When Microsoft introduced the latest version of its Windows Mobile phone
platform, it also released a new server tool to help administrators manage
handsets more effectively. However, only the newest handsets include support for
this, so companies already using Windows Mobile with Exchange will have to run
both systems in parallel until they have replaced all existing devices.
Windows Mobile 6.1 was unveiled at the beginning of April, adding a number of key
improvements over last year’s version 6 release. As well as user interface
tweaks, these include a new virtual private network (VPN) client and support for
a new management tool, Microsoft System Center Mobile Device Manager (MDM).
With earlier versions of Windows Mobile, management of the handset is via a
company’s Exchange mail server. However, customers said they needed a better
solution for securing devices, and one that could scale to cope with a large
number of handsets, according to Microsoft.
“There’s been a huge growth in mobile line-of-business solutions, and
organisations need some way to manage and secure the devices for this,” said
Jason Langridge, UK mobility business manager for Microsoft. He added that IT
departments wanted to be able to manage mobile devices with the same processes
used for PCs.
MDM enables companies to do this, effectively bringing mobile handsets under
the control of Group Policy in Active Directory.
Among other features, this lets administrators lock down the Bluetooth and
Wi-Fi interfaces on the handset, and govern whether users can send text messages
or email, as well as enable or disable any built-in camera.
It also supports device inventory and reporting, over-the-air application
deployment, remote wipe of lost or stolen phones, and control over which
software applications may run on company handsets.
But only Windows Mobile 6.1 includes the client agent required to link with
MDM, and devices based on this are not set to ship until this summer. Upgrades
are expected to be available for some existing Windows Mobile 6 handsets, but it
will be up to the individual vendor to offer this, according to Microsoft.
Organisations using older versions of Windows Mobile will have to continue to
manage these via their Exchange server, according to Microsoft, while MDM is
recommended for new mobile deployments. However, the advanced features of MDM
may not make it a necessity for every company, according to Langridge.
“If you’re just using handsets for mobile messaging, Exchange is still
perfectly OK, Mobile Device Manager is for if you want to deploy applications,”
he said.
Companies looking to use MDM with an existing fleet of devices can either
upgrade them to 6.1 if this is an option, or simply continue managing them with
Exchange until they are refreshed with newer models, he advised.
However, another option is to use System Center Configuration Manager 2007,
according to Langridge. Previously known as Systems Management Server (SMS),
this does not deliver Active Directory integration or the VPN support, but does
provide management and access to applications.
MDM itself runs on the 64-bit edition of Windows Server 2003 with SP2, and
requires a server with at least 2GB of memory and two processors clocked at 2GHz
or above. However, it depends on other Microsoft infrastructure to function,
including a Microsoft SQL Server, a Gateway server and an Enrolment server. It
must also be part of a domain with at least one Active Directory Domain
Controller, although this last requirement in particular is infrastructure that
most companies will already have deployed anyway.
“You only strictly need two servers for a mobile deployment: the Gateway
server located in the DMZ, and the MDM management server itself on the inside of
the firewall,” said Langridge.
The Gateway provides the VPN connection to mobile devices using IPsec
encryption, while all traffic along this link is also SSL-encrypted, making up
what Microsoft terms “double-envelope security”.
This forms a secure tunnel between the handset and the corporate
infrastructure behind the firewall. However, additional authentication may be
required to access individual applications.
According to Langridge, MDM itself has been designed so that a single server
can support tens of thousands of users, addressing the scalability issues that
have been seen as a drawback of using Exchange for large corporate deployments.
Finally, MDM is based on the Open Mobile Alliance’s protocol for device
management (OMA DM). In principle, this means there is nothing to stop MDM being
used to manage non-Microsoft handsets, another factor that has counted against
Exchange.
Langridge was uncertain whether this is something that Microsoft would
actively support, but said there was nothing to stop a vendor such as Nokia from
adding an MDM-compatible client to its handsets.
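As an added illustration of what managing a handset over OMA DM involves (this is example code written for this page, not Microsoft’s MDM implementation or any vendor’s client), the following Python builds the server’s SyncML Get for the standard OMA DM DevInfo nodes and validates the handset’s reply before using it as inventory. The server URL, the device identifier and the device replies are constructed placeholders, not captures from a real device.

```python
"""Illustrative OMA DM (SyncML 1.2) inventory exchange.

Added example, not code from Microsoft MDM or any handset vendor: a
management server asks a device for the standard DevInfo nodes and checks
the reply before trusting it. Server URL, device ID and replies are
constructed placeholders.
"""
import xml.etree.ElementTree as ET

NS = "SYNCML:SYNCML1.2"
NSMAP = {"s": NS}
SERVER_URI = "https://mdm.example.invalid/dm"   # placeholder, not a real endpoint
DEVICE_ID = "IMEI:004401000000001"              # placeholder device identifier
# Nodes every OMA DM client exposes; no vendor-specific paths are assumed.
DEVINFO_NODES = ("./DevInfo/DevId", "./DevInfo/Man", "./DevInfo/Mod", "./DevInfo/DmV")


def build_get(session_id, msg_id, device_id, uris, cmd_id=1):
    """Server -> device: one Get command listing the DM-tree nodes wanted."""
    root = ET.Element("SyncML", xmlns=NS)
    hdr = ET.SubElement(root, "SyncHdr")
    ET.SubElement(hdr, "VerDTD").text = "1.2"
    ET.SubElement(hdr, "VerProto").text = "DM/1.2"
    ET.SubElement(hdr, "SessionID").text = str(session_id)
    ET.SubElement(hdr, "MsgID").text = str(msg_id)
    ET.SubElement(ET.SubElement(hdr, "Target"), "LocURI").text = device_id
    ET.SubElement(ET.SubElement(hdr, "Source"), "LocURI").text = SERVER_URI
    body = ET.SubElement(root, "SyncBody")
    get = ET.SubElement(body, "Get")
    ET.SubElement(get, "CmdID").text = str(cmd_id)
    for uri in uris:
        item = ET.SubElement(get, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


def parse_reply(xml_text, msg_ref, cmd_id, requested):
    """Device -> server: verify the Status elements, then collect Results.

    The reply is untrusted input from the handset: a missing header ack, a
    non-200 status, an unrequested node or a missing node all raise rather
    than silently populating the inventory.
    """
    body = ET.fromstring(xml_text).find("s:SyncBody", NSMAP)
    if body is None:
        raise ValueError("reply has no SyncBody")
    status = {}
    for st in body.findall("s:Status", NSMAP):
        if st.findtext("s:MsgRef", namespaces=NSMAP) != str(msg_ref):
            continue  # acknowledgement of some other message
        key = (st.findtext("s:Cmd", namespaces=NSMAP),
               st.findtext("s:CmdRef", namespaces=NSMAP))
        status[key] = st.findtext("s:Data", namespaces=NSMAP)
    if status.get(("SyncHdr", "0")) != "200":
        raise ValueError("device did not accept the message header")
    code = status.get(("Get", str(cmd_id)))
    if code != "200":
        raise ValueError("Get failed with status %r" % code)
    values = {}
    for res in body.findall("s:Results", NSMAP):
        if res.findtext("s:CmdRef", namespaces=NSMAP) != str(cmd_id):
            continue
        for item in res.findall("s:Item", NSMAP):
            uri = item.findtext("s:Source/s:LocURI", namespaces=NSMAP)
            if uri not in requested:
                raise ValueError("result for node not requested: %r" % uri)
            values[uri] = item.findtext("s:Data", namespaces=NSMAP)
    missing = [u for u in requested if u not in values]
    if missing:
        raise ValueError("no result for %r" % missing)
    return values


def inventory_from_reply(xml_text, msg_ref=1, cmd_id=1, requested=DEVINFO_NODES):
    """The inventory dict for an acceptable reply, or None if it is rejected."""
    try:
        return parse_reply(xml_text, msg_ref, cmd_id, requested)
    except (ValueError, ET.ParseError):
        return None


# Constructed device replies to message 1 (not captures from a real handset).
def _status(cmd_id, cmd_ref, cmd, code):
    return ("<Status><CmdID>%d</CmdID><MsgRef>1</MsgRef><CmdRef>%d</CmdRef>"
            "<Cmd>%s</Cmd><Data>%d</Data></Status>" % (cmd_id, cmd_ref, cmd, code))


def _result(uri, data):
    return "<Item><Source><LocURI>%s</LocURI></Source><Data>%s</Data></Item>" % (uri, data)


GOOD_REPLY = (
    '<SyncML xmlns="%s"><SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>'
    "<SessionID>1</SessionID><MsgID>1</MsgID><Target><LocURI>%s</LocURI></Target>"
    "<Source><LocURI>%s</LocURI></Source></SyncHdr><SyncBody>" % (NS, SERVER_URI, DEVICE_ID)
    + _status(1, 0, "SyncHdr", 200) + _status(2, 1, "Get", 200)
    + "<Results><CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>1</CmdRef>"
    + _result("./DevInfo/DevId", DEVICE_ID) + _result("./DevInfo/Man", "ExampleVendor")
    + _result("./DevInfo/Mod", "Model-1") + _result("./DevInfo/DmV", "1.2")
    + "</Results><Final/></SyncBody></SyncML>"
)
# Get rejected by the device: Results must not be used even though present.
REJECTED_REPLY = GOOD_REPLY.replace(_status(2, 1, "Get", 200), _status(2, 1, "Get", 404))
# Extra node the server never asked for: treated as a malformed reply.
TAMPERED_REPLY = GOOD_REPLY.replace(
    _result("./DevInfo/DmV", "1.2"),
    _result("./DevInfo/DmV", "1.2") + _result("./Vendor/Unrequested", "x"))

if __name__ == "__main__":
    print(build_get(1, 1, DEVICE_ID, DEVINFO_NODES))
    print(inventory_from_reply(GOOD_REPLY))
```

The point a practitioner would take from this is the validation, not the XML plumbing: the handset’s reply arrives through the Gateway tunnel but is still untrusted input, so the server accepts values only for nodes it asked for, only after both the header and the Get command were acknowledged with status 200, and refuses the whole reply otherwise instead of partially updating its inventory.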