As PDAs become increasingly powerful and the need to access and store larger amounts of data rises, so does the need to secure that data. When deploying mobile devices and granting users remote access to local network resources, be it email, an intranet site, file shares or specific line of business applications, the administrator needs to know that those devices are doing so securely, will automatically lock themselves if left unattended and can be remotely wiped if they are suspected of being lost or stolen.

In this article I shall look at the foremost products available today, in the author's opinion, as well as the features that should be considered when evaluating a device management solution. If you are interested in knowing more, or have any questions relating to any of the information in this article, call Brightpoint today on 0870 849 0225.

When choosing a device management solution, there are a number of approaches that you can take: you may have decided a client device type and wish to know what solutions are compatible; you may have a specific feature set that you need to be available to your users; or similarly a set of features you don't want to be available.
In this article I shall look at the foremost device management solutions available currently, in this author's opinion, providing support for Windows Mobile, Symbian, BlackBerry, Android, Windows (ie, desktops) and the iPhone.

Features

When considering a device management solution, there are a number of guidelines that should be taken into account:

• All communications between the client and the server should be secure.
• The solution should not tie you into a particular client platform or device, nor a particular mobile network operator - the solution should be "agnostic" of the client device type as well as the means of connecting to the Internet.
• The solution should be available abroad.
• The solution should offer, at the very least, the ability to enforce password usage on client devices as well as the ability to remotely wipe or 'kill' devices in the event that they are reported lost or stolen. The ability to remotely install and uninstall applications, collect device inventory information and generate usage reports for mobile cost management should preferably also be available.
• Should the solution require a specific client application, this client should be deliverable over the air without the need for the device to be brought to the IT department.

The Players

In this article I shall look at the following products:

• Microsoft Exchange
• IBM Lotus Traveler
• Google
• Microsoft System Center Mobile Device Manager
• EveryWAN Mobility Manager
• SOTI MobiControl
• Perlego
• DME by Excitor
• Fromdistance
• Sybase Afaria
• RIM BlackBerry Enterprise Server

Technologies

The Open Mobile Alliance (OMA) is a standards body responsible for developing and ratifying open standards for the mobile phone industry and currently maintains a number of protocols providing device management functionality adopted by a wide range of device manufacturers, including:

• OMA-CP: Open Mobile Alliance Client Provisioning
• OMA-DM: Open Mobile Alliance Device Management

The OMA Client Provisioning protocol enables the remote configuration of device settings by the sending of specific SMS text messages, including such elements as:

• Internet Access Points (IAPs)
• Browser Bookmarks
• Device Management (OMA-DM) Server address details
• POP / IMAP email account settings
• VoIP settings

Provided that the handset supports the standard OMA-CP protocol, it can be configured with the necessary settings to enable it to be able to connect to the Internet and connect to a OMA-DM server, with no need for any additional software or user expertise, simply by sending the device a specific SMS message. All that is required from the user is to accept the message and, if configured, enter a security PIN code.

The OMA Device Management (OMA-DM) protocol is an open standard enabling the configuration of a wide range of device parameters. XML-based configuration files are delivered to client devices from an OMA-DM server, these files containing virtually every setting you can think of that can be configured, including Exchange ActiveSync, VoIP, Certificates, VPN, Intranet and VoIP parameters.
I have written about these technologies previously in a separate article (http://blog.brightpointuk.co.uk/what-oma-dm)

Microsoft Exchange Server 2003 SP2

Although a messaging and collaboration platform primarily, Exchange 2003 is worth a mention in this article as it does possess limited device management capability and thanks to its widespread adoption, companies looking for basic remote wipe and password enforcement features may find that they have the necessary tools already.

The Server ActiveSync protocol introduced with Exchange 2003, not only provides bi-directional mailbox data synchronisation, but can also be used for the enforcement of a password policy on any device that supports Server ActiveSync, including Windows Mobile 5 or later, the Nokia E and N series, HTC Android-based devices, as well as the iPhone:

All of the devices mentioned above have the corresponding Server ActiveSync client built in. In the case of Nokia handsets updates to the Mail For Exchange application are released regularly and can be downloaded free of charge from the Nokia web site: http://europe.nokia.com/find-products/nokia-for-business/software/email-...

