EveryWAN Mobility Manager

I have blogged about the EveryWAN Remote Support Personal Edition utility previously on the blog (http://blog.brightpointuk.co.uk/everywan-remote-support-personal-edition) - a free tool that provides extensive control over your connected Windows Mobile PDA directly from your desktop PC.

EveryWAN Mobility Manager is the big brother of this utility which is now available for a 30-day free trial from the developer's web site, Sparus Software - http://www.sparus-software.com/. This server-based application provides a complete solution for managing a fleet of Windows Mobile-based PDAs remotely.

With the recent release of version 3.0 of the software, and Sparus-Software's nomination by Microsoft as their Startup Company of note (http://www.microsoftstartupzone.com/Blogs/Microspark-BizSpark-Startup-of-the-Day/Lists/Posts/Post.aspx?ID=47), I thought it was high time I installed the software and posted my findings to the blog.

Features

The EveryWAN Mobility Manager Suite is composed of three distinct products:

• Mobility Manager - device configuration and application deployment server
• Remote Support - real-time device control
• Device Provisioning - automatic OTA device "enrollment"

EveryWAN Mobility Manager

Architecture

The EveryWAN solution is a server-client model, that does require an Internet-facing server, and client software on the PDA devices which communicates with this server.
All client-server communications can be secured using SSL, on a port that can be defined by the administrator. All data exchanges are also compressed enabling the solution to be used even over low-bandwidth connections such as GPRS.
In order to integrate the solution with domain authentication sources, the required ports should be open between the EveryWAN server and LDAP servers or domain controllers.
A DMZ deployment is possible should you not to wish to open firewall ports directly to the LAN, where the EveryWAN server is located on the internal network behind a proxy server located in the DMZ.

Prerequisites

The EveryWAN Mobility Manager can be installed on either Microsoft Windows Server 2003 SP2 or equally on Red Hat Enterprise Linux v4.0 or later.

PostgreSQL v8.2 is the database back-end installed by default by the EveryWAN solution, but alternate supported database platforms include:

• MySQL v5.0
• Microsoft SQL Server 2005
• Oracle 10
• DB2 v9.5 or later

Installation

Launch the autorun.exe splash screen loader from the CD or from within the contents of the extracted ZIP file if you downloaded the application:

Select the option to install the Mobility Manager. You will be prompted to specify your installation language, accept the terms of the license agreement and specify where o wish the program files to be copied to. By default the solution will use a local installation of Postgre SQL to create the database 'back end'. If you wish to use an alternate database, untick the option to install the Database Server:

If you do opt to use Postgre SQL, during the installation you will be prompted to enter the details of the default system account:

When warned that the password entered for the service account is not strong enough, allow the wizard to generate a random password for the installation wizard automatically, otherwise the installation may not complete successfully.

Once the database engine is installed, you will the be prompted to enter your license details. This information is stored in a separate license file which you will be most likely receive via email from Sparus Software:

It is this file that determines which of the features of the Suite that you will be allowed to access.

You can now enter the details of the database itself that the Mobility Manager solution should use:

Next you can specify which protocols the server is to be accessible via from the outside world:

The Mobility Manager installation includes an installation of the Apache Tomcat web server software, so there is no need to configure IIS on the Windows Server. During the installation the necessary SSL certificates will be generated automatically.

Finally, the authentication mechanism can be specified. A default username and password can be specified using Mobility Manager's own authentication scheme, or the solution can be integrated into an existing LDAP source, including Active Directory and Lotus Domino:

Client Installation

The client installer package is accessed by browsing to http(s)://(everywan_server)/everywan/setup.cab from within the browser on the PDA itself. This CAB package is generated automatically during the server installation and is configured with the details of the server's external DNS name as specified during the server installation. This link can be entered in manually by the user, or could be sent via SMS text message or via email.
Installation does not require any interaction from the user, once installed, the PDA will be rebooted.
A new icon is added to the Programs folder, and the client will launch automatically at startup. When run for the first time the user will be prompted to enter their username and password:

As we saw earlier, Mobility Manager can be integrated with an existing LDAP source, including Active Directory, or a common, default, username and password can be used. The EveryWAN solution also allows for anonymous users, which does not require the entry of a username or password, instead the device itself is authenticated rather than the user. Device details can be imported into the server (serial number and IMEI number) from a text file.

Once authenticated, the device will initiate a connection to the server automatically:

Once the client is installed, an icon is added to the status bar at the top of the screen but is otherwise very unobtrusive and there are no settings for the user to alter, other than the username and password.

