Microsoft System Center Mobile Device Manager 2008

System Center 2008 Mobile Device Manager is the latest addition to the System Center suite of management tools.

The Microsoft System Center is a modular collection of products designed to provide the IT administrator with the ability to capture detailed information about the hardware, software, policies and processes in use within the organisation and to harness that information to dynamically manage the systems and operations to reduce costs and improve availability.

The suite consists of the following products:

The Mobile Device Manager 2008 is the latest addition to this suite of products, providing the administrator with the ability to centrally manage remote Windows Mobile-based Pocket PCs and Smartphones.


Architecture

The Mobile Device Manager consists of the following 4 components:

The MDM Gateway Server is designed to sit in a DMZ or perimeter network environment (i.e. not in the company domain), and provides a secure IPSec tunnel to the remote Windows Mobile client device. Remote devices are authenticated on the Gateway Server and checked against a list of blocked devices that is configured by the administrator.

The MDM Device Management Server sits on the local network and is the interface between the Windows Mobile device and the Domain Controller and Windows Update (SUS) Server. It enables support for policy-based configuration management, software distribution, asset management and device wipe. The interface is designed to reflect the other elements of the System Center so that administrators can manage Windows Mobile-powered devices in the same way that they manage desktop and laptop PCs.

The MDM Enrollment Server also sits on the local network and essentially provides the Windows Mobile device with an ‘identity’ within the Active Directory. Before a device can be authenticated by the Gateway Server it must first be enrolled in the domain. The enrollment process works as follows:

The administrator creates a new device enrollment request. This generates a password that is emailed to the user of the device to be enrolled.

On the Windows Mobile device, the user launches the Enroll Device wizard and enters their full email address and the password they have been issued with (NOTE – this is NOT their account password, but the password issued by the Device Management server). The wizard performs a DNS lookup on the domain entered in the email address and from that locates the IP address of the enrollment server.

The Enrollment Server verifies the credentials and, provided that they are correct, creates the necessary entries within the Active Directory and on the Gateway Server. This process is examined in more detail later.

The solution stores all of the configuration settings and user-customised policies in a SQL database, which requires that a SQL 2005 Server be available on the network.

Below is an illustration of how the solution would typically be deployed:

[Diagram: typical deployment of the MDM server roles, with the Gateway Server in the perimeter network]

NOTE – it is not strictly necessary for the different server roles to be fulfilled by separate machines – the Device Management Server, Enrollment Server and Database Server could all reside on the same physical machine. However, for security purposes the Gateway Server should ideally live in the DMZ or Perimeter Network as shown in the above diagram.


Pre-requisites

With the exception of the SQL 2005 Database Server, all MDM components require Windows Server 2003 SP2 64-bit.

It is recommended that the servers possess 2 Intel / AMD processors at 1500 MHz or higher.

All servers should ideally have at least 4GB of RAM and 100GB of available hard disk space.

The Device Management Server must also have Windows Server Update Services 3.0 SP1 (WSUS) installed, which itself requires access to a SQL database and at least 3GB of hard disk space.

The Administration Tools require Powershell 1.0 to be installed.


Functionality

Device Management

Once installed, the Mobile Device Manager integrates into Group Policy Manager and Active Directory, allowing the administrator to choose from over 130 pre-defined policies controlling hardware and software elements on the Windows Mobile device, including:

as easily as he or she might add a user to a distribution group.

Software updates and applications can be deployed to remote devices Over The Air. MDM integrates with Windows Server Update Services (WSUS) 3.0 so that patches can be ‘allowed’ by the administrator and then deployed automatically.


Inventory and Reporting

MDM also has extensive inventory and reporting options allowing the administrator to take a snapshot of the status of the remote device infrastructure at any given moment.


Mobile Optimised VPN

The MDM solution also enables secure, mobile VPN access to LAN-based resources, such as a corporate intranet. The VPN client built into Windows Mobile can establish a secure IPSec-based VPN to the Gateway Server and thence to the local network.


Installation

Considering that this product is being aimed squarely at the Blackberry market, I personally found the installation procedure relatively complicated when compared to the market leader.

When launched, the installation splash screen will be displayed:

[Screenshot: installation splash screen]

Before any of the server roles can be installed, the Active Directory must first be populated with the necessary containers and entries that the solution will make use of. Selecting the option to Configure Active Directory for MDM launches the ADConfig.exe utility with a ‘/help’ switch, which displays the available options. Be sure to read them carefully.

A simple installation would be effected with the command:

ADConfig /domain:(domain)

(where (domain) is the name of the domain for which the target domain controller is responsible).

The Active Directory will then be prepared for the installation; check that all operations complete successfully:

[Screenshot: ADConfig output]

Once complete, you will see 2 new containers within the Active Directory Users and Computers MMC snap-in:

[Screenshot: the two new containers in Active Directory Users and Computers]

At this stage the user account that is being used to install the solution should be added to the SCMDM2008ServerAdministrators group, then the server logged off and back on again for the permission changes to take effect.
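The log-off/log-on step matters because Windows builds the list of groups into the logon token at logon time, so a membership added in Active Directory is not honoured by an existing session. As an added illustration (not part of the original article or of the product), the PowerShell check below compares the token with what the directory currently holds for SCMDM2008ServerAdministrators; the group name is from the article, the rest is assumed, and it needs PowerShell 2.0 or later for try/catch on a domain-joined machine.

```powershell
# Added example: is SCMDM2008ServerAdministrators present in the CURRENT logon
# token, and if not, is it at least present in Active Directory (i.e. the
# membership was added but the administrator has not logged off and on yet)?

function Get-TokenGroups {
    # Groups as recorded in the process token; this list is fixed at logon.
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    foreach ($sid in $id.Groups) {
        try   { $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $sid.Value }   # SIDs that no longer resolve are kept raw
    }
}

function Get-DirectoryMembers([string]$GroupName) {
    # Direct members of the group as stored in AD right now (LDAP search,
    # default naming context of the domain this machine is joined to).
    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.Filter = "(&(objectCategory=group)(sAMAccountName=$GroupName))"
    $group = $searcher.FindOne()
    if (-not $group) { throw "Group $GroupName not found; has ADConfig been run?" }
    foreach ($dn in $group.Properties['member']) {
        [string]([ADSI]"LDAP://$dn").sAMAccountName
    }
}

function Test-MdmAdminMembership([string]$GroupName = 'SCMDM2008ServerAdministrators') {
    $user = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name   # DOMAIN\user
    $sam  = $user.Split('\')[-1]
    $inDirectory = @(Get-DirectoryMembers $GroupName) -contains $sam
    $inToken     = @(Get-TokenGroups | Where-Object { $_ -like "*\$GroupName" }).Count -gt 0
    if ($inToken) {
        Write-Host "OK: $user holds $GroupName in its logon token"
    } elseif ($inDirectory) {
        Write-Host "PENDING: $user is a member in AD but the token predates the change; log off and on"
    } else {
        Write-Host "MISSING: add $user to $GroupName before installing the server roles"
    }
    return $inToken
}

Test-MdmAdminMembership
```

Only direct membership is checked; nested groups would need a recursive lookup.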

Once logged back in, re-launch the installer and install the desired server roles. The Device Management Server and Enrollment Server roles can be installed on the same machine.

During the installation you will be prompted to enter the details of the SQL 2005 Server as well as a database administrator user account.

You will also be prompted to enter details of a certificate authority should you wish to secure communications to the enrollment server (recommended).

Once installed, you will see a number of additional SCMDM services added to the server:

[Screenshot: the additional SCMDM services in the Services console]

Be sure to verify that all services have started successfully.

Now install the Administration Tools. There are 3 options available:

The Group Policy Management Manager option should be de-selected. It is important that this component is NOT installed on the server: it requires that the Group Policy Management Console (GPMC) be installed, which in turn requires the Dot Net Framework 1.0. The Dot Net Framework 1.0 is not available in a 64-bit version, and installing it on a 64-bit operating system will cause unpredictable performance from the IIS service.


Administration

Once the Admin Tools have been installed, a number of entries will have been added to the Start Menu in the System Center Mobile Device Manager folder, including the System Center Mobile Device Manager Administrator Console.

Mobile Device Manager

[Screenshot: Mobile Device Manager Administrator Console]

This console allows the administrator to issue passwords to allow users to enroll new devices to the server, to view detailed information on the hardware and software elements of any given (enrolled) device, to disable devices from being able to contact the server, or to wipe (hard reset) devices completely.

Available information includes:

To enrol a new device, select the option to Create Pre-Enrollment; the following wizard will be launched automatically:

[Screenshot: Create Pre-Enrollment wizard]

Click Next.


Enter an alphanumeric name for the device so that it can be identified in the list of enrolled devices. Click Next.


Select the option to enroll an Active Directory user (selecting Browse will display the Global Address List), and tick the option to Send an email confirmation with enrollment password to device user. Click Next.


Verify the settings chosen and click Create.

An email with the necessary enrollment password will be sent to the user, who will now need to run the Domain Enroll wizard on the Windows Mobile client device and complete the email address and enrollment password fields.

The Domain Enroll icon can be found under Start --> Settings --> Connections:

[Screenshots: Domain Enroll icon on the device]

Tap Next to begin the enrollment process (NOTE – an active connection to the Internet [or LAN] will be required). The following screen will be displayed:

[Screenshots: Domain Enroll wizard on the device]

Tap Next. The user will be prompted to enter their email address. The wizard will then determine the location of the enrollment server automatically by performing a DNS lookup on the domain entered in the email address (this requires that the domain have a DNS record for a server named ‘mobileenroll.domain.com’ and that this host have a public IP address).

A connection to the Enrollment Server will then be made and the user will be prompted for their enrollment password. Should the wizard not be able to locate the server automatically through DNS, the user will be prompted to enter the address or FQDN of the enrollment server.
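Before sending out enrollment passwords it is worth reproducing the wizard's discovery step from the administrator's side. The script below is an added example (not the article's or the product's code): it derives mobileenroll.<domain> from a user's address, resolves it, and confirms the answer is a public address with something listening. The e-mail address, the use of TCP 443 and PowerShell 2.0 or later are assumptions; only the mobileenroll naming comes from the article.

```powershell
# Added example: emulate the Enroll Device wizard's DNS discovery and report
# the conditions the article names (record exists, host has a public address).

function Get-EnrollmentHost([string]$EmailAddress) {
    # The wizard queries 'mobileenroll.' + the domain part of the address.
    $at = $EmailAddress.LastIndexOf('@')
    if ($at -lt 0 -or $at -eq $EmailAddress.Length - 1) { throw "No domain part in '$EmailAddress'" }
    return 'mobileenroll.' + $EmailAddress.Substring($at + 1).ToLower()
}

function Test-IsPublicAddress([System.Net.IPAddress]$Address) {
    # RFC 1918, loopback and link-local ranges are never reachable from a
    # device on the public Internet, so a record pointing there is useless.
    if ($Address.AddressFamily -ne [System.Net.Sockets.AddressFamily]::InterNetwork) { return $false }
    $b = $Address.GetAddressBytes()
    if ($b[0] -eq 10 -or $b[0] -eq 127) { return $false }
    if ($b[0] -eq 172 -and $b[1] -ge 16 -and $b[1] -le 31) { return $false }
    if ($b[0] -eq 192 -and $b[1] -eq 168) { return $false }
    if ($b[0] -eq 169 -and $b[1] -eq 254) { return $false }
    return $true
}

function Test-EnrollmentDiscovery([string]$EmailAddress, [int]$Port = 443) {  # port is an assumption
    $hostName = Get-EnrollmentHost $EmailAddress
    Write-Host "Wizard will look up: $hostName"
    try   { $addresses = [System.Net.Dns]::GetHostAddresses($hostName) }
    catch { Write-Host "FAIL: no DNS record for $hostName; users will be asked for the server address"; return $false }
    $ok = $true
    foreach ($a in $addresses) {
        if (Test-IsPublicAddress $a) { Write-Host "OK:   $hostName -> $a (public)" }
        else { Write-Host "WARN: $hostName -> $a is not a public address"; $ok = $false }
        # Confirm a listener before telling users to enrol.
        $client = New-Object System.Net.Sockets.TcpClient
        try     { $client.Connect($a, $Port); Write-Host "OK:   TCP $Port open on $a" }
        catch   { Write-Host "FAIL: TCP $Port closed on $a"; $ok = $false }
        finally { $client.Close() }
    }
    return $ok
}

Test-EnrollmentDiscovery 'jsmith@example.com'   # constructed sample address
```

Run it from a host outside the corporate network to see what an enrolling device actually sees, since split-brain DNS can make the check pass internally and fail from the Internet.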

Once enrollment is complete, the device is then configured to direct all future traffic through the Gateway Server.

Software Distribution Manager

[Screenshot: Software Distribution Manager console]

This console allows the administrator to create software ‘packages’ to be delivered to Windows Mobile client devices. Once created, packages need to be ‘approved’ for delivery, and can be delivered on a per-user or per-group basis.

NOTE – packages to be delivered must be in either CAB or CPF format.

To create a new package, select the option to Create. The following wizard will be launched automatically:

[Screenshot: Create Package wizard]

Click Next.


Browse to the CAB or CPF file and enter a description to identify the package. Click Next.


Select the client platforms that you wish the package to be delivered to. Click Next.


Specify whether the user should have the ability to uninstall the package once delivered. Click Next.


Specify the client languages that the package should be delivered to. Click Next.


Specify any dependent software that the package requires to be present prior to installation. Click Next.


Review the settings entered and click Create.


Once complete, click Finish.


The package will now be listed. It must be approved before delivery to the specified recipients is scheduled.


Group Policy Manager

As mentioned above, the Group Policy Manager cannot be installed on the MDM server itself, but can be installed, say, on the administrator’s PC:

[Screenshot: Group Policy Manager]

From here the administrator can define policies for virtually every element of functionality of Windows Mobile Classic, Standard and Professional devices.