Dataviz RoadSync is a third party client application that enables Server ActiveSync functionality on devices with no native client, including Android, Palm and Symbian UIQ devices. This client application does not require any additional configuration on the Exchange server and can extend the device management capabilities of Exchange 2003 to a wider range of devices.

Any device, provided that it has a Server ActiveSync client installed, can also be remotely 'killed' from the Exchange server by the administrator by the installation of a free update to Exchange 2003 from Microsoft, called the Mobile Device Administration update. This tool adds a web interface to the Exchange server, accessible at https://(exchange_server)/mobileadmin:

Microsoft Exchange Server 2007 SP1

The release of Exchange 2007 added several device management features to the Server ActiveSync protocol, all of which have now been carried over to Exchange 2010. The full range of features is only available to Windows Mobile devices, running version 6.1 of the WM operating system or later, but a varying degree of functionality is also available to other devices depending on how much of the EAS protocol the device manufacturer has been able to implement on their hardware.
New features include:

• Application blacklisting
• Ability to prevent users from installation applications (this can be further divided into signed and unsigned applications)
• Ability to prevent users from synchronising locally with a desktop PC
• Ability to prevent users from using the device as a modem (tethering)
• Ability to disable:
  • Browser
  • Camera
  • Bluetooth
  • WiFi
  • SMS / MMS
  • POP / IMAP email
  • Memory card

These settings can be saved as policies and be assigned to individual users or groups, meaning that different types of users can be assigned more or less control over their devices as required.

In addition to these new features, Exchange 2007 can still enforce password usage and remotely kill all Server ActiveSync-capable devices, with the addition of the ability of users to remotely kill their own devices via Outlook Web Access (OWA).

With both Exchange 2003 and 2007 / 2010, client devices need to be able to contact the Exchange Server directly, therefore the server must be Internet-facing. A front-end, back-end deployment is supported, as is Microsoft's ISA server product.
Client-Server communications are secured via SSL. Ideally the Exchange server should have a root-trusted certificate installed on it to simplify client setup. Self-issued certificates can be used, but can require on certain devices that the corresponding client certificate be installed onto devices manually.
Device Management policies are applied to devices automatically when they authenticate against the Exchange server to synchronise mailbox data, therefore users do require Exchange mailboxes and at least one mailbox folder must be successfully synchronised (be it Mail, Contacts, Calendar or Tasks) for the device management policy to be applied to the device.
Server ActiveSync connections require that the user know and enter the following information: server address, username, password and domain.

IBM Lotus Traveler

As with Microsoft Exchange 2003, IBM Lotus Traveler is a remote email synchronisation product primarily, but version 8.5.1 of the product does provide limited device management functionality for the Windows Mobile platform as well as Symbian and the iPhone. Therefore, companies using Lotus Domino as their email platform who are looking to deploy, or already have deployed, a remote email solution and require basic device management tools to enforce password usage on client devices and the ability to remotely kill lost or stolen devices, should consider Louts Traveler.
I have posted about this product previously in the Domino section of the blog: http://blog.brightpointuk.co.uk/lotus

Google

Google has added a number of device management features to its Premier Apps service, enabling businesses that pay to have their email service hosted by Google to perform the following actions on their devices remotely via group policy, or by the administrator via a web browser:

• Encrypt data on device
• Remotely wipe all data from lost or stolen mobile devices
• Lock idle devices after a period of inactivity
• Require a device password on each phone
• Set minimum lengths for more secure passwords
• Require passwords to include letters and numbers
• Allow synchronisation while roaming
• Allow camera

Microsoft System Center Mobile Device Manager

SCMDM is part of the Microsoft System Center suite of products and is designed to enable the administrator to manage a fleet of Windows Mobile client devices using Active Directory Group Policy. Devices are 'enrolled' into the domain and any device configuration or usage policies are applied automatically, depending on the user's group membership, in exactly the same way that desktop PCs and user permissions are managed. Only Windows Mobile devices running version 6.1 of the WM operating system or later are supported.
I have posted about this solution in detail in a separate article here - http://blog.brightpointuk.co.uk/microsoft-system-center-mobile-device-ma...

