Video Screencast Help
Protect Your POS Environment Against Retail Data Breaches. Learn More.

About Windows Mobile in Symantec Mobile Security 7.2

Created: 28 May 2013 • Updated: 29 May 2013 | 11 comments
Language Translations
Mick2009's picture
+9 9 Votes
Login to vote

The Story So Far...

This is the third in an informal series of illustrated articles about how admins (and end users) can best protect their mobile endpoints using Symantec Mobile Security 7.2. (This is a cool Enterprise product aimed at corporate networks, rather than a company that just has a few Androids or Windows Mobile devices that need protecting.) The two earlier articles:

  1. Illustrated Guide to Installing Symantec Mobile Security 7.2: how is the management server (Symantec Management Platform) of SMS 7.2 installed, and what does its interface look like? 
  2. Getting to Know the Symantec Mobile Security 7.2 Client: what does SMS 7.2 look like on an Android phone or tablet?  How to view its activities, launch an update, know when it is trying to alert you to danger.... 

This article will cover how SMS 7.2 protects Windows Mobile devices (phones, PDA's, various Point-Of-Sale equipment) and how to administer them from the server console.

 

Windows What?

Though it may have a small market share of today's cell phone market, Microsoft has been in the mobile game since the beginning.  They have offered Pocket PC, Windows CE (Compact Edition) and many other cool products for PDA's and cell phones that have evolved over the years.  Symantec Mobile Security 7.2 (like the older Symantec Endpoint Protection Mobile Edition 6) can work with the older WM versions that are built on Windows CE.  That is, Windows Mobile 5, 6.0, 6.1 and 6.5.

Operating Systems Support for Symantec Mobile Security Products
Article URL http://www.symantec.com/docs/TECH102048

The newer Windows Phone 7 and Windows Phone 8 are built from a completely different code base- they are somewhat similar in name, but that is about it.  The SMS 7.2 client software will not install on them. 

Here’s Symantec's public KBs on the subject:

Symantec AntiVirus Product for Windows Phone 7 Platform
Article URL http://www.symantec.com/docs/TECH145141

Those who would be interested in an Enterprise product for this platform can cast a vote for the following Connect Forum Idea (enhancement request): Symantec Endpoint Protection Mobile Edition for Windows Phone 7

 

Windows Why?

Though viruses and exploits against WM are not as popular these days as threats written for Android, there are still plenty of ways to attack Windows Mobile (and POS devices that use it!).  See the article How to Secure Your Mobile Point of Sale Devices and remember: embedded devices, PDA's and mobiles are powerful enough to do a lot of damage, and often serve as an unprotected "back door" into networks that focus all their defenses on traditional servers and desktops.  Ensure they are protected!

scan_wm.jpg

 

What does SMS 7.2 Do on Windows Mobile?

The SMS 7.2 client is different on Windows Mobile than it is on Android.  On Android, there's malware protection, web protection, anti-theft features and so on.  On Windows Mobile, there are three main components:

  1. AntiVirus: scans for malware.  SMS 7.2 on WM features Auto-Protect technology, scheduled scans, and manual scans. 
  2. Firewall: blocks unwanted network connections
  3. Mobile Security Agent: keeps the client in touch with its server.

wm_three.jpg

 

There are some other features, too (like AntiSpam for text messages and a File Access Log).  Full details on the protection and features can be found in Section 3, Securing Windows Mobile devices, of the Symantec Mobile Security 7.2 MR1 Implementation Guide

 

Installing SMS 7.2 on Windows Mobile

Installation on the Windows Mobile device is pretty straightforward.  There's a .cab file  ("Symantec Mobile Security 7.2 Windows Mobile 6.0/6.1/6.5 Agent (.zip)") which needs to be copied to the device.  This can be downloaded from the device's browser, emailed to the device, copied manually or sent over by the customer's Mobile Device Manager software, if they have a MDM managing the devices. Once it is on the device, a simple click will start the install process...

reboot_wm.jpg

Note that there will be a reboot needed in order for the firewall to work correctly. 

One cool trick is that the SMS client software can be installed on Windows Mobile silently (that is, without showing the end user screens like the one pictured above.  Details can be found in the following article:

How to Install and Uninstall Symantec Mobile Security 7.2 Silently on a Windows Mobile device
Article URL http://www.symantec.com/docs/TECH206648 
 

 

One Common Issue

When the SMS 7.2 client is installed on the Windows Mobile device, it is initially "unmanaged."  In order to know which server to connect to and receive policies from, there is a file called AgentInstallConfig.xml which must be exported from the SMP and dropped into the device's \My Documents\ directory.  (Once it is copied there, it will be immediately processed by SMS 7.2 and will disappear.)

The AgentInstallConfig file is exported from the Mobile Security Agent Policy page of the SMP.

create_agent_installation_file.png

In case there are any failures to register and communicate, ensure that Windows Mobile's wifi is switched on and then check out the advice in the following article.

