DEVICE MANAGEMENT EXTENSIONS

(1)

(2)

Document Information

Date: 4/13/2011

registered trademarks of Microsoft, Inc. in the United States and other countries. RIM and BlackBerry are registered trademarks of Research In Motion Limited in the United States and may be pending or registered in other countries. Apple, Mac OS, iPhone, and iPad are registered trademarks of Apple Inc., registered in the United States and other countries. Android is a trademark of Google Inc. Nokia is a registered trademark of Nokia Corporation. Other product or service names may be trademarks or registered trademarks of their respective owners.

This document contains material that is proprietary of Odyssey Software, Inc. and is protected by copyright. Copying, reproducing, or disclosure of this document, or any part of this document is prohibited without the written permission of Odyssey Software, Inc.

Odyssey Software, Inc. shall not be held liable for technical or editorial errors, or for any consequential or incidental damages caused or allegedly caused by

information contained in this document.

For specific information on the software or our packages, please contact us at

(3)

Introduction

Odyssey Software’s Athena™ mobile device management product is designed to extend and complement the native device management capabilities of the Microsoft® System Center Configuration Manager platform. Unlike other device management products, which require their own proprietary servers and consoles, Athena uniquely integrates seamlessly into the native

infrastructure of Configuration Manager without the need for additional Athena servers or consoles. Athena's architectural advantage enables

organizations to leverage their existing strategic investment in Configuration Manager to also provide comprehensive management of mobile devices. The purpose of this document is to provide an overview of how Athena integrates into the Configuration Manager platform and to outline the device management features that Athena adds to the Configuration Manager

platform.

In addition to integrating into the current System Center Configuration

Manager 2007 platform, Odyssey Software is a launch partner for Microsoft’s forthcoming System Center Configuration Manager 2012 release. Athena’s approach for integration with Configuration Manager 2012, and value

proposition for management of Windows® Mobile, Android, iOS, Windows® Phone 7, BlackBerry® and Windows® Embedded CE devices is comparable to the Athena integration and value-add for the Configuration Manager 2007 platform. The device management feature matrices in this document provide details about the value-add of Athena to both Microsoft platforms.

Please note that this document does include information about the

forthcoming Athena device management agent for Windows Phone 7, which Odyssey Software plans to release in Q3 2011. Athena agents for Windows® Mobile, Android, iOS, BlackBerry® and Windows® Embedded CE have been introduced and/or are released.

Athena License Migration Program

The Athena license migration program for System Center Configuration Manager enables customers enrolled in Odyssey Software’s Support and Maintenance program to easily transfer their Athena licenses between Configuration Manager 2007 and Configuration Manager 2012 without any additional licensing cost.

Odyssey Software’s license migration program is designed to complement its commitment to ensuring successful technical customer migrations for Athena between these two Microsoft enterprise management platforms. Protect your investment in Athena as you migrate from Configuration Manager 2007 to Configuration Manager 2012 by including Odyssey Software’s Support and Maintenance program with your purchase of Athena licenses.

(6)

Summary of Athena Benefits for IT

Professionals

Leverages your organization’s investment in Configuration Manager  Fast, low-cost deployment by utilizing existing management

platform infrastructure.

 No additional server hardware or proprietary server software required.

 Athena-enabled functions extend and complement the native device management capabilities of Configuration Manager.  Familiar console navigation provides savings in Help Desk and

training costs.

Non-impactful to device and network resources

 Ultra-low impact on mobile device performance and battery life.  Uses bandwidth efficiently. Never interferes with business

operations sharing the network. Nominal impact on metered wireless plans.

Addresses real-world management needs of mobile device users  Enables increased efficiencies through fast, uniform distribution

of applications and updates to mobile workforce.

 Improves device-user productivity through decreased downtime.  Decreases costs through the ability to quickly and efficiently

troubleshoot and solve issues remotely for Windows Mobile, BlackBerry smartphones, and Windows Embedded CE devices. Helps achieve first-time resolution to problems.

(7)

Athena and Configuration Manager Architecture

The Athena device management extensions for Configuration Manager

consist of on-device Athena agents for Windows Mobile, iOS (iPhone/iPad), Android, and BlackBerry smartphones as well as Windows Embedded CE devices, management console extensions, the Athena Tunnel Service, and PowerShell extensions from Configuration Manager 2007 to Exchange 2007 or 2010. The extensions enable core device management support functions for Exchange ActiveSync-enabled mobile devices platforms that do not yet have an Odyssey Software developed agent such as Nokia Mail for Exchange and HP webOS devices. Configuration Manager 2012 includes access to Exchange for setting Exchange ActiveSync policies and collecting core device information.

The following diagram shows the integrated Athena/Configuration Manager architecture.

(8)

Native Configuration Manager Device

Management Capabilities

Configuration Manager 2007

Configuration Manager 2007 provides the following core device management capabilities for Windows Embedded CE and Windows Mobile devices:

 Device discovery.

 Provisioning of device software and settings.  Inventory of core device information.

