Neil Chapman's Blog

HTC Hermes customisation tool can turn on HSDPA

neil.chapman — Fri, 18 Aug 2006 08:46:00 GMT

A colleague of mine pointed this out to me this morning:

It's a tweaking interface to configure the HTC hermes (Orange SPV M3100, HTC TyTN, T-Mobile MDA Vario II). It can't change everything, but has some interesting features. Apparently, download without registration is not possible which is not great, and the site registration process is in german.

The most interesting features of this tweaker :

switching on HSDPA (that is by default switched off in some models of HTC Hermes, for example for Vodafone and O2)
showing GPS icon in settings
showing wireless plugin (that shows provider, Bluetooth and Wi-Fi status information)
disabling skin of the phone
removing wireless tray icon
disabling SMS sent notification
improving quality of stereo audio over Bluetooth (A2DP)

I'll grab it today and see if it can deliver on it's promises. Get it from here.

Neil

Quick review of the HTC MTeoR

neil.chapman — Mon, 14 Aug 2006 13:36:00 GMT

I recently obtained and started using the HTC's MTeoR, one of the first devices to be sold under the HTC brand.

As this had 3G, and was very slim, I thought this was the Windows Mobile smartphone I had been waiting for. In almost all respects it was. I think this is my favourite smartphone form factor so far. The buttons are easy to use, the screen clear, and I like the fact that it has a jog wheel on the side. (Although I would have preferred it on the right, not the left) The external audio speaker wasn't as good as the speaker on the I-mate SP5, but was usable, and the joystick was much better than any I'd used before.

Unfortunatley, a couple of things let it down. The battery life is poor. Even compared to other Windows Mobile 5 smartphones it doesn't hold up, I had to charge it twice daily, once in the morning, and once again at night to keep it from turning off. I tested another MTeoR device and had the same issues.

Having 3G on any small mobile device will lead to power being an issue, but even so, it was worse that I expected. I turned off up to date server activesync and bluetooth, but this didn't seem to help much.

Also, why did they remove the video calling? If you pay the extra cost of 3G device, surely you'd want all the bells and whistles? Something else I would of liked to see is an audiojack. I guess HTC believe that we'll all be using bluetooth if we want to charge the device while talking on it in the car or listening to music.

A colleague of mine disabled 3G on his SIM card, and this seemed to improve his battery life while the device only used GPRS.

In short, this would be my device of choice if the power could last a bit longer.

Neil

Wireless 802.1x authentication on Windows Mobile 5 (Part 2)

neil.chapman — Fri, 11 Aug 2006 15:14:00 GMT

I now have some more information about using 802.1x WiFi with WM5. Keep in mind I haven't looked at third party 802.1x clients at this stage, just the WM5 default client.

I posted in my last blog that I couldn't understand why a username/domain prompt appeared on the device when trying to authenticate to Radius using EAP-TLS. For example, when using an XP machine with EAP-TLS, I just have to provide the personal certificate, and don't have to input anything.

Ok, so why do I get the username / domain prompt with WM 5 EAP-TLS? The answer is this:

The WM5 device 802.1x client does not associate a certificate to a SSID connection until connecting for the first time.
This means that even though you select a certificate in the client EAP-TLS setup before connecting, the client still doesn't use this certificate for authentication.
The username/domain prompt is the mechanism for creating this association.
If you have multiple personal certificates on your device, this is when the right cert is used for the right SSID for 802.1x authentication.

The reg key that is set when this association is created is:

HKCU\Comm\EAPOL\Config\<SSID>\Identity (REG_SZ) - <Domain\Username>

My initial thoughts on all this are that I understand why the WM5 client does the check, but is this really needed if you have only one personal certificate? What else is it going to pick?

Once again, if you have successfully rolled out EAP-TLS at all using any 802.1x client on WM5, I'd like to hear from you.

