server that contains hostname zone entries that could be similar but resolve to different IP addresses to better resolve network routing or DMZ issues at hand. DNS forwarding could still be used to forward remaining requests to the primary internal DNS servers.

Tethering Devices

Another Enterprise Mobile colleague, Dave Field, also points out:

“Please note that if you have a proxy setup on the device and you partner the device to a desktop that has “automatic” setup for the Connection setting, it will auto-configure the device proxy and overwrite whatever you have. It will configure it for port 80 automatically too.”.

At this of this writing I’m not sure if the Group Policies will automatically refresh the settings again down to the device. A work around may be to disable the tethering functionality all together if this is a big concern.

Wrap up

The final best advice is to have patience in troubleshooting and testing the proxy and network routing. It can be complex and quite difficult to get setup correctly in a large organization. Logic flow, re-verifying settings, and looking at logs could be your best friends.

Thanks again to Patrick Salmon for getting the answers together. Also a thanks to Wayne Phillips and David Creedy from Airloom for their feedback and corrections!

Please leave a comment or contact me directly if you have additional findings or feedback on how these settings work and act for you!

Reference links – for additional information:
Default URL Mapping values in Connection Manager:
http://msdn.microsoft.com/en-us/library/aa456095.aspx
How Connection Manager works:
http://blogs.msdn.com/fzandona/archive/2005/10/10/ConnectionManager02.aspx
How the Mapping Index works and what are some of the high-end catch all values:
http://msdn.microsoft.com/en-us/library/aa455850.aspx
http://msdn.microsoft.com/en-us/library/aa456095.aspx
Using Connection Manager URL Mapping:
http://msdn.microsoft.com/en-us/library/aa455992.aspx
SCMDM Forum thread discussion on these settings:
http://social.technet.microsoft.com/Forums/en-US/SCMDM/thread/9a295dc0-55a6-4783-b43e-132748e8e7b5

|\\arco..

Updated on May 12, 2009 with some corrections.

Don’t believe this is that recent news, but just learned about it and thought I would share as I think it could be quite useful for many enterprise scenarios..

This is a public website that can be used to troubleshoot Exchange server connectivity issues. Originally written by a Microsoft Escalation Engineer and continually updated.

You can test such things Exchange ActiveSync (EAS) issues, including Windows Mobile 5 and Windows Mobile 5 w/MSFP, Windows Mobile 6.1 clients with AutoDiscover, Outlook RPC over HTTP (Outlook Anywhere), Outlook 2007 and AutoDiscover and even inbound SMTP. The tool will give you a nice detailed report that you can drill down into and research where any failure might be.

It is accessed from here: https://www.TestExchangeConnectivity.com.

This could be very useful in testing your Exchange configuration and setup before you have Windows Mobile clients to access your environment. Validation of certificates and which Windows Mobile versions are supported is also included!

Main menu:

Apply test credentials:

Example report:

Reference Links:
Blog: http://msexchangeteam.com/archive/2009/03/25/450908.aspx
Video: http://edge.technet.com/Media/The-Remote-Connectivity-Analyzer-for-Exchange-Server/
Facebook Group: http://www.facebook.com/group.php?gid=58417140899
Twitter: http://twitter.com/ExRCA 

|\\arco..

An quick updated post from the one I posted previously on this.. One of these sessions is live at TechEd and the rest are being broadcasted live on TechNet starting next week. All are being presented by colleagues of mine here at Enterprise Mobile.

· Webcast: TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)
Tuesday, April 7, 2009
10:00 A.M.–11:00 A.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407362&culture=en-US
Description: “So, you are using Microsoft System Center Mobile Device Manager 2008 and Windows Mobile 6.1. Now what? You probably know that Mobile Device Manager can manage, secure, and install software on your phones. But did you know Mobile Device Manager also gives your users the potential to control the PC at their desk and access everything they need on the corporate network, including file shares, Microsoft Office SharePoint Server, instant messaging, and internal Web pages. In this webcast, we present the best practices for a Mobile Device Manager installation that provides users with access to everything they need in the corporate network through their phone and (just as important) denies access to resources mobile users don’t need. We review the basics of Mobile Device Manager and IP security (IPsec) virtual private networks (VPNs), and we discuss the tools that users can take advantage of so they can work wherever they would like using their phone. Discover how Mobile Device Manager eliminates the need to expose your organization’s Microsoft Exchange Server to the Internet.”

· Webcast: TechNet Webcast: Windows Mobile Digital Certificate Management (Level 300)�
Thursday, April 9, 2009
11:00 A.M.–12:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032409997&Culture=en-US
Description:  “Digital Certificates and public/private key technology is core to Windows Mobile platform security.  In this session, you’ll learn about how certificates are used to provide authentication, access control and encryption for the OS, applications and networking..  You’ll also learn best practices and “gotchas” for managing certificates on the device.   The speaker is an expert on Windows Mobile Certificate management and certificate-related features in the OS.  Therefore, come ready to ask any questions you may have:  enrollment, import, SSL, root certificates, email security, application security, etc.”

· Webcast: TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
Tuesday, April 17, 2009
11:30 A.M.–1:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032410692&culture=en-US
Description: “System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which takes almost 2 years of hands-on experience of deploying implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.”

· TechEd 2009 “Chalk Talk” in the WM area:  Management Lockdown of Windows Mobile Devices
Tuesday, May 12, 2009
10:15 A.M.-11:30 A.M. Pacific Time
Description:  “You can completely secure a Windows Mobile device without deploying expensive third party applications. In this session we’ll show you how bar viruses, malicious and unsupported code from installing and running on the device. In addition, we’ll look at various out-of-the-box devices and analyze their threat surface. Last, we’ll describe all Windows mobile application security threat surfaces and how to manage all of them.”

Register them now and get it on your calendar!

|\\arco..