 Retrieval of files and file information.

Configuration Manager 2012

Microsoft is incorporating additional features for Windows Mobile 6.1 and 6.5 devices for inclusion in Configuration Manager 2012, which have been

migrated from the System Center Mobile Device Manager 2008 platform. The following functions are included:

 Device policy management.  Application allow/deny.

 Encryption of data at rest on the device or memory card.  Device lock/wipe.

 OTA bootstrapping and software deployment.

Configuration Manager 2012 also enables remote administration of Exchange ActiveSync policies to devices that support these Exchange ActiveSync

(9)

Summary of Athena Device Management Extensions

The following tables summarize the core platform and value-added device management features enabled by the Athena device management extensions for Windows Mobile, Windows Embedded CE, Android, iOS (iPhone/iPad), Windows Phone 7, and BlackBerry smartphones for the Configuration Manager 2007 and 2012 platforms.

Table 1. Summary of core and Athena-enabled device management capabilities for the Configuration Manager 2007 platform

Core and extended mobile device management features for System Center Configuration Manager 2007

Device Management

Category

Mobile Device Management and Security Capabilities Windows CE Windows Mobile Windows Phone iOS Android BlackBerry Symbian

Other Exchange ActiveSync Enabled Devices (e.g HP WebOs) Report core device information (e.g. device type and device OS) Core+ Core+ Athena Athena Athena Athena Athena Athena Reporting of detailed device hardware, software and health information Athena Athena Athena Athena Athena Athena N/A N/A

Reporting of device location information Athena Athena Athena Athena Athena Roadmap N/A N/A

Reporting of device OS tampering (e.g. jailbreak, rooting) N/A N/A N/A Athena Athena N/A N/A N/A

Provision device policy settings through Exchange Active Sync N/A Athena Athena Athena Athena N/A Athena Athena

Provision core device policy settings through device agent Athena Core+ N/A Athena Athena Roadmap N/A N/A

Provision advanced device settings through device agent (e.g. device accounts and restrictions) Athena Athena N/A Athena N/A Roadmap N/A N/A

Automated provisioning of files and applications Core+ Core+ N/A N/A N/A N/A N/A N/A

Automated detection and repair of corrupt/missing files and missing applications Athena Athena N/A N/A N/A N/A N/A N/A

Full Remote device wipe through Exchange N/A Athena Athena Athena Athena N/A Athena Athena

Full or selective device wipe based on policy, device state, or on-demand through device agent Athena Athena N/A N/A N/A N/A N/A N/A

Selective device wipe (Files or Folders [WinCE/WinMo], PIM data [iOS]) Athena Athena N/A Athena N/A N/A N/A N/A

Remote device lock Athena Athena N/A Athena Athena Roadmap N/A N/A

Remote Control Athena Athena N/A N/A N/A Athena N/A N/A

Live access to device subsystems Athena Athena N/A N/A Athena Athena N/A N/A

Enterprise Mobile Library for self-service distribution of in-house applications, files, video, etc. N/A N/A Athena Athena Athena Roadmap N/A N/A Leverage mobile platform's push notification service to alert device users of new mobile library content N/A N/A Athena Athena Athena N/A N/A N/A Key: Core = Core feature included with System Center Configuration Manager 2007

Core+ = Core feature included with System Center Configuration Manager 2007 with additional features available through Athena device management extensions Athena = Extended feature enabled by Athena device management extensions to System Center Configuration Manager 2007

Roadmap = Planned near-term roadmap feature for Athena device management extensions to System Center Configuration Manager 2007 N/A = Feature not available

Mobile Library Reporting

Provisioning Software distribution Wipe & Lock

(10)

Table 2. Summary of core and Athena-enabled device management capabilities for the Configuration Manager 2012 platform

Core and extended mobile device management features for System Center Configuration Manager 2012

Device Management

Category

Mobile Device Management and Security Capabilities Windows CE Windows Mobile Windows Phone iOS Android BlackBerry Symbian

Other Exchange ActiveSync Enabled Devices (e.g HP WebOs)

Report core device information (e.g. device type and device OS) Core+ Core+ Core+ Core+ Core+ Athena Core Core

Reporting of detailed device hardware, software and health information Athena Athena Athena Athena Athena Athena N/A N/A

Reporting of device location information Athena Athena Athena Athena Athena Roadmap N/A N/A

Reporting of device OS tampering (e.g. jailbreak, rooting) N/A N/A N/A Athena Athena N/A N/A N/A

Provision device policy settings through Exchange Active Sync N/A Core Core Core Core N/A Core Core

Provision core device policy settings through device agent Athena Core N/A Athena Athena Roadmap N/A N/A

Provision advanced device settings through device agent (e.g. device accounts and restrictions) Athena Core N/A Athena N/A Roadmap N/A N/A

Automated provisioning of files and applications Core Core N/A N/A N/A N/A N/A N/A

Automated detection and repair of corrupt/missing files and missing applications Athena Athena N/A N/A N/A N/A N/A N/A