Cheers,

Neil

Wireless 802.1x authentication on Windows Mobile 5

neil.chapman — Thu, 10 Aug 2006 12:44:00 GMT

I'd like to pass on some of the experience I've had with Windows Mobile 5 and getting it running on 802.1x Wi-Fi authentication standards in the enterprise, particularly using EAP-TLS.

An example situation for an enterprise is this:

There is an existing Wireless infrastructure with several hundred access points.
A Windows PKI infrastructure is already in place.
The certificate Authority does not use standard templates.
XP Notebooks are already running on WPA, EAP-TLS for authentication to the Wireless network.
They enrol the certificates through Windows group policy.
Microsoft's IAS is used for the Radius authentication, and is connected to the AD with the user accounts.

The challenge is this:

Deploy several thousand Windows Mobile 5 devices
Get them using WPA, EAP-TLS authentication with personal certificates to meet security policy.
Make the whole process easy to use for a non-technical end user.

So, I do some digging around to see what other companies have done for large scale Windows Mobile device Wi-Fi authentication, and all I can find is WEP keys and WPA - PSK. This avenue wasn't giving me much guidance, so I concentrated on testing the limits of what Windows Mobile 5 could do.

The main issues I came across:

1. Getting a personal certificate onto the device.

Firstly, let be clear about two things, Firstly, WM5 devices do not support Machine certificates. I know they have a hidden cert store that looks like it might be able to, or it looks like we may be able to attach a machine ID to the personal cert and use this in auth....but don't bother, it won't work. Secondly, using the WM 5 devices' web browser to enrol a personal certificate on the CA will also not work. The browser just can't support the ActiveX controls required.

A lot of WM5 devices come with enrollers for personal certificates, but most don't seem to cope with custom certificate templates. (DELL wrote one that did thou) So, the only way around this is to go back to the manufacture and ask, or write your own. I opted for writing my own, as the code is available on Microsoft's website. As the enroller also requires a network connection to the CA to get the cert, we had a choice. We could A) Connect it to a pc that can get to the CA through Activesync C) Authenticate the device using WEP or WPA-PSK to a "provisioning" Wi-Fi VLAN that has access to a CA. B) Forget the enroller, copy the cert over manually from a PC or smart card and use a third party utility to install the cert. Your choice should depend on how you're going to deploy the devices. Some management software can also put the cert on the device for you, but once again requires network connectivity.

2. Getting a userid / domain request when EAP-TLS authenticates to IAS.

When I use EAP-TLS on an XP laptop, the wireless access point passes the request back to the IAS radius server, and uses the username and issuer fields on the certificate to authenticate the connection. The laptop uses doesn't have to do anything.

On the windows mobile 5 device, the wireless access point passes the request back to the IAS radius server, and then I get a request on the device to enter the username and domain. I enter in these credentials, and away I go. I still don't understand why I have to enter these details when an XP certificate authenticates without interaction using EAP-TLS. This might have been OK, until I roamed to another AP. I get asked for authentication again!!?!! I cannot understand or explain this behaviour, and couldn't fix it. It may be related to the brand of AP, some IAS tweak, but it's not something I could find in the time I had. PEAP-MSCHAPv2 also behaved identically.

What does all this mean? From my perspective, EAP-TLS is very hard work, with very little information out there for support on WM5 devices. You could always try PEAP-MSCHAPv2, but I still got the authentication box pop up when I roamed.

If you've managed to deploy EAP-TLS successfully, please let me know by contacting me through this blog.

Neil

WiMAX - When will I see it, and what will it do for me?

neil.chapman — Wed, 05 Jul 2006 14:04:00 GMT

I've been keeping an eye on WiMAX (IEEE 802.16) and the impact it will have. After reading several articles like "WiMAX in the UK. Here's why it won't fly." on the register, I tried to find out more about the technologies' future while attending the European Mobility Summit in London.

A chap called Tom Foale from Urban WiMAX was a dicussion panel speaker. Urban WiMAX will be the first to offer WiMAX business servics in the UK from November.