Administration

The Mobility Manager server is administered via a web interface, accessible via http(s)://(everywan_server)/everywan:

Once logged in using the default admin username and password specified during the server installation, a summary screen is displayed on the General tab:

Configuration

All configuration of the solution is done via the web interface. Users and Groups can be defined:

A list of connected devices is displayed. New devices can also be defined manually or can be imported from a text file:

Tunnels

The first item that needs to be configured is a Tunnel. Tunnels are used to control which configuration packages are assigned to which devices or groups. Tunnels can be restricted to specific client IP addresses and can be restricted to specific access types if they contain large amounts of data:

NOTE - a special built-in tunnel type is available for Remote Support, I shall look at this in a moment.

Once a tunnel has been created, individual configuration packages can be assigned to it. Configuration packages can fall into one of the following categories:

• Registry configuration
• XML package
• Software deployment

Registry Configuration

On the Registry tab, a representation of a typical device registry is displayed:

From here the administrator can define new String or Key values:

There are also a number of pre-defined wizards built into the solution that allow the administrator to enter the required registry key details for common tasks:

From here the EveryWAN client itself can be configured with details of the network types via which it should be allowed to connect to the server:

The EveryWAN client itself can be uninstalled remotely if desired via a registry configuration:

Automatic connection schedules can be defined on the client:

A phone number can be specified within the client to enable SMS "wake-up" messages - should the client PDA receive an SMS from the number specified, it will automatically initiate a connection to the server provided that a connection to the Internet is available:

The settings for Microsoft Exchange Server ActiveSync direct push can be defined automatically on the Mobility Manager server and be delivered to the client device:

Roaming behaviour can be defined:

Preventing users from using the solution when abroad, if desired, to avoid amassing large call charges.

XML Packages

On the XML tab, custom XML scripts can be built and saved, ready for delivery to the client. XML scripts allow the administrator to control virtually any element of a Windows Mobile-based PDA's functionality by creating and editing registry information, using the industry-standard OMA-CP protocol: be it enabling or disabling hardware elements on the device, blacklisting applications or whatever. This feature does require that the administrator know the correct format in which to structure the XML code, but documentation is available on the Microsoft web site, and the Mobility Manager solution has a number of common tasks pre-defined within the administration interface:

GPRS/3G and WiFi access points can be defined:

Network connection settings can be defined:

The device camera can be enabled or disabled:

Certificates can be delivered to the client and installed into the appropriate certificate store:

Applications can be uninstalled (provided that you know the name of the application as it appears in the 'Remove Programs' list):

Or custom XML scripts can be defined:

Software Deloyment

On the Software tab, CAB package application installers ca be specified and delivered to client devices:

Deployment

On the Deployment tab, individual deployment packages can be created. This is where you specify which of the configurations you have defined should be available to which users or groups:

Once defined, you can trigger an automatic deployment by clicking on the Deploy button. This will automatically update all connected client devices that have been associated with that deployment package.

Once a device has connected once to the Mobility Manager server, information about that device is available within the properties of that device on the Devices tab, including hardware inventory information as well as an inventory of the applications that are installed on that device:

A history of the configuration packages that have been applied to the device (both successfully and unsuccessfully) is available:

Devices can also be remotely 'killed' from the Mobility Manager server in the event that they are reported lost or stolen:

Reporting

A number of pre-defined reports can be run from the Mobility Manager web interface and which are generated using a local installation of the Crystal Reports runtime environment:

Reports can be exported.

EveryWAN Remote Support

Remote Support is an additional, optional, component of the Mobility Manager Suite, and is a Windows-based PC application that provides support staff with real-time control over the remote devices, provided that they are connected to the Mobility Manager server. Similar in functionality to the EveryWAN Remote Support Personal Edition application, this provides instant access to device system information allowing support staff to view and kill running processes, enables file transfer to the remote device from their workstation or the server, provides remote access to the device registry as well as real-time access to the device screen and input hardware.

Device screen capture and video recording capability is also available making this is an excellent support tool. Live annotations using a "shared whiteboard" and VoIP-based voice communications between mobile end users and helpdesk personnel is also available.

EveryWAN Secure Device Provisioning

This is another optional component of the Mobility Manager Suite that provides for a stronger encryption method for securing the exchange of data between the client and the server, and also for enforcing local data encryption on the device.
Mutual authentication between clients and the EveryWAN server can be enforced using PKI key infrastructure base don X509 v3 certificates. Local data encryption can be enforced either by invoking an encryption application already present on the device, or by automatically downloading one to the client and silently installing it.
Power-on password usage can also be enforced on the device.

