Excitor (http://www.excitor.com) is a Danish software development company specialising in remote device management and cost control solutions for the enterprise.
The DME Mobile Solution Suite is Excitor's modular framework that provides a feature-rich, multi-platform device management solution combined with state of the art security tools as well as an optional mobile email and PIM manager.

Including support for both OMA-CP and OMA-DM industry-standard device provisioning and device management protocols, at its simplest level, DME can be used to remotely provision compatible devices with Internet, email, VoIP and bookmark settings using SMS configuration messages with little to no user intervention required, granting access to corporate email and telephony systems quickly and easily. For more advanced functionality, the full DME client application can then be delivered over the air. Using the DME client application, devices can be fully managed remotely enabling the administrator to enforce password usage, corporate usage policies (ie disable hardware and software elements), send files, deploy applications as well as collect inventory information on device usage, installed applications and running processes.
Devices can naturally be remotely 'killed' in the event that they are reported either lost or stolen. The extent to which devices are wiped can be defined by the administrator: specific data locations can be erased, including removable storage, or devices can be factory reset completely. Devices can also be configured to automatically wipe themselves in the event that the user password is entered incorrectly too may times in succession, or even if the SIM card in the device is changed (or substituted for one that is not specifically authorised).

When the optional SmartEncrypt module is added to the solution, on-device encryption can be enforced on client devices, down to a granular folder level specified locally by the administrator as a policy on the DME server.

The DME solution also features an optional email and PIM manager module that can interface with either Microsoft Exchange or Lotus Domino, providing push-based synchronisation, on-device PIM data encryption as well as local and server-based search. Enabling this module removes the need to expose the corporate messaging platform to the Internet, requiring only that the DME server have access over the local network. The solution can integrate with Active Directory or an existing LDAP source, meaning that users need only remember one set of login credentials.
DME user and group profiles can also be based on existing Active Directory groups.

Using the Files module, users can synchronise documents on their client device with a remote network file server, again using active directory authentication if required.
The SmartLink module allows users to embed links to documents stored on the local network in email messages. When selected on the client device, the DME client is able to retrieve the document securely from the remote file server with no need for a separate VPN infrastructure.

A further optional module in the solution suite is Voice Extender: a client-based application that can be used to replace operator voicemail services by recording messages locally before the incoming call is diverted to your voicemail box. This allows users to listen to messages 'offline' without needing to place a call to the operator (an effective cost-saving measure when abroad), keep messages for as long as desired as well as send messages via email as an audio file attachment.

The DME client application can upload to the device management server comprehensive information on device configuration, including operating system, installed applications, running processes and memory usage. Details of voice, data and SMS/MMS usage can also be recorded, enabling the administrator to generate detailed reports on mobile voice and data costs by region and by operator. Alerts can also be triggered when users approach a pre-defined usage threshold.
As a further cost-control measure, specific roaming networks can be defined by the administrator ensuring that client devices only use approved operators when abroad.

I will look at all of these features separately.

Supported client device platforms include Windows Mobile (5, 6, 6.1, 6.5), Symbian (S60, UIQ), selected Java devices as well as the Apple iPhone. Full details can be found on the Excitor web site - http://www.excitor.com/supporteddevices

Features

• Support for industry-standard OMA-CP and OMA-DM configuration protocols
• Internet connectivity, bookmark, email, VoIP setting delivery
• Remote client delivery
• OTA software, patch and file delivery
• Password enforcement
• Device encryption as well as centrally managed file encryption
• Remote device kill
• Optional device wipe upon SIM card replacement
• One-click user blocking
• Email and PIM data synchronisation
• File synchronisation between server and devices
• Choice of push, pull, scheduled and manual synchronisation
• Application blacklisting
• Lock-out of settings on client devices, preventing user tampering or modification
• Hardware activation / deactivation
• Set preferred operator in every country
• Easy to use browser-based configuration
• AD / LDAP integration
• Ability to change AD password from device
• User and Group management
• Detailed logging of user and server actions
• Detailed reporting capability
• Automatic administrator event notification

Architecture

The DME solution utilises a server-client model, requiring that an Internet-facing server be deployed and a client application be installed on devices. Client-server communication is performed over 2 TCP ports that can be defined by the administrator. All client-server communications are encrypted using 128-bit AES encryption and can be further secured via TLS/SSL certificates. The solution is agnostic of the means of connecting to the Internet, or the mobile operator used.