Full Remote device wipe through Exchange N/A Core Core Core Core N/A Core Core

Full or selective device wipe based on policy, device state, or on-demand through device agent Athena Athena N/A N/A N/A N/A N/A N/A

Selective device wipe (Files or Folders [WinCE/WinMo], PIM data [iOS]) Athena Athena N/A Athena N/A N/A N/A N/A

Remote device lock Athena Athena N/A Athena Athena Roadmap N/A N/A

Remote Control Athena Athena N/A N/A N/A Athena N/A N/A

Live access to device subsystems Athena Athena N/A N/A Athena Athena N/A N/A

Enterprise Mobile Library for self-service distribution of in-house applications, files, video, etc. N/A N/A Athena Athena Athena Roadmap N/A N/A Leverage mobile platform's push notification service to alert device users of new mobile library content N/A N/A Athena Athena Athena N/A N/A N/A Key: Core = Core feature included with System Center Configuration Manager 2012 platform

Core+ = Core feature included with System Center Configuration Manager 2012 platform with additional features available through Athena device management extensions Athena = Extended feature enabled by Athena device management extensions to System Center Configuration Manager 2012

Roadmap = Planned near-term roadmap feature for Athena device management extensions to System Center Configuration Manager 2012 N/A = Feature not available

Remote Assistance Mobile Library Reporting Provisioning Software distribution Wipe & Lock

(11)

Athena Extensions to Configuration Manager

The two primary components of the Athena device management extensions are management console extensions and an on-device agent.

Management Console Extensions

Management console extensions allow all Athena-enabled device

management capabilities to appear in the native Configuration Manager Administrator console as a “single pane of glass”. Athena’s management console extensions are constructed with navigation similar to the

Configuration Manager native user interface, minimizing training required to start using the Athena device management features. The console extensions supplement the scalability, security, and reliability of Configuration Manager.

On-device Agent

The Athena on-device agent is architected as an extensible engine, which contains individual plug-ins (service modules) that power Athena’s device management functions. Athena device management is designed for very low impact on device performance and battery life. All of Athena’s device

management capabilities are optimized for operation over any IP-based wired or wireless network including wireless wide area networks (WWAN) and

wireless local area networks (WLAN).

The Athena agent transmits collected data to Configuration Manager by calling .NET web services that are installed on the Management Point server. These .NET web services call the native Configuration Manager Management Point API to post device discovery, device hardware/software inventory, and health status to Configuration Manager’s SQL Server database.

(12)

Device Management

The Athena device management capabilities provide additional functionality and expand the native device management capabilities of Configuration Manager.

Windows Embedded CE and Windows Mobile Devices

The Athena agent can be deployed to Windows Mobile and Windows Embedded CE-based devices through a wide variety of methods. Some

methods include browsing with the device to a secure portal to download and install the Athena agent over-the-air, delivering and installing the Athena agent using the native Configuration Manager mobile client, or installing the Athena agent from a device memory card. Once the Athena agent is installed and running on a device, it will be automatically discovered by Configuration Manager and the device will appear in the applicable Configuration Manager collection(s).

Athena Tunnel Service

The Athena Tunnel Service is a client-initiated SSL tunnel with 2-way certificate-based authentication. The Athena Tunnel Service provides a secure path to connect to a mobile device and establish a live remote session. A session can be established across inherently private network connections such as GSM.

Inventory and Status

The on-device Athena agent periodically performs tasks such as collecting device hardware inventory, software inventory, network information and health status. The Athena agent also checks for available software

(13)

Athena Device Explorer

The Athena Device Explorer extensions to the Configuration Manager administrator console access data stored in SQL Server to provide a

comprehensive view of device hardware, software, and health information. The Athena Device Explorer also serves as the launch point for a live remote control/remote tools session for immediate diagnosis, troubleshooting, and repair of a connected mobile device.

Athena Device Explorer with Windows Mobile device (Configuration Manager 2007)

(14)

Athena Package Creation and Distribution

For software, settings, and application distribution, Athena provides wizard-based tools for package creation and distribution that are integrated into the Configuration Manager administrator console. Native Configuration Manager collections are leveraged to target packages for distribution, and the

packages are staged on Configuration Manager’s native distribution points for on-demand or scheduled pickup by a mobile device.

Athena Device Software Package Wizard (Configuration Manager 2007)

(15)

BlackBerry Smartphones

Management of BlackBerry smartphones with the Athena device

management extensions to Configuration Manager is designed to enhance the native device management capabilities of both Configuration Manager and the BlackBerry Enterprise Server. Athena’s key device management functions for BlackBerry smartphones are remote control/remote tools and hardware/software/health reporting.

Management of BlackBerry smartphones is identical to Athena’s management of Windows Mobile and Windows Embedded CE-based devices with the

following exceptions:

 The on-device Athena agent is deployed to BlackBerry

smartphones by browsing to a secure portal to download and install the Athena agent over-the-air, or by the BlackBerry

Enterprise Server deploying and installing the Athena agent on a BlackBerry smartphone.

