This guide helps you address the decisions and activities that are critical to successfully implement Microsoft System Center Mobile Device Manager (MDM) 2008 with Microsoft Office Communications Server 2007. It is written for information technology (IT) specialists, generalists, consultants, partners, or anyone who seeks technical information to plan, deploy, and support the infrastructure required to integrate MDM with Microsoft Office Communications Server 2007.
The document includes information about the following:
- Common global Microsoft Office Communications Server 2007
- Prescriptive guidance on how to integrate an MDM deployment into each scenario for Office Communicator Mobile 2007.
- Name resolution.
- Network considerations.
- Common areas of interest, such as user authentication, software distribution, troubleshooting, monitoring, and reporting.
This document does not provide step-by-step examples of deploying or operating an MDM infrastructure. Supplemental material is referred to throughout the document, and the Supporting Documents for MDM section provides a list of supporting references that you may find helpful.
This document has the following sections:
- Microsoft Office Communicator Mobile 2007
- MDM and Office Communicator Mobile
- Deploying and Configuring Communicator Mobile with MDM
- Recommendations for Integrating MDM and Office Communications Server
- MDM Tools and Utilities
- Supporting Documents for MDM
Microsoft Office Communicator Mobile 2007 Features
Communicator Mobile 2007 is an enterprise messaging client for mobile devices that integrates IM (instant messaging), presence, and telephony. For a complete overview of Office Communicator Mobile 2007 features, see
MDM provides a means to deploy the Communicator Mobile client to Windows Mobile 6.1 devices, as well as establish a more secure communication channel between the mobile client and Office Communications Server 2007 infrastructure. In this document Office Communications Server 2007 components such as Front End Servers, Web Conferencing, SQL services, Telephony, and PBX services, will be referred to as an Enterprise Microsoft Office Communications Server 2007 Deployment.
MDM and Office Communicator Mobile Topologies
The scenarios discussed in this document focus on mobile MDM integration scenarios for Microsoft Office Communications Server 2007 with Microsoft Office Communicator Mobile 2007. Although the information is comprehensive, not every large enterprise Microsoft Office Communications Server 2007 scenario is discussed. The enterprise topologies considered for the document include centralized, decentralized, and decentralized topologies with branch offices. The following sections discuss each topology scenario.
Centralized Office Communicator Server Topology
In the centralized topology, the implementation of an enterprise consists of multiple domains where all Microsoft Office Communicator Server 2007 components are hosted at the central site. Users access Microsoft Communicator Mobile 2007 services across the LAN or WAN from local or regional company sites. The centralized topology is preferred by organizations that want to minimize the IT footprint and rely on relatively few groups in the organization to manage and monitor the web or portal environment. For more information on planning and deploying Microsoft Office Communicator Mobile 2007, see the “Microsoft Office Communicator Mobile (2007 Release): Planning and Deployment Guide” at this Microsoft Web
MDM establishes an Internet Protocol Security (IPsec) Virtual Private Network (VPN) tunnel on the Internet between a domain-joined Windows Mobile 6.1 device and the company perimeter network. After a mobile device is connected to the Mobile VPN, the MDM Gateway Server role provides an Internet Protocol (IP) address from a VPN IP address pool for mobile devices. This allows mobile users to connect to Office Communications Server 2007 servers that are hosted in the company network at the central site.
Network Routing Considerations
You should consider the network routing implications when deploying Communicator Mobile clients to mobile devices. The Communicator Mobile 2007 client can connect to the Office Communications Server 2007 Edge Servers in the perimeter network or, after establishing the VPN tunnel to the MDM Gateway Servers, can connect directly to the Office Communications Server 2007 pools in the company network. The Communicator Mobile client must be able to establish Session Initiation Protocol (SIP) communications to the Office Communications Server Roles.
The Communicator Mobile client uses Transport Layer Security (TLS) over TCP port 443 when directing network communications to the Office Communications Server Edge Servers.
The Communicator Mobile client can connect to the server using HTTPS/TLS or TCP. The preferred mode of connection is TLS, and it is required when the client connects to the server while using an external Wi-Fi or mobile wireless network. It uses TLS over TCP port 5061 when directing SIP communications directly to the Office Communications Server server pools on the company network.
To integrate MDM with a centralized Office Communications Server 2007 enterprise topology, you must configure IP routing between the MDM Gateway Servers and the Office Communications Server 2007 Edge Servers or Office Communications Server server pools to enable Communicator Mobile client access from the Internet to the internal company network. Managed Windows Mobile 6.1 devices will use the IPsec protocol between the mobile VPN client and the MDM Gateway Servers to enhance the security of the TLS session to the Edge Servers or server pools. You may need to open additional ports on the external and internal firewalls to support services such as file transfer and audio/visual services, if not already supported by the Office Communications Server Edge Servers. For more information on the full range of ports required by the various Office Communications Server 2007 server and client roles, see this Microsoft Web site:
|The Communicator Mobile client does not use SRV records to locate Office Communications Server Access Edge Servers.|
For external access to succeed, Communicator Mobile must use TLS transport. By default, it uses port 5061, but it can use other ports, such as port 443, for external access. You must configure Communicator Mobile clients to include the port information in the server address. The correct format is <fully qualified domain name address>:<port number>. For example, you should configure the client to use sip.contoso.com:443 as the external server address if the Access Edge Server in Office Communications Server 2007 is configured to use the default remote client access settings. For more information about this port configuration on the Edge Server, see “Microsoft Office Communications Server 2007 Edge Server Deployment Guide” at this Microsoft Web site:
For more information about Office Communications Server 2007 planning to determine if you need Office Communications Server Edge Servers, see this Microsoft Web site:
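To check the external address configuration described above before rolling the client out, the following PowerShell script (an added example; it is not from this guide or from Microsoft) parses an address in the <FQDN>:<port> form, defaults to port 5061 when no port is given, opens the TCP connection, completes a TLS handshake against that host name, and reports whether the server certificate matches the name and chains to a root the local machine trusts. The function names and the sip.contoso.com:443 target are assumptions taken from the guide's example; run it from a host that has the same Internet path as the mobile devices.

```powershell
# Added example, not part of the MDM or Office Communications Server documentation.
# Parses a Communicator Mobile server address (<FQDN>:<port>, default port 5061)
# and probes the Access Edge Server for a TLS handshake, certificate name match,
# and a trusted certificate chain. Function names and the target are assumptions.

function ConvertFrom-ComoServerAddress {
    param([Parameter(Mandatory)][string]$Address)
    $parts = $Address.Split(':')
    if ($parts.Count -gt 2 -or [string]::IsNullOrWhiteSpace($parts[0])) {
        throw "Expected <FQDN>:<port>, got '$Address'"
    }
    $port = 5061   # SIP over TLS default; an explicit ":443" style suffix overrides it
    if ($parts.Count -eq 2 -and
        (-not [int]::TryParse($parts[1], [ref]$port) -or $port -lt 1 -or $port -gt 65535)) {
        throw "Invalid port in '$Address'"
    }
    [pscustomobject]@{ HostName = $parts[0]; Port = $port }
}

function Test-CertificateNameMatch {
    # Best-effort DNS name check against the CN and the Subject Alternative Name extension.
    param($Cert, [string]$HostName)
    $names = @($Cert.GetNameInfo('DnsName', $false))
    $san = $Cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    foreach ($n in $names) {
        if ($n -eq $HostName) { return $true }
        # A wildcard covers exactly one label: *.contoso.com matches sip.contoso.com only.
        $dot = $HostName.IndexOf('.')
        if ($n.StartsWith('*.') -and $dot -gt 0 -and $HostName.Substring($dot) -eq $n.Substring(1)) {
            return $true
        }
    }
    return $false
}

function Test-ComoEdgeTls {
    param([Parameter(Mandatory)][string]$Address, [int]$TimeoutMs = 5000)
    $target = ConvertFrom-ComoServerAddress $Address
    $r = [ordered]@{ HostName = $target.HostName; Port = $target.Port; TcpOpen = $false
                     TlsHandshake = $false; Subject = $null; Issuer = $null; NotAfter = $null
                     NameMatches = $false; ChainValid = $false; Error = $null }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($target.HostName, $target.Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) {
            throw "TCP connect to $($target.HostName):$($target.Port) timed out"
        }
        $client.EndConnect($async)
        $r.TcpOpen = $true
        # Accept any certificate during the handshake so its details can be reported;
        # trust and name checks are then done explicitly below rather than skipped.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($target.HostName)
        $r.TlsHandshake = $true
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $r.Subject = $cert.Subject; $r.Issuer = $cert.Issuer; $r.NotAfter = $cert.NotAfter
        $r.NameMatches = Test-CertificateNameMatch -Cert $cert -HostName $target.HostName
        # Independent chain build against the local machine trust stores, with CRL checking.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = 'Online'
        $r.ChainValid = $chain.Build($cert)
        if (-not $r.ChainValid) {
            $r.Error = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
        }
        $ssl.Dispose()
    } catch {
        $r.Error = $_.Exception.Message
    } finally {
        $client.Close()
    }
    [pscustomobject]$r
}

# Usage: the guide's example external server address for the Access Edge Server.
Test-ComoEdgeTls -Address 'sip.contoso.com:443' | Format-List
```

A result with TcpOpen false points at firewall or routing between the MDM Gateway Server and the perimeter network; TlsHandshake true with ChainValid false means the device will also fail unless the issuing root is in its certificate store, which is the case the root certificate distribution step later in this guide covers.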
The following illustration shows a managed device with the Communicator Mobile client establishing a VPN tunnel to the MDM Gateway Servers, then communicating to the Office Communications Server 2007 Edge Servers in the perimeter network. A solid line shows this communication. The dashed line shows how managed devices communicate directly to the Office Communications Server 2007 Server pool after terminating the IPsec VPN connection at the MDM Gateway Servers.
Decentralized Office Communications Server Topology
The decentralized topology supports larger enterprises with multiple domains and multiple locations that have decentralized management of Microsoft Office Communications Server 2007. This topology differs from an MDM infrastructure designed for a centralized Microsoft Office Communications Server 2007 topology in that the design places emphasis on establishing the shortest, and ideally quickest, route to the Microsoft Office Communications Server 2007 server infrastructure. Under most scenarios, we recommend that you direct traffic to the nearest Microsoft Office Communications Server 2007 Edge Servers to let the default proxy mechanisms operate as designed. In the scenario where Microsoft Office Communications Server 2007 infrastructure is dispersed between geographic sites, you must provide a localized network route to the nearest well-connected company perimeter network.
The following illustration shows an example of a decentralized deployment of the Communicator Mobile client. The solid lines show the potential client communications to Office Communications Server Edge Servers. The dashed lines show the communications directly to the Office Communications Server server pools.
Network Routing Considerations
As in the centralized topology, you must consider network routing for mobile device IP traffic between the MDM Gateway Server and the Microsoft Office Communications Server 2007 Edge Server in the perimeter network, because SIP traffic from the mobile device to Microsoft Office Communications Server 2007 must traverse physical network boundaries and locations. Office Communications Server 2007 pools can span sites, or each site can have its own Office Communications Server 2007 pool. To allow Communicator Mobile clients to connect to the appropriate Office Communications Server 2007 pool as defined in Active Directory, you must understand the network routes that roaming requires.
|You must deploy Office Communications Server Access Edge Servers in a single site. In a decentralized MDM deployment, we recommend that you provide network connectivity directly to the Office Communications Server 2007 pools to minimize the number of jumps in the network route. If a managed device connects to an MDM Gateway Server in a secondary site, the Communicator Mobile traffic can traverse numerous network segments to route to the Office Communications Server 2007 Access Edge Servers in the central site’s perimeter network.|
Decentralized Office Communications Server 2007 with Branch Offices
The decentralized Office Communications Server 2007 deployment with branch offices is similar to the decentralized scenario but requires support for remote locations. The branch office scenario supports a small office or retail site that has fewer than 100 workstations and little or no server infrastructure. Typically, branch offices have no web server components or MDM server roles deployed locally. Therefore, the branch office scenario is similar to the centralized topology: mobile devices use the operator network to establish the shortest path to an MDM Gateway Server and route Communicator Mobile network traffic to the Office Communications Server 2007 server pool, or connect directly to the Microsoft Office Communications Server 2007 Edge Server in the perimeter network at the central site.
Deploying and Configuring Communicator Mobile with MDM
You can use MDM to deploy software to managed Windows Mobile 6.1 devices by using MDM Software Distribution and Windows Server Update Services 3.0 (WSUS). To deploy cabinet (.cab) files that contain Office Communicator Mobile settings to mobile devices, MDM Software Distribution targets groups in WSUS and Active Directory Group Policy. Additionally, MDM can deploy the required root certificates for Microsoft Office Communicator Mobile 2007.
For a comprehensive description of the software distribution process in MDM, see “Distributing Software to Managed Devices” in MDM Operations at this Microsoft Web site:
The following steps summarize the MDM client process for software distribution:
- The mobile device connects through MDM Gateway Server at its scheduled connection time.
- The device connects to the Device Management Service on MDM Device Management Server. Communication is established between the device and the Device Management Service by using an OMA DM
- MDM Device Management Server checks its database to obtain the OMA DM commands for the device.
- MDM Device Management Server offers the software packages applicable to the device.
- The device downloads and automatically installs the software.
- The device reports the result of the installation back to MDM Device Management Server.
The following sections provide high-level steps for preparing to deploy Microsoft Office Communicator Mobile 2007 to managed mobile devices by using MDM Software Distribution.
Configuring the Communicator Mobile Client
The Communicator Mobile client requires additional configuration to successfully connect to the Office Communications Server 2007 infrastructure and provide presence information on the mobile device. For information about how to use an .inf file to configure a Communicator Mobile client by using ActiveSync, see this Microsoft Web site:
When deploying the Communicator Mobile client with MDM Software Distribution, you may need to provide Communicator Mobile client registry settings. In this way, you can reduce the amount of manual configuration experienced by the users. Users may still need to manually configure their sign-in name, username (in the form of <domain>\<username>), and password, but you can configure the registry with other information before you distribute packages.
|Registry values may be overwritten during program installation. You can apply group policy to persist registry settings, but the registry values may be temporarily replaced with default values immediately after program installation. When group policy is refreshed, the values are replaced by those specified by group policy.|
The default policy calculation interval is 8 hours. However, you can change this value by using the Set-MobilePolicyServiceConfig cmdlet in the MDM Command Shell on the MDM Device Management Server. You can also force a policy refresh for an individual device by using the Update-MobilePolicyCalculation cmdlet from the MDM Device Management Server.
To configure the registry, you can change the following values in HKCU\Software\Microsoft\Communicator\System Settings on the device:
- Server: The server address to display in the External server name box in Communicator Mobile Options.
- ServerInternal: The server address to display in the Internal server name box in Communicator Mobile Options.
- RememberPassword: If set to 1, the Remember my password check box in Communicator Mobile Options is selected. If set to 0, the check box is cleared.
- If set to 1, certificate revocation list (CRL) checking is disabled for the Communicator Mobile client. If set to 0, CRL checking is enabled.
- If set to 1, the Automatically Sign in check box in Communicator Mobile Options is selected. If set to 0, the check box is cleared. This setting is applied only if RememberPassword is set to 1.
You should manage the registry values required by the Communicator Mobile client through Group Policy. To do this, you would create a custom Group Policy Administrative Template (.adm) to manage the Communicator Mobile specific registry settings. For more information, see “Writing Custom ADM Files for System Policy Editor” at this Microsoft Web site:
The following example is a custom .adm template that you can use to define registry settings. You can use this example to create a new Administrative Template for managing registry settings on mobile clients. For example, you can use this template to include a group of policies for defining the server names for the internal and external Office Communications Servers.
;======================================================================
; Custom Registry Administrative Template File
; _version="1.0"
;======================================================================
CLASS MACHINE
CATEGORY "Custom Registry Settings"
  CATEGORY "Communicator Mobile"
    POLICY "Communicator Mobile"
      EXPLAIN !!ExplainCoMo
      KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKCU\Software\Microsoft\Communicator\System Settings"
      PART "Server" EDITTEXT
        VALUENAME "Server"
      END PART
      PART "ServerInternal" EDITTEXT
        VALUENAME "ServerInternal"
      END PART
    END POLICY
  END CATEGORY
END CATEGORY

[STRINGS]
ExplainCoMo="Server is the public FQDN of the Office Communications Server services, for example sip.contoso.com. ServerInternal is the internal FQDN of the services."
For ExplainCoMo, the Server value indicates the public FQDN of the OCS services. The ServerInternal value indicates the internal FQDN of the services. For example, sip.contoso.com. For more information about configuring registry values for Communicator
You can use Group Policy to set these values, and then use the existence of these values as a dependency to install the Communicator Mobile client package. The dependency is defined during package creation. For more information, see “Creating a New Package” in MDM Operations at this Microsoft Web site:
|You can use third-party tools to modify .cab files to include the required registry settings and preconfigure portions of the Communicator Mobile client.|
Preparing the Environment for Software Distribution
- Configure Active Directory Group Policies to deploy the required root certificates to the Software Publisher Certificate (SPC) and Unprivileged Execution Trust Authorities stores on the
The SPC store governs .cab installation on a Windows Mobile device. The Unprivileged Execution Trust Authorities store is used by Windows Mobile security to control code execution. If an executable can be chained to a certificate in this store, it is considered signed and is assigned a trust level based on the device security policies. For more information about this process, see “Importing Certification Authority (CA) Certificates” in MDM Operations at this Microsoft Web site:
- Create a Personal Information Exchange (PFX) certificate and code signing template for signing the Microsoft Office Communicator Mobile 2007 .cab files. For more information, see “Creating the Personal Information Exchange (PFX) Certificate” in MDM Operations at this Microsoft Web site:
Note: It is advantageous to issue the code signing certificate from the same certificate chain that issues the MDM client certificates. That certificate chain is automatically deployed to the MDM mobile client Root Certificate store during device enrollment. You must still install the Root Certificate in the SPC and Unprivileged Execution Trust Authorities stores.
- Export the PFX file generated in the previous step, and then copy it to the Trusted Publishers and Enterprise Root certificate stores on the machine that you will use to sign the Microsoft Office Communicator Mobile 2007 .cab files.
- Download Microsoft Office Communicator Mobile from Microsoft Downloads, and then run the .msi to extract the .cab files for mobile clients. Microsoft Downloads is at this Microsoft Web site:
Note: There are two .cab files; one for Windows Mobile Professional (Communicator.PPC.cab) and one for Windows Mobile Standard (Communicator.SP.cab). You must package each .cab separately for the appropriate device.
- Using CabSignTool, sign the Microsoft Office Communicator Mobile 2007 .cab files. For more information, see “Scripted Signing of .Cab files using the CabSignTool Utility” in MDM Operations at this Microsoft Web site:
Note: The CabSignTool is available as a download at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkID=116086. It includes the three files required to successfully sign .cab files for distribution. The three files are: Cabsigntool.exe; CAPICOM.dll (version 188.8.131.52); and Signtool.exe.
- Install the code signing certificate to the Trusted Root Certification Authorities store and the Trusted Publishers store for the machine that will be used to sign .cab files. If you run the MDM Software Distribution Console on a separate computer, follow these steps on both the computer that has the console and the computer that has the WSUS server. For more information, see “Publishing .Cab Files” in MDM Operations at this Microsoft Web
Software Distribution Steps
- In the MDM Software Distribution Console, create a Software Distribution Device Group for targeting the Microsoft Office Communicator Mobile 2007 .cab files to mobile devices. To organize a set of mobile devices into a managed collection, you must create a device group into which you can add the mobile device accounts.
- Configure Software Distribution to either use client-side or
By default, MDM Software Distribution uses server-side targeting, meaning the MDM Software Distribution Console is used to manage device group membership. Client-side targeting uses either Group Policy or registry values on the mobile devices to associate devices with the groups defined in the console. To enable client-side targeting, change the Targeting Options on the Devices node in the console, and then configure client-side targeting with Group Policy. For more information, see MDM Operations at this Microsoft Web site:
- Use the Create Package Wizard to create a .cab package for deployment to mobile devices.
This tool lets an administrator create a software package, choose the devices that will receive the package, set specific dependencies, and control the installation. After a software package is created in the MDM Software Distribution Console, the package must be approved by IT administrators for deployment to managed devices. For more information about creating packages for MDM software distribution, see “Creating a New Package” in MDM Operations at this Microsoft Web site:
To determine whether the application installed on the mobile devices that had the software distribution policy applied, select Start, and then choose Programs. If the application installed successfully, the Microsoft Office Communicator Mobile 2007 application appears under Programs.
As with many applications designed to support Internet-based clients, you should make sure that there is end-to-end functionality from the company network, through the perimeter network, and ultimately to the mobile device client. Once installed and configured with the appropriate server addresses, credentials, and password, the Communicator Mobile client should sign in successfully. The presence of other users should then be visible and should change between online, away, busy, and so forth as they log in.
Communicator Mobile Deployment Troubleshooting
Two common errors may occur when creating packages for Communicator Mobile deployment:
- Verification of the file signature failed for the file <path to .cab file>. This error occurs during the initial steps of defining the package. It indicates that the code signing certificate is not found in the Trusted Publishers store of the host that is creating the package using the MDM Software Distribution Console. Make sure that the code signing certificate, with the private key, has been imported into the local machine’s Trusted Publisher container.
- The file for this package failed to download. Please check the file credentials and recreate package using the create package wizard. This error occurs during the final phase of package creation when certificate validation errors prohibit the package from being sent successfully to WSUS. Make sure that the code signing certificate, with private key, is imported to the local machine’s Trusted Publisher container on the host system where WSUS
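Both errors above come down to the signing certificate not being where the MDM Software Distribution Console and WSUS expect it. The following PowerShell check (an added example; it is not from this guide or from the MDM product) verifies each Communicator Mobile .cab's Authenticode signature with Get-AuthenticodeSignature, then confirms that the signer is in the local machine's Trusted Publishers store with its private key and that its chain ends at a root in the Trusted Root store. Run it on the console host and on the WSUS host. The function name and the C:\CoMo folder are assumptions; the .cab file names are the ones the guide lists.

```powershell
# Added example, not part of the MDM documentation. Verifies the Authenticode
# signature on each Communicator Mobile .cab and checks that the signing
# certificate is in the local machine's Trusted Publishers store with its
# private key, and that its chain terminates in the Trusted Root store.
# The function name and the folder path are assumptions.

function Test-CabSigning {
    param(
        [Parameter(Mandatory)][string[]]$CabPath,
        [string]$ExpectedThumbprint   # optional: thumbprint of the code signing certificate you issued
    )
    $trustedPublishers = Get-ChildItem Cert:\LocalMachine\TrustedPublisher
    $trustedRoots      = Get-ChildItem Cert:\LocalMachine\Root

    foreach ($path in $CabPath) {
        $sig    = Get-AuthenticodeSignature -FilePath $path
        $signer = $sig.SignerCertificate
        $info = [ordered]@{
            File                = Split-Path $path -Leaf
            SignatureStatus     = $sig.Status           # Valid, NotSigned, UnknownError, ...
            Signer              = $null
            Thumbprint          = $null
            InTrustedPublishers = $false
            PrivateKeyAvailable = $false
            RootInTrustedRoots  = $false
            ThumbprintMatches   = $null
            Ready               = $false
        }
        if ($signer) {
            $info.Signer     = $signer.Subject
            $info.Thumbprint = $signer.Thumbprint
            # The console needs the matching private key to sign the package it sends to WSUS.
            $stored = @($trustedPublishers | Where-Object { $_.Thumbprint -eq $signer.Thumbprint })
            $info.InTrustedPublishers = $stored.Count -gt 0
            $info.PrivateKeyAvailable = @($stored | Where-Object { $_.HasPrivateKey }).Count -gt 0
            # Walk the chain from the signer and compare its last element with the Trusted Root store.
            $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
            $chain.ChainPolicy.RevocationMode = 'NoCheck'
            $null = $chain.Build($signer)
            $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
            $info.RootInTrustedRoots = @($trustedRoots | Where-Object { $_.Thumbprint -eq $root.Thumbprint }).Count -gt 0
            if ($ExpectedThumbprint) { $info.ThumbprintMatches = ($signer.Thumbprint -eq $ExpectedThumbprint) }
            $info.Ready = ($sig.Status -eq 'Valid') -and $info.InTrustedPublishers -and
                          $info.PrivateKeyAvailable -and $info.RootInTrustedRoots
        }
        [pscustomobject]$info
    }
}

# Usage: both Communicator Mobile packages, extracted from the .msi to an assumed folder.
Test-CabSigning -CabPath 'C:\CoMo\Communicator.PPC.cab', 'C:\CoMo\Communicator.SP.cab' |
    Format-List
```

Ready is true only when all four conditions hold; a false InTrustedPublishers or PrivateKeyAvailable corresponds to the first error, and a false RootInTrustedRoots on the WSUS host corresponds to the second. The SPC and Unprivileged Execution Trust Authorities stores on the device are a separate requirement and are not checked here.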
You may need to determine which Group Policy settings have been applied to mobile devices. You can use the Group Policy Management Console to view the applied and denied GPO status and the effective settings for a user and device, or for a device alone for machine settings. To query a device for the GPO status and effective settings, use the Windows Mobile Group Policy Results container in the console.
Right-click the container to open a shortcut menu with an option to start the Windows Mobile Group Policy Results Wizard. The wizard steps you through selecting a device from Active Directory, or a user name and a device associated with that user. The result is a report with three tabs: Summary (Applied GPOs, Denied GPOs, and so on), Settings, and Policy Events.
You can use the Group Policy Modeling container in the Group Policy Management Console to start the Group Policy Modeling Wizard. This wizard simulates the effective application of Group Policies and their settings by targeting users and containers in Active Directory.
The Windows Mobile Group Policy Results query retrieves the policy settings that are currently applied to the specific device.
If software distribution fails to publish, the most likely cause is that the required certificates are not present in the certificate stores on the publishing machine and/or the MDM Device Management Server.
If software distribution fails to install software on the mobile device, the most likely cause is that the software distribution publishing certificates are not in the correct certificate stores on the device. The following list shows ways that you can resolve this issue:
- Run the PowerShell cmdlet Update-MobilePolicyCalculation –DEVICENAME on the MDM Device Management Server, where DEVICENAME is the name of the device that
- Before targeting software for installation, use the MDM ConnectNow tool to force an OMA-DM session with the MDM Device Management Server. This ensures that the software publishing certificates have been pushed to the device before MDM Software Distribution offers software to the device.
Overall, if software distribution fails for any reason, Mobile Device Manager retries the distribution after seven days by default. The seven-day count starts when the device notifies the MDM Device Management Server of the installation failure. You can change the default retry interval by running the MDM PowerShell cmdlet Set-SoftwareDistributionConfig –ReofferPeriodDays <days>, where a value of 0 reoffers the software package immediately at the next OMA-DM session.
|We recommend that you set the Set-SoftwareDistributionConfig –ReofferPeriodDays value to 0 only in test MDM environments.|
The following illustration shows the simple installation flow for new devices in MDM:
The following illustration shows the simple MDM software distribution package flow for software distribution failures.
The following illustration shows the different package reporting conditions in the MDM Software Distribution Console. This information helps you understand the meaning of software package status in MDM.
Troubleshooting Office Communicator Mobile 2007
You can download the Microsoft Office Communicator Mobile (2007 Release): Troubleshooting Guide from this Microsoft
Recommendations for Integrating MDM and Office Communications Server
MDM Co-existing with Legacy Devices Connecting to Office Communications Server 2007
If legacy mobile device support is already in place, it is likely that Office Communications Server Edge Servers are deployed in the perimeter network and the incoming communication traffic is already published. The Communicator Mobile client installed and configured on MDM-managed devices can use the existing perimeter servers. This eliminates the need to open additional network ports to provide a route to the Office Communications Server servers on the company network. Both legacy mobile devices and MDM-managed mobile devices can connect to the same Office Communications Server Edge Servers over TCP port 443. The Edge Servers direct traffic to the appropriate Office Communications Server server pools in the company network.
MDM Introduced to a New Office Communications Server Environment
If there is no pre-existing support for Internet-based Communicator Mobile clients prior to MDM deployment, you can direct incoming traffic directly to the Office Communications Server server pools in the company network. This requires that you establish the appropriate network ports and routes between the MDM Gateways and the Office Communications Server servers in the company network.
The following tools are described in the MDM Deployment Guide, which provides prescriptive deployment guidance. You can view MDM Deployment at this Microsoft Web site:
The ADConfig tool, ADConfig.exe, is a configuration tool that you must use to configure Active Directory for MDM. ADConfig lets you do the following:
- Create the Active Directory Universal Security Groups and
containers for MDM
- Add the service connection points (SCP) for MDM
- Create the Mobile Device Templates in the enterprise
For more information about ADConfig, see this Microsoft
MDM Administrator Tools
MDM Console is the core MDM management MMC snap-in tool that is included with MDM Shell. This console lets you perform the following:
- Start pre-enrollment requests
- Manage all Windows Mobile powered devices attached to the
- Configure the MDM system infrastructure
- Configure MDM Gateway Server
- Perform tasks, such as a device wipe
For more information, see “Overview of MDM Management
Console” in MDM Operations at this Microsoft Web site:
Group Policy Extensions
With the GPMC, you can push MDM Group Policies to Windows Mobile powered devices and enforce these policies. 64-bit software, except for the Windows Vista operating system, does not support GPMC. For more information, see “Configuring Managed Devices with Group Policy” in MDM Operations at this Microsoft Web
MDM Software Distribution Management Console
The MDM Software Distribution Console is a custom MDM WSUS console that provides software distribution capabilities and the ability to push software .cab files to a Windows Mobile powered device. For more information, see “Overview of MDM Software Distribution” in MDM Operations at this Microsoft Web site:
The MDM Shell offers over 40 cmdlets you can use to automate administrative tasks for MDM servers. For more information, see the section Supporting Documents for MDM in this document, and “MDM Shell Cmdlets” in MDM Operations at this Microsoft Web site:
The recommended way to monitor the health of the MDM infrastructure and services is to deploy System Center Operations Manager (SCOM) with the MDM 2008 management pack. For additional information about planning and deploying SCOM, see this Microsoft Web site:
The SCOM management pack for MDM 2008 is designed to monitor the health of the following server roles and activities:
- MDM Device Management Server Health
- MDM Enrollment Server Health
- VPN Gateway Server Health
- MDM Self Service Portal Health
After the SCOM agent is installed, registry values identify the MDM server roles present on each host, and the appropriate role-oriented rules are deployed to those MDM hosts automatically. The first release of the MDM management pack examines the Windows event logs to distinguish between healthy and unhealthy states and to report the results of key operations such as MDM setup.
The MDM management pack evaluates the health of the following Device Management Server services:
- Device Management Engine
- AD/GP Driver
- Wipe Driver
- Software Distribution Driver
- Alerter Service
- Gateway Central Management Service
- Admin Service Core
The MDM management pack evaluates the health of the following MDM Enrollment Server services:
- Enrollment System Service
- Enrollment Web Service
- Enrollment Administration Services
The MDM management pack evaluates the health of the following VPN Gateway Server services:
- MDM Mobile VPN Driver
- MDM Mobile VPN Policy Engine
- VPN Agent
- Timeout Detection
- Alerter Agent
The MDM Self Service Portal is monitored for the following areas relative to configuration and capacity:
- MDM Self Service Portal Web site configuration properly loaded
- Disk free space for MDM Self Service Portal log files
- Proper permissions applied to App_Data folder
- Corrupt MDM Self Service Portal log files
- MDM Self Service Portal log file size
|MDM Gateway Servers are deployed in workgroup mode. Therefore, communications between the MDM Gateway Servers in the perimeter network and the SCOM infrastructure require mutual authentication. For more information, see "About Gateway Server in Operations Manager 2007" at this Microsoft Web site:|
MDM Reporting Services provides a reporting and data access service across all feature areas of MDM. MDM Reporting Services is based on and integrated with SQL Server Reporting Services 2005 (SSRS).
You can download the MDM Reporting Services from this Microsoft Web site:
The Group Policy Settings Report describes MDM Group Policy information for groups of items, such as the number of managed devices to which a specific Group Policy has been applied. You can also list the success and failure rates of specific Group Policy settings performed on each managed device. This report rolls up Group Policy information based upon the following aspects:
- The number of devices affected by a specific Group Policy
- The success rate of Group Policy settings
- The percentage failure rate of Group Policy settings
For each line of the report, users can drill down through the report details to view the details of each device.
You can use the following parameters to filter the results of the report:
- Device Domain
- Device OU
- Device Name
To create custom reports, you can use the SQL Server Report Builder tool together with the report models provided with MDM Reporting Services. Report Builder has a report layout template that contains predefined data regions. You can select a predefined report model, which contains report items such as data fields; then drag-and-drop the report items onto the data regions in the template. You can apply filters to the report to refine the data to be displayed. The MDM report model contains all of the information required for Report Builder to automatically generate a query to retrieve the requested data.
You can find online documentation to assist with troubleshooting MDM at this Microsoft Web site:
This documentation provides the following to help you address troubleshooting issues:
- Overview of MDM Troubleshooting
- MDM Setup
- MDM Gateway Server Issues
- MDM Enrollment Issues
- MDM Device Management Issues
- MDM Software Distribution Issues
- MDM Group Policy Issues
In addition, the following logs and utilities are commonly used to troubleshoot MDM-related issues.
MDM populates Application, System, and Security events in the Event Log. Use Event Viewer to obtain information and details when a specific issue occurs.
The SCMDMsetup.log file contains information that is collected from MDM component .msi installation logs. However, it does not contain verbose installer data, and does not report return values for custom actions. You can get more comprehensive information, including return values, from the .msi logs for each MDM component installation.
Windows Installer version 3.1 .msi logs provide details about the installation of server roles and components in the DM.log, Enrollment.log, and AdminTools.log.
The Verbose Windows Installer Logging utility (WILogUtl.exe) produces a verbose log file that you can use to find the source of an error.
An MDM Event Viewer node is created when MDM system components are installed. It provides information on application and installation errors.
The VPNGateway.log file is created in the Temp directory during the MDM Gateway Server Setup process.
Windows Software Trace Preprocessor (WPP)
Creating logs by using MDM Shell cmdlets to enable WPP produces log files that you can analyze for debugging and troubleshooting issues.
Use the Services MMC snap-in to start, stop, and verify that certain services are running.
Use the MDM Console for device status information or package installations.
MDM Command Shell
Use MDM Shell to run cmdlets that retrieve data or set configurations.
Use ADSIEdit.msc to view and change Active Directory. This tool is a low-level editor for Active Directory that provides a graphical user interface (GUI). It is useful to add, delete, and move objects in a directory service.
Use the Report Viewer tool to collect data from Active Directory and the MDM databases. MDM Reporting Services uploads data to a reporting database for comprehensive and detailed reporting capabilities.
Use Logman.exe when Windows Event Logs are insufficient for troubleshooting a problem. You can start WPP tracing for the VPN server to obtain detailed trace logs.
MDM Tools and Utilities
The MDM 2008 Resource Kit provides server tools and client tools.
Microsoft System Center Mobile Device Manager 2008 Resource Kit - Server Tools
The MDM 2008 Resource Kit – Server Tools is available as a download at
MDM Bulk Pre-Enrollment Tool
This command-line tool enables administrators to pre-enroll groups of Windows Mobile devices in an organization with MDM. Bulk pre-enrollment can be simpler and more efficient than pre-enrolling a large number of devices individually. As part of pre-enrollment, the tool generates passwords that administrators can share with users so users can enroll their devices.
MDM Application Hash Code Tool
This tool allows administrators to create an XML file that includes an SHA-1/MD5 hash code file. An administrator can use the file together with a Group Policy Object (GPO) to allow or prevent an application from running on managed devices.
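As an added example (not the Resource Kit tool's own code, and not its XML format, which this page does not show), the following Python builds a hash-based allow or block list from application images and evaluates a candidate image against it; the XML element and attribute names and the sample application bytes are constructed for illustration.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample "application images" (stand-ins for real .exe bytes).
APPROVED_APP = b"MZ\x90\x00constructed-approved-line-of-business-app"
TAMPERED_APP = APPROVED_APP[:-1] + b"X"   # same app with one byte changed


def hash_application(data: bytes) -> dict:
    """Return the MD5 and SHA-1 digests (hex) of an application image."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha1": hashlib.sha1(data).hexdigest()}


def build_policy_xml(entries, mode: str = "allow") -> str:
    """Emit a hash list as XML. 'entries' is an iterable of (name, bytes).
    mode='allow' permits only listed apps; mode='block' denies listed apps.
    Element and attribute names are constructed for this example, not the
    Resource Kit tool's actual schema."""
    if mode not in ("allow", "block"):
        raise ValueError("mode must be 'allow' or 'block'")
    root = ET.Element("ApplicationHashPolicy", mode=mode)
    for name, data in entries:
        digests = hash_application(data)
        ET.SubElement(root, "Application", name=name,
                      md5=digests["md5"], sha1=digests["sha1"])
    return ET.tostring(root, encoding="unicode")


def is_permitted(policy_xml: str, data: bytes) -> bool:
    """Decide whether an application image may run under the policy.
    An entry matches only if BOTH digests agree, which is stricter than
    trusting either MD5 or SHA-1 alone. Unlisted apps are denied in allow
    mode and permitted in block mode."""
    root = ET.fromstring(policy_xml)
    digests = hash_application(data)
    listed = any(app.get("md5") == digests["md5"]
                 and app.get("sha1") == digests["sha1"]
                 for app in root.findall("Application"))
    return listed if root.get("mode") == "allow" else not listed


if __name__ == "__main__":
    allow_policy = build_policy_xml([("lob.exe", APPROVED_APP)], "allow")
    print(allow_policy)
    print("approved app permitted:", is_permitted(allow_policy, APPROVED_APP))
    print("tampered app permitted:", is_permitted(allow_policy, TAMPERED_APP))
```

Because the decision is a digest comparison, any change to the image, even a single byte, drops it out of an allow list, which is what makes hash-based policies precise but also means every legitimate update needs a fresh entry.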
MDM Cleanup Tool
This command-line tool enables administrators to completely uninstall MDM from servers. This tool is helpful when other removal options, such as the MDM uninstallation wizard and Add/Remove Programs, have not fully removed MDM components and settings.
MDM Device Enrollment Cleanup Tool
This PowerShell script–based tool helps administrators remove older or no-longer-needed managed devices from the MDM system. The tool removes entries for the devices that still exist in Active Directory and the MDM databases.
MDM Certificate Tool
This command-line tool helps administrators request certificates for MDM components. Administrators can also set Access Control Lists (ACLs) on certificates, place requested certificates in a specific folder, and invalidate Global Certification Manager (GCM) certificates.
Microsoft System Center Mobile Device Manager 2008 Resource Kit - Best Practices Analyzer
The MDM Resource Kit Best Practices Analyzer (BPA) helps you analyze the prerequisites for MDM setup and deployment. Because each MDM server component has different prerequisites, the tool helps you plan and build a successful deployment environment by assessing each server's readiness for MDM before you run MDM Setup.
In addition to analyzing the readiness of each server, the BPA tool helps you verify the firewall configuration that MDM requires between servers running MDM Device Management Server and servers running MDM Gateway Server. After you deploy MDM, you can run a post-deployment scan to help make sure your installation works properly and follows MDM best practices.
You can download the BPA tool at this Microsoft Web
Microsoft System Center Mobile Device Manager 2008 Resource Kit - Client Tools
You can download the MDM Resource Kit Client Tools at this Microsoft Web site:
MDM Connect Now Tool
This tool enables users of Windows Mobile 6.1 managed devices to download new software updates queued since the managed device last synchronized with MDM. The tool initiates a session between MDM Device Management Server and a managed device. Once the tool establishes a connection, new software updates are downloaded to the managed device.
VPN Diagnostics Tool
This tool helps users diagnose VPN issues between MDM and the devices it manages. The tool allows users to see the VPN configuration and status on the managed device and to diagnose any VPN-related problems. The tool also allows the user to collect logs from the device and send them to a diagnostics team for further analysis.
Supporting Documents for MDM
Getting Started with Mobile Device Manager – provides information to help you understand MDM and the available tools and resources. Getting Started with MDM can be viewed online at this Microsoft Web site:
MDM Architecture Guide – describes the standards-based solution for integrating mobile and handheld devices as trusted and fully managed members of the enterprise with minimal effect on existing infrastructure. The MDM Architecture Guide can be viewed online at this Microsoft Web site:
MDM Planning Guide – helps administrators design and plan a Microsoft System Center Mobile Device Manager 2008 deployment in an enterprise environment. It provides detailed information and recommendations to help you make accurate design decisions while planning your organization's deployment. The MDM Planning Guide can be viewed online at this Microsoft Web site:
MDM Deployment Guide – describes the steps to deploy the System Center Mobile Device Manager (MDM) system. The MDM Deployment Guide can be viewed online at this Microsoft Web site:
MDM Operations – provides information on how to manage MDM devices, distribute software to managed devices, manage MDM Servers, and configure MDM Services. MDM Operations can be viewed online at this Microsoft Web site:
Security and Protection for Mobile Device Manager – provides prescriptive guidance for configuring security-related features in MDM. It also provides guidance for reducing the attack surface of the MDM infrastructure and describes security features such as:
- Encrypted access to e-mail and line-of-business (LOB) applications from the Internet
- Certificate-based authentication for the virtual private network
- Device inventory and health inspection
- Application approval and blocking
- Remote device wipe to remove sensitive data from lost, stolen, or compromised devices
- Security policies to help protect devices
Follow the guidelines provided here to help protect company data and communications when you implement MDM in your organization.
Security and Protection for Mobile Device Manager is available for download and can be viewed online at this Microsoft