As the Microsoft advertising tagline goes, System Center products are designed for "big". The solution requires a separate server running 64-bit architecture as well as a Microsoft SQL 2005 Server.
Client devices connect to the SCMDM server directly, therefore as with Exchange, there must be one Internet-facing server secured with an SSL certificate, ideally a root-trusted certificate to avoid the need to install self-issued certificates manually.
Pre-defined policies allow the administrator to automatically enable or disable:

• Bluetooth
• WiFi
• SMS / MMS
• Infrared
• Camera
• POP / IMAP email
• Memory card slot

But, unlike Exchange, users do not necessarily need to have an Exchange mailbox or synchronise mailbox data in order to have corporate device usage polices applied to their handhelds automatically.

On-device encryption can be enforced, Internet access points can be configured automatically on client devices, and devices can also be remotely wiped.
Software updates can be delivered to client devices by integrating the SCMDM server into an existing WSUS deployment.
The solution also provides extensive inventory collection and reporting capabilities, as well as a mobile-optimised VPN solution enabling access to LAN-based resources from the remote client device. Applications can be delivered to client devices and installed automatically.

Client devices can be configured for access quickly and easily using the Device Enrollment feature, pre-installed on Windows Mobile 6.1 devices. Users are assigned a password by the administrator on the SCMDM server. Users need then simply enter their email address and the password issued to them by the administrator. The device will 'know' from the domain entered in the email address, the address of the SCMDM server to look for. This does require that the administrator add an entry for the SCMDM server in external DNS along the lines of 'mobileenrol.domain.com', but does enable devices to be automatically configured without the need for the user to know complicated server and domain information as with Server ActiveSync as we saw earlier.

SOTI MobiControl

SOTI are considered by many to be the safe choice when evaluating device management solutions for the Windows Mobile platform only. MobiControl is a fully-featured solution offering real-time remote control and screen-sharing, file synchronisation, registry editing, screen capture and video recording, application installation, whitelisting and blacklisting, hardware control, you name it - if it is Windows Mobile-based, then SOTI MobiControl can achieve what you need to accomplish from a device management perspective, be it for a large corporate or a small IT helpdesk.

I have blogged about this solution in detail here - http://blog.brightpointuk.co.uk/soti-mobicontrol

Requiring Windows Server 2000 or 2003 for the server component, the solution also requires a Microsoft SQL server database to store configuration information. For smaller deployments, the free MSDE SQL Desktop Engine can be used. A client application must be installed on devices, which are 'built' on the server with the necessary connection settings and require no configuration by the user, which can be downloaded from a web site the link to which can be SMS'd to the user's device. The server itself needs to be Internet-facing for client connectivity and uses a single, administrator-defined, TCP port for client-server communication.
The solution also offers extensive inventory collection and reporting capabilities, and can also be integrated with GPS to provide real-time device tracking and location history:

EveryWAN Mobility Manager

For those companies looking to manage a fleet of devices running only the Windows Mobile platform, then alongside SOTI, EveryWAN Mobility Manager should also certainly be evaluated. Offering a similar feature set to SOTI in terms of device management, it also has the benefit of supporting Linux as the server platform and can use a wide range of database back ends including PostGRE SQL, MySQL and Oracle as well as Microsoft SQL Server.
I have blogged about this solution in detail here: http://blog.brightpointuk.co.uk/everywan-mobility-manager

As with SOTI, the EveryWAN solution offers real-time remote control and screen-sharing, file synchronisation, registry editing, screen capture and video recording, application installation, whitelisting and blacklisting and hardware control. The one element that EveryWAN does not offer currently is the GPS integration.
The server itself needs to be Internet-facing, and a client application needs to be installed on client devices, which communicates with the server using a single, administrator-defined, TCP port secured by TLS. The client installation package itself is 'built' on the server containing all the required connection information, requiring no further configuration by the user, and can be downloaded from a web server either within the device browser and or can sent via SMS as a link.

