Mobile Device Manager Frequently Asked Questions
2/9/2009
This topic provides some frequently asked questions about System Center Mobile Device Manager. Read the information below to get an idea of the product features and capabilities.
Contents
- Planning
- Network Topology
- Active Directory
- Gateway Server
- Enrollment
- Software Distribution
- Line-of-Business Applications
- Device Wipes
- SQL Server
- Client Devices
- Device and Emulator Settings
Planning
How does MDM differ from System Center Configuration Manager, which can also manage mobile devices?
System Center Configuration Manager (SCCM) manages assets on the internal network with Inventory, Software Distribution, and Reporting capabilities. These assets include laptops, desktops, Windows Embedded CE devices, and other computing devices.
MDM offers external mobile devices security-enhanced VPN access to applications and services on the internal network, and requires no additional client installation. MDM also pushes control policies and software application packages targeted to mobile devices and collects inventory from devices over VPN.
Does MDM Setup affect other components on the server?
MDM Setup restarts IIS without notification. This could affect Web sites within your organization. Installing MDM Device Management Server on an existing Windows Server Update Services (WSUS) server causes some MDM objects to appear in the WSUS console.
Does MDM 2008 SP1 support Windows Server 2008?
Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 does not support installation of MDM server roles on Windows Server 2008. Installation of MDM server roles is supported on Windows Server 2003 only.
However, MDM 2008 SP1 supports Windows Server 2003 and Windows Server 2008 Active Directory domain and functional levels. MDM 2008 SP1 supports installation in Active Directory domains at the following domain and forest functional levels:
Functional Level | Supported? |
---|---|
Windows 2000 mixed (default) |
No |
Windows 2000 native |
No |
Windows Server 2003 interim |
No |
Windows Server 2003 Native |
Yes |
Windows Server 2008 Native |
Yes |
For more information about supported software versions, see System Requirements for MDM Servers and Managed Devices.
Does MDM work with Line-Of-Business applications such as Microsoft Exchange Server?
Yes, though MDM has no dependency on any line-of-business (LOB) applications, including Microsoft Exchange Server. MDM is a mobile device management solution that provides security-enhanced network access to any LOB application.
Is there a preferred vendor who can configure the network proxy service for filtering Web content?
No, the MDM platform does not require a proxy from any specific vendor.
Network Topology
Can I use a load balancer in front of the MDM Gateway Server?
You do not need a load balancer because gateway load balancing does not rely on network load balancing services (NLBS) technology. NLBS does not work properly with MDM, which uses a Domain Name System (DNS) scheme for load balancing the servers running MDM Gateway Server.
Typically, you issue static IP addresses to several servers running MDM Gateway Server, which are then bound to a single fully qualified domain name (FQDN). For example, gateway.contoso.com is bound to IP addresses 74.92.226.130 and 74.92.226.131, which are the IP addresses of servers Gateway1 and Gateway2.
Configure each server running MDM Gateway Server with a pool of virtual IP addresses, which the devices use in the Mobile VPN sessions.
The managed device gets the two IP addresses from DNS and connects to one at random. If the connection fails, the device tries the next IP address and gets the next server.
If the managed device has a previously-issued IP address from the pool and contacts the server running MDM Gateway Server with that IP address pool, then the device continues to use that IP address. If the device connects to a different server running MDM Gateway Server, then it receives a new virtual IP address.
Can I place the MDM Servers behind a load balancing solution?
Yes, except for MDM Gateway Server. For information on configuring the MDM servers, see the MDM Planning Guide.
Are there any requirements on the types of load balancers that MDM supports?
MDM requires a standard load balancer, with the ability to enable Affinity. MDM requires no specific characteristics beyond a standard load balancer.
Can I have more than one Device Management Server per domain forest?
Yes, you may have more than one MDM Device Management Server per domain forest in a load-balanced topology. This topology supports scale-out and redundancy. However, MDM supports up to 100 instances per domain forest. Administrative rights are not delegated per MDM Device Management Server, but by MDM instance, as all MDM Device Management Server computers share a single SQL Server infrastructure.
