3LM - Three Laws Mobility - device management and secure VPN solutions for Android

3LM, recently acquired by Motorola, develop device management and secure remote connectivity VPN solutions for the Android platform: the three laws of mobility being:

• Protect your user - a mobile device may not harm its user or, through inaction, allow its user to come to harm through malicious code or content
• Protect yourself - a mobile device must protect itself and the integrity of its data and secured communications
• Obey - a mobile device must let the user use the device freely, as long as such usage does not conflict with the First or Second Law

A number of vendors already offer solutions for applying security policies to Android Smartphones (use of a password, for example) such as Soti's MobiControl and Syabse Afaria. Where 3LM differs is the ability to provide not only policy enforcement and remote application installation on client devices, but also a VPN solution for Android providing secure remote connectivity to internal corporate resources, such as intranets and line of business (LOB) applications, including Microsoft Exchange - something that the stock Android operating system does not handle very well.

The solution is a client-server model, requiring that an Internet-facing device management and remote access server be deployed, and also that a client package be present on the Android Smartphone installed at the ROM level (which both Motorola and HTC will be doing on all handsets in the future), however a hosted model is also going to be available.

Hardware Control

The device management options available in the 3LM solution include:

• Set policies to enable and disable Bluetooth, Camera, NFC, WiFi, SD card and microphone
• Whitelist and blacklist applications that can run on the device
• Disable preinstalled applications
• Push and remove applications from devices
• Control application-level access to system resources and hardware

Security

The security features offered by the solution include:

• Enforce use of strong passwords on devices
• On-device and SD card encryption
• Offer applications secure encrypted transport to enterprise back-ends, including Microsoft Exchange ActiveSync
• Remote device lock and remote device wipe

The 3LM solution also offers location tracking and location history reporting as well as hardware usage policies based on location (Geofencing). The solution can also be integrated with Microsoft Active Directory groups for ease of user management and profile assignment.

Only devices running Android 2.3 or later are supported.

Watch this space for more detailed information as it becomes available.

DME Mobile Device Management by Excitor

Excitor (http://www.excitor.com) is a Danish software development company specialising in remote device management and cost control solutions for the enterprise.
The DME Mobile Solution Suite is Excitor's modular framework that provides a feature-rich, multi-platform device management solution combined with state of the art security tools as well as an optional mobile email and PIM manager.

Including support for both OMA-CP and OMA-DM industry-standard device provisioning and device management protocols, at its simplest level, DME can be used to remotely provision compatible devices with Internet, email, VoIP and bookmark settings using SMS configuration messages with little to no user intervention required, granting access to corporate email and telephony systems quickly and easily. For more advanced functionality, the full DME client application can then be delivered over the air. Using the DME client application, devices can be fully managed remotely enabling the administrator to enforce password usage, corporate usage policies (ie disable hardware and software elements), send files, deploy applications as well as collect inventory information on device usage, installed applications and running processes.
Devices can naturally be remotely 'killed' in the event that they are reported either lost or stolen. The extent to which devices are wiped can be defined by the administrator: specific data locations can be erased, including removable storage, or devices can be factory reset completely. Devices can also be configured to automatically wipe themselves in the event that the user password is entered incorrectly too may times in succession, or even if the SIM card in the device is changed (or substituted for one that is not specifically authorised).

When the optional SmartEncrypt module is added to the solution, on-device encryption can be enforced on client devices, down to a granular folder level specified locally by the administrator as a policy on the DME server.

The DME solution also features an optional email and PIM manager module that can interface with either Microsoft Exchange or Lotus Domino, providing push-based synchronisation, on-device PIM data encryption as well as local and server-based search. Enabling this module removes the need to expose the corporate messaging platform to the Internet, requiring only that the DME server have access over the local network. The solution can integrate with Active Directory or an existing LDAP source, meaning that users need only remember one set of login credentials.
DME user and group profiles can also be based on existing Active Directory groups.

Using the Files module, users can synchronise documents on their client device with a remote network file server, again using active directory authentication if required.
The SmartLink module allows users to embed links to documents stored on the local network in email messages. When selected on the client device, the DME client is able to retrieve the document securely from the remote file server with no need for a separate VPN infrastructure.

A further optional module in the solution suite is Voice Extender: a client-based application that can be used to replace operator voicemail services by recording messages locally before the incoming call is diverted to your voicemail box. This allows users to listen to messages 'offline' without needing to place a call to the operator (an effective cost-saving measure when abroad), keep messages for as long as desired as well as send messages via email as an audio file attachment.

The DME client application can upload to the device management server comprehensive information on device configuration, including operating system, installed applications, running processes and memory usage. Details of voice, data and SMS/MMS usage can also be recorded, enabling the administrator to generate detailed reports on mobile voice and data costs by region and by operator. Alerts can also be triggered when users approach a pre-defined usage threshold.
As a further cost-control measure, specific roaming networks can be defined by the administrator ensuring that client devices only use approved operators when abroad.

I will look at all of these features separately.

Supported client device platforms include Windows Mobile (5, 6, 6.1, 6.5), Symbian (S60, UIQ), selected Java devices as well as the Apple iPhone. Full details can be found on the Excitor web site - http://www.excitor.com/supporteddevices

Features

• Support for industry-standard OMA-CP and OMA-DM configuration protocols
• Internet connectivity, bookmark, email, VoIP setting delivery
• Remote client delivery
• OTA software, patch and file delivery
• Password enforcement
• Device encryption as well as centrally managed file encryption
• Remote device kill
• Optional device wipe upon SIM card replacement
• One-click user blocking
• Email and PIM data synchronisation
• File synchronisation between server and devices
• Choice of push, pull, scheduled and manual synchronisation
• Application blacklisting
• Lock-out of settings on client devices, preventing user tampering or modification
• Hardware activation / deactivation
• Set preferred operator in every country
• Easy to use browser-based configuration
• AD / LDAP integration
• Ability to change AD password from device
• User and Group management
• Detailed logging of user and server actions
• Detailed reporting capability
• Automatic administrator event notification

Architecture

The DME solution utilises a server-client model, requiring that an Internet-facing server be deployed and a client application be installed on devices. Client-server communication is performed over 2 TCP ports that can be defined by the administrator. All client-server communications are encrypted using 128-bit AES encryption and can be further secured via TLS/SSL certificates. The solution is agnostic of the means of connecting to the Internet, or the mobile operator used.

The DME "Gateway" Server is typically deployed in a DMZ environment. If the optional Messaging & Collaboration features are used, then an additional DME "Connector" Server is required. This would typically be installed on the LAN with access to the messaging environment, with ports opened between the Gateway and the Connector. For small-scale deployments including the messaging functionality, both Gateway and Connector roles can be installed on the same host on the LAN.
Multiple Connectors can be installed to service different messaging servers and platforms.

Both Gateway and Connector servers can be installed on Microsoft Windows Server or Linux-based hosts.

A back-end database is also required to store configuration parameters. This can be Microsoft SQL Server 2005 (for Windows-based deployments) or MySQL 5 (for Linux-based deployments) on separate servers from the DME Gateway. For small-scale deployments, the database can be homed on the same host, using SQL Server 2005 Express Edition on a Windows-based deployment.

The solution is administered via an HTTPS web application, providing an intuitive and logical interface with all features readily accessible without confusing nested menus.

In order for DME to use existing enterprise authentication mechanisms, meaning that users can use their network login and password without the need to remember any additional credentials, the DME server needs to have access to the LDAP or AD directory.

In order to be able to send configuration messages via SMS, the DME server will need either access to an SMSC account, or a locally connected GSM modem and active SIM.

Hardware Requirements

Gateway Server hardware requirements (for up to 1000 users)

A 32- or 64-bit Intel or AMD based server equipped with at least:

• 3.0 GHz processor
• 4GB RAM
• 75GB hard drive
• 100/1000 Mbit network interface card
• 1 available USB or RS232 communication port (USB only supported on Windows)
• Siemens MC35i modem or SMS Centre account
• CD / DVD drive

For larger systems, add more memory and hard drive space.

For small to medium installations, the the DME Connector can be installed on the DME Server machine. In this case, add 2GB RAM to the server.

Furthermore, a fast Internet connection is required, where the capacity is based on how many clients need to be concurrently connected. You can calculate this according to the following formula:

Internet bandwidth (in Kbit) divided by a typical GPRS speed of 42 Kbit = maximum number of concurrent users.
For example, a 2Mbit connection will support (2000/42) = 47 concurrent client connections).

To access the DME Web Administration Interface, at least Firefox 2.0 or Microsoft Internet Explorer 7 is required. IE 6 and 8 also work, but do not show all design elements correctly.

Connector Server hardware requirements

A 32- or 64-bit Intel or AMD based server equipped with at least:

• 3.0 GHz processor
• 4GB RAM
• 40GB hard drive
• 100/1000 Mbit network interface card

Software Requirements

32 or 64-bit operating systems supported, including:

• Red Hat Enterprise Linux 4,5 and 5.1 (5.1 without virtualisation support installed)
• SuSE Linux 10
• Fedora Core 8,9 and 10
• Microsoft Windows Server 2003 with all patches

Collaboration System Requirements

• 32-bit Lotus Domino 6.5 or later
• 32/64-bit Lotus Domino 8.5 or later
• Microsoft Exchange 2003
• Microsoft Exchange 2007

Database System Requirements

• Microsoft SQL Server 2005 on a separate server
• MySQL 5.0 on a separate server
• SQL Server 2005 Express on the DME Server
• MySQL 5.0 on the DME Server

Firewall Settings

The DME Gateway Server requires a public, Internet-facing IP address and access to the server needs to be allowed on any firewalls between the Internet and the server on ports TCP 5011 (SSL Sync) and TCP 5021 (SSL IP Push).

The DME Gateway Server management web interface is accessed from the LAN via port TCP 8080 by default, this can be adjusted by the administrator as required.

If an optional Connector Server is deployed on the LAN, the following TCP ports need to be opened between it and the Gateway:

• 1098
• 1099
• 3873
• 4444
• 4445
• 4446
• 4457
• 4458

The below diagram summarises the access required between the client, gateway and connector elements, as well as access to the database. In this example a Microsoft Exchange deployment has been assumed and the access required to Exchange, AD and DNS is also displayed:

I will look at the integration with Microsoft Exchange in more detail later.

Client Installation

Should the client device feature native support for the OMA-DM protocol (in this article I used the Nokia E71) the built-in OMA-DM client can be configured with the address and port of the DME server via SMS message:

Which will deliver the necessary initial connection settings to the device. The user will need to open the message and select the option to save the delivered settings. If desired, the SMS message can be protected by a PIN code to prevent unauthorised access.

The OMA-DM client on the handset can then establish an IP-based 'pull' connection to the DME server over the Internet and download the full DME client, which will be added to the Installations folder on the device:

This procedure is known as "bootstrapping" and can be initiated in one action from within the admin interface. The administrator can optionally define which Internet access point on the device the DME client should use (which could also be configured on the device via SMS configuration message):

The installation will again need to be accepted by the user. At this stage the client is a 'vanilla' build pre-configured with the address of the server. No policies will be applied to the device until the user logs into the client using their credentials - these could be the user's Active Directory credentials if integration with AD has been configured. I will look at how this is configured later.

Once logged in, the user will see those elements that have been enabled for that user by the administrator:

Any packages and device management policies defined by the administrator on the DME server and assigned to the user (or the group the user is a member of) will now be downloaded and applied automatically.
The user can now access the Email, PIM, SmartEncrypt and Voice Extender applications. I will look at each of these in turn later.

Should the DME server be using a self-signed SSL certificate rather than a root-trusted one, the root certificate of the authority that assigned the cert to the DME server can be pushed to the client before the DME client:

Device Management Administration

The DME solution provides a single point of administration for all functionality via an optionally SSL-secured web interface, by default running on port 8080:

The web interface is accessible from Internet Explorer, Firefox, Safari and Google Chrome.

A list of connected clients (together with device images) will be displayed together with their associated user. Selecting a device entry will display detailed information on the status of that device, including hardware specs, memory usage, installed applications and running processes. This means helpdesk support staff can retrieve the existing configuration of a device while the user is on the phone, invaluable for remote fault diagnosis and troubleshooting:

Applications can be blocked with a single click by selecting the "Block" action next to the program's entry in the inventory. Once blocked, users will receive notification on the device the next time they try to use the application:

Comprehensive log files can also be accessed detailing all client server operations and any errors encountered.

When setting up a new device, or should a device have been hard reset, or the settings have become corrupt, SMS messages can be sent directly to devices, as well as the OMA-DM and SSL certificate settings:

Applications and file packages can be "packaged" on the server and push deployed to clients:

Groups can also be configured meaning that a single change made by the administrator on the DME server can be deployed automatically to any number of remote clients.

Security

DME's security measures allow your users to carry and instantly access sensitive corporate data without the risk of exposure of that data.
Password usage and encryption policies can be automatically applied to client devices. Devices that are suspected of being lost or stolen can be remotely wiped at the click of a button directly from the web interface:

The memory card can also be wiped during a device wipe if desired.

Devices can be configured to wipe themselves automatically in the event that the SIM card is replaced. Details of authorised SIMs can be defined:

The hardware and software elements that users are allowed to access on their devices can be defined automatically - preventing users from accessing Bluetooth, for example, or installing unauthorised applications. Should you suspect that users will attempt to edit the settings that have been applied by the DME solution, access to configuration areas can be locked down altogether, meaning that users are not able to circumvent the intended usage profile.

In addition to on-device PIN protection, access to email and PIM data can be secured by LDAP authentication. The data areas on the client device that require LDAP authentication can be defined flexibly.

SmartEncrypt

SmartEncrypt is an optional on-device encryption application. The folders and memory areas on the device that should be automatically encrypted can be defined and managed centrally on the DME server:

Encrypted files and folders can only be accessed when the user is successfully logged into the DME client. When logged out, these locations are not accessible:

Email and PIM Management

The device management capabilities of the DME solution can be used to push configuration details to client devices for Exchange ActiveSync, Mail for Exchange and Lotus Traveler automatically, setting up devices for access to existing email systems.

The DME Suite also includes its own push email and PIM manager client application that can be used to automatically encrypt all email messages as well as require LDAP authentication before access to the client will be granted (in addition to the standard on-device PIN).
This feature of the solution can be used in conjunction with Microsoft Exchange 2003 / 2007 and also with Lotus Domino 6.5 or later.

