Fromdistance Mobile Device Manager

Fromdistance (www.fromdistance.com) is a Finnish company which develops a comprehensive device management solution for Symbian (S60, S80 and UIQ), Windows Mobile (5, 6 and 6.1) as well as Windows (XP and Vista): Fromdistance MDM (Mobile Device Manager).

In this article I shall focus on the features available for the Symbian platform.


Features

MDM uses the standard OMA-CP (Open Mobile Alliance Client Provisioning) protocol to send ‘silent’ configuration messages to supported client devices via SMS.
I shall look at the features available in more detail, but areas of functionality include:

  • Enforcement of security policies on remote devices (use of device lock and password access)
  • Remote device kill
  • OTA provisioning of Internet access points (CSD, GPRS, 3G, WLAN)
  • OTA provisioning of Bookmarks
  • OTA provisioning of POP, IMAP, Server ActiveSync Exchange email settings
  • OTA provisioning of VoIP settings
  • OTA provisioning of specific applications including Nokia Mail For Exchange, Lotus Notes Traveler, F-Secure, Nokia Call Connect
  • File delivery and execution. File move, copy and delete
  • Application blacklisting
  • VNC-based remote device control


Architecture

The Mobile Device Manager solution requires an Internet-facing server component which needs to be accessible via SSL. A client application is also required on the remote device. Although many Symbian S60 handsets have an OMA client built in, the Fromdistance solution uses an enhanced OMA client of their own design, as well as a client for communicating with the MDM server via TCP.
The server software itself can run on either Windows or Linux platforms, requiring a database back-end (Microsoft SQL or MySQL), a web server (IIS or Apache) as well as PHP5 or later.

The solution is 'agnostic' of the means of connecting to the Internet and can be used over low-bandwidth connections such as GPRS as well as via WLAN, 3G, or even locally via a LAN.

Below is a diagram of the solution architecture:

In order to be able to deliver SMS messages, the solution does require an SMS gateway. This can be configured within the System Settings and could be an SMS gateway service, a GSM device connected physically to the MDM server itself, or you could equally use the FromSMS application which I posted about here:

http://blog.brightpointuk.co.uk/fromsms


Versions

There are 3 methods of using the MDM solution:

  • A purchased behind the firewall server-based model
  • A leased behind the firewall server-based model
  • A hosted web-based model

An 'MDM Express' version of the product is also available that provides a remote kill functionality as well as a reduced device management feature set - for a lower cost.


Licensing

There is a one-off cost for the server software, and individual user licenses which are purchased separately. There is also an optional ongoing maintenance cost which provides access to software updates.


Administration

All administration of the MDM solution is done via a web browser. Multiple administrative logins can be created with varying permission levels.


Client Installation

All client packages can be downloaded from http://www.mdmclient.net if desired. These are the generic client packages so would need to be configured with the server address details. These packages could be installed onto devices via a memory card.
Alternatively, a link to the client application can be delivered to the remote device via SMS from the MDM server, which when clicked will download the correctly-configured client.

When logging into the administration web interface, the default view will list registered handsets:

I will look at the different sections of the interface in a moment. In the Messages section there is an option for MDM Client Link and Activation:

Here you can enter the telephone number that the link should be sent to, and specify a PIN number that the SMS message should prompt the user for.

The text message will be received by the client containing the link:

If configured, you will be prompted to enter the PIN defined by the administrator. When installing the client you will be warned that the client will establish a data connection to the Internet:

Once installed the main client connection summary screen will be displayed:

An icon for the client will also have been added to the Installations folder:

During the installation process, you will receive an additional text message with your default MDM security code:

And you will be prompted to change the default password within the client:

The security code is a built-in security feature within the client that will prompt you to enter the security code in the event that the SIM in the phone is changed. If you forget the code you will not be able to access the client.

A connection will then be established to the server automatically. Once the initial connection has been initiated, the new device will be listed within the admin interface as an 'unregistered device'. The administrator will then need to 'approve' the device, and enter the details of the user that is associated with that device.

Once approved, another connection will be established and the server will gather inventory information about the device. This can be accessed within the web interface immediately by clicking on the device's entry:

Available categories of information include - Device Information:

Applications:

Processes:

File Commands (a history of the commands that have been issued to the device from the server):

Logs (the results of the file commands issued to the device):

When deploying the client application, the server can, if required, first configure an Internet Access Point on the remote device via an SMS configuration message before sending the client to the device.
Once installed, the client can then be configured to use a different access point if required:


Groups

Devices can be placed into groups for ease of administration:


Security Policies

MDM provides for a number of security policies to be enforced on a remote device:

  • Bluetooth State - Bluetooth operation mode can be set
  • Phone AutoLock - enables the device's built-in device lock feature and enables the administrator to specify the password 'strength' and how many attempts users can have to enter their password correctly
  • IMSI Check - enables the MDM client security feature that prompts the user for their security code in the event that the SIM card is changed in their device


Connection Policies

This section of the interface allows the administrator to specify which access points should be available on a device, and the order in which they should be accessed by the device. One nice feature is that if, when examining the inventory of a device, the administrator sees an IAP that may be required by other users, he or she can quickly and easily add that access point to the Connection Policy by copy and paste.
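
Access point settings delivered over OMA-CP are plain characteristic/parm documents, so they can be checked against an allow-list before they are sent. The following is an added example, not code from this post or from Fromdistance: the document, APN, proxy address and allow-lists are constructed sample values, and `parms` and `audit` are hypothetical helper names.

```python
import xml.etree.ElementTree as ET

# Constructed sample OMA-CP document: one GPRS access point plus one proxy.
SAMPLE_DOC = """<wap-provisioningdoc version="1.1">
  <characteristic type="NAPDEF">
    <parm name="NAPID" value="corp_gprs"/>
    <parm name="NAME" value="Corp GPRS"/>
    <parm name="BEARER" value="GSM-GPRS"/>
    <parm name="NAP-ADDRESS" value="corp.apn.example"/>
    <parm name="NAP-ADDRTYPE" value="APN"/>
    <characteristic type="NAPAUTHINFO">
      <parm name="AUTHTYPE" value="PAP"/>
      <parm name="AUTHNAME" value="sample-user"/>
      <parm name="AUTHSECRET" value="sample-secret"/>
    </characteristic>
  </characteristic>
  <characteristic type="PXLOGICAL">
    <parm name="PROXY-ID" value="px1"/>
    <parm name="NAME" value="Corp proxy"/>
    <characteristic type="PXPHYSICAL">
      <parm name="PHYSICAL-PROXY-ID" value="px1-phys"/>
      <parm name="PXADDR" value="203.0.113.10"/>
      <parm name="PXADDRTYPE" value="IPV4"/>
      <parm name="TO-NAPID" value="corp_gprs"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

def parms(node):
    """Direct <parm> children of one characteristic as a name -> value dict."""
    return {p.get("name"): p.get("value", "") for p in node.findall("parm")}

def audit(doc_xml, allowed_apns, allowed_proxies):
    """Return (finding, value) pairs for settings outside the allow-lists.

    Meant for documents the administrator built, not for untrusted input.
    """
    findings = []
    for c in ET.fromstring(doc_xml).iter("characteristic"):
        ctype, p = c.get("type"), parms(c)
        if ctype == "NAPDEF" and p.get("NAP-ADDRESS") not in allowed_apns:
            findings.append(("unapproved-apn", p.get("NAP-ADDRESS")))
        elif ctype == "PXPHYSICAL" and p.get("PXADDR") not in allowed_proxies:
            findings.append(("unapproved-proxy", p.get("PXADDR")))
        elif ctype == "NAPAUTHINFO" and p.get("AUTHTYPE") == "PAP":
            # PAP sends the access point password in clear text.
            findings.append(("cleartext-auth", "PAP"))
    return findings

if __name__ == "__main__":
    # Hypothetical allow-lists standing in for a connection policy.
    for finding in audit(SAMPLE_DOC, {"corp.apn.example"}, {"198.51.100.5"}):
        print(finding)
```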

The Access Point information itself is configured within the System Settings section and allows for the creation of CSD, GPRS/3G as well as WLAN access points, including authentication and proxy server information if required:


Application Blacklisting

This section allows the administrator to specify which applications cannot be run on client devices. Programs can be blocked explicitly if the administrator knows the name or UID of the application, or the administrator can review the inventories retrieved from connected devices and block any listed applications that they do not approve of:


File Commands

This section is where the solution starts to become more flexible and powerful. Individual file commands can be grouped to form 'batches' effectively forming a script. Available commands include:


Batch Commands

As well as creating commands manually, the MDM solution includes a number of pre-written command templates for both Symbian and Windows Mobile devices:

Available templates for the Symbian platform include:

The template for the Nokia Mail For Exchange application allows the administrator to define server address, username, password and domain as well as content to be synced and content and schedule information:

An Exchange ActiveSync template is also available for Windows Mobile:


Messages

This section contains templates for OMA-CP messages that can be delivered to supported clients. We saw earlier how a message can be created containing a link to the MDM client application. Other available Message templates include:

The Connect message will cause the device to initiate a connection to the server via the TCP channel.
The Detonate message will cause the device to undergo a hard reset. The Detonate feature will also cause the internal and storage memory on the device to be overwritten a number of times with random data before being hard reset to ensure that any data that had been stored on the device is irretrievable (as much as possible at any rate).


Configuration Messages

This section allows the administrator to build and deliver OMA-CP messages for a variety of services, including email settings, bookmarks, internet access points, or device management settings:

Email account settings are defined within the System Settings section, as are Internet Access Points as we saw earlier:


Backup & Restore

This section allows the administrator to define backup and restore templates:

Contacts, Calendar, Notes, Bookmarks and the SMS Inbox can be backed up from the device and stored on the server in an encrypted file. That backup can then be restored to the same, or a different, device at a later stage.

Any backups that have been created are listed in the web interface:


Reports

This section allows the administrator to generate custom reports from the information contained within the inventories harvested from client devices as well as the server log files. The below image shows the types of reports available:

All reports can be exported to CSV format for viewing in Excel or compatible spreadsheet application.


System Settings

As well as defining Internet Access Points and Email services, the system settings section allows the administrator to define the time intervals within which client devices should connect to the MDM server:


Remote Device Control

Fromdistance have also developed their own VNC-based client application that can be delivered to the client device from the MDM server, installed, and then connected to directly from the MDM server web administration interface, providing advanced remote support and troubleshooting capabilities.

The VNC application can be delivered to the client using a standard batch command template and is installed onto the client quickly and easily:


Summary

Available features include:

  • Device Inventory collection
    • IMEI
    • IMSI
    • Roaming status
    • Battery status
    • Firmware version
    • Hardware
    • Manufacturer
    • Language
    • Storage card memory available
    • Device memory available
    • Installed software
    • Network configuration
    • GPS
    • Call logs
    • Data transfer logs
  • Configuration Management
    • SyncML data synchronisation settings
    • OMA device management settings
    • SIP (VoIP) settings
  • Internet Access Points
    • CSD settings
    • GPRS/3G settings
    • WLAN settings
    • Default access points
  • Email
    • Email settings
    • Email data roaming settings
    • Exchange Server ActiveSync settings
    • Nokia Mail For Exchange settings
  • Browser
    • Browser settings
    • Bookmarks
    • MMS (picture messaging) settings
  • Software Configuration
    • F-Secure Mobile Security
    • Pointsec encryption
    • Siemens HiPath
    • Alcatel Lucent
    • Nokia Call Connect for Cisco
    • Nokia VPN
    • Lotus Notes Traveler
    • Application whitelist
    • Application blacklist
    • Corporate Policy Management
  • Security
    • Enable / Disable Bluetooth
    • Enable / Disable Camera
    • Enable / Disable Control Panel
    • Enable / Disable device encryption
    • Enable / Disable user installation of applications
  • Backup & Restore
    • Full device backup and restore
    • Selective file/folder backup and restore
    • Contacts
    • Calendar
    • Email messages
    • Tasks
    • Notes
    • Files and folders
    • Multimedia
    • SMS and MMS messages
    • Bookmarks
  • Software Management
    • Silent installation
    • Installation parameters
    • Stop application
    • Start application
    • Install / remove / update applications
    • Remote desktop management
  • Security
    • Device reboot
    • Device wipe
    • Device lock / unlock
    • Certificate management
    • File system management
    • Read / delete / upload / download / execute / update
  • User Alerts
    • Information
    • Confirmation
    • Select
    • Alert

Visit www.fromdistance.com for more information.


Addendum

Version 1.86 has added several new features to the solution:


Phone call logs

The solution now has the ability to record and report on the calls made from and received by any connected device. Whilst this functionality is now included, it is not enabled by default, and administrators should make themselves aware of any regional privacy legislation before enabling this feature.


Client Installation

When creating the client installation package, the administrator can now define a default security PIN that should be entered by the user when installing the client to verify that the package has indeed been delivered to the correct user and device.
As detailed above, the solution now has the ability to record call log information - this feature can be enabled within the client automatically, as can the ability to record GPS location information:


BlackBerry Support

Fromdistance now supports BlackBerry client devices. Although not officially supported until September, MDM now provides the ability to generate both hardware and software inventory information on connected BlackBerry devices. Although the BES product has the ability to do this, if managing a mixed fleet of devices including BlackBerry as well as Windows Mobile and Symbian, the MDM server web administration interface enables the administrator to view detailed information on all of his or her devices without the need to access multiple different systems and reporting tools.


Batch Commands

The batch command feature now provides support for administrator-created, PHP-based scripting. Whilst requiring that the administrator know how to create these scripts manually, this feature is very powerful indeed - providing "if x, then y"-style functionality governing whether the batch command should run or not. Examples would include determining the language installed on the client device, its operating system, free memory available, etc. Training is available from Fromdistance themselves, or naturally consultancy services can be provided by Brightpoint GB - call +44 870 849 0225 for more information.


FromSMS

I blogged about this service in this post - http://blog.brightpointuk.co.uk/fromsms
Developed by the same people that brought you the open source Kannel SMS Gateway (www.kannel.org), FromSMS version 2.01 now provides support for binary SMS messages.


FrOMA

The OMA-CP client for Nokia Symbian S60 devices used by the Fromdistance solution has been updated to version 2.0, which includes support for provisioning Internet Access Point (IAP) groups, as used by the Nokia E75 and later devices for the Mail for Exchange application - http://blog.brightpointuk.co.uk/setting-mail-exchange-nokia-e75


Role-based management

The MDM solution now provides support for a greater number of 'user roles', which is especially relevant when considering using the product in a hosted model.
The following roles are now available:

  • Service Provider
  • Administrator
  • Helpdesk
  • End User




You can view full details of the Fromdistance Mobile Device Manager product feature set online here - http://www.fromdistance.com/en/products/mdm/datasheets/Fromdistance_MDM_...