Can my MDM WSUS server be downstream from another WSUS 3.0 host?
Yes, but this configuration may have performance impact considerations, depending on the number of devices supported and how software distribution is managed.
Active Directory
Does MDM extend the Active Directory schema?
No, while MDM does make changes in Active Directory, it does not make changes to the schema.
Can I use multiple organizational units (OU) to manage devices?
Yes, devices can exist in multiple groups of multiple organizational units (OUs). MDM supports up to 100 instances per domain forest. When you create a custom OU, you must run the Set-EnrollmentPermissions cmdlet in MDM Shell to delegate the appropriate permissions to the Enrollment server to access the new OU. You do not need to run this cmdlet for the default OU.
Gateway Server
Why won't my MDM Gateway Server work properly after importing a new certificate?
If you replaced the MDM Gateway Server computer certificate or certification authority, and imported the new certificate to the Gateway Web site, then you must uninstall and re-install the MDM Gateway Server component.
Does MDM support MDM Gateway Server computers with only a single network adapter?
No, MDM requires two network adapters: one for communicating with external client devices, and one for communicating with internal servers. MDM does not support binding internal and external IP addresses to a single network adapter.
Can I use the MDM Mobile VPN connection to enable Exchange ActiveSync on Intranet-based Microsoft Exchange Servers?
Yes, if you want tighter security than SSL access, you can use the MDM Mobile VPN connection to transport SSL-encrypted messages within an IPsec tunnel. MDM supports DirectPush in this VPN to Exchange ActiveSync scenario.
Enrollment
How do devices get certificates through the Enrollment server?
The device generates the certificate request and passes the request to the enrollment server, which impersonates the device account just long enough to submit the certificate request to the certification authority. The enrollment server does not have permissions to the device-specific certificates and templates on the certification authority, only the device account has permissions. The private key never leaves the device.
Can I automate the enrollment process for new devices?
You can perform bulk enrollments using MDM Shell. Users can also provision their own Windows Mobile devices by using MDM Self Service Portal. However, MDM Self Service Portal only provisions devices into a single organizational unit (OU) that you designate as the MDM administrator. For information about MDM Self Service Portal, see the Deployment Guide for MDM Self Service Portal. To download MDM Bulk Pre-enrollment Tool, see MDM Server Tools in the MDM Resource Kit Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.
Can I unenroll an enrolled device?
MDM has no administrative tools for unenrolling a device. You should submit a wipe request for the device to remove all of the appropriate objects, such as the objects in Active Directory and SQL Server. Wiping also adds the device to the Blocked Devices list. The enrollment record remains in the database so that MDM can block the device. When re-enrolling a device, you should specify a new device name. To download MDM Enrollment Cleanup Tool, see MDM Server Tools in the MDM Resource Kit Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.
How do I configure MDM to send the enrollment e-mail message?
By default, MDM uses localhost@EnrollmentServer.com to send the e-mail message containing the one-time enrollment password. To specify an SMTP server for sending these messages, run the following command in MDM Shell:
set-EnrollmentConfig -SmtpServer smtp.yourdomain.com
You can modify the other parameters similarly by running the following commands:
set-EnrollmentConfig -SmtpServer
set-EnrollmentConfig -EmailSubject
set-EnrollmentConfig -EmailBodyTemplate
set-EnrollmentConfig -EmailSender
How do I check to see if a device is enrolled?
On the device, select Settings, select Connections, and then select Domain Enroll. The Device Status field indicates if the device is enrolled or not.
Can users disable the Mobile VPN Connection?
Yes, if allowed by MDM Group Policy. To disable the Mobile VPN connection, on the device, select Settings, select Connections, select Mobile VPN, and then select Disable. You can also enable or disable the Mobile VPN connection using the MDM VPN Diagnostics Tool. For information about this tool, see MDM Server Tools in the MDM Resource Kit Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.
