
How do I stay in control? Secure mobile collaboration. Ferjan Ormeling, Mobile Solution Specialist, Microsoft B.V.

Presentation transcript:

1 How do I stay in control? Secure mobile collaboration. Ferjan Ormeling, Mobile Solution Specialist, ferjanor@microsoft.com, Microsoft B.V.

2 How do I stay in control: Agenda
1. Microsoft & Mobility
2. Why security?
3. Exchange Server
4. System Center Mobile Device Manager 2008
5. Summary

3 Microsoft & Mobility

4 Why mobile? The fastest-growing segment!
Chart: year-over-year shipment growth, CAGR 2006-2010 (source: Gartner Dataquest and IDC, 2006):
- Converged mobile phones: 34.1%
- Mobile PCs: 18.6%
- Mobile phones: 5.8%
- Desktop PCs: 3.9%

5 Microsoft's vision of Mobility
Diagram: managed PCs, unmanaged PCs (home PC, kiosk, etc.) and traditional and mobile devices reach corporate services (team workspaces, e-mail, web and video conferencing, documents and files, calendaring, instant messaging, identity and presence, LOB applications, intranet web applications) over wired and wireless Internet connections, passing through an access-control firewall.

6 Microsoft's Mobile Value Proposition
Business value: productivity, reliability, cost. Supporting themes: re-use knowledge, easy to manage/support, scalable, secure, device choice, easy to use, enabling lifestyle.

7 Demo

8 Windows Mobile is all about choice!

9 Why security?

10 Ferjan's top 5 most frequently asked questions:
1. How do I provision the mobile device?
2. How can I disable programs or hardware?
3. How do I secure the data stored on the device?
4. How do I get software onto the device?
5. What about viruses?

11 Exchange Server

12 Exchange and Mobility (timeline: mobile functionality over time)
- First: DirectPush introduced; policy enforcement (7 policies); remote/local device wipe
- Then: 9 new policies; self-service via OWA; SharePoint and file access
- Later: 30 new policies; encryption; hardware control; software control

13 Built-in: no special server or services required. Rich access for the many, not the few. Anywhere Access: the Outlook experience from desktop to mobile devices.

14 Architecture Overview (diagram: Exchange ActiveSync (EAS) over SSL on port 443, with Direct Push across the Internet)

15 Securing the Servers
- Restricting access
  – Inbound port 443 (SSL) to the Client Access Server
  – Works with existing firewalls and Microsoft's ISA Server
- Data inspection
  – All communication can be inspected and filtered
- Complete Exchange Security Hardening Guide available from Microsoft
  – Exchange 2003: http://technet.microsoft.com/en-us/library/aa996732.aspx
  – Exchange 2007: http://technet.microsoft.com/en-us/library/bb691338.aspx

16 Securing the Communication
- Secure Sockets Layer
  – The standard for securing communications over the Internet (e.g. online banking/shopping)
  – Encryption: RC4, 3DES, AES*
  – Authentication: password or certificate authentication; RSA SecurID support
- ~80% of Exchange customers have this in place today for OWA
(Diagram: SSL on port 443, Direct Push across the Internet)
* Requires Windows Server 2008

17 Securing the devices
- Policy enforcement
- PIN password
- Local and remote device wipe
- Encryption
- Application control
- Hardware control

18 Policies - General
- Targeting users with policies
  – Exchange 2003 SP2: one policy that applies to all users; users can be exempted from the policy (no policy applied)
  – Exchange 2007 & SP1: multiple policies supported; targeting based upon user/group membership; Exchange 2007 SP1 adds a default policy

19 Policies - General
- Allow/Deny non-provisionable devices
  – Which devices are allowed to connect
- Refresh interval (hours)
  – How often the policy is refreshed on the device

20 Password Policies
- Require device password
- Minimum password length
- Require alphanumeric password
- Inactivity timeout (in minutes)
- Number of failed attempts allowed

21 Security: Device Data Encryption
- All device and storage encryption uses AES
- Require encryption on the storage card
  – Requirements: Exchange 2007 RTM and Windows Mobile 6
  – Ensures that any data written to the storage card is encrypted
- Require encryption on the device
  – Requirements: Exchange 2007 SP1 and Windows Mobile 6.1

22 Sync Settings (Exchange 2007 & 2007 SP1)
- Allow sync when roaming
  – This setting allows administrators to disable DirectPush while the device is roaming; the user must sync manually
- Allow attachments to be downloaded to the device
- Maximum attachment size
- Allow HTML formatted e-mail

23 Sync Settings (Exchange 2007 SP1)
- Include past calendar items
- Include past e-mail items
- Limit e-mail size to
  – Defines the maximum size of e-mail sent to the device by default (the user can still request the full message)
- Allow HTML formatted e-mail

24 Mobile Policies in SP1 (Exchange 2007 SP1)
- Allow removable storage
- Allow camera
- Allow Wi-Fi
- Allow infrared
- Allow Internet sharing
- Allow Remote Desktop
- Allow Desktop Sync
- Allow Bluetooth
  – All, or headset profile only

25 Mobile Policies in SP1 (Exchange 2007 SP1)
- Allow browser
- Allow consumer mail
- Allow unsigned apps
- Allow unsigned installation packages
- Allowed applications
- Blocked applications
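The policy slides above (general, password, encryption, sync and hardware/software control) correspond to parameters of the Exchange Management Shell cmdlets. The following is an added example, not part of the presentation and not Microsoft's own sample code: it creates one ActiveSync mailbox policy that enforces the settings the slides describe, targets it at a group, makes it the SP1 default, and shows the remote-wipe lookup. The policy name, the group name, the mailbox alias and the chosen values are assumptions; the parameter names are those of the Exchange 2007 SP1 cmdlets as documented, and should be checked with Get-Help on the installed version before use.

```powershell
# Added example, not from the presentation. Run in the Exchange Management Shell (Exchange 2007 SP1).
# Names and values below are assumptions; parameter names are those of the SP1 ActiveSync cmdlets.

$policyName = 'Secure-Mobile-Baseline'   # assumed policy name

$policy = @{
    Name                               = $policyName
    # Policies - General (slide 19)
    AllowNonProvisionableDevices       = $false       # only devices that accept the policy may connect
    DevicePolicyRefreshInterval        = '01:00:00'   # push the policy to the device again every hour
    # Password policies (slide 20)
    DevicePasswordEnabled              = $true
    AlphanumericDevicePasswordRequired = $true
    MinDevicePasswordLength            = 6
    MaxInactivityTimeDeviceLock        = '00:15:00'   # lock after 15 minutes idle
    MaxDevicePasswordFailedAttempts    = 8            # device performs a local wipe after 8 wrong PINs
    PasswordRecoveryEnabled            = $true        # recovery password kept in Exchange, self-service via OWA
    # Device data encryption (slide 21): storage card needs WM6, device needs SP1 + WM6.1
    RequireStorageCardEncryption       = $true
    RequireDeviceEncryption            = $true
    # Sync settings (slides 22-23)
    RequireManualSyncWhenRoaming       = $true        # no DirectPush while roaming; the user syncs manually
    AttachmentsEnabled                 = $true
    MaxAttachmentSize                  = '512KB'
    AllowHTMLEmail                     = $true
    # Hardware control (slide 24)
    AllowStorageCard                   = $true
    AllowCamera                        = $false
    AllowWiFi                          = $false
    AllowIrDA                          = $false
    AllowInternetSharing               = $false
    AllowRemoteDesktop                 = $false
    AllowDesktopSync                   = $true
    AllowBluetooth                     = 'HandsfreeOnly'   # headset profile only
    # Software control (slide 25)
    AllowBrowser                       = $true
    AllowConsumerEmail                 = $false
    AllowUnsignedApplications          = $false
    AllowUnsignedInstallationPackages  = $false
}

New-ActiveSyncMailboxPolicy @policy

# Targeting (slide 18): assign the policy to every member of an assumed distribution group.
Get-DistributionGroupMember -Identity 'Mobile-Users' |
    ForEach-Object { Set-CASMailbox -Identity $_.Identity -ActiveSyncMailboxPolicy $policyName }

# SP1 default policy: applies to mailboxes without an explicit assignment.
Set-ActiveSyncMailboxPolicy -Identity $policyName -IsDefaultPolicy $true

# Verification: list mailboxes that now carry the policy.
Get-CASMailbox -ResultSize Unlimited |
    Where-Object { "$($_.ActiveSyncMailboxPolicy)" -eq $policyName } |
    Select-Object Name, ActiveSyncEnabled, ActiveSyncMailboxPolicy

# Remote wipe of a lost or stolen device (slide 17): find the device partnership first,
# then issue the wipe for that Identity (placeholder below, taken from the listing).
Get-ActiveSyncDeviceStatistics -Mailbox 'jdoe' | Select-Object Identity, DeviceType, LastSuccessSync
# Clear-ActiveSyncDevice -Identity '<Identity value from the listing above>'
```

The wipe command is left commented out so the script can be run to create and assign the policy without touching any device; the wipe is issued per device only after the partnership has been identified from the listing.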

26 Manageability: Self Service

27 End User Experience (demo diagram: user John and Litware Inc.'s Exchange Server)

28 System Center Mobile Device Manager 2008

29 MDM helps to...
- Safeguard corporate data from unauthorized access
- Reduce the cost and complexity of mobile deployments
- Maintain persistent and enhanced security for connectivity
- Simplify device management

30 What IT pains does MDM solve? How to:
- Manage mobile devices like PCs on the corporate network
- Manage policies and software distribution to multiple groups of users
- Provision mobile devices without physically touching them
- Allow more secure connectivity with single-point network access control
- Allow specific business units individual control over the devices in their business unit

31 MDM enables Windows Mobile 6.1 devices to be deployed and managed like PCs and laptops in the IT infrastructure, providing them network access to corporate data and making them first-class citizens on the corporate network.
Management workload, deployment: inside the firewall. Network access workload, deployment: in the DMZ.
- Mobile VPN: machine authentication and "double envelope security"; session persistence; fast reconnect; internetwork roaming; standards support (IKEv2, IPsec tunnel mode)
- Device Management: single point of management for mobile devices in the enterprise; full OTA provisioning and bootstrapping; OTA software distribution based on WSUS 3.0; device data and inventory reporting; SQL Server 2005-based reporting capabilities; role-based administration; MMC snap-ins and PowerShell cmdlets; WMU on/off control; OMA-DM compliance
- Security Management: Active Directory domain join; policy enforcement using Active Directory and Group Policy targeting (>130 policies and settings); communications and camera disablement; file encryption; application allow and deny; remote wipe; OMA-DM compliance

32 Summary

33 Why security? The answers!
1. How do I provision the mobile device? The user can prepare the device for use over the air (OTA) with e-mail address + password / PIN code
2. How can I disable programs or hardware? Both Exchange 2007 SP1 and SCMDM can be used to turn functions and programs on or off
3. How do I secure the data stored on the device? Policies can make a password and encryption mandatory, and remote wipe can erase a lost or stolen device
4. How do I get software onto the device? SCMDM can distribute software over the air
5. What about viruses? Tiered security on the device, allow only signed applications, educate users and install anti-virus software if desired

34 Summary
- Exchange 2003 SP2: Direct Push e-mail (e-mail, contacts, calendar); basic security (PIN code, device lock, device wipe); Windows Mobile 5 and newer
- Exchange 2007 RTM: enriched PIM experience (HTML e-mail, Out-of-Office, SharePoint and UNC access to files); enhanced security (storage card encryption, password recovery); Windows Mobile 6 and newer*
- Exchange 2007 SP1: Direct Push bandwidth optimization (uses up to 1/3 less bandwidth), S/MIME support; enhanced security (device encryption, hardware control); Windows Mobile 6.1 and newer*
- SCMDM 2008: security management (device encryption, hardware control); device management (software distribution, inventory); Mobile VPN; Windows Mobile 6.1 and newer
* Version needed for the enhanced functionality; backwards compatible down to Windows Mobile 5

35 Finally: Questions?

36 People make

37 the New World of Work (Het Nieuwe Werken)

38 Appendix

39 Key Deployment Steps
1. Ensure Exchange Server 2003 SP2 or Exchange Server 2007 is in place
2. Ensure TCP port 443 is able to reach the Client Access Server
3. Ensure the customer has implemented SSL security
4. Adjust firewall connection timeout values
5. Enable Exchange ActiveSync and policies on the Exchange Server
6. If needed, deploy certificates to devices
If you are using Outlook Web Access, much of this will already be in place.

40 Adjust Firewall Timeout Settings
- Configure all communication points (firewalls) between the Exchange Server and the Windows Mobile device with the same idle session timeout
- Microsoft recommends increasing the idle session timeouts to 30 minutes
Available documentation:
- Firewall configuration: http://go.microsoft.com/fwlink/?linkid=3052&kbid=905013
- Network security impact: http://msexchangeteam.com/archive/2006/08/17/428703.aspx
(Diagram: HTTPS (443) path from the advanced firewall through the perimeter network (Exchange 2007 Edge Server) to the Front End / CAS Server and the Mailbox Server; the advanced firewall idle timeout and the idle session timeouts along the path are each increased to 30 minutes.)