 Software, settings, and application distribution to BlackBerry smartphones is accomplished through the native functions of the BlackBerry Enterprise Server.

Athena Device Explorer with BlackBerry smartphone (Configuration Manager 2007)

(16)

iOS (iPhone/iPad), Android and Windows Phone 7 Devices

The Athena agent for iOS, Android or Windows Phone 7 devices is downloaded by the device user from the Apple App Store, Android

Marketplace, or Windows Phone 7 Marketplace. User input of credentials automatically initiates device management.

Athena reports extended device hardware, software, and health information to Configuration Manager including installed applications, policies, memory, battery, and network information. Athena also detects and reports whether an iOS device is jailbroken, and whether rooting has been done on an Android device.

Athena Device Explorer with iPad (Configuration Manager 2007) Administrators can use this information to determine if a device is compliant and whether action should be taken to notify the device user or whether specific policies should be distributed to the device. Athena also periodically updates this information to the Configuration Manager database. This

prevents jailbreaking iOS devices or rooting Android devices after enrollment without detection.

Unique enterprise and device certificates used for authentication to corporate services are automatically provisioned to iOS and Android devices using the Simple Certificate Enrollment Protocol (SCEP).

Users can choose to have Athena periodically report the device’s current location to Configuration Manager. A breadcrumb trail of past locations is also maintained in the Configuration Manager database.

(17)

Configuration Manager to a remote iOS, Android, or Windows Phone 7 device. A selective wipe of PIM data (e-mail account and associated contacts,

calendar, e-mails, etc.) can also be invoked on iOS devices.

For iOS and Android devices, the Athena device management extensions include the Mobile Enterprise Library repository where enterprise resources such as applications, files, videos, links to other corporate resources, etc. can be stored for access by users. The Apple, Android, or Windows Phone 7 push notification services are used to alert users about the availability of new resources in the Mobile Enterprise Library or alert for other required device actions.

Athena Mobile Enterprise Library Manager (Configuration Manager 2007) The Athena device management extensions enable an administrator to

specify and invoke an extensive set of iOS, Android, or Windows Phone 7 policies directly from the Configuration Manager console. A summary of supported policies for these devices is included in Appendix A Policies.

(18)

Athena iOS Policy Configuration (Configuration Manager 2007)

Management of Nokia Mail for Exchange, HP webOS and other

Exchange ActiveSync-enabled devices

Odyssey Software has developed PowerShell extensions for Configuration Manager 2007, which enables Exchange ActiveSync policies to be specified and invoked on collections of Exchange ActiveSync-enabled devices from the Configuration Manager console to Exchange 2007/2010. Example Exchange ActiveSync mobile platforms include Nokia Mail for Exchange, and HP webOS-based devices. Core device information natively collected by Exchange is also reported through these extensions to the Configuration Manager 2007

database.

The Configuration Manager 2012 platform will natively include administration of Exchange ActiveSync policies to device platforms that support Exchange ActiveSync policies from the Configuration Manager console.

(19)

Detailed review of Athena Device Management Extensions

The following tables provide more detailed information about the value-added device management features enabled by the Athena device management extensions for Windows Mobile, Windows Embedded CE, Android, iOS

(iPhone/iPad), Windows Phone 7, and BlackBerry smartphones to the Configuration Manager 2007 and 2012 platforms.

Table 3. Supported Mobile Device Platforms using On-device Client/Agent or Extensions from Configuration Manager to Exchange ActiveSync

Feature Native Configuration

Manager 2007 Capability

Native Configuration Manager 2012

Capability

Athena-enabled Extensions for Configuration Manager 2007 and Configuration Manager 2012 Supported mobile devices utilizing on-device client/agent Windows Embedded CE 4.2, Windows Embedded CE 5.0 Pocket PC 2003, Windows Mobile 5, Windows Mobile 6 Windows Embedded CE 5.0 Windows Mobile 5, Windows Mobile 6.x

Windows Embedded CE 3.0 and newer, Pocket PC, Pocket PC 2002, Pocket PC 2003, Windows Mobile 5, Windows Mobile 6 and newer, Win32 including Windows XP Embedded, Windows Phone 7, Apple iOS 4.2 and newer (iPhone and iPad), Google Android 2.2 and newer, BlackBerry 4.3 and newer.

Remote administration of Exchange ActiveSync policies from the Configuration Manager console

-

Windows Mobile 5 Windows Mobile 6.x, Windows Phone 7, iOS (iPhone and iPad), Nokia Mail for Exchange, HP webOS, Android 2.2+ devices

Nokia Mail for Exchange and HP webOS devices.

Note: Athena extensions from Configuration Manager to Exchange are used only with Configuration Manager 2007 as Configuration Manager 2012 includes remote administration of Exchange ActiveSync policies.

