This section provides an overview of the three primary System Center Mobile Device Manager (MDM) server configurations. This section also describes scale considerations and provides an explanation of administrative control in multidomain environments.
Primary MDM Server Topologies
The following illustration shows an overview of the three primary server configurations:
The following describes the primary implementation options for the MDM system:
Integrated configuration: For the minimal MDM configuration, install the components on two physical 64-bit servers: MDM Gateway Server on a stand-alone or workgroup server in the perimeter network, and MDM Enrollment Server, MDM Device Management Server, and Microsoft SQL Server® on a domain-joined server in the company network. Although the integrated option provides a simple implementation, it is not the most secure configuration, and because it is not scalable, it can restrict an organization that has many Windows Mobile devices to manage.
Distributed configuration: Deploy each MDM component (MDM Gateway Server, MDM Device Management Server, MDM Enrollment Server, and SQL Server) on a separate, dedicated physical 64-bit server. This configuration provides better scalability than the integrated configuration. However, it offers no redundancy, nor can you easily add more servers to scale out when the number of managed devices increases and you must add more
Scaled-out configuration (recommended): Configure MDM Gateway Server and MDM Device Management Server in load-balanced arrays. At first, an array might consist of only one server, but when the initial installation is set up as a scaled-out configuration, you can add more servers easily. We recommend that you have a dedicated computer that is running SQL Server to make software distribution on a larger scale easier. This is the recommended configuration for a production enterprise environment. The scaled-out configuration allows for the greatest scalability and the highest levels of availability for managed mobile devices.
To scale out the MDM Device Management Server or MDM Enrollment Server, you can deploy either hardware or software load balancers. Review the product technical documentation for features and limitations of load balancers. With either software or hardware balancers, affinity must be enabled in the load balancer configuration.
Capacity and Scale Considerations
As you consider your options to implement MDM, you should forecast your future requirements for managing Windows Mobile devices. For more information about hardware requirements for all MDM servers, see System Requirements for MDM Servers and Managed Devices in this document. The following shows the capacities achieved in laboratory installations under the indicated test scenarios.
Basic Server Capacities
- An MDM instance can support up to 30,000 devices.
- An MDM Device Management Server can support up to 10,000 devices.
- An MDM Gateway Server can support up to 5,000 devices.
- An MDM Enrollment Server can support up to 25 concurrent device enrollments.
On an MDM Gateway Server That Has 5,000 Managed Devices
You can manage up to 5,000 devices per MDM Gateway Server:
- 100 percent of the managed devices can have an active virtual private network (VPN) connection
- Up to 60 percent of the devices can have active network sessions through VPN
- Each MDM Gateway Server can support traffic volumes up to 100 megabits per second (Mb/s)
- There may be up to 16 servers running MDM Gateway Server in an MDM instance
On an MDM Device Management Server That Has 10,000 Managed Devices
You can manage up to 10,000 devices per MDM Device Management Server:
- Each managed device contacts MDM Device Management Server up to one time every eight hours
- Policy updates are made daily on all devices
- There may be up to six computers that are running MDM Device Management Server in an MDM instance
- Use a fast data network for best load reduction results
The total number of managed devices should not exceed the total capacity for an MDM installation. Therefore, even with more than three computers running MDM Device Management Server, the total capacity for the MDM installation remains at 30,000 devices.
On a single MDM Enrollment Server
One MDM Enrollment Server may support an entire MDM instance, because it actively supports devices only during the enrollment process.
- Up to 25 concurrent enrollments can be in progress
- You can have up to two computers that are running MDM Enrollment Server in an MDM instance
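The per-role and per-instance limits above interact: adding Device Management Servers beyond three does not raise the 30,000-device ceiling, and an array of one server has no redundancy. The following sizing helper is an added example (not part of the MDM documentation or product) that turns a forecast device count into server counts per role and flags the cases where the documented limits bind; the `growth` and `peak_enrollments` inputs are hypothetical planning parameters.

```python
from dataclasses import dataclass, field
from math import ceil

# Laboratory capacity figures quoted in the MDM documentation above.
INSTANCE_MAX_DEVICES = 30_000       # per MDM instance, regardless of server count
DM_SERVER_MAX_DEVICES = 10_000      # per MDM Device Management Server
GATEWAY_MAX_DEVICES = 5_000         # per MDM Gateway Server
ENROLLMENT_MAX_CONCURRENT = 25      # per MDM Enrollment Server
ENROLLMENT_SERVERS_MAX = 2          # per MDM instance


@dataclass
class Plan:
    target: int                     # device count the plan is sized for
    gateways: int
    dm_servers: int
    enrollment_servers: int
    headroom: int                   # devices that still fit before another server or the cap
    warnings: list = field(default_factory=list)


def plan_capacity(devices: int, growth: float = 1.0, peak_enrollments: int = 25) -> Plan:
    """Size one scaled-out MDM instance. `growth` scales today's device count
    (1.25 = plan for 25 percent more); `peak_enrollments` is the largest number
    of devices expected to enroll at the same time (hypothetical planning input)."""
    if devices <= 0:
        raise ValueError("device count must be positive")
    target = ceil(devices * growth)
    warnings = []
    gateways = ceil(target / GATEWAY_MAX_DEVICES)
    dm_servers = ceil(target / DM_SERVER_MAX_DEVICES)
    enrollment = ceil(peak_enrollments / ENROLLMENT_MAX_CONCURRENT)
    if enrollment > ENROLLMENT_SERVERS_MAX:
        warnings.append(f"{peak_enrollments} concurrent enrollments exceed "
                        f"{ENROLLMENT_SERVERS_MAX * ENROLLMENT_MAX_CONCURRENT}; stagger the rollout")
        enrollment = ENROLLMENT_SERVERS_MAX
    if target > INSTANCE_MAX_DEVICES:
        warnings.append(f"{target} devices exceed the {INSTANCE_MAX_DEVICES}-device cap "
                        "of a single MDM instance; adding servers does not raise it")
    if gateways == 1 or dm_servers == 1:
        warnings.append("an array with a single server has no redundancy")
    # Spare capacity is bounded by the smallest array and by the instance cap.
    capacity = min(gateways * GATEWAY_MAX_DEVICES,
                   dm_servers * DM_SERVER_MAX_DEVICES, INSTANCE_MAX_DEVICES)
    return Plan(target, gateways, dm_servers, enrollment, max(0, capacity - target), warnings)


if __name__ == "__main__":
    for p in (plan_capacity(12_000, growth=1.25), plan_capacity(40_000)):
        print(p)
```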
Server capacities will vary per installation and are highly dependent on the frequency of device monitoring sessions, software distribution, policy changes, and installed hardware. The following list provides a summary of the most common variables.
- Server hardware: processor speed, number of processors, cache, memory, disk I/O subsystem, or network
- SQL Server hardware: adherence to SQL Server scalability best practices, particularly around disk I/O and memory management
- Frequency of configured device polling
- Frequency, scope, and types of policy changes
- Frequency of sending and detection rules for software
- Inventory items which are collected and the frequency of these
- Number of managed device containers against which Group Policy settings are managed. The most MDM resource-intensive model is one in which all the devices are contained within a single root container and all Group Policy settings are applied to this root container.
- Number of distinct software distribution groups and scheduling of distribution to each of these groups. Multiple WSUS-targeted groups on independent schedules create less load than if you include all managed devices in a single targeted group.
- Device wireless network data speeds: faster network speeds lessen the burden on the MDM system.
MDM Administrative Control in Multidomain Environments
The MDM system is designed to operate as a single instance within one Active Directory® forest. An MDM instance is a collection of MDM servers that connect to a single set of MDM databases. All MDM servers and related components must reside within a single Active Directory domain and site that you can access throughout the forest. When MDM manages devices from multiple domains, there must be at least one domain controller from every domain within MDM.
A single MDM instance enables you to centrally manage Windows Mobile devices throughout the forest. You can delegate Group Policy settings and administratively control them based on the default Active Directory container, also known as the organizational unit (OU). However, other MDM tasks, such as wiping devices, blocking devices, enrolling devices, server management, and server configuration, cannot be managed by using OUs.
For example, say you have the following domains: domain1.contoso.com and domain2.contoso.com. If you install MDM servers onto domain1.contoso.com and there are MDM users in both domain1.contoso.com and domain2.contoso.com, MDM administrators will be able to issue wipe requests for managed devices in both domain1 and domain2. Additionally, server configuration resides centrally and administrators set it globally, so it affects managed devices in both domain1 and domain2.
By using MDM Administrator Tools, you can manage and administer the MDM system in the Active Directory forest. Grant permissions cautiously because a user assigned to the SCMDM2008DeviceAdministrators group and the SCMDM2008DeviceSupport group can wipe all devices in the forest that MDM manages.