Neil Chapman's Blog

HTC Hermes customisation tool can turn on HSDPA

neil.chapman — Fri, 18 Aug 2006 08:46:00 GMT

A colleague of mine pointed this out to me this morning:

It's a tweaking interface to configure the HTC hermes (Orange SPV M3100, HTC TyTN, T-Mobile MDA Vario II). It can't change everything, but has some interesting features. Apparently, download without registration is not possible which is not great, and the site registration process is in german.

The most interesting features of this tweaker :

switching on HSDPA (that is by default switched off in some models of HTC Hermes, for example for Vodafone and O2)
showing GPS icon in settings
showing wireless plugin (that shows provider, Bluetooth and Wi-Fi status information)
disabling skin of the phone
removing wireless tray icon
disabling SMS sent notification
improving quality of stereo audio over Bluetooth (A2DP)

I'll grab it today and see if it can deliver on it's promises. Get it from here.

Neil

Quick review of the HTC MTeoR

neil.chapman — Mon, 14 Aug 2006 13:36:00 GMT

I recently obtained and started using the HTC's MTeoR, one of the first devices to be sold under the HTC brand.

As this had 3G, and was very slim, I thought this was the Windows Mobile smartphone I had been waiting for. In almost all respects it was. I think this is my favourite smartphone form factor so far. The buttons are easy to use, the screen clear, and I like the fact that it has a jog wheel on the side. (Although I would have preferred it on the right, not the left) The external audio speaker wasn't as good as the speaker on the I-mate SP5, but was usable, and the joystick was much better than any I'd used before.

Unfortunatley, a couple of things let it down. The battery life is poor. Even compared to other Windows Mobile 5 smartphones it doesn't hold up, I had to charge it twice daily, once in the morning, and once again at night to keep it from turning off. I tested another MTeoR device and had the same issues.

Having 3G on any small mobile device will lead to power being an issue, but even so, it was worse that I expected. I turned off up to date server activesync and bluetooth, but this didn't seem to help much.

Also, why did they remove the video calling? If you pay the extra cost of 3G device, surely you'd want all the bells and whistles? Something else I would of liked to see is an audiojack. I guess HTC believe that we'll all be using bluetooth if we want to charge the device while talking on it in the car or listening to music.

A colleague of mine disabled 3G on his SIM card, and this seemed to improve his battery life while the device only used GPRS.

In short, this would be my device of choice if the power could last a bit longer.

Neil

Wireless 802.1x authentication on Windows Mobile 5 (Part 2)

neil.chapman — Fri, 11 Aug 2006 15:14:00 GMT

I now have some more information about using 802.1x WiFi with WM5. Keep in mind I haven't looked at third party 802.1x clients at this stage, just the WM5 default client.

I posted in my last blog that I couldn't understand why a username/domain prompt appeared on the device when trying to authenticate to Radius using EAP-TLS. For example, when using an XP machine with EAP-TLS, I just have to provide the personal certificate, and don't have to input anything.

Ok, so why do I get the username / domain prompt with WM 5 EAP-TLS? The answer is this:

The WM5 device 802.1x client does not associate a certificate to a SSID connection until connecting for the first time.
This means that even though you select a certificate in the client EAP-TLS setup before connecting, the client still doesn't use this certificate for authentication.
The username/domain prompt is the mechanism for creating this association.
If you have multiple personal certificates on your device, this is when the right cert is used for the right SSID for 802.1x authentication.

The reg key that is set when this association is created is:

HKCU\Comm\EAPOL\Config\<SSID>\Identity (REG_SZ) - <Domain\Username>

My initial thoughts on all this are that I understand why the WM5 client does the check, but is this really needed if you have only one personal certificate? What else is it going to pick?

Once again, if you have successfully rolled out EAP-TLS at all using any 802.1x client on WM5, I'd like to hear from you.

Cheers,

Neil

Wireless 802.1x authentication on Windows Mobile 5

neil.chapman — Thu, 10 Aug 2006 12:44:00 GMT

I'd like to pass on some of the experience I've had with Windows Mobile 5 and getting it running on 802.1x Wi-Fi authentication standards in the enterprise, particularly using EAP-TLS.

An example situation for an enterprise is this:

There is an existing Wireless infrastructure with several hundred access points.
A Windows PKI infrastructure is already in place.
The certificate Authority does not use standard templates.
XP Notebooks are already running on WPA, EAP-TLS for authentication to the Wireless network.
They enrol the certificates through Windows group policy.
Microsoft's IAS is used for the Radius authentication, and is connected to the AD with the user accounts.

The challenge is this:

Deploy several thousand Windows Mobile 5 devices
Get them using WPA, EAP-TLS authentication with personal certificates to meet security policy.
Make the whole process easy to use for a non-technical end user.

So, I do some digging around to see what other companies have done for large scale Windows Mobile device Wi-Fi authentication, and all I can find is WEP keys and WPA - PSK. This avenue wasn't giving me much guidance, so I concentrated on testing the limits of what Windows Mobile 5 could do.