(20)

Table 4. Detailed Table of Extended Capabilities enabled by Athena for Windows Mobile and Windows Embedded CE-based Devices

KEY

-

= Feature set not available

✔

= Core feature set available

✔+

= Enhanced feature set available Mobile

Platform Feature Manager 2007 Configuration

Mobile Device Client Configuration Manager 2012 Mobile Device Client

Athena-enabled extensions for Configuration

Manager 2007 and Configuration Manager 2012 Feature Athena

Pack Win d ows Mo b ile an d Wi n d ows E mb ed d ed CE

Bootstrap

_✔

₊

_{Athena’s on-device agent can be} downloaded and automatically installed using Pocket Internet Explorer to browse to a web location hosted within the Configuration Manager infrastructure. Athena can also automatically provision predefined applications, files, and settings to the device during the bootstrapping operation. De vic e Pr ovisi on in g

Device Discovery

_✔

₊

_{The Athena agent can replace or be} co-resident with the native or Configuration Manager client. The Athena agent replicates all of the native agent functionality including device discovery. Over-the-air deployment of device software and settings

✔

+

WLAN and WWAN

✔

+

WLAN and WWAN

(21)

Platform Manager 2007 Mobile Device Client Manager 2012 Mobile Device Client

Manager 2007 and Configuration Manager 2012 Feature

Pack Win d ows Mo b ile an d Wi n d ows E mb ed d ed CE Wizard-based tools to create and target packages to logical groups of devices. Updates are targeted to native Configuration Manager device collections

✔

De vic e Pr ovisi on in g Automatic detection and repair of corrupt or missing device files and applications (self-healing)

-

✔

+

Athena can automatically detect and repair incorrect, corrupt, or missing device files and applications. Athena is ideal to set and maintain desired device configuration management.

Automatic removal of files, or applications per a pre-determined schedule

-

✔

+

In addition to automatically taking actions to remove files or applications at a

pre-determined date and time, Athena also

includes removal metrics that are used to validate and report that the file or application has been successfully removed from the device.

Automatic updating of applications that are currently running

-

✔

+

Athena can automatically terminate a running application so that it can be updated, and then automatically launch the application when the update is complete.

(22)

Mobile

Pack Win d ows Mo b ile an d Wi n d ows E mb ed d ed CE Automatic updating of common runtimes (e.g. .NET Compact Framework and SQL Server Mobile)

-

✔

+

Athena automatically detects all applications utilizing common runtimes and terminates these applications for update.

De vic e Pr ovisi on in g Unattended (silent) software installation

-

✔

+

Athena software and settings update

packages can be configured for notification and/or acceptance by the device user, or for silent, unattended installation. Check for updates on-demand or on a pre-defined schedule

✔

+

Athena can be configured to check for updates periodically or on-demand, plus Athena can automatically wake a sleeping device to check for updates. Updates can be designated as

critical. Critical updates are processed ASAP rather than using a pre-defined schedule. Report status

and details of provisioning history

✔

+

Athena provides a rich set of detailed information about the current status and history of updates provisioned to a device including detailed error messages.

(23)

Pack Win d ows Mo b ile an d Wi n d ows E mb ed d ed CE Device hardware

inventory

✔

+

Athena provides extended device hardware details. Ass et Re p or ti n g Device software inventory

✔

+

Retrieve selected device files

✔

+

Retrieve selected device files and version information

✔

+

Athena provides detailed file version and attribute information utilizing a pattern-based file inventory scan. Device health information

✔

Provides basic battery and memory levels

✔

Provides basic battery and memory levels

✔

+

Athena provides status for extended battery, memory, and running processes on the device. Device network information

✔

Provides basic device MAC and IP address information

✔

Provides basic device MAC and IP address information

✔

+

Athena collects extensive information about all of the device’s network adapters including wired, WWAN and WLAN adapters. Device/network

performance information

-

✔

+

Athena provides graphical reporting of device memory, device power, network packet traffic, and wireless signal strength.

Custom reporting of device information

✔

+

Extended information collected by Athena is available in the database of the reporting tool. An extended set of predefined device reporting templates is available with Athena.

(24)

Mobile

Pack Win d ows Mo b ile an d Wi n d ows E mb ed d ed CE

Remote Control

_-

_✔

₊

_{Athena’s remote control functionality is} optimized for operation across low bandwidth, congested, high latency networks. Up to eight helpdesk personnel can concurrently remote control the same device. This feature simplifies collaboration in diagnosing and repairing

problems with remote devices. Video and macro recording are also available.

In te racti ve Su p p o rt Remote access to device file system

-

✔

+

Athena provides live, interactive access to the device’s file system enabling files to be copied, deleted, renamed, moved, and imported to/exported from the device in real time.

Remote access

to device registry

-

✔

+

Athena provides live, interactive access to the device’s registry enabling sophisticated registry searches, and registry keys to be copied, deleted, renamed, moved, modified and imported to/exported from the device in real time.