Perlego

Extending the umbrella beyond solutions that only cater for Windows Mobile, Perlego is a completely hosted, web-based device management solution requiring that no server hardware be deployed by the customer. Because the solution is hosted, there is also virtually no lead-time to get the solution up and running. I have posted about this solution in more detail here:

http://blog.brightpointuk.co.uk/perlego

Supported client platforms include:

• Symbian S60
• Symbian S80
• Windows Mobile 5 / 6 / 6.1

A client application needs to be installed onto the device, but is this downloaded simply by browsing to the Perlego web site. As the solution is hosted, there is no configuration required on the client - the user simply needs to enter a license key which they can get from the company administrator.

The administrator can then upload applications and documents to the Perlego servers and specify which clients should have access to those files.
Script-based routines can be configured on the server that can deploy a wide range of configuration settings to devices. This does require that the administrator know what format these scripts need to be in, but provided you know your way around OMA-DM XML configuration, the solution quickly becomes quite powerful.
The solution also provides a full or selective device backup and restore feature.

DME by Excitor

Excitor is a Danish software development company specialising in device management and cost control solutions for the enterprise. DME is a modular suite of applications enabling remote management of Windows Mobile and Symbian devices as well as an optional email synchronisation application for Windows Mobile, Symbian, Android and the iPhone.

The device management capabilities of the solution include the ability to deliver initial Internet connectivity, email and VoIP configuration settings via SMS, after which a full client application can be downloaded to the device to enforce password usage policies, collect inventory information, disable specific hardware and software elements on the device and deliver applications and documents.

The solution also features a number of additional tools including an on-device encryption utility and a tool for recording voicemail messages.

I have blogged about the solution in detail here - http://blog.brightpointuk.co.uk/excitor-dme-mobile-device-management

The solution uses a server-client model, requiring an Internet-facing server that can run either Microsoft Windows Server or Linux as well as a database installation (either MS SQL or MySQL).

Fromdistance

Fromdistance is a device management solution for Windows Mobile, Symbian and more recently BlackBerry devices, using the OMA-CP and OMA-DM protocols.
Again using a client-server model, the server uses the LAMP (Linux, Apache, MySQL, PHP) platform and can be deployed very quickly and cheaply. Client devices can be configured for Internet access via SMS using the OMA-CP protocol, and a link to the full DM client can also be sent via SMS. Once downloaded and installed, the DM client can then connect to the DM server and perform further device management tasks.
SMS messages can be sent from the server to client devices using Fromdistance's own SMS application, FromSMS (http://blog.brightpointuk.co.uk/fromsms).
The solution supports a wide range of hardware and software control policies, inventory collection and reporting, file and application package delivery.
The solution also provides VNC-based remote control of supported client devices.
I have blogged about this solution in detail here - http://blog.brightpointuk.co.uk/fromdistance-mobile-device-manager

The decision to support BlackBerry does not offer any features that the BES solution cannot, which I will look at in a moment, but it does mean that administrators managing a mixed environment can choose to manage BlackBerry devices from within Fromdistance alongside their Windows Mobile and Symbian devices.

BlackBerry Enterprise Server

Because the BlackBerry server solution and handset devices are all developed by RIM, the solution features extensive device management capabilities: but only on Blackberry devices.
Virtually any element of the device's hardware and software functionality can be enabled or disabled through policy settings on the BES, including:

• Camera
• Memory card slot
• Phone
• Browser
• SMS / MMS
• POP / IMAP email
• VoIP
• Bluetooth
• WiFi

Because all data requests issued from BlackBerry handhelds go via the BES, any DNS restrictions applied on the LAN are automatically applied to the handheld devices, so if Facebook or MySpace, etc have been blocked on the LAN these sites will also be unavailable on the remote devices, by virtue of the fact that they sit "behind" the BES. The same applies to firewall restrictions: any ports blocked between the BES and the Internet will be unavailable to client devices.
The installation of third party applications can be blocked, and updates to existing applications can be delivered OTA from the BES using the Mobile Data Service (MDS).

