Windows Mobile
Device Management
Khalid Siddiqui
Mobility Architect
Microsoft Corporation
Scope
Windows Mobile Device Management
Overview
Provisioning
Standards and architecture
System apdates
System Management Server
Messaging and Security Feature Pack
Scenarios
What is Device Management?
Software
distribution
Help Desk
Troubleshooting
Auditing
and
logging
Provisioning
OTA
connected
Patch
management
OS update
Image update
Inventory
H/W
S/W
Device Management Mechanism
Mechanism
Payload
Protocol
Direction
RAPICONFIG
Website
SD Card
XML
CPF
CAB
CPF/CAB
CPF/CAB
WBXML
SDIO
SMS
SI
SL
DTAS
HTTP/S
OMA CP
OMA DM
server
SMS / MSFP
OMA
DM XML
XML/
PKG
SMS
HTTP/S
HTTP/S
DTAS
Configuration Manager
Configuration Manager hosts Configuration
Service Providers (CSP)
Each CSP is a block of settings
Each block of settings has a corresponding block
of XML
Configuration
Manager
Configuration
Service Provider
Configuration
Service Provider
Configuration
Service Provider
Accessing Configuration
Service Provider
ROLE
USER_AUTH
OPERATOR
OPERATOR_TP
S
MANAGER
Configuration Service Provider
Access, Bluetooth, Browser Favorite, Clock,
CM_GPRSEntries, CM_NetEnteries, CM_Networks,
CM_Planner, CM_PPPEnteries, CM_ProxyEnteries,
CM_VPNEnteries, CM_WIFIEnteries, CM_Planner,
EMAIL2, FileOperation, Home, Locale, NAP, NAPDEF,
Obex, Proxy, PXLOGICAL, Sounds, SpeedDial, Sync,
Uninstall, VPN
Application, Bootstrap, DevDetail(R/O), DMAcc(R/O),
NAPDEF, PXLOGICAL.
Application, Bootstrap, GPRS_Entries, CM_PPPEntries,
DevDetail(R/O), DMAcc(R/O), FwUpdate,
LoaderRevocation, NAP, NAPDEF, PXLOGICAL,
ROMPackage, WiFi
CertificateStore, CM_Mappings, DeviceInformation(R/O),
Metabase, Registry, SecurityPolicy, TAPI
Configuration Service Providers
Branding
Home, notifications
Customization
Clock, browser favorites, email, sync, sounds
Networking
GPRS, mapping, planner, proxy, VPN, WiFi, Bluetooth
Security
Policies, certificates
GPRS CSP
<wap-provisioningdoc>
<characteristic type="CM_GPRSEntries">
<characteristic type="GPRS1">
<parm name="DestId" value="{436EF144-B4FB-4863-A0418F905A62C572}" />
<characteristic type="DevSpecificCellular">
<parm name="BearerInfoValid" value="1" />
<parm name="GPRSInfoValid" value="1" />
<parm name="GPRSInfoProtocolType" value="2" />
<parm name="GPRSInfoL2ProtocolType" value="PPP" />
<parm name="GPRSInfoAccessPointName" value="your apn" />
<parm name="GPRSInfoAddress" value="" />
<parm name="GPRSInfoDataCompression" value="1" />
<parm name="GPRSInfoHeaderCompression" value="1" />
<parm name="GPRSInfoParameters" value="" />
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
WiFi CSP
<wap-provisioningdoc>
<characteristic type=“Wi-Fi">
<characteristic type=“access-point">
<characteristic type=“Work Network">
<parm name=“NetworkKey"value=“key"/>
<parm name="DestId"value="{GUID}"/>
<parm name=“Authentication"value=“0"/>
</characteristic>
</characteristic>
</characteristic>
</wap-provisioningdoc>
Bluetooth CSP
<wap-provisioningdoc>
<characteristic type="Bluetooth">
<parm name="BtMode" value="2"/>
</characteristic>
</wap-provisioningdoc>
0=Off
1=On
2=Discoverable
Sync CSP
<characteristic type="Sync">
<characteristic type="Connection">
<parm name="User" value="test"/>
<parm name="Password" value="test"/>
<parm name="SavePassword" value="1"/>
<parm name="Server" value="labsrv.sphone.net"/>
<parm name="Domain" value="sphone"/>
</characteristic>
<characteristic type="Mail">
<parm name="Enabled" value="1"/>
<parm name="SyncSwitchPurge" value="1"/>
</characteristic>
<characteristic type="Contacts">