Addendum

Version 3.1 has been released. New features include:

Security Policies

• Application blacklist wizard: the administrator can prevent any unauthorised application from running on the PDA
• Authorised installation policy wizard: multi-tier security can now be achieved allowing an administrator to allow only Sparus signed (or Operator signed) applications to be installed on client devices
• Remote device lock: require that a PIN be entered on client devices before they will unlock (useful for preventing access to devices that are suspected of being lost or stolen, but allowing the user time to search for the device before issuing a remote wipe command). PINs can be assigned remotely by the administrator

Windows Mobile 6.1 / 6.5-specific Policies

• Ability to disallow the use of wireless
• Ability to disallow the use of Bluetooth
• Ability to disallow the use of the camera

File / Registry Policies

• File / directory removal wizard
• Registry key / value removal wizard

EveryWAN Server Extensibility

• Web Services API for remote device wipe
• Web Services API for remote device lock
• Web Services API for terminal specification retrieval (memroy, screen, OS version, CPU, etc)
• Web Services API for user property retrieval (as defined in the company address book, for example)

User Interface Improvements

• Simplification of the steps required to erase or lock a remote device
• Client Strong ID prompt no longer appears if the administrator has not implemented the Secure Device option
• Improved informational messages if console load times are too long

Package Deployment Improvements

• An administrator can now specify a package deployment order. It is therefore now possible to run a script that will first stop a selected application, deploy an update, and then restart the application automatically
• Additional rules-based deployment criteria added:
  • Directed by the administrator (see below)
  • Greater battery level (ie deploy only if the battery level is greater than the defined value)
  • Presence of file or directory (ie deploy only if the specified file or directory does not exist)
  • Presence or value of a registry key (ie deploy only if the key does not exist or is greater than the defined value)
• Script flexibility in the file deployment options
  • Definition of action to take when creating files (replacement, keep old file)
  • Selection of destination directory (including directories translated into the language of the operating system, such as 'My Documents')
  • The ability to modify the file attributes (read-only, hidden)
  • Import and export files in the database server (to retrieve a file that was accidentally deleted, for example)
  • Ability to define actions performed on the EveryWAN client installer CAB file following an installation (delete immediately)

NEW - Introduction of client extensibility with EveryWAN Business Process Scripting

Version 3.1 of EveryWAN Mobility Manager introduces a new client-side scripting capability, based on the MortScript language, allowing complex client-based scripts to be created, deployed and managed centrally. Features include:

• The scripting engine is integrated with the EveryWAN client and is installed transparently with no further action required by the user or administrator
• Scripts can be run both online and offline
• Secure script delivery - only scripts signed by the EveryWAN server will be executed. Any other script will be ignored by the engine, adding an extra level of security
• Scripts are deployed as a file with specific options, from within the file deployment interface of the administration console

Example uses of EveryWAN client scripting include:

• test and rotate screen orientation before launching an application
• enable Bluetooth before launching an application, and disable at the end of execution
• keep the screen's backlight permanently active while an application is running
• enable the Internet connection before launching an application
• terminate an application or process
• automate application installation, simulating keystrokes and screentaps
• deploy an application without installing it, and install it automatically 15 days later
• backup and restore user data to SD card (eg My Documents / messaging data)
• display warning messages on certain events (eg low battery / low memory)
• manipulate files on the client device (eg copy / move / rename / delete)
• data fading (hard reset the client device if it has not connected to the server within x number of days)
• create a 'self-test' tool for users if their device is not able to connect (eg test the Internet connection)

Improved Hardware Inventory

EveryWAN can now retrieve the size of the screen, the user's language, memory total / available / used, etc. This data can be used in the conditional deployment engine (ie, scripts can determine the resources available on a client device automatically and then choose to process the rest of the script or stop, based on the information returned). These resources can all also be grouped by type within the admin interface for easy viewing and comparison.

EveryWAN Agent

The 'Reconnection in case of failure' policy can now be changed to improve battery life.

EveryWAN Remote Support

New features include:

• Support for HTTP Proxy Server for Remote Support connections
• Selectable pencil colour for "write on screen" feature. Previously this was restricted to blue
• Use keyboard shortcuts in the application, with the option to disable these shortcuts if required
• Option to include recording of device skin in screenshot function
• New collaborative tool - Text Chat: user and helpdesk staff can communicate in real time when the VoIP function is impractical
• Improved Connection Manager UI - common login and password interface across all users
• Improved File Transfer Tool:
  • find a file on the remote device - no need to navigate the file tree if you know the file name
  • opening simplified on the PC for a client-based file
• Improved display terminals connected, which can now:
  • search user by thier name or partial name match
  • expand / collapse the group tree
  • periodically refresh the user list automatically
  • user configurable display option, allowing sort and display of device information - eg device model instead of serial number
  • Added new skins: Sony Ericsson X1, HTC S740, HTC Touch 3G, Eten DX900
• Improved Remote Display skin creation tool:
  • ASR key codes
  • JPEG support
  • Right-click a skin to edit or delete

Read more information and download a 30-day trial from the Sparus Software web site: http://www.sparus-software.com/