The email and PIM module is built into the DME client application - if this module is not enabled on the server, it is simply not visible on the client. This does mean that the native email, contacts and calendar applications on the client are not used, but the interface is easy to use and offers superior functionality over the native client such as on-the-fly data decryption when data is accessed as well as local and server search capability:

All mailbox folders can be synchronised (contacts, calendar, to dos and email), including subfolders. Messages can be sorted, moved between folders and attachments can be downloaded and viewed. File synchronisation can also be initiated from here, should this module also be enabled:

Synchronisation schedules can be defined, so that mails are automatically pushed to the client during core business hours, synchronisation is performed automatically every 30 minutes, say, in the evening, and then manually by the user outside of those hours and at the weekend.
All settings can be defined by the administrator and access to all client settings can be locked down if desired:

Mobile Cost Control

The DME Mobile Solution Suite can also provide the enterprise with a transparent view of how mobile devices are being used and the costs that that usage incurs, as well as a number of tools to help minimise those costs.

Reports can be generated detailing voice and data traffic statistics, by user, by group, by device platform, by country, by application, etc, putting you in a strong position when negotiating favourable rates from operators.

Roaming partners can be specified and prioritised, ensuring that users attach to the cheapest operators when abroad:

Asset Management

The DME solution also offers simple asset management tracking:

Voice Extender

This modular feature of the DME solution bypasses operator voicemail services. Essentially, rather than letting calls go to the operator's voicemail service after x number of unanswered rings, calls are recorded on the device itself using the device's built-in software capabilities and are stored locally as sound files.
This means that users can playback recordings locally without the need to dial into the operator's voicemail service - potentially representing a large cost saving when abroad. Messages can be listened to regardless of the order in which they were received.

Sound files can also be forwarded as attachments to other parties via email or uploaded to file servers.

Should the device be lost or stolen and a remote device wipe initiated from the DME server, all messages will be erased.

Integration with Microsoft Exchange

In terms of Microsoft Exchange, the DME solution accesses mailboxes using the Exchange WebDAV (Outlook Web Access) protocol, so this feature needs to be enabled on the Exchange Server and on user mailboxes:

There is no need for the OWA web site to be Internet-facing if not desired: it only needs to be accessible to the DME Connector Server over the LAN.
User mailboxes can be accessed by the Connector in two manners:

• Users authenticate against Exchange "as themselves", using their own Active Directory login credentials. User credentials can optionally be stored on the DME server to reduce the amount of request traffic generated from the DME client. If this feature is enabled, credentials are encrypted on the DME server.
• Using a Service, or "courier", account. In this approach a specific user account needs to be created within Active Directory. This user account can be assigned Full Mailbox Access Rights to all users of the DME solution who are using the Messaging component:

  (Exchange 2003)
  

  (Exchange 2007)
  
  

  or for large deployments the service account can simply be assigned Full Access Rights to the Exchange Information Store:

  (Exchange 2003)
  

  (Exchange 2007)
  

Summary

DME Mobile Device Management by Excitor should be included in the list of products to evaluate by any company looking to trial and deploy a device management solution that offers a wide range of supported clients, industry-standard provisioning mechanisms, integration with existing messaging systems as well as scalability and ease of use.

The below diagram details the whole capabilities of the full modular suite:

You can find a collection of datasheets and other material in the File Library.

For more information visit the Excitor web site - http://www.excitor.com

Addendum

Version 3.5 of the DME Solution promises to add a raft of new features to the solution, including:

• Custom device configuration – new device configuration capabilities makes it possible to silently configure smartphones with any setting including VoIP, bookmarks and access points.
  
• Configuration of 3rd party mobile e-mail – configuration settings for Mail for Exchange, native PIN code and native encryption can be pushed from DME, making these 3rd party e-mail applications easily accessible and more secure.
• iPhone configuration and new push mechanism – iPhone profiles including for example VPN, private certificates and native PIN code activation can be pushed to iPhone users. New email alerts are also possible.
• iPhone swipe authentication – a new authentication option that makes it much faster/easier to log into DME.
• Android device management and traffic logging – DME now offers device configuration, software deployment and file back-up for this new and upcoming platform as well as data/voice traffic logging
• BlackBerry traffic logging – with the DME client installed on BlackBerry devices, all traffic can be monitored - enabling organizations to optimize their voice/data plans and reduce mobile costs

Diginext

DigiNext (www.diginext.com) develop a connection manager application for the Win32 platform (Windows 2000, XP, Vista) named Iqonn (www.iqonn.com)

Iqonn provides a number of advanced features over and above those provided by the 'bundled' connection managers that ship with most USB or PC card 3G modem devices:

• Support for a wide range of cellular devices
• Automatic configuration of connection settings based on the SIM card detected
• Automatic toggling between available connection options, including LAN, WiFi and Cellular
• Data usage monitor
• SMS message manager
• SIM contact manager
• RSS feed reader
• Support for advanced wireless LAN encryption standards, such as WPA, EAP, LEAP and EAP-Fast

Iqonn is available in two 'flavours': Iqonn Pro and Iqonn Lite.

Iqonn Lite is freely available for download from the Iqonn web site. Iqonn Pro offers additional functionality to the enterprise customer such as the ability to 're-skin' the default interface with a corporate colour scheme and logo, as well as the ability to pre-populate LAN and WiFi connection settings as well as 'one-click' shortcut access to corporate applications such as a VPN client. All settings are stored in a separate XML configuration document (along with any logo images) meaning that the default application can be 're-skinned' quickly and easily provided that the required image and XML file is stored on the client device.

Installation

The installation on the Windows platform is quick and easy and launched from a single 24MB executable file:

Click Next. Read the license agreement and select the option to accept if you agree to the terms and conditions:

In order to use Iqonn for free, you must register for an account on the Iqonn web site. Registration is free and only requires that you enter a username and password of your choosing.

Select the connection types that you wish the Iqonn client to have access to. Click Next. Specify whether you want the software to automatically report problems back to DigiNext

Review your installation options

The installer will allow you to check for updated settings - including wireless hotspot and MNO 3G connection settings. Click Next, the application will now be installed. This may take a few minutes as both the required application files and device drivers are installed. Once complete, click Finish.

Usage and Configuration

An icon will have been added both to the desktop and the Start Menu:

The default Iqonn interface appears as shown below:

A list of available networks will be displayed, by default only the LAN and WiFi connections will be displayed. Select Connect to initiate a network connection and begin monitoring it:

The application shortcut buttons for the SMS Manager, Data Usage Manager and RSS Feed Manager will launch separate applications:

Cellular devices can be added manually or automatically simply by either inserting them into the PC, or selecting the driver from the Settings menu.

Support for the latest wireless encryption standards is provided for WiFi connections:

A full list of supported network operators can be located within the settings menu and the option to automatically determine settings can be enabled or disabled:

The software also features a Roaming Manager which allows the user (or the administrator) to specify which networks should be used in which foreign countries.
Further functionality is provided by an optional component called the 'HotSpot Manager', which provides the user with a constantly updated database on wireless hotspots available in their location.

Iqonn Pro also features a Download Manager application that enables users to pause and resume file downloads, as well as intelligently resuming downloads that are accidentally 'broken' from the last bit that was successfully downloaded without having to resume the entire download again.

As well as the desktop software, the Iqonn solution also features an optional server component. This component allows the administrator to 'push' configuration settings to a connected Iqonn client and also saves regular log and inventory information from the client which can be used to assist with troubleshooting issues and generate reports on the networks, hardware and software being used by your user base. (operating system, drivers, firmware version, connection settings, connection session durations, data transfer volumes etc).

All client-server communications are secured using SSL encryption.
A self-service portal can also be configured which allows users to specify those settings allowed by the administrator themselves - roaming settings, etc. This portal also provides 'nice to have' features such as the ability to upload Internet Explorer favourites to the Iqonn server so that should that user be issued a new laptop, those favourites can be imported quickly and easily.
If that wasn't enough, Iqonn can also be integrated into the "Follow-Me" GPS tracking service so that administrators can view where their users are currently, and also where they have been and when.

Iqonn is available in over 16 languages.

In short then, the Iqonn solution is very feature-rich. This is merely an overview of the features available within the product. If you wish to know more I recommend downloading the free trial or contacting Brightpoint on 0870 849 0225.

EveryWAN Mobility Manager

I have blogged about the EveryWAN Remote Support Personal Edition utility previously on the blog (http://blog.brightpointuk.co.uk/everywan-remote-support-personal-edition) - a free tool that provides extensive control over your connected Windows Mobile PDA directly from your desktop PC.

EveryWAN Mobility Manager is the big brother of this utility which is now available for a 30-day free trial from the developer's web site, Sparus Software - http://www.sparus-software.com/. This server-based application provides a complete solution for managing a fleet of Windows Mobile-based PDAs remotely.

With the recent release of version 3.0 of the software, and Sparus-Software's nomination by Microsoft as their Startup Company of note (http://www.microsoftstartupzone.com/Blogs/Microspark-BizSpark-Startup-of-the-Day/Lists/Posts/Post.aspx?ID=47), I thought it was high time I installed the software and posted my findings to the blog.

Features

The EveryWAN Mobility Manager Suite is composed of three distinct products:

• Mobility Manager - device configuration and application deployment server
• Remote Support - real-time device control
• Device Provisioning - automatic OTA device "enrollment"

EveryWAN Mobility Manager

Architecture

The EveryWAN solution is a server-client model, that does require an Internet-facing server, and client software on the PDA devices which communicates with this server.
All client-server communications can be secured using SSL, on a port that can be defined by the administrator. All data exchanges are also compressed enabling the solution to be used even over low-bandwidth connections such as GPRS.
In order to integrate the solution with domain authentication sources, the required ports should be open between the EveryWAN server and LDAP servers or domain controllers.
A DMZ deployment is possible should you not to wish to open firewall ports directly to the LAN, where the EveryWAN server is located on the internal network behind a proxy server located in the DMZ.

Prerequisites

The EveryWAN Mobility Manager can be installed on either Microsoft Windows Server 2003 SP2 or equally on Red Hat Enterprise Linux v4.0 or later.

PostgreSQL v8.2 is the database back-end installed by default by the EveryWAN solution, but alternate supported database platforms include:

• MySQL v5.0
• Microsoft SQL Server 2005
• Oracle 10
• DB2 v9.5 or later

Installation

Launch the autorun.exe splash screen loader from the CD or from within the contents of the extracted ZIP file if you downloaded the application:

Select the option to install the Mobility Manager. You will be prompted to specify your installation language, accept the terms of the license agreement and specify where o wish the program files to be copied to. By default the solution will use a local installation of Postgre SQL to create the database 'back end'. If you wish to use an alternate database, untick the option to install the Database Server:

If you do opt to use Postgre SQL, during the installation you will be prompted to enter the details of the default system account:

When warned that the password entered for the service account is not strong enough, allow the wizard to generate a random password for the installation wizard automatically, otherwise the installation may not complete successfully.

Once the database engine is installed, you will the be prompted to enter your license details. This information is stored in a separate license file which you will be most likely receive via email from Sparus Software:

It is this file that determines which of the features of the Suite that you will be allowed to access.

You can now enter the details of the database itself that the Mobility Manager solution should use:

Next you can specify which protocols the server is to be accessible via from the outside world:

The Mobility Manager installation includes an installation of the Apache Tomcat web server software, so there is no need to configure IIS on the Windows Server. During the installation the necessary SSL certificates will be generated automatically.

Finally, the authentication mechanism can be specified. A default username and password can be specified using Mobility Manager's own authentication scheme, or the solution can be integrated into an existing LDAP source, including Active Directory and Lotus Domino:

Client Installation

The client installer package is accessed by browsing to http(s)://(everywan_server)/everywan/setup.cab from within the browser on the PDA itself. This CAB package is generated automatically during the server installation and is configured with the details of the server's external DNS name as specified during the server installation. This link can be entered in manually by the user, or could be sent via SMS text message or via email.
Installation does not require any interaction from the user, once installed, the PDA will be rebooted.
A new icon is added to the Programs folder, and the client will launch automatically at startup. When run for the first time the user will be prompted to enter their username and password:

As we saw earlier, Mobility Manager can be integrated with an existing LDAP source, including Active Directory, or a common, default, username and password can be used. The EveryWAN solution also allows for anonymous users, which does not require the entry of a username or password, instead the device itself is authenticated rather than the user. Device details can be imported into the server (serial number and IMEI number) from a text file.

Once authenticated, the device will initiate a connection to the server automatically:

Once the client is installed, an icon is added to the status bar at the top of the screen but is otherwise very unobtrusive and there are no settings for the user to alter, other than the username and password.

Administration

The Mobility Manager server is administered via a web interface, accessible via http(s)://(everywan_server)/everywan:

Once logged in using the default admin username and password specified during the server installation, a summary screen is displayed on the General tab:

Configuration

All configuration of the solution is done via the web interface. Users and Groups can be defined:

A list of connected devices is displayed. New devices can also be defined manually or can be imported from a text file:

Tunnels

The first item that needs to be configured is a Tunnel. Tunnels are used to control which configuration packages are assigned to which devices or groups. Tunnels can be restricted to specific client IP addresses and can be restricted to specific access types if they contain large amounts of data:

NOTE - a special built-in tunnel type is available for Remote Support, I shall look at this in a moment.

Once a tunnel has been created, individual configuration packages can be assigned to it. Configuration packages can fall into one of the following categories:

• Registry configuration
• XML package
• Software deployment

Registry Configuration

On the Registry tab, a representation of a typical device registry is displayed:

From here the administrator can define new String or Key values:

There are also a number of pre-defined wizards built into the solution that allow the administrator to enter the required registry key details for common tasks:

From here the EveryWAN client itself can be configured with details of the network types via which it should be allowed to connect to the server:

The EveryWAN client itself can be uninstalled remotely if desired via a registry configuration:

Automatic connection schedules can be defined on the client:

A phone number can be specified within the client to enable SMS "wake-up" messages - should the client PDA receive an SMS from the number specified, it will automatically initiate a connection to the server provided that a connection to the Internet is available:

The settings for Microsoft Exchange Server ActiveSync direct push can be defined automatically on the Mobility Manager server and be delivered to the client device:

Roaming behaviour can be defined:

Preventing users from using the solution when abroad, if desired, to avoid amassing large call charges.