Remote access to system level functions

-

✔

+

Athena provides live, interactive access to system level functions such as

installing/uninstalling applications, start/stop device processes, and warm/cold device resets. Remote access

functions are operational over all wired and wireless IP-based connections

-

✔

+

Athena includes the Athena Tunnel Service, which provides a secure, robust device-initiated HTTPS communications link. The Athena Tunnel Service enables Athena’s Interactive Support functions to operate across all wired, wireless, or cradled connections.

(25)

Pack Win d ows Mo b ile an d Wi n d ows E mb ed d ed CE Current and historical device location information

-

✔

+

Provides detailed status about a device’s GPS module and satellite association information.

Po sit io n in g

-

✔

+

Offers remote access to current location of a device and historical (bread crumb) location information.

-

✔

+

Positional history can be collected based upon pre-determined distance changes and/or time intervals.

Device lock and

wipe

-

✔

+

Lock/wipe progression is fully configurable including sequence from locking with “power-on password” to “administrator password” to “wipe of specific registry keys/files/folders/storage cards”, to a complete device wipe.

Sec u ri ty E ss en ti al s

-

✔

+

Configurable device screens and/or audio files can automatically be played on the locked device.

-

✔

+

Lock actions survive a device reset.

-

✔

+

Lock/wipe actions can be initiated by an IT administrator remotely on-demand, or

automatically though a prescribed set of configurable “out-of-band” conditions.

-

✔

+

Phone operation can be permitted while a device is locked.

(26)

Mobile

Pack Win d ows Mo b ile Provides detailed phone status, utilization and messaging information

-

✔

+

Remotely access detailed information about a device’s phone status, WWAN signal strength, cell tower association, and carrier information.

Ph

on

e

-

✔

+

Provides information and statistics on incoming, outgoing, missed and dropped calls.

-

✔

+

Provides a summary of sent/received

e-mail, SMS and MMS messages.

Mo to ro la/ Sy mb ol d evic es Win d ows Mo b ile an d Wi n d ows E mb ed d ed CE -b as ed d evice s on ly Barcode Scanning and Smart Battery information for Symbol/ Motorola devices

-

✔

+

Manage integrated bar code scanners in most Symbol/Motorola Windows Mobile and Windows Embedded CE-based devices.

Bar co d e Scan n in g an d Sm ar t Bat te ry

-

✔

+

Configure, enable, and disable scanner features.

-

✔

+

Monitor scan statistics and raw input data.

-

✔

+

View and log smart battery information

such as serial number, date of manufacture, and charge cycles.

(27)

Table 5. Extended Device Management Capabilities enabled by Athena for iOS, Android, Windows Phone 7, and BlackBerry Smartphones

Key:

-

= Feature set not available

✔ = Core feature set available

✔+ = Enhanced feature set available

Mobile

Platform Feature Configuration Native

Manager 2007 capability Native Configuration Manager 2012 capability

Athena-enabled extensions for Configuration Manager 2007 and Configuration Manager 2012 iO S 4.x an d n ew er (i Ph o n e/ iPad ) Simplified _Enrollment with Active Directory Integration N/A as there is no native Configuration Manager client for iOS. N/A as there is no native Configuration Manager client for iOS.

✔+ Device user downloads Athena agent from Apple App Store,

inputs credentials (username, password and domain) to

automatically bring the device under management.

Extended hardware and software inventory

-

✔

+

Upon enrollment, Athena reports extended hardware and software inventory including installed applications, policies,

memory, battery, and network information. Administrators can use this information to determine if a device is compliant (e.g. a

required password policy is in force on the device) and whether action should be taken to notify the device user or whether specific policies should be distributed to the device. Athena also

periodically reports this information to the Configuration Manager database.

(28)

Mobile Platform Feature Native Configuration Manager 2007 capability Native Configuration Manager 2012 capability

Athena-enabled extensions for Configuration Manager 2007 and Configuration Manager 2012 iO S 4.x an d new er (i Ph o n e/ iPad ) Jailbreak detection and reporting

-

✔

+

Upon enrollment, Athena detects and reports whether a device is jailbroken. Administrators can use this information to determine if a device is compliant (e.g. jailbroken devices are not allowed to access enterprise resources) and whether action should be taken to notify the device user, or whether specific policies should be distributed to the device. Athena also periodically reports this information to the Configuration Manager database so that devices cannot be jailbroken without detection.

Automatic provisioning of certificates

-

✔

+

Upon enrollment, unique enterprise and device certificates are automatically provisioned to the device using the Simple Certificate Enrollment Protocol (SCEP). These certificates are used for authentication to corporate services.

Zero-touch

management

-

✔

+

Updates such as hardware and software inventory, and jailbreak status are reported by Athena to Configuration Manager without user intervention.

Find my phone and location history

-

✔

+

Device users can choose to allow Athena to periodically report the device’s current location to Configuration Manager. A breadcrumb trail of past locations is maintained in the Configuration Manager database.

(29)

Platform Configuration Manager 2007 capability Configuration Manager 2012 capability Configuration Manager 2012 iO S 4 .x a nd new er (iP hon e/ iP ad ) Remote lock and wipe – full or selective

-

✔

Full remote wipe action can be implemented through Exchange ActiveSync from the Configuration Manager console.

