System Center Mobile Device Manager 2008 Release Notes

10/3/2008

Microsoft System Center Mobile Device Manager (MDM) 2008 is a Microsoft technology that helps managed Windows Mobile powered devices work within the IT infrastructure of an organization as trusted and managed members of the enterprise.

This document describes the following issues in MDM that are not included in other MDM documents.

Contents

Updates To MDM Release Notes

MDM Installation Issues

ADConfig Issues

Configuration Issues

MDM Console Issues

MDM Software Distribution Issues

Managed Windows Mobile Powered Device Issues

For more information about the hardware and software requirements for MDM, see System Requirements for MDM Servers and Managed Devices.

Updates to MDM Release Notes

The following changes and additions have been made to the MDM Release Notes.

Release note update (change date):

  • Added the release note topic, Cannot Have Multiple Computers with Same Common Name. (March 19, 2008)
  • Added the release note topic, Uninstalling or Upgrading MDM Gateway Server May Fail. (March 17, 2008)
  • Added the release note topic, Evaluation Release Expiration. (March 17, 2008)
  • Added the release note topic, Package Approved for Removal Displays Delayed Status. (March 14, 2008)
  • Added the release note topic, Printed Report May Not Paginate Correctly. (February 12, 2008)
  • Added the release note topic, Device May Be Reoffered an Installed Update. (February 1, 2008)
  • Added the release note topic, Packages Do Not Inherit Approval. (February 1, 2008)
  • Updated the release note topics, User OU Does Not Display in Pre-Enrollment Wizard, and Pre-Enrollment Wizard User Picker Scope Dialog Box Does Not Display Selected OU, to refer to the Pre-Enrollment Wizard correctly. (January 31, 2008)
  • Updated the release note topic, Use Only Alphanumeric Characters for Server Names, to indicate that certification authority names can include spaces. (January 31, 2008)

Evaluation Release Expiration

If you install Microsoft System Center Mobile Device Manager (MDM) 2008 Evaluation Release, the software will stop running one hundred twenty days after you install it. When this occurs, you may receive errors in MDM Console or when you use a cmdlet, including, "The MDM evaluation license has expired" and "Error contacting server: The operation has timed out."

MDM Installation Issues

MDM Server Setup Restarts IIS Without Warning

When you install MDM Gateway Server, MDM Enrollment Server, or MDM Device Management Server, Setup restarts Internet Information Services (IIS) without warning. This may affect other services that are running on the server or in the organization.

Warning or Error Messages from Perflib

When you install MDM, you may receive warning or error messages in the Application log from the performance library, Perflib, that have Event IDs such as 1017, 1021, and 2003. You can safely ignore these informational messages.

Do Not Run Multiple Installations at the Same Time

If you install more than one of MDM Device Management Server, MDM Enrollment Server, MDM Gateway Server, or MDM Administrator Tools on the same computer, or if you install more than one copy of any of these on a single computer, wait at least five minutes after you start the first installation before you start the next installation. If two installations start at the same time, the installation will be unstable.

Do Not Install Prerelease Version on a Computer Running Released Version

Do not install a prerelease version of MDM Enrollment Server, MDM Device Management Server, MDM Gateway Server, or MDM Administrator Tools on a computer that is running the released version of MDM, or the MDM system will not function correctly.

Uninstalling or Upgrading MDM Gateway Server May Fail

If you attempt to uninstall MDM Gateway Server, or if you attempt to upgrade to the released version of MDM Gateway Server, and the uninstall or upgrade fails, then everything is rolled back properly except that the IPSECVPN driver is not restored. The computer is now in an unstable state.

If the uninstall fails, use MDM Clean-Up Tool to completely remove MDM Gateway Server and install it again. As an alternative you can attempt to repair the installation (run Setup and select the Repair option) and then uninstall it again. To download MDM Cleanup Tool, see MDM Server Tools at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=108953.

If the upgrade fails, try to repair the installation (run Setup and select the Repair option) and then try to upgrade again.

Use Only Alphanumeric Characters for Server Names

MDM supports only the characters A-Z, a-z, 0-9, dash (-), and underscore (_) for the following names:

  • All FQDNs, including host and domain names
  • Certification authority names (certification authority names can contain spaces)
  • Microsoft SQL Server instances
  • Microsoft Windows Software Update Services (WSUS) server instances

Important

MDM Setup lets you enter other characters for these names. However, this may cause errors in the overall MDM system.

Cannot Have Multiple Computers with Same Common Name

When you install MDM Enrollment Server or MDM Device Management Server, you may encounter the following errors:

  • An event in your server event log with the error, "Failed to add Computer Name to EnrollmentServers security group" or "Failed to add Computer Name to Device Management Servers security group." Setup also fails with one of these error messages.
  • An exception error in the setup log files beginning with "CAAddYonaServerToSecurityGroup:System.ArgumentException: Multiple AD entries found for server Computer Name" and including the same error text as above.

If you encounter both of the above errors, it means that there are multiple computers with the same common name in different domains. To correct this, delete any accounts in Active Directory that have the same NetBIOS name as the server on which you are installing MDM Enrollment Server or MDM Device Management Server.

Cannot Specify Localhost for SQL Server Location

When you install MDM Device Management Server or MDM Enrollment Server, you cannot specify "localhost" or "localhost\<sqlinstance>" for the location of SQL Server. You must use the machine name or the Fully Qualified Domain Name (FQDN) instead of "localhost".

For example, specify "mdm.contoso.com\sqlinstance" instead of "localhost\sqlinstance".
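
A pre-flight check for the two naming rules above (the supported character set, and no "localhost" for the SQL Server location), written in PowerShell as an added example; it is not part of the release notes or of MDM. The function names and the sample names are hypothetical, and checking an FQDN label by label with dots as separators is an assumption.

```powershell
# Added example, not Microsoft code. Function names and sample values are hypothetical.

function Get-MdmHostNameProblem {
    param([string]$HostName)
    # Assumption: an FQDN is checked label by label, with dots only as separators.
    # An empty label (leading, trailing, or doubled dot) fails the check as well.
    foreach ($label in $HostName.Split('.')) {
        # -cnotmatch is case-sensitive, so only the listed ASCII characters pass.
        if ($label -cnotmatch '^[A-Za-z0-9_-]+$') {
            "host label '$label' contains unsupported characters"
        }
    }
}

function Test-MdmSetupName {
    param(
        [Parameter(Mandatory = $true)]
        [ValidateSet('Fqdn', 'CertificationAuthority', 'SqlServer')]
        [string]$Kind,

        [Parameter(Mandatory = $true)]
        [string]$Name
    )

    $problems = @()
    switch ($Kind) {
        'Fqdn' {
            $problems += @(Get-MdmHostNameProblem $Name)
        }
        'CertificationAuthority' {
            # Same character set as other names, plus spaces.
            if ($Name -cnotmatch '^[A-Za-z0-9_ -]+$') {
                $problems += 'certification authority name contains unsupported characters'
            }
        }
        'SqlServer' {
            # Accepts "host" or "host\instance"; split on the first backslash only.
            $hostPart, $instance = $Name -split '\\', 2
            if ($hostPart -eq 'localhost') {
                $problems += 'use the machine name or FQDN instead of localhost'
            }
            $problems += @(Get-MdmHostNameProblem $hostPart)
            if ($null -ne $instance -and $instance -cnotmatch '^[A-Za-z0-9_-]+$') {
                $problems += "SQL instance '$instance' contains unsupported characters"
            }
        }
    }

    [pscustomobject]@{
        Kind     = $Kind
        Name     = $Name
        Valid    = ($problems.Count -eq 0)
        Problems = ($problems -join '; ')
    }
}

# Constructed sample values; replace them with the names planned for the deployment.
$planned = @(
    @{ Kind = 'Fqdn';                   Name = 'mdm-gw01.contoso.com' },
    @{ Kind = 'Fqdn';                   Name = 'mdm gateway.contoso.com' },
    @{ Kind = 'CertificationAuthority'; Name = 'Contoso Issuing CA' },
    @{ Kind = 'SqlServer';              Name = 'localhost\sqlinstance' },
    @{ Kind = 'SqlServer';              Name = 'mdm.contoso.com\sqlinstance' }
)

$results = foreach ($p in $planned) { Test-MdmSetupName @p }
$results | Format-Table Kind, Name, Valid, Problems -AutoSize
```

Because Setup accepts unsupported characters without complaint, running a check like this before installation is the only point at which a bad name is caught early.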

Database Installations on Windows Server 2000 May Fail

If you install MDM databases on a computer that is running Microsoft® Windows Server® 2000, the installation may fail if the name of the computer that is running Microsoft SQL Server® and the name of the computer that is running MDM Device Management Server, or MDM Enrollment Server, begin with the same characters. To correct this problem, rename the computer that is running SQL Server, or use a later version of Windows, such as Windows Server 2003 with Service Pack 2 (SP2).

For example, if you install MDM databases on a computer that is running SQL Server named mdmsql.contoso.com, and MDM Device Management Server or MDM Enrollment Server are named mdm.contoso.com, the database installation may fail. We recommend that you install SQL Server on Windows Server 2003 with SP2.

.NET Framework Language Requirement

MDM services might not start correctly if you do not install the .NET Framework language in the same language as MDM. To download and install the .NET Framework Version 2.0 Language Pack, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=105268. Make sure that you select the language and then choose Change to refresh the page before you choose Download.

Special Installation Option if SQL Server Is in a Different Language

If you install MDM Enrollment Server in a language that differs from that of the Microsoft SQL Server installation, and you connect to the computer that is running SQL Server remotely, you must install MDM Enrollment Server at a command prompt. During the installation, you must specify the name of the Anonymous account on the computer that is running SQL Server by using the ENWEB_SVC_ACC property. The following example shows you how to run Setup if you install the English version of MDM Enrollment Server but use a remote connection to a computer that is running the German version of SQL Server:

msiexec /i Enrollment.msi ENWEB_SVC_ACC="NT-AUTORITÄT\ANONYMOUS-ANMELDUNG"

If you install MDM Device Management Server or MDM Enrollment Server, while Anonymous, Network Service, or Local Service accounts are already present in the SQL logins on the computer that is running SQL Server in a language that differs from that of the computer on which you want to install MDM Device Management Server or MDM Enrollment Server, the installation will fail. Delete these accounts from the computer that is running SQL Server before you install MDM Device Management Server or MDM Enrollment Server or use a different SQL instance.

Do Not Install Upgrades in a Different Language

Do not install an MDM upgrade or software update that is in a language different from the language of the MDM system. MDM does not support this configuration.

Failure to Set Inventory Default Settings

When you install MDM, you may see the message, "Failed to set the inventory default settings" at the end of the installation process. To correct this issue, follow these steps to restore the original inventory settings:

  1. Make sure that you have the appropriate permissions to run the Restore-MDMInventoryDefaults cmdlet.
  2. Wait for Active Directory replication to finish after you have installed MDM Device Management Server.
  3. Open MDM Shell on a computer on which you have MDM Administrator Tools installed.
  4. Run the Restore-MDMInventoryDefaults cmdlet.

If the cmdlet returns an error, check the MDM Active Directory Service Connection Point (SCP) for MDM Device Management Server and make sure that you set the URL to the FQDN of MDM Device Management Server or the MDM Device Management Server load balancer. For more information about how to configure the SCP, see Modify MDM Active Directory Service Connection Points.

Administrator Tools Repair Option Installs All Components

If you select Click here for support information and then choose Repair to repair the 64-bit Administrator Tools installation from Add or Remove Programs in Control Panel, Setup tries to install all components of Administrator Tools, whether or not you installed all components during the original Setup. If a required system component is not present on the computer, such as Group Policy Management Console, the installation will fail.

To repair the installation in Setup by using your original custom installation settings, in Add or Remove Programs, choose Change, and then select the Repair option.

Cannot Uninstall MDM if IIS Is Uninstalled

You cannot uninstall MDM Device Management Server, MDM Enrollment Server, or MDM Gateway Server if you have uninstalled IIS. IIS must be installed and must have the correct metabase for you to be able to uninstall MDM Device Management Server, MDM Enrollment Server, or MDM Gateway Server.

Uninstall of MDM Gateway Server Requires Reboot Before Reinstall

If you uninstall MDM Gateway Server and then plan to reinstall it, you must reboot the computer before you reinstall the software.

Location of Setup Log Files

By default, when you run MDM Setup from the Setup menu, log files are created in the system temp directory, %temp%. Depending on the MDM system component that you install, Setup creates the following files:

  • MDMSetup.log
  • Enrollment.log
  • DeviceManagement.log
  • Gateway.log
  • AdminTools.log

If you use command-line commands to install MDM software, specify the log file command-line option, /l*xv, to create log files. For example:

msiexec /i Enrollment.msi /l*xv Enrollment1.log

This example puts the log file in the current folder. You can also specify a path for the log file in the command line.

ADConfig Issues

Must Use ADConfig /unconfig Options in the Correct Order

If you use the /unconfig command-line option in the ADConfig tool, you must use the /gpsecurity /unconfig, /enabletemplates /unconfig, and /createtemplates /unconfig options before you use the /domain /unconfig option.

If you use the /domain /unconfig option first, the account SCMDM2008EnrollmentServers remains in CA Security Permissions. However, the name changes to "Account Unknown (specific SID)". To correct this, follow these steps on the certification authority server where you enabled the templates:

  • Open the Certification Authority console under Administrative Tools.
  • Right-click CA Instance and then select Properties.
  • Select the Security tab and delete the entry for "Account Unknown (specific SID)". Delete any entries for which there is a security ID (SID) instead of a name. Make sure that you only delete these entries.
  • Choose OK and close the console.

In addition, if you use the /domain /unconfig option before you use /gpsecurity /unconfig, any accounts that were previously defined remain with permissions on the Group Policy objects, and possibly on the default Group Policy security descriptor. However, the name changes to "Account Unknown (specific SID)". You can safely remove these accounts on the Group Policy objects.

ADConfig Displays Error if CA Server or CA Name Is Invalid

If you provide the ADConfig tool with an invalid certification authority server or certification authority name by using the /enabletemplates command-line option, ADConfig terminates with a generic error and a message states that remote procedure call (RPC) is unavailable. Make sure that the certification authority server and certification authority name that you specify are correct and that the server is online.

Configuration Issues

Maximum Server Memory Configuration

The SQL Server default value for maximum server memory is approximately 200 GB. Configured this way, with MDM Device Management Server or MDM Enrollment Server installed, SQL Server could become unusable. You may have to modify this value to provide the best performance for the database.

To set a fixed amount of memory, follow these steps:

  1. In SQL Server Management Studio, in Object Explorer, right-click the SQL Server name, and then select Properties.
  2. In the Select a page area, select Memory.
  3. In the Server memory options area, select Dynamic memory configuration.
  4. Enter values for Minimum server memory and Maximum server memory.

With the Dynamic memory configuration option selected, SQL Server changes its memory requirements dynamically based on available system resources. The default setting for Minimum server memory is 0, and the default setting for Maximum server memory is 2,147,483,647 megabytes (MB). The minimum amount of memory that you can specify for Maximum server memory is 16 MB.

For more information, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=110809.

OMA Session Time-Out Must Be Less Than Firewall TCP Idle Time-Out

The Open Mobile Alliance (OMA) session time-out that you set for MDM Device Management Server should be at least 30 seconds less than the TCP idle time-out value in the network firewall. For example, if the firewall idle time-out is set to eight minutes, you should set the OMA session time-out to seven minutes and 30 seconds, or less. You set the OMA session time-out by using the Set-DeviceManagementConfig cmdlet in MDM Shell. The following example shows you how to set the OMA session time-out by using the Set-DeviceManagementConfig cmdlet.

Set-DeviceManagementConfig -OMASessionTimeout "0:07:30"

MDM Console Issues

User OU Does Not Display in Pre-Enrollment Wizard

In the Pre-Enrollment Wizard, the Select Organizational Unit dialog box does not display Users organizational units (OUs). This occurs when you follow these steps:

  1. On the wizard Select User page, select Active Directory User, and then choose Browse.
  2. In the Select User dialog box, on the Scope menu, choose the Modify User Picker Scope command.
  3. In the User Picker Scope dialog box, select View all users in specified organizational unit, and then choose Browse.

The Select Organizational Unit dialog box displays all OUs except Users. You can view Users OUs in the Select User dialog box if you have set that dialog box to display the whole Active Directory forest.

Pre-Enrollment Wizard User Picker Scope Dialog Box Does Not Display Selected OU

In the Pre-Enrollment Wizard, the User Picker Scope dialog box does not always display the OU that you select. This occurs when you follow these steps:

  1. On the Select User page of the wizard, select Active Directory User and then choose Browse.
  2. In the Select User dialog box, on the Scope menu, choose the Modify User Picker Scope command.
  3. In the User Picker Scope dialog box, select View all users in specified organizational unit and then choose Browse.
  4. In the Select Organizational Unit dialog box, select an OU and then choose OK.
  5. In the User Picker Scope dialog box, notice that the OU you selected is displayed in Organizational Unit. Choose OK.
  6. In the Select User dialog box, on the Scope menu, select the Modify User Picker Scope command.

In the User Picker Scope dialog box, notice that Organizational Unit is blank. The OU that you selected remains selected. However, it does not display.

Available Device Commands Not Always Updated in MDM Console

In MDM Console, if you cancel a device block or wipe request, the Actions pane may not update automatically to show that block or wipe commands are now available for the device. This behavior may occur if you do not have the Device Status tab selected in the Device Details pane. To update the Actions pane, select the Device Status tab in the Device Details pane, or select a different device and then reselect the original device.

MDM Software Distribution Issues

MDM Requires WSUS 3.0 with SP1

MDM software distribution requires that you install WSUS 3.0 with Service Pack 1 (SP1) on the computer that is running MDM Device Management Server. To obtain a copy of WSUS 3.0 SP1, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=105090.

Event Message from Software Distribution

If a managed Windows Mobile powered device responds to MDM software distribution with incomplete information, a message that resembles the following appears in the event log:

Event Type:     Warning
Event Source:   Device Manager
Event Category: None
Event ID:       8041
Date:           <date>
Time:           <time>
User:           N/A
Computer:       <computer running MDM Software Distribution Console>
Description:
Software Distribution service received insufficient query results from device <deviceId>.
Missing LocUri ./Vendor/MSFT/SwMgmt/Download?list=StructData.

This warning does not always indicate a problem on the managed device. It may indicate a problem in MDM software distribution, or there may be no problem.

To verify that MDM software distribution is working correctly with the managed device, check the state of the device in MDM Software Distribution Console by using the reporting tools, or check the managed device itself.

MDM Software Distribution Console Unresponsive

When you cancel the Modify Package Wizard in MDM Software Distribution Console, the console may become unresponsive. If this occurs, you can correct the problem by forcing the console to end and then restart it.

To force MDM Software Distribution Console to end, open Task Manager. On the Applications tab, select System Center Mobile Device Manager Software Distribution and then choose End Task.

For more information about related issues with MMC, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=110811.

Cannot Edit Registry Dependency If Set to Exists

In the Create Package Wizard or Modify Package Wizard, if you create a registry dependency with the operation Exists, you cannot edit that registry item to change the operation to something other than Exists. To make this change, delete the item and create it again.

Packages Do Not Inherit Approval

If you have nested device groups, and you approve a package for a parent group, the package is not approved automatically for the children of the parent group. Additionally, in the Approve Packages dialog box, the Same as Parent and Apply to Children options do not function. If the approval indication for a group is Install (inherited) or Removal (inherited), the package is not actually approved for that group. You must approve the package for each device group individually.

Republishing Content May Trigger Reinstall

If you publish content and it is installed on a managed Windows Mobile powered device, and then you republish the same content within the device reconnection interval, the content is reoffered to the device and the content is uninstalled and installed again. To avoid this, wait at least one device reconnection interval (the default is eight hours) before you republish content.

Device May Be Reoffered an Installed Update

If a managed Windows Mobile powered device is offered a software update and the device installs the update, under certain conditions the status for the installation may not be received by the server. In this case the software update is reoffered to the device and the device reinstalls it. The result is that the user may see the update installed multiple times and multiple entries for the update may appear in the Managed Programs history on the device.

This situation occurs when the device goes offline after installing the software but before the next OMA session connection. The default OMA session connection interval (ConnectInterval value) is eight hours. If the device then stays offline for longer than the software update reoffer period, MDM software distribution offers the update to the device again the next time that the device connects. The default setting for the reoffer period (ReofferPeriodInDays value) is seven days.

Package Approved for Removal Displays Delayed Status

When you approve a package for removal, the package status is displayed as Not Applicable until the software update reoffer period passes. The default setting for the reoffer period (ReofferPeriodInDays value) is seven days. After the reoffer period, MDM software distribution checks the device for the package status and displays Applicable if the package was successfully uninstalled and Installed if the uninstall failed.

Printed Report May Not Paginate Correctly

The printed version of a package or device report, or an exported PDF file of the report, may not be paginated correctly, resulting in issues such as extra blank pages. To correct this, click the Page Setup button on the report toolbar and set the right margin to 0.8 inches or less before printing or exporting to a PDF file.

Avoid Large Detailed Reports

We recommend that you limit the size of device or package reports to 200 pages or fewer. If you generate detailed reports for many devices or packages, the result can be very memory-intensive and time-consuming. Detailed reports are most effective for smaller subsets of your devices or packages. You can use different filters to reduce the size of the report, or you can choose the tabular format instead of the detailed format to reduce the number of pages.

Managed Windows Mobile Powered Device Issues

Managed Device Operating System Requirement

Windows Mobile powered devices that you manage by using MDM require the Windows Mobile 6.1 operating system or a later version of Windows Mobile.

No Internet Sharing with Mobile VPN Enabled

The Internet Sharing application on a managed Windows Mobile powered device will not function while the Mobile virtual private network (VPN) is enabled. In order to avoid user confusion, you may choose to do one of the following:

  • If it is not required, disable Internet Sharing permanently. The user will be unable to use Internet Sharing even when the Mobile VPN is disabled. We recommend this option if, by policy, you do not let users disable Mobile VPN.
  • Inform users who use Internet Sharing that they must disable Mobile VPN manually. However, you can only do this if, by policy, you let the user disable the Mobile VPN.