Remote Wipe
After installing SP2, you need to install the Exchange Server ActiveSync Web Administration tool before you can use the remote wipe feature. The Web Administration tool is a browser-based tool that provides the remote administration and remote wipe feature for all mobile devices running Windows Mobile 5.0 and MSFP, as well as any device that supports third-party EAS clients. You can download the tool at http://www.microsoft.com/downloads/details.aspx?familyid=e6851d23-d145-4dbf-a2cc-e0b4c6301453&displaylang=en.
When you open the downloaded file, it prompts you for a folder to which to extract the files. After extraction, open that folder and run MobileAdmin.msi, which installs the tool into a new MobileAdmin virtual directory under the server's default Web site. To access the Web Administration tool, open a browser and enter
https://mail/mobileadmin
where mail is the host name of your Exchange server. Because the tool authenticates you with your domain credentials and can wipe any user's device, use HTTPS, not plain HTTP, for this URL.
After authenticating, you'll see the Mobile Device Settings page of the Mobile Admin Web Form, which Figure 4 shows. Click Remote Wipe to display the Remote Device Wipe page, similar to the one in Figure 5. To find a device, enter the mailbox name or SMTP address of a user who synchronizes with Exchange from one or more devices. EAS records every device from which a user synchronizes (the device partnership), and the Mobile Admin Form uses that information to display a list of devices associated with the specified mailbox.
As the Remote Device Wipe page shows, a Pocket PC is associated with my account. The page displays the date and time of the last synchronization and offers two actions: Wipe and Delete. If I click Delete, Mobile Admin clears the association between the Pocket PC and my account. If I subsequently synchronize again using that device, EAS will re-create the association. The Delete feature lets you perform housekeeping when a device is no longer used.
Let's say my Pocket PC has been stolen. When I click Wipe, the tool queues a remote wipe command for the Pocket PC. Figure 6 shows the status of my Pocket PC after I initiate a wipe. If the device is on and holding open the long-lived HTTPS request (over TCP port 443) that MSFP's Direct Push technology uses to wait for server notifications, a request the device keeps reissuing as each heartbeat interval expires, the device erases all its data within seconds. Otherwise, the wipe doesn't take effect until the next time the device connects to the Exchange server. Keep in mind that a thief who keeps the device off the network, or removes its SIM card, never receives the command, which is why the device password policy still matters.
For what it's worth, I tried issuing a remote wipe command to a Pocket PC that didn't have MSFP loaded. The device didn't wipe its data, of course, but the synchronization did fail and reported support code 0x85010013. So, although devices that aren't MSFP-enabled can't carry out remote wipe commands, you can at least block further synchronization for that device if you lose control of it.
The Web Administration tool tracks the status of the remote wipe command, so you can return to the Remote Device Wipe page later and check whether the device has acknowledged it. If the user recovers the device before the wipe command is carried out, you can cancel the command by returning to the Remote Device Wipe page and clicking Cancel Wipe; once the device has acknowledged the wipe, there is nothing left to cancel.
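To make the server-side bookkeeping concrete, here is an added illustration (not the Web Administration tool's own code, whose data store and wire format aren't shown in the article) of the device partnership table and the Wipe, Cancel Wipe and Delete actions described above. The mailbox name, device IDs and timestamps are constructed. It models a wipe that is queued while the device is offline and delivered on its next connection, a cancellation that only succeeds while the wipe is still pending, a Delete that EAS silently undoes when the device syncs again, and a non-MSFP device whose sync fails with the article's support code instead of wiping.

```python
"""Model of the EAS remote-wipe workflow from the Mobile Admin Web Form.

Constructed example for illustration; all identifiers below are made up.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional

# Support code the article reports when a non-MSFP device syncs after a wipe was issued.
WIPE_UNSUPPORTED_CODE = 0x85010013


@dataclass
class DeviceRecord:
    """One device partnership, as shown on the Remote Device Wipe page."""
    device_id: str
    supports_msfp: bool
    last_sync: datetime
    wipe_status: str = "none"            # none | pending | completed
    wipe_requested: Optional[datetime] = None
    wipe_completed: Optional[datetime] = None


@dataclass
class MobileAdmin:
    """Server-side partnership table: mailbox -> device_id -> DeviceRecord."""
    devices: Dict[str, Dict[str, DeviceRecord]] = field(default_factory=dict)

    def partnerships(self, mailbox: str) -> Dict[str, DeviceRecord]:
        return self.devices.setdefault(mailbox.lower(), {})

    def wipe(self, mailbox: str, device_id: str, now: datetime) -> str:
        """Queue a wipe; it is delivered the next time the device contacts the server."""
        rec = self.partnerships(mailbox)[device_id]
        if rec.wipe_status != "completed":
            rec.wipe_status, rec.wipe_requested = "pending", now
        return rec.wipe_status

    def cancel_wipe(self, mailbox: str, device_id: str) -> bool:
        """Cancel Wipe only works while the device has not yet acknowledged the command."""
        rec = self.partnerships(mailbox)[device_id]
        if rec.wipe_status != "pending":
            return False
        rec.wipe_status, rec.wipe_requested = "none", None
        return True

    def delete(self, mailbox: str, device_id: str) -> None:
        """Housekeeping: forget the partnership. The device itself is untouched."""
        self.partnerships(mailbox).pop(device_id, None)

    def sync(self, mailbox: str, device_id: str, supports_msfp: bool, now: datetime) -> str:
        """Device contacts the server (Direct Push heartbeat or a periodic sync).

        Returns 'synced', 'wiped', or 'error:0x85010013'.
        """
        table = self.partnerships(mailbox)
        rec = table.get(device_id)
        if rec is None:
            # EAS re-creates the partnership for any device that syncs, including after Delete.
            table[device_id] = DeviceRecord(device_id, supports_msfp, now)
            return "synced"
        rec.last_sync = now
        if rec.wipe_status == "pending":
            if not rec.supports_msfp:
                # Device cannot execute the wipe; the sync fails and keeps failing.
                return f"error:0x{WIPE_UNSUPPORTED_CODE:08x}"
            rec.wipe_status, rec.wipe_completed = "completed", now
            return "wiped"
        return "synced"


def run_scenario() -> Dict[str, object]:
    """Walk through the four outcomes the article describes; returns them for inspection."""
    mbx, t0 = "tony@example.com", datetime(2006, 3, 1, 9, 0)   # constructed data
    admin, r = MobileAdmin(), {}
    for dev, msfp in (("PPC-1", True), ("PPC-2", True), ("PPC-NOMSFP", False)):
        admin.sync(mbx, dev, msfp, t0)
    # 1. Stolen device: wipe queued while offline, carried out on the next connection.
    r["wipe_queued"] = admin.wipe(mbx, "PPC-1", t0 + timedelta(hours=1))
    r["wipe_delivered"] = admin.sync(mbx, "PPC-1", True, t0 + timedelta(hours=2))
    r["status_after"] = admin.partnerships(mbx)["PPC-1"].wipe_status
    r["cancel_after_completion"] = admin.cancel_wipe(mbx, "PPC-1")
    # 2. Device recovered before it connected: Cancel Wipe, then a normal sync.
    admin.wipe(mbx, "PPC-2", t0 + timedelta(hours=1))
    r["cancelled"] = admin.cancel_wipe(mbx, "PPC-2")
    r["ppc2_next_sync"] = admin.sync(mbx, "PPC-2", True, t0 + timedelta(hours=3))
    # 3. Device without MSFP: sync fails instead of wiping, on every later attempt too.
    admin.wipe(mbx, "PPC-NOMSFP", t0 + timedelta(hours=1))
    r["nomsfp"] = admin.sync(mbx, "PPC-NOMSFP", False, t0 + timedelta(hours=2))
    r["nomsfp_again"] = admin.sync(mbx, "PPC-NOMSFP", False, t0 + timedelta(days=1))
    # 4. Delete is housekeeping only; the next sync re-creates the partnership.
    admin.delete(mbx, "PPC-2")
    r["after_delete"] = "PPC-2" in admin.partnerships(mbx)
    admin.sync(mbx, "PPC-2", True, t0 + timedelta(days=2))
    r["reassociated"] = "PPC-2" in admin.partnerships(mbx)
    return r


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(f"{key}: {value}")
```

The point the model makes explicit is that every outcome hinges on the device contacting the server: a pending wipe is just a flag in this table until the device's next sync or Direct Push heartbeat picks it up.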
Caveats
There's no guarantee that your Windows Mobile device will support remote wipe or a centrally mandated password policy because those features are part of the optional MSFP. Support for MSFP depends on the device manufacturer—and sometimes on the carrier. Before buying a Windows Mobile device, make sure it comes with MSFP or that the feature pack is available from the carrier or manufacturer. (Microsoft offers a buyer's guide of Windows Mobile 5.0 devices at http://www.microsoft.com/windowsmobile/devices/default.mspx.)
EAS support in mobile devices isn't limited to Windows Mobile devices. Manufacturers such as Nokia and Motorola and ISVs have licensed EAS, and DataViz makes EAS clients for a variety of phones based on Palm OS, Symbian, and Java Mobile Information Device Profile (MIDP). Before you buy, read the specifications or manual to make sure you understand whether the third-party EAS-compliant device or client software you're considering supports remote wipe and mandated password policy. Also, be aware that some devices that support HTTPS-protected EAS and Direct Push ship with a fixed list of trusted root Certification Authorities (CAs) and no way to add your own, which means the device refuses to connect to your Exchange server unless its certificate chains to one of the commercial CAs the device trusts, such as VeriSign or its subsidiary, thawte. Check the device's trusted-root list against your server's certificate chain before you commit to it.
Some mobile devices let you store email attachments on a removable flash memory card to conserve internal memory. Doing so carries a big risk, however, because attackers can easily remove Secure Digital (SD) and other such memory cards—possibly before theft is reported or before your remote wipe command is carried out. Moreover, some of your organization's most sensitive data is likely to be found in attachments. EAS with MSFP is apparently supposed to disable the ability to store attachments on the device's removable storage, but if you want to use that feature, I recommend testing specific devices and software to make sure it works correctly.
A Good Step Forward
How secure does MSFP make the data and credentials on your mobile devices? Some analysts, such as Gartner, complain that Microsoft hasn't done enough with encryption to combat more sophisticated attackers who open a device and extract data directly from its memory, an attack that a remote wipe arriving too late does nothing to stop. The Trusted Computing Group's Mobile Phone Work Group is working on mobile-device security, and I expect mobile devices to become more secure in the future. (For more information, see https://www.trustedcomputinggroup.org/groups/mobile.)
If your biggest concern is the theft of user domain credentials, you might consider requiring client certificates to control access to EAS, so that a stolen password alone isn't enough to synchronize. Enrolling Windows Mobile devices for client certificates is much easier than in the past, thanks to the new Enroller application on the device Start menu, which lets you request a client certificate from your Windows Server CA. At some point, we'll probably see biometric access controls on devices, and tamper-resistant chips that hold an encryption key will protect data at rest. For the time being, however, SP2 and MSFP take you a good step forward in mitigating the biggest risks associated with mobile devices.