What's New in Mobile Device Manager 2008 SP1
2/9/2009
Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1, the latest release of the MDM system, includes a number of new features and changes.
What's New in MDM 2008 SP1
New features in MDM 2008 SP1 include multiple-instance deployment. In MDM, an instance specifies a separate, independent installation of MDM in a forest or in a domain. MDM 2008 SP1 can support multiple instances in a single domain or across a forest, which provides flexibility and increased manageability for companies that deploy MDM in an enterprise-wide topology. This architecture provides a security-enhanced boundary between each MDM instance. Therefore, users have access only to MDM servers in their instance. Managed devices do not have access to other instances.
MDM 2008 SP1 supports multiple MDM instances running in each Active Directory forest. As an administrator, you can set up one or more instances and individually manage the devices associated with each instance. This differs from MDM 2008, which supports only one instance in each forest. The following list shows the new functionality that was added to support multiple instances:
- Each instance runs independently from any other instance in the forest. Instances can span multiple domains.
- IT administrators can limit the actions of the MDM administrator to specific instances throughout the forest. This lets Help Desk administrators, Server administrators, and Device administrators manage devices in assigned instances only.
- IT administrators can use MDM Console or MDM Shell to detect the instance to which they are attaching. Commands are denied at the MDM Shell level if an administrator tries to run commands against an instance to which he or she has no permissions. Administrators can only access consoles of instances that they have authority to manage.
- Enrollment autodiscovery finds a specific MDM Enrollment Server from an e-mail address that the user enters in the device enrollment tool.
The following list shows changes that were made to MDM Self Service Portal:
- MDM Self Service Portal is now part of MDM. In previous versions, it was part of the MDM Resource Kit Tools.
- You now install MDM Self Service Portal by running MDM 2008 SP1 Setup instead of by manually running a separate MDM Self Service Portal Setup .msi file.
- By default, you must be a member of SCMDMAuthorizedUsers, SCMDMServerAdmins, or a domain administrator group to access MDM 2008 SP1 Self Service Portal. In MDM 2008 SP1, access to the portal is enabled by default for domain-authenticated users in the SCMDMAuthorizedUsers group.
The following list shows other changes that were made in MDM 2008 SP1:
- Password reset was added to let a user who has forgotten his or her device password reset the password. The user can access MDM Self Service Portal or contact the IT Help Desk to request a one-time recovery password that is stored on MDM Device Management Server. The user can use this password to reset the password on the device.
- .NET Framework 2.0 Service Pack 1, instead of .NET Framework 2.0, must be installed before you can install MDM 2008 SP1 servers.
- You can now install MDM in Active Directory domains at the Windows Server 2008 domain and forest functional level. In previous versions, you could only install MDM at the Windows Server 2003 domain and forest functional level.
- MDM can now run on virtual computers that are running on a host computer that uses Windows Server 2008 Hyper-V technology. The virtual machine on which MDM is installed is subject to the same requirements, dependencies, and restrictions as a physical computer. In particular, the guest operating system of the virtual machine must be Windows Server 2003.
Note
Because of unavoidable variations in deployment options, physical hardware variances, and support for virtualization, we make no claims regarding the performance of MDM 2008 SP1 running on guest operating systems that use Hyper-V, though we tested MDM 2008 SP1 with 500 devices in such an environment.
What's New in MDM Documentation
The following table shows some of the new and updated topics in MDM 2008 SP1.