XML Packages

On the XML tab, custom XML scripts can be built and saved, ready for delivery to the client. XML scripts allow the administrator to control virtually any element of a Windows Mobile-based PDA's functionality by creating and editing registry information, using the industry-standard OMA-CP protocol: be it enabling or disabling hardware elements on the device, blacklisting applications or whatever. This feature does require that the administrator know the correct format in which to structure the XML code, but documentation is available on the Microsoft web site, and the Mobility Manager solution has a number of common tasks pre-defined within the administration interface:

GPRS/3G and WiFi access points can be defined:

Network connection settings can be defined:

The device camera can be enabled or disabled:

Certificates can be delivered to the client and installed into the appropriate certificate store:

Applications can be uninstalled (provided that you know the name of the application as it appears in the 'Remove Programs' list):

Or custom XML scripts can be defined:

Software Deloyment

On the Software tab, CAB package application installers ca be specified and delivered to client devices:

Deployment

On the Deployment tab, individual deployment packages can be created. This is where you specify which of the configurations you have defined should be available to which users or groups:

Once defined, you can trigger an automatic deployment by clicking on the Deploy button. This will automatically update all connected client devices that have been associated with that deployment package.

Once a device has connected once to the Mobility Manager server, information about that device is available within the properties of that device on the Devices tab, including hardware inventory information as well as an inventory of the applications that are installed on that device:

A history of the configuration packages that have been applied to the device (both successfully and unsuccessfully) is available:

Devices can also be remotely 'killed' from the Mobility Manager server in the event that they are reported lost or stolen:

Reporting

A number of pre-defined reports can be run from the Mobility Manager web interface and which are generated using a local installation of the Crystal Reports runtime environment:

Reports can be exported.

EveryWAN Remote Support

Remote Support is an additional, optional, component of the Mobility Manager Suite, and is a Windows-based PC application that provides support staff with real-time control over the remote devices, provided that they are connected to the Mobility Manager server. Similar in functionality to the EveryWAN Remote Support Personal Edition application, this provides instant access to device system information allowing support staff to view and kill running processes, enables file transfer to the remote device from their workstation or the server, provides remote access to the device registry as well as real-time access to the device screen and input hardware.

Device screen capture and video recording capability is also available making this is an excellent support tool. Live annotations using a "shared whiteboard" and VoIP-based voice communications between mobile end users and helpdesk personnel is also available.

EveryWAN Secure Device Provisioning

This is another optional component of the Mobility Manager Suite that provides for a stronger encryption method for securing the exchange of data between the client and the server, and also for enforcing local data encryption on the device.
Mutual authentication between clients and the EveryWAN server can be enforced using PKI key infrastructure base don X509 v3 certificates. Local data encryption can be enforced either by invoking an encryption application already present on the device, or by automatically downloading one to the client and silently installing it.
Power-on password usage can also be enforced on the device.

Addendum

Version 3.1 has been released. New features include:

Security Policies

• Application blacklist wizard: the administrator can prevent any unauthorised application from running on the PDA
• Authorised installation policy wizard: multi-tier security can now be achieved allowing an administrator to allow only Sparus signed (or Operator signed) applications to be installed on client devices
• Remote device lock: require that a PIN be entered on client devices before they will unlock (useful for preventing access to devices that are suspected of being lost or stolen, but allowing the user time to search for the device before issuing a remote wipe command). PINs can be assigned remotely by the administrator

Windows Mobile 6.1 / 6.5-specific Policies

• Ability to disallow the use of wireless
• Ability to disallow the use of Bluetooth
• Ability to disallow the use of the camera

File / Registry Policies

• File / directory removal wizard
• Registry key / value removal wizard

EveryWAN Server Extensibility

• Web Services API for remote device wipe
• Web Services API for remote device lock
• Web Services API for terminal specification retrieval (memroy, screen, OS version, CPU, etc)
• Web Services API for user property retrieval (as defined in the company address book, for example)

User Interface Improvements

• Simplification of the steps required to erase or lock a remote device
• Client Strong ID prompt no longer appears if the administrator has not implemented the Secure Device option
• Improved informational messages if console load times are too long

Package Deployment Improvements

• An administrator can now specify a package deployment order. It is therefore now possible to run a script that will first stop a selected application, deploy an update, and then restart the application automatically
• Additional rules-based deployment criteria added:
  • Directed by the administrator (see below)
  • Greater battery level (ie deploy only if the battery level is greater than the defined value)
  • Presence of file or directory (ie deploy only if the specified file or directory does not exist)
  • Presence or value of a registry key (ie deploy only if the key does not exist or is greater than the defined value)
• Script flexibility in the file deployment options
  • Definition of action to take when creating files (replacement, keep old file)
  • Selection of destination directory (including directories translated into the language of the operating system, such as 'My Documents')
  • The ability to modify the file attributes (read-only, hidden)
  • Import and export files in the database server (to retrieve a file that was accidentally deleted, for example)
  • Ability to define actions performed on the EveryWAN client installer CAB file following an installation (delete immediately)

NEW - Introduction of client extensibility with EveryWAN Business Process Scripting

Version 3.1 of EveryWAN Mobility Manager introduces a new client-side scripting capability, based on the MortScript language, allowing complex client-based scripts to be created, deployed and managed centrally. Features include:

• The scripting engine is integrated with the EveryWAN client and is installed transparently with no further action required by the user or administrator
• Scripts can be run both online and offline
• Secure script delivery - only scripts signed by the EveryWAN server will be executed. Any other script will be ignored by the engine, adding an extra level of security
• Scripts are deployed as a file with specific options, from within the file deployment interface of the administration console

Example uses of EveryWAN client scripting include:

• test and rotate screen orientation before launching an application
• enable Bluetooth before launching an application, and disable at the end of execution
• keep the screen's backlight permanently active while an application is running
• enable the Internet connection before launching an application
• terminate an application or process
• automate application installation, simulating keystrokes and screentaps
• deploy an application without installing it, and install it automatically 15 days later
• backup and restore user data to SD card (eg My Documents / messaging data)
• display warning messages on certain events (eg low battery / low memory)
• manipulate files on the client device (eg copy / move / rename / delete)
• data fading (hard reset the client device if it has not connected to the server within x number of days)
• create a 'self-test' tool for users if their device is not able to connect (eg test the Internet connection)

Improved Hardware Inventory

EveryWAN can now retrieve the size of the screen, the user's language, memory total / available / used, etc. This data can be used in the conditional deployment engine (ie, scripts can determine the resources available on a client device automatically and then choose to process the rest of the script or stop, based on the information returned). These resources can all also be grouped by type within the admin interface for easy viewing and comparison.

EveryWAN Agent

The 'Reconnection in case of failure' policy can now be changed to improve battery life.

EveryWAN Remote Support

New features include:

• Support for HTTP Proxy Server for Remote Support connections
• Selectable pencil colour for "write on screen" feature. Previously this was restricted to blue
• Use keyboard shortcuts in the application, with the option to disable these shortcuts if required
• Option to include recording of device skin in screenshot function
• New collaborative tool - Text Chat: user and helpdesk staff can communicate in real time when the VoIP function is impractical
• Improved Connection Manager UI - common login and password interface across all users
• Improved File Transfer Tool:
  • find a file on the remote device - no need to navigate the file tree if you know the file name
  • opening simplified on the PC for a client-based file
• Improved display terminals connected, which can now:
  • search user by thier name or partial name match
  • expand / collapse the group tree
  • periodically refresh the user list automatically
  • user configurable display option, allowing sort and display of device information - eg device model instead of serial number
  • Added new skins: Sony Ericsson X1, HTC S740, HTC Touch 3G, Eten DX900
• Improved Remote Display skin creation tool:
  • ASR key codes
  • JPEG support
  • Right-click a skin to edit or delete

Read more information and download a 30-day trial from the Sparus Software web site: http://www.sparus-software.com/

EveryWAN Remote Support Personal Edition

EveryWAN Remote Support from Sparus Software (http://sparus-software.com) is a remote device management solution for the Windows Mobile platform enabling the support desk to remotely diagnose and resolve problems on their fleet of PDAs. Features include:

• Hardware / software inventory
• Backup & Restore
• OTA application installation and configuration
• Active Directory integration

EveryWAN Remote Support Personal Edition is a free Windows application that provides a suite of tools for managing your Windows Mobile-based PDA directly from your desktop.
Features available include:

• Remote control
• Skinable interface
• Screen capture
• Video capture
• Task Manager
• File Transfer
• Registry Editor
• Process Monitor
• Software installer

Installation

Registration is required for the download, but once downloaded the installation process is quick and painless. Run the executable and follow the on-screen instructions:

Tools

Once installed, you will be prompted to connect your device via USB:

The application requires that a client utility be installed onto the Windows Mobile device:

Once installed the application will automatically use the correct skin for your device, provided that it is present:

From here you can remotely control the PDA by clicking on the device's representation. Image files of the device screen can be saved to your hard drive:

Individual tools are launched from the Tools menu:

The Task Manager will display a list of processes running on the device and allow you to stop them:

The File Transfer tool allows you to move files to and from specific folders on the PDA:

The Registry Editor allows you to make changes to the device's registry (a soft reset will usually be required following any changes made to the device registry before they will take effect):

The System Information tool will display detailed information on the hardware and software on the device:

In short, a very useful tool indeed!

FromSMS

FromSMS (www.fromsms.net) is a free utility provided by Fromdistance (www.fromdistance.com) that enables you to send SMS text messages from a web application quickly and cost-efficiently, via a Symbian S60 mobile phone.

All that is required is the FromSMS client installed onto your Symbian phone, and a connection to the Internet. The FromSMS client will register against Fromdistance's middleware server using a unique account code issued to you when you install the client.
On your web server, you simply create a web form with a HTTP Post command configured with the details of the Fromdistance relay server. Then, any messages entered into the web form will be delivered as a text message from your Symbian phone.

In this example I installed the software on my Nokia E71.

The client can be downloaded free of charge from the FromSMS web site. Once installed on the device it will appear in the Installations folder:

When launching the application for the first time you will be warned that the program will both make a data connection to the Internet and will send SMS messages:

You will the be prompted to enter the telephone number of the phone:

An SMS will then be sent from the phone, and one received containing your unique user account.

The application is now installed:

You can test the application via a web form on the FromSMS web site:

Which will hopefully return the following:

You are now ready to configure your web application. All that is required is an HTTP Post command within your web form with the following settings:

• https://ssl.fromsms.net/send.php
• acode = [account code given to you by FromSMS Client], for example "f8er95kztk98"
• number = [phone number of the recipient], for example "+3461234567"
• message = [SMS message content], for example "Hello world!"

Below is a diagram of the architecture of the solution:

The FromSMS client application can be further configured with whitelisted and blacklisted recipients:

You can further specify to automatically delete sent text messages from the phone and set a message limit:

And specify the access point the client should use to connect to the Internet:

Fromdistance Mobile Device Manager

Fromdistance (www.fromdistance.com) is a Finnish company which develops a comprehensive device management solution for Symbian (S60, S80 and UIQ), Windows Mobile (5, 6 and 6.1) as well as Windows (XP and Vista): Fromdistance MDM (Mobile Device Manager).

In this article I shall focus on the features available for the Symbian platform.

Features

MDM uses the standard OMA-CP (Open Mobile Alliance Client Provisioning) protocol to send ‘silent’ configuration messages to supported client devices via SMS.
I shall look at the features available in more detail, but areas of functionality include:

• Enforcement of security policies on remote devices (use of device lock and password access)
• Remote device kill
• OTA provisioning of Internet access points (CSD, GPRS, 3G, WLAN)
• OTA provisioning of Bookmarks
• OTA provisioning of POP, IMAP, Server ActiveSync Exchange email settings
• OTA provisioning of VoIP settings
• OTA provisioning of specific applications including Nokia Mail For Exchange, Lotus Notes Traveler, F-Secure, Nokia Call Connect
• File delivery and execution. File move, copy and delete
• Application blacklisting
• VNC-based remote device control

Architecture

The Mobile Device Manager solution requires an Internet-facing server component which needs to be accessible via SSL. A client application is also required on the remote device. Although many Symbian S60 handsets have an OMA client built in, the Fromdistance solution uses an enhanced OMA client of their own design, as well as a client for communicating with the MDM server via TCP.
The server software itself can run on either Windows or Linux platforms, requiring a database back-end (Microsoft SQL or MySQL), a web server (IIS or Apache) as well as PHP5 or later.

The solution is 'agnostic' of the means of connecting to the Internet and can be used over low-bandwidth connections such as GPRS as well as via WLAN, 3G, or even locally via a LAN.

Below is a diagram of the solution architecture:

In order to be able to deliver SMS messages, the solution does require an SMS gateway. This can be configured within the System Settings and could be an SMS gateway service, a GSM device connected physically to the MDM server itself, or you could equally use the FromSMS application which I posted about here:

http://blog.brightpointuk.co.uk/fromsms

Versions

There are 3 methods of using the MDM solution:

• A purchased behind the firewall server-based model
• A leased behind the firewall server-based model
• A hosted web-based model

An 'MDM Express' version of the product is also available that provides a remote kill functionality as well as a reduced device management feature set - for a lower cost.

Licensing

There is a one-off cost for the server software, and individual user licenses which are purchased separately. There is also an optional ongoing maintenance cost which provides access to software updates.

Administration

All administration of the MDM solution is done via a web browser. Multiple administrative logins can be created with varying permission levels.

Client Installation

All client packages can be downloaded from http://www.mdmclient.net if desired. These are the generic client packages so would need to be configured with the server address details. These packages could be installed onto devices via a memory card.
Alternately a link to the client application can be delivered to the remote device via SMS from the MDM server, which when clicked will download the correctly-configured client.

When logging into the administration web interface, the default view will list registered handsets:

I will look at the different sections of the interface in a moment. In the Messages sections is an option for MDM Client Link and Activation:

Here you can enter the telephone number that the link that should be sent to, and specify a PIN number that the SMS message should prompt the user for.

The text message will be received by the client containing the link:

If configured, you will be prompted to enter the PIN defined by the administrator. When installing the client you will be warned that the client will establish a data connection to the Internet:

Once installed the main client connection summary screen will be displayed:

An icon for the client will also have been added to the Installations folder:

During the installation process, you will receive an additional text message with your default MDM security code:

And you will be prompted to change the default password within the client:

The security code is a built-in security feature within the client that will prompt you to enter the security code in the event that the SIM in the phone is changed. If you forget the code you will not be able to access the client.

