Windows Mobile as secure as Blackberry – are you joking?

At TechEd US 2008 this year I’m presenting a session which is called – ‘Windows Mobile as secure as Blackberry – are you joking’

I wanted to cover this topic as there is so much FUD out there on the Windows Mobile Security story. 

Sorry – FUD – That’s Fear Uncertainty and Doubt (off topic but I recently discovered that FUD means something very different in Scotland – please Live Search this off your Corporate Network – I take no responsibility for any offence caused).

I’m starting to collate my content for this session but I thought I’d ask those of you who read my blog what issues/topics you thought I should include?

Comments (10)
  1. MobileAdmin says:

    Jason, love your blog as you have a good pulse on things mobility and I’d love to see this presentation, but you are not going 1-1 with BES.  Windows Mobile against Exchange only is not as secure as Blackberry against BES.  Your policies are limited, and there is NO reporting or asset management through Exchange unless you want to parse out IIS logs.

    Yes with System Center 2007 Device Manager you approach what BES does but at that point your TCO is double that of a BES CAL.  Device manager should be PART of exchange and not SC2007 and an extra expense.

    If anyone would, you might know this... will SCDM support the iPhone?

  2. Dieter Bohn says:

    Hey Jason –

    I’d love to see a point-by-point head to head between BES and MSCMDM as well.  I’d also love to hear about on-device encryption.  We had a question about this very topic on our last podcast:

    …and both Malatesta and myself weren’t able to fully answer the question about what happens when somebody steals your WinMo phone, pulls the battery before you can wipe, then takes it apart and starts going after the memory chips.  Basically when on-device encryption hits on WM6.1, how strong will it be and how much will it affect performance.  Also — will on-device encryption be made available to people without MSCMDM?

  3. Greg Lowe says:

    Jason, sorry I’m going to miss your presentation, but believe that it is important to address the need to have a direct connection into the network is still better than relying on a 3rd party NOC 😉

  4. kla says:

    MobileAdmin – SCMDM won’t support the iPhone, at least not for a long time.  The 6.1 devices that are compatible have a client built into them.

    I’m not even sure if the iPhone complies with any OMA DM standards?

    As you may know they are releasing the enterprise model, but this just means it will have EAS support, not too sure if any of the EAS DM stuff will work on it.


    You should bring up the fact that MSCMDMS can be run locally and in house, and the everlasting problem of all BES users’ mail going through global servers (and being cached?) is a massive flaw.

    The on-device-encryption is always going to be a problem, unless they start holding the keys on the server instead of the device.. Which makes the term ‘mobility’ pretty redundant.

    Even companies that solely focus on security still hold the keys on the device, and rightly so; it doesn’t make any sense to have a mobile device whose data can’t even be read by the server.

    I’d also like to hear about the control enterprises have over the device. There is a plethora of software out there that companies can use to their advantage; with BES this is pretty limited. I think I remember one of the guys in house here who used to work on BES saying that if you want software installed on a BB it has to be sent off to RIM and signed?

    I think basically as it stands Blackberry may be more secure at the moment, but solely because of the number of unmanaged Windows Mobile devices out there.  The potential is there for WM to be quite restrictive, more so than BB.  It’s just not like that out of the box!

  5. kla says:

    Not to mention IPSEC.  It’s so bloody secure you can’t troubleshoot problems… this is the main frustration I’m finding with MDM.  If something’s going wrong in the tunnel it’s pretty hard to pinpoint.

  6. Rishi Shah says:

    Why not mention that even if you went for the poor man’s version and only used Exchange 2003 or 2007 without SCMDM the over the air encryption can be changed to the much stronger TLS without any additional components, as this works even if the device is connecting directly to the front-end Exchange server (or CAS for 2007) or being proxied via an ISA.

  7. Simon H says:

    Really like Windows Mobile and have had this implemented in the enterprise but as for accreditation for security try ‘CESG Blackberry’  Windows Mobile is still not approved for protectively marked information in the UK.  Once it does then Hooray!

  8. MobileAdmin says:

    The lack of MDM for iPhone will be a disappointment.  I’m in the 2.0 beta and it’s very basic security and not quite what Windows Mobile 5.0 MSFP offered.

    With BES 4.1 and later you pretty much have a policy via BES to control / lock down every aspect of the device if you choose.

    The code signing has nothing to do with 3rd party applications but more so with internally developed that you wish to put on the Blackberry.  I believe the current cost is $25 per company to have a signed java key.

  9. djcreedy says:

    The security can be tweaked.  Are you using the mmc to change the policies on the device? (You must manually add the mobile templates to your mmc.)

    There is quite a lot of settings to play with there.

    BB of course will be easier to secure, but I’d attribute this to it being limited from the word go.  It is much easier to play around with WM settings, as we pretty much have open access to the whole device.

    You can lock down pretty much any aspect of the WM device you choose; even without MDM it’s possible to create a completely secure SOE with only basic desktop tools. Notepad.exe being the key player. The underlying XML CSPs that were even in ppc2003 and WM5 allow for a massive amount of control even from a humble cab file.

  10. Paul Ockenden says:

    Can I suggest something NOT to mention – that’s the ‘number of policies’ war that seems to be going on. You guys continually adding more, and my RIM contacts pointing out that they’ve still got more. It’s getting silly, and no one cares about quantity – it’s quality that’s important.

    The NOC vs. direct argument is important, from a security POV. There are good arguments on both sides, but I doubt you’re looking for ideas to present a balanced comparison!  😉