Error Messages Displayed When Attempting to Deploy the Initial Configuration Files to Windows Mobile Devices Running Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH96607 
 

After that, there should be a "Healthy Connection" to the server.  The client will download and apply new policies, upload logs and inventory, and appear in the server's management console.

healthy_connection.jpg

 

Windows Mobile: Doing Things a Little Differently.... 

Two quick differences to be aware of:

  1. When Mobile Security clients for Android enroll to the SMP, they generally require an approved user account (membership of a particular Active Directory group, etc).  There's no similar restriction for Windows Mobile clients.  No special user accounts need to be configured.
  2. Androids communicate to the SMP through a Mobile Security Gateway (MSG): either the one that is automatically installed on the SMP, or perhaps another MSG deployed in the DMZ.  Windows Mobiles don't use a MSG.  They communciate directly to the SMP- so do be sure that the Windows Mobiles use an IP or FQDN that ensures SMP connectivity! 

  

OK, Windows Mobile: Here's What to Do....

The policies which configure Windows Mobile devices are not as prominently featured as the policies for Androids.  In the Symantec Management Console, go to Manage > Policies > Mobile Security > Windows  and chose the policy desired.

Here are illustrated instructions on how to direct the Windows Mobile device to look for new LiveUpdate definitions from an internal server, rather than the Internet LU source servers:

Updating Windows Mobile Devices from an Internal LiveUpdate Administrator 2.x Server
Article URL http://www.symantec.com/docs/TECH159934

In case any difficulty is encountered getting those policies applied to the Windows Mobile devices, the following article provides some important tips....

Applying Policies Configured for Windows Mobile Devices in Symantec Mobile Security 7.2
Article URL http://www.symantec.com/docs/TECH201752 
 

 

Life of Pie

Want to know how those Windows Mobiles are doing? The Windows Mobile reports on the SMP can be found under Resports> Mobile Security> Windows.

Here's an example Infected Status Summary Report for Windows Mobile Devices:

wm_infected_summary.png

 

Here is the LiveUpdate Status Summary Report:

lu_status_summary.png

Not all of the reports are pie charts.  Here's an example Security Infections & Breaches Report:

wm_security_events.png

There's a similar Threat Details report under All Mobile Devices- one of the few reports where data from Androids and Windows Mobiles is listed side-by-side.

both_security_events.png

 

If all you are looking for is a list of the managed Windows Mobile devices, click on Device Information.  Right-clicking on the entries will all you to take a closer look with Resource Manager.  It's possible to View Inventory and View Events from that page, getting detailed information on the activities of that device.

listed_wm_devices.png

 

 

In Conclusion.... 

Many thanks for reading!

Please do leave comments below to provide feedback on how your Windows Mobile devices function with SMS 7.2, and highlight any tips you have discovered that other admins may find useful.

Comments 11 CommentsJump to latest comment

Nalini Raj's picture

Mick,

"It’s time for Android’s ugly older brother to get its moment in the spotlight.  &: )" .....Nice article!

Nalini.

 

Regards,

Nalini Raj.

“Whenever you are asked if you can do a job, tell 'em, 'Certainly I can!' Then get busy and find out how to do it.”

+1
Login to vote
Mick2009's picture

Many thanks! &: )

With thanks and best regards,

Mick

0
Login to vote
Nalini Raj's picture

Mick,

Thank you for knowledge sharing!

Regards,

Nalini.

 

Regards,

Nalini Raj.

“Whenever you are asked if you can do a job, tell 'em, 'Certainly I can!' Then get busy and find out how to do it.”

+1
Login to vote
MeloSep's picture

Very good article Mick, thanks for sharing.

+1
Login to vote
SreejithV's picture

Very useful indeed. Thanks for the article, Mick.

+1
Login to vote
abhishek8866's picture

Thank you. Wonderful article.

+1
Login to vote
Mick2009's picture

Glad to assist, mobile fans!  Please do add comments below if there are any suggested topics for future articles on SMS 7.2. 

With thanks and best regards,

Mick

0
Login to vote
Mick2009's picture

Just adding a cross-ref to a new article that may be of interest...

How to test that Symantec Mobile Security 7.2 is able to detect malware
http://www.symantec.com/docs/TECH207261 
 

With thanks and best regards,

Mick

-1
Login to vote
Mick2009's picture

Just adding two quick notes...

  1. If the Mobile Agent displays "Register Error," the most common reason is a lack of connectivity between the Windows Mobile device and the SMP.  Check that wifi or other means of network access is working.
  2. Android is the mobile target for most of the malware authors thee days.  New definitions for Android are released almost every day.  The Windows Mobile defs need to be updated roughly once per month, on average.  It is normal to run LU on a Windows Mobile client, and find nothing new even if the date seems pretty old.

liveupdate_running.png

 after_successful_liveupdate.png

 

 All_up_to_date.png

With thanks and best regards,

Mick

-4
Login to vote
Mick2009's picture

Hi all,

There is now a fourth article in this SMS 7.2 series.....

Upgrading Mobile Security Gateways for Symantec Mobile Security 7.2
https://www-secure.symantec.com/connect/articles/upgrading-mobile-security-gateways-symantec-mobile-security-72

With thanks and best regards,

Mick

-4
Login to vote