A connection will then be established to the server automatically. Once the initial connection has been initiated, the new device will be listed within the admin interface as an 'unregistered device'. The administrator will then need to 'approve' the device, and enter the details of the user that is associated with that device.

Once approved, another connection will be established and the server will gather inventory information about the device. This can be accessed within the web interface immediately by clicking on the device's entry:

Available categories of information include - Device Information:

Applications:

Processes:

File Commands (a history of the commands that have been issued to the device from the server):

Logs (the results of the file commands issued to the device):

When deploying the client application, if required the server can configure an Internet Access Point on the remote device first via SMS configuration message before then sending the client to the device.
Once installed, the client can then be configured to use a different access point if required:

Groups

Devices can be placed into groups for ease of administration:

Security Policies

MDM provides for a number of security policies to be enforced on a remote device:

• Bluetooth State - Bluetooth operation mode can be set
• Phone AutoLock - enables the device's built-in device lock feature and enables the administrator to specify the password 'strength' and how many attempts users can have to enter their password correctly
• IMSI Check - enables the MDM client security feature that prompts the user for their security code in the event that the SIM card is changed in their device

Connection Policies

This section of the interface allows the administrator to specify which access points should be available on a device, and the order in which they should accessed by the device. One nice feature is that if when examining the inventory of a device the administrator sees an IAP that may be required by other users, he or she can add that access point to the Connection Policy by copy and paste quickly and easily.

The Access Point information itself is configured within the System Settings section and allows for the creation of CSD, GPRS/3G as well as WLAN access points, including authentication and proxy server information if required:

Application Blacklisting

This section allows the administrator to specify which applications cannot be run on client devices. Programs can be blocked explicitly if the administrator knows the name or UID of the application, or can review the inventories retrieved from connected devices and can block any applications listed that they do not approve of:

File Commands

This section is where the solution starts to become more flexible and powerful. Individual file commands can be grouped to form 'batches' effectively forming a script. Available commands include:

Batch Commands

As well as creating commands manually, the MDM solution includes a number of pre-written command templates for both Symbian and Windows Mobile devices:

Available templates for the Symbian platform include:

The template for the Nokia Mail For Exchange application allows the administrator to define server address, username, password and domain as well as content to be synced and content and schedule information:

An Exchange ActiveSync template is also available for Windows Mobile:

Messages

This section contains templates for OMA-CP messages that can be delivered to supported clients. We saw earlier how a message can be created containing a link to the MDM client application. Other available Message templates include:

The Connect message will cause the device to initiate a connection to the server via the TCP channel.
The Detonate message will cause the device to undergo a hard reset. The Detonate feature will also cause the internal and storage memory on the device to be overwritten a number of times with random data before being hard reset to ensure that any data that had been stored on the device is irretrievable (as much as possible at any rate).

Configuration Messages

This section allows the administrator to build and deliver OMA-CP messages for a variety of services, including email settings, bookmarks, internet access points, or device management settings:

Email account settings are defined within the System Settings section, as are Internet Access Points as we saw earlier:

Backup & Restore

This section allows the administrator to define backup and restore templates:

Contacts, Calendar, Notes, Bookmarks and the SMS Inbox can be backed up from the device and stored on the server in an encrypted file. That backup can then be restored to the same, or a different, device at a later stage.

Any backups that have been created are listed in the web interface:

Reports

This section allows the administrator to generate custom reports from the information contained within the inventories harvested from client devices as well as the server log files. The below image shows the types of reports available:

All reports can be exported to CSV format for viewing in Excel or compatible spreadsheet application.

System Settings

As well as defining Internet Access Points and Email services, the system settings section allows the administrator to define the time intervals within which client devices should connect to the MDM server:

Remote Device Control

Fromdistance have also developed their own VNC-based client application that can be delivered to the client device from the MDM server, installed, and then connected to directly from the MDM server web administration interface, providing advanced remote support and troubleshooting capabilities.

The VPN application can be delivered to the client using a standard batch command template and is installed onto the client quickly and easily:

Summary

Available features include:

• Device Inventory collection
  • IMEI
  • IMSI
  • Roaming status
  • Battery status
  • Firmware version
  • Hardware
  • Manufacturer
  • Language
  • Storage card memory available
  • Device memory available
  • Installed software
  • Network configuration
  • GPS
  • Call logs
  • Data transfer logs
• Configuration Management
  • SyncML data synchronisation settings
  • OMA device management settings
  • SIP (VoIP) settings
• Internet Access Points
  • CSD settings
  • GPRS/3G settings
  • WLAN settings
  • Default access points
• Email
  • Email settings
  • Email data roaming settings
  • Exchange Server ActiveSync settings
  • Nokia Mail For Exchange settings
• Browser
  • Browser settings
  • Bookmarks
  • MMS (picture messaging) settings
• Software Configuration
  • F-Secure Mobile Security
  • Pointsec encryption
  • Siemens HighPath
  • Alcatel Lucent
  • Nokia Call Connect for Cisco
  • Nokia VPN
  • Lotus Notes Traveler
  • Application whitelist
  • Application blacklist
  • Corporate Policy Management
• Security
  • Enable / Disable Bluetooth
  • Enable / Disable Camera
  • Enable / Disable Control Panel
  • Enable / Disable device encryption
  • Enable / Disable user installation of applications
• Backup & Restore
  • Full device backup and restore
  • Selective file/folder backup and restore
  • Contacts
  • Calendar
  • Email messages
  • Tasks
  • Notes
  • Files and folders
  • Multimedia
  • SMS and MMS messages
  • Bookmarks
• Software Management
  • Silent installation
  • Installation parameters
  • Stop application
  • Start application
  • Install / remote / update applications
  • Remote desktop mnagement
• Security
  • Device reboot
  • Device wipe
  • Device lock / unlock
  • Certificate management
  • File system management
  • Read / delete / upload / download / execute / update
• User Alerts
  • Information
  • Confirmation
  • Select
  • Alert

Visit www.fromdistance.com for more information.

Addendum

Version 1.86 has added several new features to the solution:

Phone call logs

The solution now has the ability to record and report on the calls made from and received by any connected device. Whilst this functionality is now included, it is not enabled by default and administrators should be careful to be aware of any regional privacy legislation before enabling this feature.

Client Installation

When creating the client installation package, the administrator can now define a default security PIN that should be entered by the user when installing the client to verify that the package has indeed been delivered to the correct user and device.
As detailed above, the solution now has the ability to record call log information - this feature can be enabled within the client automatically, as can the ability to record GPS location information:

BlackBerry Support

Fromdistance now supports BlackBerry client devices. Although not officially supported until September, MDM now provides the ability to generate both hardware and software inventory information on connected BlackBerry devices. Although the BES product has the ability to do this, if managing a mixed fleet of devices including BlackBerry as well as Windows Mobile and Symbian, the MDM server web administration interface enables the administrator to view detailed information on all of his or her devices without the need to access multiple different systems and reporting tools.

Batch Commands

The batch command feature now provides support for administrator-created, PHP-based scripting. Whilst requiring that the administrator know how to create these scripts manually, this feature is very powerful indeed - providing "if x, then y"-style functionality governing whether the batch command should run or not. Examples would include determining the language installed on the client device, its operating system, free memory available, etc. Training is available from Fromdistance themselves, or naturally consultancy services can be provided by Brightpoint GB - call +44 870 849 0225 for more information.

FromSMS

I blogged about this service in this post - http://blog.brightpointuk.co.uk/fromsms
Developed by the same people that brought you the open source Kannel SMS Gateway (www.kannel.org), FromSMS version 2.01 now provides support for binary SMS messages.

FrOMA

The OMA-CP client for Nokia Symbian S60 devices used by the Fromdistance solution has been updated to version 2.0 which includes support for provisioning Internet Access point (IAP) groups, as used by the Nokia E75 and later devices for the Mail for Exchange application - http://blog.brightpointuk.co.uk/setting-mail-exchange-nokia-e75

Role-based management

The MDM solution now provides support for a greater number of 'user roles', especially valid when considering using the product in a hosted model.
The following roles are now available:

• Service Provider
• Administrator
• Helpdesk
• End User

You can view full details of the Fromdistance Mobile Device Manager product feature set online here - http://www.fromdistance.com/en/products/mdm/datasheets/Fromdistance_MDM_...

IBM Tivoli Endpoint Manager Mobile Device Manager (Beta)

Mobile Device Manager for IBM's Tivoli Endpoint Manager 8.2 software, currently available in beta, adds the ability to apply security policies to Android (2.2 or later) and iOS devices, as well as Nokia Symbian, Windows Mobile and Windows Phone devices - in addition to being able to manage your company's desktop and server machines.

Nokia Symbian, Windows Mobile and Windows Phone devices can be managed from within the Tivoli MDM management console, but assumes that you have a Microsoft Exchange deployment and are managing devices via an Exchange ActiveSync mailbox policy (or policies), which the Tivoli software interfaces with. Integration with a Lotus Traveler deployment is also supported from within the Tivoli management console.

Apple iOS devices are managed, in a similar manner to most iOS-supporting device management platforms, by registering the Tivoli server with the Apple Push Notification Service by means of an Apple-supplied certificate and creating device configuration profiles based on the feature set available in the iOS Configuration Utility.

In this article I am more interested in looking briefly at the features available for managing Android devices. It should be noted that this article was written using a trial beta version of the software, and as such functionality may differ from any subsequent full product releases.

The Tivoli MDM solution uses a client-server architecture, with a client application required on the Android device, configured with the details of an Internet-facing device management server.

The client itself can be downloaded from http://software.bigfix.com/android as an APK file and installed on the Android device manually - a client will be available in the Android Market at a future stage:

The client simply needs the DNS name or IP address of the device management server, or relay server depending on how the solution has been deployed, and the email address of the user:

Within the management console on the server, multiple Android security policies can be created and assigned based on user, group or device property:

On Android 2.2 devices, use of a device password can be enforced, as well as password length, the amount of time the device can be left inactive before it will lock itself and the number of attempts a user may have to enter their password before the device will wipe itself.

On Android 3.x devices, password complexity, history and expiration rules can also be applied, as can enforcement of the platform's on-device encryption capability.

Android 4.0 devices can also have their camera hardware disabled via security policy.

Cellular Access Point Name (APN) information can be configured and pushed out to connected devices:

As can WiFi network profiles:

Applications can be imported from APK files and organised into catalogues for users to receive mandatorily or select from voluntarily:

Configuration items can be assigned to users, groups or devices intelligently, based on a granular set of device properties (inherited from the solution's desktop management capability presumably):

Detailed inventory information about connected clients can be obtained and reported on, including manufacturer, model, OS version, processor, memory, storage, etc, etc

Devices can be remotely wiped, locked, have access to email disabled or re-enabled by the administrator from within the management console.

For more information on the Tivoli Endpoint Manager 8.2 MDM solution, visit the Wiki.

For other Android device management solutions, visit the Device Management section of the blog.

Microsoft System Center Mobile Device Manager 2008

System Center 2008 Mobile Device Manager is the latest addition to the System Center suite of management tools.

The Microsoft System Center is a modular collection of products designed to provide the IT administrator with the ability to capture detailed information about the hardware, software, policies and processes in use within the organisation and to harness that information to dynamically manage the systems and operations to reduce costs and improve availability.

The suite consists of the following products:

• System Center Operations Manager – provides the ability to track the performance of PCs and servers on the network and view high-level reports of the overall health of the IT infrastructure
• System Center Configuration Manager – provides the ability to deploy software patches and applications quickly and easily automatically over the network
• System Center Data Protection Manager – provides a centralised data backup and recovery system
• System Center Essentials – provides the ability to simplify routine IT managements tasks by providing a single console to manage servers, clients, hardware and software
• System Center Virtual Machine Manager – a management interface for Microsoft’s Virtual Server application
• System Center Capacity Planner – a pre-deployment, capacity-planning application

The Mobile Device Manager 2008 is the latest addition to this suite of products, providing the administrator with the ability to centrally manage remote Windows Mobile-based Pocket PCs and Smartphones.

Architecture

The Mobile Device Manager consists of the following 4 components:

• The MDM Gateway Server
• The MDM Device Management Server
• The MDM Enrollment Server
• SQL Server 2005 Database

The MDM Gateway Server is designed to sit in a DMZ or perimeter network environment (ie not in the company domain), and provides a secure IPSec tunnel to the remote Windows Mobile client device. Remote devices are authenticated on the Gateway Server against a list of blocked devices that is configured by the administrator.

The MDM Device Management Server sits on the local network and is the interface between the Windows Mobile device and the Domain Controller and Windows Update (SUS) Server. It enables support for policy-based configuration management, software distribution, asset management and device wipe. The interface is designed to reflect the other elements of the System Center so that administrators can manage Windows Mobile-powered devices in the same way that they manage desktop and laptop PCs.

The MDM Enrollment Server also sits on the local network and essentially provides the Windows Mobile device with an ‘identity’ within the Active Directory. Before a device can be authenticated by the Gateway Server it must first be enrolled in the domain. The enrollment process works as follows:

The administrator creates a new device enrollment request. This generates a password that is emailed to the user with the device to be enrolled.

On the Windows Mobile device, the user launches the Enroll Device wizard and enters their full email address and the password they have been issued with (NOTE – this is NOT their account password, but the password issued by the Device Management server). The wizard performs a DNS lookup on the domain entered in the email address and from that locates the IP address of the enrollment server.

The Enrollment Server verifies the credentials and, provided that they are correct, creates the necessary entries within the Active Directory and on the Gateway Server. This process is examined in more detail later.

The solution stores all of the configuration settings and user-customised policies in a SQL database which requires that a SQL 2005 Server be available on the network.

Below is an illustration of how the solution would typically be deployed:

NOTE – it is not strictly necessary for the different server roles to be fulfilled by separate machines – the Device Management Server, Enrollment Server and Database Server could all reside on the same physical machine. However, for security purposes the Gateway Server should ideally live in the DMZ or Perimeter Network as shown in the above diagram.

Pre-requisites

With the exception of the SQL 2005 Database Server, all MDM components require Windows Server 2003 SP2 64-bit.

It is recommended that the servers possess 2 Intel / AMD processors at 1500 MHz or higher.

All servers should ideally have at least 4GB of RAM and 100GB of available hard disk space.

The Device Management Server must also have Windows Server Update Services 3.0 SP1 (WSUS) installed, which itself requires access to a SQL database and at least 3GB of hard disk space.