Tom gave an honest if bleak picture, citing the many issues his company has had in the UK implementing the technology. This ranged from limited licensed frequency available, to decent WiMAX infrastructure hardware not being produced in a timely fashion. In short, there appeared to be some fairly major quality issues that will take a while to resolve.

In the UK, we will see Fixed WiMAX (802.16d) first, but won't see Mobile WiMAX (802.16e) working for some time. Based on what I heard at the Mobility summit, mobile WiMAX on laptops won't appear until late 2008, and mobile WiMAX capable devices like smarthones and pocket pcs' possibly won't be around until 2010.

Mobile WiMAX gives all the regular benifits of high speed broadband, but has the potential to be much more. For the enterprise, one main issue with running VOIP applications on mobile devices has been ensuring QoS when relying on ad-hoc public domain connectivity to the internet. Due to the large geographical range, SLA's around eventual QoS and speed, external and internal VOIP telephony solutions and the cost savings they bring may finally be possible for enterprise business in city locations. This will probably not be a serious offering until 2008/9 however, and trying to compete for business against the traditional network operators won't be easy, especially when they are still trying to claw back revenue from their 3G implementations.

In summary, WiMAX Mobile, which has the true benifits of WiMAX opposed to WiMAX Fixed, is still a while off, but has potential. However, I can see the technology taking a long time to be a viable option for many in the enterprise, and the next "big" communication network technology is always just around the corner.

Neil

For more info on WiMAX and any definitions of the above, go here.

Activesync 4.1 - Activesync will not connect to the device on a USB connection

neil.chapman — Wed, 15 Mar 2006 17:16:00 GMT

There is an issue with Activesync 4.1 and Windows XP I've seen a couple of time now, and I'd like to pass on a workaround.

The Issue: Activesync doesn't connect to your Windows Mobile device when you plug it in using a USB cable to your PC. You've checked the settings in activesync, they allow a USB connection, and the device is also set up to allow connection to a PC.

If you look under network connections on your PC, a virtual network connection for the mobile device is created when you connect it with the USB cable. Activesync however, doesn't connect to your device.

The Microsoft Mobile site then points out that you may have an issue with the Firewall on your pc. You test this by turning off the firewall for a moment, but you still can't connect with Activesync.

To resolve: Connect your device, then open network connections on your pc. Find the network connection created when you connected your device with the USB cable. It will be listed under the "LAN or high speed Internet" heading. It will be called "Local Area Connection x" (the x will be replaced by a number), and will usually be the last connection listed.

Right click on this, and select properties. You should see in the Connect using area "Windows Mobile-based Device" In the box below this titled "This connection uses the following items", you will need to place a tick in all the boxes listed. This will re-bind the network protocols to your connection. Click OK to close the property window.

From this point on, Activesync will kick into life when you connect your device, and you should only have to do this workaround once.

Note: the problem will sometimes re-occur if you connect another device, or hard-reset your current one. I have noticed that the issue most likely occurs if you are running VPN software other than than the windows VPN on your pc.

A better way to view Activesync logs.

neil.chapman — Thu, 16 Feb 2006 10:56:00 GMT

I just tried the SQL script for getting a useful view of the activesync logs from here:

http://blogs.technet.com/exchange/archive/2006/02/14/419562.aspx

It works well, I used the log parser command to output as CSV:

LogParser.exe -i:IISW3C -o:CSV file:c:\drv\sql\HitsByUser.sql

I recommend you try this tool, certainly gives a better picture of Activesync usage.

Exchange Activesync Web Admin tool issue

neil.chapman — Mon, 13 Feb 2006 11:58:00 GMT

Update 19/02/06 - The tool that can be downloaded from here has resolved the domain traversal issue. The install bug with the default web IP needing to be reset to "all unassigned" remains.

------------------------------------------------------------------------------------

The Exchange Server ActiveSync Web Administration Tool was released on the 7/12/05, to enable remote wipe of AKU2.0 (windows mobile 5 devices with the MSFP) phones and Pocket Pc's.