<parm name="Enabled" value="1"/>
<parm name="SyncSwitchPurge" value="1"/>
</characteristic>
<characteristic type="Calendar">
<parm name="Enabled" value="1"/>
<parm name="SyncSwitchPurge" value="1"/>
</characteristic>
</characteristic>
Security Policies CSP
Setting a security policy
<wap-provisioningdoc>
<characteristic type="SecurityPolicy">
<!-- Unsigned CAB Policy: do not allow unsigned cab files
<parm name="4101" value="0" />
<!-- Unsigned Applications Policy: enabled
-->
<parm name="4102" value="0" />
</characteristic>
</wap-provisioningdoc>
Querying a given security policy
<wap-provisioningdoc>
<characteristic type="SecurityPolicy">
<parm-query name="4101"/>
<parm-query name=“4102"/>
</characteristic>
</wap-provisioningdoc>
-->
Provisioning the Device
CAB Provisioning
CPF = CAB provisioning file
Contains XML configuration file instead of EXE
Should be signed using SIGNTOOL tool and a
certificate appropriate for the contents of the
CPF (usually a certificate with Manager role on
the device)
May be distributed like a CAB file
Delivered via:
Pull CPF file from a website
OTA Push of CPF File
Load CPF file from MMC/SD card
SI and SL
Creating CPF File
1. Create XML Configuration file, test it and name
it _Setup.xml
2. Run makecab _Setup.xml Filename.cpf
3. Sign and apply like a CAB file
OMA Provisioning Standards
Open Mobile Alliance v1.1.2
“2 clients” on each Windows Mobile
5.0 device
“WAP-based” provisioning
Primarily for bootstrapping
Declarative (make the device settings be “this”)
Windows Mobile 2003 extends for continuous provisioning
“OMA-DM -based” provisioning
Primarily for continuous provisioning
Interactive session with a DM server
New for Windows Mobile 2005
OTA Push Message Structure
SMS
header
Phone Number
+
WDP
header
Destination Port
Source Port
+
WSP
header
TID, PDU, Len, Media,
SEC, MAC …… TPS,
Push Flag
+
WBXML
body
Version, Encoding,
Tokens, Code Page,
Strings
Push Proxy
gateway
Over
the Air
Provisioning
Server
Push Router
Configuration
Manager
Configuration
Service
Provider
Configuration
Service
Provider
Configuration
Service
Provider
OTA Provisioning
The OMA DM Architecture
OTA Provisioning Server
WAP Push Gateway
SMS/Data Bearer
Mobile Device
SMS Router
WAP Stack
Security
Security
Providers
Provider
Push Router
Other
Push
client
WININET
OMA DM Transport
Client
Config
Host
OMA DM DPU
Metabase
Configuration Manager
CSP
CSP
CSP
Configuration Manager
2
LegacyCSP
Wrapper
CSP
CSP
OMA-DM: Continuous Provisioning
1. Server trigger
Binary “blob” including:
•Message digest (hash)
•Server ID (pre-configured on device)
•DM protocol version
•User interaction (optional)
2. Client initiates
session
3. Server-controlled interchange
•Get (Query)
•Add
•Replace
•Delete
•Atomic
•Execute
•Sequence
Patch Management
OS update
Image update
OS Update Scenario
Update to the next version of OS is available
User logs in to distribution site
User provides device ID and request update file
Signed update file and appropriate tool is
downloaded to laptop
User connects mobile device to laptop via
ActiveSync
The tool will update the connected device
Image Update
Builds checked to match certificate in the update
loader which is built by ODM
This certificate is not in the same stores as other
certificates on the device; it’s hard-coded into the
executable file
Ensuring appropriate updates
This is checked through versioning, signatures,
GUIDS and Device ID
Packages are differential packages so ODM
needs to build your packages
KEY MESSAGE: Update package has to be
created and signed by ODM