The DME "Gateway" Server is typically deployed in a DMZ environment. If the optional Messaging & Collaboration features are used, then an additional DME "Connector" Server is required. This would typically be installed on the LAN with access to the messaging environment, with ports opened between the Gateway and the Connector. For small-scale deployments including the messaging functionality, both Gateway and Connector roles can be installed on the same host on the LAN.
Multiple Connectors can be installed to service different messaging servers and platforms.

Both Gateway and Connector servers can be installed on Microsoft Windows Server or Linux-based hosts.

A back-end database is also required to store configuration parameters. This can be Microsoft SQL Server 2005 (for Windows-based deployments) or MySQL 5 (for Linux-based deployments) on separate servers from the DME Gateway. For small-scale deployments, the database can be homed on the same host, using SQL Server 2005 Express Edition on a Windows-based deployment.

The solution is administered via an HTTPS web application, providing an intuitive and logical interface with all features readily accessible without confusing nested menus.

In order for DME to use existing enterprise authentication mechanisms, meaning that users can use their network login and password without the need to remember any additional credentials, the DME server needs to have access to the LDAP or AD directory.

In order to be able to send configuration messages via SMS, the DME server will need either access to an SMSC account, or a locally connected GSM modem and active SIM.

Hardware Requirements

Gateway Server hardware requirements (for up to 1000 users)

A 32- or 64-bit Intel or AMD based server equipped with at least:

• 3.0 GHz processor
• 4GB RAM
• 75GB hard drive
• 100/1000 Mbit network interface card
• 1 available USB or RS232 communication port (USB only supported on Windows)
• Siemens MC35i modem or SMS Centre account
• CD / DVD drive

For larger systems, add more memory and hard drive space.

For small to medium installations, the the DME Connector can be installed on the DME Server machine. In this case, add 2GB RAM to the server.

Furthermore, a fast Internet connection is required, where the capacity is based on how many clients need to be concurrently connected. You can calculate this according to the following formula:

Internet bandwidth (in Kbit) divided by a typical GPRS speed of 42 Kbit = maximum number of concurrent users.
For example, a 2Mbit connection will support (2000/42) = 47 concurrent client connections).

To access the DME Web Administration Interface, at least Firefox 2.0 or Microsoft Internet Explorer 7 is required. IE 6 and 8 also work, but do not show all design elements correctly.

Connector Server hardware requirements

A 32- or 64-bit Intel or AMD based server equipped with at least:

• 3.0 GHz processor
• 4GB RAM
• 40GB hard drive
• 100/1000 Mbit network interface card

Software Requirements

32 or 64-bit operating systems supported, including:

• Red Hat Enterprise Linux 4,5 and 5.1 (5.1 without virtualisation support installed)
• SuSE Linux 10
• Fedora Core 8,9 and 10
• Microsoft Windows Server 2003 with all patches

Collaboration System Requirements

• 32-bit Lotus Domino 6.5 or later
• 32/64-bit Lotus Domino 8.5 or later
• Microsoft Exchange 2003
• Microsoft Exchange 2007

Database System Requirements

• Microsoft SQL Server 2005 on a separate server
• MySQL 5.0 on a separate server
• SQL Server 2005 Express on the DME Server
• MySQL 5.0 on the DME Server

Firewall Settings

The DME Gateway Server requires a public, Internet-facing IP address and access to the server needs to be allowed on any firewalls between the Internet and the server on ports TCP 5011 (SSL Sync) and TCP 5021 (SSL IP Push).

The DME Gateway Server management web interface is accessed from the LAN via port TCP 8080 by default, this can be adjusted by the administrator as required.

If an optional Connector Server is deployed on the LAN, the following TCP ports need to be opened between it and the Gateway:

• 1098
• 1099
• 3873
• 4444
• 4445
• 4446
• 4457
• 4458

The below diagram summarises the access required between the client, gateway and connector elements, as well as access to the database. In this example a Microsoft Exchange deployment has been assumed and the access required to Exchange, AD and DNS is also displayed:

I will look at the integration with Microsoft Exchange in more detail later.