✔

+

Athena enables a device lock or wipe command to be issued directly from Configuration Manager to a remote device. In

addition, a selective wipe of PIM data (e-mail account and associated contacts, calendar, e-mails, etc.) can also be invoked (no Exchange ActiveSync required).

Self-service software distribution via Enterprise Mobile Library

-

✔

+

Included with the Athena device management extensions is an Enterprise Mobile Library repository where enterprise resources such as applications, files, videos, links to other corporate

resources, etc. can be stored for access by device users. Utilizes push

notifications

-

✔

+

The Apple push notification service is used to alert device users about the availability of new resources in the Enterprise App Store or other required device user actions.

(30)

Athena-enabled extensions for Configuration Manager 2007 and Configuration Manager 2012 iO S 4 .x a nd new er (iP hon e/ iP ad ) Specify and invoke all native iOS policies

-

✔

Supported Exchange ActiveSync policies can be specified and deployed from the Configuration Manager console.

✔

+

Athena leverages the native iOS 4 MDM API which enables an administrator to specify and invoke the native iOS policies directly from the Configuration Manager console (no Exchange ActiveSync required).

Note: A summary of supported iOS policies in is included in Appendix A iOS Policies.

An d ro id 2.2 an d new er Simplified Enrollment with Active Directory Integration N/A as there is no native Configuration Manager client for Android. N/A as there is no native Configuration Manager client for Android.

✔+ Device user downloads Athena agent from Android Market,

inputs credentials (username, password and domain) to

automatically bring the device under management Extended

hardware and software inventory

-

✔

+

memory, battery, and network information. Administrators can use this information to determine if a device is compliant (e.g.

password policy is required on the device) and whether action should be taken to notify the device user or whether specific

policies should be distributed to the device. Athena also periodically reports this information to the Configuration Manager database.

(31)

Platform Configuration Manager 2007 capability Configuration Manager 2012 capability Configuration Manager 2012 An d ro id 2.2 an d new er Rooting detection and reporting

-

✔

+

Upon enrollment, Athena detects and reports rooting of an Android device. Administrators can use this information to

determine if a device is compliant (e.g. Android devices with rooting are not allowed to access enterprise resources) and whether action should be taken to notify the device user, or

whether specific policies should be distributed to the device. Athena also periodically reports this information to the Configuration

Manager database so that rooting of Android devices cannot be done without detection.

Automatic provisioning of certificates

-

✔

+

Upon enrollment, unique enterprise and device certificates are automatically provisioned to the device using the Simple Certificate Enrollment Protocol (SCEP). These certificates are used for authentication to corporate services.

Zero-touch

management

-

✔

+

Updates such as hardware and software inventory, and jailbreak status are reported by Athena to Configuration Manager without user intervention.

Find my phone and location history

-

✔

+

Device users can choose to enable Athena to periodically report the device’s current location to Configuration Manager. A breadcrumb trail of past locations is maintained in the Configuration Manager database.

(32)

Athena-enabled extensions for Configuration Manager 2007 and Configuration Manager 2012 An d ro id 2.2 an d new er Remote lock

and wipe

-

✔

Full

remote wipe action can be implemented through Exchange ActiveSync from the Configuration Manager console.

✔

+

Athena enables a device lock or wipe command to be issued directly from Configuration Manager to a remote device (no

Exchange ActiveSync required).

Self-service software distribution via Enterprise Mobile Library

-

✔

+

resources, etc. can be stored for access by device users. Utilizes push

notifications

-

✔

+

The Google Cloud to Device Messaging (C2DM) push notification service is used to alert device users about the

availability of new resources in the Enterprise App Store or other required device user actions.

(33)

Platform Configuration Manager 2007 capability Configuration Manager 2012 capability Configuration Manager 2012 An d ro id 2.2 an d new

er Specify and _{invoke all}

native Android policies

-

✔

+

Athena enables an administrator to specify and invoke the native Android policies directly from the Configuration Manager console (no Exchange ActiveSync required).

Note: A summary of supported Android 2.2 policies in is included in Appendix A Android 2.2 Policies.

Win d ows Ph on e 7 Simplified Enrollment with Active Directory Integration N/A as there is no native Configuration Manager client for Windows Phone 7. N/A as there is no native Configuration Manager client for Windows Phone 7.

✔+

Device user downloads Athena agent from Windows Phone 7 Market, inputs credentials (username, password and domain) to automatically bring the device under management.

Extended hardware and software inventory

-

✔

+

memory, battery, and network information. Administrators can use this information to determine if a device is compliant (e.g. a

required password policy is in force on the device) and whether action should be taken to notify the device user or whether specific policies should be distributed to the device. Athena also

periodically reports this information to the Configuration Manager database.

(34)

Athena-enabled extensions for Configuration Manager 2007 and Configuration Manager 2012 Win d ows P hon e 7 Find my phone and location history

-

✔

+

Device users can choose to enable Athena to periodically report the device’s current location to Configuration Manager. A breadcrumb trail of past locations is maintained in the Configuration Manager database.

