I’ve been doing Windows Mobile for quite some time now and hooking devices up to Microsoft Exchange Active Sync for push email delivery, sync and notifications. It’s nothing new – been doing push email now since Windows Mobile 5.0. I’ve survived, struggled, used a variety of phone devices for years and for the most part, hookin’ them up and supporting them hasn’t been all that difficult. Sure, there were some extra tweaks for getting them to work with SBS and SSL certificates, but things are much better now. Now the new kid is on the block – Windows Phone 7. Sure – it’s targeted at Consumers, but as I’ve been saying at every event where I’ve demo’ed the various devices – it’s extremely useful in your work environment and for the most part – should fit the needs of most organizations.
So what do you do if you have someone who wants to hook up their new WP7 device to your exchange servers? What sort of resources do you have for working with, securing, managing and connecting these devices to your exchange environment? This new blog spun up with a blast of articles in December and early January – Windows Phone for IT Professionals. I’ve added it to my newsreader and have checked out the various quick articles which point to a downloadable set of resource documents. I wanted to share the blurbs and links to some articles from the blog targeting IT Pros for WP7.
The Windows Phone 7 design provides solid security through an interesting security model. Features such as requiring managed code, application sandboxing, and app certification/verification contribute to the overall security. And even though Windows Phone 7 isolates processes from each other and prevents inter-application communications, developers can use built-in cryptography to protect app data if they want. For more info, see the “Windows Phone 7 Security Model” article on the Windows Phone 7 Guides for IT Professionals page on the Microsoft Download Center.
The latest incarnation of Microsoft® Exchange ActiveSync® (EAS) provides security-related mailbox policy properties, which can be used by IT departments for security management purposes. For detailed information on which EAS policies are supported on Windows Phone 7, see the “Windows Phone 7 and Microsoft Exchange Server” article, also on the Windows Phone 7 Guides for IT Professionals page.
The Internet Explorer Mobile browser that ships with Windows Phone 7 has some great user mobile functionality, but there are also some security-oriented design features that are very useful. Because most malware threats are introduced through web browsers, reducing the attack surface of the browser wherever possible makes good sense.
From a security perspective, Internet Explorer Mobile on Windows Phone 7 always runs at the least-privileged level and operates independently of all other phone applications. It’s designed so that it can’t access data in the phone’s file system, or access information from other applications in memory. All of this helps to minimize the risk of malicious software (also called malware) attacks. For more info, see the “Windows Internet Explorer Mobile on Windows Phone 7” article on the Windows Phone 7 Guides for IT Professionals page on the Microsoft Download Center.
Microsoft developers of the Windows Phone 7 operating system created an interesting new security model, one that relies on isolating computer processes from each other and providing privileges based on need rather than hunger.
The Windows Phone OS 7.0 security model defines four different types of virtual “chambers,” each of which has different privileges and strictly defined boundaries. All applications (apps) installed from the Marketplace Hub run in a least-privileged chamber created specifically for the app, and controlled by a policy system that assigns capabilities based on what the app needs. In other words, no one-size-fits-all set of capabilities—each app gets what it needs, and when apps run they are strictly isolated from each other. So is app data—it can’t be accessed from other apps. This is a step up for app security on smartphones. For more info, see the “Windows Phone 7 Security Model” article on the Windows Phone 7 Guides for IT Professionals page on the Microsoft Download Center.
The depth of integration between Windows Phone 7 and Microsoft Exchange Server provides some really cool capabilities. Much of this integration is achieved through the Exchange ActiveSync® (EAS) protocol—version 14.0 is what ships with Windows Phone 7.
EAS emerged in the days of Exchange Server 2003, and has undergone many changes and improvements since then—and the number of EAS features has steadily increased. One noteworthy feature in EAS version 14.0 is syncing of message reply state, which makes sure that the device and the server know if any message has been forwarded or replied to from any source—Microsoft Outlook® on the desktop, Outlook Anywhere (browser), or Windows Phone 7. The document “Windows Phone 7 and Microsoft Exchange Server,” explains security features and EAS security–related policies that are supported on Windows Phone 7. These articles are now available on the Windows Phone 7 Guides for IT Professionals page on the Microsoft Download Center.
Organizations need an effective certificate infrastructure because certificates are essential to security. Windows Phone 7 trusts most major commercial certification authorities (CAs). All of these CAs and their root certificates that are pre-installed on Windows Phone 7 phones are identified in the article Windows Phone 7 root certificates. Root certificates are included in web browser applications such as Windows® Internet Explorer® and Internet Explorer Mobile because they play a significant role in Secure Sockets Layer (SSL) communications (which are used extensively in online commerce transactions on the World Wide Web). The article Windows Phone 7 and certificates discusses several ways of installing certificates on Windows Phone 7, and provides additional relevant certificate information.
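The practical question behind that blurb is whether the SSL certificate on your Exchange server chains to a root the phone already trusts. Here is an added example (my script, not from the post or the Windows Phone guides) that pulls the certificate chain your ActiveSync endpoint presents and prints the root CA so you can compare it against the “Windows Phone 7 root certificates” list. $ServerName is a placeholder; use the host name the phone will actually connect to.

```powershell
# Added example, not from the original post or the Windows Phone guides.
# Pulls the certificate chain an Exchange ActiveSync endpoint presents and
# reports the root CA so it can be compared against the WP7 root list.
# $ServerName is a placeholder; use the host name the phone will connect to.
$ServerName = "mail.example.com"

$tcp = New-Object System.Net.Sockets.TcpClient($ServerName, 443)
# Accept whatever the server sends here; the chain is examined explicitly below.
$accept = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
$ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $accept)
$ssl.AuthenticateAsClient($ServerName)
$leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
$ssl.Close()
$tcp.Close()

# Build the chain using this PC's certificate store. Revocation checking is
# skipped so an unreachable CRL does not mask the trust question this is about.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
$built = $chain.Build($leaf)

"Leaf subject : $($leaf.Subject)"
"Valid until  : $($leaf.NotAfter)"
# Names the certificate is valid for; the EAS host name must be one of them.
$san = $leaf.Extensions | Where-Object { $_.Oid.Value -eq "2.5.29.17" }
if ($san) { "SANs         : $($san.Format($false))" }

"Chain (leaf to root):"
foreach ($element in $chain.ChainElements) {
    "  $($element.Certificate.Subject)  [$($element.Certificate.Thumbprint)]"
}

$root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
if ($root.Subject -eq $root.Issuer) {
    "Root CA      : $($root.Subject)"
    "Root thumb   : $($root.Thumbprint)"
    "Compare this root against the 'Windows Phone 7 root certificates' list; a private CA (typical on SBS) has to be installed on the phone first."
} else {
    "The last certificate received is not a self-signed root; check that the server sends its intermediate certificates."
}
if (-not $built) {
    "Chain status on this PC:"
    foreach ($status in $chain.ChainStatus) { "  $($status.Status): $($status.StatusInformation)" }
}
```

One caveat worth keeping in mind: the chain is built against the PC you run this on. A domain-joined machine usually trusts your internal CA through Group Policy, so a clean build here says nothing about the phone; the root subject and thumbprint printed above are what you actually compare against the WP7 list.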
Some observations? While WP7 is a different beast, it does have similar capabilities from a connectivity and management perspective to previous generations.
- All Exchange Server communication goes over an SSL connection.
- A limited set of policies can be enforced (force a PIN, timed device lockout, remote wipe).
- Apps can only be installed from the Marketplace (except on a developer device).
- Marketplace apps must be signed and are authorized by Microsoft.
- Apps are sandboxed and isolated from each other.
- No file system access or removable media access.
A couple of things that should be noted:
- WP7 does not have S/MIME email.
- There is no on-device encryption – mitigated by app sandboxing/isolation and the lack of file system access / removable media.
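To put the policy side of that list (and the EAS mailbox policy blurb above) into something you can actually type, here is an added example of my own, not from the post or the Windows Phone guides, for the Exchange 2010 Management Shell. It creates a policy that uses only the controls listed as supported on WP7, assigns it to a mailbox, checks that the phone applied it, and shows the per-device remote wipe. The policy name, mailbox and device identity are placeholders.

```powershell
# Added example, not from the original post or the Windows Phone guides.
# Run in the Exchange Management Shell (Exchange 2010). Policy name, mailbox
# and device identity are placeholders.
$policyName = "WP7-Baseline"
$mailbox    = "user@example.com"

# 1. A policy built only from the controls the post lists as supported on WP7:
#    a required PIN and a timed lockout. Remote wipe is issued per device (step 4).
#    RequireDeviceEncryption stays off because WP7 has no on-device encryption.
New-ActiveSyncMailboxPolicy -Name $policyName `
    -DevicePasswordEnabled $true `
    -AlphanumericDevicePasswordRequired $false `
    -MinDevicePasswordLength 6 `
    -MaxInactivityTimeDeviceLock "00:15:00" `
    -MaxDevicePasswordFailedAttempts 10 `
    -RequireDeviceEncryption $false `
    -AllowNonProvisionableDevices $false

# 2. Assign the policy to the mailbox the phone will sync.
Set-CASMailbox -Identity $mailbox -ActiveSyncMailboxPolicy $policyName

# 3. After the phone's first sync, confirm the policy was actually applied.
Get-ActiveSyncDeviceStatistics -Mailbox $mailbox |
    Select-Object DeviceType, DeviceOS, DeviceID, DevicePolicyApplied, DevicePolicyApplicationStatus, LastSuccessSync

# 4. Remote wipe a lost phone: use the Identity value from step 3.
#    Left commented out so the script does not wipe anything when run as-is.
# Clear-ActiveSyncDevice -Identity "<Identity from step 3>" -NotificationEmailAddresses $mailbox
```

The one setting to watch is AllowNonProvisionableDevices. With it set to $false, a device that cannot enforce every setting in the policy is refused, so a policy that already has RequireDeviceEncryption turned on for older Windows Mobile devices will keep a WP7 phone from syncing at all. Either give WP7 users a policy like the one above or accept non-provisionable devices, and know which trade-off you made.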
Remember – this is a device targeted at consumers, that is part of an evolving platform. There are updates slated for this year (thankfully more frequent and not carrier / device specific or dependent) that will be bringing new capabilities and performance improvements to the platform.
Check out my about.me profile!
NOTE: To be completely transparent – I don’t work for the product team, but I DO have a passion around mobile devices and WILL discuss / highlight confirmed IT Pro info.