If you read the release notes on the download page, you will see the statement:

"To function properly, the tool must be used in conjunction with Exchange Server 2003 Service Pack 2 and compatible mobile devices.
The current release of the Exchange ActiveSync Web Administration Tool must be installed in the same domain as the user accounts being managed."

To further explain this, if you are an enterprise who puts mailboxes into a resource domain, and accounts in another resource domain, the tool cannot resolve the user accounts. The tool will only install on an exchange server, and placement of the tool in user accounts domain will still not solve the problem.

The tool itself is a quick and easy install, which creates a virtual directory in IIS called MobileAdmin. An additional bug sometimes occurs if your default web site is set to use a specific IP address rather than "all unassigned". It will create an additional "default web site" instance. To remedy this, set the IP address of the default web site to "all unassigned", then change back when finished the install.

An updated version of the Mobile admin tool (06.05.7775) was released on the 2/01/06, which also has the same issues.

Microsoft has a fix, but you will need to contact them to get it for the moment.

The Microsoft Mobile Device management Gap

neil.chapman — Tue, 07 Feb 2006 16:34:00 GMT

Towards the end of Feb the AKU 2.0/2.2 release of Windows Mobile will be available, which will include the MSFP (Messaging and Security Feature Pack). This gives some management functionality for Windows devices though Exchange 2003 SP2, but only the most important basics. The next version of Microsoft Systems Management Server (SMS) was to add further management features for Windows mobile devices. But there hasn't been much movement on this in some time.

This leaves me in a position wondering exactly how Microsoft is going forward with their Mobile Device management strategy.

The contenders:

1. The next version of SMS. (or a plug in for SMS 2003)

2. Exchange 12 Mobile Policy features are extended.

3. A new server product altogether.

My guess is that we will see a lot more emphasis on mobile management in Exchange 12, but we won't see the SMS offering for some time. This will still leave a gap for a full management solution for Windows devices. Third party vendors will fill this space for a while yet.

The main problem this leaves is the increase of the TCO of using Windows Mobile devices, as a full in-house management solution will still involve third party software and implementation costs, not to mention increasing the complexity of the project. Device and management bundles are around from the big telecom vendors, but are still sadly lacking in the Windows Mobile device area, especially for Windows Mobile 5.

Having seen Exchange SP2 in action, I think a main technical challenge across all three is how to integrate the Mobile device management interface into Domain Group Policy/ Active Directory/Existing Desktop Management system. This challenge is not just with Microsoft, but all mobile device management vendors. To achieve this first would be a huge differentiator.

Watch this space....

Exchange SP2 and feature pack issue with ISA 2000.

neil.chapman — Thu, 01 Dec 2005 14:00:00 GMT

Thinking about implementing Exchange SP2 with the new AKU 2.0 feature pack windows mobile 5 devices?

If you use ISA 2000 to reverse proxy your Activesync requests, I've come across an issue where the Exchange server cannot apply the new policies to a WM5 MSFP device.

In short, ISA 2000 has a bug in the way it deals with the OPTIONS verb, which is important for setting the SP2 management polices on the device when it connects.

To fix this, you need to do this:

http://support.microsoft.com/Default.aspx?ID=304340

Neil

Certificate Authentication and Windows Mobile 5

neil.chapman — Tue, 08 Nov 2005 10:49:00 GMT

I applauded the move for Windows mobile 5 now supporting certificate authentication for Activesync. I thought I'd share a couple of points about this that I get regularly asked.