| Topic | Description |
|---|---|
| ADConfig Tool (Changed) | Updated with the new groups, parameters, and operations that the MDM 2008 SP1 Active Directory Configuration Tool (ADConfig) supports. |
| | Describes the new password reset feature in MDM 2008 SP1. |
| | Describes the MDM Shell cmdlets that you can run to perform various recovery password operations for MDM. |
| | Added information about device enrollment in a multiple-instance scenario. |
| | Describes how to disable file beaming over both IrDA and Bluetooth. |
| | Describes how to enable password reset for MDM. |
| Gateway Server Cmdlets (New) | Added a new cmdlet, Update-MDMGatewayServer, that updates each MDM Gateway Server in the MDM system by sending configuration and other information from the Mobile Device Manager Gateway Central Management component of MDM Device Management Server. |
| MDM Gateway Server Deployment Guidelines (Changed) | Added more information about when you should and should not use network address translation (NAT), and added a section about configuring the default gateway and outgoing proxy. |
| Install and Configure SQL Server for MDM (Changed) | Added examples to assist with scoping database size and growth needs, and updated the procedure for configuring Windows integrated security to work with SQL Server 2005. |
| Install MDM Self Service Portal (Changed) | Updated steps for installing MDM Self Service Portal. |
| Manual Certificate Procedures (Changed) | Added information about updating the Active Directory service connection point (SCP) with MDM 2008 SP1 certificate template object identifiers. |
| | Changed template names to MDM 2008 SP1 templates. |
| | Updated certificate template names with instance name. |
| MDM Backup and Recovery (Changed) | Updated to include the recovery of MDM dependencies and components, not just databases. |
| | Added new cmdlets to manage the certificate templates in the current MDM instance: |
| | Added new cmdlets to return information about MDM instances and specify the MDM instance you want to manage in the MDM Console: |
| MDM Multidomain Multiple-Instance Configuration Topology (New) | Provides an illustration of multiple MDM 2008 SP1 instances in multiple domains. |
| | Provides a high-level description of the new multiple-instance functionality in MDM 2008 SP1. |
| | Summarizes multiple-instance topology support in MDM 2008 SP1, and contains topics to help you plan for deploying multiple MDM 2008 SP1 instances. |
| MDM Multidomain Multiple-Instance Configuration Topology (New) | Includes an illustration of implementing a multiple-instance deployment of MDM 2008 SP1 in a multiple-domain environment. |
| | Added new cmdlets to manage MDM device recovery passwords: |
| | Updated steps for removing MDM Self Service Portal. |
| | Updated steps for repairing MDM Self Service Portal. |
| | Describes how to get the device recovery password by using the MDM Console. |
| | Helps you evaluate and deploy MDM 2008 SP1. |
| Security Best Practices in MDM (Changed) | Made the following changes: |
| Security Policies in MDM (Changed) | Documented a new Group Policy setting: User Reset of Password—Enables you to control whether users can reset device passwords by using password reset in MDM or Exchange PIN reset, which uses functionality provided by Microsoft Exchange Server 2007. |
| Security Considerations for MDM Self Service Portal (Changed) | Lists the new default requirements for users to access MDM Self Service Portal. |
| Server Administrator Roles in MDM (Changed) | Added server administrator role information for the new cmdlets: |
| Setup Command-Line Options (Changed) | Updated MDM Enrollment Server and MDM Device Management Server command-line installation strings with an MDM 2008 SP1 instance parameter. |
| Signing .Cab Files in Packages (Changed) | Updated to reflect that MDM 2008 SP1 includes a wizard for signing .cab files. Previously in MDM 2008, signing a .cab file involved running the CabSignTool utility from the MDM 2008 Resource Kit Tools. |
| Step 1a: Configuring the Active Directory Domain for MDM (Changed) | Added new parameters for creating and enabling MDM 2008 SP1 instances. |
| Step 1b: Granting Permissions for Administrators to Install MDM (Changed) | Documented new procedures for adding members to the new group MDM Security Administrators (SCMDMSecurityAdmins) and delegating other MDM roles by using an account from this group. |
| Step 2: Installing MDM Enrollment Server (Changed) | Updated Setup procedures for MDM 2008 SP1 multiple-instance functionality. |
| | Updated Setup procedures for MDM 2008 SP1 multiple-instance functionality. |
| Step 5d: Creating and Importing the MDM Gateway Server Configuration File (New) | Provides procedures for creating the certificate template object identifier XML file and importing it onto MDM Gateway Server. This process is necessary for keeping MDM 2008 SP1 instances separate in a forest. |
| | Provides Setup guidance for upgrading to MDM 2008 SP1. |
| | Describes the methods MDM 2008 SP1 uses to validate the communication within a single instance—certificate template object identifiers (OIDs) and Active Directory User Security Groups (USGs)—and lists the steps that you take as part of the MDM 2008 SP1 deployment process to set up the validation process. |