The Administration Tools require Powershell 1.0 to be installed.

Functionality

Device Management

Once installed, the Mobile Device Manager integrates into Group Policy Manager and Active Directory, allowing the administrator to choose from over 130 pre-defined policies controlling hardware and software elements on the Windows Mobile device, including:

• Bluetooth
• WiFi
• SMS/MMS
• IR
• Camera
• POP/IMAP
• Add/Remove Internet Connections
• Allow/Disallow use of removable storage
• Force encryption of removable storage
• Remote device wipe

as easily as he or she might add a user to a distribution group.

Software updates and applications can be deployed to remote devices Over The Air. MDM will integrate with Windows Software Update Services (WSUS) 3.0 so that patches can be ‘allowed’ by the administrator and then deployed automatically.

Inventory and Reporting

MDM also has extensive inventory and reporting options allowing the administrator to take a snapshot of the status of the remote device infrastructure at any given moment.

Mobile Optimised VPN

The MDM solution also enables secure, mobile VPN access to LAN-based resources, such as a corporate intranet. The VPN client built into Windows Mobile can establish a secure IPSec-based VPN to the Gateway Server and thence to the local network.

Installation

Considering that this product is being aimed squarely at the Blackberry market, I personally found the installation procedure relatively complicated when compared to the market leader.

When launched, the installation splash screen will be displayed:

Before any of the server roles can be installed, the Active Directory must first be populated with the necessary containers and entries which the solution will make use of. Selecting the option to Configure Active Directory for MDM will launch the ADConfig.exe utility with a ‘/help’ switch which will display the available options. Be sure to read them carefully.

A simple installation would be effected with the command:

ADConfig /domain:(domain)

(where is the name of the domain for which the target domain controller is responsible for).

The Active Directory will then be prepared for the installation, be sure to make sure that all operations complete successfully:

Once complete, you will see 2 new containers within the Active Directory Users and Computers MMC snap-in:

• SCMDM2008 Infrastructure Groups
• SCMDM2008 Managed Devices

At this stage the user account that is being used to install the solution should be added to the SCMDM2008ServerAdministrators group, then the server logged off and back on again for the permission changes to take effect.

Once logged back in, re-launch the installer and install the desired server roles. The Device Management Server and Enrollment Server roles can be installed on the same machine.

During the installation you will be prompted to enter the details of the SQL 2005 Server as well as a database administrator user account.

You will also be prompted to enter details of a certificate authority should you wish to secure communications to the enrollment server (recommended).

Once installed, you will see a number of additional SCMDM services added to the server:

Be sure to verify that all services have started successfully.

Now install the Administration Tools. There are 3 options available:

• Group Policy Management Manager
• Mobile Device Manager
• Software Distribution Manager
  

The Group Policy Management Manager option will be de-selected. It is important that this component is NOT installed on the server: this component requires that the Group Policy Management Console (GPMC) be installed, which in turn requires the Dot Net Framework 1.0 be installed. The Dot Net Framework is not available in a 64-bit version, installing it on a 64-bit operating system will cause unpredictable performance from the IIS service.

Administration

Once the Admin Tools have been installed, a number of entries will have been added to the Start Menu in the System Center Mobile Device Manager folder, including the System Center Mobile Device Manager Administrator Console.

Mobile Device Manager

This console allows the administrator to issue passwords to allow users to enroll new devices to the server, to view detailed information on the hardware and software elements of any given (enrolled) device, to disable devices from being able to contact the server, or to wipe (hard reset) devices completely.

Available information includes:

• NAP Settings (Network Authentication Protocol)
• VPN Settings
• ROM Packages
• Certificates
• Installed Software
• File Information
• Device Status
• Device History
• General Information
• Application Settings
• Device Settings
• Proxy Settings

To enrol a new device, select the option to Create Pre-Enrollment, the following wizard will be launched automatically:

Click Next.

Enter an alphanumeric name for the device to identify it once listed within the list of enrolled devices. Click Next.

Select the option to enroll an Active Directory user (selecting Browse will display the Global Address List), and tick the option to Send an email confirmation with enrollment password to device user. Click Next.

Verify the settings chosen and click Create.

An email with the necessary enrollment password will be emailed to the user, who will now need to run the Domain Enrolll wizard on the Windows Mobile client device and complete the email address and enrollment password fields.

The Domain Enrolll icon can be found under Start --> Settings --> Connections:

Tap Next to begin the enrollment process (NOTE – an active connection to the Internet [or LAN] will be required). The following screen will be displayed:

Tap Next. The user will be prompted to enter their email address. The wizard will then determine the location of the enrollment server automatically, by performing a DNS lookup on the domain entered in the email address (this requires that the domain have a DNS record for a server with the name of ‘mobileenroll.domain.com’ and that that host have a public IP address).

A connection to the Enrollment server will then be made and the user will then be prompted for their enrollmet password. Should the wizard not be able to locate the server automatically through DNS, the user will be prompted to enter the address or FQDN of the enrollment server.

Once enrollment is complete, the device is then configured to direct all future traffic through the Gateway Server.

Software Distribution Manager

This console allows the administrator to create software ‘packages’ to be delivered to Windows Mobile client devices. Once created, packages need to be ‘approved’ for delivery, and can be delivered on a per-user or per-group basis.

NOTE – packages to be delivered must be in either CAB or CPF format.

To create a new package, select the option to Create. The folllowing wizard will be launched automatically:

Click Next.

Browse to where the CAB or CPF file is and enter a description for the package to identify it. Click Next.

Select the client platforms that you wish the package to be delivered to. Click Next.

Specify whether the user should have the ability to uninstall the package once delivered. Click Next.

Specify the client languages that the package should be delivered to. Click Next.

Specify any dependent software that the package requires to be present prior to installation. Click Next.

Review the settings entered and click Create.

Once complete, click Finish.

The Package will now be listed. It must be approved before delivery to the specified recipient criteria will be scheduled.

Group Policy Manager

As mentioned above, the Group Policy Manager cannot be installed on the MDM server itself, but can be installed, say, on the administrator’s PC:

From here the administrator can define policies for virtually every element of functionality of Windows Mobile Classic, Standard and Professional devices.

MobileIron

MobileIron are a relatively newcomer to the corporate device management space, but have already been listed by Gartner among their "cool vendors" in 2010.

The MobileIron Virtual Smartphone Platform is a complete device management solution incorporating over-the-air enforced security and usage policies, file and application deployment and control, secure mobile network access, asset management and inventory reporting as well as mobile cost control.

Supporting Windows Mobile, BlackBerry, Symbian, Android and Apple iOS, the solution provides a central web-based console to manage all platforms in use in your organisation including BlackBerry provided that you have an existing BlackBerry Enterprise Server infrastructure deployed.

Features

Multi-OS Device Management

• Central web-based console across operating systems
• Inventory and asset management
• Device configuration
• Encryption policy (both phone and removable storage)
• Lockdown security (camera, SD, Bluetooth, WiFi)
• Password enforcement
• Remote lock and wipe
• App inventory, distribution, blacklist
• File distribution
• End-user self-service

Remote Control

• Real-time, permission-based

Enterprise Data Boundary

• Selective wipe
• Privacy policy

Access Control (Sentry)

• ActiveSync connection activity and device visibility
• Blocking of email access

Advanced Security

• Certificate distribution
• Back-end virus scan

Lost Phone Recovery

• Locate and map
• Restore and migrate

Enterprise App Store

• Catalogue creation
• App publishing

Administration

• Over-the-air provisioning
• Role-based access
• Group-based access
• Broadcast SMS, APNs
• Persistent logs and audit trails

Enterprise Integration

• Web Services API
• Blackberry Enterprise Server Integration
• Directory Services AD/LDAP

Cost Control

The MobileIron solution incorporates detailing activity logging and reporting on registered mobile devices, enabling you to easily keep track of the costs and usage patterns of your mobile device estate across voice, data and SMS.
Reports can be filtered across operator, mobile platform as well as between company-billed and employee-billed phones.
Data is updated in real-time and alerts can be triggered when users begin roaming and reach their roaming charges limit. Alerts can also be generated when users exceed their agreed plan or make calls to premium rate numbers.

Self-Service

Users can access elements of the MobileIron solution themselves, enabling them to provision their own devices, download applications from the corporate app repository, access usage reports as well as remotely lock or wipe their own device.

MobileIron Sentry

The MobileIron Sentry module secures access to your Microsoft Exchange infrastructure's ActiveSync capability by enabling the administrator to define access policies based on device platform or on an individual basis, ensuring that only authorised devices and users can access their Exchange mailbox via Exchange ActiveSync.
The administrator can also generate reports on who and what has been accessing the Exchange server in real time.
Mobile Sentry can be deployed as an agent on the Exchange server itself, or if Exchange is not being used as the back-end mail server, Mobile Sentry can also sit on a separate appliance between the client device and the back-end mail server employing the Exchange ActiveSync protocol such as Lotus Domino using Lotus Traveler or a hosted Google Mail solution. A separate appliance approach can also be used in an Exchange deployment.
Client devices would connect to the MobileSentry appliance (requiring that the appliance have an SSL certificate assigned to it ideally) and be passed through to the Exchange server provided that they are verified by access control policy.

It is important to note that this approach does not support the passing of Outlook Web Access requests, therefore if Mobile Sentry is deployed on a separate appliance, separate provisions must be made for publishing OWA, either by using ISA server publishing rules or deploying a separate Exchange Client Access Server specifically for OWA.

iPhone & iPad Management

The below video provides an overview of the MobileIron solution's capabilities around the iOS platform:

Summary

The below chart lists the principle features available in the MobileIron solution. More information is available on the MobileIron web site - http://www.mobileiron.com as well as the MobileIron YouTube channel - http://www.youtube.com/user/mobileiron

Product Datasheets are attached at the end of this article. Additional documentation is also included in the Device Management section of the File Library

Attachment	Size
mobileiron_product_datasheet.pdf	442.3 KB
mobileiron_sentry_datasheet.pdf	929.89 KB
blackberry_product_datasheet.pdf	362.52 KB
iphone_product_datasheet.pdf	418.33 KB

Rove Mobile Admin

Rove (www.roveit.com) develop mobile admin solutions for IT professionals, enabling IT staff to perform all manner of routine tasks directly from their smartphone, be it resetting a user's active directory password, adding a record to a DNS server or generating a BlackBerry activation password - no matter where they are.

Available for Windows Mobile (6 or higher), BlackBerry (device software 4.2 or later), iPhone (iOS 3 or later) and Android (1.5 or later) platforms, Rove Mobile Admin removes the need for a permanent on-site IT presence, and also removes the need for IT staff to always have their laptop with them when on call or working away from the office.

Managed via a web interface, the server component requires a Windows-based server to run on, with IIS installed as well as the Dot Net Framework.

The full list of features which Rove allows administrators to access remotely is as follows:

• Windows - view and clear event logs, run programs, restart or shutdown, view and kill processes, ping, traceroute, net send, manage printers and print jobs, manage files and drive shares, manage scheduled tasks
• Active Directory - manage users and groups, reset passwords
• Exchange - manage users, mailboxes, queues and messages
• IIS - stop, start, restart web sites, create, delete and edit settings
• SQL Server - view, start and stop instances, view, create and manage databases, synchronisations and processes, run queries, reset passwords
• DHCP - view, create and manage scopes, reservations and exclusions
• DNS - view, create and manage records and caches
• Cluster Server
• System Center Operations Manager - view and resolve alerts, view and resolve computer health messages
• System Center Mobile Device Manager - view devices and details, block and unblock, manage wipe and pre-enrollment
• RSA
• Lotus Domino - manage users, groups and mailboxes, manage server ports
• Novell
• Oracle
• BlackBerry Enterprise Server - manage users and devices, set passwords, lock and kill handhelds
• Citrix
• HP ILO
• Backup Exec
• NetBackup
• VMware
• Nagios
• BMC Remedy Service Desk
• BMC Performance Manager Portal
• CA Service Desk
• Microsoft Hyper V

A Telnet, SSH and RDP client is also included as part of the Rove mobile client, allowing you to connect to any server from your mobile device.

A number of authentication options are supported, including an existing active directory account, or an account specific to the Rove Mobile Admin server. Integration with RSA or RADIUS is also possible.

The server can be made accessible from the Internet, secured by HTTPS, but a separate VPN solution is advised due to the nature of the resources that the solution provides remote access to.

Management

The installation of the Rove Mobile Admin server component is a simple process - the product license key will need to be verified against the Rove activation server (even for 14-day trials), requiring that the server have outbound Internet access for this step only.
Once installed, the server is managed via a web interface on port 4054 (https://(rove_server):4054)

Servers and services that should be accessible to mobile clients can be defined by the administrator via this interface:

The list of available services is as detailed above:

Once configured, the client software will need to be installed on mobile devices. The client application is free to download from the device's corresponding online application market - be it the Google Market or the iPhone App Store. The client will need to be configured with the IP address of the Rove Mobile Admin server as well as authentication details. Once connected, the same admin interface will be displayed:

Configured servers and services will be listed, and administrators can add new resources as required:

Common tasks are available at the tap of a button: managing resources such as Activ Directory could not be easier:

Resources such as BlackBerry Enterprise Server require the configuration of additional authentication credentials, such as the BesAdmin service account, but once configured on the server, tasks can be performed from client devices in the same efficient manner:

Visit the Rove web site for more information - www.roveit.com

SOTI MobiControl

SOTI (www.soti.net) have been developing remote-control and device management solutions for the Windows Mobile platform for many years. At the time of writing their portfolio consists of three principle products:

• Pocket Controller - provides remote control, file sync, registry editing and screen capture / video recording direct from your Windows PC
• Pocket Controller Enterprise - aimed at helpdesk environments, provides remote control and diagnostic tools for over the air troubleshooting
• MobiControl - Advanced device management, provisioning, asset tracking and reporting solution

In this article I shall provide an overview of the MobiControl solution and the features available for the Windows Mobile platform.

Architecture

MobiControl is deployed in a server-client model, requiring an Internet-facing, Microsoft Windows Server-based machine (referred to as the Deployment Server) which can communicate over both fixed and wireless networks with a client application running on the remote Windows Mobile PDA (referred to as the Device agent).

The solution requires a Microsoft SQL Server database to store its configuration information in. This can be an existing SQL Server installation or when downloading the installer package you can optionally include either SQL Server 2005 Express Edition or the older Microsoft SQL Desktop Engine (MSDE) for smaller installations.