System Management Server
System Management Server
Device Management Roadmap
Device Management Feature Pack v1 (11/04)
Pocket PC 2002-2003 and Windows CE 3.0/5.0 management for corpnetconnected devices
Password and settings management add-ons
Device Management Feature Pack Update (May 2006)
Support for Windows Mobile 5.0 Pocket PC and Phone Edition
Windows Mobile 5.0 password application support and settings management
SMS V4
Everything above plus:
Smartphone 2003 and 2005
Internet-facing device support
Fully integrated with SMS
SMS v4 ++
Support for latest versions of Windows CE, Smartphone, and Pocket PC as
they are released
Regular post SMS V4 feature enhancements via download and in Service Packs
Supported Platforms
Device Management Version 1 (shipped 11/04)
Pocket PC and Phone Edition 2002
Pocket PC and Phone Edition 2003
Windows CE 5.0 Platform Builder (built-in client)
Windows CE 3.0 and above (with OS dependencies)
Coming soon to DMFP (May 2006)
Support for Windows Mobile 5 Pocket PC and Phone Edition
SMS V4 (mid-2007)
Smartphone 2003, 2005
Next Smartphone and Pocket PC release soon after
Partner support – Sybase iAnywhere
Formerly XcelleNet
Support Palm, RIM, Symbian, Smartphone 02
Integrated with SMS 2003 and DMFP
Partner support – Odyssey Software Athena
Integrated with SMS 2003 and DMFP (announcing at MMS)
Support for Windows Mobile, Windows CE, Smartphone in parallel with SMS
DMFP support
Additional features for Windows Mobile devices such as remote control
Athena™ Architecture
PocketPC,
WinCE.NET
Devices
Browser interface
File Manager Service
HTML over HTTP/S [Browser/Console]
System Manager Service
Log Manager Service
Messenger Service
WSDL
Remote Control Service
Web Server
Networking Service
Security
HTML Template Engine
HTML Template Pages
Configuration Service
• Interactive troubleshooting and
corrective action
• Remote control
(directly in browser)
Desktop PC
Programmatic interface
• Microsoft SMS Server 2003 console adapter
• Device-side Logging (device to server)
• Server-side Scripting (server to device)
XML Web Services (SOAP) over HTTP/S
Enterprise
server
Tracker Service
Device side
Enterprise side
DMFP Feature Set
Hardware/software inventory
File collection
Software distribution
Script execution
Settings management
Password policy management
Automated client distribution via SMS 2003
Advanced Client desktop
SMS V4 Feature Set
Hardware/software inventory
File collection
Software distribution
Script execution
Settings management
Connection Management
Password policy management
Automated client distribution via SMS Advanced
Client desktop
Over-the-air management of devices
Internet facing support for managing Internetconnected devices
Messaging and Security
Feature Pack
Security Features
Remotely manage and enforce corporate IT policy
over-the-air via Exchange 03 SP2 console
Enable automatic reset of data when password is
entered incorrectly X number of times
Help to better protect device data with
remote reset of on-device data via
Exchange 03 SP2 console
Increase access security to Exchange 03 SP2 using
Certificate-based Authentication to the server
Help protect email content with native
support for S/MIME
GAL Lookup over the air (no storage on device)
Keep Outlook Mobile Up-to-date
with Direct Push Technology:
An Illustrative View
Direct Push = Device interacts directly
with Exchanger Server 2003 SP2
Server running
Exchange 2003 SP2
1. Device sends PING
request to Exchange 2003
SP2 server
5. Device immediately
issues SYNC request to
pull mail. Upon SYNC
