1. Windows Phone 8 Enterprise
Mobile Device Management
(MDM)
Andrej Radinger
Windows Phone Development MVP
andrej@mobendo.hr
October 23rd 2013

2. Topics
•
•
•
•
Introduction
Windows Phone Applications 8 in the Enterprise
Windows Phone 8 Devices in the Enterprise
Building a Company Hub

3. Introduction

4. End Users are in the driver seat!
• 59% of employees use mobile devices to run LOB apps2
• 91% of employed adults use personally owned device for
business use1
• Currently 150 million employees is using their own
smartphones and tablets in the office (BYOD)3
• BYOD until 2014 >50%3
1 Survey
conducted by Harris Interactive, Feb 2012
State of Mobile Computing Survey, Jan 2012
2 Symantec,
3 Juniper
Research, 2012
2012
4 Forrester, Jan

5. IT department loosing control!
• 72% organizations have tablets in use without formal deployment.
• 40% of IT decision makers say they let workers access corporate information from
BYOD devices, but 70% of employees indicated they access corporate networks this
way2
• <10% of organization are fully aware of devices accessing their network3
• 50% companies experiences data breaches due to unsecure devices4
• Corporate IT policies that ban the use of employee-owned devices in the name of
security inadvertently create new security holes6
1 Dimensional Research|May
2011
2011
3 SANS Annual Mobile Security Survey, April 2012
2 IDC,
4 Ponemon and
5 Symantec,
6 Dell,
2011
WebSense sur4vey, 2012
State of Mobile Computing Survey, Jan 2012

6. Mobile Devices in Enterprise Today
•
The use of personally owned devices growing
By 2016 … or just 3 years from now:
– +10 billion mobile-connected devices (1.4 mobile devices per capita) – Cisco, Feb. 2012
– Smart connected devices (PCs, tablets and smartphones) shipments reach 1.84 billion units – IDC, Mar.
2012
– 1 billion consumers will have smartphones - Forrester, Feb 2012
•
BYOD usage is a reality and growing
”Currently 150 million employees is using their own smartphones and tablets in the office. This number is
predicted to rise to 350 million by 2014”
Mobile Security Strategies: Threats, Solutions & Market Forecasts 2012-2017 (Juniper Research, 2012)
•
IT is not in control
„40% of IT decision makers say they let workers access corporate information from employee-owned devices, but
70% of employees indicated they access corporate networks this way”
Consumerization of IT Study: Closing the “Consumerization Gap” (IDC, 2011 )
•
Restrictive policies are not the answer
„Corporate IT policies that ban the use of employee-owned devices in the name of security inadvertently create
new security holes.”
CIO Strategies for Consumerization: The Future of Enterprise Mobile Computing (Dell, 2011)
TOP IT Mobility Challenge
Cost effectively secure and manage the multiple devices in the Enterprise

7. MDM Overview
•
•
•
MDM addresses TOP IT Mobility Challenges
Fairly new solution area – consolidation & major shifts still ongoing
Common elements that MDM solutions include:
– Policy Management
– Inventory Management
– Security Management
– Device Service Management
• Device Software Distribution
•
Key attributes of high quality MDM solution:
–
–
–
–
•
High level of automatization
High quality reporting
Integration with existing security and management systems
Right balance of „User Experience vs. Security”
Few things to keep in mind:
–
–
–
Some device platforms will limit manageability (due to manufacturer design)
Android platform support is difficult (due to platform fragmentation)
Most MDM solutions focused on major device platforms (WP, iOS, Andorid), limited or no support
for other platforms not uncommon

8. Windows Phone apps 8 in
the Enterprise

9. Enable companies to deploy business applications to
their employees privately and securely.
Companies control which phones may run their apps
Enterprise apps may install and run only on phones that are enrolled with the associated
enterprise
Companies control the lifecycle of their apps
No ongoing interaction from Microsoft
Companies control the deployment and distribution
It’s highly recommended to authenticate users prior to app enrollment and app deployment

10. Enable end users to feel in control while preserving a
company’s right to protect their data.
App installs require user confirmation
Updates of existing apps can be done silently
Companies can inventory only their own apps
Marketplace apps, user settings, and other enterprise data is not available
The phone’s unique identifier is per-publisher
Publishers cannot correlate user data with other publishers or companies

11. Windows Phone Applications in the Enterprise
• Windows 8 allows enterprises to configure enterprise wide
application distribution
• The enterprise can create and distribute Windows Phone
applications without requiring them to be approved by the
Microsoft Windows Store
• User phones can either be managed or unmanaged
– Very high level of control over a managed phone
– An unmanaged phone can be used in a “Bring Your Own Device” mode
• An Enterprise can create its own Application Hub which can be made
available on managed devices

12. Enterprise Applications
• An Enterprise Application does not have any more access to the
underlying device than a “normal” one
• It does not have to pass the Marketplace certification
– This could result in less reliable/harder to use applications being published
by an enterprise
– Enterprises are advised to use the Marketplace Test Kit to internally validate
applications before making them available
• Capabilities are enforced on the device
– For example if an application needs to use the location service the user will
be asked for permission when the application is first run