The main issues I came across:

1. Getting a personal certificate onto the device.

Firstly, let be clear about two things, Firstly, WM5 devices do not support Machine certificates. I know they have a hidden cert store that looks like it might be able to, or it looks like we may be able to attach a machine ID to the personal cert and use this in auth....but don't bother, it won't work. Secondly, using the WM 5 devices' web browser to enrol a personal certificate on the CA will also not work. The browser just can't support the ActiveX controls required.

A lot of WM5 devices come with enrollers for personal certificates, but most don't seem to cope with custom certificate templates. (DELL wrote one that did thou) So, the only way around this is to go back to the manufacture and ask, or write your own. I opted for writing my own, as the code is available on Microsoft's website. As the enroller also requires a network connection to the CA to get the cert, we had a choice. We could A) Connect it to a pc that can get to the CA through Activesync C) Authenticate the device using WEP or WPA-PSK to a "provisioning" Wi-Fi VLAN that has access to a CA. B) Forget the enroller, copy the cert over manually from a PC or smart card and use a third party utility to install the cert. Your choice should depend on how you're going to deploy the devices. Some management software can also put the cert on the device for you, but once again requires network connectivity.

2. Getting a userid / domain request when EAP-TLS authenticates to IAS.

When I use EAP-TLS on an XP laptop, the wireless access point passes the request back to the IAS radius server, and uses the username and issuer fields on the certificate to authenticate the connection. The laptop uses doesn't have to do anything.

On the windows mobile 5 device, the wireless access point passes the request back to the IAS radius server, and then I get a request on the device to enter the username and domain. I enter in these credentials, and away I go. I still don't understand why I have to enter these details when an XP certificate authenticates without interaction using EAP-TLS. This might have been OK, until I roamed to another AP. I get asked for authentication again!!?!! I cannot understand or explain this behaviour, and couldn't fix it. It may be related to the brand of AP, some IAS tweak, but it's not something I could find in the time I had. PEAP-MSCHAPv2 also behaved identically.

What does all this mean? From my perspective, EAP-TLS is very hard work, with very little information out there for support on WM5 devices. You could always try PEAP-MSCHAPv2, but I still got the authentication box pop up when I roamed.

If you've managed to deploy EAP-TLS successfully, please let me know by contacting me through this blog.

Neil

WiMAX - When will I see it, and what will it do for me?

neil.chapman — Wed, 05 Jul 2006 14:04:00 GMT

I've been keeping an eye on WiMAX (IEEE 802.16) and the impact it will have. After reading several articles like "WiMAX in the UK. Here's why it won't fly." on the register, I tried to find out more about the technologies' future while attending the European Mobility Summit in London.

A chap called Tom Foale from Urban WiMAX was a dicussion panel speaker. Urban WiMAX will be the first to offer WiMAX business servics in the UK from November.

Tom gave an honest if bleak picture, citing the many issues his company has had in the UK implementing the technology. This ranged from limited licensed frequency available, to decent WiMAX infrastructure hardware not being produced in a timely fashion. In short, there appeared to be some fairly major quality issues that will take a while to resolve.

In the UK, we will see Fixed WiMAX (802.16d) first, but won't see Mobile WiMAX (802.16e) working for some time. Based on what I heard at the Mobility summit, mobile WiMAX on laptops won't appear until late 2008, and mobile WiMAX capable devices like smarthones and pocket pcs' possibly won't be around until 2010.

Mobile WiMAX gives all the regular benifits of high speed broadband, but has the potential to be much more. For the enterprise, one main issue with running VOIP applications on mobile devices has been ensuring QoS when relying on ad-hoc public domain connectivity to the internet. Due to the large geographical range, SLA's around eventual QoS and speed, external and internal VOIP telephony solutions and the cost savings they bring may finally be possible for enterprise business in city locations. This will probably not be a serious offering until 2008/9 however, and trying to compete for business against the traditional network operators won't be easy, especially when they are still trying to claw back revenue from their 3G implementations.

In summary, WiMAX Mobile, which has the true benifits of WiMAX opposed to WiMAX Fixed, is still a while off, but has potential. However, I can see the technology taking a long time to be a viable option for many in the enterprise, and the next "big" communication network technology is always just around the corner.

Neil

For more info on WiMAX and any definitions of the above, go here.

Activesync 4.1 - Activesync will not connect to the device on a USB connection

neil.chapman — Wed, 15 Mar 2006 17:16:00 GMT

There is an issue with Activesync 4.1 and Windows XP I've seen a couple of time now, and I'd like to pass on a workaround.

The Issue: Activesync doesn't connect to your Windows Mobile device when you plug it in using a USB cable to your PC. You've checked the settings in activesync, they allow a USB connection, and the device is also set up to allow connection to a PC.

If you look under network connections on your PC, a virtual network connection for the mobile device is created when you connect it with the USB cable. Activesync however, doesn't connect to your device.

The Microsoft Mobile site then points out that you may have an issue with the Firewall on your pc. You test this by turning off the firewall for a moment, but you still can't connect with Activesync.

To resolve: Connect your device, then open network connections on your pc. Find the network connection created when you connected your device with the USB cable. It will be listed under the "LAN or high speed Internet" heading. It will be called "Local Area Connection x" (the x will be replaced by a number), and will usually be the last connection listed.

Right click on this, and select properties. You should see in the Connect using area "Windows Mobile-based Device" In the box below this titled "This connection uses the following items", you will need to place a tick in all the boxes listed. This will re-bind the network protocols to your connection. Click OK to close the property window.

From this point on, Activesync will kick into life when you connect your device, and you should only have to do this workaround once.

Note: the problem will sometimes re-occur if you connect another device, or hard-reset your current one. I have noticed that the issue most likely occurs if you are running VPN software other than than the windows VPN on your pc.

A better way to view Activesync logs.

neil.chapman — Thu, 16 Feb 2006 10:56:00 GMT

I just tried the SQL script for getting a useful view of the activesync logs from here:

http://blogs.technet.com/exchange/archive/2006/02/14/419562.aspx

It works well, I used the log parser command to output as CSV:

LogParser.exe -i:IISW3C -o:CSV file:c:\drv\sql\HitsByUser.sql

I recommend you try this tool, certainly gives a better picture of Activesync usage.

Exchange Activesync Web Admin tool issue

neil.chapman — Mon, 13 Feb 2006 11:58:00 GMT

Update 19/02/06 - The tool that can be downloaded from here has resolved the domain traversal issue. The install bug with the default web IP needing to be reset to "all unassigned" remains.

------------------------------------------------------------------------------------

The Exchange Server ActiveSync Web Administration Tool was released on the 7/12/05, to enable remote wipe of AKU2.0 (windows mobile 5 devices with the MSFP) phones and Pocket Pc's.

If you read the release notes on the download page, you will see the statement:

"To function properly, the tool must be used in conjunction with Exchange Server 2003 Service Pack 2 and compatible mobile devices.
The current release of the Exchange ActiveSync Web Administration Tool must be installed in the same domain as the user accounts being managed."

To further explain this, if you are an enterprise who puts mailboxes into a resource domain, and accounts in another resource domain, the tool cannot resolve the user accounts. The tool will only install on an exchange server, and placement of the tool in user accounts domain will still not solve the problem.

The tool itself is a quick and easy install, which creates a virtual directory in IIS called MobileAdmin. An additional bug sometimes occurs if your default web site is set to use a specific IP address rather than "all unassigned". It will create an additional "default web site" instance. To remedy this, set the IP address of the default web site to "all unassigned", then change back when finished the install.

An updated version of the Mobile admin tool (06.05.7775) was released on the 2/01/06, which also has the same issues.

Microsoft has a fix, but you will need to contact them to get it for the moment.

The Microsoft Mobile Device management Gap

neil.chapman — Tue, 07 Feb 2006 16:34:00 GMT

Towards the end of Feb the AKU 2.0/2.2 release of Windows Mobile will be available, which will include the MSFP (Messaging and Security Feature Pack). This gives some management functionality for Windows devices though Exchange 2003 SP2, but only the most important basics. The next version of Microsoft Systems Management Server (SMS) was to add further management features for Windows mobile devices. But there hasn't been much movement on this in some time.

This leaves me in a position wondering exactly how Microsoft is going forward with their Mobile Device management strategy.

The contenders:

1. The next version of SMS. (or a plug in for SMS 2003)

2. Exchange 12 Mobile Policy features are extended.

3. A new server product altogether.

My guess is that we will see a lot more emphasis on mobile management in Exchange 12, but we won't see the SMS offering for some time. This will still leave a gap for a full management solution for Windows devices. Third party vendors will fill this space for a while yet.

The main problem this leaves is the increase of the TCO of using Windows Mobile devices, as a full in-house management solution will still involve third party software and implementation costs, not to mention increasing the complexity of the project. Device and management bundles are around from the big telecom vendors, but are still sadly lacking in the Windows Mobile device area, especially for Windows Mobile 5.

Having seen Exchange SP2 in action, I think a main technical challenge across all three is how to integrate the Mobile device management interface into Domain Group Policy/ Active Directory/Existing Desktop Management system. This challenge is not just with Microsoft, but all mobile device management vendors. To achieve this first would be a huge differentiator.

Watch this space....

Exchange SP2 and feature pack issue with ISA 2000.

neil.chapman — Thu, 01 Dec 2005 14:00:00 GMT

Thinking about implementing Exchange SP2 with the new AKU 2.0 feature pack windows mobile 5 devices?

If you use ISA 2000 to reverse proxy your Activesync requests, I've come across an issue where the Exchange server cannot apply the new policies to a WM5 MSFP device.

In short, ISA 2000 has a bug in the way it deals with the OPTIONS verb, which is important for setting the SP2 management polices on the device when it connects.

To fix this, you need to do this:

http://support.microsoft.com/Default.aspx?ID=304340

Neil