MDM and Microsoft Certification Authorities
2/9/2009
System Center Mobile Device Manager works directly with existing Microsoft certification authorities for client and server certificate signing. If no current Public Key Infrastructure (PKI) is in place, or if you want to maintain a separate certification authority for device authentication, you can add a Microsoft enterprise certification authority. The Windows Server 2003 Enterprise Edition operating system certification authority is the only supported issuing certification authority for MDM.
MDM uses certificates extensively on all server roles. For example, it uses certificates for the following functionality:
- For remote authentication of Windows Mobile devices.
- To ensure confidentiality and protect against tampering in administrative communication between client and server.
- For server-to-server authentication and communication confidentiality.
- To help protect servers against malicious configuration attacks.
Certificate use with MDM provides the following benefits:
- Data is transferred confidentially between servers and managed devices: encryption prevents data exposure over public Internet links.
- Servers and managed devices verify the identity of one another by using mutual authentication during communication.
- MDM Gateway Server uses the device certificate to authenticate the device. The device uses the MDM Gateway Server certificate to authenticate the server, and then generates an Internet Protocol security (IPsec) connection. To authenticate line-of-business (LOB) applications and help provide end-to-end security, the managed device should use another certificate, or an authentication or encryption mechanism (such as Secure Sockets Layer) in addition to the IPsec-encrypted tunnel to the MDM Gateway Server.
Public Key Infrastructure
A PKI consists of the following basic components:
- Digital certificates
- Certification Authorities
- Certificate policy and practice statements
- Certificate repositories
- Certificate revocation lists (CRL)
- Certificate trust lists (CTL)
- Key archival and recovery
- Public key standards
For information about PKI, see the PKI documentation:
- Public Key Infrastructure for Windows Server 2003 Enterprise Edition. For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=68943.
- Designing a Public Key Infrastructure (March 2003). For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=78391.
- Best Practices for Implementing a Windows Server 2003 Enterprise Edition Public Key Infrastructure. For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=22667.
Certificates
MDM uses certificates from your existing Public Key Infrastructure (PKI).
Windows Server 2003 Enterprise Edition certification authority is the only fully supported certification authority for MDM. Its automatic enrollment and certificate renewal capabilities are key to providing the best end-user experience during MDM enrollment.
Note
When you introduce a Windows Server 2003 Enterprise Edition certification authority into a production environment, server certificates are issued to domain controllers.
You must put one Enterprise Root certification authority at the root of the PKI infrastructure. Set the root certification authority's expiration time so that renewal is not needed, because the root certification authority cannot be renewed on Windows Mobile devices. We recommend that you follow the best practices for PKI as outlined in the PKI documentation:
- Public Key Infrastructure for Windows Server 2003. For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=68943.
- Designing a Public Key Infrastructure (March 2003). For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=78391.
- Best Practices for Implementing a Windows Server 2003 Public Key Infrastructure. For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=22667.
We also recommend that you deploy at least one offline root certification authority and one subordinate (issuing) certification authority. Depending on your deployment, this might include one or more of the following:
- Active Directory directory service (Windows Server 2003 forest and domain functional levels)
- Microsoft Domain Name System (DNS), correctly deployed and configured
- Certification authority running Windows Server 2003 Enterprise Edition operating system
- At least one global catalog server in the same Active Directory site as the MDM servers
- Microsoft SQL Server 2005 Service Pack 1 (SP1), local or remote to the MDM Device Management Server
MDM Certificate Templates
The following certificate templates are created during the installation of each MDM instance. You can view these templates in the Certificate Templates MMC snap-in.
For more detailed information about these templates, see Manual Certificate Procedures in the MDM Deployment Guide.
SCMDMGCM (<Instance Name>)
MDM uses the SCMDMGCM template for digital signature and encryption.
The following shows information about this template.
Extensions | Client authentication
Validity | Two years
Automatic renewal? | No
Publish to Active Directory? | No
SCMDMMobileDevice (<Instance Name>)
MDM uses the SCMDMMobileDevice template for digital signature and encryption.
The following shows information about this template.
Extensions | Client authentication
Validity | One year
Automatic renewal? | Yes
Publish to Active Directory? | Yes
SCMDMWebServer (<Instance Name>)
MDM uses the SCMDMWebServer template for digital signature and encryption.
The following shows information about this template.
Extensions | Server authentication
Validity | Two years
Automatic renewal? | No
Publish to Active Directory? | No
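As an added example that is not part of the MDM documentation, the following PowerShell script audits certificates in the local machine store against the three template tables above: it checks that each certificate carries the expected Client or Server Authentication EKU, that its lifetime matches the template validity, and it flags certificates from the two non-auto-renewing templates (SCMDMGCM and SCMDMWebServer) that are close to expiry. The instance name "Contoso" is a placeholder, and matching templates by the text of the Certificate Template Information extension is an assumption of this script.

```powershell
# Added example, not from the MDM documentation. Run on a Windows host that holds
# MDM certificates in Cert:\LocalMachine\My. "Contoso" is a placeholder instance name.
$InstanceName = 'Contoso'
$WarnDays     = 60          # flag non-renewing certificates expiring within this window

# Expected settings taken from the template tables (EKU OIDs: 1.3.6.1.5.5.7.3.2 =
# Client Authentication, 1.3.6.1.5.5.7.3.1 = Server Authentication).
$Expected = @{
    "SCMDMGCM ($InstanceName)"          = @{ Eku = '1.3.6.1.5.5.7.3.2'; Years = 2; AutoRenew = $false }
    "SCMDMMobileDevice ($InstanceName)" = @{ Eku = '1.3.6.1.5.5.7.3.2'; Years = 1; AutoRenew = $true  }
    "SCMDMWebServer ($InstanceName)"    = @{ Eku = '1.3.6.1.5.5.7.3.1'; Years = 2; AutoRenew = $false }
}

function Get-TemplateText($Cert) {
    # Template Name (V1, OID 1.3.6.1.4.1.311.20.2) or Certificate Template Information
    # (V2, OID 1.3.6.1.4.1.311.21.7). Assumption: the formatted text contains the template name.
    $ext = $Cert.Extensions | Where-Object {
        '1.3.6.1.4.1.311.20.2', '1.3.6.1.4.1.311.21.7' -contains $_.Oid.Value }
    if ($ext) { $ext.Format($false) } else { '' }
}

function Get-EkuOids($Cert) {
    # Enhanced Key Usage extension (OID 2.5.29.37), returned as a list of OID strings.
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    if ($ext) {
        ([System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]$ext).EnhancedKeyUsages |
            ForEach-Object { $_.Oid.Value }
    }
}

foreach ($cert in Get-ChildItem Cert:\LocalMachine\My) {
    $tplText = Get-TemplateText $cert
    $name = $Expected.Keys | Where-Object { $tplText -like "*$_*" } | Select-Object -First 1
    if (-not $name) { continue }          # not issued from an MDM template
    $want   = $Expected[$name]
    $issues = @()
    if ((Get-EkuOids $cert) -notcontains $want.Eku) { $issues += "EKU $($want.Eku) missing" }
    $lifetime = ($cert.NotAfter - $cert.NotBefore).TotalDays
    if ([math]::Abs($lifetime - 365 * $want.Years) -gt 31) {
        $issues += "lifetime $([int]$lifetime) days, template validity is $($want.Years) year(s)"
    }
    $left = ($cert.NotAfter - (Get-Date)).Days
    if (-not $want.AutoRenew -and $left -le $WarnDays) {
        $issues += "expires in $left days and the template does not auto-renew"
    }
    [pscustomobject]@{ Template = $name; Thumbprint = $cert.Thumbprint
                       NotAfter = $cert.NotAfter; Issues = ($issues -join '; ') }
}
```

Certificates reported with a non-empty Issues column are the ones to renew or reissue by hand using the Manual Certificate Procedures referenced above.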
Additional Resources
Windows Server 2003 PKI information
- For information about how to plan, configure, and implement a Windows Server 2003 Enterprise Edition PKI, see Securing Wireless LANs - A Windows Server 2003 Certificate Services Solution, at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=111414.
- For more information about how to design a PKI, see Public Key Infrastructure for Windows Server 2003 at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=111418.
Security and Windows Mobile Devices
- For more information about security on Windows Mobile devices, see Security Model for Windows Mobile 5.0 and Windows Mobile 6, at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=89639.
See Also
Concepts
Validating Communications within an MDM Instance
Configure a Certification Authority for MDM