11/11/2008

Group Policy delivers and applies one or more desired configurations or policy settings to a set of targeted users and computers in an Active Directory environment. This mechanism consists of a Group Policy engine and multiple client-side extensions (CSEs) that are responsible for writing specific policy settings on target client computers. With System Center Mobile Device Manager (MDM), it is possible to use the Group Policy Management Console (GPMC) to push these policies to managed Windows Mobile devices that are outside your corporate IT infrastructure.

Overview of MDM Group Policy Extensions

System Center Mobile Device Manager (MDM) extensions to the GPMC and Group Policy object (GPO) Editor enable network administrators to control managed Windows Mobile devices in a familiar environment and in a manner consistent with how they manage their networked desktop and portable computers. The extensions support existing GPMC functionality such as scripting, backup of GPOs, planning mode, and logging mode.

These extensions are not supported for the Resultant Set of Policies (RSoP) snap-in.

Note:
You must install MDM Group Policy extensions on 32-bit versions of a Windows-based operating system, or a 64-bit version of Windows Vista, that has GPMC already installed.

Device Settings

From the GPMC, you can configure managed devices by creating GPOs that contain the settings to push to the devices. When you apply the GPO to the Active Directory Domain Services object that represents the managed device that you want to target, the settings will be sent to the device the next time that it connects to MDM Device Management Server. You can configure groups of devices by linking the GPO to an Organizational Unit (OU) that contains Active Directory objects for the managed devices that you want to target. Additionally, you can use familiar tools such as Security Groups and Windows Management Instrumentation (WMI) filters to apply a GPO to a group of managed devices that meet certain specified criteria.

Most device-related settings are defined in an MDM administrative template (ADM) file that you can access through the GPO Editor User Interface. You must add the Mobile.adm file to the list of ADM template files for the target GPO. For more information about how to add an ADM file to a GPO, see Creating a New Group Policy Object for Devices.

Note:
Enabling a policy that contains special characters might result in the policy not being applied. Do not use special characters in the policy. Special characters include the following: !@#$%^&*()_{}|:"<>?.
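Because a policy containing one of these characters fails silently on the device, a pre-flight check on the values you are about to enable is worth having. The following function is an added example and is not part of the MDM documentation or product; the setting names and values it checks are constructed samples, and the character set is exactly the one listed in the note above.

```powershell
# Added example (not from the MDM documentation): flag policy values that contain
# characters the MDM note lists as unsupported, before the GPO is enabled.
function Test-MdmPolicyValues {
    [CmdletBinding()]
    param(
        # Hashtable of setting name -> proposed value (constructed by the caller).
        [Parameter(Mandatory = $true)]
        [hashtable]$Settings
    )

    # Exact character set listed in the documentation note.
    $special = [char[]]'!@#$%^&*()_{}|:"<>?'
    $results = @()

    foreach ($name in $Settings.Keys) {
        $value = [string]$Settings[$name]
        $hits  = @()
        for ($i = 0; $i -lt $value.Length; $i++) {
            if ($special -contains $value[$i]) {
                $hits += ('{0} at position {1}' -f $value[$i], $i)
            }
        }
        $results += [pscustomobject]@{
            Setting = $name
            Value   = $value
            IsValid = ($hits.Count -eq 0)
            Problem = ($hits -join '; ')
        }
    }
    # Return one row per setting; callers can filter on IsValid.
    $results
}

# Constructed sample values, not taken from the page. Note that the underscore,
# a common choice in connection names, is on the unsupported list.
$sample = @{
    'ConnectionName' = 'CorpWifi'
    'ProxyServer'    = 'proxy:8080'
    'NetworkAlias'   = 'Corp_Wifi'
}
Test-MdmPolicyValues -Settings $sample | Format-Table -AutoSize
```

Rows with IsValid = False show the offending character and its offset so the value can be corrected in the GPO Editor before the policy is linked.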

After you add the ADM file, policies related to security, encryption, and device management appear in the navigation pane in Computer Configuration/Administrative Templates/Windows Mobile Settings. User-related settings are located in User Configuration/Administrative Templates/Windows Mobile Settings.

Note:
To obtain information about a managed device policy setting, locate the setting in the GPO Editor and then select it from the list in the details pane. The setting description is displayed with the setting in the details pane.

Network and Certificate Management Settings

The settings for more complex tasks, such as configuring new network connections, editing or deleting existing network connections, and managing certificate stores on the managed device, are provided through custom extensions to the GPO Editor. These settings are not defined in the Mobile.adm file. When you start the GPO Editor, they appear in the navigation pane in Computer Configuration/Windows Mobile Settings.

Note:
To avoid potential conflicts between settings, Microsoft recommends that you configure all the Internet/Work domain settings in a single GPO.