The solution is managed via a management application that can be installed on the Deployment Server itself but also on a Windows PC on the same local network as the server.

Features

• OTA device provisioning and configuration
• Disable hardware and software elements remotely
• Enforce password usage
• Blacklist applications
• Schedule-based, script-based file and application delivery
• File retrieval
• Remote device control
• Registry Editor, File Explorer, Task and Process Manager
• Screen and video capture
• Inventory collection
• Time server synchronisation
• Device Encryption
• GPS device tracking
• Reporting

Installation

The installation process quick and painless, the only notable step being the option to install SQL locally or connect to an external database server:

The final step in the installation process is the entering of your license key:

MobiControl is freely available for a 30-day trial period from the Soti web site.

Once installed, the Management interface an be launched either from the desktop or from the Start menu:

Configuring the server

Once installed, you can specify the internal and external name of the MobiControl server as well as the port used by the client to communicate with the server:

Ideally a single server name should be used and the corresponding entries configured on internal and external DNS to enable clients to be able to communicate with the Deployment Server when connecting remotely and also when connected to the local network, without having to make any configuration changes.
By default the port used by clients to communicate with the server is TCP 5494 - this port should therefor be open on any firewalls between the client and the Deployment Server.
Client-server communications can be secured using SSL if required.

Installing the client application

In order to install the client application onto devices, an 'Add Device Rule' must first be created:

Which allows the administrator to define whether the client is being built for internal or external connections as well as a schedule by which devices should initiate a connection to the server:

Once the rule has been created, the client installer package itself can then be created. This is done within the Device Agent Manager:

When creating a client installer package, the specific type of client device can be defined:

Or alternatively, if the device is connected locally via ActiveSync, the device settings can be detected automatically:

The client naming convention can also be defined:

Once created, the client installer package will then be listed in the Agent Manager:

The package can then be deployed to a device that is connected locally via ActiveSync, or the package can be exported to a single installer file for copying to devices either via email, memory card or download from a web server:

Once installed on the client, an icon for the application is displayed in the bottom right-hand corner of the Today screen:

as well as the System Settings screen:

No settings can be altered by the user on the client itself, but information is displayed on the status of the connection to the server as well as the packages that have been installed:

Deploying Packages

The MobiControl Package Studio enables the administrator to assemble complex software installation packages containing pre-built CAB files as well as custom pre and post installation visual basic scripts which can be used to add an additional level of intelligence to package deployment (verify processor type, language or free storage space available, for example):

Target client installation paths can be defined:

as well as user-displayed messages:

These packages can then be included in 'Deployment Rules' which allow the administrator to assign the package to specific devices or groups of devices.
The MobiControl solution allows the administrator to create two types of group: static groups (such as 'Sales', 'Warehouse', 'Admin', etc) as well as virtual groups (such as 'all devices with Windows Mobile 6'), for example.
Groups can be 'nested', with the properties assigned to a parent group automatically being propagated to any child groups for easy administration.

Packages can be deployed immediately or can be scheduled for execution at a specific time:

The success or failure of that package deployment can then be monitored within the Manager:

File Sync rules can be defined to send individual or groups of files to client devices, including automatic creation of directories (which can be named based on device variables if required).
Files can also be uploaded from clients to the Deployment Server, again in directories named automatically based on the client they were collected from.

As well as being able to run packages on a schedule, packages can run automatically if any files contained within the package change - either on the local network or on the client device.

Remote Device Control

Detailed inventory information is collected from client devices automatically and displayed within the Manager interface:

Right-clicking on a device's entry provides the ability to remote that control either locally via ActiveSync or remotely (provided that the device is online):

The Remote Control display interface provides access to a number of tools, including a registry editor, file explorer and task manager:

Also available is a command prompt allowing for direct issuing of commands to remote devices:

Screenshots can be captured as well as video recordings. Macros can also be created and deployed:

Clipboards can be synchronised between helpdesk computers and remote devices.

An image of a client device can be created, containing a complete backup of the device file system and registry information. That image can then be used to compare against a later device image and report on the differences, enabling a helpdesk to view what changes have been applied to a client device and assist with troubleshooting.

Right clicking on a device entry also provides several configuration options:

Server ActiveSync settings can be applied to remote devices quickly and easily, including server details, content as well as scheduling information:

Password usage can be enforced on client devices. An administrative password can be defined should a user forget their own password:

User passwords can be integrated with Active Directory if required meaning that users need only remember one password.

The MobiControl solution also features a device lockdown feature which enables the administrator to hide the default Windows Mobile today screen and instead choose to display only the icons for those applications that the administrator wishes users to be have access to. All other applications are unavailable to the user.

Specific applications can be blacklisted so that they are unavailable to users.

Hardware and software elements on client devices can also be remotely enabled and disabled by the administrator:

Storage encryption can also be enforced on client devices and certificates can also be delivered to and installed on client devices for secure access to web services (including Exchange Server ActiveSync if a self-signed certificate has been issued to the Exchange server)

Devices can also be configured with details of a time server and be required to synchronise with that server to ensure tat the clock on the device is always correct.

Custom data fields can be defined within the MobiControl Manager and then monitored on client devices and reported on - these might be registry values, ini file contents, etc.

Reporting and Tracking

Finally, MobiControl has a wide range of pre-defined report templates that can be accessed to provide detailed information on the status of your fleet of remote devices:

Reports can be exported in a number of formats.

Provided that client devices have correctly configured and functioning GPS capability, location information can be collected from clients and reported on within the MobiControl Manager.

Addendum

SOTI have now announced Version 7 of MobiControl. New features include:

• Alerts - Email notifications of critical network and device changes
• Windows 7 - Supports both 32 and 64 bit versions, along with support for Windows XP 64 bit, Windows Vista and more
• Location Services Enhancements - GeoFencing, Reverse Geo Code and Live traffic conditions
• Phone Block - Whitelist / Blacklist for acceptable and unacceptable phone numbers, as well as call logging
• 2-Way Chat - Live chat between devices and MobiControl central console
• Laser Pointer - Optionally display the desktop mouse pointer on devices during remote control sessions
• Reports - Improved report execution speed as well as a richer set of canned reports now available
• New Device Support - Added support for Honeywell 6100, Intermec CN50, Motorola MC9500 and other devices

Visit the SOTI web site for more information - www.soti.net

SOTI MobiControl Product Video

Soti MobiControl for Android

I have written previously about Soti's MobiControl device management solution for the Windows Mobile Platform (http://blog.brightpointuk.co.uk/soti-mobicontrol). Now in version 8.51 Soti have added support for the Android platform, on devices running Android 2.2 or later.

With the huge success of the Android platform, and the growing trend for employees to use their personal Smartphone for company tasks, the need for a central device management solution that supports the Android platform is increasing.

Features

MobiControl makes it easy to maintain an inventory of all connected devices, to enforce required security policies, to provide access to required applications and restrict access to undesirable apps all from within a web-based administration console with support for multiple groups and usage policies.

Devices can be enrolled using unique password credentials or optionally through integration with Active Directory. Once enrolled businesses can then view and audit devices in real time including the following pieces of information:

• Device Name
• Personalized Device Name
• Device ID
• Phone ID (IMEI, MEID, ESN)
• IP Address
• MAC Address
• Wi-Fi Signal
• Battery Status
• Phone Number
• Cellular Carrier
• Available/Total Memory
• Available/Total Storage
• Platform
• Operating System Version
• Model
• Agent Version
• Last Connected
• Last Disconnected
• Security Status (Rooted detection)
• Installed Applications

As well as requiring that all connected devices have a password configured, and being able to determine the required strength of that password, devices can also be automatically wiped should the user fail to enter their password incorrectly too many times in succession.

Administrators can automatically determine whether users have "rooted" or "jailbroken" their devices and optionally decide to restrict access to sensitive corporate data on those devices, perform a factory reset on them or merely remove all corporate applications: perfect for personally-owned devices where completely wiping a device might result in that user losing important personal documents or pictures.

Device configuration parameters can be pushed to devices over the air including WiFi connection profiles.
Advanced application management is also provided as part of the solution: administrators can view and report in real time on the applications being used on connected devices, and delete those applications which are prohibited.
An Enterprise Application Catalogue can be deployed and maintained by administrators, comprising of both Android Market applications and corporate applications held on a secure web server, either of which can be mandatory or merely recommended.

Alerts can also be configured to notify administrators of specific events, such as the failure of an aspect of the server, a failure of a device to connect within a specified timeframe or a specific user event such as the jailbreaking of a device.

Detailed reports can be generated and exported on any of the inventoried information stored by the solution.

Finally devices can be located and tracked via GPS and displayed on an interactive live world map, enabling businesses to determine where field workers are operating or locate lost or stolen devices.

Architecturally, MobiControl is deployed in a server-client model requiring an Internet-facing server running a Windows server operating system to which the client application running on the Android device communicates over the air: be it a cellular or WiFi connection.
Client-server communications are handled over a single TCP port (5494 by default but this can changed), and sessions are encrypted.

A product video is available here - http://blog.brightpointuk.co.uk/soti-mobicontrol-product-video

For more information visit the Soti web site - www.soti.net

Enrolling devices

Once installed, the MobiControl solution is managed via an SSL web interface:

Device addition rules can be created for specific users or groups, with an optional password requirement which users must enter on the device before the application can be installed:

Once created, the client installation package can then be saved and deployed to a file or web server as required:

Once the rule has been created, it can be published to the "enrolment server", if the option to require a password upon installation was selected, this will be displayed:

Or optionally the Android client is also available to download free from the Android Market:

If the client is downloaded from the Market, the required server information will need to be entered into the device - the server's external IP address or DNS name:

If downloading the generated package from a private web server, this connection information will be pre-populated automatically.

If an enrolment password was specified, this will be required when connecting to the server for the first time:

And you will be prompted to confirm that the application will be granted security policy access on the device:

Once connected the device will be listed in the administration console:

Inventory Collection

Once the device has synchronised with the server, a wide range of information about it can be viewed and reported on by the administrator as detailed above:

including what applications are installed on the device:

and administrators have the ability to remotely uninstall any applications they do not want to be present on devices:

Security

Any device can be disabled (prevented from contacting the MobiControl server), can be locked and a password set, or can be completely wiped at the click of a button from within the web interface:

Passwords can be enforced on all connected devices if required, and the strength of that password can also be set:

Administrators can also determine that should the user fail to enter their password correctly within a set number of attempts then the device will either lock itself or will erase all corporate or simply all device data.

Configuration

WiFi access point profiles can be sent to connected devices over the air, providing secure access to corporate resources over WiFi once correctly provisioned:

Configuration the Application Catalogue

One key feature of the MobiControl solution for Android is the ability to deploy and maintain a repository of allowed applications which users can browse and install on their devices.

Published applications can be assigned to individual users or groups:

and applications can either be stored in the Android Market or on a private web server:

Once published, applications are then available to users within the MobiControl client:

Summary

Soti MobiControl naturally still provides all of the features for the Windows Mobile platform that I have written about previously (http://blog.brightpointuk.co.uk/soti-mobicontrol), and also provides support for the Apple iPhone. The addition of security, location and asset inventory reporting for the Android platform makes MobiControl as powerful and as flexible as you need it to be.

Visit the Soti web site for more information - www.soti.net

Sybase Afaria

Sybase Afaria is 'the daddy' of device management solutions. The scope of this article is to give an overview of the features available. For detailed information on the product, view the product documentation on the FTP site:

ftp://ftpaccess:Brightpoint1@ftp.brightpointuk.co.uk/Sales/Sybase%20Afaria/

Due for release in Q1 2009 is version 6 of the product, which is the version I shall look at in this post.

Afaria is a modular product, with the solution being divided into a number of optional ‘Channels’, each Channel being independent of the others and being enabled or disabled based on the license key used to install the product:

• Software Manager – deliver and install commercial or custom-built software packages on client devices
• Inventory Manager – interrogate and report on the hardware and software resources available on client devices
• Document Manager – publish and deliver groups of documents to client devices, be they text files, images, HTML web pages, etc
• Configuration Manager – enable, disable and configure hardware and software elements on the client device, delivering connection settings, blacklisting applications, disabling camera and Bluetooth features, for example
• Backup Manager – backup and restore specified files from the client device to a specified location on the corporate network
• Session Manager – the most powerful feature of the solution, enabling automation of file distribution, directory management, registry management. I will examine this feature in more detail later
• Data Protection Manager – define and enforce security settings on the client device, including power-on passwords, encryption settings. Users can be allowed a set number of attempts to enter the password correctly, after which specific events can be triggered automatically, including removal of specific PIM data and/or files and applications, or a complete device hard reset
• Patch Manager – deliver operating system patches and security updates to clients automatically (Windows 32 only)

NOTE – not all Channels are available on all client platforms.

Multiple channels can be configured, with each channel having one or more of the supported client types associated with it, or specific users or groups subscribed.

Afaria supports both ‘push’ and ‘pull’ functionality, whereby application, file and other publication packages can be delivered to the client as soon as they are updated on the local network, and client devices can also request specific information from the server at the user’s initiation.
Push functionality works by the use of ‘Outbound Notifications’ on the server: a ‘Listener’ on the client monitors the server for changes to specific Channels. As soon as a change is saved and published by the administrator, an outbound notification is generated which is received by the listener, which causes the client to initiate synchronisation with the server.
‘Bandwidth throttling’ is also available, enabling the administrator to define how much of the bandwidth available to the client device can be utilised by the Afaria client, thereby giving priority to more business-critical applications if required.
‘Byte-level differencing’ enables the Afaria server to deliver to the client only those byte-level changes that have been made to files and publications since the client last contacted the server, reducing the amount of data transmitted and reducing connection times.
‘Segmented delivery’ allows for large files and publications to be broken down into smaller packages and delivered to the client over a series of connections if required.
‘Check point restart’ allows for interrupted connections to be resumed at the point that it was ‘broken’, reducing redundant data transfer and reducing connection times.
Compression technology allows for files and published data to be compressed during transmission to the client to further reduce data transfer and connection times.

Afaria can also be optionally integrated with the Microsoft System Management Server (SMS) product for further ease of client device administration and reporting.

