Microsoft beefs up ActiveSync, releases SCMDM to compete with mobile giant BlackBerry

Microsoft’s release of ActiveSync policies in the Exchange RTM was a very mild effort: a mere 16 policy settings to allow admins to control mobile devices connected to an Exchange environment. Those policies received a boost with the release of Service Pack 1 and now there are 27 settings for Standard CAL and 43 for Enterprise. This may seem like a giant leap, surely a competitive jump for Microsoft to now go head-to-head with BlackBerry IT policies — but that isn’t quite the case. The BlackBerry Enterprise Solution offers roughly 400 policy settings — 400!

One might think Microsoft was sleeping at the wheel by not releasing even more with ActiveSync in SP1. But Redmond released a new product instead: System Center Mobile Device Manager 2008. SCMDM is part of the System Center product line, which is increasingly becoming a formidable set of tools that includes backup-recovery solutions; it also continues SC Operations Management 2007. SCMDM 2008 has the ability to challenge the BlackBerry’s dominance, according to Computerworld’s Matt Hamblen and Eric Lai. InfoWorld did a write-up of the product when it was released.

What does the SCMDM bring to the table? It enables enterprise admins to make mobile devices more than external devices that can have basic policies applied (as we see with ActiveSync). Rather, those devices can become first-class citizens on the network by allowing Active Directory Group Policy settings to be applied to them, enabling greater security. The SCMDM can support up to 30,000 devices and boasts more than 130 settings and policies.

Some of the settings may seem familiar if you are comfortable with what ActiveSync or BlackBerry offer. They include disabling the camera on the mobile device for security purposes, or disabling Bluetooth, infrared, Wi-Fi, and so forth. You can enable passwords and PIN settings. These are all basic settings.
But for more granular control, you can enable more advanced settings. You can put the devices into different OUs (organizational units) that, through Group Policies, allow you to control which policies apply to which users. As with ActiveSync, you can remotely wipe mobile devices that have been lost or stolen thanks to the always-on connection. This is a key element to any mobile device that you use in the enterprise.

One of the more impressive MDM features is the Mobile VPN connection that is created with what is called “double envelope security”: Both the device and the user have to be authenticated. Your device will connect to a VPN gateway server (typically located in your network perimeter, the DMZ) and the device will check in to the management server to apply policies. There is also an enrollment server that handles the request for enrollment and manages requests and retrieval of certificates for devices. It’s also responsible for creating the AD objects. On the back end are SQL servers that work with the device management and enrollment servers, maintaining databases that manage device configuration, tasks, and status settings.

There are a few interesting drawbacks and competitive BlackBerry offerings that are worth considering before you run out and integrate SCMDM into your environment. For one thing, for mobile devices to utilize the many features, you have to be running Mobile 6.1 (so you have to consider the clients you have and whether they are upgradable to the 6.1 platform first). In addition, CA released its own management solution called CA Mobile Device Management. This supports the ability to take AD attributes and push them through the BES Server, thus taking BES policies and functionality and raising them to match some of the functionality of Microsoft’s SCMDM.

In the end, it may come down to the device you feel most comfortable using.
BlackBerry may have more difficulty maintaining its lead in this market if comfort is the deciding factor, as opposed to functionality, server control, security, or some other area where Microsoft is now catching up. BlackBerry is still ahead, but the margin is narrowing fast.

What mobile devices is your enterprise using? And how do you manage them? What features would you like to see added? You never know: Your insightful comments here may be read by the right person and those features may find their way into the next release of your device or server.