What are the consequences of disabling the Mobile VPN Connection?
The device is not protected because without the Mobile VPN connection, it connects to a public Internet connection. Therefore, it is exposed to all of the threats on the Internet.
Device wipes will not function because MDM sends the wipe notification through the alerting mechanism provided by MDM Gateway Server. If you disable the Mobile VPN connection, MDM Gateway Server cannot address the device.
If your company only has MDM enrolled devices and Microsoft Exchange Server ActiveSync is not exposed to the Internet, then devices cannot connect to Microsoft Exchange Server ActiveSync if you disable the Mobile VPN connection.
Does MDM support Windows Mobile Device Center/ActiveSync Desktop Pass-Through Connections using USB or Bluetooth?
No. MDM client devices and device emulators cannot establish Mobile VPN connections using Windows Mobile Device Center/ActiveSync Desktop Pass-Through connections.
If I establish a Windows Mobile Device Center/ActiveSync Connection, what is the Mobile VPN connection status, and how is network traffic routed?
The following table summarizes how network traffic is routed when you connect the device to a desktop computer.
Mobile VPN Connection Status | Mobile VPN Connection Enabled |
---|---|
Activesync RNDIS Multihoming on |
|
Activesync RNDIS Multihoming Off |
|
Activesync Serial USB Multihoming on |
|
Activesync Serial USB Multihoming off |
|
Activesync Serial Bluetooth Multihoming on |
|
Activesync Serial Bluetooth Multihoming off |
|
Software Distribution
How do I permanently remove a device so that it no longer appears under Managed Devices?
Use MDM Cleanup Tool to clean up any remnant device objects. For information about MDM Cleanup Tool, see MDM Server Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.
Can I stop MDM Software Distribution while roaming?
Yes, MDM has the Configure device management when roaming Group Policy with the following options:
- Allow device management
- Check frequency multiplier
- Allow software downloads and Windows Update
Does MDM Software Distribution have any dependencies on Windows Update?
No, MDM uses Windows Server Update Services (WSUS) instead of Windows Update.
Can I use MDM Software Distribution to uninstall a package?
Yes. Before you distribute installation packages, you must approve the packages for specific managed devices, or groups of managed devices. You can also approve a package for removal, which uninstalls the package from the device. The software distribution component can remove and un-install software that was installed through MDM, or some other means such as Active Sync or external storage media. If you install software using other means, then you must publish the packages in MDM, and make sure that the inventory on the device is aware of the software.
Line-of-Business Applications
Do MDM policies take precedence over Microsoft Exchange Server policies?
When a device enrolls with MDM, it no longer has Exchange Server policies applied to it. Exchange Server 2007 SP1 includes a new cmdlet that allows administrators to block or allow specific devices to be managed by MDM.
Can I configure the port that devices use to connect to internal resources?
MDM uses VPN to connect devices to MDM Gateway Server. After the VPN connection is active, the device can connect to internal resources that are available from MDM Gateway Server. For example, if MDM Gateway Server is in the perimeter network, then the internal resources need publishing to this perimeter network. The port from the perimeter network to the internal network depends on the particular application.
Device Wipes
How do I initiate a wipe request?
In MDM console, right-click the device, and then select Wipe Now. You can also run the New-WipeRequest cmdlet in MDM Shell.
How does MDM process a wipe request?
MDM sends the request to the device over the Mobile VPN connection. The device then connects to MDM Device Management Server and retrieves its wipe request task.
Can MDM process a wipe request from a blocked device that is incapable of establishing a Mobile VPN connection?
No. If you want to wipe a managed device, do not block it.
Does MDM block a device automatically after a device wipe?
Yes, but only after the managed device is successfully wiped or un-enrolled.
Can I issue an immediate device wipe?
