OMA DM Overview
This topic describes Open Mobile Alliance (OMA) Device Management (DM) with respect to its implementation in Windows Mobile.
For OMA DM to function properly and without interruption, OMA DM uses IP security (IPsec) virtual private network (VPN) technology that is based on Internet Key Exchange (IKE) version 2, Mobile IKE, and IPsec tunnel mode (TM).
To enable basic OMA DM operations, a mobile operator must make sure that the following ports and protocols are not blocked by the mobile operator's firewall:
User Datagram Protocol (UDP) ports 500, 4500, and 8901, which are used for setting up the device and controlling traffic to and from the device.
Encapsulating Security Payload (ESP) IP protocol or UDP port 4500, which are used for IPsec tunnel traffic. Which of these a mobile operator should unblock depends on whether the company is using a network address translation (NAT) router between the phone and the OMA DM server. ESP tunneling is used either when the phone is assigned a public IP address or when the phone is operating with a private access point name (APN) that directly connects the device to a company network without a NAT router between them. UDP port 4500 (UDP encapsulation) is used in all other cases.
The IPsec standard supports both ESP and UDP encapsulation. ESP encapsulation is the more efficient of the two, and there are usually fewer timeouts with it. Selecting ESP or UDP is done automatically during IKE version 2 and is based on whether there is a NAT router between the Windows Mobile device and the OMA DM server.
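The port and protocol requirements above, turned into a policy check that an operator or enterprise network team can run against a rule set before a deployment. This is an added example and not code from Microsoft or Windows Mobile: the required-flow table comes from the paragraphs above, while the rule model, the first-match-with-implicit-deny semantics, and the two sample policies are constructed for the illustration.

```python
"""Audit a firewall policy for the flows an OMA DM IPsec/IKEv2 tunnel needs.

Added example, not Microsoft code. The required-flow table follows the page:
UDP 500, 4500 and 8901 for device setup and control, plus either the ESP
IP protocol (no NAT between phone and OMA DM server) or UDP 4500 (NAT
present) for the tunnel traffic itself. The rule model, first-match
semantics and the sample policies are constructed for this example.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    protocol: str        # "udp", "tcp", "esp" or "any"
    port: Optional[int]  # destination port for udp/tcp; None = any / not applicable


Flow = Tuple[str, Optional[int], str]  # (protocol, port, purpose)


def required_flows(nat_present: bool) -> List[Flow]:
    """Flows that must reach the OMA DM server, per the page."""
    flows: List[Flow] = [
        ("udp", 500, "IKEv2 negotiation"),
        ("udp", 4500, "IKEv2 NAT traversal / Mobile IKE"),
        ("udp", 8901, "OMA DM device setup and control"),
    ]
    if nat_present:
        flows.append(("udp", 4500, "UDP-encapsulated IPsec tunnel traffic"))
    else:
        flows.append(("esp", None, "ESP IPsec tunnel traffic"))
    return flows


def decide(rules: List[Rule], protocol: str, port: Optional[int]) -> str:
    """First-match evaluation with an implicit final deny (constructed semantics)."""
    for rule in rules:
        if rule.protocol not in ("any", protocol):
            continue
        if rule.port is not None and rule.port != port:
            continue
        return rule.action
    return "deny"


def blocked_flows(rules: List[Rule], nat_present: bool) -> List[Flow]:
    """Required flows that the policy does not allow; empty means OMA DM can work."""
    return [f for f in required_flows(nat_present) if decide(rules, f[0], f[1]) != "allow"]


# Constructed sample policy: an operator that opened only the two IKE ports.
IKE_ONLY_POLICY = [
    Rule("allow", "udp", 500),
    Rule("allow", "udp", 4500),
    Rule("deny", "any", None),
]

# Constructed policy covering every case on the page, with or without NAT.
FULL_POLICY = [
    Rule("allow", "udp", 500),
    Rule("allow", "udp", 4500),
    Rule("allow", "udp", 8901),
    Rule("allow", "esp", None),
    Rule("deny", "any", None),
]

if __name__ == "__main__":
    for name, policy in (("IKE-only", IKE_ONLY_POLICY), ("full", FULL_POLICY)):
        for nat in (True, False):
            missing = blocked_flows(policy, nat)
            detail = ", ".join(f"{p}{'/' + str(port) if port else ''} ({why})"
                               for p, port, why in missing)
            print(f"{name} policy, NAT={'yes' if nat else 'no'}: "
                  + ("OK" if not missing else "blocked " + detail))
```

Run the file to see both policies evaluated for the NAT and no-NAT cases; the IKE-only policy lets the tunnel negotiate but blocks UDP 8901 (and ESP when no NAT is present), which is the kind of partial opening that shows up as devices that authenticate yet never complete enrolment.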
The OMA DM VPN tunnel is kept alive at all times through periodic keepalive messages. Keepalive messages are sent to prevent network timeouts such as Packet Data Protocol context timeouts and NAT router and firewall timeouts. OMA DM uses a dynamic detection algorithm to compute the optimum keepalive period for the current network; it then adjusts its keepalive frequency to fit the observed mobile operator network conditions.
On a non-optimized mobile operator network, OMA DM may have to send frequent keepalive messages. This can proportionally increase battery drain, negatively affect the user experience, and unnecessarily increase the amount of overhead traffic that is sent over the network. To help reduce these negative effects, increase the NAT timeout on the UDP port 4500 by 30 to 45 minutes and increase the ESP protocol timeout by 4 to 8 hours. For most mobile operator default configurations, the ESP protocol has an 8-hour timeout.
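An added illustration of the keepalive trade-off described in the two paragraphs above, not Microsoft's code. The page says the device measures the network and adapts its keepalive period but does not describe the algorithm, so the probe-and-bisect strategy here (double the idle gap until the NAT mapping is lost, then bisect and keep a safety margin) is an assumption, as are the `NatRouter` model and its timeout values. The second constructed case, a NAT timeout raised by 45 minutes, shows why the suggested operator-side change reduces keepalive traffic and the battery drain that goes with it.

```python
"""Discover a NAT-safe keepalive period and quantify the resulting overhead.

Added example, not Microsoft code. Windows Mobile's actual detection
algorithm is not described on the page; the probe-and-bisect strategy and
the NatRouter model below are assumptions used to illustrate the idea.
"""


class NatRouter:
    """Constructed model of a NAT: a UDP 4500 mapping survives only while the
    idle gap between packets on it stays below timeout_s."""

    def __init__(self, timeout_s: int) -> None:
        self.timeout_s = timeout_s
        self.probes = 0  # how many idle-gap probes the device had to send

    def mapping_survives(self, idle_gap_s: int) -> bool:
        # A real device would learn this by staying idle for idle_gap_s and
        # checking whether the server's reply still arrives; modelled directly here.
        self.probes += 1
        return idle_gap_s < self.timeout_s


def discover_keepalive_period(nat: NatRouter, start_s: int = 30,
                              ceiling_s: int = 8 * 3600, margin: float = 0.75) -> int:
    """Return a keepalive period in seconds that keeps the NAT mapping alive.

    Phase 1 doubles the idle gap until the mapping is lost (or the ceiling is
    reached); phase 2 bisects between the last surviving and the first failing
    gap. The result is `margin` of the longest surviving gap, so jitter on the
    operator network does not push a keepalive past the timeout.
    """
    low, high = 0, None  # longest surviving gap / shortest failing gap
    gap = start_s
    while high is None and gap <= ceiling_s:
        if nat.mapping_survives(gap):
            low, gap = gap, gap * 2
        else:
            high = gap
    if high is None:  # mapping never dropped up to the ceiling
        return int(ceiling_s * margin)
    while high - low > 1:
        mid = (low + high) // 2
        if nat.mapping_survives(mid):
            low = mid
        else:
            high = mid
    return max(1, int(low * margin))


def keepalives_per_day(period_s: int) -> int:
    """Keepalive messages the phone sends per day at the given period."""
    return 86400 // period_s


if __name__ == "__main__":
    # Constructed operator settings: a 5-minute UDP 4500 NAT timeout, and the
    # same NAT after raising that timeout by the 45 minutes suggested above.
    for label, timeout in (("default 5 min", 5 * 60), ("raised by 45 min", 50 * 60)):
        nat = NatRouter(timeout)
        period = discover_keepalive_period(nat)
        print(f"{label}: keepalive every {period}s, {keepalives_per_day(period)} "
              f"messages/day, found with {nat.probes} probes")
```

With the constructed 5-minute timeout the phone ends up sending a keepalive roughly every 224 seconds, about 385 messages a day; after the timeout is raised by 45 minutes the period grows to about 2249 seconds and the daily count drops to 38, which is the proportional reduction in overhead traffic and radio wake-ups the paragraph above is asking for.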
OMA DM VPNs do not allow split tunneling because it might allow backdoor access to a corporate network from the Internet. Also, by not using split tunneling, all traffic bound to the Internet is passed through the VPN to the corporate network and from there rerouted to the Internet. This allows inspection and auditing of phone activity by the corporation.
The VPN gateway is an integral component of OMA DM and is required to achieve a high level of security. However, activating it is optional because the needs of the deploying company may not require it. An example is when employees use Wi-Fi devices at factory facilities, which does not require a VPN. However, a mobile operator might need a VPN gateway for customers who already have private, secure APNs that lead directly from the phone and the Gateway GPRS Support Node (GGSN) to the company intranet.
The OMA DM VPN does not make exceptions for multimedia messaging service (MMS) or IP Multimedia Subsystem (IMS) services that are not on the Internet. All traffic is routed through the VPN. However, users can access the Internet and MMS/IMS services directly if the OMA DM VPN is temporarily disabled by the user, or if the OMA DM VPN is not deployed by the company.
OMA DM is a trusted manager of Windows Mobile devices and can control any functionality that you configure by using configuration service providers (CSPs) or the registry. OMA DM controls device policy by following Active Directory Group Policy (ADGP). It can also distribute software (RAM applications, but not firmware upgrades) based on Microsoft's Windows Server Update Services (WSUS) functionality.
OMA DM does not automatically disable other parallel management systems that are used by mobile operators, and it can operate alongside another device management system. A mobile operator can decide to make OMA DM the exclusive device manager, but this is not the default.