You can use either the certificate OR login name, not both on a configured device. The certificate replaces the login name and password.
The only way to obtain the certificate currently is to cradle the device to a pc attached to the network that holds the local certificate authority.
The cert enrollment tool for getting a personal cert that comes on most WM5 PPC edition is basic, and can only get a cert if you use the default templates on your cert authority. You need to do some coding otherwise, and most WM5 smartphones (depends on vendor) will need an app done as well.
This personal cert for Activesync authentication has nothing to do with the SSL Activesync connection. As a result, the authentication of the certificate for Activesync is not completed until the traffic hits the front end exchange server. SSL bridging/termination does not affect this. (Having said this, I'm testing this in 2 weeks cause I haven't seen it running yet)
This feature, as well as policy enforcement through the feature pack for exchange, is not available until the device ROM AKU 2.0 is available in mid November. Your current WM 5.0 can't utilise any of these features on AKU 1.1. (Most AKU 1.1 devices have an upgrade path through the vendor)

These are some of the basics, if you need any more info, post a comment and I'll get back to you.

Neil

Dataviz has released Roadsync - More devices now support Exchange 2003 Activesync

neil.chapman — Tue, 19 Jul 2005 10:24:00 GMT

Keeping an eye on the exchange team blog, Max Ciccotosto pointed out that Dataviz has released Roadsync. This means java, palm and Symbian based devices now can sync directly to Exchange Server Activesync infrastructure. The list of fully supported devices on the Dataviz site are here.

Dataviz state that they will update their product to work with Exchange SP2, but I assume this will not include support for security policy enforcement provided by the feature pack.

Neil

Windows Mobile 5.0 Device Management options with Exchange SP2 and Feature Pack.

neil.chapman — Wed, 08 Jun 2005 21:13:00 GMT

With the release if exchange SP2 and the feature pack, I had a look at what WM 5.0 device management options are available, how they are set, and how they are applied to devices. The management options need to be set on an Exch2003 SP2 + Feature pack server.

The new options are:

Through the ESM(Exchange server management)\ Global Settings\Mobile Services\:

Enable PIN on device
Require both numbers and letters
Inactivity Time
Wipe device after failed (attempts)
Refresh settings on device (hours)
Allow access to devices that do not support PIN settings
Exceptions list (add AD user Id’s)

Through Web browser:

Force Device Wipe

All the options through the ESM are set within global policy per Exchange organization, and exclusions can only be made on a user basis. An exclusion means no policy to be applied at all, as one org can’t support different policies. These policies are not linked to AD group policies in any way.

The idea of performing the device wipe through a web interface means the task doesn’t require a member of the helpdesk to use the ESM. The device wipe is quick, (worked in about 10 secs flat), and effectively performs a hard reset. It does not wipe the SD card.

The ability to keep sending down the policy on a schedule is a good idea, although I don’t know yet how much a user can tamper with the policy configured settings

The policies are applied the first time a WM 5.0 device connects to the Exchange environment through Activesync. Activesync notifies the user that a policy will be installed to continue, and is offered an OK or cancel button. Cancellation at this point results in the Activesync connection being terminated. If the user clicks OK, the enter password screen appears, and the user can’t continue until a password meeting the complexity requirements has been entered.

In summary, the new management policies cover the most valuable functions, PIN enforce and Wipe Device. Device provisioning, inventory, patch updating, software control and recovery are not covered at all. I think for a lot of businesses the core security functions that Exchange will offer will be enough for them to use it, without spending on third party management solutions.

Neil Chapman

Exchange SP2/Feature Pack – Push E-mail Revealed

neil.chapman — Wed, 08 Jun 2005 18:09:00 GMT

Been getting to the bottom of how the service pack 2 and the feature pack for Exchange 2003 will work with Windows Mobile 5.0 devices, particularly the way the new “push” e-mail works.

Firstly, let me state my understanding of what true “push” e-mail is.

User experience: As an e-mail is delivered to the user’s Exchange mailbox residing on a server, a server side trigger sends the e-mail directly to the user’s remote device. For the user, mail comes in to their device in real-time, not in scheduled chunks.
Security: The E-mail is pushed to a trusted device from a server residing in the perimeter network. The device does not initiate this connection. This means no external firewall port for incoming device connections is required. This is the security model that has contributed to blackberrys’ success.

Ok, so what push functionality does WM 5.0 and Exchange SP2 have? As per my definitions above, it only delivers the user experience.

