System Center Mobile Device Manager (MDM) consists of the following four main system components:
- One or more computers that are running MDM Gateway Server
- One or more computers that are running MDM Device Management
- One computer that is running MDM Enrollment Server
- Microsoft® SQL Server® 2005 databases
Except for Microsoft SQL Server 2005, these components require 64-bit editions of Windows Server® 2003 with Service Pack 2. You can run Microsoft SQL Server 2005 on a 32-bit platform. However, Microsoft SQL Server 2005 SP2 or a later version is required.
The following illustration shows a high-level overview of how these components work with existing IT infrastructure to provide an authenticated connection to LOB applications, managed Group Policy, and application packages.
The following list describes these components:
MDM Gateway Server: Typically, MDM Gateway Server is located in the perimeter network, also known as the DMZ or screened subnet. This server provides the ingress for managed device sessions and forwards network and device management communications between the company network and the device. MDM Gateway Server provides the endpoint for the device network connection, which includes the following:
- Authenticates incoming connections for authorized devices
- Allocates a stable IP address for the device to enable Direct Push updates and support application persistence
- Enables fast resume and reconnect features for devices and
- Negotiates keys to encrypt traffic over the Internet
MDM Device Management Server: MDM Device Management Server is the primary administration and management service for all managed devices. It is the functional hub for applying device Group Policy, deploying device software packages, and issuing device data wipes. This server communicates with existing infrastructure servers, such as domain controllers, and manages the translation of information and commands between the MDM system and managed devices. MDM Device Management Server may be deployed as multiple, identically configured, load-balanced servers.
MDM Enrollment Server: This server manages requesting and retrieving certificates for devices and creating the Active Directory Domain Services objects that represent those devices. By using these objects, you can manage the devices as if they were members of a domain. The process uses a one-time password to perform secure enrollment over untrusted connections, such as the Internet and mobile data networks. This role lets users enroll their devices from anywhere without connecting the devices to a computer or having physical access to the company network. For more information about device enrollment, see the section Enrollment with MDM.
MDM Enrollment Server makes sure that the device and the server authenticate each other before it accepts enrollment requests or issues enrollment certificates. MDM Enrollment Server uses Active Directory as its identity store.
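The one-time-password enrollment exchange described above, as an added illustrative sketch. This is not MDM's wire protocol or code: the names EnrollmentServer, Device, EnrollmentError and enroll are assumptions, the 8-hour OTP lifetime is an assumption, the issued "certificate" is a server-signed record standing in for the X.509 certificate a real certification authority would issue, and the directory is a dict standing in for the Active Directory Domain Services object. What the sketch does show is the part that matters over an untrusted link: the OTP itself never crosses the wire, each side proves knowledge of it with an HMAC over fresh nonces (mutual authentication), and the OTP is single-use and time-limited.

```python
"""Added example: OTP-based device enrollment over an untrusted link.
Illustrative only; names, lifetime, and the signed-JSON "certificate" are
assumptions standing in for MDM's CA-issued X.509 certificate and AD DS object.
"""
import hashlib
import hmac
import json
import secrets
import time

OTP_LIFETIME = 8 * 3600   # assumption: an issued OTP is valid for 8 hours


class EnrollmentError(Exception):
    pass


def otp_key(otp):
    """Derive a symmetric key from the OTP; the OTP itself is never transmitted."""
    return hashlib.sha256(b"enroll-otp:" + otp.encode()).digest()


def mac(key, *parts):
    return hmac.new(key, b"|".join(parts), hashlib.sha256).hexdigest()


class EnrollmentServer:
    def __init__(self, now=time.time):
        self.now = now
        self.signing_key = secrets.token_bytes(32)   # stands in for the CA signing key
        self.pending = {}      # user -> {"key": derived OTP key, "expires": ts, "nonces": (d, s)}
        self.directory = {}    # stands in for AD DS device objects

    def create_enrollment(self, user, lifetime=OTP_LIFETIME):
        """Admin step: mint an OTP for a user; it is handed over out of band."""
        otp = secrets.token_hex(8)
        self.pending[user] = {"key": otp_key(otp), "expires": self.now() + lifetime}
        return otp

    def challenge(self, user, device_nonce):
        """Server proves knowledge of the OTP to the device (its half of mutual auth)."""
        entry = self.pending.get(user)
        if entry is None or self.now() > entry["expires"]:
            self.pending.pop(user, None)
            raise EnrollmentError("no valid enrollment pending for user")
        server_nonce = secrets.token_bytes(16)
        entry["nonces"] = (device_nonce, server_nonce)
        return server_nonce, mac(entry["key"], b"server", device_nonce, server_nonce)

    def enroll(self, user, device_id, device_pubkey, device_proof):
        """Verify the device's proof, consume the OTP, create the object, issue a cert."""
        entry = self.pending.get(user)
        if entry is None or "nonces" not in entry:
            raise EnrollmentError("no challenge outstanding")
        if self.now() > entry["expires"]:
            del self.pending[user]
            raise EnrollmentError("OTP expired")
        device_nonce, server_nonce = entry["nonces"]
        expected = mac(entry["key"], b"device", device_nonce, server_nonce,
                       device_id.encode(), device_pubkey)
        del self.pending[user]   # single use: consumed on success and on a bad proof alike
        if not hmac.compare_digest(expected, device_proof):
            raise EnrollmentError("bad device proof")
        cert = {"subject": device_id, "user": user,
                "pubkey": device_pubkey.hex(), "issued": int(self.now())}
        cert["sig"] = mac(self.signing_key, json.dumps(cert, sort_keys=True).encode())
        self.directory[device_id] = {"user": user, "cert": cert}
        return cert


class Device:
    def __init__(self, device_id, otp):
        self.device_id = device_id
        self.key = otp_key(otp)
        self.pubkey = secrets.token_bytes(32)   # stands in for a freshly generated public key
        self.nonce = secrets.token_bytes(16)

    def verify_server(self, server_nonce, proof):
        if not hmac.compare_digest(mac(self.key, b"server", self.nonce, server_nonce), proof):
            raise EnrollmentError("server failed to prove knowledge of the OTP")

    def proof(self, server_nonce):
        return mac(self.key, b"device", self.nonce, server_nonce,
                   self.device_id.encode(), self.pubkey)


def enroll(server, user, device):
    """Full exchange: hello -> challenge -> device checks server -> proof -> certificate."""
    server_nonce, server_proof = server.challenge(user, device.nonce)
    device.verify_server(server_nonce, server_proof)
    return server.enroll(user, device.device_id, device.pubkey, device.proof(server_nonce))


def scenarios():
    """Happy path plus replay, wrong-OTP and expiry cases; returns outcomes for checking."""
    clock = [1_700_000_000.0]
    server, out = EnrollmentServer(now=lambda: clock[0]), {}
    otp = server.create_enrollment("alice")
    cert = enroll(server, "alice", Device("WM-0001", otp))
    out["issued"] = cert["subject"] == "WM-0001" and "WM-0001" in server.directory
    for name, user, dev_otp, skew in (("replay", "alice", otp, 0),
                                      ("wrong_otp", "bob", "guess", 0),
                                      ("expired", "carol", None, OTP_LIFETIME + 1)):
        if user != "alice":
            minted = server.create_enrollment(user)
            dev_otp = dev_otp or minted
        clock[0] += skew
        try:
            enroll(server, user, Device("WM-" + user, dev_otp))
            out[name + "_rejected"] = False
        except EnrollmentError:
            out[name + "_rejected"] = True
    return out


if __name__ == "__main__":
    print(scenarios())
```

The one design choice worth noting: the pending OTP is deleted before the device proof is checked, so a wrong guess burns it and the legitimate user must be issued a new one. That trades a small denial-of-service exposure for removing any brute-force window against the OTP; a deployment that prefers a bounded retry count would track attempts instead.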
Databases: The services on MDM Device Management Server and MDM Enrollment Server maintain databases to manage device configuration, tasks, and status settings. These SQL databases are pivotal to configuring and updating managed devices.
With MDM in place, protected network access is available from managed devices to your company LOB applications. Additionally, you can use Group Policy and software packages to manage the enrolled Windows Mobile devices.
To manage a Windows Mobile device from the MDM system, the device must be running Windows Mobile 6.1. This version of the operating system contains the application that is required to manage the device from the MDM system, and supports the standards that enable the device to establish an authenticated and encrypted communications channel to MDM Gateway Server.
MDM is based on several open industry standards for mobile devices. By using these standards, MDM extends a company infrastructure with features to manage devices by using familiar tools and capabilities.
MDM is based on the following standards:
- Open Mobile Alliance Device Management (OMA DM)
- IPsec and Internet Key Exchange Protocol Version 2 (IKEv2)
- IKEv2 Mobility and Multihoming (MOBIKE) protocol
- Software Component Management Object (SCOMO)
MDM components work with key IT services to give managed devices access to selected business data. The following list describes the primary IT services that work with MDM:
Active Directory Domain Services: The Windows-based directory service stores the credentials for virtual private network (VPN) and 802.1X-based connections and the Group Policy settings that configure the required settings on each managed device, for example configuring ActiveSync® settings or enabling a “password required” policy.
MDM software distribution: MDM software distribution uses Windows Server Update Services (WSUS) to distribute applications to managed devices. The administrator uses MDM software distribution to create, monitor, and push application packages to managed devices.
Certificate services: The MDM client and server security model requires X.509 certificates. MDM works directly with your existing public key infrastructure (PKI) for client and server certificate signing. If no PKI is in place, or if you want to maintain a separate certification authority for device authentication, you can add a Microsoft enterprise certification authority. The Windows Server® 2003 Enterprise Edition certification authority is the only fully supported issuing certification authority for MDM.
LOB application servers: Windows Mobile devices managed by MDM can gain more secure access to your company LOB application servers. This includes the following:
- Exchange servers: Outlook Mobile grants direct access to your company Exchange servers. This gives Windows Mobile devices access to calendar and e-mail services.
- Custom application servers: You can make any custom-built applications for your organization that provide Web services to mobile clients available to managed devices.
- For information about OMA DM, see this OMA Web site:
- For information about SCOMO, see the OMA specification for installing, uninstalling, launching, and terminating software on mobile devices at this OMA Web site:
IKEv2 and MOBIKE
- For the Internet Engineering Task Force (IETF) specification Mobile IPv6 Operation with IKEv2 and the Revised IPsec Architecture, see this IETF Web site: