11/11/2008

Before you deploy System Center Mobile Device Manager (MDM), make sure that a certification authority server that is running Windows Server® 2003 Enterprise Edition operating system with Service Pack 2 (SP2) is available that meets MDM requirements. To successfully install and operate the MDM system, follow the requirements and steps in this section.

Note:
MDM does not support multiple root certificate authorities.

To review the system requirements for the certification authority, see System Requirements for MDM Servers and Managed Devices.

Requirements for Certification Authority Configuration

Review the following requirements when you configure a certification authority that the MDM system components will access:

  • Enable issuing Secure Sockets Layer (SSL) certificates: You must configure the certification authority to issue Web server SSL certificates. This capability is required so that all MDM certificates, including those issued to managed Windows Mobile devices and to MDM system components, roll up to a single root certification authority. A rollup to a single root certification authority is required for MDM.

  • Configure required client certificate renewal settings: You must enable the following settings on the certification authority to support client certificate renewal directly by using the certification authority server Web site:

    • Accept client certificates

    • Enable client certificate mapping

  • Restart the MDM Enrollment Service NT service after updating group membership: If you add a new member to the CERTSVC_DCOM_ACCESS group, you must restart the MDM Enrollment Service (a Microsoft® Windows NT® service) on servers running MDM Enrollment Server. The restart refreshes the group membership information in the Kerberos ticket held by MDM Enrollment Server.

  • Make sure that Request Certificates permissions are configured: If you have changed the default permissions on the certification authority to disable Request Certificates for authenticated users, MDM Setup might be unable to obtain required certificates. To enable Setup to obtain certificates, you must manually grant Request Certificates permissions to the SCMDM2008ServerAdministrators group.

Enable Client Certificate Renewal

To support client certificate renewal directly against the certification authority server Web site, follow these steps on the certification authority server.

To enable client certificate renewal
  1. On the Start menu, choose All Programs, choose Administrative Tools, and then choose Internet Information Services (IIS) Manager.

  2. In IIS Manager, expand the server name, right-click Web Sites, and then choose Properties.

  3. In the Web Sites Properties dialog box, on the Directory Security tab, select the Enable the Windows directory service mapper box, and then choose OK.

  4. In IIS Manager, expand Web Sites, expand Default Web Site, right-click CertSrv, and then choose Properties.

  5. In the CertSrv Properties dialog box, on the Directory Security tab, in the Secure Communications box, choose Edit.

  6. In the Secure Communications dialog box, in the Client certificates box, select Accept client certificates, and then choose OK.

  7. In the CertSrv Properties dialog box, choose Apply, and then choose OK.

Co-Locate MDM with a Certification Authority or Domain Controller

To install MDM on a certification authority or an Active Directory® domain controller, follow these steps.

Note:
This is not a recommended configuration.

To co-locate MDM with a certification authority or domain controller
  1. On the Active Directory domain controller, choose Start, choose All Programs, choose Administrative Tools, and then choose Active Directory Users and Computers.

  2. In Active Directory Users and Computers, choose View, and then choose Advanced Features.

  3. Expand the domain and then choose SCMDM2008 Infrastructure Groups.

  4. Right-click SCMDM2008EnrolledDevices, and then select Properties.

  5. In the SCMDM2008EnrolledDevices Properties dialog box, on the Security tab, choose Advanced.

  6. In the Advanced Security Settings for SCMDM2008EnrolledDevices dialog box, choose Add.

  7. In the Select User, Computer, or Group dialog box, choose Object Types.

  8. In the Object Types dialog box, select the Computer box, and then choose OK.

  9. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type the computer name, and then choose Check Names.

  10. After Active Directory verifies the computer name, choose OK.

  11. In the Permission Entry for SCMDM2008EnrolledDevices dialog box, on the Object tab, select the This object only box.

  12. In the Permissions box, in the Allow column, select the Read Permissions box.

  13. On the Properties tab, in the Apply onto list, select This object only.

  14. In the Permissions box, in the Allow column, select the Read Members and Write Members boxes, and then choose OK.

  15. Repeat steps 6 through 14, but in step 9, replace <computer name> with Network Service.

  16. In the Advanced Security Settings for SCMDM2008EnrolledDevices dialog box, choose Apply, and then choose OK.

  17. In the SCMDM2008EnrolledDevices Properties dialog box, choose OK.

  18. In Active Directory Users and Computers, expand the domain, right-click SCMDM2008 Managed Devices, and then choose Delegate Control.

  19. On the Welcome to the Delegation of Control Wizard page, choose Next.

  20. On the Users or Groups page, choose Add.

  21. In the Select Users, Computers, or Groups dialog box, choose Object Types.

  22. In the Object Types dialog box, select the Computer box, and then choose OK.

  23. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type the server name of the enrollment server, and then choose Check Names.

  24. After Active Directory verifies the computer name, choose OK.

  25. On the Users or Groups page, choose Next.

  26. On the Tasks to Delegate page, select Create a custom task to delegate, and then choose Next.

  27. On the Active Directory Object Type page, select the Only the following objects in the folder box, select the Computer objects box, select the Create selected objects in this folder box, select the Delete selected objects in this folder box, and then choose Next.

  28. On the Permissions page, select the General, Property-specific, and Creation/deletion of specific child objects boxes.

  29. On the Permissions page, select the following boxes:

    • Read

    • Write

    • Create All Child Objects

    • Delete All Child Objects

    • Read All Properties

    • Write All Properties

  30. Choose Next.

  31. On the Completing the Delegation of Control Wizardpage, choose Finish.

You must grant the Network Service and Local Service accounts Full Control to the Temp folders.

To grant permissions to the Temp folders
  1. On the Start menu, choose Run, type explorer, and then choose OK.

  2. In Windows Explorer, browse to the %SystemDrive%\Windows folder. Typically, the system drive is C:.

  3. Right-click Temp, and then choose Properties.

  4. In the Temp Properties dialog box, on the Security tab, choose Add.

  5. In the Select Users, Computers, or Groups dialog box, in the Enter the object name to select box, type network service, and then choose Check Names.

  6. After Active Directory verifies the computer name, choose OK.

  7. In the Permissions for NETWORK SERVICE box, in the Allow column, select the Full Control box, and then choose Add.

  8. In the Select Users, Computers, or Groups dialog box, in the Enter the object name to select box, type local service, and then choose Check Names.

  9. After Active Directory verifies the computer name, choose OK.

  10. In the Permissions for LOCAL SERVICE box, in the Allow column, select the Full Control box, and then choose OK.

  11. Repeat steps 1 through 10 to grant the Network Service and Local Service accounts Full Control permissions to the %SystemDrive%\Documents and Settings\<username>\Local Settings\Temp folder.

Enable Certificate Templates on a Certification Authority Server

Generally, you enable certificate templates by running the ADConfig /enabletemplates command. If you want to enable certificate templates on a certification authority (CA) manually, follow these steps on the certification authority server.

To enable certificate templates on a certification authority server
  1. On the Start menu, choose All Programs, choose Administrative Tools, and then choose Certification Authority.

  2. In Certification Authority, right-click <CA server name>, and then choose Properties.

  3. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDM2008ServerAdministrators.

  4. In the Permissions for SCMDM2008ServerAdministrators box, in the Allow column, select the Request Certificates box.

  5. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDM2008EnrolledDevices.

  6. In the Permissions for SCMDM2008EnrolledDevices box, in the Allow column, select the Request Certificates box.

  7. In the <CA server name> Properties dialog box, on the Security tab, in the Group or user names box, select SCMDM2008EnrollmentServers.

  8. In the Permissions for SCMDM2008EnrollmentServers box, in the Allow column, select the Issue and Manage Certificates box.

  9. In the <CA server name> Properties dialog box, on the Certificate Managers Restrictions tab, select Restrict certificate managers.

  10. In the Available certificate managers drop-down list, select <domain>\SCMDM2008EnrollmentServers.

  11. In the Groups, users, or computers to manage box, make sure that the SCMDM2008EnrolledDevices group has its Access set to Allow. If this group does not appear in the box, choose Add.

    This setting restricts the SCMDM2008EnrollmentServers group to manage certificates for the SCMDM2008EnrolledDevices group only.

  12. Choose OK.

  13. In Certification Authority, expand <CA server name>, and then choose Certificate Templates.

  14. In the details pane, make sure that the following MDM templates are listed:

    • SCMDM2008GCM

    • SCMDM2008WebServer

    • SCMDM2008MobileDevice
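The following script is an added verification check, not part of the MDM documentation or the MDM product, for the two settings that the "Enable Client Certificate Renewal" and "Enable Certificate Templates" procedures above configure by hand. It assumes it runs with administrative rights on the certification authority server, that CertSrv is a virtual directory under the Default Web Site (metabase path W3SVC/1/ROOT/CertSrv), and that PowerShell (1.0 or later) and the IIS 6.0 ADSI provider are installed.

```powershell
# Added verification script for the MDM CA prerequisites (not from the product).
# Assumptions: run elevated on the CA server; CertSrv lives under Default Web Site;
# the IIS 6.0 ADSI provider (IIS://) and certutil.exe are available.

$expectedTemplates = @('SCMDM2008GCM', 'SCMDM2008WebServer', 'SCMDM2008MobileDevice')
$problems = @()

# 1. "Enable the Windows directory service mapper" is the SSLUseDSMapper
#    metabase property on the Web Sites (W3SVC) node.
$w3svc = [ADSI]'IIS://localhost/W3SVC'
$dsMapper = "$($w3svc.SSLUseDSMapper)"
if ($dsMapper -ne 'True' -and $dsMapper -ne '1') {
    $problems += 'W3SVC: SSLUseDSMapper is off (Windows directory service mapper not enabled)'
}

# 2. "Accept client certificates" on /CertSrv is AccessSSLNegotiateCert (0x20)
#    in AccessSSLFlags. AccessSSLRequireCert (0x40) means "Require", which would
#    turn away renewal requests that arrive without a certificate.
$certSrv = [ADSI]'IIS://localhost/W3SVC/1/ROOT/CertSrv'
$flags = [int]"$($certSrv.AccessSSLFlags)"
if (($flags -band 0x20) -eq 0) {
    $problems += 'CertSrv: AccessSSLNegotiateCert not set (client certificates are ignored)'
}
if (($flags -band 0x40) -ne 0) {
    $problems += 'CertSrv: AccessSSLRequireCert is set (should be Accept, not Require)'
}

# 3. The three MDM templates must be published on the CA. certutil -catemplates
#    lists every template the CA is configured to issue; match on the names only,
#    so the check does not depend on the exact output layout.
$caTemplates = & certutil -catemplates 2>&1 | Out-String
foreach ($template in $expectedTemplates) {
    if ($caTemplates -notmatch [regex]::Escape($template)) {
        $problems += "CA: template $template is not enabled (run ADConfig /enabletemplates)"
    }
}

if ($problems.Count -eq 0) {
    'All checked MDM certification authority settings are in place.'
} else {
    'MDM certification authority configuration problems found:'
    $problems | ForEach-Object { " - $_" }
}
```

Run it before MDM Setup; each reported line maps back to one of the numbered steps above, so a failure tells you which procedure to repeat.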