All wipes are immediate in the sense that MDM sends an alert. If the device is offline, then MDM cannot issue the wipe request until the device establishes a Mobile VPN connection and receives the alert, or when it connects at a regularly-scheduled time and receives the wipe request.
Can I still wipe a device after a failed wipe session?
Yes. If the session fails, the managed device reconnects to complete that session when it is powered up. It retries until the session successfully completes.
SQL Server
Does all SQL Server communication occur over port 1433?
Yes, the default communication port for SQL Server is port 1433, and MDM does not modify this port configuration.
Can I rename an MDM database?
No, you cannot change MDM database names.
Does MDM require a dedicated computer for SQL Server?
No, but you should deploy SQL Server for MDM on a dedicated computer unless you have relatively few devices. You might encounter memory consumption issues if you install MDM Device Management Server and SQL Server on the same computer.
Client Devices
How do I access MDM Self Service Portal?
Browse to the following URL: https://<servername>:port/pages/devicelist. To get the SSL port number, check the Web service for the portal in IIS.
Will MDM support non-Windows Mobile devices?
Not for Microsoft System Center Mobile Device Manager (MDM) 2008. This version only manages devices deployed with Windows Mobile versions 6.1 and later.
Can I use Internet Connection Sharing when my device is connected to MDM?
No, Internet Connection Sharing does not function when a device establishes a Mobile VPN connection with MDM.
Device and Emulator Settings
Why doesn't the Device Emulator install successfully on Windows XP SP2?
You need Microsoft .NET Framework 2.0 to run the Microsoft Device Emulator on Windows XP SP2.
Where can I find the build number information on a device?
For Windows Mobile 6 Standard, select Settings, and then select About. For Windows Mobile 6 Professional, select Settings, select System, select About, and then select the Version tab.
How can I change a device name?
From the Home screen, select Settings, select System, select About, and then select the Device ID tab.
How do I configure the data connection on a device?
In Windows Mobile 6 Professional, first check to see if you have network connectivity by starting Internet Explorer and browsing to a public Web site. If so, skip the steps below. If you cannot browse to any Web sites, then follow these steps:
- From the Home screen, select Start, and then select Settings.
- On the Connections tab, select the Connections application.
- In the My ISP section, configure the Mobile Operator (MO) data connectivity settings. If you see a Manage existing connections option under My ISP, select it. Otherwise, skip the next two points.
- Select and hold each item in the list, and then select Delete.
- Select OK to return to the main Connections window.
- Under My ISP, select Add a new modem connection.
- Select and enter your Mobile Operator data connection information.
In Windows Mobile 6 Standard, first check to see if you have network connectivity by starting Internet Explorer and browsing to a public Web site. If so, skip the steps below. If you cannot browse to any Web sites, then follow these steps:
- From the Home screen, select Start, select Settings, select Connections, and then select GPRS.
- To remove any and all existing connections, select each connection, select Menu, and then select Delete.
- Select Menu, and then select Add.
- Select and enter your Mobile Operator data connection information.
How do I determine which certificates are installed on a device?
To view the certificates installed in the personal, Intermediate, and Root stores, select Settings, select System, and then select the Certificates application. When a device enrolls, MDM installs a computer certificate on the device. You cannot see this certificate using the Certificates application, but you can see this certificate using the VPN Diagnostics Tool in diagnosis mode. Select Certificates, and then select Validate certificate chain.
You can also query all of the certificates installed on a device by using the CertificateStore configuration service provider. For information about this configuration service provider, see CertificateStore at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=115659.
For an example on how to query the certificate store, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=115660.
To view device certificates using external methods:
- In MDM Console, select Managed Devices, select the device, and then select the Certificates tab.
Note
After you deploy certificates to a device using group policy, it may take one policy refresh cycle (up to 8 hours) for the certificate to appear in MDM Console.
- Use the Security Configuration Manager Powertoy for Windows Mobile, which is a remote configuration tool that runs on a host computer. For information about this tool, please visit the following Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=132126.