Remote wipe

_-

_✔

_Full remote wipe action can be implemented through Exchange ActiveSync from the Configuration Manager console.

✔

Athena enables a device wipe command to be issued directly from Configuration Manager to a remote device (Exchange ActiveSync is required). Self-service software distribution via Enterprise Mobile Library

-

✔

+

(35)

Platform Configuration Manager 2007 capability Configuration Manager 2012 capability Configuration Manager 2012 Win d ows Ph on e 7 Specify and invoke all native Windows Phone 7 policies

-

✔

Athena enables an administrator to specify and invoke the native Windows Phone 7 policies directly from the Configuration Manager console (Exchange ActiveSync is required).

Note: A summary of supported Windows Phone 7 policies is included in Appendix A Windows Phone 7 Policies.

Bl ack B er ry 4 .3 an d n ew er

Bootstrap N/A as there is no native Configuration Manager client for BlackBerry. N/A as there is no native Configuration Manager client for BlackBerry.

✔+

Athena’s on-device agent can be downloaded and

automatically installed by browsing with Pocket Internet Explorer to a secure portal hosted within the Enterprise. Alternately, the

Athena agent can be deployed by the BlackBerry Enterprise Server. Device

Discovery

-

✔

+

The Athena device management extensions for Configuration Manager enable automatic discovery of BlackBerry smartphones with the on-device Athena agent.

Smartphone hardware and software inventory

-

✔

+

Athena reports hardware, software, and device health information to Configuration Manager. This information includes platform/processor details, display, memory, power, and installed applications details.

Smartphone network information

-

✔

+

Athena reports detailed information about the smartphone’s WLAN and WWAN connections.

(36)

Athena-enabled extensions for Configuration Manager 2007 and Configuration Manager 2012 Bl ack B er ry 4 .3 an d ne w er Remote

Control

-

✔

+

Athena’s remote control functionality is optimized for

operation across low bandwidth, congested, high latency networks. Up to eight helpdesk personnel can concurrently remote control the same smartphone. This feature simplifies collaboration in

diagnosing and repairing problems with remote smartphones. Video and macro recording are also available.

Remote access to smartphone modules

-

✔

+

Athena enables remote access to view module details, and to install or remove modules from the smartphone.

Remote access to smartphone network information

-

✔

+

Athena provides live access to view detailed information about the remote smartphone’s network connection(s).

Remote access to system information

-

✔

+

Athena provides live access to view detailed information about the remote smartphone’s system information.

Remote access functions are operational over all wireless connections

-

✔

+

The Athena Tunnel Service provides a secure, robust smartphone-initiated HTTPS communications link. The Athena Tunnel Service enables the Athena Interactive Support functions to operate across all wired, wireless, or cradled connections.

(37)

Appendix A Policies

iOS Policies

Accounts

 Exchange ActiveSync  IMAP/ POP email  VPN  Wi-Fi  LDAP  CalDAV  CardDAV  Subscribed calendars

Policies

 Require passcode  Allow simple value

 Require alphanumeric value  Passcode length

 Number of complex characters  Maximum passcode age

 Time before auto-lock

 Number of unique passcodes before reuse  Grace period for device lock

(38)

 Number of failed attempts before wipe  Control Configuration Profile removal by user

Restrictions

 App installation  Camera

 Screen capture

 Automatic sync of mail accounts while roaming  Voice dialing when locked

 In-application purchasing

 Require encrypted backups to iTunes  Explicit music and podcasts in iTunes

 Allowed content ratings for movies, TV shows, apps  Safari security preferences

 YouTube  iTunes Store  App Store  Safari

Other settings

 Certificates and identities  Web Clips

(39)

Android 2.2 Policies

 Lock now

 Reset password

 Set maximum failed passwords for wipe  Set maximum inactivity time to lock  Set password minimum length  Set password quality

 Wipe data1

 Password expiration (number of days)2

 Password history (max number of past passwords stored)2  Password complex characters required2

 Data Encryption2

Notes:

1 - Wipes user data on device; does not wipe memory (SD) card 2 - Android 3.0 required

(40)

Windows Phone 7 Policies

 Password required

 Set minimum password length

 Set maximum failed passwords for wipe  Set maximum inactivity time to lock  Allow simple password

 Password expiration (number of days)

 Password history (max number of past passwords stored)  Disable removable storage

 Disable infrared data connections  Disable desktop sync

 Block remote desktop  Block internet sharing  Wipe Data

DEVICE MANAGEMENT EXTENSIONS

Document Information

Table of Contents

Introduction

Athena License Migration Program

Summary of Athena Benefits for IT

Professionals

Athena and Configuration Manager Architecture

Native Configuration Manager Device

Management Capabilities

Configuration Manager 2007

Configuration Manager 2012

Summary of Athena Device Management Extensions

Athena Extensions to Configuration Manager

Management Console Extensions

On-device Agent