Due to the architecture of the BlackBerry solution, which involves a middleware server deployed by RIM with the mobile network operator, known as the 'RIM Relay', the BES server does not need to be available from the Internet; it simply needs outbound access on TCP port 3101.

Detailed articles on the whole BlackBerry product family can be found in the BlackBerry section of the blog: http://blog.brightpointuk.co.uk/blackberry

Sybase Afaria

Sybase Afaria can be regarded as the "Gold" device management solution. I have posted about this solution in detail in a separate article here:

http://blog.brightpointuk.co.uk/sybase-afaria

Afaria requires a separate server running WIndows 2000 or 2003 Server, and again that server needs to be Internet-facing for the client devices to be able to access it.
Afaria supports a wide range of client device platforms including:

• Windows (2000 / XP / Vista)
• Windows Mobile (2003 / 5 / 6 / 6.1)
• Symbian (S60 / S80 / UIQ)
• Palm
• Java
• BlackBerry
• iPhone

The solution requires that a client application be installed onto client devices. The client can be pre-populated with the server address details and a variety of authentication mechanisms are supported. New to version 6 of the solution is the ability to deliver the client via SMS OMA-CP configuration messages onto to supported clients (Symbian S60 currently).

All client-server communications are secured using SSL on a single TCP port (3007 by default, but this is customisable by the administrator)

Afaria is a modular product, with the solution being divided into a number of optional ‘Channels’, each Channel being independent of the others and being enabled or disabled based on the license key used to install the product:

• Software Manager – deliver and install commercial or custom-built software packages on client devices
• Inventory Manager – interrogate and report on the hardware and software resources available on client devices
• Document Manager – publish and deliver groups of documents to client devices, be they text files, images, HTML web pages, etc
• Configuration Manager – enable, disable and configure hardware and software elements on the client device, delivering connection settings, blacklisting applications, disabling camera and Bluetooth features, for example
• Backup Manager – backup and restore specified files from the client device to a specified location on the corporate network
• Session Manager – the most powerful feature of the solution, enabling automation of file distribution, directory management, registry management.
• Data Protection Manager – define and enforce security settings on the client device, including power-on passwords, encryption settings. Users can be allowed a set number of attempts to enter the password correctly, after which specific events can be triggered automatically, including removal of specific PIM data and/or files and applications, or a complete device hard reset
• Patch Manager – deliver operating system patches and security updates to clients automatically (Windows 32 only)

NOTE – not all Channels are available on all client platforms.

Multiple channels can be configured, with each channel having one or more of the supported client types associated with it, or specific users or groups subscribed.

The most powerful feature of the solution is the Session Manager. This component allows 'worklists' to be created using script-based commands and variables which effectively allow the administrator to query any element of the device's hardware or software configuration and have specific actions carried out based on the results returned. Email alerts can be generated automatically should any element of the worklist fail and extensive reporting capabilities are available.

Miscellaneous

For administrators who do not require a server-based device management solution, but who would like to make their lives easier by having access to template-driven tools enabling the bulk configuration of devices simply by connecting them to a PC and applying a pre-defined template to those devices, tools are available for both Nokia and Apple devices, read these articles for more information:

Apple - http://blog.brightpointuk.co.uk/apple-iphone-configuration-utility-30
Nokia - http://blog.brightpointuk.co.uk/nokia-enterprise-configuration-tool

Summary

It is important to bear in mind that whilst I have looked at a number of device management solutions in this article, that support a number of different platforms, this is by no means an exhaustive summary of the solutions available. In this article I have made no reference to the Palm platform. This is not to say that there are no solutions available for this platform, simply that demand has caused me to exclude it at this time. The Afaria solution supports Palm, as is reflected in the chart below.

For a summary of the current features offered by the products discussed in this article, view the chart below, and as always, if you need any further information or require anything clarified contact Brightpoint today on 0870 849 0225