The short of it is, everything is still “pull”. That is, the device initiates almost everything. The new addition is that notifications to the device to begin a pull are now IP based, rather than the messy and expensive SMS approach.

How it works:

The WM 5.0 device registers to a GPRS data network.
Activesync (if configured) on the device then connects to the exchange server.
This connection state is maintained, controlled by the session disconnect interval on your firewall. If the device loses connection, or the firewall drops it, it will re-connect again.
The WM 5.0 device lets the exchange server know it’s network IP. It will update the server if this changes.
The Front End Exchange server, monitoring the back end mailboxes for changes, fires off a notification to this IP if a new e-mail comes in.
The device receives the notification, and then begins an E-mail pull.

All data traffic between device and server is XML through HTTPS (with SSL). GZIP is used to compress the data to keep data usage to a minimum.

What does this mean? On the good side, a better user experience, less data sent and recieved overall through GZIP. I also noticed the first initial sync is a lot faster. The new WM 5.0 interface looks great too, and with viewing for powerpoint, word and excel files built in, it is more useful out of the box for attachments. (Although smartphone viewing an attachment isn't so hot) Apparently better battery life…according to the Microsoft chaps, although I’m still not sure how true this is.

On the down side, the pull still means that you can’t compare WM5.0 and Exchange SP2 apples for apples with blackberry, as the Blackberry still has a better security model. This is the biggest issue for me when trying to put mobile devices into the enterprise, far more a hurdle than up to date e-mail was.

Neil Chapman

Nokia entering the corporate E-mail market.

neil.chapman — Wed, 16 Feb 2005 11:49:00 GMT

I saw that Nokia has made a move to incorporate Microsoft ActiveSync client into future Nokia phones.

If a business has Exchange 2003 installed, most of them are thinking about leveraging the in-built mobility through ActiveSync or OMA. For a lot of small companies with fewer concerns around security, this is often a matter of putting a Front-end server in, then opening a hole in the firewall. Devices are often either personal, or bought on an ad-hoc basis where-ever they're cheapest. The Nokia platform having ActiveSync will be another good device option for E-mail.

However, larger customers with enterprise requirements have had a few issues in the past, which will still need to be addressed before devices running ActiveSync can fulfil the promise of being a serious contender in the corporate space where blackberrys' abound.

All ActiveSync traffic is "pull" initiated, that is, the active sync client kicks off sync, and then contacts the e-mail server through an external hole on the business firewall. Even the proposal of IP based notifications in service pack 2 for exchange 2003 just notifies the device to begin a pull. The device can authenticate using basic (which is easily countered using SSL), but cannot present any other level of authentication such as certificates. The built-in VPN client can be used, but many do not use ISA Server as a corporate VPN termination point. IPSec is often the corporate standard for VPN's ruling out PPTP to other vendor VPN concentrators.

Currently no software vendor offers VPN for Microsoft Smartphone, although I did see Certicomm's Movian client have a go at it with the Sierra VOQ. Don't know what happened to that one.

This raises security concerns for many, especially when two-factor authentication is the norm for getting access to internal services from the net.

To mitigate this, a business can currently purchase private GPRS/3G infrastructure, or use a third party "push" solution (i.e. Blackberry).

I see that some Nokia devices already have a Firewall client on them, which I assume gives the option to terminate into Nokia hardware. How this will integrate with use of ActiveSync will be interesting to see, but if it works, it will be a serious alternative to Microsoft based devices for E-mail.

Blackberrys' strength to business is a clear cut cost model for TCO's. From meetings I've had with telecomm vendors, the cost models of Microsoft smartphones aren't clear from the outset. ROI's for any device are always a bit of a stab in the air.

Based on the recent decisions Nokia are making, I think they are very keen to have their slice of the business pie.

Nokia and Microsoft both will need to encourage data and voice suppliers for the enterprise business to develop a blackberry-esque model for TCO comparison if they want to get more footing in this market.

Neil