New to version 6 is the inclusion of OMA-CP functionality. OMA is the Open Mobile Alliance responsible for ratifying standards governing the delivery of configuration settings to supported client devices via SMS messages. The Linux version of the Nokia Intellisync Mobile Suite offered this functionality when used in conjunction with the Nokia E and N series range of devices. Afaria 6 now offers similar levels of functionality which I will look at later.

Afaria is a Windows server-based application, requiring either Windows Server 2000 or 2003.
The solution requires a database back-end to store configuration information, this can be MSDE for smaller installations, Microsoft SQL Server 2000 or 2005 or Sybase’s own SQLAnywhere database product.
All administration of the product is done via a web interface, therefore IIS needs to be installed on the server also.

There are a number of other pre-requisite applications that also need to be installed prior to installing the Afaria product, but these are provided on the accompanying installation media and you will be prompted to install them automatically if they are not present on the target server:

• Microsoft Visual C++ Redistributable
• Microsoft Dot Net Framework 3.5
• Crystal Reports Runtime Redistributable
• Microsoft Core XML Services 6
• Microsoft Direct Access Components (MDAC)

The Afaria solution requires that a client application be installed onto the client device, I will look at how this application can be deployed to the client later.
Supported client platforms include:

• Windows 32 (Windows 2000, Windows XP, Windows Vista)
• Windows Mobile 5,6 (Pocket PC and Smartphone)
• Palm OS
• Symbian
• Blackberry
• Java MIDP

For the client to be able to contact the Afaria server, the server must have a public Internet-facing IP address, with a correctly configured DNS entry if a ‘friendly name’ is to be used.
All client-server communications are done over TCP port 3007, therefore this port will need to be open on the firewall if one is deployed. All client-server communications are encrypted using SSL.

It is not necessarily a requirement that HTTP access be allowed through to the server from the Internet unless you need the ability to administer the server remotely (in which case a VPN solution would be preferable).

It is not advisable that the Afaria server be located in a DMZ environment if the Afaria server is going to need to access local network resources (file servers, database servers, AD authentication information, etc). For the security conscious, Afaria provides the ability of deploying a ‘relay server’ in a DMZ environment. This is a Windows or Linux-based IIS or Apache service that accepts client communications on a customisable port, and relays them to the back-end Afaria server on an alternative port.

I will look at the server installation procedure in a separate post.

The Afaria Administrator

All aspects of the Afaria server’s operation can be configured through a web browser. Internet Explorer is required, and the Microsoft Dot Net Framework 3.5 must be installed.
Administrative Roles can be configured allowing administrative accounts different levels of access.

The default view displays status information on the server as well as historical connection statistics:

It is beyond the scope of this post to go through all of the features available within the Administrator web interface. I shall look at the features available in the various Channels, which are configured within the Channel Administrator view:

Software Manager

The Software Manager allows the administrator to deliver pre-built application installers to client devices and run them:

The installers can be stored locally on the Afaria server or on network shares. The administrator can specify where on the client the package is delivered to and also where it is then installed to. Checks can be implemented to verify before proceeding with the installation that the client has sufficient free storage space and memory available.
Custom actions can also be specified so that events occur both pre- and post-installation of the package. This involves integration with the Session Manager which I will look at in more detail later.

Inventory Manager

The Inventory Manager allows the administrator to define an inventory collection task on the server. Inventories can be hardware-only, or both hardware and software:

Once the Inventory has been processed on the client and the data uploaded to the server, that information can be viewed and reports generated based on specific criteria (devices with Adobe Reader 5 installed, for example).
Inventories can also be included in the Session Manager

Document Manager

The Document Manager allows the administrator to ‘publish’ specific files and folders, be they local to the Afaria server or network shares. Users can then choose to ‘subscribe’ to some or all of those published files:

Configuration Manager

The Configuration Manager allows the administrator to deliver connection settings and access point information to the client device. The Symbian configuration manager also has templates pre-defined for the delivery of Mail For Exchange settings (the Server ActiveSync client for the Nokia E and N series range of handsets enabling push synchronisation with Microsoft Exchange):

The Windows Mobile configuration manager offers comprehensive options including templates for access points, connection settings, Server ActiveSync profiles, hardware control (Bluetooth, IR, WiFi, Camera, etc), Owner Information, Regional Settings and lots more:

Backup Manager

The Backup Manager is relatively straightforward to configure. Once created you can specify specific files or folders (including subfolders if relevant) to be included in the device backup publication:

Similar restore packages can be created, including all or less of the data that has already been backed up:

Data Protection Manager

The Data Protection Manager allows the administrator to enforce a power-on password on client devices, specify how many attempts users have to enter their password correctly, and what happens to the client device should that numbers of attempts be exceeded:

Patch Manager

The Patch Manager is for Windows 32 clients only (Windows 2000, XP and Vista). This feature integrates with Windows Update and allows the administrator to approve available updates and have them delivered to clients automatically:

Session Manager

It is the Session Manager that is the most powerful feature of the Afaria solution, and effectively all of the above Channels can be invoked for inclusion in a Session Manager ‘worklist’, so it is the Session Manager that I shall look at in the most detail.

The Session Manager allows the administrator to create and order Worklists. Each worklist can be run separately or part of a sequence.

Each Worklist can be comprised of one or many pre-defined actions, including querying an element of the device’s hardware or software status (free memory or storage, version of application installed, for example), delivering a file (be it a document, application, patch or whatever) if required, based on the result returned from the previous query executed on the client, verifying the successful delivery of the file (based on the creation of a directory on the client, the value of a specific registry key or a value in an ini file on the client, for example), then sending an email to a pre-defined address to alert the administrator to the fact that the worklist has been completed successfully.

Worklists can be completely automated, having queries performed on the client on a preset interval and have pre-defined actions trigger automatically should specific criteria be met on the client. A client request might query the device registry, file structure, a specific text file, or even a custom variable defined by the administrator.

The complete list of actions available within the Session Manager is as follows:

 

Append File

Check File

Check Memory

Check Speed

Check Volume

Comment

Copy File

Create Registry Key

Delete File

Delete Registry Key

Delete Registry Value

Delete Variable File

Directory Listing

Disconnect

Else

Else If

End If

End Impersonation

End Quota

End Repeat

End Session

End Work Object

Execute Program

File Status

Find File

Get Database Field

Get File From Client

Get Registry Value

Get Script Variable

If

Impersonate User

Increment Variable

Insert Channel

Insert Worklist

Load Script

Make Directory

Message

Notify Program

Quota

Raise Event

Read Variable File

Reboot Client At End Of Session

Release Script

Remove Directory

Rename File

Repeat

Run Script Function

Search Registry

Send File To Client

Set Bandwidth Throttling Config

Set Client Time

Set Database Field

Set File Attributes

Set Registry Value

Set Script Variable

Set Variable

Test Group Membership

Test Variable

Update Variable File

Wait For File To Exist

Adding an action to a worklist displays the options available for that action, so for example, should you choose to send a file to a client, the administrator can specify where on the network the file lives and where on the client it needs to go. File differencing can be enabled (so that only byte-level changes to files are sent to clients to avoid having to re-send whole files should only small changes have been made to the source), etc:

The Safe Transfer option prevents the creation of the destination file until the file has been successfully transferred. This option instructs the server to use a hidden temporary file until the file transfer completes. Once complete, the server renames the temporary file to the destination filename.

Further variables can be defined, so that for example should you wish to retrieve a file from a client device, you can have a directory created on the target server which includes the machine name of the client, the date and the time that the file was uploaded:

These variables can be pre-defined or custom variables created by the administrator. The list of available variables is as follows:

 

<!Drive<VarName>>

<!File<VarName>>

<!Path<VarName>>

<%UserDefined>

<AuthenticatedUser>

<ChannelName>

<ChannelViewer>

<CheckDiskSize>

<CheckMemorySize>

<ClientAllUsersDesktopDir>

<ClientChannelDir>

<ClientCommonFilesDir>

<ClientDomainName>

<ClientInstallDir>

<ClientIPAddress>

<ClientMachineName>

<ClientMemorySize>

<ClientOS>

<ClientOSServicePack>

<ClientOSShell>

<ClientOSVersion>

<ClientProcessor>

<ClientProgramFilesDir>

<ClientRasUserName>

<ClientSyncUserName>

<ClientTempFilesDir>

<ClientUserName>

<ClientVersion>

<ClientWindowsDir>

<ClientWindowsSystemDir>

<ConnectionId>

<ConnectionSpeed>

<ConnectionType>

<d>

<date>

<dw>

<dy>

<FileStatCount>

<FileStatSize>

<FileStatVersion>

<GetFilesAttempted>

<GetFilesFailed>

<GetFilesNoUpdate>

<GetFilesSuccessful>

<hh>

<mm>

<ms>

<SendFilesAttempted>

<SendFilesFailed>

<SendFilesNoUpdate>

<SendFilesSuccessful>

<ServerCommonFilesDir>

<ServerID>

<ServerInstallDir>

<ServerIPAddress>

<ServerMachineName>

<ServerMemorySize>

<ServerName>

<ServerOS>

<ServerOSVersion>

<ServerProgramFilesDir>

<ServerTempFilesDir>

<ServerVersion>

<ServerWindowsDir>

<ServerWindowsSystemDir>

<SessionDuration>

<SessionStartTime>

<ss>

<time>

<VolumeSize>

<y>

<y1>

<y4>

The ‘Execute Program’ command can be used to issue any command native to the client operating system. Therefore, for example, should a specific service need to be stopped on the client whilst an action is performed, and then subsequently restarted, the NET STOP and NET START commands could be used. As mentioned above, Software Manager publications can be configured to run Session Manager worklists before and after application installers are delivered to the client.

An element of control can be incorporated into worklists. For example, the ConnectionSpeed command can be used to query the bandwidth available to the client and have different actions available depending on the speed of the connection:

Whilst the Configuration Manager has templates defined for easy configuration of common features on client devices, provided that the administrator knows the required files, variables and registry entries that need to be specified on the client, virtually any aspect of a client’s operation can be controlled via the Session Manager.

Session Manager is, then, very powerful indeed.

Monitors & Alerts

Monitors can be defined on the Afaria server, including:

• Connection Monitor
• File/Directory Monitor
• Memory Monitor
• Power Monitor
• Process Monitor
• Registry Monitor
• Schedule Monitor
• Window Monitor

Thresholds can be defined within the properties of each monitor so that should defined values be reached (a named service on a client device stops running, for example), then a specific event is triggered automatically – this could simply be an alert in a log file, an email to the administrator, or a pre-defined Session Manager Worklist.

Alerts can also be defined so that the administrator is informed automatically should certain event occur on the Afaria server, be it via email, pager or text message.

Channel Sets

Individual channels can be grouped into a channel set. The Afaria client is configured with the address of the Afaria server to connect to, and the channel set to request. That way a client only needs to know the details of the channel set and can automatically be delivered the contents of a Backup Manager, Configuration Manager, Document Manager, Session Manager, or whatever the administrator has ‘published’ to that channel set.

Client Deployment

Client installation packages can be created for all supported client platforms (CAB package for Windows Mobile, SIS package for Symbian, etc). Installers can be pre-configured with the name or IP address of the Afaria server, the channel set to connect to, and can be configured to automatically connect to the server immediately following installation.
Once created, the installation package can be placed on a network share, on a web site, or distributed via memory card, for example.

Static & Dynamic Client Groups

Client devices can be arranged into groups in 2 ways. The membership of static groups does not change: you can define, say, all Windows Mobile 5 devices, or all Sales staff.
Dynamic groups can be defined on a more intelligent basis and their membership can change based on the results of Inventory scans – all devices with over 10MB of available storage, for example.

Reporting

Afaria boasts comprehensive reporting capabilities: monitors and alerts can be reported on, as well as the different server log files and all aspects of the general server ‘health’ (disk usage, network bandwidth, etc); the status of successful and unsuccessful package delivery and connection requests can be reported on; and reports can be generated from the Inventory information collected from all clients that have an Inventory Manager channel defined.

Authentication

Afaria offers a range of mechanisms for authenticating client devices. Devices can be automatically ‘approved’ so there is no need for the user to enter any authentication credentials. This may be preferable if the devices are only being used on a local, closed network, or security has already been addressed elsewhere: a VPN connection, for example.
The Afaria server can be configured to use Active Directory authentication so that users are required to enter their Windows username and password on their client device in order to connect to the server.
Alternatively, an LDAP authentication source can be defined to authenticate against an LDAP server using the Lightweight Directory Access Protocol.

OMA-CP Messages

The ability to generate Open Mobile Alliance Client Provisioning (OMACP) messages from the Afaria server is a feature new to version 6 of the product. This feature allows devices to be remotely configured with connection settings using
XML-based .DFF files delivered via SMS (the Short Message Service, not to be confused with the Microsoft System Management Server I mentioned earlier). No client software is required on the device, the device simply needs to support the OMACP standard (which most Symbian devices do now).
This means that a ‘fresh’ client can be configured with the necessary settings to connect to the Internet, a text message can be delivered to the client containing a link to where the Afaria client can be downloaded, and then the device can be configured directly from the Afaria server once the client has been installed.

This feature does require that the Afaria server have access to an SMS Gateway, or have a cellular mode connected to it which supports SMS message delivery (virtually any mobile phone installed as a modem or a connected Fixed Cellular Terminal would provide this capability).

Within the Afaria Administrator, browse to Home → Client Deployment:

Select the option to create a new OMA CP Message Template, the following window will be displayed:

Enter a name for the template and define the APN, username and password for your cellular service provider. Click Save, the new template will be listed.

Right click on the entry and select the option to Send Notification:

In the To field enter the mobile number of the device to which the message is to be sent.
NOTE – the format of the contents of the To field will depend on the requirements of the SMS Gateway or SMSC Connection you defined earlier. This may be full international number format (+447843359005), international format minus the ‘+’ prefix, the format of an email address @carrier.com, etc. Your carrier or service provider will be able to provide assistance.

NOTE – an address book can be configured on the Afaria Server containing the details of all of your recipients. These addresses can also be arranged into distribution groups.

Create an SMS Message containing the link to the Afaria client download: within the Afaria Administrator return to the Client Deployment screen. Select the option to create a New Message, the following window will be displayed:

Enter a name for the message.
Enter a subject for the message and in the Message field enter the link to the Afaria client download.
Save the message, then right click on it and select the option to Send Notification.

