The Year in Enterprise Mobility: A Review of 2013


We strive to keep you informed of the challenges, benefits, and ever-changing trends in the rapidly evolving world of enterprise mobility. Let’s take a moment to recap some of the most important and exciting trends that we noted in 2013.

Enterprise Mobility Is Still a High Priority

The biggest trend we saw in 2013 was that enterprise mobility continued to be a high priority for business. In a 2013 survey of 200 IT executives, 82 percent identified enterprise mobility as very important. On the other hand, only 8 percent of survey respondents have a well-defined mobility strategy. Obstacles include cost, lack of in-house expertise, and especially security (less than 50 percent of respondents have a mobile security solution). The survey suggests that many IT executives recognize the need for outside help, and half of the respondents say that they are considering mobility-as-a-service solutions.

It’s clear that businesses and industry leaders want to take enterprise mobility to the next level, and they understand that in a world of proliferating mobility devices, apps, and support options, planning and strategy matter. We saw more evidence of this approach in some of the milestones that we crossed at Enterprise Mobile in 2013. We now manage more than 500,000 mobile devices across more than 70 countries, and we were recognized in Gartner’s very first Magic Quadrant for Managed Mobility Services for offering comprehensive services across a broad range of software and devices.

The Mobile Landscape Is Changing

It may be cliché to say “the only constant is change,” but when it comes to the mobile landscape, it’s true. 2013 was no exception, and many businesses scrambled to take the guesswork out of choosing among the latest devices and platforms reaching the market. The next wave of mobile devices is arriving and enterprise mobility is rapidly moving beyond tablets and smartphones.

Wearable technology isn’t science fiction anymore. Most of us have heard about Google Glass, but that’s just the tip of the iceberg. The UK research company Visiongain found that wearable technology generated US$4.6 billion of business in 2013, and it predicts “explosive growth” in the sector over the next five years. All this rapid innovation might make it daunting to find and choose the best devices for your business, but with the right support and guidance, it’s an exciting challenge.

BYOD Remains Relevant

Bring-your-own-device (BYOD) programs remained a big force in enterprise mobility in 2013. Allowing employees to use their own devices for work can be a double-edged sword, but as companies develop coherent BYOD policies, they are avoiding potential chaos and opening the door to increased productivity and greater employee satisfaction. As businesses determined the real costs of BYOD—such as management, support, security, stipend practices, and legal considerations—they have started to gather requirements, set goals, define budgets, and optimize their BYOD strategies and execution.

Mobile Security Is a Top Concern

Whether you support BYOD or not, and whether you manage dozens of devices or just a few, security is always a top concern in enterprise mobility. Securing any network is hard, and savvy IT executives know that safeguarding disparate devices, connections, and applications takes a well-planned mobile security strategy.

In 2013, we saw organizations develop policies that address a range of issues, such as regulation compliance, information privacy, device and application inventory, and data storage. Organizations that manage mobile security in-house often find it limiting—not to mention a time-sink for the IT staff. Others find that a trusted service provider can help them meet current threats, stay on top of industry trends, and optimize their mobile environment. By combining mobile device management, mobile application management, and mobile content management software, businesses can build an effective overall mobile management and security infrastructure that gives employees the agility they need without putting devices, apps, or data at risk. The upshot is that effective organizations use rigorous security planning to determine their mobile security path.

Get Ready for More

2013 is almost over, but it’s not too late to get in on the hottest enterprise mobility trends of 2014. Check out our 2014 Enterprise Mobility Predictions, and learn what you can expect in the new year.

Image source: Forbes

What’s Next in Enterprise Mobility

Today’s mobile landscape is shifting more quickly than a late-model sports car. New feature-rich devices, security advancements, and innovative content management options mean that organizations have a lot to consider. Being aware of some of the coming trends will help you make smart choices as you look down the road.

Emphasis on Apps and Content

Until recently, most organizations have focused on which devices to deploy, but more and more are starting to put thought into enterprise apps (whether purchased off the shelf or custom developed) and content management. New online storage options provide flexibility in the way that organizations think about where content lives and the kinds of connectivity that are required to use and share that content. For example, a retailer could use a solution like Box to remotely push targeted content to the devices used by employees on the retail floor each day. That content might include details about daily sale items, videos about seasonal items, or tips for product usage, all of which employees could share with customers—without needing WiFi connectivity to download the content. Having new, industry-specific solutions to choose from can help you get ahead and derive the most value from your mobile environment.

Expanded Mobility Adoption

There have been several highly regulated industries that have not yet been able to take full advantage of mobility in general and Mobility-as-a-Service in particular. But as more organizations push to equip employees with mobile devices, some of those walls are coming down. Already, governments, healthcare organizations, and even financial services companies are starting to do more with mobile devices in limited use cases. That trend is likely to continue as vendors place greater emphasis on the enterprise mobile environment, rather than the current focus on consumers. Vendors will, by necessity, improve their security and encryption layers to give those in highly regulated industries greater flexibility when it comes to mobile device use and Mobility-as-a-Service options.

Replacement of Traditional Tools

So far, mobile devices have been considered an “and,” rather than an “or” in the business setting. Organizations deploy laptops and smartphones, tablets and traditional devices. But increased device power, processing speed, portability, and robust functionality are changing that. Soon we’ll start to see a true replacement; organizations may stop deploying laptops and only adopt tablets, or they might remove credit card processing machines and have employees use smartphones instead.

Specialty Solutions – Native Capabilities

Today, there are several niche solutions—such as those associated with mobile device management (MDM), mobile application management (MAM), and mobile content management (MCM)—that organizations need to consider and deploy to properly manage their mobile environments. As more organizations invest in mobile management software, there will be greater incentive for new players to enter the marketplace, which may cause a quantum shift in the way that MDM, MAM, and MCM are handled. Operating system developers may start to natively incorporate those capabilities. As a result, it will be critical for specialty solution providers to innovate to bring new capabilities to the industry. Even with this forward-thinking approach, it is likely that mobile management vendors will need to deal with market consolidation in the months and years ahead.

Next Steps

But you can’t wait for tomorrow’s advancements. Your organization’s productivity and overall effectiveness depend on putting the right mobile strategy in place today. However, keeping the industry’s fluidity in mind can be helpful as you invest in mobility. Here are a few suggestions for making the most of your mobile environment now, without locking you out of future capabilities:

  • Consider using subscription services rather than purchasing full licenses so that you can get the tools you need without long-term commitments.
  • Lease devices to give your employees the latest and greatest features but retain the ability to refresh as new devices enter the market.
  • Carefully determine the reasons for upgrading your mobile environment; don’t do it just for the sake of staying current. Make sure you’re investing in the right devices, apps, and storage options, and know what’s coming down the pike.
  • Think about storage. Larger file sizes make finding appropriate storage solutions an imperative. Make sure you know where you’ll store your content and how you can access and easily share it.

For help determining the next steps in mobility for your organization, learn more about Enterprise Mobile and watch the recent webcast about putting the right mobile strategy in place.


Part II: Planning a Mobile Security Strategy

In Part I of this blog, I discussed some of the biggest challenges in securing mobile environments and made some recommendations about mobile device management (MDM) software and how best to get started with planning. Here, I’ll address the importance of incorporating mobile application management and mobile content management solutions into your mobile security strategy.

Although using MDM software can be an important element in protecting your mobile environment, combining it with savvy mobile application management (MAM) and mobile content management (MCM) leads to the most effective overall mobile management and security. It’s not always easy to know how to best handle MAM and MCM for your organization, but adopting the right strategies is critical to your success.

MAM—While MDM is all about locking down devices, MAM helps safeguard mobile environments by controlling application access; only certain users can use particular applications on particular devices. If you are considering a Bring-Your-Own Device (BYOD) strategy, MAM helps you do so without putting corporate data at risk because corporate and personal apps can peacefully (and safely!) coexist on the same device. Employees are responsible for the security of the personal apps on their devices, while IT staff can protect and remove corporate apps if a device needs to be wiped.

Note some MAM best practices:

  • Decide on relevant acceptable use policies to help set expectations. Make sure employees are clear on which applications they’re allowed to access and which are blacklisted.
  • Use MAM tools to transparently install and configure business or security apps, especially if you have BYOD in play; you can’t always count on employees to do it properly on their own.
  • Establish a way to track app downloads and ongoing usage, monitor to detect outdated or disabled apps, and enforce the removal of blacklisted apps.


MCM—MCM focuses on the data itself, rather than your organization’s devices or applications. MCM strategies help establish a secure container around sensitive data, encrypting it and allowing only approved applications to access and distribute the data. The MCM market is still evolving, and upcoming integration improvements and the development of industry standards will make it easier for devices and apps to recognize the protections placed on data.

Even with some of the existing integration challenges, the number of MCM users is expected to grow by more than 10 percent annually for several years, according to a report by ABI Research. Proactive companies will look to capitalize on the advancements that the demand for high-quality MCM will bring, rather than waiting for complete maturity in that arena.

Of course, the key is finding that magic mix of MDM, MAM, and MCM strategies and tools. Although there doesn’t tend to be much overlap among these areas, you’ll need to do some testing to make sure that the products won’t limit each other or get in the way of other functionality.

Keep your eye on your top priorities for mobility management, whether those involve ease of use, cost, the amount of IT control, or specific features like asset management. These management solutions can’t be all things to all people, so find the ones that are right for you. With a suitable combination, you’ll be well on your way to having a mobile environment that meets your employees’ needs for productivity and flexibility without putting your devices, apps, or data at risk.

Learn more about planning your mobile security strategy.

Part I: Planning a Mobile Security Strategy

This is the first of a two-part blog. The aim of this first piece is to affirm some of the biggest challenges in securing a mobile environment and suggest the approach to getting started. In the second piece, I’ll dive into more details about the critical nature of security in a successful mobile environment.  

Securing a traditional internal network is a tough task on its own, but layering on disparate devices, a myriad of connection points, and unknown applications can cause even the most relaxed IT pro to lose sleep. It’s safe to say, though, that mobility is here to stay, and smart organizations are establishing strategies to safeguard their mobile devices, apps, and data. If they don’t, they can’t comfortably reap the productivity benefits enabled by mobile devices, and they limit employees’ flexibility to work from wherever they choose.

Rather than jumping right into the world of mobile devices and apps, companies need to be thoughtful about the planning process, especially where security is concerned. Getting the right policies in place can define your position on mobile security and keep employees from unknowingly putting the organization at risk. Before setting your mobile security policies, consider a few big-picture elements:

Regulatory concerns. Do you need to worry about compliance with industry regulations, such as HIPAA or Sarbanes-Oxley, when it comes to securing data on mobile devices? Do you need to take payment card industry (PCI) procedures into account if you handle credit card data?

Industry concerns. Do you need to ensure that client information stays private? What about threats from competitors when it comes to keeping your own organization’s devices and data safe? If you’re in the financial services industry, what do you need to do to protect financial data on mobile devices?

Flexibility. Mobile capabilities shift faster than a quick-change artist. You need your policies to be stringent enough to keep mobile devices, apps, and data secure but still allow you to adopt new advancements in the world of mobility. How much wiggle room do you want or need for the future?

Emerging trends. For example, bring-your-own-device (BYOD) environments are growing in popularity. While BYOD can save money, it requires you to allow access to the company’s networks from a variety of places and devices with unknown levels of security. Does it make sense to support BYOD in your particular organization? If so, what’s the best approach?

All this begs the question, what is the first concrete step in planning your mobile security strategy? Take an inventory of your devices to see which platforms are already at work in your environment. Determine whether the security-enablement features of those platforms meet your needs, and balance those features against the user features and apps that are available on those platforms. Set out to clearly understand not only what types of devices are on your network, but also what applications are on those devices and where that data is stored—all of this should factor into your strategy planning.

Next, decide whether managing your mobile infrastructure is something you want to handle in-house or with an outsourced service provider. Some organizations opt for in-house management but find that their mobile situation stagnates over time or that supporting it takes too much IT staff time and attention. Others determine that it’s helpful to work with a trusted service provider that stays on top of industry trends and optimizes their mobile environment. Either way, your hands aren’t tied—lots of organizations move back and forth between in-house and outsourced management as their needs change.

One of the best ways to make mobile security less daunting is to implement mobile device management (MDM) software, which secures, monitors, manages, and supports mobile devices deployed across mobile operators, service providers, and enterprises. A mobility service provider can help sort out the best MDM software for you and then go on to provide strategic consulting about mobile apps and how best to secure them.

Once you have a plan in place for security, it is critical to keep it current. It’s smart to take a step back about once a quarter to assess new risk factors and indicators that may cause you to adjust your policies, device OS settings, etc. For instance, we’re all familiar with the abundance of mobile apps out there for consumers, but the buildup of enterprise mobile apps has just begun. And the BYOD world is becoming more realistic as dual-use devices and virtualization take hold in the mobile space.

Remember, focusing on rigorous security planning now puts you in a position to embrace the latest trends. Without solid strategies and policies in place, you won’t be able to take advantage of the value that mobility can bring to you and your employees. Don’t let opportunities pass you by—be ready and able to adopt what you need when you need it. Want to learn more about planning an enterprise mobile strategy? Watch our latest webinar on Building an Enterprise Mobile Strategy.

In my second post in this series, I’ll address the importance of incorporating mobile application management and mobile content management solutions into your mobile security strategy.

iOS 6 Release – Technical Services Bulletin – September 13, 2012

How iOS 6 Could Affect Your Devices

On September 12, 2012, Apple announced plans to release the iOS 6 update to the public on September 19, 2012.

As with previous OS updates, Enterprise Mobile expects that new devices procured shortly after the release will soon be installed with iOS 6 instead of the previously released iOS 5.1.1.

For legal, not technical, reasons, Enterprise Mobile will not be able to downgrade newly procured devices from iOS 6 back to iOS 5.x. This may also impact old devices that are sent to Apple repair, which may return upgraded.

The following device types will be supported by iOS 6 and can be upgraded:

- iPhone 4S
- iPhone 4 (CDMA & GSM)
- iPhone 3GS
- iPod Touch 4th Gen
- iPad 2 (WiFi, WiFi + 3G – CDMA & GSM)
- iPad 3rd Gen (WiFi + CDMA & GSM)

The legacy iPad 1st Gen will not be upgradable.

Mobile Device Management (MDM)

It is not known at this time whether iOS 6 includes any new MDM features. We expect that the MDM vendors will announce updated versions of their MDM solutions in the coming weeks and months.

Because the UDID feature has been deprecated in iOS 5, Apple has now removed the API used to retrieve the UDID in iOS 6. Please check with your MDM vendor whether any updated clients or updated solutions are required to support iOS 6. This may include additional prompts that the end user may need to complete to enroll devices.

Note that there may not be time to update your MDM solution before the iOS 6 release. Enterprise Mobile strongly recommends that you have any iOS access version controls verified and possibly disabled if necessary to permit new iOS 6 upgraded devices to connect and access business critical functions. Enterprise Mobile can help answer any questions you have about many of the MDM solutions.


If the iOS devices are already running iOS 5 or above and the devices have access to the Internet over WiFi towards Apple servers, an upgrade prompt may appear. End users have the option to download and upgrade their devices over-the-air (OTA) or tethered with iTunes. Some of your end-users will probably perform this upgrade on their own, on the first day the software is available.

Note that the upgrade may be fairly large in size (approx 700MB+) and could impact the telecom data plan of the iPhone or iPad and your monthly data plan costs. Please contact your telecom provider for more information.

Enterprise Mobile can assist if a large scale upgrade of devices is required, and can work with your internal support personnel to speed the process.

Testing iOS 6

If you or your company are developing custom iOS applications, you are likely a registered member of the Apple Developer program. Enterprise Mobile urges all developers to quickly and thoroughly test and validate that all their business applications run on iOS 6, with functionality retained. Initial testing can be performed with a beta release, but it’s important to test with the final release version of the operating system because, in previous updates, Apple has continued to add features and bug fixes up to the final public release.

The “golden master” or GM release of iOS 6 was made available to all iOS developers on September 12, 2012, one week in advance of the publicly available version.

iOS 6 Changes

This upcoming iOS release provides a slew of new features. While mostly geared to the consumer market, it may be beneficial to have knowledge of or promote the following list of business-related features:

Hands free operation:
- Siri can read items from Notification Center
- "Eyes Free" allows car companies to build in Siri integration

- A new application that manages a user’s boarding passes, travel loyalty cards and others
- Passes are updated in real-time if changes are made such as spending money on a store card, flight time updates, and gate changes
- Passes are location and time-based, appearing on the lock screen when relevant

- "Bluetooth" is moved to the top of the Settings list
- Addition of "Do Not Disturb" mode, allowing users to avoid calls and notifications unless calling parties are on the user’s Favorites group
- New Privacy Controls in which apps must now ask for permission to access the user’s photos, calendars, contacts and reminders
- "Wi-Fi plus cellular" option added under "Cellular", to allow apps to use data over cellular if experiencing issues establishing connection through Wi-Fi

- Addition of phone icon on lock screen for additional ignoring options, similar to the camera sliding icon on the lock screen in iOS 5.1
- When ignoring a call, the user can message the caller, set a Reminder to call them back later, or send one of three customizable quick SMS responses

- VIP inbox stars important emails from user defined VIP group members
- Flagged emails inbox
- Open password-protected Microsoft Office documents
- Added Pull-to-Refresh gesture to update Mail accounts
- Per account Signatures

- Ability to Search All Fields
- Custom Vibrations for Text Message Notifications

- Full screen landscape mode (for iPhone 3GS and newer; iPod Touch 4th Gen and newer)
- iCloud tab syncing across iOS devices and Macs
- Offline reading list caches the user’s reading list for later use, even when not connected to the Internet (not available for iPhone 3GS and iPod Touch 4th Gen)
- Faster JavaScript engine
- Support up to 25 open tabs on iPad

- Removed as an integrated app due to an ended licensing deal with Google. Google created a stand-alone YouTube app for the App Store that is available for download as of September 11, 2012

Lost Mode:
- If the iPhone is lost, Lost Mode triggers an attention-grabbing sound, prompting the person who finds the iPhone to call a specific number set remotely by the owner

- Global Network proxy for HTTP
- IPv6 support for Wi-Fi and LTE

- Addition of Kernel Address Space Layout Randomization (ASLR)

- Updating an app no longer requires the iTunes password to be entered
- Installation of free apps without an Apple ID (This feature appears to be removed since beta)

Accessibility Guided Access:
- Allows the user to prevent exiting the app in Single App Mode
- Allows users to disable certain controls within a specific app
- Locks the Home button so that the device acts like a kiosk


iOS 5.1 Release – Technical Services Bulletin – March 7, 2012

As we did in October of 2011, when the last major iOS release was announced and released, here is some fresh information on the latest update, iOS 5.1, that may be useful.

How iOS 5.1 Could Affect Your Devices

On March 7th, 2012 Apple announced plans to release the iOS 5.1 update immediately to the public.

As with previous Apple iOS updates, Enterprise Mobile expects that new devices procured shortly after the release will soon be pre-installed with iOS 5.1 instead of the previously released iOS 5.0.1.

For legal reasons, Enterprise Mobile will not be able to downgrade newly procured devices from iOS 5.1 back to iOS 5.0.1. This may also impact old devices that are sent to Apple repair, which may return upgraded.

iOS Changes

The full listing of the iOS 5.1 security updates can be found here:

The Safari privacy vulnerability and a long list of WebKit (Safari browser engine) vulnerabilities have been patched. The password unlock and Siri vulnerabilities have also been patched.

Mobile Device Management (MDM)

It is not known if there are any new MDM features at this time included in iOS 5.1.
Because you may not be able to update your MDM solution before the iOS 5.1 release, Enterprise Mobile strongly recommends that you have any iOS access version controls verified and possibly disabled if necessary to permit new iOS 5 upgraded devices to connect and access business critical functions.


If the iOS devices are already running iOS 5 or iOS 5.0.1 and the devices have access to the Internet over WiFi, an upgrade prompt may appear. End users have the option to download and upgrade their devices over-the-air (OTA) or tethered with iTunes.

Please note that the upgrade may be fairly large in size (approx 200Mb) and could impact the telecom data plan that the iPhone or iPad is using and your monthly data plan costs. Please contact your telecom provider for more information.

Please note that some of your end users will perform this upgrade on their own, on the first day the software is available.

Enterprise Mobile can assist if a large scale upgrade of devices is required, and can work with your internal support personnel to speed the process.

Testing iOS 5.1

If you or your company are developing custom iOS applications, you are probably already a registered member of the Apple Developer program. Enterprise Mobile urges all developers to quickly and thoroughly test and validate that all their business applications run on iOS 5.1, with functionality retained. This can be done with a beta release, but it is also important to test with the final release version of the operating system, as Apple has previously been known to continue adding features and bug fixes up to the final public release.

Upcoming Microsoft sessions on Device Management & Security – If you are at TechEd 2009 or not!

A quick updated post from the one I posted previously on this. One of these sessions is live at TechEd and the rest are being broadcast live on TechNet starting next week. All are being presented by colleagues of mine here at Enterprise Mobile.

· Webcast: TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)
Tuesday, April 7, 2009
10:00 A.M.–11:00 A.M. Pacific Time
Attendee Registration URL:
Description: “So, you are using Microsoft System Center Mobile Device Manager 2008 and Windows Mobile 6.1. Now what? You probably know that Mobile Device Manager can manage, secure, and install software on your phones. But did you know Mobile Device Manager also gives your users the potential to control the PC at their desk and access everything they need on the corporate network, including file shares, Microsoft Office SharePoint Server, instant messaging, and internal Web pages. In this webcast, we present the best practices for a Mobile Device Manager installation that provides users with access to everything they need in the corporate network through their phone and (just as important) denies access to resources mobile users don’t need. We review the basics of Mobile Device Manager and IP security (IPsec) virtual private networks (VPNs), and we discuss the tools that users can take advantage of so they can work wherever they would like using their phone. Discover how Mobile Device Manager eliminates the need to expose your organization’s Microsoft Exchange Server to the Internet.”

· Webcast: TechNet Webcast: Windows Mobile Digital Certificate Management (Level 300)
Thursday, April 9, 2009
11:00 A.M.–12:00 P.M. Pacific Time
Attendee Registration URL:
Description: “Digital Certificates and public/private key technology are core to Windows Mobile platform security. In this session, you’ll learn about how certificates are used to provide authentication, access control and encryption for the OS, applications and networking. You’ll also learn best practices and “gotchas” for managing certificates on the device. The speaker is an expert on Windows Mobile Certificate management and certificate-related features in the OS. Therefore, come ready to ask any questions you may have: enrollment, import, SSL, root certificates, email security, application security, etc.”

· Webcast: TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
Tuesday, April 17, 2009
11:30 A.M.–1:00 P.M. Pacific Time
Attendee Registration URL:
Description: “System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which takes almost 2 years of hands-on experience of deploying and implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.”

· TechEd 2009 “Chalk Talk” in the WM area:  Management Lockdown of Windows Mobile Devices
Tuesday, May 12, 2009
10:15 A.M.-11:30 A.M. Pacific Time
Description: “You can completely secure a Windows Mobile device without deploying expensive third party applications. In this session we’ll show you how to bar viruses, malicious and unsupported code from installing and running on the device. In addition, we’ll look at various out-of-the-box devices and analyze their threat surface. Last, we’ll describe all Windows Mobile application security threat surfaces and how to manage all of them.”

Register for them now and get them on your calendar! :-)


Upcoming Microsoft Webcasts on Device Management & Security

A quick heads up on some interesting new Microsoft webcasts coming up early next month on Windows Mobile Device Management and Security that may be of interest to many of you:

TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)

Tuesday, April 7, 2009
10:00 A.M.-11:00 A.M. Pacific Time

TechNet Webcast: Management Lockdown of Windows Mobile Devices (Level 300)

Thursday, April 9, 2009
11:30 A.M.-12:30 P.M. Pacific Time

Register now and get it on your calendar! :-)


Mobile Security Resources

Windows Mobile security best practices are a key component of Enterprise Mobile’s expertise and services, but recently we’ve been much more vocal about it! First off, there’s the excellent WM Application Security White Paper that my colleague Dave Field just published. Here’s a brief synopsis:

This technical paper recommends how enterprises can take advantage of the powerful security features of Windows Mobile to defend against malicious and unsupported application use. Taking a very pragmatic approach, the paper describes how various features work and how to implement them to protect devices based on Windows Mobile 5.0, 6.0 and 6.1.

I highly recommend it for any IT professional who’s interested in Windows Mobile security. Dave has put incredible detail into this paper, making it invaluable for any organization that is currently using (or planning to deploy) Windows Mobile devices and applications.

Next up, there’s an interesting Network World article by John Cox about Mobile browser security that Dave and I are quoted in.  The article focuses on the impact that a new generation of mobile web browsers will have on how enterprise IT organizations handle mobile device security.  John sums up the three key areas that enterprises should focus on:

IT departments, according to experts, need to focus on three areas: assessing the security architecture and features in the mobile browser and the underlying operating system; working with users on smart and safe browsing practices; and creating a solid handheld device management system.

In fact, choosing a mobile platform with a strong and flexible security model, hand in hand with a solid device management system, can help you minimize the headaches that users have to endure. With those first two handled, educating users on smart and safe browsing practices applies to traditional desktop web browsers as well as to the new crop of full-featured mobile browsers. Read the full article, titled “Mobile browsers bring new security headaches”, for more information.

SCMDM 2008 SP1 PIN Reset or Password Recovery Feature

This is a brand new feature in SP1, and one of great interest in an enterprise implementation. It mimics the similar Exchange and Windows Mobile device functionality, but without any Exchange requirements. With this feature, end users who have forgotten their device password or PIN can recover (without wiping the device) and set a new device password or PIN. In this posting I will dive a little deeper and show how this all works on both the server and client side.


As nicely stated in the MDM Password Reset Client v1.0 download overview:

“MDM Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM. Password reset in MDM 2008 Service Pack 1 (SP1) enables a user who has forgotten his or her Windows Mobile device password to reset it by using MDM.

Password reset is supported on Windows Mobile 6.1 devices, starting with version 6.1.4. To use the feature, you must install the .cab file on the user’s Windows Mobile device as well as enable the feature in MDM by using Group Policy.

To reset the device password, the user chooses the password reset option, resets the device password, and then enters a one-time recovery password on the device to complete the process. The recovery password is stored on MDM servers and retrieved by the user when she or he has forgotten the device password.”

What is required?

Even though the client patch description mentioned above states it is first supported on devices running Windows Mobile 6.1.4 or above, the patch appears to install on some of my 6.1.1 devices. But “your mileage may vary” (YMMV), as they say. The patch, available here, can be manually installed, but with MDM handy why not deploy it directly! Please note the installation failures on the devices that are below the 6.1.1 levels.

You also need SCMDM 2008 SP1 installed on the back-end, especially the changes to the DM server, the SQL tables, and the Self Service Portal (SSP) if you wish to use that for retrieving the reset password.

How it works:

Once the client patch is installed on the device and the device is locked with a PIN, the device locally generates a password reset key. After 2 cycles of traffic to and from the Device Management server, that recovery password will have been uploaded to the SCMDM side and be available for use. This can be verified with a cmdlet, or on the MDM console by checking that the “Display Recovery Password” action on the right-hand side of the screen is no longer grayed out when a managed device is selected:

More details can also be found here on the overall user experience of this feature:

Client Functionality

These are actual screenshots of a managed device that has the client patch installed.

In a locked state, the “Reset Password” option is no longer grayed out, suggesting that the password reset key has been uploaded and is ready to use:


After the “Reset Password” option is selected, the device asks the user to confirm that they can indeed retrieve the recovery password from an administrator or help desk.


It will then let the user create a new password, subject to the same password requirements that may have been enforced on the device.


Now the user must contact the administrator or help desk. In this example the administrator clicks “Display Recovery Password” in the MDM console and is shown the 20-digit Recovery Password that the device has uploaded into the MDM database.


The user must type in the 20-digit recovery password to validate the new password.


If there is a match with the recovery password stored on the device, the new password is granted and the device is unlocked!
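The exchange walked through above, modelled in Python as an added example; it is not Microsoft's code and not part of the original post. The class and method names are hypothetical, the two sync cycles are collapsed into one `sync()` call, and rotating the recovery value after use is an assumption made to model the "one-time" behaviour described in the download overview.

```python
import hmac
import secrets

RECOVERY_DIGITS = 20  # length of the recovery password shown in the MDM console


def _same(a, b):
    # Constant-time comparison so a wrong guess leaks nothing through timing.
    return hmac.compare_digest(a.encode(), b.encode())


class MdmServer:
    """Hypothetical stand-in for the MDM database holding escrowed values."""

    def __init__(self):
        self._escrow = {}

    def upload(self, device_id, recovery):
        self._escrow[device_id] = recovery

    def display_recovery_password(self, device_id):
        # Mirrors the console / SSP "Display Recovery Password" action.
        return self._escrow.get(device_id)


class Device:
    """Hypothetical model of the client side, not the real MDM client."""

    def __init__(self, device_id, pin):
        self.device_id, self._pin = device_id, pin
        self._new_recovery()

    def _new_recovery(self):
        # Generated locally from a CSPRNG; 20 decimal digits is about 66 bits.
        self._recovery = "".join(
            secrets.choice("0123456789") for _ in range(RECOVERY_DIGITS))
        self._escrowed = False

    def sync(self, server):
        server.upload(self.device_id, self._recovery)
        self._escrowed = True

    def reset_available(self):
        # "Reset Password" stays grayed out until the value is on the server.
        return self._escrowed

    def unlock(self, pin):
        return _same(pin, self._pin)

    def reset_password(self, new_pin, entered_recovery):
        if not self._escrowed or not _same(entered_recovery, self._recovery):
            return False
        self._pin = new_pin
        self._new_recovery()  # assumed one-time use: old value is now dead
        return True
```

Gating the reset option on confirmed escrow matters operationally: a device that offered the reset before its value reached the server would leave the help desk with nothing to read back to the user.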


Instead of the MDM console, the MDM Self Service Portal (SSP) could have been used. It also has a “Display Recovery Password” button at the bottom which will display the 20-digit recovery password:


The administrator can choose whether to make the Password Recovery feature available on the SSP web site, just as with the Device Wipe and Device Enrollment features. Please see more information available here:

Password Recovery References

SCMDM Cmdlets:
SCMDM User Experience:
Windows Mobile 6.x AKUs:
Windows Mobile 6.1.x Upgrades and Build Levels:

mnielsen (at)