Tuesday, November 25, 2008

iPhone best for business


As reported on cnbc.com, J.D. Power have awarded the iPhone the prize as the best for business. Link here: http://www.cnbc.com/id/27575986

Read it once, then read it a 2nd time and look for the word "security". Don't see it? Me neither. Amazing!

It's merely a question of time before the bad news hits the press about someone losing an iPhone that had critical personally identifiable information on it, with no way of wiping it, recovering the data or doing anything but waiting for bohica to hit. IMNSHO, that's when it's really going to hit the fan.

And thanks to my colleague, Chris de Herrera, for passing these 2 links through to me on why the iPhone isn't going to be 'business ready' any time soon:

Why iPhone 2.0 won't yet rule the roost in the enterprise. The 13 key omissions Apple must fix before it can really compete with BlackBerry and Treo - http://www.infoworld.com/article/08/07/24/30TC-iphone-enterprise-flaws_1.html?source=fssr

Reports are that these items are still not fixed.

iPhone 2.2 update doesn't fix key business flaws - http://www.macworld.com/article/137070/2008/11/iphone_business.html?lsrc=rss_main

Thursday, November 20, 2008

Another resounding SPLAT!

Interesting article in this week's Business Week entitled "The Only True SmartPhones" by Stephen H. Wildstrom.

Link here: http://www.businessweek.com/magazine/content/08_47/b4109000821845.htm?chan=technology_tech+maven+page+-+new_this+week%27s+column

Coming from his perspective - that of user and consumer - I'd agree with him. He makes a number of points, which when viewed solely from the user perspective do indeed possess a high degree of validity and merit.

I just did a quick search on his article looking for the word "business". Didn't find it. Hmm. Isn't this Business Week?

Tried the same thing with "Enterprise". Nope. Struck out.

Because of this he has entirely missed the point of WM (+SCMDM). It's an enterprise product aimed at the business user, period. Everything he points out as being detrimental to the user experience is addressed by a properly managed device (for example, you only want your users to have Opera? Great! You control whether it's there or not - not the OEM's and not the Carriers).

The only way for a SmartPhone to be accepted as a business-class device and as the wonderful business tool that it is, is for it to be treated as such. This means having the capability to manage it exactly as you would a laptop or desktop - exactly as MS have done through SCMDM.

It also means that a SmartPhone must be trusted to the same degree as a laptop or desktop. Without having the mechanism for secure access to mission critical resources beyond just email, a SmartPhone is merely another useful gadget. Given trusted access to, say, a CRM or Sales-Force Automation-type application, however, and it suddenly becomes an immensely powerful tool which also permits the enterprise to save significant $'s - which, given the current climate, is of paramount importance.

As for the huge weaknesses in both the iPhone and Blackberry, well, again this is completely overlooked because of being viewed from the wrong perspective.

iPhones are beautiful consumer devices. No security (to speak of), therefore unusable in the enterprise. I'd go as far as saying that any mention of the iPhone is simply inappropriate and misplaced in a business-targeted article such as this. It's not a business tool and any attempt at making it so is going to be as successful as every other attempt to put a round nail in a square hole. On the other hand, SCMDM was built with security baked in, therefore there's no need to try to add it on later.

And as for BlackBerry, Business Continuity is one of the key drivers for the enterprise and, in addition to failing to scale to the enterprise, BlackBerry introduces 2 horrible single points of failure: the 1st being the NOC itself, which has a tendency to go down every time MS makes another announcement on Mobility, and the 2nd being the BlackBerry Enterprise Servers (BES) themselves, which have no failover or redundancy capability. SCMDM has neither of these weaknesses, meaning that it is now viable to consider the SmartPhone an enterprise-class device.

I hope that as the paradigm continues to shift - as it must, given that the domestic (US) market is effectively saturated with little room for differentiation between the various consumer products - authors such as Mr Wildstrom come to recognize that mobile phones can only truly become enterprise-class devices when they are treated as such. This is exactly what Microsoft have done with Windows Mobile 6.1 and SCMDM.

Sunday, November 16, 2008

New words entering the English language

Bought a phone recently?

There's a lot of stuff on it that you don't want, isn't there? Especially the stuff that the carriers want you to click on and maybe sign up for (can we say "Cha Ching"?).

True, there's some useful stuff (like AT&T's GPS service. If you want to throw away $9.99 a month then knock yourself out, but it's easily hacked - hint do a search on BlackJack II Hacks. You'll find it) but it's all aimed at the consumer and is an inconvenience to the enterprise. Or ringtones - everyone should spend $3-$5 on a happy little tune instead of uploading the .mp3 of your choice. Yes, I'm being sarcastic.

Hence the creation of two new words. Credit goes entirely to Scott Bedrick of Pfizer.

(Noun): Crapware. Everything that's put out there purely for generating revenue for the carriers.
(Verb): Decrappify. The process (ideally automated) of removing all the crapware that really shouldn't be there in the first place.

We're living in interesting times, folks. Either they're enterprise devices or they're not - and I emphatically come down on the side that says they are.

It would be no more acceptable to get laptops sourced with a whole bunch of crapware on them (OK, so the manufacturers do this with the consumer market, but they know better than to try that with enterprises).

The paradigm is shifting. This is a very cool place to be!

Wednesday, November 5, 2008

Quantum Cryptography is here!

Very, very, very cool!


Free Exchange2007 Book

Thanks to Michael Francis from simple-talk.com for letting me know about the free Exchange book they're giving away, Sybex’s Best of Exchange Server 2007. Link here: http://www.simple-talk.com/exchange/

Did I mention 'free'? OK, there's no free lunch. You sub to their monthly newsletter in return for getting the book, but from what I've seen the articles are well worth reading, so it's win-win.

Tuesday, November 4, 2008

Webcast w/AT&T

I'll be doing a Microsoft Webcast on Nov 18th with AT&T. This ties into their SCMDM service offering that was announced back in August.

· Title: Microsoft Webcast: How to Take Advantage of Windows Mobile to Enhance Productivity in Your Organization (Level 100)
· Presenter: Patrick Salmon
· Webcast Length: 60 minutes
· Date/Time: 11/18/2008 1:00:00 PM PACIFIC

Attendee Registration URL:

Friday, October 24, 2008

Sorry, Bob. Not this time

Robert X. Cringely, whose articles I've read for years and whose perspective I have thoroughly enjoyed, just put this article out basically stating that Windows Mobile is dead.

Link here: http://www.pbs.org/cringely/pulpit/2008/pulpit_20081023_005500.html

His premise is that in a market which will become more and more competitive (d'uh!), there won't be room for WM. It'll simply be squeezed into non-existence.

Based on the reasoning in his article I'm inclined to agree with him.

Where he's missed the point is that WM is so much more than that. WM vs iPhone vs RIM vs Android is a stretch as an apples-to-apples comparison.

RIM won't scale without killing you.
iPhone is a wonderful product that is not designed for the enterprise. Period.
Android? Remains to be seen.

Each has worth and considerable standing in its own right. None of the above has a genuine enterprise-oriented focus.

WM + Yona is a truly tremendous combination and he speaks not one word to the real needs of the enterprise-focused technology which addresses real business needs.

Nice try, Bob. Thanks for playing.

One of us is wildly wrong, and I don't think it's me.

Friday, October 17, 2008

iPhone and Security

Interesting article: http://blogs.securiteam.com/index.php/archives/1148

Also worth noting on that site is the list of 'sploits and issues on the right hand side of the screen. Runs the gamut of pretty much everything. Good resource and worth book-marking.

Tuesday, October 7, 2008

Hotel wireless

Apart from the $10-$15+ fee per day that many hotels hit you with, here's another reason why tethering your WM phone (or using an AirCard) is a much more cost-effective and secure means of conducting business when on the road.

A study from the Cornell University School of Hotel Administration found that most hotels do not take adequate security precautions on the Internet connections they provide for their customers. The study compiles data from 147 written survey responses and from visits to 46 hotels. Twenty percent of the hotel networks use simple hub topologies, making them unsecured networks. Most of the other hotel networks channel guest traffic through switches or routers, which are more secure than hubs, but still make users susceptible to man-in-the-middle attacks. The researchers recommend that the hotels set up Virtual Local Area Networks (VLANs) to best protect guests from Internet threats.

Monday, October 6, 2008

Gartner Symposium ITExpo 2008

Link here: http://www.gartner.com/it/sym/2008/sym18/sym18.jsp

I'm doing a session on Weds (13th) on WM/SCMDM Adoption. Have built considerably on the vs. RIM Migration session webcast that I did back in March and have some seriously good comparative numbers to share - this is the content that MS Legal wouldn't let me share publicly before because it required data from 3rd parties that they couldn't (easily) get permission to use.

Got a boatload of cool info from Palm to work with on WM and the stuff they're doing, too.

Oh, and I'm looking for someone to come out and play golf with me Thurs at Falcon's Fire (and no, neither I nor EM are picking up your tab).

Friday, September 26, 2008

Great pricing on Redfly

Announced today, Celiocorp (http://www.celiocorp.com) are releasing a limited quantity of Redflys at $199 ea through Oct 31st. Great deal.

I lurv my Redfly. It's incredibly useable.

Available here: https://store.enterprisemobile.com/

What the good guys (and the bad ones) are doing to get at the data on your phone

John mentioned CSI Sticks in the Network World article. Worth reading more on to educate yourself a bit about what they do:


Available here: http://www.csistick.com/. Note the list of devices isn't that large.

Even better (or worse, depending on your viewpoint) is this: http://www.cellebrite.com/.

So, the onus is more and more on the people implementing and supporting mobile phones in the enterprise to educate your users.

The greatest risk is, imo, human. Social engineering is a long-standing practice which gets used a lot for the simple reason that it works.
If I'm sitting next to you in the airport and ask to borrow your cellphone to let my wife know that my flight is delayed, the probability is really high that you'd agree. Where's the harm, eh?

If, however, you're not educated to the risks and make the simple mistake of not treating a corporate resource appropriately - exactly as you would, or rather should do with a laptop - you're opening the door to the bad guys.

4 Steps to take control of your mobile device

Hot off the press from Network World (hard copy comes out next week). Mighty quick, as John only interviewed me on Monday for contributing to this piece. He's done a good job of getting the salient points out:

4 steps to take control of your mobile devices
Managing every iPhone, Android device and connection is key, wireless experts say
By John Cox, Network World, 09/25/2008

If you've ever let a stranger borrow your corporate smartphone, you may have just given him a gift of your company's data.
The reason: he might have palmed a small USB device called the CSI Stick, and surreptitiously plugged it into your phone. The device can drain every bit of data from a cell phone in seconds, says Patrick Salmon, a mobility architect for Enterprise Mobile, a technology services company that specializes in Windows Mobile deployments.
Increasingly, companies want to give mobile or field-based employees direct, instant access to critical corporate applications previously accessible only from a desktop. To do so, existing security, authentication and management infrastructures have to be extended and adapted so that mobile devices, along with their data and wireless connectivity (cellular or Wi-Fi), are managed as surely and fully as desktop PCs.
But that's not the case in many mobile deployments today, according to consultants who, like Salmon, specialize in working with enterprise customers. "What we see is an ill-defined policy regarding devices," says Dan Croft, president and CEO of Mission Critical Wireless, a technology services company that specializes in mobile deployments.
Often personal handhelds are granted wireless access, something that would never be allowed with a personal computer, creating security vulnerabilities, manageability challenges and tech support burdens, Croft says. Companies don't plan beforehand about how to handle lost, stolen or broken devices, or the data on them. "IT needs to get control of wireless [mobility] within their company," he says.
Taking control falls into four broad areas, says Jack Gold, principal of J. Gold Associates, a mobile consulting company: securing and managing every device; managing every connection; protecting every piece of data; and educating every user.

Securing and managing every device
Mobile devices, whether bought by the company or by the individuals, are accessing company networks and company data. Device security and management are closely intertwined, because you have to be able to monitor the devices in order to enforce policies.
In most cases, practitioners recommend standardizing on two or three mobile device models, minimizing the support, security and management challenges. "Other smartphones [brought in by users] might not be capable of supporting your specific security and administration policies," Enterprise Mobile’s Salmon says.
Using mobile device passwords or PINs is advised. "If your enterprise doesn't enforce a password policy on those devices, you might as well stop with all your [other] security measures," Croft says. Salmon favors PINs, coupled with a limit on the number of access attempts. After that number, the next attempt triggers an automatic lock or wipe of the handheld.
Enforcing effective passwords is one of the essentials at Florida Hospital, in Orlando, where wireless notebooks are widely used by staff and nurses, along with BlackBerry devices for e-mail. The hospital also is exploring what's involved in granting access to clinical systems from physicians’ smartphones.
The hospital enforces regularly changed passwords (a function of its enterprisewide identity management infrastructure), up-to-date antivirus software and some ability to remotely wipe data from mobile clients, says Todd Franz, associate CTO. "We see the need to protect the data on these mobile devices just as much as we do on a desktop PC," he says.
On selected notebooks, the hospital also uses the CompuTrace service from Absolute Software, a kind of "LoJack for laptops." A stolen computer can be traced and tracked down. Franz won't say how often hospital laptops have been stolen, but the hospital has successfully resolved 100% of the cases involving CompuTrace-protected laptops. According to some accounts, 10% to 15% of all mobile devices go missing.
Consider using comprehensive device management applications such as Sybase’s Afaria, Credant's Mobile Guardian, Nokia's Intellisync, Microsoft's System Center Mobile Device Manager, and others from the likes of Checkpoint and Trust Digital, to name just a few. These policy-driven suites blend monitoring and enforcement capabilities focused on mobile clients, and typically work with back-end authentication and other servers.
It's also important to have the ability to wipe, lock or kill any mobile device that’s stolen, lost or unaccounted for on a moment’s notice, including its SD card if it has one. A network manager should be able to issue a command that locks a device until the right password is used, wipes or deletes some or all of the corporate data on it, or shuts it down entirely, Croft says.

Managing every connection
"These connections are a pretty significant exposure if they're not done right," Gold says. "Don't leave it up to the end users."
These practitioners favor enforcing VPN connections with IPSec for mobile deployments. "SSL, which uses TCP port 443, is the path of least resistance," Enterprise Mobile's Salmon says. "I consider this the weaker of the two options." That's chiefly because while the target server has a certificate and is trusted, the SSL client is not. IPSec requires that ports have to be specifically opened, but both ends of the connection have certificates, he says.
A related issue is allowing mobile devices to connect only if they pass muster. Is the antivirus software up-to-date? Is the VPN active? Is the Wi-Fi connection from a public hotspot?

Protecting every piece of data
Selective data encryption should be an essential item in any mobile deployment.
With a managed mobile device, you can distribute and enforce encryption policies for specific data. "Document folders, your e-mail in-box, user data, contacts, certificates, and so on as the kinds of things that should be encrypted," consultant Gold says. Also consider encrypted or encryptable removable storage devices, such as high-capacity SD cards, he says.
"Unless you're in a 'James Bond environment,' most encryption levels will give you far more security than sending an unencrypted e-mail over the Internet, which happens all the time," Croft says.

Educating every user
"Few companies educate end users on the proper procedures and policies to safeguard [mobile] corporate assets," Gold says. "Get the users on your side."
"The greatest vulnerability is human," Enterprise Mobile's Salmon says. "If a stranger asked to borrow your laptop for five minutes to check his stock portfolio, you'd say 'No!' because you've been educated about the risks. There's no way you're going to let a stranger use your laptop. The same thinking has to apply to your mobile phone."
To school its nurses in mobile technology, Florida Hospital relies on trainers who also have been, or are, nurses. "They speak the same language as the users," Associate CTO Franz says. "We try to keep IT people out of the way of this training, because they do not speak the same language."
Franz makes a key point about nurses and mobile technology that's relevant to all such deployments. "People don't go to nursing school to become a clerk-typist," he says. "They go because they want to help people. Technology can assist them in doing that."
Acceptable use policies should be short and to the point, otherwise they won't get read. Training should cover all the elements (explaining the device, applications and intended usage), says Alphons Evers, global solutions manager with the mobility practice of Getronics, a global IT services company.
Educating users means being willing to be educated yourself. Franz says Florida Hospital discovered that one major problem facing nurses with wireless laptops was finding enough convenient surface space with electrical power so they could be recharged, and finding a lockable locker or drawer to store the laptops when not in use. That was one aspect of mobility that hadn’t been anticipated.

Sometimes the technology advances are really slow...

In fairness, I'd add that if used as a projectile the iPhone could be every bit as effective as a rock. They need to work some on ruggedizing it in order for it to go beyond 'one-time use', but the destructive potential is definitely there.

Tuesday, September 23, 2008

Exchange Connections, Fall 2008

If you're interested, I'll be speaking at the up-coming Exchange Connections conference in Las Vegas (ptooey) in November.

Link here: http://www.devconnections.com/shows/FALL2008EXCH/default.asp?s=124

Much as I despise Vegas with a vengeance, and will plan on getting in as late as I possibly can then leaving in great haste, the conference itself is something I'm really looking forward to.

Coming from a very strong Exchange background, it's going to be a heck of a lot of fun to educate folks in just how powerful and enabling MDM is. It's a beautiful complement to the neat things you can do with both Exchange and OCS and ties things in together neatly.

Here are my session outlines:
EXC13: SCMDM and Exchange: Is there Room for Both?
Like Exchange, SCMDM 2008 has numerous policies which the administrator can apply to the Windows Mobile device. At first glance it may appear that there’s considerable overlap, thus making it hard for the decision-maker to make the best choice for their organization. This session is aimed at the Architect, designer, and implementer who is looking to put the best solution in place for their organization and will highlight the differences and commonalities between both products.

EXC14: Fitting SCMDM into Your Exchange Environment
Exchange is the "quick hit" Line of Business (LoB) application for SCMDM. Most customers when discussing provisioning, supporting, and managing Windows Mobile in the enterprise will look to Exchange as being the primary application that they’ll want to make available to their Windows Mobile community. This session is aimed at covering the key issues when it comes to planning, deploying, and scaling SCMDM in order to successfully integrate it with Exchange in your environment.

EXC15: Security Lessons Learned for OCS, Exchange, and SCMDM Deployment
While taken from the numerous challenging customer scenarios encountered during the SCMDM 2008 TAP, the lessons shared here are equally applicable for those deploying OCS and Exchange Edge servers into the perimeter network. The hardest part of working with any security team is getting a Windows Server 2003 server into this exposed and potentially high-risk zone. This session is aimed at helping you, as someone tasked with equal responsibility for protecting the enterprise, to work with security, networking, and firewall professionals on the basis of presenting them with solutions instead of challenges.

Accessing production resources from your test environment

Comes up a lot. "I'm standing up MDM in the lab but really want to be able to get at (insert LoB here. Usually Exchange, but it can be anything)".

Makes perfect sense and adds a lot of validity to your testing. Plus, it means that if you're getting at your production email then you're more likely to actually use it, rather than have to carry a 2nd device solely for the purposes of kicking the tires.

My experience has been that the novelty wears off very quickly for customers if they don't have a genuine motivator to encourage usage, and putting their production email on the test device is a very good way of achieving this.

It's actually extremely easy to do (so long as you have buy-in from your Security and Firewalls team since they're the ones who have to approve this and make it possible to work).

The simple fact is that once an MDM device has connected to the MDM Gateway it has access from that point onwards to anything you choose - it comes down to whether (a) the host can be resolved (usually through DNS) and (b) there's a route from the VPN pool of addresses through the internal firewall to the target host.

The above image shows how it works giving Exchange (2K3-SP2, E2K7-RTM or E2K7-SP1) as the example of the target LoB host(s) in your Production environment.

On the left hand side you have your QA environment where you've stood up the MDM components (and requisites, like SQL, WSUS & CA). Completely separate from this is your Production environment where the Exchange mailboxes reside.

The device, once enrolled, will be managed from your QA environment. That's the left arc, showing the DM pushing down policies and .cab files. The user's mailbox and corresponding AD User object, however, are located in the other domain.

All that the device has to do in order to access Exchange is, as detailed above, resolve the mailbox server and be able to route to it, following the right-hand arc/flow.

Client authentication takes over from this point, either with the user credentials being passed through the IPsec connection within an SSL tunnel, or the certificate being passed through via the same route. Very easy. Beyond MDM providing the transit route between the device and the GW, everything else is handled by the internal resolution/routing/authentication mechanisms.

That's why I refer to MDM as an enabler - it enables things like this very, very easily indeed. The Admin intervention is negligible, beyond getting the approval and active participation of your Security and Firewalls/Routing team.

Secondly, this highlights also just how low impact MDM is once it's in[1]. Nothing needed to be added since the MDM infrastructure is in place and the device can securely connect; all that was required was to ensure the device could get at the target host. Easy, eh? :-)

[1] OK, so I'll admit that getting it installed and working is a biotch, but once it's there everything else really is extremely easy indeed.
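The two conditions above, (a) name resolution and (b) a route from the VPN pool through the internal firewall, can be checked against a proposed rule set before the firewall team applies it, along with whether any permit opens more of Production than the one intended host. This is an added example, not part of the original post or of MDM; the hostnames, addresses, port 443 and the first-match rule format are constructed assumptions.

```python
"""Pre-flight audit: can lab-managed devices reach the production LoB host,
and do the firewall permits expose anything beyond it?

All names, addresses and rules below are constructed sample data.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source CIDR
    dst: str              # destination CIDR
    port: Optional[int]   # None means any TCP port


def check_target(name, port, dns, rules, vpn_pool):
    """Return 'ok', 'no-dns', 'blocked' or 'partial' for one intended flow.

    Rules are read top-down, first match wins, with an implicit deny at the end.
    """
    pool = ip_network(vpn_pool)
    if name not in dns:
        return "no-dns"                        # condition (a) fails
    dst = ip_address(dns[name])
    for r in rules:
        src_net = ip_network(r.src)
        if dst not in ip_network(r.dst) or r.port not in (None, port):
            continue                           # rule does not cover this flow
        if pool.subnet_of(src_net):            # rule covers every pool address
            return "ok" if r.action == "permit" else "blocked"
        if pool.overlaps(src_net):             # only part of the pool matches
            return "partial"
    return "blocked"                           # condition (b) fails


def overbroad_permits(rules, dns, targets, vpn_pool):
    """Indexes of permit rules that give the VPN pool more than the intended
    host/port pairs. Shadowing by earlier rules is not evaluated here; this
    lists rules to review, not effective reachability.
    """
    pool = ip_network(vpn_pool)
    wanted = {(ip_address(dns[n]), p) for n, p in targets if n in dns}
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit" or not pool.overlaps(ip_network(r.src)):
            continue
        dst_net = ip_network(r.dst)
        exact = (dst_net.num_addresses == 1
                 and (dst_net.network_address, r.port) in wanted)
        if not exact:
            findings.append(i)
    return findings


# Constructed sample data -------------------------------------------------
VPN_POOL = "10.50.0.0/24"      # addresses handed to devices by the gateway
DNS = {"mail01.prod.example": "10.10.20.15"}   # what the device can resolve
TARGETS = [("mail01.prod.example", 443), ("crm01.prod.example", 443)]
RULES = [
    Rule("permit", "10.50.0.0/24", "10.10.20.15/32", 443),  # intended flow
    Rule("permit", "10.50.0.0/24", "10.10.0.0/16", None),   # far too broad
    Rule("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

if __name__ == "__main__":
    for host, port in TARGETS:
        print(host, port, check_target(host, port, DNS, RULES, VPN_POOL))
    for idx in overbroad_permits(RULES, DNS, TARGETS, VPN_POOL):
        print("review rule", idx, RULES[idx])
```

With the sample rules, the mailbox server is reachable but the second permit also lets every device in the pool reach the whole 10.10.0.0/16 range on any port, which is the kind of rule to tighten before asking Security to approve the path.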

Sunday, September 7, 2008

Converting videos captured on your WM6.1 Phone

Just ran into this problem myself and as I found the fix it makes sense to pass on:

The default file type of a video file is .3gp... whatever the heck that may be. Copy the file across to XP or Vista and it doesn't have a clue what to do with it. Same thing if you take the "do you want to search the internet?" option.

To cut to the chase, I found a freebie converter (one of many) that works really well. Free. No need to sign up for anything, no need to subscribe and get a gazillion unwanted emails.

Link here: http://www.dvdvideosoft.com/products/dvd/Free-3GP-Video-Converter.htm

Thursday, August 28, 2008

Tuesday, August 26, 2008

Ooooh! Cat fight!

MSN posted yesterday on "The 11 things we hate about iTunes". Link here: http://tech.msn.com/products/articlepcw.aspx?cp-documentid=9372475

Not to be out-done, MacWorld riposted this morning: http://tech.msn.com/products/articlepcw.aspx?cp-documentid=9372475

Pretty entertaining reading. Doesn't change my nsho that trying to use iTunes in the enterprise to push other stuff down is just plain silly.

IMO, the bestest thing to evah come out of Apple was the product code name "BHA". MS come out with some good ones (Yona et al being case in point), but they'd really have to go some to top that one. Link here: http://en.wikipedia.org/wiki/Apple_Inc._litigation#Libel_dispute_with_Carl_Sagan

Thursday, August 21, 2008

MDM Troubleshooting

This should probably be a faq entry.

What I'm observing on the MDM Forum is a common thread of issues that folks are encountering. MS have done a tremendous job with this product in easing the installation and implementation process, plus hiding just how many complex tasks are being carried out behind the scenes, but because there are so many dependencies it's comparatively easy to get wrapped around the axle.

Jarrett Renshaw of MS (you go, Jarrett!) posted a great troubleshooting article on the MDM Team blog the other day. Very well worth checking out. There's an onwards link to it below.

Today I added a post to the MDM Forum that links this plus gives some other useful things to work through in parallel.

And you also get back to the bottom line of this particular product that you can't get away with downloading the executables and then fire up setup - well, you can, and many have tried but I'll guarantee nobody's had it come straight up for them when this approach is taken.

Most of us have had to fight against the (bad) habit of not referring to documentation until we absolutely have to. Stubborn pride, I guess, and yes I am equally guilty of doing this. With MDM all the information you need is there and must be referenced first. I can't stress enough the importance of taking the time to go through the Planning Guide in detail and leverage the heck out of the BPA.

Link here: http://forums.technet.microsoft.com/en-US/SCMDM/thread/557b52cc-0091-43f2-b4c1-bf49ae446c4f

Jott for Outlook

Very cool. Now you can add calendar appointments and tasks direct to Outlook through Jott. Much, much prettier than the kludgy way I was doing this before by using Jott to create appointments in my Google Calendar and then having it two-way sync (see earlier post on texting and driving on how to do this).

BTW, now they've gone out of beta this is part of a number of pay-for options they're introducing. $15/mo seems a bit high for Pro, but the $3.95 deal may be worth it. The jury's out on that one. I use it a lot, but certainly not enough to justify almost $200 in recurring annual costs.

The free service is still there and well worth it, even if it is now ad-supported :-(.

The kicker to this remains that your Security people may have some heartburn over you making a corp resource accessible externally. Actually, no, I'll re-phrase that: they will have some major heartburn, so watch out that you're not contravening a corp policy.

Link here: http://jott.com/jott/jott-for-outlook.html

Tuesday, July 22, 2008

Planning on going to the Olympics?

From today's SANS Newsbites (http://www.sans.org/):

--Gordon Brown Aide's BlackBerry Stolen on China Trip (July 20, 2008) An aide to UK Prime Minister Gordon Brown fell prey to a likely "honeytrap" scheme in January when his BlackBerry phone was stolen after he brought a woman he met at a disco in China back to his hotel room.
The aide was accompanying the PM on the trip; he reported the device missing the next morning. Officials suspect the incident was orchestrated by Chinese intelligence. It was not disclosed whether the device held top-secret information, but even so, it could potentially be used to gain access to the Downing Street server. Blackberrys used by Downing Street staff are password-protected but most are not encrypted. The aide has been informally reprimanded.
[Editor's Note (Ullrich): A nice reminder to leave electronic devices at home when traveling abroad. And if you are geek enough to take them, being all for sudden popular with women is a dead giveaway for an intelligence operation.
(Northcutt): Classic! If you know anyone going to the Olympics, please share this story with them and suggest they leave their laptops and other electronics at home. This will be a field day for Chinese intelligence gathering. They have been targeting people and are quite
(Paller) Or take "travel-tops" and "travel-phones" that are throw-aways without sensitive data or access to sensitive systems.]

I especially liked the comment "being all for sudden popular with women"! That one raised a chuckle.

Unless the Chinese telcos block the IPsec ports then this probably couldn't happen with a WM6.1 device running under SCMDM, and better yet you'd be able to wipe it remotely to eliminate the risk of compromise[1]. If the VPN comes up you're golden.
And as for the bit about Gubmit employees using phones that aren't encrypted, that's a bit of a shocker. WM6.1 would have taken care of that nicely, too.

Better would be using your phone with a Redfly (what the editor referred to as a "travel-top", although I hadn't heard it called that before). No need to take your laptop with you at all. Link here: http://www.celiocorp.com/

[1] Not the same kind of compromise as the article speaks to ;-)

Wednesday, July 2, 2008

Professional news and not quite so

The title of this post is very typical of me, actually.

Hadn't seen mention of it, so I'll do it here: the MDM Team Blog is now open for business. Link here: http://blogs.technet.com/scmdm/archive/2008/06/16/welcome-to-the-system-center-mobile-device-manager-product-team-blog.aspx

Dieter's team are just wonderful and he's a great guy. They're already participating en masse in the technet forum, and I have no doubt that you'll glean some useful gems from this link also.

On the not-quite-so-professional front, here's a pretty picture:

The 17th, and signature, hole at Summerbrooke Golf Club in Tallahassee, FL. Right around the corner from where I live. Actually, it's not even 300 yds away from my front door, and I've driven by it on an almost daily basis for the past 5 yrs, but have only played the course a dozen or so times.

I aced it today.

The sweetest 7-iron you could ever hope to hit. One bounce, and it was in the hole.

I know that's the object of the exercise, but actually doing it (after a gazillion mis-starts) makes the actuality of it all come as quite a shock. A nice shock, but a shock all the same.

It's not a joke when I say it took 40 years for it to happen for me. I don't play anything like as often as I'd like to, and my dad introduced me to the game when I was about 4 yrs old.

And for the cheapskates out there, Weds at 3pm is a tremendous time to get a hole-in-one. There will be nobody in the bar.

If you want to share the joy, however, plan on coming back later (as I did).

Sunday, June 8, 2008

More new docs

MOSS Integration and a Global Deployment guide.

Link here: http://technet.microsoft.com/en-us/library/cc135653(TechNet.10).aspx

Tuesday, June 3, 2008

Free MDM tools from Enterprise Mobile

Kudos to my colleagues in Engineering (yes, even you, Mark). Announced today are a pair of very cool tools. Did I mention 'free'?

From the message Tomas Vetrovsky sent internally today:

"The purpose of releasing the utilities at no cost to the users was to demonstrate the know-how and extended knowledge Enterprise Mobile has in regard to the challenges in the mobile space to prospects, customers and the Windows Mobile community.

Both tools are available from the website: http://tools.enterprisemobile.com which is linked from our main web www.enterprisemobile.com and will be also submitted to various blogs, media etc. You can point anybody who is interested in downloading the utilities to http://tools.enterprisemobile.com where they need to provide an email address and can optionally fill in additional information about their mobile environment.

So without further ado let me introduce:

Windows Mobile IP Utility
This utility combines basic troubleshooting tools commonly available on the desktop and widely used by IT Staff and Administrators (ping, traceroute, ipconfig) with some more advanced capabilities (ping sweep, speed test) into one package that is compatible with WM 5, WM6 and WM 6.1.
Windows Mobile IP Utility enables easy troubleshooting of connectivity on Windows Mobile devices, enables and eases out troubleshooting of MS SC MDM VPN connections and even enables troubleshooting of PCs connected to the same network as the WM device i.e. WiFi network.

Windows Mobile IP Utility provides:
• IPCONFIG for all adapters on the Windows Mobile device
• PING to any host or destination
• PING SWEEP of multiple hosts within the specified range
• Traceroute to any host or destination
• Speed Test to check your connection speed and performance
• Is compatible with WM 5, WM6 and WM 6.1 devices
• Requires .NET CF 2.0 (additional install for WM 5 devices, in ROM for WM 6 and later)

GUI CAB Signer Utility
This utility provides a graphical user interface (GUI) for signing CAB files (files used for installing software on WM devices) in order to easily create secure mobile deployments. MS SC MDM requires each software distribution to be digitally signed, which may be a challenge for the Mobile Administrator using existing processes and procedures. The utility makes the signature step super easy and simple.

GUI CAB Signer Utility provides:
• Graphical User Interface for CAB signing for easier and simpler process
• Enables faster deployment through visual verification of certificate
• Can be installed on any PC running Windows XP or Vista

I would like to extend HUGE thanks to the Architecture team, specifically to Steve Catron for the CAB Signer, Koush Dutta for the IP Util, to Dave Field for writing the specs, to Chris for working on the website (over the weekend!), to Mark Riley for his suggestions and testing as well as for demonstrating the capabilities to the ATT crowd and providing very good feedback!!! The Services team was also very helpful with comments during the testing period and had great suggestions for future versions!

I am really happy to work with such a great team and now you and your customers can enjoy the same benefits by using the Utilities located at http://tools.enterprisemobile.com

Don’t forget to tell all that if they make their job easier, just imagine what happens if they hire Enterprise Mobile to help with the rest of the mobile deployment…"

I share Tomas' sentiments; Enterprise Mobile is a purty darn cool place to be in the midst of!

Oh, and make sure your Security Team know before you EVER try a ping sweep. Probably the safest way to use this is against the VPN Pool address ranges, and nowhere else - this is what it's actually intended for, so you can check for responses from connected managed devices. A wonderful capability, but one that's sure to trigger all the alarms on your HIDS and NIDS, so play it safe and get permission first.

Saturday, May 31, 2008

MDM and WM 6.1 Articles

How on earth did I forget to blog about this?

Those great guys at PocketPC mag published my article on MDM in the current edition. There's also a nice article by my colleague, Chris De Herrera, on WM 6.1

Worth checking out.

MDM: http://www.pocketpcmag.com/cms/_archives/Jun08/SystemCenterDevice
WM 6.1: http://www.pocketpcmag.com/cms/_archives/Jun08/WM6.1ANewUpdate

Interesting product dev

Looks like moves are afoot to tie the Zune (note: a very bad word in Hebrew - http://herenot.livejournal.com/29371.html) in with WM. Good move.

Oh, the 'good move' is tying it in with WM, which makes a lot of sense, and not the amusement derived from accidentally offending potential Israeli buyers.

All unconfirmed stuff, but don't be surprised when it happens. BTW I don't have any inside info on this; this is all stuff I gleaned from conversations and a brief googling - oops, I mean Live Search - session.

Links here: http://blog.seattlepi.nwsource.com/microsoft/category.asp?blogID=17&category=25 and a pretty picture here: http://content.zdnet.com/2346-12558_22-180846-5.html. Hey! That looks just like an iPho^h^h^h^h zune!

Friday, May 30, 2008

New MDM articles posted on Technet

The whitepapers “Integrating Mobile Device Manager with Microsoft Exchange Server” and “Configuring External and Internal Firewalls in Mobile Device Manager” are now live and posted to TechNet:


More coming soon. Stay tuned.

Tuesday, May 20, 2008

Links to docs

There's a slew of really good documentation (I know they're really good because I wrote some of them, plus I've worked really closely with the doc team on much of this content) on MDM now available on Technet.

This should be your starting point for everything MDM. MS have done a great job of putting together very relevant material.

More coming soon, including a series of 5 Integration Guides, all of which should be available at the link below by the time Tech Ed rolls around:
- Exchange
- Firewalls
- Global Deployments.

Link here: http://technet.microsoft.com/en-us/library/cc135653.aspx

Monday, May 19, 2008

Cool Outlook (2007) Add-ins

Hot on the heels of Xobni (http://www.xobni.com), which has now gone from beta/invite only to general release, comes GigaOM. Very cool, very useful.


Monday, May 5, 2008

To NAT or not to NAT

It's coming to be pretty much understood now that you can't put the MDM Gateway on a NAT'd IP address. The reason why is that it 'breaks' the Alerter service, and thus the Wipe Now capability is lost.

In reality, it's acting as designed; the client will check the source address of an alerter message and if the source IP address has changed (as it must, when NAT is used) will failsafe and presume that the originator cannot be trusted and thus will drop the packets.

It looks like things aren't working, when in fact they're working exactly as they're supposed to, with Security first and foremost.

Inconvenient, perhaps, but well thought-through and well implemented.

Bear in mind that "Wipe on Next Connect" is not impacted here since the device will re-connect to the DM on whatever schedule the admin has defined (default is 8 hrs) and then will accept and process the Wipe command.
One suggested workaround is to use the Exchange device wipe capabilities instead, since there is a high probability that waiting until the next connection is unacceptable and the device really does need to be blown out of the water sooner rather than later.

Actually, the risk of waiting until next connect is that the target device can be connected and accessing your LoB hosts as normal. The 'next connect' refers explicitly to the device checking in with the DM to see if there are any packages, policies or commands waiting for it. In the meantime it's business as usual.
Can definitely see that being unacceptable for a lot of folks.
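To put numbers on that window, here is an added example (not part of the original post and not MDM's own code) that models the behaviour described above: a pushed "Wipe Now" alert is dropped when its source address is not the one the device expects, and the wipe then waits for the next scheduled check-in. The class, function names and IP addresses are hypothetical and constructed for illustration; only the 8-hour default comes from the post.

```python
import math
from dataclasses import dataclass
from typing import Optional

CHECKIN_INTERVAL_H = 8.0  # default check-in schedule mentioned in the post


@dataclass
class ManagedDevice:
    """Hypothetical model of a managed device; not MDM's real client logic."""
    trusted_gateway_ip: str            # source address the device expects for alerts
    wiped_at_h: Optional[float] = None

    def receive_alert(self, src_ip: str, command: str, now_h: float) -> bool:
        """Pushed alert ("Wipe Now"). Fail safe: drop anything from an unexpected source."""
        if src_ip != self.trusted_gateway_ip:
            return False               # NAT rewrote the source, so the alert is dropped
        if command == "wipe":
            self.wiped_at_h = now_h
        return True

    def check_in(self, pending: list, now_h: float) -> None:
        """Scheduled pull ("Wipe on Next Connect"): the device initiates, so NAT does not matter."""
        if "wipe" in pending:
            self.wiped_at_h = now_h


def next_checkin(after_h, last_checkin_h=0.0, interval_h=CHECKIN_INTERVAL_H):
    """First scheduled check-in strictly after `after_h`."""
    periods = math.floor((after_h - last_checkin_h) / interval_h) + 1
    return last_checkin_h + periods * interval_h


def exposure_hours(gateway_ip, wipe_issued_h, nat_ip=None, interval_h=CHECKIN_INTERVAL_H):
    """Hours the device keeps normal access after the admin issues a wipe."""
    device = ManagedDevice(trusted_gateway_ip=gateway_ip)
    seen_src = nat_ip or gateway_ip    # what the device sees as the alert's source
    if not device.receive_alert(seen_src, "wipe", wipe_issued_h):
        # Wipe Now was lost; the command waits at the DM until the next check-in.
        device.check_in(["wipe"], next_checkin(wipe_issued_h, interval_h=interval_h))
    return device.wiped_at_h - wipe_issued_h


if __name__ == "__main__":
    GW, NAT = "203.0.113.10", "198.51.100.7"   # constructed documentation addresses
    for issued in (1.0, 7.5, 9.5):
        print(f"wipe at t={issued}h  direct: {exposure_hours(GW, issued)}h  "
              f"NAT'd: {exposure_hours(GW, issued, nat_ip=NAT)}h")
```

In this model the worst case behind NAT approaches one full check-in interval, which is the period during which the device can still reach LoB hosts as normal.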

Thursday, May 1, 2008

PKI Legerdemain

Legerdemain is French and literally means "lightness of hands". In English we usually translate it as 'sleight of hand' and it speaks to the actions of a magician when he makes that coin appear from behind our ear, or magically picks the one card out of 52 that we'd glibly selected from the pack.

The subject of PKI and MDM comes up a lot. Customers approach it with trepidation - and who can blame them, since we're talking about something that was designed by committee?

I'm very much a proponent of MS PKI, but I can say that because I've been in places and positions most people haven't. I've worked with brilliant PKI people who were only too happy to share their knowledge with me. In my former life as a Security Conslutant with Moldevort, Incorporated [1,2], I got to design and implement enterprise-wide PKI's and have seen how well they can work. But I'm the exception and not the rule.

The subject of this post refers to legerdemain because MS has done a very clever act of legerdemain; in bundling their PKI offering into the base server license it makes it almost look like you're getting a free lunch, but as we all know there's no such thing.

That notwithstanding, products like OCS and now MDM rely very heavily on this technology - the subtle but important difference between the two is that MS backed off on pushing the MS PKI route for OCS and you can very easily implement OCS using a 3rd party offering. Not so MDM - sure, there's a compromise solution in place in that by design it (the MS PKI) functions wonderfully as a subordinate of an existing Public Key Infrastructure, but the reality is that for MDM to work you must have a Microsoft Enterprise Certificate Authority in place or it won't work, period (or 'full stop').

So, now we have MDM wrapped up into the PKI bundle. It must use the MS PKI for reasons I'll go into in my Tech Ed session in June, but what does this really mean? Just how difficult is it to implement PKI in the enterprise? Is it really that difficult? Or does paranoia abound?

Questions, questions, questions...

I'm going to give this some thought, do some research, and post a series out here on my spin on how to approach it.

The beauty of not working for Microsoft and not posting stuff like this on the Enterprise Mobile blog is that anything that may prove to be crap comes down on my head alone and doesn't reflect on anyone else. I'm cool with that. There's a reason why I found a pair of asbestos y-fronts under the tree this past Christmas.

Stay tuned.

[1] Otherwise known as 'they who shall not be named'
[2] The Spoonerism was unintentional but works quite well, I think.

Thursday, April 24, 2008

MDM Public Forum now open!

The Public forum for MDM is now open, link here: http://forums.technet.microsoft.com/en-US/SCMDM/threads/

Use this for any and all questions that come up on MDM and everything associated with it. There's a great bunch of people out there, many of whom are my colleagues at Enterprise Mobile, who will be only too happy to help get you going in the right direction.

Wednesday, April 23, 2008

The Code Name Story

Well, Sohail's recording of "Yona is a bear" prompted a number of questions about the origin of this code name.

Credit lies with Bogdan Tepordei of the MDM Product Team. Way to go, Bogdan! Love it!

Yona is the Cherokee word for bear. Now do you see how it ties into Sohail's sound clip?

That's also why you may have seen the bear logo (above) being used. All now sadly defunct since Yona became MDM.

The next releases (which I can't state here because they're subject to NDA) follow this theme.

It would appear that part of the Redmond culture revolves around coming up with really cool code names. There's a website on CorpNet that I found a while back (and haven't been able to find since, dadgummit) that lists hundreds of products going back a very long way.
Some are better than others, obviously, but all in all fascinating reading.

Monday, April 21, 2008

Yona preserved for posterity

Sohail Zafar, one of the PMs on the MDM Product team and the originator of the famed "Yona is a bear" saying, graciously agreed to record it for me. Now everyone can hear the man himself.

Prizes [1] will be awarded for the best impersonation.

[1] send me $10 via PayPal, and I'll send you back a $5 t-shirt!

Wednesday, April 2, 2008

How to Text and Drive, Safely.

Did this as an internal Enterprise Mobile session back at a meeting we had in January. The premise was how to use voice capabilities while driving to be safer yet still productive using a tremendous voice-to-data capability through a (free) product called Jott.

Remember, Friends don't let friends text and drive.

With this - and note that I was just speaking; no typing at all - I was able to:

(1) Send a text (SMS) message to an individual
(2) Send a single text message to multiple recipients using pre-defined groups
(3) Send a reminder to myself.
(4) Create Calendar appointments
(5) Capture expenses (sorry, no link to ExpenseWire just yet, but they told me it’s coming)
(6) Update my blog.

All of the above without ever needing to take my eyes off the road while fumbling with the keyboard on my phone, thus helping me to be safer while driving yet still use the ‘down time’ productively.

Friends don’t let friends text and drive!!!

This message will be broken up into three parts:
(1) ICE
(2) Basic JOTT
(3) Advanced JOTT
a. Using Jott to update your calendar
b. Saving expenses on-the-fly
c. Updating a blog.

ICE stands for In Case of Emergency. EMT’s and first responders are being trained to look at an accident victim’s cellphone to see if there is an ICE contact there. Note: this is a worldwide initiative, not just the US, and I strongly urge you to implement it and tell everyone about it; you will be doing yourself and those who care about you a huge service. You could wind up saving a life – your own or someone else’s.

To do it:
On both Professional and Standard Phones go to Start then Settings then Owner Information.
In Professional, use the Address field.
With SM use the “Notes” field.
Put the following information here:-
(i) ICE {contact name} {phone number}
(ii) Relevant medical information. Blood group, if you know it. Are you diabetic? Allergic to penicillin? List any prescription medications.

The first entry will enable the emergency services to contact your spouse/partner/nearest and dearest in a timely fashion. Otherwise they have to go through a bunch of digging to find out who you are, get contact information, and try to find someone who knows you.
The second entry will speed treatment in the ER.

Finally, while still in the Owner Information screen (Professional Only) go to the Options tab and select the checkbox that says “Show Owner Information at power on?”. I _think_ SM will do this by default but don’t have one in front of me that I can test with.

(2) Basic JOTT.
Go to http://www.jott.com/
Sign up. Get an account. Follow the instructions.
You will need to add contacts. If prompted to have them look at your AddressBook please decline.
Set up a Speed Dial number for Jott for regular use, and also use voice activation (plus Bluetooth headset) while driving.

Have fun!

(3) Advanced Jott:
You will need:
(i) A Jott account
(ii) A Gmail account (if you don’t have one ping me. I’ll send you an invitation).
(iii) For expenses, go to http://www.xpenser.com/ and create an account (free!)
(iv) For blogging go to http://www.blogspot.com/ and create an account (free!).

Go to Jott and select “Jott Links”.
Click on “Google Calendar” and follow the prompts.
To get Calendar entries that you’ve created using Jott into your Outlook Calendar (and thus, through ActiveSync) onto your phone, there are two options:
(1) Go to http://www.daveswebsite.com/ and pull down a copy of GSyncIt. Cost is $9.99, or
(2) The free version is here: http://office.microsoft.com/en-us/outlook/HA101674951033.aspx

Go to Jott and select “Jott Links”.
Click on “Xpenser” and follow the prompts.

Go to Jott and select “Jott Links”.
Click on “Blogger” and follow the prompts.

Finally, I look forward to you getting back to me at some time in the future and teaching me about capabilities that I may not yet have encountered. As I defined in my demo, Cool is the “Wow!” factor, Cooler is when you get to do it, too, and by far and away COOLEST is when you take what you’ve learned and start teaching me!

Tuesday, April 1, 2008

My new toy


Don't I just wish! Would love to use this against the idiot who nearly side-swiped me because their conversation is more important to them than not killing someone else.

Yeah, I'm on the anti phone/text/email/whatever while driving bandwagon. Will follow up with the tools I use through Jott to try to maintain some degree of safety while driving.

Enterprise Mobile and Celio Corp partnership announced

Very cool product! Redfly is just the right vehicle for truly being able to replace your laptop with your Windows Mobile device.

Announcement here: http://www.celiocorp.com/news_03312008.php

Reviews on Redfly here: http://search.live.com/results.aspx?q=Redfly+%2B+Celio&src=IE-SearchBox

Yay! We can finally talk about it MDM and Windows Mobile 6.1!


Tech Ed #2

The two breakout sessions I'm scheduled to present are on areas that I'm pretty pumped about: How to work with your Corporate Security team to basically make their life - and yours - easier when you go about implementing SCMDM, and a 2nd session which goes into some detail on why IPsec really is the better choice of protocol for the mobile device.

Tech Ed itself is going to be a great learning experience - whether in my role as presenter, working with my colleague Doug Field on the SCMDM Hands-On Lab, or sitting in on one of the gazillion other sessions as an attendee to learn cool stuff.

Tech Ed

Sweaty is me.

6 Sessions. Oh crap.

The breakouts will be a hoot and worthwhile attending. I've given a lot of thought to these and am simply not interested in wasting your time. You have questions; I have answers.

The "Interactive Theatre" sessions are going to be even more interesting, owing to the unavoidable yet inherent spontaneity. These take the form of a number of MS gurus plus yours truly taking the stage to any and all questions from the participating audience. Since we have no clue what may hit us, this is definitely going to be fun!

Link here: http://www.microsoft.com/events/teched2008/default.mspx

There are a bunch of neat SCMDM sessions lined up.

RIM to WM Migration

In case you hadn't heard, the first salvo was fired on March 27th.

Poor RIM! Why did they have to schedule down time for the prior weekend? Worse, why did they need more down time the weekend after?

Contentious though it may be, I maintain my stance that if you don't have a Business Continuity story then you don't have a Security story at all. Period. It really doesn't matter how secure you may have made the device, if the service is down then the device is worse than useless.

Link to webcast is here: https://www.livemeeting.com/cc/mseventsbmo/view?id=1032372620&role=attend&pw=F9FE6E6E

Enjoy. Feel free to hit me with questions.

Thursday, March 27, 2008

RIM-to-Windows Mobile Migration

Anything I can't get to during the Live Meeting session on 3/27 will be answered here. Thanks!