Client Installation

Should the client device feature native support for the OMA-DM protocol (in this article I used the Nokia E71) the built-in OMA-DM client can be configured with the address and port of the DME server via SMS message:

Which will deliver the necessary initial connection settings to the device. The user will need to open the message and select the option to save the delivered settings. If desired, the SMS message can be protected by a PIN code to prevent unauthorised access.

The OMA-DM client on the handset can then establish an IP-based 'pull' connection to the DME server over the Internet and download the full DME client, which will be added to the Installations folder on the device:

This procedure is known as "bootstrapping" and can be initiated in one action from within the admin interface. The administrator can optionally define which Internet access point on the device the DME client should use (which could also be configured on the device via SMS configuration message):

The installation will again need to be accepted by the user. At this stage the client is a 'vanilla' build pre-configured with the address of the server. No policies will be applied to the device until the user logs into the client using their credentials - these could be the user's Active Directory credentials if integration with AD has been configured. I will look at how this is configured later.

Once logged in, the user will see those elements that have been enabled for that user by the administrator:

Any packages and device management policies defined by the administrator on the DME server and assigned to the user (or the group the user is a member of) will now be downloaded and applied automatically.
The user can now access the Email, PIM, SmartEncrypt and Voice Extender applications. I will look at each of these in turn later.

Should the DME server be using a self-signed SSL certificate rather than a root-trusted one, the root certificate of the authority that assigned the cert to the DME server can be pushed to the client before the DME client:

Device Management Administration

The DME solution provides a single point of administration for all functionality via an optionally SSL-secured web interface, by default running on port 8080:

The web interface is accessible from Internet Explorer, Firefox, Safari and Google Chrome.

A list of connected clients (together with device images) will be displayed together with their associated user. Selecting a device entry will display detailed information on the status of that device, including hardware specs, memory usage, installed applications and running processes. This means helpdesk support staff can retrieve the existing configuration of a device while the user is on the phone, invaluable for remote fault diagnosis and troubleshooting:

Applications can be blocked with a single click by selecting the "Block" action next to the program's entry in the inventory. Once blocked, users will receive notification on the device the next time they try to use the application:

Comprehensive log files can also be accessed detailing all client server operations and any errors encountered.

When setting up a new device, or should a device have been hard reset, or the settings have become corrupt, SMS messages can be sent directly to devices, as well as the OMA-DM and SSL certificate settings:

Applications and file packages can be "packaged" on the server and push deployed to clients:

Groups can also be configured meaning that a single change made by the administrator on the DME server can be deployed automatically to any number of remote clients.

Security

DME's security measures allow your users to carry and instantly access sensitive corporate data without the risk of exposure of that data.
Password usage and encryption policies can be automatically applied to client devices. Devices that are suspected of being lost or stolen can be remotely wiped at the click of a button directly from the web interface:

The memory card can also be wiped during a device wipe if desired.

Devices can be configured to wipe themselves automatically in the event that the SIM card is replaced. Details of authorised SIMs can be defined:

The hardware and software elements that users are allowed to access on their devices can be defined automatically - preventing users from accessing Bluetooth, for example, or installing unauthorised applications. Should you suspect that users will attempt to edit the settings that have been applied by the DME solution, access to configuration areas can be locked down altogether, meaning that users are not able to circumvent the intended usage profile.

In addition to on-device PIN protection, access to email and PIM data can be secured by LDAP authentication. The data areas on the client device that require LDAP authentication can be defined flexibly.

SmartEncrypt

SmartEncrypt is an optional on-device encryption application. The folders and memory areas on the device that should be automatically encrypted can be defined and managed centrally on the DME server:

Encrypted files and folders can only be accessed when the user is successfully logged into the DME client. When logged out, these locations are not accessible:

Email and PIM Management

The device management capabilities of the DME solution can be used to push configuration details to client devices for Exchange ActiveSync, Mail for Exchange and Lotus Traveler automatically, setting up devices for access to existing email systems.

The DME Suite also includes its own push email and PIM manager client application that can be used to automatically encrypt all email messages as well as require LDAP authentication before access to the client will be granted (in addition to the standard on-device PIN).
This feature of the solution can be used in conjunction with Microsoft Exchange 2003 / 2007 and also with Lotus Domino 6.5 or later.

