Configuring Managed Devices with Group Policy

2/9/2009

Group Policy delivers and applies one or more desired configurations or policy settings to a set of targeted users and computers in an Active Directory environment. The mechanism consists of a Group Policy engine and multiple client-side extensions (CSEs) that are responsible for writing specific policy settings on target client computers. With System Center Mobile Device Manager, you can use the Group Policy Management Console (GPMC) to push these policies to managed Windows Mobile devices that are outside your company's IT infrastructure.

Note

The MDM 2008 SP1 Group Policy management tools are not backward compatible with MDM 2008 servers. Only MDM 2008 SP1 Group Policy management tools should be used to manage group policies in an MDM 2008 SP1 environment. The reverse is also true: only MDM 2008 Group Policy management tools should be used to manage policies in an MDM 2008 environment.

Overview of MDM Group Policy Extensions

System Center Mobile Device Manager extensions to the GPMC and Group Policy Object Editor enable network administrators to control managed Windows Mobile devices in a familiar environment and in a manner consistent with how they manage their networked desktop and portable computers. The extensions support existing GPMC functionality such as scripting, backup of GPOs, planning mode, and logging mode.

These extensions are not supported for the Resultant Set of Policy (RSoP) snap-in.

Note

You must install the MDM 2008 SP1 Group Policy extensions on a computer that already has GPMC installed and that is running either a 32-bit version of a Windows-based operating system or a 64-bit version of Windows Vista or Windows Server 2008.

Group Policy Objects (GPO)

From the GPMC, you configure managed devices by creating Group Policy objects (GPOs) that contain the settings to push to the devices. When a GPO applies to the Active Directory Domain Services (AD DS) object that represents a managed device, the settings are sent to the device the next time that it connects to MDM Device Management Server. To configure a group of devices, link the GPO to an organizational unit (OU) that contains the AD DS objects for the managed devices that you want to target. You can also use familiar tools such as security groups and Windows Management Instrumentation (WMI) filters to restrict a GPO to the managed devices that meet specified criteria.

Note

MDM Server Tools is a set of tools that help administrators configure, deploy, and manage MDM and its components. The MDM Applications Hash Code Tool creates an XML file, for use with a GPO, that allows or prevents an application from running on managed devices. To download the MDM Applications Hash Code Tool, see the MDM 2008 SP1 Resource Kit at: https://go.microsoft.com/fwlink/?LinkID=127030.
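The procedure described above, as an added PowerShell example that is not part of the original page: it creates a device GPO, links it to the OU that holds the device objects, restricts it with security-group filtering, and exports the GPO's Settings report for review. It uses the GroupPolicy module (shipped with RSAT and Windows Server 2008 R2 or later, which is an assumption for an MDM 2008 SP1 environment); the GPO name, the OU, and the pilot security group are constructed placeholders. Creating a WMI filter is not covered, because the GroupPolicy module has no cmdlet for that.

```powershell
# Added example (not from the original page). Assumes the GroupPolicy module is
# available and that the OU and security group below exist in the domain.
Import-Module GroupPolicy

$GpoName  = 'MDM Device Baseline'                        # assumed GPO name
$TargetOU = 'OU=Managed Devices,DC=contoso,DC=com'      # assumed OU holding the device objects
$PilotGrp = 'MDM Pilot Devices'                          # assumed security group of device objects

# 1. Create the GPO, or reuse it if it already exists, so the script can be re-run safely.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Windows Mobile device settings delivered through MDM'
}

# 2. Link the GPO to the OU that contains the managed-device objects (skip if already linked).
$existingLink = Get-GPInheritance -Target $TargetOU |
    Select-Object -ExpandProperty GpoLinks |
    Where-Object { $_.DisplayName -eq $GpoName }
if (-not $existingLink) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 3. Security filtering: only members of the pilot group apply the GPO.
#    A new GPO grants Authenticated Users "Apply" by default; drop that to "Read" so the
#    GPO stays readable but is applied only to the devices you chose.
Set-GPPermission -Name $GpoName -TargetName $PilotGrp -TargetType Group -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null

# 4. Export the same Settings report that GPMC shows, for review or change control.
$ReportPath = Join-Path $env:TEMP "$GpoName.html"
Get-GPOReport -Name $GpoName -ReportType Html -Path $ReportPath
Write-Output "Settings report written to $ReportPath"
```

Run the script once to create and link the GPO and again after editing its settings to refresh the report; the existence checks in steps 1 and 2 keep it from creating duplicate GPOs or links. Until the device settings are added in the Group Policy Object Editor, the exported report shows an empty GPO.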

Administrative (ADM) Template Files

Most device-related settings are defined in the MDM administrative template (ADM) file, Mobile.adm, and are edited through the Group Policy Object Editor user interface.

For instructions on creating custom ADM template files, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=109295

For MDM to deliver a setting from a custom ADM template, the registry key (KEYNAME) in the template must be under the Windows Mobile Settings policy tree and name the configuration service provider (CSP) that applies the setting on the device:

KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\<CSPName>\..."

For example, the POLICY block that sets the registry value RegValue under HKLM\Software\MyApp on the device through the Registry CSP might look like the following. (A complete ADM file also wraps the block in CLASS and CATEGORY statements and defines the !!Policy_MyPolicy and !!Part_MyPolicy names in its [strings] section.)

POLICY !!Policy_MyPolicy
 PART !!Part_MyPolicy EDITTEXT REQUIRED 
  KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Software\MyApp"
  VALUENAME "RegValue"
 END PART
END POLICY

You must add the Mobile.adm file, and any custom ADM file that you create, to the list of ADM template files for the target GPO. For more information about how to add an ADM file to a GPO, see Creating a New Group Policy Object for Devices.

Note

Enabling a policy that contains special characters might result in the policy not being applied, so do not use special characters in the policy. Special characters include the following: ! @ # $ % ^ & * ( ) _ { } | : " < > ?
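A check for the two rules stated above (the KEYNAME prefix for custom templates and the special-character restriction), as an added PowerShell example that is not part of the original page. It reads an ADM file line by line, reports every KEYNAME that is outside the Windows Mobile Settings tree, and reports every display string in the [strings] section that contains one of the listed characters. The reading of "special characters in the policy" as the display text shown for the policy is an assumption; the function name and the sample template are constructed.

```powershell
# Added example (not from the original page). Assumes the KEYNAME prefix rule and the
# special-character list quoted above; the ADM text at the bottom is a constructed sample.

$RequiredPrefix = 'SOFTWARE\Policies\Microsoft\Windows Mobile Settings\'
$ForbiddenChars = [char[]]'!@#$%^&*()_{}|:"<>?'

function Test-MdmAdmTemplate {
    param([Parameter(Mandatory = $true)][string[]]$Lines)

    $findings  = @()
    $inStrings = $false
    foreach ($raw in $Lines) {
        $line = $raw.Trim()
        if ($line -eq '' -or $line.StartsWith(';')) { continue }   # ';' starts an ADM comment
        if ($line -eq '[strings]') { $inStrings = $true; continue }

        if (-not $inStrings) {
            # Every KEYNAME must sit under the Windows Mobile Settings tree, or MDM does not deliver it.
            if ($line -match '^KEYNAME\s+"([^"]*)"') {
                $key = $Matches[1]
                if (-not $key.StartsWith($RequiredPrefix, [StringComparison]::OrdinalIgnoreCase)) {
                    $findings += "KEYNAME is outside the MDM policy tree: $key"
                }
            }
        }
        elseif ($line -match '^([^=\s]+)\s*=\s*"(.*)"$') {
            # [strings] entries are the text the editor displays; flag the characters MDM cannot handle.
            $name = $Matches[1]
            $bad  = $Matches[2].ToCharArray() |
                Where-Object { $ForbiddenChars -contains $_ } |
                Select-Object -Unique
            if ($bad) { $findings += "String $name contains special character(s): $(-join $bad)" }
        }
    }
    return $findings
}

# Constructed sample: Policy_Good follows both rules, Policy_Bad breaks both.
$SampleAdm = @'
CLASS MACHINE
CATEGORY !!Cat_MyApp
  POLICY !!Policy_Good
    PART !!Part_Good EDITTEXT REQUIRED
      KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Software\MyApp"
      VALUENAME "RegValue"
    END PART
  END POLICY
  POLICY !!Policy_Bad
    KEYNAME "SOFTWARE\Policies\Contoso\Mobile"
    VALUENAME "Camera"
    VALUEON NUMERIC 1
    VALUEOFF NUMERIC 0
  END POLICY
END CATEGORY

[strings]
Cat_MyApp="My Application"
Policy_Good="Set RegValue on the device"
Part_Good="Registry value"
Policy_Bad="Disable camera (pilot)"
'@ -split "`r?`n"

Test-MdmAdmTemplate -Lines $SampleAdm
```

On the constructed sample the function reports the Contoso KEYNAME and the parentheses in the Policy_Bad display string; on a real file, call it as Test-MdmAdmTemplate -Lines (Get-Content .\MyApp.adm) and fix every finding before adding the template to the GPO. Identifiers such as Policy_Bad are not checked, because the underscore in a string name is never displayed; only the quoted text is.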

Device Management Settings

After you add the ADM file, policies that are related to managed devices appear in the GPMC navigation pane.

On computers that are running Windows XP or Windows Server 2003, policy settings related to security, encryption, and device management appear under Computer Configuration/Administrative Templates/Windows Mobile Settings, and user-related settings appear under User Configuration/Administrative Templates/Windows Mobile Settings. On Windows Vista and Windows Server 2008, the same nodes appear under Computer Configuration/Policies/Administrative Templates and User Configuration/Policies/Administrative Templates.

Note

To obtain information about a managed device policy setting, locate the setting in the Group Policy Object Editor and then select it from the list in the details pane. The setting description is displayed with the setting in the details pane.

Network and Certificate Management Settings

The Group Policy settings for more complex tasks such as configuring new network connections, editing or deleting existing network connections, and managing certificate stores on the managed device are not defined in the Mobile.adm file. They are provided through custom extensions to the Group Policy Object Editor.

In the Group Policy Management Console, the network and certificate settings appear in the results pane on the Settings tab. When you click the Settings tab, a report is generated that shows the Group Policy settings for the selected GPO; because the network and certificate settings are not defined in an ADM file, they are listed under Administrative Templates > Extra Registry Settings. To save the report, right-click in the results pane and click Save Report.

In the Group Policy Object Editor, the network and certificate group policy settings appear under Computer Configuration/Policies/Windows Mobile Settings in the navigation pane.

Note

To avoid potential conflicts between settings, Microsoft recommends that you configure all the Internet/Work domain settings in a single GPO.