Delivering Settings via OMACP

Whilst templates exist for the delivery of Internet connection settings, provided that the administrator knows the correct syntax of the XML to be delivered to the client, virtually anything that can be defined in XML can be configured on the client device using this feature.
Within the Client Deployment screen is an option to create a ‘Free-Form’ Message:

Enter a name for the message.
In the Body field enter the XML source of the OMACP message you wish to deliver to the client.

Save the message, then right click on it and select the option to Send Notification.

Summary

To conclude, then, Afaria offers a level of ‘granular’ control not available in any other product I have come across, on the widest range of client device platforms of any device management solution. The administration of all these features is correspondingly ‘involved’, but once you are familiar with how Session Manager worklists hang together the possibilities are virtually endless!

Addendum

For details on the new features available in version 6.5 of Afaria, read this article - http://blog.brightpointuk.co.uk/sybase-afaria-65

Sybase Afaria 6.5

Afaria is Sybase's device management solution for the Enterprise market, arguably the solution to choose if you need to manage a large fleet of remote devices running a variety of different operating systems and provide mobile integration with back-end line-of-business applications.

I have looked at Afaria in a previous article here - http://blog.brightpointuk.co.uk/sybase-afaria . In this post I shall look at the new features available in version 6.5 of the product.

Architecture

The essential architecture of the solution remains unchanged: a Windows Server is required, that needs to be Internet-facing and a single TCP port needs to be opened on the firewall to allow client access. A database is required to store configuration information. For security, a reverse proxy can be deployed in a DMZ environment to accept incoming client requests on one port, and pass them through to the LAN-based server on another port. The proxy can be either Windows or Linux-based.
Configuration parameters can be 'pushed' to compatible client devices via SMS messages using the industry-standard OMA-CP (Open Mobile Alliance Client Provisioning) protocol to configure clients with the required connection settings to be able to connect to the Internet and download the full Afaria client, to perform more detailed configuration, or alternatively the client's own OMA-DM client can be used if one is available (such as on Nokia's Symbian S60 series).

The solution is network agnostic and can operate over cellular, WiFi or Ethernet links.

Channels

Also unchanged is the modular nature of the solution. Different Channels can be enabled or disabled based on the license key used to install the solution. The Channels available include:

• Software Manager – deliver and install commercial or custom-built software packages on client devices
• Inventory Manager – interrogate and report on the hardware and software resources available on client devices
• Document Manager – publish and deliver groups of documents to client devices, be they text files, images, HTML web pages, etc
• Configuration Manager – enable, disable and configure hardware and software elements on the client device, delivering connection settings, blacklisting applications, disabling camera and Bluetooth features, for example
• Backup Manager – backup and restore specified files from the client device to a specified location on the corporate network
• Session Manager – the most powerful feature of the solution, enabling automation of file distribution, directory management, registry management.
• Data Security Manager – define and enforce security settings on the client device, including power-on passwords, encryption settings. Users can be allowed a set number of attempts to enter the password correctly, after which specific events can be triggered automatically, including removal of specific PIM data and/or files and applications, or a complete device hard reset
• Patch Manager – deliver operating system patches and security updates to clients automatically (Windows 32 only)

Further features of the solution include:

• Afaria supports both push and pull client-server interaction: clients can request packages from the server either on a schedule or manually by the user. Alternatively packages can be delivered to available clients with no user interaction immediately.
• Byte-level Differencing allows the client and server to calculate which changes have been made to large files, and only send those changes over the air to minimise data exchange traffic.
• Bandwidth Throttling allows the administrator to restrict how much of the client's connection to the Internet the Afaria client should be able to make use of to prevent it affecting users' other applications.
• Segmentation and Check Point Restart allows the administrator to deliver large packages to clients in stages, between specific hours or in specific size batches. Should a transfer be interrupted, it can be resumed at the same point it was cut off removing the need for the whole package to be re-delivered, reducing data exchanges, costs, and increasing efficiency.
• All client-server communications are compressed to reduce data exchanges and costs.
• Notifications allow the administrator to track the success or failure of client installations.

New features

Afaria Administrator
The Afaria Administrator now supports Internet Explorer 8:

Client Support
New features include support for new client devices including Nokia Series 60 5th Edition, BlackBerry 4.5, 4.6 and 4.7 devices, Windows Vista SP2 and Server 2008.

Data Security Manager
The Data Security Manager for Symbian now supports increased options for 'device lockdown' (ie what happens to devices when the password policy has been voided - the user has entered their password incorrectly too many times in succession):

Windows Mobile clients can now be locked down to a specific SIM card and be wiped automatically should the SIM be changed:

On both Symbian and Windows Mobile platforms specific PIM data and file locations can be encrypted:

Application Lists
The Application Control Policy for Windows Mobile clients allows the administrator to block access to any application on the device, be it part of the standard device ROM or a third party application. Access to device settings can also be restricted:

Call Filtering
The Call Filtering Policy allows the administrator to prevent specific numbers from being dialled from client devices:

Multiple policies can be defined.

Anti-Virus / Firewall Integration
The full Afaria device client features an integrated anti-virus client and built-in firewall, both of which can be enabled and configured from the server. Again multiple policies can be defined:

OMA DM
The OMA DM policy editor allows the administrator to quickly and easily deploy XML-based configuration templates to compatible OMA DM-capable clients, including such settings as:

• GPRS / 3G / WiFi Access Points
• Nokia Mail for Exchange
• SIP Settings (VoIP)
• SCCP Settings (Cisco VoIP)
• Remote device lock, reboot and wipe
• User access to connection and email device settings

Initial connection settings, including access point and DM server profile settings can be delivered via PIN-protected SMS message virtually removing the need for any user interaction altogether:

iPhone Support

Available as a separate Feature Pack for the Afaria server, iPhone clients running version 3.1 or higher of the iPhone operating system can also be managed from the Afaria server.
Individual device configuration templates are created using Apple's own iPhone Configuration Utility (http://blog.brightpointuk.co.uk/apple-iphone-configuration-utility-20). Therefore the items that can be configured on the iPhone client are those same elements that can be configured here.
The resulting package can then be published to the iPhone Configuration Server, which runs as a separate web service on the Afaria server within IIS.
For the iPhone to 'trust' the configuration package, the iPhone Configuration Server must have an SSL certificate assigned to it. This can be a self-signed certificate using Microsoft Certificate Services. The address of the configuration server can then be delivered to the iPhone via SMS. When connecting to the server for the first time the iPhone client will prompt you to accept and install the SSL certificate.

Symbian Client

To give you an idea of the client interface I have configured my Nokia E71 against the test server. The client installer package is created on the Afaria server and in the case of Symbian creates a SIS file as you would expect. During the client configuration process a specific Channel Set can be defined, user access to client settings can be removed, and clients can be configured to automatically connect to the server once installation is complete.
On the E71 the Afaria client is listed in the Installations folder:

If user access to settings is enabled, server address and channel set information can be edited:

Once a successful connection has been established, the log view displays information on package transactions:

For more detailed information about the capabilities of the Afaria solution especially the Session Manager, I recommend reading my previous article on the product - http://blog.brightpointuk.co.uk/sybase-afaria

You can access the product documentation for Afaria on our FTP site - ftp://ftpaccess:Brightpoint1@ftp.brightpointuk.co.uk/Sales/Sybase%20Afaria/

It worth noting that whilst Afaria is very much the "gold standard" of device management solutions in terms of the ability to run both client and server-side scripted routines, it may be overkill for smaller business who simply need the ability to remotely provision devices with connection, email and VoIP parameters and remotely 'kill' devices that have been reported lost or stolen.
Afaria can be deployed in a multi-tenant hosted model if you want to leverage the policy enforcement capabilities of the solution without the need to access LAN-based documents and applications, therefore not requiring that the server be hosted and maintained on your premises.

Contact Brightpoint today on +44 870 849 0225 for more information and an unbiased perspective on device management. If you're interested in simply learning more about what device management is and why it may be important to you, read my article on choosing a DM platform - http://blog.brightpointuk.co.uk/choosing-device-management-solution-q4-2009

What is OMA DM?

The Open Mobile Alliance (OMA) is a standards body responsible for developing and ratifying open standards for the mobile phone industry. OMA-DM is the device management protocol developed by the body for the remote management of mobile phones and PDAs.

The OMA currently manages a number of standards including:

• MMS - Multi-Media Messaging
• WAP - Wireless Application Protocol
• OMA-DS - Open Mobile Alliance - Data Synchronisation
• OMA-CP - Open Mobile Alliance - Client Provisioning
• OMA-DM - Open Mobile Alliance - Device Management

In this post I shall look at the OMA-CP, OMA-DS and OMA-DM protocols.

OMA-CP

The Client Provisioning protocol enables the remote configuration of device settings via SMS message. Such settings might include:

• Internet Access Points - be it CSD (dial-up), GPRS/3G or WLAN (including support for wireless authentication information)
• Browser bookmarks
• Data Synchronisation (DS) server address details
• Device Management (DM) server address details
• POP/IMAP email account settings
• VoIP settings

Once configured with these settings, the device will then be able to connect to the Internet and initiate a session with the DS server to synchronise contact and calendar information (using the SyncML data synchronisation protocol), and to the Device Management server to perform more detailed configuration. Bookmarks sent to the device may be to web sites where application installer packages and certificates could be downloaded.
This is where the real power of the solution comes into play: a device can be configured with the required Internet connection details via SMS, requiring only a live SIM card. Once connected to the Internet virtually any aspect of the device's functionality can be configured via OMA-DM:

OMA-DM

The device management protocol uses an HTTPS data session rather than SMS message delivery, but a data connection can be requested from the device by sending it a 'wake-up' SMS message. This connection request can be visible to the end user, or can be entirely 'silent' requiring no user interaction at all. Visible requests can also be 'PIN protected' so that the user is required to enter a password (which will need to be provided to the user by some other method, most likely verbal).
Once the session is initiated, the DM server sends XML-based setting template files to the device. These XML templates essentially list every element of the device's functionality and can enable or disable them, or configure specific settings. The client device will then send responses to the OMA-DM server indicating whether the XML was processed successfully or not.
The OMA-DM protocol also provides for the delivery of files to the remote device over the data channel, be they applications, certificates, documents, patches, etc.
Basic inventory information can also be gathered from devices and saved on the OMA-DM server and reported on: including such details as hardware specification, files stored in memory, processes running, applications installed, etc.
Devices can be customised with themes and logos.

In order to support OMA-CP or OMA-DM functionality, the mobile device must have a capable client installed. Thankfully, this is included in the Symbian operating as standard, both series 40 and 60 as well as UIQ and also in the Windows Mobile 6.1 platform.
There are several commercial OMA-DM server products available, including Sybase Afaria, FromDistance Mobile Device Manager, Excitor DME and Perlego. Read the Device Management section for more details. As the OMA-DM protocol is an open standard, it is possible to build your own solution should you wish, and there are open-source projects which can be downloaded free of charge, such as Funambol (www.funambol.com). The Microsoft System Center Mobile Device Manager product also leverages OMA-DM functionality.

In order to be able to send SMS provisioning messages to client devices, the OMA-DM server will need access to an SMS gateway, or will need a mobile device connected to it through which it can send the SMS messages.

DDF Files

DDF Files are Device Description Framework documents that describe the precise XML tags supported by devices, and typically relate to a specific service or application. for example, there is a specific DDF file detailing how to define Nokia Mail For Exchange settings on the Symbian S60v3 platform.
DDF files are available free of charge from most developer web sites, including the Nokia Forum web site for Nokia devices, and the MSDN web site for Windows Mobile.
These documents allow the administrator to construct the required XML document that can be sent to the device in order to automatically provision settings. This information is available to all, but is quite technical in nature: what the commercially available applications do is to create the templates for you, so that all you need to enter are the variables for, in this example, your email environment.
As well as DDF files, there is a wealth of sample XML template files available on these developer web sites as well as a number of tools to help you create XML documents, such as the Nokia Configuration Tool (http://blog.brightpointuk.co.uk/nokia-enterprise-configuration-tool)

It is not only device manufacturers that can use OMA-DM XML-based templates to configure devices: third party software developers can use OMA-DM to provision their applications directly from the OMA-DM server. Companies such as PointSec and F-Secure already have DDF documents available and their products have been incorporated into most commercially available OMA-DM solutions.

TARM

Another feature of OMA-DM is the ability to define and enforce security policies on client devices: having configured devices with the required settings for email, VoIP etc, those settings can then be locked down so that they cannot be changed by the user. Settings controlling device lock and password strength can also be enforced.
This feature is referred to as TARM: Terminal Administration Rights Model, and requires that a 'trust relationship' be established between the client device and the OMA-DM server: the client device must therefore be able to trust the SSL certificate used to secure the HTTPS connection with the OMA-DM server. If the certificate used is not a 'root-trusted' one, the root certificate used by the CA that issued the certificate to the OMA-DM server must be installed on the client.
On Nokia handsets, an additional icon is displayed on the screen when the device is in TARM mode.

OMA Device Management is a very powerful tool indeed, and thanks to its adoption by major manufacturers and the 'open' nature of the standard, it looks to be here for a long time to come.

If you want to find out more information, useful references include:

Forum Nokia - http://www.forum.nokia.com/Resources_and_Information/Documentation/Devic...
Microsoft Developer Network - http://msdn.microsoft.com/en-us/library/bb737404.aspx
IBM - http://www.ibm.com/developerworks/wireless/library/wi-oma/

Summary

Below is a quick summary of the features on the Nokia E and N-series range of handsets that can be configured via OMA-DM:

Settings Management

• Internet Access Points (IAP) for GPRS/3G, WLAN
• SIP and VoIP settings (using the native phone client)
• POP/IMAP email (using the native phone client)
• OMA-DM Server settings
• OMA-DS server settings
• Bookmarks

Security and asset management

• Settings enforcement
  • Use of Internet access points
  • Email settings
  • Instant messaging settings
  • TARM
• Device lock and wipe
• Inventory
• List running processes

Application Management

• Distribution of any Symbian (SIS / SISX) or Java (JAR) application
• Install, upgrade and uninstall
• File transfer (read, write, delete, move)
• Silent install mode

Device Customisation

• Install, activate and delete themes
• Set image files as wallpapers
• Set operator logo

Application Settings Management

• F-Secure
• Mail For Exchange (Server ActiveSync)
• Nokia Intellisync Call Connect
• PointSec for Symbian
• Symantec Mobile Security for Symbian
• Cisco SCCP

Connectivity

• Scheduled client connections
• Event-based client connections
• Server-triggered client connections
• End user initiated connections