The email and PIM module is built into the DME client application - if this module is not enabled on the server, it is simply not visible on the client. This does mean that the native email, contacts and calendar applications on the client are not used, but the interface is easy to use and offers superior functionality over the native client such as on-the-fly data decryption when data is accessed as well as local and server search capability:

All mailbox folders can be synchronised (contacts, calendar, to dos and email), including subfolders. Messages can be sorted, moved between folders and attachments can be downloaded and viewed. File synchronisation can also be initiated from here, should this module also be enabled:

Synchronisation schedules can be defined, so that mails are automatically pushed to the client during core business hours, synchronisation is performed automatically every 30 minutes, say, in the evening, and then manually by the user outside of those hours and at the weekend.
All settings can be defined by the administrator and access to all client settings can be locked down if desired:

Mobile Cost Control

The DME Mobile Solution Suite can also provide the enterprise with a transparent view of how mobile devices are being used and the costs that that usage incurs, as well as a number of tools to help minimise those costs.

Reports can be generated detailing voice and data traffic statistics, by user, by group, by device platform, by country, by application, etc, putting you in a strong position when negotiating favourable rates from operators.

Roaming partners can be specified and prioritised, ensuring that users attach to the cheapest operators when abroad:

Asset Management

The DME solution also offers simple asset management tracking:

Voice Extender

This modular feature of the DME solution bypasses operator voicemail services. Essentially, rather than letting calls go to the operator's voicemail service after x number of unanswered rings, calls are recorded on the device itself using the device's built-in software capabilities and are stored locally as sound files.
This means that users can playback recordings locally without the need to dial into the operator's voicemail service - potentially representing a large cost saving when abroad. Messages can be listened to regardless of the order in which they were received.

Sound files can also be forwarded as attachments to other parties via email or uploaded to file servers.

Should the device be lost or stolen and a remote device wipe initiated from the DME server, all messages will be erased.

Integration with Microsoft Exchange

In terms of Microsoft Exchange, the DME solution accesses mailboxes using the Exchange WebDAV (Outlook Web Access) protocol, so this feature needs to be enabled on the Exchange Server and on user mailboxes:

There is no need for the OWA web site to be Internet-facing if not desired: it only needs to be accessible to the DME Connector Server over the LAN.
User mailboxes can be accessed by the Connector in two manners:

• Users authenticate against Exchange "as themselves", using their own Active Directory login credentials. User credentials can optionally be stored on the DME server to reduce the amount of request traffic generated from the DME client. If this feature is enabled, credentials are encrypted on the DME server.
• Using a Service, or "courier", account. In this approach a specific user account needs to be created within Active Directory. This user account can be assigned Full Mailbox Access Rights to all users of the DME solution who are using the Messaging component:

  (Exchange 2003)
  

  (Exchange 2007)
  
  

  or for large deployments the service account can simply be assigned Full Access Rights to the Exchange Information Store:

  (Exchange 2003)
  

  (Exchange 2007)
  

Summary

DME Mobile Device Management by Excitor should be included in the list of products to evaluate by any company looking to trial and deploy a device management solution that offers a wide range of supported clients, industry-standard provisioning mechanisms, integration with existing messaging systems as well as scalability and ease of use.

The below diagram details the whole capabilities of the full modular suite:

You can find a collection of datasheets and other material in the File Library.

For more information visit the Excitor web site - http://www.excitor.com

Addendum

Version 3.5 of the DME Solution promises to add a raft of new features to the solution, including:

• Custom device configuration – new device configuration capabilities makes it possible to silently configure smartphones with any setting including VoIP, bookmarks and access points.
  
• Configuration of 3rd party mobile e-mail – configuration settings for Mail for Exchange, native PIN code and native encryption can be pushed from DME, making these 3rd party e-mail applications easily accessible and more secure.
• iPhone configuration and new push mechanism – iPhone profiles including for example VPN, private certificates and native PIN code activation can be pushed to iPhone users. New email alerts are also possible.
• iPhone swipe authentication – a new authentication option that makes it much faster/easier to log into DME.
• Android device management and traffic logging – DME now offers device configuration, software deployment and file back-up for this new and upcoming platform as well as data/voice traffic logging
• BlackBerry traffic logging – with the DME client installed on BlackBerry devices, all traffic can be monitored - enabling organizations to optimize their voice/data plans and reduce mobile costs