Introduction
Windows Mobile-based devices, including the Windows Mobile-based Smartphone and Windows Mobile-based Pocket PC Phone Edition, are ideal communications tools for busy corporate executives, sales people, managers, field engineers, and others who need to stay in close touch with e-mail, calendar, contacts, and corporate data while they’re on the move. Like laptop computers, such devices enable mobile users to work in multiple locations, such as their office, home, a hotel, a customer’s site, or while in transit using a familiar Microsoft® Windows® interface.
But Windows Mobile-based devices also offer several advantages not available from laptops. For example, they have a battery life long enough to be used all day without recharging, and they are compact enough to be used in a store or restaurant, while in a car, or while out with colleagues, family, and friends. Windows Mobile-based devices can access corporate data through mobile Line of Business (LOB) third party applications as well as via standard file shares. In combination with Microsoft Exchange Server 2003 ActiveSync® technology, Windows Mobile-based devices enable users to synchronize their e-mail, contacts, and calendar entries over the air—and to respond to urgent e-mail from any location that has wireless coverage. Windows Mobile-based Pocket PCs and Pocket PC Phone Edition devices can view and edit standard Microsoft Office Word and Excel documents, as well as send notes to Microsoft Office OneNote 2003 SP1. And of course, Windows Mobile-based Smartphones and Pocket PC Phone Edition devices can place and receive phone calls, including calls to contacts stored in corporate Exchange Server mailboxes.
The e-mail client built into Windows Mobile-based devices uses a variety of wireless connections, depending on the device, to send and receive e-mail while the user is on the move. For example, Windows Mobile-based Smartphone and Pocket PC Phone Edition devices use standard radios such as General Packet Radio Service (GPRS) or Code Division Multiple Access (CDMA). Certain devices also support Wireless Local Area Network (WLAN) connections through built-in or add-on WLAN adapters. Each time Exchange ActiveSync runs on the device, the client synchronizes with the Exchange Server 2003 mailbox server, sending and receiving any changes in e-mail, calendar, and contacts to and from the server, including any new mail that has arrived. Changes include new and deleted items, read/unread status, meeting request responses, and so on.
Because supporting Windows Mobile-based devices can involve networks and devices beyond the range of the traditional desktop/laptop, this white paper provides IT organizations with guidance regarding fully supporting these devices within the enterprise. Based on Microsoft’s experience in working with large enterprise customers, this paper addresses the complete enterprise lifecycle of a Windows Mobile-based device, including the infrastructure required to support the device, procurement recommendations, how to provision (configure) the device, support issues, security considerations, and how to decommission the device at the end of its lifecycle.
It is our hope that by reviewing the steps that Microsoft’s enterprise customers have taken to successfully deploy and support Windows Mobile-based devices within their organizations and adapting these steps to meet the needs of your enterprise, you will both improve the overall user experience and enable users to fully leverage the power of these innovative communications tools.
Infrastructure
One key difference between Windows Mobile-based devices and other mobile phones or PDAs is that Windows Mobile-based devices provide built-in access to any e-mail folders, calendar, and contact information stored on Exchange Server 2003, enabling users to synchronize this information between Exchange Server and the mobile device directly. To use this information exchange capability, users need to be able to synchronize their Windows Mobile-based devices with Exchange Server 2003. This section explains the infrastructure that your IT department needs to have in place for this synchronization to work.
Exchange Server 2003
Wirelessly synchronizing Windows Mobile-based devices using built-in Exchange ActiveSync requires at least one Exchange Server 2003 server in your messaging infrastructure. Note that your organization does not need to have Exchange 2003 fully deployed across the entire environment.
For information on setting up the necessary Exchange Server 2003 components, please see the Exchange Server 2003 deployment guide (particularly Chapter 8):
http://www.microsoft.com/technet/prodtechnol/exchange/2003/library/depguide.mspx
Also see the Exchange Server 2003 ActiveSync Architecture whitepaper:
http://www.microsoft.com/exchange/techinfo/administration/mobiledevices.asp
Note that earlier versions of Exchange Server do not offer the built-in synchronization capabilities: you must have Exchange Server 2003 for users to be able to wirelessly synchronize their Windows Mobile-based devices.
Active Directory
For ActiveSync to work, your infrastructure must include Active Directory® domain controllers. You also need to make sure that your Exchange Server 2003 servers are members of a Windows Active Directory domain.
The Active Directory domain controllers must run on either Windows 2000 Server with Service Pack 3 (SP3) or Windows Server 2003. Windows Server 2003 is recommended for best performance.
Software for Windows Mobile-Based Devices
Wireless synchronization requires a device running Windows Mobile 2002 or 2003 or later.
Internet Connectivity and Security
To synchronize, a Windows Mobile-based device makes an ActiveSync connection from the Internet or the corporate WLAN into a corporate server running Exchange Server 2003. To provide the necessary connectivity and security, the incoming Internet connection requires:
A wireless mail DNS name resolvable from the Internet—for example, www.mail.myco.com. This name, which can be the same for all Windows Mobile-based devices in the enterprise, is configured both on ISA Server and on each Windows Mobile-based device.
Port 443 opened at the external firewall to allow Windows Mobile-based devices to initiate a connection from the Internet into the enterprise. (Port 443 is the standard port for HTTPS, that is, HTTP over Secure Sockets Layer.)
SSL certificates on servers that terminate SSL connections and translate HTTPS to HTTP.
You may also utilize existing services or choose to deploy such services as:
A proxy server, such as Microsoft Internet Security and Acceleration (ISA) Server 2004, to intercept incoming Web requests from clients and redirect them to the Exchange Server 2003 mailbox server or front-end server (if used). This is sometimes referred to as Web Publishing or Reverse Proxy. In addition to standard Web Publishing/Reverse Proxy features, ISA Server can perform content inspection and filtering and can use the URLScan feature to check the incoming requests for valid commands and reject buffer overflow attacks.
A perimeter network (also known as a DMZ, or demilitarized zone) between the corporate LAN and the Internet. A DMZ is not required for Internet connectivity, but it’s often a requirement of security policy for corporations. The DMZ includes two firewalls—one interfacing to the public Internet, and the other interfacing to the corporate LAN. The DMZ can also include ISA Server as above.
Figure 1 shows a typical Exchange Server 2003 ActiveSync implementation.
Figure 1. Typical implementation for Exchange Server 2003 and ActiveSync
Infrastructure Support
Your organization will need to establish who is responsible for supporting the infrastructure. Typically, the corporate IT group handles this function. Infrastructure support provided by the corporate IT group usually includes:
Resolving ActiveSync problems experienced by users of Windows Mobile-based devices—for example, problems with synchronizing mail, calendar, or contacts. In attempting to resolve an ActiveSync problem, help desk technicians need to determine whether the problem is:
A mobile operator problem, in which case the help desk should direct the user to the mobile operator’s help desk.
A device problem, in which case the help desk should direct the user to the device help desk.
A problem with a user’s account or mailbox, in which case the help desk works with the user to resolve the issue.
An infrastructure problem, in which case the help desk works with the user to resolve the issue.
Proactively monitoring the infrastructure to catch and resolve potential problems before they result in server outages.
Serving as a clearinghouse for information about mobile operator or corporate WLAN outages.
Maintaining a database of all known symptoms in Windows Mobile-based devices and the appropriate resolution or workaround, in order to expedite future troubleshooting.
Training
In order to effectively support the infrastructure, the corporate IT group needs training in:
The Windows Mobile platform
ActiveSync usage and troubleshooting
Troubleshooting of other device features
The Microsoft Learning Web site (http://www.microsoft.com/learning/default.asp) includes courses and materials to assist, such as “Implementing and Managing Microsoft Exchange Server 2003” (http://www.microsoft.com/learning/syllabi/en-us/2400Bfinal.mspx).
The corporate IT group will also need a supply of Windows Mobile-based devices or emulators that can be used for troubleshooting and testing purposes.
For information on Windows Mobile 2003 emulators, see:
http://www.microsoft.com/downloads/details.aspx?FamilyId=5C53E3B5-F2A2-47D7-A41D-825FD68EBB6C&displaylang=en (for Pocket PC and Pocket PC Phone Edition)
http://www.microsoft.com/downloads/details.aspx?FamilyId=791BAE52-B057-4D72-B263-105534825CA5&displaylang=en (for Smartphone)
http://msdn.microsoft.com/mobility/windowsmobile/default.aspx for general information
Procurement
Purchasing Windows Mobile-based devices differs from purchasing most other types of equipment in four ways:
In the case of Windows Mobile-based devices, you are often purchasing not only equipment (the devices), but also a service plan.
You may need to offer users:
A choice of devices and form factors, since different users may need different feature sets
A choice of service plans, since the most cost-effective plan may depend on the individual’s usage pattern
A choice of mobile operators and/or WLAN “hotspot” providers, since different users may need coverage in different geographical areas
As new Windows Mobile devices are launched, new feature sets become available, service plans change, and usage patterns change, you should regularly reevaluate your offerings to make sure that they continue to meet users’ needs in the most cost-effective manner possible.
Corporate procurement may order and pay for the devices, or the end user may order and pay for them. End users who procure their own devices may then expense the purchase, depending on corporate policy. If end users are procuring their own devices, it is strongly recommended to issue corporate device standards to ensure that devices support the security, usability, and mobile application and data requirements of the corporation.
This section outlines the key issues you need to consider with regard to purchase of Windows Mobile-based devices and the associated service plans. It also describes the online purchasing tool that Microsoft uses to make it easy for employees to order devices and service.
General Considerations
Considerations in the procurement process include:
Coverage. Geographical coverage differs from one service provider to the next. Individual users will also have different coverage needs: for example, some may need international coverage, while others will not. At a minimum, you will want to make sure to provide good coverage in all locations where your company operates facilities.
Some large enterprises negotiate agreements with several national service providers to provide their users with a broad range of coverage options. They ask each mobile operator to provide coverage maps, so employees can choose the plan that best meets their needs.
Other enterprises negotiate an exclusive arrangement with a single national or international service provider—an approach that can result in better pricing. After obtaining coverage maps and outage data from several mobile operators, they choose the one that best meets their needs and negotiate an agreement. While it is sometimes not possible for a single mobile operator to meet the needs of all of the enterprise’s employees, it is generally possible to meet the needs of up to 80 percent of them. In that case, the organization can handle the remaining 20 percent on an exception basis.
Device selection. Employees who plan to use their Windows Mobile-based device for data entry (for example, to generate e-mail) may prefer a PDA (personal digital assistant) form factor, such as the Windows Mobile-based Pocket PC Phone Edition, with its larger, touch-sensitive screen. Those who use the device more for data consumption, such as reading e-mail, may prefer a traditional phone form factor, such as the Windows Mobile-based Smartphone. Line of business application requirements may also influence device selection based on factors such as screen resolution, available memory, expansion slots, and physical durability.
Service plan discounts. You can negotiate several different types of service plan discounts with mobile operators:
Number of lines/minimum annual commitment. You can receive discounts on both service and equipment by committing to a minimum number of lines or minimum annual dollar amount per year. (Some mobile operators base their discounts on one factor; some on the other.) In addition to negotiating discounts based on your current number of lines (or current annual dollar amount projection), it is helpful to include a provision that will increase the discount rate as your number of lines or expenditures grow.
Pooling of minutes. To obtain additional discounts on service, you can set up a special account that pools all employees’ minutes into a single account, enabling you to take advantage of the lower rates available for high-volume usage. This approach only works, however, if you have the mobile operator bill the company rather than the end user.
Flat rate, no minimum commitment. If your company typically uses a high volume of air time, you may be able to negotiate a flat rate—for all times of day and days of the week—without committing to either a minimum number of lines or minimum dollar amount. This option gives you the most flexibility for dealing with changes in the number of lines or airtime usage.
When working with multinational mobile operators, you may be able to negotiate a better discount by choosing an operator who services several countries, as your total call volume will be higher with this approach.
Corporate vs. individual billing. Organizations that negotiate service plans based on a minimum annual dollar amount may want to have the service provider pool all employees’ minutes into a single, consolidated billing statement. If you choose this approach, you need to have controls in place to ensure that you don’t continue to pay for phone service after employees leave the company.
Alternatively, you can negotiate a corporate discount but have the mobile operator bill employees individually. Employees whose managers are willing to reimburse them for the device and airtime can then submit monthly expense reports and be reimbursed.
Device discounts. You can negotiate device discounts separately from the service plan discounts. Although paying a discounted price for the device may require employees to stay with the service provider for a specified period of time, it doesn’t have to prevent them from moving up to a new device with better features when one becomes available: they may be able to purchase the new device at a discounted price by simply extending their period of commitment.
Device purchase procedure. The most convenient approach is to set up a purchasing tool, available on your intranet, that employees can use to purchase their devices at the negotiated discount rate through the selected mobile operator. In some cases, mobile operators that have retail stores near your offices will work with the staff there to enable your employees to buy their devices at the store and still receive the negotiated discount.
Length of commitment. If you decide to commit to a minimum number of lines or minimum annual dollar amount, the mobile operator may give you a choice of making that commitment for a one- or two-year period. Even though a longer commitment will give you a higher discount, some large enterprises choose a one-year commitment because it’s hard to predict usage that far in advance.
Early cancellation provision. If your organization expects the number of lines it needs to fluctuate, you may wish to negotiate a contract provision that allows you to cancel a certain number of lines without paying an early termination fee. Such a provision will give you the flexibility to respond to unexpected changes.
Early termination fees. Fees charged for terminating a contract early vary from one mobile operator to the next. In working with mobile operators that do charge termination fees, you may be able to negotiate lower fees as part of the contract negotiation process.
Frequent analysis. To keep your costs as low as possible, it’s important to analyze rate plans and usage on a regular basis. It may be helpful, for example, to perform random audits of managers to show them how their group’s costs compare to those of other groups. If your arrangement with the service provider involves a single, consolidated billing, you may also want to e-mail each employee’s charges directly to the employee, together with analyses that compare the employee’s costs to the company average.
Validation process. If you pay through a consolidated bill, you may want to have an electronic process in place to ensure that you are paying only for valid users (for example, that you aren’t paying for employees who have left the company). Such a process could compare employee IDs from the mobile operator billings with your current list of employees and generate a list of any mismatches.
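The billing control described under “Corporate vs. individual billing” and the validation process above, carried through as an added example that is not part of the white paper or any Microsoft tool. It reconciles a constructed operator bill against a constructed HR roster; the CSV column names, the employee-ID format and every sample record are assumptions, since real operator exports and HR feeds differ.

```python
"""Reconcile a mobile operator's consolidated bill against the current
employee roster so that lines belonging to departed or unknown people
are surfaced before the invoice is paid.

Added example, not part of the original white paper. The CSV column
names, the employee-ID format and all sample records are constructed
assumptions; real operator billing exports and HR feeds will differ.
"""
import csv
import io
from collections import Counter
from decimal import Decimal

# Constructed sample: one month of a consolidated operator bill, one row per line.
BILLING_CSV = """employee_id,line_number,rate_plan,monthly_charge
E1001,425-555-0101,Pooled 400,54.99
e1002 ,425-555-0102,Pooled 400,54.99
E1002,425-555-0103,Pooled 400,54.99
E1005,425-555-0104,Unlimited Data,79.99
E2999,425-555-0105,Pooled 400,54.99
"""

# Constructed sample: the HR roster, including a recently departed employee.
ROSTER_CSV = """employee_id,name,status
E1001,Alice Example,active
E1002,Bob Example,active
E1005,Carol Example,terminated
"""


def normalize_id(raw):
    """Operator exports are often hand-keyed; compare IDs case- and space-insensitively."""
    return raw.strip().upper()


def load_roster(roster_text):
    """Map normalized employee ID -> employment status from the HR feed."""
    reader = csv.DictReader(io.StringIO(roster_text))
    return {normalize_id(row["employee_id"]): row["status"].strip().lower() for row in reader}


def reconcile(billing_text, roster_text):
    """Return the mismatches a billing validation process should surface.

    unknown:        billed IDs that HR has no record of (typo, contractor, or an
                    orphaned line nobody owns)
    terminated:     billed IDs belonging to people who have left the company
    extra_lines:    IDs carrying more than one line (may be legitimate, worth a look)
    wasted_monthly: total charge for the unknown and terminated lines
    """
    roster = load_roster(roster_text)
    reader = csv.DictReader(io.StringIO(billing_text))
    unknown, terminated = [], []
    line_counts = Counter()
    wasted = Decimal("0")
    for row in reader:
        emp = normalize_id(row["employee_id"])
        charge = Decimal(row["monthly_charge"].strip())
        line_counts[emp] += 1
        status = roster.get(emp)
        if status is None:
            unknown.append((emp, row["line_number"]))
            wasted += charge
        elif status != "active":
            terminated.append((emp, row["line_number"]))
            wasted += charge
    extra_lines = {emp: n for emp, n in line_counts.items() if n > 1}
    return {
        "unknown": unknown,
        "terminated": terminated,
        "extra_lines": extra_lines,
        "wasted_monthly": wasted,
    }


def format_report(result):
    """Human-readable summary for whoever owns the operator contract."""
    lines = []
    for emp, number in result["unknown"]:
        lines.append(f"UNKNOWN    {emp:<8} {number}  (no roster record; verify or cancel)")
    for emp, number in result["terminated"]:
        lines.append(f"DEPARTED   {emp:<8} {number}  (cancel line, recover device)")
    for emp, count in sorted(result["extra_lines"].items()):
        lines.append(f"MULTI-LINE {emp:<8} {count} lines billed")
    lines.append(f"Monthly charge on invalid lines: {result['wasted_monthly']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(reconcile(BILLING_CSV, ROSTER_CSV)))
```

The same roster comparison can feed the decommissioning step: a line flagged DEPARTED is also a device that should be collected or wiped.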
Online Purchasing Tool
Microsoft employees use an internally-developed online purchasing tool to order devices and service. The steps for using this tool are as follows:
The employee goes to an internal purchasing portal, which provides mobile operator, device, and service plan information: everything necessary to help the employee make the best choice for his or her situation.
The employee completes an online form to select the desired device, service plan, and features. The purchasing tool walks the employee through each step of the purchase, determining whether the purchase is for an existing or new line, which rate plan and features the employee wants, what the employee’s home area code is, and so forth. In this way, the purchasing tool ensures that the mobile operator will have all the necessary data.
The employee completes an individual service agreement and supplies personal credit card information in order to set up an account. The application automatically applies corporate discounts to the purchase and sends it to the mobile operator.
The mobile operator fulfills the employee’s device and service order, sends an acknowledgment, and bills monthly charges to the employee’s home address. Employees who have their manager’s approval can submit expense reports and be reimbursed.
The purchasing tool is used only to place orders, not to cancel or change plans. So if an employee later wants to make any changes—for example, to move to a different service plan—he or she contacts the mobile operator to cancel the existing plan, and then uses the purchasing tool to set up the new plan.
If employees need assistance with the purchasing application, the site instructs them to contact the purchasing help desk if the question relates to Microsoft policy. If it relates to a mobile operator issue, the site instructs them to contact the mobile operator’s Microsoft account manager. The purchasing portal provides contact information in both cases.
Some Microsoft offices do not have access to the online purchasing application. In such cases, the mobile operator’s Microsoft account manager may come to the office and help employees complete the paperwork—or they may arrange to have a nearby retail store provide the Microsoft discount to employees.
Provisioning
To send and receive data—and synchronize over the air with Exchange Server —a Windows Mobile-based device must be configured with the necessary information. This section describes the options for provisioning Windows Mobile-based devices. The steps are the same whether you are provisioning a new device for the first time or reconfiguring an existing device (for example, in a case where the user wants to change from manual to automatic synchronization or has inadvertently entered the wrong settings, causing the device to be unable to synchronize).
Web-based Provisioning
Microsoft’s Internal Provisioning Tool
Microsoft has developed an internal Web-based provisioning tool for employees to input the necessary configuration information and automatically configure their Windows Mobile-based devices. In addition, some mobile operators provide an Internet-based tool to enable users to configure their ring tones, themes, Internet Explorer favorites, and other settings to enhance their overall experience.
Configuring a data connection. To configure the device to send and receive data, the steps are as follows:
1. With the mobile device in the cradle and turned on, the user goes to the Web site portal and clicks the Data Connection link.
2. The provisioning tool prompts the user to select the appropriate mobile operator.
3. The user submits the request.
4. The provisioning tool sends the user a .CAB or .CPF file. (Unlike the ActiveSync provisioning process, these steps do not involve transmission of sensitive information; therefore, no PIN is required.)
5. The user sends the .CAB or .CPF file to the cradled device and installs it. This completes the configuration process; the user can now send and receive data.
Configuring over-the-air Exchange Server 2003 synchronization. To configure a Windows Mobile-based device to synchronize with Exchange Server, the steps are as follows:
1. With the mobile device on and ready to accept SMS messages, the user goes to the Web site portal and clicks the Exchange ActiveSync link.
2. The user selects the mobile device type (Windows Mobile Pocket PC Phone Edition 2002 or 2003, or Windows Mobile Smartphone 2002 or 2003).
3. The user enters the following information: e-mail alias, domain, password, server, and phone number. (The provisioning tool prompts the user to enter the password twice to ensure that it is entered correctly.)
4. The user submits the information.
5. The provisioning tool supplies the user with a PIN.
6. The provisioning tool sends an SMS message to the device with a link to download a .CAB or .CPF file.
7. Once the file is downloaded, the user opens the file and enters the PIN, which causes the file to be installed. This completes the configuration process; the user can now synchronize the device with Exchange Server.
Creating a Provisioning Tool
Large enterprises may find it helpful to create an online provisioning tool to assist employees with the configuration process. While it’s possible to provision Windows Mobile-based devices manually by e-mailing users step-by-step instructions and having them key in the necessary information, using a provisioning tool generally results in fewer errors and fewer support issues. A provisioning tool can also be useful as a troubleshooting step in situations where the user was previously able to synchronize and now can no longer do so. In such cases, the help desk may use the tool to reconfigure the settings on the device and see if that resolves the problem.
If you create a provisioning tool, be sure to include these items:
Enterprise-specific account data, such as the server name of the Exchange Server machine, domain name, and user account ID and password.
GPRS and/or WLAN settings. In synchronizing over the air with Exchange Server, GSM-based devices use a data connection to transmit and receive data. To be able to access the Internet, GSM devices need to be configured with the proper GPRS settings. New devices purchased from a mobile operator may already be set up to access the Internet, so you won’t have to deal with configuring the GPRS settings. But users who move a SIM card from an old GSM device to a new one will have to contact the mobile operator’s help desk to find out the proper GPRS settings. Also, users with Windows Mobile devices utilizing WLAN connections (operating over either built-in or add-on WLAN radios) may need to configure settings such as Wired Equivalent Privacy (WEP) keys, Service Set Identifier (SSID) information, etc.
Synchronization preferences. The provisioning tool should ask which items (e-mail, calendar, contacts) the user wants to synchronize. In the case of e-mail and calendar, it should ask whether items in the past should be synchronized or not—and, if so, how far back. In the case of e-mail, it may be helpful to specify a maximum message size and attachment handling if you have not chosen an unlimited data plan.
Synchronization schedule. Should the device be set up to synchronize automatically, without user involvement? If so, should this autosynchronization occur only when the user is not roaming, or during normal business hours? And how frequently should auto-synchronization occur? The answers depend both on the needs of the individual user and on the service plan details. For example, some service plans allow for unlimited amounts of data to be transferred back and forth, while others charge according to the amount of data transmitted. Your organization may want to set policies regarding who qualifies for autosynchronization and how to determine autosynchronization frequency.
SMS message delivery. To transfer the configuration information to the device, at the end of the process the provisioning tool sends the Windows Mobile-based device an SMS message that contains a link to a Web site containing the configuration data. Using the device, the user navigates to the designated Web site and is prompted to download a file. Once downloaded, the file installs the configuration data on the device.
For more information on creating CAB Provisioning Files, please visit http://msdn.microsoft.com/library/default.asp?url=/library/en-us/amo_ppc/htm/creating_a_cab_provisioning_format_cpf_file_zvvq.asp.
If the Provisioning Tool Doesn’t Work
If, at the conclusion of the provisioning process, the user is unable to browse to the Web site and download the configuration settings, the problem may be due to any of a number of factors:
Incorrect GPRS settings. If the data settings on the Windows Mobile device are incorrect, the user won’t be able to access the Internet. This may be the case, for example, if a user has transferred an old SIM card to a new GSM phone. In such a case, the user should first be referred to the service provider’s help desk to get the proper data settings. The user can then supply this information to the corporate IT help desk, which in turn can help the user manually enter the proper settings into the device.
WAP access only. If the user’s data plan allows Internet access only through the Wireless Application Protocol (WAP), the user will be able to receive the SMS message and retrieve the configuration settings, but will not be able to synchronize over the air. In such a case, the help desk should refer the user back to the mobile operator to choose a plan that allows standard Internet access.
Storage Card (SD or MMC) Based Provisioning
The configuration of data settings, Exchange Server name, and so on contained in the .CAB or .CPF file can also be saved to an SD card instead of being sent via SMS. When the user receives a Windows Mobile device, he or she inserts the SD card and an autorun invokes the .CAB or .CPF file. The following MSDN article details how to use an autorun:
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/guide_ppc/html/ppc_programming_pocket_pc_2002_balr.asp
See the Windows Mobile developer center on MSDN for more information:
http://msdn.microsoft.com/mobility/windowsmobile/default.aspx
Corporate IT, Mobile Operator, or OEM Provisioning
Using Web-based provisioning, Storage card based provisioning, or manual configuration, the Windows Mobile device can be provisioned prior to distribution to the user. This pre-provisioning can be carried out by the corporate IT group, the selected mobile operator, or even by the Original Equipment Manufacturer (OEM).
Support
Once a Windows Mobile-based device has been procured and provisioned, support must be available until the device is no longer in use. Supporting Windows Mobile-based devices is somewhat different from supporting other nodes in the corporate network (desktops, laptops, etc.) in that the process can involve multiple help desks: your corporate IT support group, the mobile operator’s help desk, and the device manufacturer’s help desk.
While there is a certain amount of overlap in the kinds of problems each help desk addresses, each has its own areas of focus:
Corporate IT support. Enterprises often set up a help desk within the corporate IT department to handle problems related to the IT infrastructure, such as:
Provisioning devices with the proper settings
Problems with over-the-air synchronization of mail, calendar, and contacts (for example, if a user can connect to the server but can’t synchronize)
Problems with sending and receiving mail
Corporate account problems (such as an invalid password or the account being locked out)
Patches and operating system upgrades
Your organization may choose to support a broader or narrower set of problems—but you should clearly define the support boundaries, so technicians will know when to troubleshoot a problem and when to refer the user to a different help desk.
Mobile operator’s help desk. The corporate help desk should refer users to the mobile operator’s help desk for problems involving connectivity, such as:
Problems with the wireless service account (for example, if it’s not enabled for GPRS)
Problems with making voice calls
General data connectivity issues
Web browser problems
Problems with text messaging (SMS messages)
Questions about the rate plan
Device manufacturer’s help desk. The corporate help desk should refer users to the device manufacturer’s help desk for problems related to hardware and software functionality. (It should be noted, however, that the device manufacturer’s help desk will deal only with software installed by the device manufacturer and, on some occasions, by the mobile operator, not with additional software that users may download.) Examples of issues handled by the device manufacturer’s help desk include:
Features and functionality of the device.
Web browser functionality, such as navigating to a site or setting a home page. (Note, however, that network issues, such as connectivity or password problems, will be referred back to the mobile operator.)
Problems with the media player, file manager, Pocket Office applications such as Pocket Outlook, and other built-in device programs.
Problems with built-in accessories, such as a camera.
Because some user problems will be outside the boundaries of your corporate help desk, we recommend that you set up a standard set of guidelines to assist corporate help desk technicians in determining whether the issue is within or outside of their scope. For example, if the user can’t make a voice call or browse the Web, the guidelines would suggest referring the user to the mobile operator’s help desk.
If a problem falls within the boundaries of the corporate help desk but the technicians can’t resolve it, they can consult their normal support channels such as Microsoft Product Support Services.
Security
While most users understand the security implications of allowing unauthorized users to access their laptop PCs, they may not realize that having their mobile device fall into the wrong hands poses similar risks. Windows Mobile-based devices can store large amounts of data and connect to a broad spectrum of networks, making them as important and sensitive computing platforms as laptop PCs.
Security risks represented by lost or stolen Windows Mobile-based devices include:
Access to sensitive data stored on the device. Data may be stored in the device itself or in storage cards that fit into the device’s expansion slot. It’s possible that some of the data stored in the device or cards will be sensitive business information that you wouldn’t want to fall into a competitor’s hands or become public knowledge.
Even if a user stores only contacts and calendar data on a Windows Mobile-based device, loss of this data could pose security risks. For example, the notes in an executive’s calendar can describe the background of different meetings, which could range from fixing internal problems to addressing customer issues to merger and acquisition discussions. At best, it could be embarrassing if this information were to become public. Similarly, negative consequences could result from an employee’s contact information falling into the wrong hands. For example, if a device is stolen by a competitor, the contact information in it might be used to hire away key staff members.
Access to data stored on corporate networks. An unauthorized user gaining access to an employee’s mobile device could access not only data stored on the device itself, but also potentially data on any corporate networks that the employee has the authority to access.
Malicious software. While mobile devices have yet to become a significant target for viruses, Trojan horses, and worms, such threats are beginning to occur. Also, even if the devices themselves aren’t affected by such code, when they connect to a corporate network, they can serve as transport mechanisms for passing destructive software on to other systems within the enterprise.
Ability to impersonate the authorized user. As with any mobile phone, if an unauthorized user gains possession of an employee’s Windows Mobile-based device, that person could make phone calls that would appear to be coming from the employee. Unlike with standard mobile phones, the unauthorized user might also be able to send e-mails that would appear to be coming from the employee. These phone calls and e-mails could have legal consequences for the company.
These are some of the reasons why it’s important for an enterprise to formulate a corporate security policy addressing the various risks posed by mobile devices, and to make sure that employees take the necessary security precautions. This section provides security recommendations based on Microsoft’s experience with its business customers, including recommendations for physically securing the device, protecting data stored in the device, protecting data in transit, and protecting the corporate network.
In addition to establishing the necessary security policies and procedures, we recommend that you also provide training to educate employees on the risks they and the company face if these procedures are not followed.
Physically Securing the Device
A key step that your corporate security policy should address is the need to physically secure the device against unauthorized access. This can be done in two ways:
Power-on authentication. One of the most important steps you can take is to require that all Windows Mobile-based devices have a power-on password or PIN (personal identification number), so they cannot even be powered on by an unauthorized user. You will have to either educate users thoroughly as to the risks they face by not taking this step when they first receive their phone (for example, the risk that someone will make phone calls or send e-mails in their name), or else purchase third-party software that will require entry of the PIN before allowing the device to power up.
Auto-lock. To minimize any damage that an unauthorized user might do, you can set up Windows Mobile-based devices to automatically lock up after a certain period of time, requiring the user to re-enter the password in order to unlock the phone. This will protect devices that are lost while turned on.
Protecting Data Stored on the Device
As mentioned above, mobile devices with SD and/or MMC cards can store up to several gigabytes of data, so it’s important to make sure that the data stored in employees’ devices is protected. To provide the necessary protection, your corporate security policy for Windows Mobile-based devices should address:
Data encryption. One way to protect stored data is by encrypting it. Your corporate policy should address which kinds of data need encryption. For example, you may categorize data as being for general business use, for internal use only (such as phone lists), and confidential/proprietary, and then establish encryption policies for each category.
Auto-run applications. Some memory cards are set up to automatically run specific programs on power-up (see “Storage Card Provisioning” above). If your organization prefers to turn off this functionality, you can use the built-in Prevent Memory Card Auto-Run function to do so.
Protecting Data in Transit
Users who download ring tones or add-on software to their mobile devices may be unaware of viruses, worms, or Trojan horses included in the download. Such malicious software, if allowed to execute, could do a great deal of damage—both to the user and to your corporation. For example, a Trojan horse might send a message to a hacker every time a user adds a contact, makes a phone call, or enters meeting data, allowing the hacker to track everything the user does. Similarly, synchronizing e-mail might introduce a virus or worm into your company’s Exchange Server systems. To protect your organization from such malicious software, your security policy should include steps such as:
Encryption during synchronization. To protect data being transferred between Exchange Server and Windows Mobile-based devices, Microsoft recommends that all remote access be done over an SSL (Secure Sockets Layer)-encrypted link. This is the default for Exchange ActiveSync.
Signed applications. You can set up Windows Mobile-based Smartphones to allow only signed applications to be loaded onto the devices (for example, applications with a mobile operator certificate). In this way, you can be assured that any applications on the device will be from known-good sources. (Note: At the present time, this capability applies only to Smartphones, not to Pocket PC Phone Edition.)
Antivirus software. Because viruses can be transmitted through e-mail, you may choose to install antivirus software not only on your Exchange Server systems, but also on all devices—or, at a minimum, to have the software ready for immediate deployment over the air in the event that a viral intrusion occurs.
Protecting Your Network
Good firewalls are an essential part of any network defense. In the Infrastructure section, above, under Internet Connectivity and Security, we describe the DMZ, which includes two firewalls: one between the public Internet and ISA Server, and a second one between ISA Server and the corporate LAN.
Other Security Policy Issues
In addition to the security policy provisions discussed above, your corporate security policy should address:
Who can use your device besides yourself? For example, can you hand it to a colleague who needs to make a call? A client? What about family members?
What are the appropriate uses for your device? For instance, can you use it to make personal phone calls? You may want to specify different uses depending on the user’s profile.
What if your device is lost or stolen? Whom do you notify? What steps do you need to take? The procedures you want people to take in these circumstances should be noted in your corporate security policy. See the section on Decommissioning for specific recommendations in this regard.
What happens when you no longer need your device? Again, the steps users need to take in this situation need to be noted in your corporate security policy. See the section on Decommissioning for more information.
Decommissioning
At the end of its lifecycle, a Windows Mobile-based device must be decommissioned. We use the term “decommissioning” to cover all the situations in which a device is no longer in use, including cases where the phone has been lost or stolen; where the user is leaving the company; or where the user is replacing it with a new device.
In the Security section, we talked about the many security risks to which a company can expose itself if a mobile device falls into the wrong hands. In addition, there is the risk of significant monetary loss, factoring in the cost of the device, an associated SIM card if on a GSM network, software on the device, the staffing time required to set up a new device, and the possibility that an unauthorized user may make unlimited phone calls and browse the Internet extensively.
For all these reasons, we recommend that you establish a corporate policy that spells out the steps to be taken when a Windows Mobile-based device is to be decommissioned. The specific steps may differ according to whether the phone has been lost or stolen or simply is no longer needed by the current user.
Devices That Are Lost or Stolen
You may want your decommissioning policy to include the following steps for mobile devices that are lost or stolen:
Notify Security.
Contact the mobile operator and suspend or terminate the service.
Notify your manager.
File a police report (insurance companies often require this step before they will reimburse you for the loss).
Devices That Are No Longer Needed
For Windows Mobile-based devices that are no longer needed, it’s helpful to include the following steps in your decommissioning policy:
Perform a master reset (sometimes referred to as a “cold boot”) to remove all data and applications from the phone.
Remove any removable media, as the master reset will affect only the data on the device itself, not data on storage cards. Erase the cards by formatting them in a Windows-based PC, using an adapter available for this purpose.
Return the device and removable media to your manager.
Contact the mobile operator and terminate the service—or, if the device is being given to another user, change the Exchange ActiveSync settings to those of the new user and transfer the service to that account. (This can be accomplished through any of the Provisioning methods mentioned above.)
If your mobile phone number is a primary point of contact for you, ask the mobile operator to transfer it to your new device and assign a new number to the old device. Note—if the device operates using Global System for Mobile Communications (GSM), then you can simply remove the Subscriber Identity Module (SIM) card from the old device and transfer it to the new GSM device.
For devices that are no longer needed by anyone in the company, dispose of them in an environmentally responsible manner—turning them over to an electronics recycler or a non-profit group which provides devices to the disadvantaged. As with all mobile devices, Windows Mobile devices contain heavy metals, chemicals, and other toxic materials and should not be disposed of in landfills.
Conclusion
Windows Mobile-based devices offer users numerous advantages not available in conventional mobile phones and PDAs, including the ability to run line of business applications, to browse the Internet and to synchronize e-mail, calendar, and contacts over the air. While these advantages can significantly increase employees’ productivity, the sophistication of these devices can also create some unique challenges for IT organizations.
This paper has outlined the challenges at each stage of the device’s life cycle and provided guidelines for addressing those challenges, based on the experience of Microsoft’s large enterprise customers. By following the recommendations outlined here and adapting them as needed to fit your organization, you will be able to minimize the cost and burden on your IT department while maximizing the user’s experience.