On 6 June 2005, Microsoft announced that its MSFP for Windows Mobile 5.0 will ship in 4Q05. The pack, when combined with Exchange Server 2003 SP2, is meant to deliver push-based e-mail, Exchange integration, and enhanced manageability, security and control for Windows Mobile 5.0 devices.

The MSFP includes improvements, but Microsoft has implemented too few of Gartner's recommendations to make Windows mobile devices enterprise-ready (see "What Does Trustworthy Computing Mean for Pocket PC?"). Microsoft told Gartner in 2002 that it would raise security on the platform significantly — to the enterprise level — in the next major release. In our opinion, the improvements in Windows Mobile 5.0 and the MSFP are insufficient and do not meet basic enterprise security needs.

MSFP security improvements include:

• Certificate support
• Wiping the device's main memory after too many failed password attempts
• A facility that allows Exchange administrators to instruct the device to wipe itself the next time it connects via TCP/IP to the server
• Policy and configuration management

The pack also has:

• Patch support, without having to "reflash" the entire memory of the device and erase user data
• Better Exchange integration through established Outlook Web Access technology and push-based e-mail

Wiping the devices' memory is of limited use, since data on removable media is not erased and remains exposed. Because mobile devices have limited storage capacity, most users store data on media, such as memory cards, that can simply be removed from one device and read in another. Data encryption is required to secure the device. The Crypto application programming interfaces (APIs) are already built into the operating system, so such a feature should have been easy to implement.

Microsoft has missed an opportunity to show leadership in mobile security and have the market declare that the company has made Windows Mobile 5.0 secure. We believe it should have provided an integrated management and security framework for the platform. Microsoft continues to rely on third-party vendors to plug its mobile-security shortcomings.

Recommendation: Buy third-party security software to make Windows mobile devices enterprise-ready.

Analytical Sources: Dion Wiggins and Nick Ingelbrecht, Gartner Research

Recommended Reading and Related Research

• "How to Tackle the Threat from Portable Storage Devices" — Adopt strict security policies for mobile devices and use tools to manage port access. By Ruggero Contu
• "Windows 5.0 Presents Challenges and Opportunities for Microsoft" — After a long hiatus, Microsoft has finally provided its next major upgrade to the Windows mobile environment. By Ken Dulaney and others

(You may need to sign in or be a Gartner client to access the documents referenced in this First Take.)