13. Creating Enterprise Applications
• An Enterprise can use its keys to sign applications that are then
posted in its own application store
• Devices are “enrolled” to allow them to install and run applications
from the Enterprise
• An Enterprise “token” is loaded onto the device when it is enrolled
• This allows it to allow it to validate enterprise applications
• Enterprise applications are published directly by the Enterprise, they
are not subjected to any Marketplace certification

14. Enterprise Client Application Example
• Microsoft have created an internal application hub that
provides corporate information alongside other information

15. Enterprise Registration
• An Enterprise must register with the Windows Phone Developer Center if it
wants to distribute enterprise applications to selected devices
– Microsoft provides the Enterprise with a set of tools that can be used to create
applications for deployment within the Enterprise
– Microsoft informs VeriSign that the Enterprise is registering
• Once the Enterprise has approved VeriSign will issue a certificate for the
key pair to be used by the Enterprise to sign applications
• This creates a new Enterprise Root and Certification Authority which is
trusted by the Windows Phone 8 security system
– Can be used to sign applications that can be deployed onto Windows Phones 8
devices

16. Overview
3
5
2
1
4
7
6

17. Account creation and cert acquisition
• Must be a Company account
• Publisher name displayed on phone
• Company approval required
• Private key, CSR, cert are local to PC

18. Enterprise certificate

19. App enrollment
• App enrollment token
(AET) is generated
once per year
1
• Delivered to the phone
over an authenticated
channel via email,
browser, or MDM
• Validated for signature
and expiration
2
2
3

20. App deployment
• App is signed using
tools in the WP SDK
8.0
1
• Delivered to the phone
over an authenticated
channel via email,
browser, MDM, or
company hub
• Validated for signature,
an associated AET, and
allowed capabilities
2
2
3

21. App launch
• User launches an
enterprise app via the
shell or an API
• Publisher ID is
extracted and used to
find the associated AET
• AET must be valid and
not revoked or
disabled
1
2
3

22. Phone home
• Phone sends device ID, publisher
IDs, and enterprise app IDs
• Phone receives status for each
enterprise
• Apps of invalid enterprises are blocked
from being installed or launched
• Scheduled daily, plus each enrollment
and app install
• After 7 consecutive failed
attempts, install of enterprise apps is
blocked, but launch of installed apps
still works
1
2

23. Phone home – sample protocol
• Response

24. Windows Phone 8 Devices
in the Enterprise

25. The Enterprise and Windows Phone Devices
• If the Enterprise just wants to distribute their applications to
selected phones they just need to register to do this
– They will sign the XAP files of their applications with their Enterprise
certificate
• An Enterprise can also deploy “managed” Windows Phone 8 devices
• A “managed” Windows Phone 8 device is under much more direct
control from the enterprise
• System management tools are provided that allow the phone to be
remotely managed
– Applications can be installed and revoked
– Data can be remotely deleted

26. Unmanaged and Managed devices
• An Enterprise can interact with “managed” and “unmanaged” Windows
Phone 8 devices
• An Unmanaged phone (which might be a Bring Your Own Device) is one
that is not integrated into the management regime in the Enterprise
– The user of an Unmanaged phone has control over which applications are
loaded onto the phone and what phone capabilities that the applications have
• An Enterprise has a high level of control over a Managed phone
– The Enterprise can automatically deploy and revoke applications on the phone
– An Enterprise can remotely delete data from a Managed phone

27. Managed vs Unmanaged Phones
Feature
Unmanaged Phone
Managed Phone
Device encryption
Yes
Yes
Private app distribution
Yes
Yes
Policy management
No
Yes
App Management
No
Yes
App un-enrollment
No
Yes
Remote delete of business data
No
Yes
Company Hub APIs
Yes
Yes

28. Device Enrolment
• The Enterprise can distribute applications to Managed and
Unmanaged Windows Phone 8 devices
– A device must be “enrolled” so that it can run Enterprise applications
– This provides it with an enrolment token that can be used to open
XAP files that have been signed by the Enterprise
– This is a “one time” action
• Managed phones are automatically enrolled to the Enterprise
• An Unmanaged phone must be enrolled before it can run the
applications

29. Enrolling an Unmanaged Phone
• There are a number of ways that an unmanaged phone can be enrolled:
– Send the phone the token using an email secured by IRM (Internet Rights
Management)
– Email a message containing a web link to the token – the user must authenticate
on the web site before being given the token
• Once the phone has been enrolled into the enterprise the user can
download and run enterprise applications
• Enrolment does not affect any other aspects of phone use
– It does not allow remote management of the enrolled phone
• Microsoft does not provide tools to track the number of unmanaged
phones that have been enrolled

30. Enrolment on Managed and Unmanaged Devices
Feature
Unmanaged Phone
Managed Phone
App enrollment
By attachment in email
Via web link
Integrated with device enrollment
Implemented by Enterprise IT
Provisioned by
System Center
By attachment in IT email or
by web download
Integrated with device enrollment
Implemented by Enterprise IT
Provisioned by
System Center
App un-enrollment
N/A
Integrated with device
un-enrollment
Containment
Low
High
Enterprise app store
Enterprise client install
App inventory