completion, go to step 1
Windows Mobile
Device with
Messaging and
Security Feature
Pack
4. If new mail arrives
before heartbeat interval
expires, Exchange 2003
notifies device that
changes have occurred
in the mail box
2. Exchange 2003 holds the
request pending until
heartbeat interval expires
3. If no mail arrives
before heartbeat
expires, device
sends another
PING request
Device and Server Requirements
WinMobile device requirements
Requires a Windows Mobile
5.0 device
MSFP will not work on
devices with versions prior
to Magneto
MSFP features will not need PC
sync except Certificate-based
Authentication
Certificate-based
Authentication will require a
one-time connection to
ActiveSync for certificate
deployment
Exchange server requirements
Requires upgrade from
Exchange Server 2003 to
Exchange Server 2003 SP2
No major changes beyond
SP upgrade
Need to increase IIS and Firewall
https connection timeout to the
ActiveSync virtual directory
Recommend 15-30minutes
for timeout
Certificate-based Authentication
feature will require a Certificate
Authority (CA) deployment
Recommend using Windows
Protocol Transition for CA
deployment
How Does MSIT Does Windows
Mobile Device Provisioning
Web site
Windows Mobile Provisioner
Windows Mobile Provisioner
What does it do?
Allows users to rapidly configure their Exchange
ActiveSync settings in seconds via a single screen
Facilitates the easy configuration of device data
connections through the selection of a mobile operator
from a list
Displays mobile applications, ring tones and other
content that can be downloaded and installed on the
device
Allows administrators to push out patches, anti-virus
definitions, ROM packages, and other software to
selected devices
Sends device inventory, health metrics, and other
information to the server for analysis
Windows Mobile Provisioner Examples
Device Management Partners
Credant
CA
Odyssey Software
SOTI
Sprite Software
Sybase iAnywhere AvantGo
Synchronica
Trust Digital
Scenarios
User has accidentally deleted their GPRS
settings
SD Card, OMA CP, DTAS
Need to wipe the device contents over the air
MSFP
Revoke application in the ROM with known fault
OMA CP, OMA DM, System Management Server
Admin wants to find out the device configuration
– OS Version, Memory
OMA DM , DT ActiveSync, System Management Server
Handset Vendor has a fix
Image Update, OMA DM, SD Card, Web site, System
Management Server
Device Management Architecture
Review
OS Update
SI/SL
USB
Serial
USB
Serial
OTA
OMA
CP
XML/
WBXML
Image
Update
System
Management
Server
OTA
OMA DM
Messaging
and Security
Feature
Pack
Binary
Notification
OTA
Short Message
Service
RapiConfig
Sync XML/ Exchange XML/CAB/
ML CAB Air Sync
CPF
OTA
DATA
GPRS/1XRTT
(HTTP/S)
(HTTPS for Sync ML)
Windows Mobile Device
DeskTop
ActiveSync
SD
Card
CAB/CPF
SDIO
Q&A
ITP 401
Windows Mobile Enterprise Security Internals
ITP 310
Windows Mobile Enterprise Security Best Practices
ITP 307
Inside Microsoft: The Microsoft Corporate
Windows Mobile Architecture
ITP 311
Using Systems Management Server with
Windows Mobile Devices
ITP 302
Overview of Mobile Messaging with Windows Mobile
and Exchange Server 2003
Resources
Need developer resources on this subject?
Stop by the MED Content Publishing Team Station in the
Microsoft
Pavilion or Visit the MED Content Publishing Team Wiki Site:
http://msdn.microsoft.com/mobility/wiki
© 2006 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions,
it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation.
MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.