Since the release of SCMDM SP1 back in December 2008 there has been very little information on the roadmap. One of my colleagues let me know that updated information on this topic was recently posted to the System Center Mobile Device Manager blog: http://blogs.technet.com/mdm/archive/2009/06/25/scmdm-roadmap.aspx
This confirms what was told to the audience at the recent MMS 2009 and Tech Ed North America 2009 conferences over the last few months. It was similarly posted to the SCMDM Forum as an answer to a question about the future of the product.
I don’t think it will come as a big surprise and having a strong combined System Center Configuration Manager (SCCM) product should only be a good thing. Especially if you are a Microsoft shop that already is using SCCM.
It will be very interesting to see what features the SCCM team will unveil at the upcoming Tech Ed Europe 2009 in November 2009 on their vNext product that will be released in CY2010.
Some good links to get your feet wet with SCCM:
http://www.microsoft.com/systemcenter/configurationmanager
http://technet.microsoft.com/configmgr
http://blogs.technet.com/configmgrteam
http://myitforum.com/articles/42/section.asp
|\\arco..
For those local in the Chicago area I will be at the next Mobile Monday Chicago chapter meeting on Monday June 29th. I will give a brief overview of Enterprise Mobile and what we do in the mobile supply chain. Please see the details below.
Date: Monday, June 29, 2009
Time: 6:00 pm – 8:00 pm
Topic: Start-Up Showcase
Location: Acquity Group, 500 W Madison St, Suite 2200, Chicago, IL 60661
Location Notes: Participants can sign-in at the reception desk on the 3rd floor (picture ID required)
Please see the press-release here:
http://www.pr.com/press-release/160634
Sign-up to attend here:
http://www.eventbrite.com/event/345245639
Look forward to meeting folks there!
|\\arco..
Due to the recent announcement of the new iPhone 3G S model and the 3.0 OS upgrade there has been a lot of buzz about the software and new hardware features. Some say that the iPhone with these upgrades is now ready for the corporate enterprise. That may be true, but I was still concerned about the lack of security features I knew from the previous release, so I had to dig a little deeper into this now that the release material is available.
Hardware Encryption
One of the few new security features mentioned is the hardware encryption and instant wipe feature that appears to be included on the iPhone 3G S model and not the older models. This is highlighted on the more features page and also in the iPhone Security Overview on the Enterprise page:
“iPhone 3G S hardware encryption uses AES 256 bit encoding to protect all data on the device. Encryption is always enabled, and cannot be disabled by users.” The key phrase is: always enabled. So it is active out of the box!
I think this is probably the single most interesting new feature for iPhone in the Enterprise by a long shot, mostly due to the security risks that I have mentioned previously.
Anthony Vance has an excellent recap on current thoughts around this new feature and the previous gaps here. Also some interesting comments from the author of the iPhone Forensics book, Jonathan Zdziarski, at the bottom of the entry!
Security Updates
Any large enterprise customer will also want to know what specific security fixes are included in a major OS upgrade. Apple comes through at this point, and has posted a support article with the known CVE security issues patched in the iPhone OS 3.0 software update here.
Enterprise Support on iPhone 3G
Apple has a new Enterprise Deployment Guide updated for the OS 3.0 upgrade. But I was unable to find any mention of the new hardware encryption feature in it.
But if the hardware encryption is enabled out of the box on all the 3G S devices, what can be done for the older 3G devices? There is no mention of software based encryption in the OS 3.0 upgrade. So it could be tricky to authorize and permit e-mail/VPN access towards the users of the newer 3G S devices, and not the older 3G devices.
There are some 3rd party solutions that may fill this security void and also provide some device management features. I think this area will only grow but today I believe there are still some gaps that need to be weighed against your corporate requirements, security risks and TCO.
|\\arco..
Just noticed that Michael Jimenez recently blogged and announced official Microsoft support for Windows 2008 Enterprise Edition Certificate Authority with SCMDM 2008 SP1.
I have successfully used the KB951840 patch on down-level devices to remove the error message that otherwise will appear. On the device it will complain that the Root certificate is not installed, even though the certificate chain locally shows it is there. :-) This will also prohibit the IPSec VPN from coming up.
Also, as a recap of the different Windows Mobile build numbers and AKUs that I posted previously, you should also be aware of the Password Reset Client on the down-level devices. The important difference is that you can deploy the Password Reset .CAB file out to the devices once they are enrolled in SCMDM, but you are unable to do so with the Windows 2008 CA patch since the VPN won’t come up without it.
Windows 2008 CA Patch (KB951840) installable on:
Windows Mobile 6.1 devices, Build 19202.1.0.0 and higher. Unnecessary to install on Windows Mobile 6.1.4 devices (Build 20757.1.4.0) or higher.
Password Reset Client installable on:
Windows Mobile 6.1.1 devices, Build 19559.1.1.0 and higher. But stated as supported only for Windows Mobile 6.1.4 devices and higher. So I assume it is unnecessary to install on Windows Mobile 6.5 devices but I shall test on the newly released emulator. :-)
|\\arco..
With the Windows Mobile 6.5 device emulator images now finally released we can probably start to see much more information about Windows Mobile 6.5 being made available to the public.
Grab the 6.5 Professional or Standard emulators here:
http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=20686a1d-97a8-4f80-bc6a-ae010e085a6e
I already had the Windows Mobile 6.1.4 Professional images and Device Emulator 3.0 installed and the 6.5 images appeared to work straight away:
Please click on any of the pictures below to enlarge them for better viewing. My main purpose for using the emulator is for additional device testing, and not so much on the development side.
Connectivity on Windows Mobile 6.5
To get network connectivity you can follow the same steps as with previous emulators. Please see this blog posting for additional information.
The emulator network properties:

Walkthrough in a WM 6.5 emulator image:
MyPhone on Windows Mobile 6.5
Another tip in using the emulator is using the built-in MyPhone client to get more “live” data easily into the emulator for testing and usage. I did get an upgrade prompt to install the latest and greatest MyPhone client in my emulator. You can now install the open beta MyPhone client on any of your existing Windows Mobile 6.0 or 6.1 devices, back up the data and then restore it within the emulator.
MyPhone walk-through on the WM 6.5 emulator:
Windows Mobile 6.5 Widgets
Jorge Peraza has posted some quick information on how to get your feet wet with widgets on Windows Mobile 6.5: http://blogs.msdn.com/windowsmobile/archive/2009/06/04/getting-started-with-widgets-on-windows-mobile-6-5.aspx.
What’s Hot about Windows Mobile 6.5
At the recent TechEd this TechTalk was recorded with Dale Coffing and Chris De Herrera to discuss the new user interface, MyPhone and Windows Marketplace for Mobile services:
http://www.msteched.com/online/view.aspx?tid=5471dd4c-9d1f-47c8-85df-c3bf5bfe678c
Network Utility on Windows Mobile 6.5
I did a quick test of the Enterprise Mobile IP Utility and it works under the Windows Mobile 6.5 emulator just fine and could be a very useful tool for troubleshooting:
System Center Mobile Device Manager (SCMDM) 2008 Support in WM 6.5
Of course testing out the SCMDM client embedded in Windows Mobile 6.5 is something I had to test out as well. :-) It didn’t disappoint and the VPN came up fine against a SCMDM 2008 SP1 instance over the Internet. I did notice a new option and error messages provided in the client:

|\\arco..
I’ve been an Exchange administrator since the 5.0 days, and a new version of Microsoft Exchange server is coming near you very soon. It brings a long list of new and enhanced features. This also carries over to mobility and is important for any enterprise Exchange administrator to understand in today’s very mobile world.
I will attempt to highlight some of the important mobile features I feel it brings to the enterprise table and reference places to find additional details and information. Please comment if you may have updated or additional interesting information!
Windows Mobile client Enhancements
Adam Glick has a great recap here:
http://edge.technet.com/Media/Exchange-2010-updates-for-Windows-Mobile/
- Conversation View: If you use this feature in Outlook and OWA (Outlook Web Access), you already know that this is an easy way to track a conversation. Conversation treats multiple messages like a single conversation, allowing users to manage, move or delete multiple messages as a whole vs. going through the string one-by-one.
- Free/Busy Look-up: Now you instantly know if your contacts are available for a last minute meeting or if they are on a call.
- Nickname Cache: This automatically populates a list of suggested emails based on recent messages, allowing users to email more quickly.
- SMS Sync: Send and receive SMS text messages from Outlook and OWA.
- Reply State: Icon indicates if you have already replied or forwarded an email.
- Installable Client: Upgrading to Exchange 2010 doesn't mean you have to update your phone. All of the latest features are available to users with a mobile device that has 6.1 or later. The updated Mobile Outlook software can be downloaded Over-The-Air (OTA).
(BTW, the interesting article that Adam refers to in the video interview on how to block unapproved mobile devices at the firewall with known user-agent strings is here: http://msexchangeteam.com/archive/2008/09/05/449757.aspx)
There is also the new feature where the nickname cache is shared with OWA, so you can quickly choose known recipients on your Windows Mobile device.
Windows Mobile Outlook Client
Mark Garcia has posted some great in-depth Windows Mobile screen comparisons where you can really see the enhancements described above: http://blogs.technet.com/ucedsg/archive/2009/05/31/what-is-new-with-exchange-server-2010-activesync-and-outlook-mobile.aspx
Another one that Mark highlighted, but which is not in Adam’s list, is the voice mail transcription feature. The transcription is added automatically in the body of the message, so you can read your voicemails instead of listening to them.
Exchange ActiveSync (EAS) Changes
Andreas Helland posted some server screenshots from the Exchange 2010 beta where you can verify that the ActiveSync policy settings haven’t changed much since Exchange 2007 SP1:
http://mobilitydojo.net/2009/04/23/exchange-2010-beta-and-mobility/
Under the hood these are the new Exchange ActiveSync (EAS) features in Exchange 2010:
Block/Allow/Quarantine list:
You can set up a single list to block/allow mobile devices as needed. You can also quarantine devices such as new untested devices, etc.
Block/Allow via approved device list:
- Approved by device type or by user
- Device type reported by the device
- Block an unsupported device
Quarantine:
- E-mail sent
- Administrator approved
This will be a very interesting feature that I hope to dive deeper into later.
Over the Air (OTA) Update Mode:
You can now push new Outlook Mobile updates/new versions to Windows Mobile 6.1 and above. This is really nice since you no longer have to wait for a new Windows Mobile OS version to obtain a new version of Outlook Mobile.
SMS Sync:
The ability to send SMS text messages through Exchange; EAS is used to sync SMS messages with the user’s mobile device.
Benefits of SMS sync:
- User can use OWA, Outlook, and Outlook Mobile to respond
- SMS messages are backed up on the server
- Recipients can respond to messages
- User can switch “screens” while still seeing all their messages
IMAP/POP3 service discovery:
You can now autodiscover/autoconfigure the IMAP/POP3 settings from your mobile device by just specifying your email address.
Outlook Web Access (OWA)
Oliver Moazzezi describes some of the new OWA features:
http://www.exchange2007.com/2009/04/exchange-2010-outlook-web-access-and.html
Here I think it is important to note that OWA now offers full (so called Premium) support to Firefox 3.0 and Safari 3.0 browsers. So they have the same experience as users running Internet Explorer 7 or 8.
ActiveSync - Multi Platform Support
A powerful feature is that ActiveSync is being licensed and supported by more and more vendors. Some clients are provided free with the devices, others require an additional license and software client. Most have not yet announced any support for Exchange 2010 and details are skimpy on the specific support for certain ActiveSync features.
Apple iPhone
It appears so far that Exchange 2010 Beta 1 is compatible with iPhone 2.0 devices. See thread here.
Google Android
I saw that DataVis is also selling an ActiveSync client for Android devices called RoadSync, but not sure to what extent it supports the ActiveSync features. It appears to be fairly basic and listed support for Exchange 2003 and Exchange 2007 at this time.
RIM BlackBerry
Found this interesting company who has created a software client called AstraSync: “AstraSync™ is a new software application for BlackBerry® Smartphones that performs two-way over-the-air synchronization of email, calendar and contact data with a Microsoft Exchange”. There are potential cost savings with this solution if you can forego the BES licenses!
Palm WebOS
It appears that the new Palm Pre device will support not just one ActiveSync profile but multiple. But little official documentation has been posted so far.
Microsoft has also opened up their Exchange Server protocol documentation and posted some of the ActiveSync and WebDAV under the Open Protocol Specifications as it relates to Exchange Server 2007 SP1: http://msdn.microsoft.com/en-us/library/cc425499.aspx. Also see the PressPass announcement here.
MailTips for Office Outlook 2010
On a side note, another awesome client feature I think will be very useful for many organizations, however not available on the mobile devices, is this thing the product team has called “MailTips”. Basically it gives you information on the message you are sending while you are writing the e-mail, before you click send and do something you might not have wanted to. Out Of Office, DL sizes, BCC warnings, over size limit, external recipients and more! Simply brilliant I think! Read some of the details here: http://msexchangeteam.com/archive/2009/04/28/451193.aspx
References:
Exchange 2010 Beta Evaluation:
http://technet.microsoft.com/en-us/evalcenter/dd185495.aspx
Exchange 2010 Tech Center:
http://technet.microsoft.com/exchange/2010
What’s new in Exchange Server 2010:
http://technet.microsoft.com/en-us/library/dd298136(EXCHG.140).aspx
Exchange Server Remote Connectivity Analyzer (ExRCA):
http://myitforum.com/cs2/blogs/mnielsen/archive/2009/05/07/using-exchange-server-remote-connectivity-analyzer-exrca-for-windows-mobile-activesync-testing.aspx
Exchange Product Team Blog:
http://msexchangeteam.com/
Exchange 2010 Webcast series:
http://msexchangeteam.com/archive/2009/05/26/451465.aspx
|\\arco..
As I have blogged about previously, there were some interesting webcast sessions on Windows Mobile, Security and Device Management on TechNet recently.
If you were unable to attend you can also catch a glimpse of one of the speakers I know, David Field here on TechNet Edge:
http://edge.technet.com/Media/Enterprise-Mobile-Security-Interview/
Dave Field spoke at TechEd on mobile security and gives us some insight into mobile phone security on topics such as:
- Areas where Windows Mobile security is strong against the competition
- Scenarios where companies will want to look to 3rd party solutions for mobile security
- Recommended ways to implement 2 factor authentication for phones
The Windows Mobile security whitepaper Dave mentions is something I also blogged about back in February, and available here: http://www.enterprisemobile.com/resources/white-papers.htm
|\\arco..
For those of you who might have an AT&T branded Epix which is the Samsung SGH-i907 you probably will want to install this patch as soon as possible. It is now available from Samsung. It includes several patches, including a fix for the critical “Slog Dump” that has been dreaded by many users:
- “Slog Dump” Fix: On certain circumstances, the handset may report a “Slog Dump” error message. This software provides an update to the network layer which prevents the problem from occurring.
- Missed Email Audio Notifications: A previously released cab file for notifications is included in ID1. This enables the EPIX to provide audible notifications alerts for your emails when the device enters an unattended power saving mode.
- Outlook Notes SSP Support: The update contains the ability to synchronize the popular Notes feature available within Microsoft Outlook.
- Ascending Ringtone: Ringtone behavior design was set to ascending/escalating volume during inbound call regardless of setting specified. With this update, the handset will act in accordance to the volume settings selected.
You can obtain it from here:
http://www.samsung.com/us/i907/multipatch
I think with the “Slog Dump” problem now fixed this will continue to be a great Windows Mobile 6.1 device for everyone!
|\\arco..
There appears to be a lack of public information regarding the inner secrets of successfully navigating and configuring the proxy and work exceptions on the Windows Mobile platform. My fellow Enterprise Mobile colleague, Patrick Salmon, has broken through and made some very interesting observations and facts about how to get it all configured correctly. This article contains all of the material and information Patrick has researched.
Most of this boils down to how the Windows Mobile Connection Manager is handling the connections and the decisions it makes to route the traffic. The Connection Manager is well aware of the native L2TP and PPTP connection methods in Windows Mobile, but appears to lack direct support for the Windows Mobile 6.1 Mobile VPN that is used by SCMDM 2008. See more information here: http://msdn.microsoft.com/en-us/library/ms879581.aspx.
This article assumes you are already well familiar with the SCMDM network routing requirements and how to configure Group Policies.
Proxy Issues Today
1. If you set the proxy via the SCMDM 2008 Group Policy you may observe that the necessary connectivity to the SCMDM Device Management server and WSUS services breaks.
2. Trying to use the Work/Internet capabilities as currently documented breaks the SCMDM VPN.
http://technet.microsoft.com/en-us/library/dd261930.aspx does explain some of the necessary steps, and http://technet.microsoft.com/en-us/library/dd261921.aspx also states to make sure that the SCMDM Gateway server is listed.
3. No visibility on the client of what is configured.
The Windows Mobile Connection Manager internally uses something called a URL Mapping Table to decide if a specific URL is destined for the Internet or the corporate network connection. It can use a URL pattern which we will go into in more detail below. Please see http://msdn.microsoft.com/en-us/library/aa455992.aspx.
Where to set the Proxy server setting in the SCMDM 2008 Group Policies:
The solution is to correctly configure the Internet proxy setting and also specify the routing of which URLs go to the “Internet” and through the configured proxy, and which are internal or go through “Work” back through the VPN connection.
Overall best practices
Keeping things as simple as possible will go a long way. The basics are:
1. “Internet” bound traffic = Route via proxy if defined, otherwise use Default Gateway on SCMDM Gateway Server.
2. “Work” bound traffic = Route traffic directly to internal network using local routing tables on SCMDM Gateway Server.
3. If the FQDN of the Proxy is part of an internal domain do not put the FQDN in the Proxy configuration!
This will not work, as it will be detected as an Internet domain, due to the dotted name and you won’t see it working as you think. The solution is to use the direct IP address. Example: instead of “proxy_host.company.com:8080” use “172.16.1.1:8080”.
The specific Internet/Work routing is configured through an existing “hidden” Group Policy setting:

The dialog window has two areas. One for the Internet domains (which will be routed to a proxy if configured so) and at the bottom for Work domains (not routed to the proxy if configured). This is what the default values are:

Next we will go into how to configure these entries in more detail.
Connection Manager URL Mapping Pattern
The Windows Mobile Connection Manager uses a general *://*.*/* URL type format. This can be further broken down into these examples:
- “*” and “?” can be used anywhere:
- “*” = Zero or more characters of any type.
- “?” = Takes the place of any single character.
- *:// = Any protocol (usually http or https).
- /*.*/ = Any FQDN namespace.
- /*/ = Any NetBIOS/WINS name.
- *://servername/* = Specific NetBIOS server name.
- *://*.company.com/* = Any host in a FQDN domain called company.com.
- *://host1.company.com/* = Only host1, any protocol, any website on target.
- *://host?.company.com/* = All traffic to host[a-z, 0-9], any website.
- https://host1.company.com/home = Only https requests to host1's “home” directory.
Some things to think about when defining your own URL Mapping table:
- Obey classic firewall rules – most granular is processed first
- Define your targets and know your internal name space
- Put in sequence (most specific first, least specific last)
- Decide whether traffic goes via the “internet” or “work” network routing from your SCMDM Gateway Server
Example and Outcome
Here is what a working example of URL Mapping Filter entries could look like:
Please note the above setting details:
- *://www.company.com/* - Externally hosted Internet site
- *://mdmvpn.company.com/* - Route SCMDM Gateway Server access through Internet
- *://*.company.com/* - Internal work namespace
- *://*.*/* - Catch all for all other Internet requests
- *://*/* - Catch all for all other internal NetBIOS/WINS requests – However, not found to work in testing, and removed so Internet requests are not caught by it!
Outcome with the above setting details:
- SCMDM VPN will connect correctly through the Carrier/MO/ISP on the device
- SCMDM Device Management and WSUS traffic will require no further intervention.
- Internal Line-Of-Business application traffic will go direct.
- Internet bound traffic will go to the corporate proxy (if defined in separate Group Policy).
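The ordering rules and the example table above can be checked before the policy is pushed to devices. The following Python sketch is an added example, not part of the original article or of SCMDM: it assumes the table is evaluated first-match-wins against the whole URL, case-insensitively, with the “*” and “?” meanings listed above. The function names and the probe URLs are made up for illustration.

```python
"""Simplified model of a Connection Manager URL mapping table (added example)."""
import re

INTERNET, WORK = "Internet", "Work"

# Table from the "Example and Outcome" section, most specific entry first.
EXAMPLE_TABLE = [
    ("*://www.company.com/*", INTERNET),     # externally hosted Internet site
    ("*://mdmvpn.company.com/*", INTERNET),  # SCMDM Gateway Server
    ("*://*.company.com/*", WORK),           # internal work namespace
    ("*://*.*/*", INTERNET),                 # catch-all for dotted names
]


def compile_pattern(pattern):
    """Translate a mapping pattern: '*' = zero or more chars, '?' = one char."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def route(url, table):
    """Return (network, pattern) for the first matching entry, or None."""
    for pattern, network in table:
        if compile_pattern(pattern).fullmatch(url):
            return network, pattern
    return None


def shadowed_entries(table):
    """List entries that an earlier, broader entry already catches.

    Heuristic: replace each wildcard in the later pattern with a literal 'x'
    and test that sample URL against every earlier pattern.
    """
    findings = []
    for i, (pattern, network) in enumerate(table):
        sample = pattern.replace("*", "x").replace("?", "x")
        for earlier, earlier_network in table[:i]:
            if compile_pattern(earlier).fullmatch(sample):
                findings.append((pattern, network, earlier, earlier_network))
                break
    return findings


def check_table(table, expectations):
    """Compare routing decisions with expected networks; return mismatches."""
    mismatches = []
    for url, expected in expectations:
        hit = route(url, table)
        actual = hit[0] if hit else None
        if actual != expected:
            mismatches.append((url, expected, actual))
    return mismatches


# Constructed probe URLs; hosts not named in the article are made up.
EXPECTATIONS = [
    ("https://mdmvpn.company.com/", INTERNET),
    ("http://www.company.com/index.html", INTERNET),
    ("http://sharepoint.company.com/sites/hr", WORK),
    ("http://www.example.org/", INTERNET),
]

# Same entries, but the broad Work entry has been moved to the top.
MISORDERED_TABLE = [EXAMPLE_TABLE[2], EXAMPLE_TABLE[0],
                    EXAMPLE_TABLE[1], EXAMPLE_TABLE[3]]

# The example table plus the Work catch-all that the article removed.
WITH_NETBIOS_CATCH_ALL = EXAMPLE_TABLE + [("*://*/*", WORK)]

if __name__ == "__main__":
    for url, _ in EXPECTATIONS:
        print(url, "->", route(url, EXAMPLE_TABLE))
    print("mismatches:", check_table(MISORDERED_TABLE, EXPECTATIONS))
    print("shadowed:", shadowed_entries(MISORDERED_TABLE))
```

With the Work entry moved to the top, the gateway name mdmvpn.company.com is routed to “Work”, which is the ordering mistake the sequencing rules above are meant to prevent. Under the stated wildcard meanings, “*://*/*” also matches dotted host names, so its position in the table matters.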
Internal namespace sans WINS
Since most companies are well on their way to getting rid of WINS entirely and have put in place DNS suffix search order standards, another solution is to push a default DNS suffix to your Windows Mobile devices. Brian Puhl from Microsoft IT blogged about this last year here:
http://imav8n.wordpress.com/2008/08/21/getting-single-label-name-resolution-on-mdm-enrolled-phones/.
So this could ensure proper name resolution to a FQDN for internal names used on the Windows Mobile device. In the example above this could be routed to the “work” side of things by the *://*.company.com/* URL Mapping.
For more information on creating custom ADM templates for use in SCMDM 2008 please see: http://blog.enterprisemobile.com/2008/10/writing-custom-gpos-for-scmdm-2008/.
SCMDM 2008 SP1 Source-based Routing
Another feature that can be used to better assist with the complex nature of network routing, proxies and Internet access is the source-based routing feature present in SCMDM 2008 SP1. Some details can be found here: http://technet.microsoft.com/en-us/library/dd252779.aspx
The source-based routing option on the Gateway Wizard:
One example of how this could work is instead of having the default gateway on the External NIC of the Gateway Server, you place one on the Internal NIC. You can then configure the source-based routing option to an IP address of an external firewall that is accessible from the Internal NIC. Now Internet IPSec traffic will come in and terminate on the external NIC, but return back to the device through the Internal NIC and the IP address of the source-based routing, back to the Internet. Now any traffic from the Windows Mobile devices not configured to the proxy will default out to the Internal NIC gateway. This could be useful for applications that are not proxy aware, or if you don’t want to use any proxy but direct all traffic to the internal side and to be taken care of there for either internal or external Internet routing.
Split DNS
Another idea that could perhaps assist in some architectures is the use of split-DNS. In the Gateway Wizard you can specify the DNS server the Windows Mobile clients will use to resolve hostnames. Many simply use the existing DNS server present internally and make sure connectivity on TCP port 53 is open to it. Another idea could be to use a separate DNS server that contains hostname zone entries that could be similar but resolve to different IP addresses to better resolve network routing or DMZ issues at hand. DNS forwarding could still be used to forward remaining requests to the primary internal DNS servers.

Tethering Devices
Another Enterprise Mobile colleague, Dave Field, also points out:
“Please note that if you have a proxy setup on the device and you partner the device to a desktop that has “automatic” setup for the Connection setting, it will auto-configure the device proxy and overwrite whatever you have. It will configure it for port 80 automatically too.”
At the time of this writing I’m not sure if the Group Policies will automatically refresh the settings again down to the device. A workaround may be to disable the tethering functionality altogether if this is a big concern.
Wrap up
The final best advice is to have patience in troubleshooting and testing the proxy and network routing. It can be complex and quite difficult to get setup correctly in a large organization. Logic flow, re-verifying settings, and looking at logs could be your best friends.
Thanks again to Patrick Salmon for getting the answers together. Also a thanks to Wayne Phillips and David Creedy from Airloom for their feedback and corrections!
Please leave a comment or contact me directly if you have additional findings or feedback on how these settings work and act for you!
Reference links - for additional information:
Default URL Mapping values in Connection Manager:
http://msdn.microsoft.com/en-us/library/aa456095.aspx
How Connection Manager works:
http://blogs.msdn.com/fzandona/archive/2005/10/10/ConnectionManager02.aspx
How the Mapping Index works and what are some of the high-end catch all values:
http://msdn.microsoft.com/en-us/library/aa455850.aspx
http://msdn.microsoft.com/en-us/library/aa456095.aspx
Using Connection Manager URL Mapping:
http://msdn.microsoft.com/en-us/library/aa455992.aspx
SCMDM Forum thread discussion on these settings:
http://social.technet.microsoft.com/Forums/en-US/SCMDM/thread/9a295dc0-55a6-4783-b43e-132748e8e7b5
|\\arco..
Updated on May 12, 2009 with some corrections.
Don’t believe this is that recent news, but just learned about it and thought I would share as I think it could be quite useful for many enterprise scenarios.
This is a public website that can be used to troubleshoot Exchange server connectivity issues. Originally written by a Microsoft Escalation Engineer and continually updated.
You can test such things as Exchange ActiveSync (EAS) issues, including Windows Mobile 5 and Windows Mobile 5 w/MSFP, Windows Mobile 6.1 clients with AutoDiscover, Outlook RPC over HTTP (Outlook Anywhere), Outlook 2007 and AutoDiscover and even inbound SMTP. The tool will give you a nice detailed report that you can drill down into and research where any failure might be.
It is accessed from here: https://www.TestExchangeConnectivity.com.
This could be very useful in testing your Exchange configuration and setup before you have Windows Mobile clients to access your environment. Validation of certificates and which Windows Mobile versions are supported is also included!
Main menu:
Apply test credentials:
Example report:
Reference Links:
Blog: http://msexchangeteam.com/archive/2009/03/25/450908.aspx
Video: http://edge.technet.com/Media/The-Remote-Connectivity-Analyzer-for-Exchange-Server/
Facebook Group: http://www.facebook.com/group.php?gid=58417140899
Twitter: http://twitter.com/ExRCA
|\\arco..
I love the History and Discovery channels on TV, and history in general. So as the rapid computer and telecommunications technology evolves, things in the 1980s are now already historical and have shaped our everyday lives today. SMS text messaging is a good example of that.
The Los Angeles Times has a great little article about Friedhelm Hillebrand who in Germany in the mid-1980s wrote up the SMS 160 character text message as a standard in the GSM implementation. It is still in place today and now actively used on billions of phones:
http://latimesblogs.latimes.com/technology/2009/05/invented-text-messaging.html
Using a 7-bit character set instead of 8-bit, the 160 characters also only take up 140 bytes of transmission data. I won’t dare to go into how much revenue this now common technology is making on the Mobile Operator side worldwide. :-)
Today, Twitter is also using the same 160 character text message limitation. It has a 140 character limit per tweet with the remaining 20 characters reserved for the user name.
|\\arco..
If you missed any of the recent past Device Management and Security sessions, feel free to click on the links from my previous posts and view the recordings.
I also have another session to make you aware of for this coming Friday being done by one of my Enterprise Mobile colleagues (rescheduled from April 17th):
- Webcast: TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
Friday, April 24, 2009
11:30 A.M.–1:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032410692
Description: “System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which takes almost 2 years of hands-on experience of deploying implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.”
Highly recommended to attend if you are interested in learning more about the deployment of SCMDM 2008 in your production environment.
|\\arco..
One of my colleagues at Enterprise Mobile noticed the press release on a new piece of software from Celio, the makers of the REDFLY Companion hardware add-on for Windows Mobile devices. This new PC based software was announced at CES 2009 in January with a delivery date in March.
This piqued my interest and I wanted to figure out what this piece of software could do. Specifically, how does it assist with using the REDFLY devices if it is running on my Windows XP or Vista machine? So I went to the Celio site and downloaded the public beta.
How it works
The installation was painless and quick on my Vista machine.
When I first ran the application it brought up this screen with the familiar logo and graphics, just like on the hardware REDFLY devices. Please notice the buttons at the top, which mimic the traditional buttons on a Windows Mobile device.
I did have to allow my Vista firewall permissions for the application to access the network:
Once I connected a device through USB and the Vista based Windows Mobile Device Center (ActiveSync on Windows XP) came up, I clicked on the Connect button. The REDFLY Mobile Viewer application then promptly attempted a connection through the USB connection to the device:

..and brought up my device screen right away:

Findings
Through my quick testing I found that the beta software appeared to be very stable and didn’t feel beta to me whatsoever. Simple to use and easy to install. I didn’t try my Bluetooth connection from my laptop to see if that wireless connection method works as well..
Usage Scenarios
What many are now asking is why would Celio release such a piece of software and what is the reasoning behind it. I don’t know the official answer, but can come up with several scenarios where I feel the REDFLY Mobile Viewer could be very valuable:
Demoing – Through the use of the “Auto hide toolbar” option and a webinar session, you could quickly discuss and display the same experience as you would have on a real hardware based REDFLY device. This is something that has been lacking when working in our virtual “less-travel-is-better” business world.
Application Development/Testing – One of the frequent questions when evaluating the hardware REDFLY units is how will my business applications running on the Windows Mobile device work and look like on the REDFLY unit? I believe with the REDFLY Mobile Viewer this support could be better tested and tried, without the need to have the actual REDFLY hardware. This could potentially broaden the number of software vendors who support the REDFLY and the larger screen size formats.
Wrap up
Bottom line, think of the REDFLY Mobile Viewer as your virtual REDFLY emulator that can come in handy when trying to explain what a REDFLY device is, how it works, and what it can do for your business. I can only hope Celio will provide it free of charge after the beta period. :-)
Also wondering if the current or newer Celio drivers could work on a Windows Mobile Device Emulator, then you could emulate the entire experience without hardware.
BTW, Celio also released updated REDFLY drivers to a bunch of devices today as well. Please see more information here and here.
|\\arco..
A quick update to the one I posted previously on this.. One of these sessions is live at TechEd and the rest are being broadcast live on TechNet starting next week. All are being presented by colleagues of mine here at Enterprise Mobile. :-)
· Webcast: TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)
Tuesday, April 7, 2009
10:00 A.M.–11:00 A.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407362&culture=en-US
Description: “So, you are using Microsoft System Center Mobile Device Manager 2008 and Windows Mobile 6.1. Now what? You probably know that Mobile Device Manager can manage, secure, and install software on your phones. But did you know Mobile Device Manager also gives your users the potential to control the PC at their desk and access everything they need on the corporate network, including file shares, Microsoft Office SharePoint Server, instant messaging, and internal Web pages. In this webcast, we present the best practices for a Mobile Device Manager installation that provides users with access to everything they need in the corporate network through their phone and (just as important) denies access to resources mobile users don't need. We review the basics of Mobile Device Manager and IP security (IPsec) virtual private networks (VPNs), and we discuss the tools that users can take advantage of so they can work wherever they would like using their phone. Discover how Mobile Device Manager eliminates the need to expose your organization's Microsoft Exchange Server to the Internet.”
· Webcast: TechNet Webcast: Windows Mobile Digital Certificate Management (Level 300)
Thursday, April 9, 2009
11:00 A.M.–12:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032409997&Culture=en-US
Description: “Digital Certificates and public/private key technology is core to Windows Mobile platform security. In this session, you’ll learn about how certificates are used to provide authentication, access control and encryption for the OS, applications and networking.. You’ll also learn best practices and “gotchas” for managing certificates on the device. The speaker is an expert on Windows Mobile Certificate management and certificate-related features in the OS. Therefore, come ready to ask any questions you may have: enrollment, import, SSL, root certificates, email security, application security, etc.”
· Webcast: TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
Tuesday, April 17, 2009
11:30 A.M.–1:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032410692&culture=en-US
Description: “System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which takes almost 2 years of hands-on experience of deploying implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.”
· TechEd 2009 “Chalk Talk” in the WM area: Management Lockdown of Windows Mobile Devices
Tuesday, May 12, 2009
10:15 A.M.-11:30 A.M. Pacific Time
Description: “You can completely secure a Windows Mobile device without deploying expensive third party applications. In this session we'll show you how bar viruses, malicious and unsupported code from installing and running on the device. In addition, we'll look at various out-of-the-box devices and analyze their threat surface. Last, we'll describe all Windows mobile application security threat surfaces and how to manage all of them.”
Register for them now and get them on your calendar! :-)
|\\arco..
There appears to be a common theme going on for many platforms these days.. Web “Widgets”. Windows Vista, Internet Explorer 8, etc.. I didn’t even know that there is now a W3C standard for widgets as well!
It looks like it is also coming to the Windows Mobile platform in the upcoming 6.5 release:
http://blogs.msdn.com/windowsmobile/archive/2009/03/18/windows-mobile-6-5-what-s-in-for-developers.aspx
I think this could have interesting tie-ins for the corporate enterprise world, if the user interface functions nicely..
I’m thinking of:
- Business Intelligence reporting widgets – see KPIs and other key information at your finger tips through VPN
- ActiveX, (no Silverlight?) or Adobe Flash enabled training content
But probably the most important:
- Extending current web application functionality to your external customers on Windows Mobile devices – public web site widgets to make them easy to use on Windows Mobile devices..
The Widgets will also be available on the new Windows Marketplace and centrally downloaded from there. See all the details here: http://j2i.net/blogs/home/pages/more-windows-mobile-6-5-and-market-place-details-from-mix09.aspx
BTW, it also appears that feedback is still being pumped into the Windows Mobile 6.5 platform under development, so we can all still make an impact.. :-)
http://arstechnica.com/microsoft/news/2009/03/feedback-causes-changes-to-windows-mobile-65-honeycomb-ui.ars
|\\arco..

I have been noticing a lot of the current media about mobile security and just want to throw in my personal “2-cents” as well with my own observations and comments.. :-)
Hacking and Vulnerabilities in Mobile Devices
This of course is brought up all the time by the security software manufacturers and is definitely something we should always be aware of. As more and more devices are being used in daily life for all of our personal and corporate tasks, the risks will just get greater and greater, no doubt about it. As it stands today, there are some vulnerabilities and malware out there, but not a whole lot.. Yet..
Mobile Security Looming As New Hacker Frontier:
http://www.informationweek.com/blog/main/archives/2009/03/mobile_security_1.html
$10,000 Mobile Hacking Competition to find new vulnerabilities: (so far no hits!)
http://dvlabs.tippingpoint.com/blog/2009/02/25/pwn2own-2009
But the single largest threat could be lost devices with no passwords being used. Some estimates are that up to 40% of all mobile devices have no password!
UK survey on mobile phones being vulnerable to Identity Theft:
http://patricksalmon.blogspot.com/2009/03/uk-survey-on-mobile-phones-being.html
Windows Mobile Security
In the corporate environment Windows Mobile brings a lot to the table. Security wise there are several great options and mechanisms you can use to protect your corporate assets. Think certificates, not AntiVirus. I think historically there was just not a big push to prioritize this security realm and the necessary information was somewhat hard to find. I believe this has all changed, and most companies take this very seriously now. If they do not yet have a strategy I believe they are long overdue to have one and execute on it!
Some great recent Windows Mobile security resources are mentioned here:
http://blog.enterprisemobile.com/2009/03/mobile-security-resources/
Vik also has a good round up of the current Windows Mobile encryption and security certifications:
http://blogs.technet.com/vik/archive/2009/03/03/windows-mobile-encryption-and-security-certifications.aspx
iPhone Security
The iPhone is a great consumer device, no doubt about it. But regarding iPhone security, there are well published and documented aspects you should be aware of if you are using and allowing the iPhone in your enterprise and giving permission for corporate data and e-mail to be stored, or even viewed!, on the devices.
Keystrokes, screen shots, GPS coordinates, and all data can easily be retrieved if you have physical access to a device. Anyone can take an iPhone and connect it to a machine running iTunes and make a complete backup of its contents. For the casual consumer this is probably not a big deal, unless you are using it for all your online banking, personal e-mails (that you don’t want someone else to see), or any other online site you might be using on the device. But think identity theft. Think work related web sites and passwords!
A scenario: You are using a key corporate enterprise application or web site, where critical or sensitive information is shown on the iPhone screen. But when the user moves away from the application, unbeknownst to them, a screen shot of this critical or sensitive information is being cached on the iPhone..
Highly recommended reading:
iPhone hacking: Lessons from the front line:
http://searchmobilecomputing.techtarget.com/news/article/0,289142,sid40_gci1349572,00.html
iPhone Forensics: Recovering Evidence, Personal Data, and Corporate Assets:
http://www.amazon.com/gp/product/0596153589
Also, looking at the newly announced iPhone 3.0 features, I didn’t see anything at all about security or enterprise usage improvements to combat the security issues mentioned above..
Update June 22, 2009: Please see new post on the hardware encryption in the iPhone 3G S model here, and also the actual slide deck from the great forensics presentation Jonathan Zdziarski had from the Gartner Mobile Summit.
|\\arco..
This step-by-step guide can assist with installing the necessary SQL Server 2005 Reporting Services (SSRS) components and configuring them. Depending on your configuration some settings and directions may vary. For many more SCMDM step-by-step how-to guides please see Andreas Helland’s excellent collection of them.
This guide is organized in multiple sections:
- SQL 2005 Reporting Services Install
- SQL 2005 Service Pack Reapply
- SQL 2005 Reporting Services Configuration
- SQL 2005 Reporting Services Troubleshooting
- SCMDM 2008 SP1 Reporting Service Installation and Configuration
Due to the many screen shots in this guide, I have made them a tad smaller in size. I apologize, but you can easily click on them to enlarge them, or use your browser to zoom-in your screen view (works great in IE8).
Assumptions
That SQL 2005 with SP2 or SP3 is used. That the SQL Server was not already installed with SQL Reporting Services. Otherwise please skip to the SQL 2005 Reporting Services Configuration section.
Using SQL Instances
From trial and error it appears that the SCMDM 2008 SP1 Reporting installation does support installation to another SQL Server Instance. But the SQL Server Integration Services (SSIS) scripts appear not to..
SQL 2005 Reporting Services Installation
Use these instructions if you don’t have the Reporting Service installed. You can verify this by viewing the screen after you click “Change”.
Please bring up your Add or Remove Programs control panel applet:

Highlight the main SQL Server 2005 installation and click on Change.

Ensure that Integration Services is already installed..

Browse to the CD media, select setup.exe and click OK.

Accept and Next..

Click Next..

Click Next..

Ensure that there is no error and click Next.. You may need a reboot for example.

Click Next..

Select Reporting Services, click Next..

Leave on the Default instance, click Next..

Select System Account, if you don’t have a services account in the domain..

Click Next..

Click Install..


Click Next..

Click Finish.. Installation completed.
SQL Server 2005 Service Pack Reapply
Since you used the RTM media to install the SQL Server Reporting Services (SSRS), you must reapply the Service Pack that was used previously to bring it up to the same code level as the rest of the SQL installation.
You can find the download to the Service Packs here:
SQL 2005 SP2 - http://www.microsoft.com/downloads/details.aspx?FamilyID=d07219b2-1e23-49c8-8f0c-63fa18f26d3a&DisplayLang=en
SQL 2005 SP3 - http://www.microsoft.com/downloads/details.aspx?FamilyID=ae7387c3-348c-4faa-8ae5-949fdfbe59c4&DisplayLang=en
Execute it:

Click Next..

Accept and click Next..

Verify that only the newly installed Reporting Services needs to be upgraded to this Service Pack..

Click Next..

Click Next..

This screen might appear if the Reporting Service service process is running on the server.
It can be ignored for now.. Click Next..

Click Install..


Once complete it may ask for a server reboot..

Completed, click Next..

Summary screen, click Next..

Click Finish..

Click the double arrow, and move the privileges over, Click OK.. Reboot the server..
Service Pack reapplied successfully.
SQL 2005 Reporting Services Configuration
This section will verify and also fix any items that may not have been configured properly.
It is all done through the Reporting Services Configuration console.

Now bring up the Reporting Services Configuration tool..

It should automatically populate the local server name and instance in which the Reporting Services was installed.
Click Connect.

If not running, click Start..
We will now go through all the various sections on the left side of the screen. We basically need to resolve any section with red marks.

If missing, click New.

Click OK.

Ensure that the creation was done without any warning or errors.
Click Apply.

If missing, click New.

Click OK..

Ensure that the creation was done without any warning or errors.

Verify which security context you wish to use.

To the right of Report Server, click New..

Input a pool name, such as ReportServer, and select an account.. Click OK.

For the second one, use the drop down to choose the newly created pool and click Apply..

Verify that the settings were done without any warning or errors.

Hit Connect, and OK.. For the Database click New..
Click OK..

Click Apply..

Click OK..

Click OK..

Hit Apply..

Click OK..
If you didn’t apply the Service Pack before this step, the upgrade script may fail.
Also make sure that the Reporting Service service is running on the server, otherwise the WMI provider will not be available for the upgrade script to function..

You should now be able to bring up the http://localhost/reports page:

If you cannot see this page, please see the next section on troubleshooting.
SQL 2005 Reporting Services Troubleshooting
If you instead get an error message with “The XML page cannot be displayed” or 404 “Page cannot be found”:

Make sure ASP.NET is allowed on the web server, and that the .NET Framework 2.0 or higher is correctly installed:

Once set, go back into the Reporting Services Configuration Manager and make sure all the “green lights” are still there. You may need to touch the Web Service Identity section again!
Another possible error:

This can be fixed by:
- Editing C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportManager\RSWebApplication.config
- Changing <ReportServerVirtualDirectory></ReportServerVirtualDirectory> to <ReportServerVirtualDirectory>ReportServer</ReportServerVirtualDirectory>
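The same config change as a PowerShell script (an added example, not part of the original guide). It assumes the file path quoted above, takes a timestamped backup before writing, and leaves the file alone if a value is already present; the parameter names are this example's own.

```powershell
# Added example (not from the original guide): fill in an empty
# <ReportServerVirtualDirectory> element in RSWebApplication.config.
param(
    # Path as quoted in the guide. The MSSQL.n folder number differs between
    # installations, so pass -ConfigPath if yours is not MSSQL.2.
    [string]$ConfigPath = 'C:\Program Files\Microsoft SQL Server\MSSQL.2\Reporting Services\ReportManager\RSWebApplication.config',
    # Value the guide sets: the name of the Report Server virtual directory.
    [string]$VirtualDirectory = 'ReportServer'
)

if (-not (Test-Path $ConfigPath)) {
    throw "Config file not found: $ConfigPath"
}

$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true      # keep the file's existing layout on save
$xml.Load($ConfigPath)

$vdir = $xml.SelectSingleNode('//ReportServerVirtualDirectory')
if ($null -eq $vdir) {
    throw "No <ReportServerVirtualDirectory> element found in $ConfigPath"
}

# The SSRS 2005 documentation for this file treats ReportServerUrl and
# ReportServerVirtualDirectory as alternatives: when a URL is configured,
# the virtual directory must stay empty. Do not set both.
$url = $xml.SelectSingleNode('//ReportServerUrl')
if ($null -ne $url -and $url.InnerText.Trim() -ne '') {
    Write-Warning "ReportServerUrl is set to '$($url.InnerText.Trim())'; file left unchanged."
    return
}

$current = $vdir.InnerText.Trim()
if ($current -eq $VirtualDirectory) {
    Write-Output "ReportServerVirtualDirectory is already '$VirtualDirectory'; nothing to do."
    return
}
if ($current -ne '') {
    # Someone configured a different directory on purpose; do not overwrite it.
    Write-Warning "ReportServerVirtualDirectory already holds '$current'; file left unchanged."
    return
}

# Back up first so the change can be reverted by copying the file back.
$backup = '{0}.{1}.bak' -f $ConfigPath, (Get-Date -Format 'yyyyMMdd-HHmmss')
Copy-Item $ConfigPath $backup

$vdir.InnerText = $VirtualDirectory
$xml.Save($ConfigPath)
Write-Output "Set ReportServerVirtualDirectory to '$VirtualDirectory' (backup: $backup)."
```

Run it from an elevated prompt on the Reporting Services server, then reload http://localhost/reports to confirm the error is gone.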
For further assistance on issues I recommend going to these links:
MSDN Community Forum:
http://social.msdn.microsoft.com/forums/en-US/sqlreportingservices/threads/
MSDN SQL Server 2005 – Reporting Services, aggregator site:
http://msdn.microsoft.com/en-us/sqlserver/bb671084.aspx
SCMDM 2008 SP1 Reporting Service Installation
Please download the SCMDM 2008 SP1 Reporting Services Resource Kit here:
http://www.microsoft.com/downloads/details.aspx?FamilyID=F72C0546-1B10-4636-96A5-A2455B1F77B3&displaylang=en
Picking the appropriate flavor of x64 or x86 of course to match your platform.. :-)
Execute it and extract it somewhere.
Locate and run the mdmreportingsetup.msi file to start the installation:

Click Next..

Accept and click Next..

If you select Custom you can see the different components:

Enter the name of the server where the MDM Database is housed. This is either the remote server name, or the local server name if you are installing it on the same server.
Usually no need to enter the instance name which is default MSSQLSERVER.

Now enter the server name of the reporting SQL server.

Enter an account that has permissions..

Click Next..

Click Install..

It may take a few seconds..

Success!
If you receive error messages about failure and rolling back the installation make sure you tried the Reporting Services website before you started the MDM Reporting installation and have a working SQL Reporting Services configuration beforehand..
After you click Finish, this admin utility screen will then appear:

Enter the Reporting SQL server name and click Connect..
Enter the MDM 2008 SP1 instance name and click Add..
Click on the MDM Gateway Auth, and enter a valid account on the Gateway server(s) retrieved for the specified MDM instance. Click Update.
Click Exit.
The reports will now appear on the http://server/reports web site.

Click on MDM Reports.

But if you try to use one of the reports at this stage:

You will find that they will all fail.. This is due to the reporting data not being replicated over yet..
The final step is to get the first set of data into the Reporting database from the MDM database. This is done behind the scenes with SQL Server Integration Services (SSIS).
However the newly installed scripts must be kicked off manually the very first time. Thereafter it will automatically refresh every 1 hour..
Start the SQL Server Management Studio application from the Start menu:

Select Start Job at Step..

Click Start..
Make sure it completes successfully.. If you receive an execution error make completely sure you have filled out all the necessary fields on the MDM Reporting Admin Utility!
Congratulations! You should finally have some data in the reports and everything functional at this point!
SCMDM 2008 SP1 Reports
If you haven’t tried it, the MMC Add-in simply provides a “tree view” to the web reports which can be handy if you spend most of your time in the MMC as the administrator.
Please see my previous post for more details on the SCMDM 2008 SP1 reports themselves:
http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/12/scmdm-2008-sp1-reporting-services-overview.aspx
|\\arco..
After writing up my last blog article about Windows Mobile troubleshooting and logging utilities (see it again here), I was more closely on the lookout for other tools and tricks that might help assist in a similar fashion.. Of course I found some more good additional information and have included it in this round.. :-)
.NET Compact Framework Logging
On Steve Hegenderfer and Reed Robinson's excellent blog Reed posted a great article about how to enable .NET CF loader logs and what to look out for. Specifically referencing this MSDN information on how to enable the logging: http://msdn.microsoft.com/en-us/library/ms229650.aspx. It is all controlled in specific registry keys on the device to enable 6 different flavors of .NET CF logging: "Interop", "Error", "Loader", "Network", "Finalizer", or "Trace".
The Power Toys for .NET Compact Framework v3.5 download gives you additional tools to make this easier. One is the Remote Logging Configuration Tool:
So the most interesting for non-developers trying to troubleshoot .NET CF applications is probably the "Loader" logging. This is where you can see if the application even makes it off the ground and why. As Reed suggests in the article I mentioned it could be referencing a .NET assembly not present on the device for whatever reason..
Additional details on how to read the "Loader" logging can be found here: http://msdn.microsoft.com/en-us/library/ms229667.aspx.
File System Logging
This is a type of extreme logging that can really slow down a working operating system. But it can also show you exactly what is going on at the file I/O level. Specifically what files are being accessed or written to. This could be useful to trace back missing files or folders, or figuring out the last file access a specific application did before failing.
I only recently found a tool called MobileMon v0.5 by Brian Dunn. His website, http://www.mobilmon.com/, has more information and you can download the .CAB file there.
Basically you can install and run it in the background while it logs file activity.

Once you are done you can save it to a log file. Be aware however that the file name "mobilmon.log" may be hard to open on the device itself unless you install a tool (Like Voyager or Total Commander) to rename the file to mobilmon.txt. Then you can open it with the native Word Mobile.
Memory Management and Monitoring
Another important area of concern for current Windows Mobile troubleshooting is available memory on the device. Memory leaks, multiple running applications, and garbage heaps can all contribute to needing frequent soft-reboots to get a device functional again. A little known fact that I wasn’t fully aware of is that only 32 applications (actually processes) can run at the same time and each can access at most 32 MB of virtual memory..
An excellent resource of a virtual memory management overview is William Blanke’s article: http://www.codeproject.com/KB/mobile/VirtualMemory.aspx
In it he also has a small (12Kb) Virtual Memory tool (must register to download, the compiled .exe is included with the source code) you can run and visually see available memory (in red) for each of the 32 process slots.
Issue #1: One key thing apart from seeing how many of the slots are being used and if they are full, is finding the “device.exe” process. This process is responsible for loading up all the device drivers and William points out the potential issues if memory is low for this slot. Specific device features may simply not work.
Issue #2: Another area of concern could be applications that load up .DLL files. These can be loaded up in *any* processing slot and can be accessed by any process. This can be bad if your process or application running in the slot needs the memory and doesn’t use the particular DLL.
However William doesn’t address that in Windows Mobile 6.1 specific changes were made to better accommodate DLL files over 64Kb. These will now be loaded into specific slots higher and away from the process slots. Thus freeing up application space and reducing this potential worry. Please see more information on this 6.1 feature from Doug Boling here.
Not sure if anything has changed or will change in Windows Mobile 6.5 as of yet. What we can look forward to is Windows Mobile 7.0 (which is based upon Windows CE 6.0) and its larger scale advanced memory management, explained in more detail here or here. But basically a little like Windows XP, and a limit of 32K processes and 2GB per process, compared to 32 and 32Mb per process. :-)
Issue #3: Careful on the usage of storage cards to install or run applications from. If the device goes into hibernation or sleep mode, it could power down the storage card and render any application housed there non-functional. See more tips here.
Some older reference links on Windows Mobile memory management:
- RAM, ROM and Task Managers
- How WM 5.0 Shell Handles Low Memory Situations
- Memory Management on WM 6.x
- MSDN Webcast: Memory Management for Windows Mobile
- DumpMem Utility
- NETCF: Memory leak... now what??
Update March 20, 2009: If you are using a Motorola/Symbol ruggedized device you also may want to ask your Motorola rep about their “Private SDK” and a tool called the “Remote Memory Viewer”. It may also be beneficial as Raffaele Limosani states here..
Hope this article further assists in troubleshooting Windows Mobile issues you might run into!
|\\arco..
A quick heads up on some interesting new Microsoft webcasts coming up early next month on Windows Mobile Device Management and Security that may be of interest to many of you:
TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)
Tuesday, April 7, 2009
10:00 A.M.–11:00 A.M. Pacific Time
TechNet Webcast: Management Lockdown of Windows Mobile Devices (Level 300)
Thursday, April 9, 2009
11:30 A.M.–12:30 P.M. Pacific Time
Register now and get it on your calendar! :-)
|\\arco..
I've been compiling a running alphabetical list of which devices now have official supported upgrades available for them since the summer of 2008. This may be useful for many of you as well when implementing SCMDM and researching which devices are compatible.
Several links fixed, and several devices purchased with WM 6.1.x builds now listed as reference as well. Interesting to see the slow uptake of devices having the 6.1.4 build finally that has the Internet Explorer Mobile 6 (IE6on6).
Included is the specific OS/AKU build for each device for SCMDM 2008 SP1 support.
If you know of others, updates or corrections, please let me know!
Thanks to Paul for the corrections on the HTC links!
|\\arco..
So most of the Windows Mobile blogs out there are now posting about this non-functional website that could be the future "launch pad" for the recently announced Marketplace to centrally house the best Windows Mobile applications..
My biggest question, and somewhat fear, is how will this be manageable from the corporate enterprise, if it is only targeted at mass consumers? Will there be policies where you can enforce your corporate owned devices and users not to install unapproved software? Will there be opportunities for companies to centrally place applications they want their users to access and install? Will there be add-on features for SCMDM to address these questions?
Lots of questions, but probably no answers yet, so we shall see what this summer of twenty-09 will bring.. :-)
http://client.marketplace.windowsmobile.com/
Update March 11, 2009: Some public information on Marketplace for Mobile has now been announced: https://www.microsoft.com/presspass/press/2009/mar09/03-11WMMDevelopersPR.mspx, but further distribution details listed on http://developer.windowsmobile.com/Skymarket.aspx still remain sparse at this time..
|\\arco..
As Adam posted here, there hasn't been a lot of SCMDM 2008 SP1 material to come out of Redmond since it was released on December 15, 2008. But it looks like he was notified of some additional material that was posted up on http://www.windowsmobiletraining.com:
15 Minute Sales Course (and Quiz)
Selling MDM 2008 SP1 (2 pages)
Product Reference Guide (43 pages)
SCMDM Whitepaper (11 pages)
It appears that the whitepaper is the same Wipro TCO whitepaper that I blogged about here..
Screen shot of the sales course:
|\\arco..
I have been traveling through airports and cities in the United States for quite some time now and at times get questioned about tools, or people see what I have been using.. So this post is an attempt to share information on some of the tips and useful tools I have been using for my travel needs.. Feel free to add your comments and your tips!!
Power Outlet | Targus APS03US | Product info | Review | Prices
You are in a busy airport or location and need to juice up your equipment and all the outlets you can find are being used by people.. Your hotel room only has a few wall outlets, only one being at a convenient location.. What you need is a handy portable power strip so you have more outlets where you need it!
Pros:
- This adaptor is small and handy, fits in a corner of your bag. Cord plugs into one of the outlets so it is neat and tidy.
- Has a flat wall plug, so it fits in tight spaces and hangs downward.
- Has 4 outlets, on 3 different sides. Can handle multiple bulky power adaptors.
- Built-in surge protection so you have some protection of your equipment in foreign places..
Cons:
None that I have found so far! :-)
Universal Power Adapter | iGo everywhere 130 | Product Info | Blog | Twitter
This should be no surprise for many of the road warriors out there. I was first sold on it when I saw one of my colleagues with it and saw how useful it was. (Thanks Doug!)
I also purchased the handy iGo organizer so I can keep my dual-power adapter (so you can power your laptop at the same time as other devices) and tip splitter organized together with all the device tips I have to charge almost any phone on the planet. And my Zune of course. :-)
Itinerary Tool | TripIt | Home Page | Blog | Mobile Site | Twitter
Another useful online-social-web site type application that is very slick and useful to keep track of all your itinerary information.. You set up a free account, and forward all your flight, rental car, and hotel confirmation e-mails to plans@tripit.com and voilà!
By magic it scans and parses through all the e-mails and inserts all the relevant information into your TripIt account. This information can then be retrieved centrally from http://tripit.com or on your phone on http://m.tripit.com! It will automatically add map links, directions and weather information as well..
Everything you need in one place, on your mobile device, while you are on the go.. Absolutely marvelous in my mind and a true "life saver".. :-) Using the "Share" feature you can also collaborate or view-only with your spouse or team members.
The TripIt team has now also opened things up with their own API, so other sites can access their platform and integrate your travel information into their online services..
Favorite Airline | Southwest | Home Page | Blog | Mobile Site | Twitter
I've been a long time Southwest fan. Just the ease and no hassle to change travel plans online has me hooked. Several larger airlines have just stuck it to me over and over again.. Enough I say.
Some good tips for the online check-in using the mobile site on your Windows phone go here. Need to check in and get an "A-group" seat? Try to go here. :-)
Airline Seating Tool | SeatGuru.com | Home Page | Mobile Site
When it comes to using other airlines, I always go to Seatguru.com to figure out my best options for seating arrangements.. I've been lucky a few times to get the right seats with power on certain flights. Their mobile site also makes it easy and useful.
Don't fly again without weighing your seat options for the particular plane type you are booked on!
Flight Tracker | FlightStats | Home Page | Mobile Site
At this time my favorite flight tracking and airport status web site is the FlightStats one.
Since you can also get a listing of flights on a specific flight route between two cities, it is also very useful if you need to find another flight a specific day with any airline, or see when the next available flight is!
Also with its handy mobile site, you can check up on flights while on the go..
Conference Bridge Calling | Windows Mobile Professional
So one of the least known tricks I believe when scheduling conference calls and having participants on the road is to list the conference bridge number in the body of the Outlook Meeting Request so it is super easy for the folks on the road to dial in. You don't have to write down the number from an e-mail and then risk mistyping it into the phone. Jason Langridge blogged about it here.
Basically you prefix the number with a "TEL:", and it will make the string after it hyperlinked. You can add "," (comma) or "p" characters for pauses. And of course the "#" to signal the end of a phone number or passcode. Thus a conference dial-in with a passcode could look something like this: TEL:1-800-555-5555p123456#, and in Outlook and on the Windows Mobile Professional device it will be hyperlinked so you can tap it and the device will execute the entire string in your dialer!
You don't need to do the "TEL:" trick on a Windows Mobile Standard (non-touch screen) device, but it would still be advantageous to use the string to reduce the mistyping of the passcode or other digits needed after the phone number..
This way none of your participants on the road can say that they mistyped the bridge number and were unable to dial in. :-)
In Case of Emergency (ICE) | Windows Mobile
This is an idea that is a few years old, and not officially sanctioned by all the various first responders and/or police. But my view is if it helps just one family it is probably still worth it. :-)
Heck it could perhaps also help get lost devices back in your hands from kind people out there.. :-)
The excellent idea my colleague Patrick Salmon highlighted was to use the Owner Information screen in Windows Mobile and make it display upon power on. This would make it much easier to view without knowing how to operate or login to the phone. Especially a corporate device with a PIN lock. :-)
To do it (quoting Patrick Salmon's blog):
On both PocketPC/Professional and Smartphone/Standard Phones go to Start->Settings->Owner Information.
In Professional, use the Address field. With Smartphone use the “Notes” field.
Put the following information here:
(i) ICE {contact name} {phone number}
(ii) Relevant medical information. Blood group, if you know it. Are you diabetic? Allergic to penicillin? List any prescription medications.
Finally, while still in the Owner Information screen (Professional Only) go to the Options tab and select the checkbox that says “Show Owner Information at power on?”
ICE Reference links:
http://en.wikipedia.org/wiki/In_case_of_emergency
http://www.snopes.com/crime/prevent/icephone.asp
So that's all the travel tools tips I could think of in this round.. I'm eager to hear what others are using and even better tools!
|\\arco..
There hasn't been much mention of this I believe, although I could have missed it last year with all the activity going on. :-) But it recently caught my attention that Microsoft has indeed published material on the TCO of SCMDM 2008.
White Papers, Reports and Calculators oh my
All the Microsoft mobility white papers and reports are linked from here:
http://www.microsoft.com/windowsmobile/business/strategy/tco.mspx
An interesting white paper that pits a RIM BES 4.1 environment against SCMDM 2008 for TCO is detailed in this paper. Here is the direct link and title:
Wipro: SCMDM 2008 - The case for Managing Mobile Devices using SCMDM (Oct 2008):
http://download.microsoft.com/download/2/E/9/2E9676F1-2457-4F16-87A2-71416601296E/Wipro%20-%20System%20Center%20MDM%20v1-1%20Jan%2009.pdf
This white paper appears to cover SCMDM 2008 RTM and not SCMDM 2008 SP1, so the additional scalability available in SP1 might not be factored in. SP1 provides an additional large scalability boost.
The TCO calculators are here, including the one for SCMDM, but you will need to register first to get access:
https://roianalyst.alinean.com/microsoft/mobile/launch.html
SCMDM 2008 SP1 Scalability Boost
As I mentioned above, there is a huge difference in scalability with SP1 of the product. Here is a good overview I put together to show this:
| | SCMDM 2008 RTM | SCMDM 2008 SP1 |
| Device Management Server (DM): | 5,000 devices per server, 6 servers per instance | 15,000 devices per server, 4 servers per instance |
| Enrollment Server (ES): | 25 concurrent enrollments, 2 servers per instance | 25 concurrent enrollments, 4 servers per instance |
| Gateway Server: | 5,000 devices per server, 16 servers per instance | 15,000 devices per server, 16 servers per instance |
| Max Devices (per MDM instance): | 30,000 devices | 60,000 devices |
| Max MDM instances (in one AD Forest): | 1 | 100 |
Please see all the details at http://technet.microsoft.com/en-us/library/dd261960.aspx for the SP1 hardware specs and policy conditions to meet these management numbers. One thing that is lacking I believe however is clear SQL Server requirements and numbers..
|\\arco..
I used the excellent Jott service a little last year when it was still free and know how easy it was to use by calling 866-JOTT-123. The integration with other online applications was also really slick.. It appears Microsoft is also building upon the voice recognition that their mobile Live Search product has. So far not as elaborate as the Jott service, but possibly useful none-the-less..
Basically the Microsoft Recite application provides the quick and easy functionality of an old-fashioned voice-recorder, but makes it searchable and provides a timeline of the recordings.
Some quick screen shots of it in action:
When you click "Remember", it will record the voice recording:
After several recordings you have a timeline, that you can browse through. Clicking "Search", lets you record what you want to search and provides a browseable results pane where you can play back the best matching results:
During my brief tests it appeared to successfully and accurately locate previous recordings with the spoken search words I gave it.
I had some issues on my Palm Pro when testing the application. Not sure if it was just some bugs or quirks of me trying out the application.. :-) Appears that it is not touch screen aware, but if you are on the go I think its simple construction would make touch screen support unnecessary.
I think this preview shows promise of some of the powerful aspects voice search could have to retrieve other information on the Windows Mobile device or available through a connection. We shall see where Microsoft decides to take it..
References:
http://recite.microsoft.com
http://blogs.msdn.com/recite
http://getsatisfaction.com/microsoft/products/microsoft_recite
|\\arco..
A question that has come to me several times has been how to verify if a specific installation is running a time limited evaluation copy or full blown copy. Many Microsoft products can now be downloaded and installed as evaluations and you usually can't tell the product apart at all until one day it stops functioning.
The same is true for System Center Mobile Device Manager 2008 (SCMDM 2008). From the Console if you select Help->About you can retrieve the Product ID for the installed product. The first 5 digits are called the Microsoft Product Code, "MPC", and identify the product that has been installed.
This is what SCMDM 2008 RTM looks like using Volume License (VL) bits:
This is what SCMDM 2008 SP1 looks like using Volume License (VL) bits:
Please notice the Product ID field and the second grouping of 3 digits. These are the Channel ID for the media, or "CID". Using the listing on http://wiki.lunarsoft.net/wiki/Product_IDs, it shows that the second 3 digits “270” are indeed Volume Licensed bits..
If you download the SCMDM 2008 SP1 120-day TechNet evaluation copy from http://technet.microsoft.com/en-us/evalcenter/cc339027.aspx, the Help->About screen looks like this:
Notice that the second 3 digit grouping in the Product ID field, the Channel ID, is "849" in this case, not "270". It appears that some of the Channel ID numbers vary from product family to product family, so I was unable to get information on what the "849" is representative of at this point in time.. If you have more details please comment!
This article explains the details of the Product ID and various media channels on the Windows 2003 Server OS side: http://support.microsoft.com/?kbid=889713. Perhaps not directly relevant for SCMDM, but it shows more of the complexity behind the media and versions out there for other product families..
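The Help->About check above can be scripted once the Product IDs from several servers are collected. This is an added example, not part of the original post or any Microsoft tool. It assumes the usual 5-3-7-5 grouping of the Product ID; the sample IDs and host names are constructed placeholders, and only the channel IDs "270" and "849" come from this post.

```python
import re
from collections import namedtuple

# Assumed layout (the post only names the first two groups):
# MPC (5 digits) - Channel ID (3 chars) - 7 digits - 5 digits.
# Letters are tolerated in the channel group because some Microsoft
# Product IDs carry a non-numeric one such as "OEM".
PID_RE = re.compile(r"^(\d{5})-([0-9A-Z]{3})-(\d{7})-(\d{5})$")

# Only these two channel IDs appear in the post. "849" was seen on the
# 120-day TechNet evaluation copy; its official meaning was not confirmed.
KNOWN_CHANNELS = {
    "270": "volume-license",
    "849": "seen-on-evaluation-copy",
}

ProductId = namedtuple("ProductId", "mpc channel serial tail")


def parse_product_id(text):
    """Split a Help->About Product ID into its groups or raise ValueError."""
    match = PID_RE.match(text.strip().upper())
    if match is None:
        raise ValueError("unexpected Product ID format: %r" % (text,))
    return ProductId(*match.groups())


def classify(text):
    """Map a Product ID string to a channel label used by the audit."""
    try:
        pid = parse_product_id(text)
    except ValueError:
        return "malformed"
    return KNOWN_CHANNELS.get(pid.channel, "unknown-channel")


def needs_review(inventory):
    """Return [(server, reason)] for every install that is not Volume License."""
    findings = []
    for server, pid_text in sorted(inventory.items()):
        label = classify(pid_text)
        if label != "volume-license":
            findings.append((server, label))
    return findings


# Constructed inventory: placeholder MPC and serial digits, hypothetical hosts.
SAMPLE_INVENTORY = {
    "mdm-dm01": "00000-270-0000001-00001",
    "mdm-es01": "00000-849-0000002-00002",
    "mdm-gw01": "00000-123-0000003-00003",
    "mdm-lab1": "copied wrong field",
}

if __name__ == "__main__":
    for server, reason in needs_review(SAMPLE_INVENTORY):
        print("%-9s %s" % (server, reason))
```

Anything reported here is a prompt to look at that server's media source before the evaluation period runs out, not proof of an evaluation install.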
|\\arco..
As part of supporting Windows Mobile in an enterprise environment, one of the things that often will come up is what tools are available for troubleshooting..
One tool that has been around since the dawn of the first computer programs is logging. Here are a few important Windows Mobile logging tips that can be extremely helpful and save your day:
Exchange ActiveSync Device Logging
Nice write-up from Vik Thairani on how to enable the verbose logging on Windows Mobile for Exchange ActiveSync troubleshooting:
http://blogs.technet.com/vik/archive/2008/12/04/setting-up-verbose-logging-in-windows-mobile-and-parsing-logs.aspx
The log is saved in a text file in the \Windows\ActiveSync folder starting with "serverlog" and a sequential number.
SCMDM Device Management Logging
With MDM Connect Now Tool, you can enable or disable various types of logging as necessary. To enable enrollment logging on a device using MDM Connect Now Tool, select Menu, and then select Logging.
For information about MDM Connect Now Tool, see the MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.
- Enable NodeMon log - If this option is checked, the system generates a log file at \NodeCache.txt.
- Enable OMADM log - If this option is checked, the system generates a log file at \deviceupdate.log. See http://technet.microsoft.com/en-us/library/dd252860.aspx for some information on what this log can show.
- Enable Enroll log - If this option is checked, the system generates a log file at \deviceupdate.log.
- Enable Scheduler log - If this option is checked, the system generates a log file at \Application Data\Logs\Scheduler.txt.
- Enable alerter log - Generates a log file at \deviceupdate.log. If this option is checked, the system enables the following values:
  - Alerter - Search for "Rejecting packet" or "Successful push packets" in the log.
  - Nodemon InitSession
  - Nodemon configuration service provider
  - Software Distribution
  - TDET settings
Please see http://technet.microsoft.com/en-us/library/dd261878.aspx for additional details on these logs.
SCMDM VPN Device Logging
The MDM VPN Diagnostics Tool can be downloaded from http://go.microsoft.com/fwlink/?LinkID=127030.
To enable and disable Mobile VPN logging on your Windows Mobile device, run the MDM VPN Diagnostics Tool and follow these steps:
- On the Start page, select Menu.
- Select Logging.
- Select Enable or Disable.
MDM VPN Diagnostics Tool includes a Log Browser for viewing the VPN Service log file located at \Application Data\Logs\ipsecvpnpm.txt.
Network Traffic Device Logging
Sometimes the best recourse for technical troubleshooting is determining what is going on at the network level. On a Windows Mobile device this can also be accomplished.
The Microsoft Windows Mobile Network Analyzer PowerToy v1.0 can be directly downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=081c6401-49d4-4506-a03b-c41bc76c2f51&displaylang=en.
If you have a storage card inserted, Network Analyzer will write all logs under \Storage Card\NetworkLogs. If there is no \Storage Card, it will write all logs under \NetworkLogs.
To capture the network traffic (NetMon) log for analysis, run the start analyzer script in the Program directory. Run the stop analyzer script to stop the network logging.
Then you can view the .cap file in the network protocol analyzer of your choice to properly decipher all the information. I highly recommend the freebie Wireshark efforts from http://www.wireshark.org/.
An example (from http://technet.microsoft.com/en-us/library/dd252860.aspx) to troubleshoot SCMDM VPN issues on a Windows Mobile device:
- Install the Windows Mobile Network Analyzer PowerToy.
- Install MDM VPN Diagnostics Tool.
- Start MDM VPN Diagnostics Tool, select Menu, and then disable VPN.
- Make sure that you can browse the Internet using Internet Explorer Mobile through your WiFi or Mobile Operator (carrier) data connection.
- Start the Windows Mobile Network Analyzer PowerToy to capture network traffic on the device.
- Enable VPN using MDM VPN Diagnostics Tool.
- When the VPN connection fails, stop capturing network traffic, and save the trace file.
- View the VPNDiag report and the ipsecvpnpm.txt file from the device.
For more information, view the readme file that accompanies the Windows Mobile Network Analyzer PowerToy.
|\\arco..
My esteemed colleague from Enterprise Mobile, Dave Field, has published a new fabulous white paper titled "Windows Mobile Application Security Configuration for Enterprise Deployments".
It recommends how enterprises can take advantage of the powerful security features of Windows Mobile to defend against malicious and unsupported application use. Taking a very pragmatic approach, Dave outlines how various features work and how to implement them.
Specifically, it covers the security features of Windows Mobile, such as certificates, roles and the actual policy configuration values themselves.
The 47 page white paper is available for download on this website, at http://www.enterprisemobile.com/resources/white-papers.htm after filling out a quick form.
A recommended read for any IT professional interested in better managing security on the Windows Mobile platform!
|\\arco..
This is a brand new feature of SP1 of great interest in an enterprise implementation. This mimics the similar Exchange and Windows Mobile device functionality, but without the need for any Exchange requirements. With this feature, end users who have forgotten their device password or PIN can recover (without wiping the device) and set a new device password or PIN. In this posting I will dive a little deeper and show how this all works on both the server and client side.
Overview
As nicely stated in the MDM Password Reset Client v1.0 download overview:
"MDM Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM. Password reset in MDM 2008 Service Pack 1 (SP1) enables a user who has forgotten his or her Windows Mobile device password to reset it by using MDM.
Password reset is supported on Windows Mobile 6.1 devices, starting with version 6.1.4. To use the feature, you must install the .cab file on the user’s Windows Mobile device as well as enable the feature in MDM by using Group Policy.
To reset the device password, the user chooses the password reset option, resets the device password, and then enters a one-time recovery password on the device to complete the process. The recovery password is stored on MDM servers and retrieved by the user when she or he has forgotten the device password."
What is required?
Even though the client patch description mentioned above states it is first supported on Windows Mobile 6.1.4 or above devices, the patch appears to install on some of my 6.1.1 devices. But "your mileage may vary" (YMMV) as they say.. The patch, available here, can be manually installed, but with MDM handy why not deploy it out directly! Please note the installation failures on the devices that are below the 6.1.1 levels.
You also need the SCMDM 2008 SP1 installation on the back-end. Especially the changes on the DM server, SQL tables, and Self Service Portal (SSP) if you wish to use that for retrieving the reset password.
How it works:
Once the client patch is installed on the device and the device is locked with a PIN, this triggers the local generation of a password reset key. After 2 cycles of traffic to and from the Device Management server, that recovery password will have been uploaded to the SCMDM side and be available for use. This can be verified with a cmdlet or on the MDM console by seeing that the "Display Recovery Password" action is no longer grayed out on the right hand side of the screen when a managed device is selected:
More details can also be found here on the overall user experience of this feature: http://technet.microsoft.com/en-us/library/dd252841.aspx
Client Functionality
These are actual screen-shots of a managed device that has the client patch installed.
In a locked state, the "Reset Password" option is no longer grayed out, suggesting that the password reset key has been uploaded and is ready to use:
After the "Reset Password" option is selected, a confirmation appears that the user can indeed retrieve the recovery password from an administrator or help desk.
It will then let the user create a new password, using the same requirements that might have been enforced on the device.

Now the user must contact the administrator or help desk. In this example the administrator clicks on the "Display Recovery Password" in the MDM console and is shown the 20 digit Recovery Password that the device has uploaded into the MDM database.
The user must type in the 20 digit recovery password to validate the new password.
If there is a match with the recovery password stored on the device, the new password is granted and the device is unlocked!
Instead of the MDM console, the MDM Self Service Portal (SSP) could have been used. It also has a "Display Recovery Password" button at the bottom which will display the 20 digit recovery password:
The Password Recovery feature in the SSP is selectable by the administrator to be made available on the web site just as the Device Wipe and Device Enrollment features. Please see more information available here: http://technet.microsoft.com/en-us/library/dd261796.aspx.
Password Recovery References
SCMDM Cmdlets: http://technet.microsoft.com/en-us/library/dd261726.aspx
SCMDM User Experience: http://technet.microsoft.com/en-us/library/dd252841.aspx
Windows Mobile 6.x AKUs: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/31/windows-mobile-6-x-akus.aspx
Windows Mobile 6.1.x Upgrades and Build Levels: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/24/windows-mobile-6-1-x-upgrades-now-available.aspx
|\\arco..
"What is an AKU and why is it important to me?" you might ask yourself.. As stated nicely here:
"Microsoft creates updated builds of the Windows Mobile operation system called Adaptation Kit Updates (AKU). These releases are rarely intended directly for consumers, and are usually a result of some extra features or fixes required by a particular Windows Mobile device. For example, if an OEM (Original Equipment Manufacturer) decides to add a new kind of external keyboard to a Windows Mobile Pocket PC, then some extra driver code will be required - in that case, Microsoft creates an AKU to drive the hardware."
So different levels of the OS could have different features, patches and updates. For an enterprise environment this is of course very relevant to determine issues and resolutions for problems.
How to find the Build and AKU number?
On a touch screen Professional/PocketPC device go to: Start->Settings->System tab->About.
On a non-touch screen Standard/Smartphone device go to: Start->Settings->More->About.
The AKU version is also stored in this registry key: HKLM\SYSTEM\Versions\Aku.
The AKUs are numbered incrementally after the Build number. See the table below for more details and known WM 6.1 builds. It is not meant to be a complete overview.
| OS | Build Number | AKU | Details |
| | | | |
| Windows Mobile 6.0 | | | Codename: Crossbow |
| 5.2.318 | Build 15341.0.0.0 | AKU 0 | RTM |
| 5.2.1235 | Build 15341.0.0.1 | AKU 0.0.1 | |
| <snip> | <snip> | <snip> | |
| 5.2.? | Build 18550.0.7.4 | AKU 0.7.4 | |
| | | | |
| Windows Mobile 6.1 | | | Codename: Crossbow "Yona" Client? |
| | | | |
| 5.2.19202 | Build 19202.1.0.0 | AKU 1.0.0 | RTM |
| <snip> | <snip> | <snip> | |
| 5.2.19559 | Build 19559.1.1.0 | AKU 1.1.0 | SCMDM 2008 SP1 Password Reset possibly functional w/Patch install |
| <snip> | <snip> | <snip> | |
| | | | |
| Windows Mobile 6.1.4 | | | Codename: Crossbow.IE6 or 6on6? |
| 5.2.20757 | Build 20757.1.4.0 | AKU 1.4.0 | RTM, SCMDM 2008 SP1 Password Reset Patch included - officially supported |
| | | | |
| Windows Mobile 6.5 | | | Codename: Crossbow.x? |
| Future | Future | Future | |
| | | | |
A listing of older WM 5 and WM 6 AKUs is posted here. And don't forget my previous postings of Windows Mobile 6.1.x Upgrades and Build Levels. :-) That gives a good overview of some of the devices out there and their AKU level.
What is important is knowing the AKU level for specific SCMDM features. In particular the MDM Password Reset Client feature, which can be downloaded from here: http://technet.microsoft.com/en-us/scmdm/cc304591.aspx.
I will go into more details on this feature in my next posting.
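To apply the table to a whole fleet, the About-screen strings can be parsed and compared against the two AKU levels noted above for the MDM Password Reset Client. This is an added example, not code from the original post or from Microsoft; the device names are hypothetical and the sample fleet is constructed from build strings in the table.

```python
import re

# "Build 20757.1.4.0" -> build 20757, AKU 1.4.0 (the AKU follows the build number).
BUILD_RE = re.compile(r"^(?:Build\s+)?(\d+)\.(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)
AKU_RE = re.compile(r"^AKU\s+(\d+)\.(\d+)\.(\d+)$", re.IGNORECASE)

# Thresholds taken from the table above.
OFFICIAL_MIN = (1, 4, 0)  # Windows Mobile 6.1.4: officially supported
POSSIBLE_MIN = (1, 1, 0)  # AKU 1.1.0: possibly functional with the patch installed


def parse_aku(text):
    """Return (build or None, (major, minor, revision)) or raise ValueError."""
    value = text.strip()
    match = BUILD_RE.match(value)
    if match:
        build, *aku = (int(group) for group in match.groups())
        return build, tuple(aku)
    match = AKU_RE.match(value)
    if match:
        return None, tuple(int(group) for group in match.groups())
    raise ValueError("not a Build or AKU string: %r" % (text,))


def password_reset_status(text):
    """Classify one device for the MDM Password Reset Client feature."""
    try:
        _, aku = parse_aku(text)
    except ValueError:
        return "unparseable"
    # Tuples compare numerically, so 1.10.0 sorts above 1.4.0 (strings would not).
    if aku >= OFFICIAL_MIN:
        return "supported"
    if aku >= POSSIBLE_MIN:
        return "possible-with-patch"
    return "not-supported"


def triage(fleet):
    """Group device names by status for a {device: about_string} mapping."""
    report = {}
    for device, about in sorted(fleet.items()):
        report.setdefault(password_reset_status(about), []).append(device)
    return report


# Constructed fleet; build strings are the ones listed in the table.
SAMPLE_FLEET = {
    "wm-001": "Build 15341.0.0.0",
    "wm-002": "Build 18550.0.7.4",
    "wm-003": "Build 19202.1.0.0",
    "wm-004": "Build 19559.1.1.0",
    "wm-005": "Build 20757.1.4.0",
    "wm-006": "AKU 1.4.0",
    "wm-007": "Windows Mobile 6.1",
}

if __name__ == "__main__":
    for status, devices in sorted(triage(SAMPLE_FLEET).items()):
        print("%-20s %s" % (status, ", ".join(devices)))
```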
|\\arco..