A slight departure from the usual virtualization related articles on the blog. Recently I finished up a Windows Mobile deployment for about 350 users and wanted to share some of the lessons learned. Some will be obvious and some could be eye openers. This will be posted in multiple parts, follow ups will be posted in the coming days probably.
- Select a platform. Whether it is Blackberry, iPhone or Windows Mobile choose a platform and stick to it. Windows Mobile was chosen in this project for the integration features that it has with Exchange 2007, Dynamics CRM and Sharepoint. Be aware that there is no management tooling available at the moment for iPhone deployments (at least none that I have seen so far for business environments I would not recommend those).
- Limit the amount of types of handsets (brands and models). Not limiting this will make managing the handsets a very labor intensive job because each update that you do has to be tested on each different type of handset and mobile phone vendors do not adhere to a strict update schedule throughout their range for the Windows Mobile software as well as the mobile devices themselves. Just look at the speed at which HTC pushes out new models (and subsequently declares the old ones EOL – End of Life).
- Either make a special arrangement with a vendor about device availability and lifespan (usually only possible when you are talking really high volume) or prepare to have to switch device models roughly each year. This is also related to the point made above: not limiting the amount of different device models results in an uncontrollable growth of the amount of configuration profiles that you need to maintain in your management layer.
- Select a management tool for phone configuration and management. Key functionality is:
- Ability to remote wipe
- Ability to configure “self-destruct” mechanism
- Ability to authorize users
- Ability to control the availability of applications and functions on the device. For business or security reasons it could be necessary to have to ability to switch off things like the camera, games, Internet etc.
- Ability to push configuration changes, updates en new apps over the air (OTA)
- Ability to lock down the phone preventing the user from installing his own software
- An application that does this all (and a lot more) is iAnywhere Afaria from Sybase. There are several others that you can find with a bit of Google searching like System Center Mobile Device Manager from Microsoft and Cloudsync.
- Select a management tool that also supports locking down your Outlook Web Access. The OWA functionality usually has to be internet facing to provide webmail functionality to your remote users. OWA is also used however to sync the devices and therefore can be configured by anyone who has an Exchange capable phone and a network account. All the security in the world on the company devices will not stop an infection if it is caused by an unauthorized device that connects and syncs through this functionality.
- Be aware that most phones have a hard reset function. This erases all the software and data on the phone returning it to factory default mode. This will also kill any security software that was installed. If you have not prevented synchronization of unauthorized devices than it will be tempting for users to get rid of that pesky security software by performing a hard reset. Company security policies can prevent this to a degree but it is better to take this into account when planning the deployment.
I will write about implementation and related subjects in a follow-up post as well as add to the above subjects should anything pop into my head during that time.