MDM Deployment Checklists
10/3/2008
The following checklists in this section help you make sure that pre-deployment requirements, installations, and configuration are complete before you follow the steps to deploy MDM by using the MDM deployment wizards.
Note
As you configure your environment to deploy MDM, use the MDM Deployment Worksheets to compile information about IP addresses, server names, port configurations, and so on.
To complete the pre-deployment tasks in the checklist, see System Requirements for MDM Servers and Managed Devices.
After you complete the pre-deployment tasks, complete the deployment and post-deployment tasks by following the instructions described in the MDM Deployment Guide.
Note
MDM Best Practices Analyzer PreReq Tool helps you analyze a group of servers to determine if prerequisites for deploying MDM are met. The tool also lets you analyze servers post-deployment to verify port settings, etc. To download MDM Best Practices Analyzer PreReq Tool, see MDM Client Tools at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=108953.
Requirement | Owner | Complete |
---|---|---|
Make sure that every server that is running MDM has the required hardware. Hardware requirements can vary, depending on how you set up your company MDM infrastructure. | MDM Server Administrator | [ ] |
Install the prerequisite software for each server that is running MDM Enrollment Server. | MDM Server Administrator | [ ] |
If you install WSUS on an MDM Enrollment Server, make sure that you install it on a separate Web site instead of the default Web site to avoid service conflicts between IIS and the MDM Enrollment Web services. | MDM Server Administrator | [ ] |
Install the prerequisite software for each server that is running MDM Gateway Server. | MDM Server Administrator | [ ] |
Install the prerequisite software for each server that is running MDM Device Management Server. | MDM Server Administrator | [ ] |
Install the prerequisite software before you install MDM Console. | MDM Server Administrator | [ ] |
Make sure that you can successfully connect through MDM Device Management Server to the server that is running Microsoft SQL Server®. | MDM Server Administrator | [ ] |
Configure IIS to enable x64-bit applications on all servers that are running MDM. See Install and Configure IIS for MDM. | MDM Server Administrator | [ ] |
Your firewall, ports, IP address, and FQDN configuration will depend on the MDM deployment topology that you select. For more information about the different topologies, see MDM System Topologies.
To view the correct port settings and for more information about how to configure and track settings for firewall and network configuration, see MDM Deployment Worksheets.
Requirement | Owner | Complete |
---|---|---|
Allocate the required number of IP addresses for MDM Gateway Server to support the maximum number of concurrent managed device connections. Make sure that each server that is running MDM Gateway Server has a discrete, nonoverlapping IP address pool and that the IP address pool subnet does not intersect with the internal subnet on MDM Gateway Server. | Network Administrator | [ ] |
Configure the network to route each IP address pool for Windows Mobile powered devices to the appropriate server that is running MDM Gateway Server. | Network Administrator | [ ] |
If it is necessary, configure the network components that perform network address translation (NAT) or proxy traffic to the Internet so that they translate or proxy traffic for the IP address pools of Windows Mobile powered devices. Because the address pool is private, managed devices can reach the Internet only if you use NAT for the address pool. | Network Administrator | [ ] |
Make sure that you open the required ports in the internal company firewall for Gateway Central Management (GCM) to reach each server that is running MDM Gateway Server. | Network Administrator | [ ] |
Make sure that you open the required ports in the external firewall for Windows Mobile devices to reach each server that is running MDM Enrollment Server or MDM Gateway Server. | Network Administrator | [ ] |
Make sure that you open the required ports in the internal company firewall so that Windows Mobile powered devices can access the servers running MDM Device Management Server (or the virtual IP address on the load balancer for the pool of servers running MDM Device Management Server) and any other enabled company resources. | Network Administrator | [ ] |
Define in your internal DNS server the internal FQDNs for each server that is running MDM Gateway Server. These FQDNs are not published externally. | MDM Server Administrator, Network Administrator | [ ] |
Configure the external DNS server that publishes the DNS entries for MDM Gateway Server. Publish the external interfaces (IP addresses) for each server that is running MDM Gateway Server in the public DNS and map each IP address to the external DNS name. | Network Administrator | [ ] |
Define in your internal DNS server the internal FQDN for MDM Enrollment Server or the MDM Enrollment Server load balancer. | MDM Server Administrator, Network Administrator | [ ] |
Define in your external DNS server the external FQDN for MDM Enrollment Server or the MDM Enrollment Server load balancer. | MDM Server Administrator, Network Administrator | [ ] |
Install and configure load balancing for MDM Device Management Server. See MDM System Topologies. | MDM Server Administrator, Network Administrator | [ ] |
Define in your internal DNS server the internal FQDNs for MDM Device Management Server or the MDM Device Management Server load balancer. | MDM Server Administrator, Network Administrator | [ ] |
Make sure that you can obtain certificates, and transfer certificate requests and certificates to and from MDM Gateway Server. | MDM Server Administrator, Network Administrator, Perimeter Network Administrator | [ ] |
Validate the internal and external IP addresses on each server that is running MDM Gateway Server. | MDM Server Administrator | [ ] |
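The DNS, firewall and SQL rows above are checks that can be scripted once the worksheet values are known. The following PowerShell script is an added example and is not part of the MDM documentation or the MDM product; it uses only .NET classes available to Windows PowerShell 2.0, and every host name, port number and SQL instance name in it is a placeholder that you replace with the values recorded in the MDM Deployment Worksheets (the page does not list the MDM port numbers, so 443 below is only a stand-in).

```powershell
# Added example, not part of the MDM documentation. Runs on Windows PowerShell 2.0
# or later using only .NET classes. Every host name, port and instance name
# below is a placeholder for the values in the MDM Deployment Worksheets.

function Test-MdmName {
    param([string]$Fqdn)
    # Resolve with the DNS servers this machine is configured to use; that is
    # what distinguishes an internal FQDN from an externally published one.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($Fqdn) |
            ForEach-Object { $_.IPAddressToString }
        New-Object PSObject -Property @{ Name = $Fqdn; Resolved = $true;  Detail = ($addrs -join ', ') }
    } catch {
        New-Object PSObject -Property @{ Name = $Fqdn; Resolved = $false; Detail = $_.Exception.Message }
    }
}

function Test-MdmPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # TCP connect with an explicit timeout: a firewall that silently drops
    # packets would otherwise make the check hang for the default timeout.
    $client = New-Object System.Net.Sockets.TcpClient
    $open = $false
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if ($ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) {
            $client.EndConnect($ar)   # throws if the connection was refused
            $open = $client.Connected
        }
    } catch { $open = $false } finally { $client.Close() }
    New-Object PSObject -Property @{ Target = "${ComputerName}:$Port"; Open = $open }
}

function Test-MdmSqlConnection {
    param([string]$Instance, [string]$Database = 'master')
    # Integrated security: run this from MDM Device Management Server, as the
    # account that MDM will use, so the check exercises the real path.
    $conn = New-Object System.Data.SqlClient.SqlConnection
    $conn.ConnectionString = "Server=$Instance;Database=$Database;Integrated Security=SSPI;Connect Timeout=5"
    try { $conn.Open(); $true }
    catch { Write-Warning $_.Exception.Message; $false }
    finally { $conn.Close() }
}

# --- Sample run with placeholder values ---------------------------------
$internalNames = 'enroll.corp.example', 'dm.corp.example', 'gw1.corp.example'
$externalNames = 'enroll.example.com', 'gw1.example.com'

"Internal FQDNs (run from inside the company network):"
$internalNames | ForEach-Object { Test-MdmName $_ } | Format-Table Name, Resolved, Detail -AutoSize

"External FQDNs (run from outside, or against the public DNS server):"
$externalNames | ForEach-Object { Test-MdmName $_ } | Format-Table Name, Resolved, Detail -AutoSize

# Port numbers come from the worksheet; 443 is only a placeholder here.
$portChecks = @(
    @{ ComputerName = 'enroll.example.com'; Port = 443 },
    @{ ComputerName = 'gw1.corp.example';   Port = 443 }
)
"Port reachability:"
$portChecks | ForEach-Object { Test-MdmPort -ComputerName $_.ComputerName -Port $_.Port } |
    Format-Table Target, Open -AutoSize

"SQL Server reachable with integrated security: " + (Test-MdmSqlConnection -Instance 'SQL01\MDM')
```

Run the external-name and external-port checks from a host outside the company network, since the point of those rows is what a device on the Internet can resolve and reach; run the internal checks and the SQL check from the servers that will actually make those connections, because a firewall rule or DNS view is only proven from the source it was written for.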
Requirement | Owner | Complete |
---|---|---|
Make sure that Active Directory® meets MDM system requirements. See System Requirements for MDM Servers and Managed Devices. | Active Directory Administrator | [ ] |
Make sure that Active Directory is in Windows Server 2003 forest functional mode. | Active Directory Administrator | [ ] |
Make sure that a certification authority server is available that meets MDM requirements. See System Requirements for MDM Servers and Managed Devices. | Certificate Administrator | [ ] |
Make sure that you have administrator credentials on the certification authority server. The certification authority server can be located in another domain as long as it is in the same Active Directory site and you have administrator credentials to the server. | Certificate Administrator, Enterprise Administrator | [ ] |
Make sure that a SQL database is available that meets MDM requirements. See System Requirements for MDM Servers and Managed Devices. | Database Administrator, MDM Server Administrator | [ ] |
Make sure that you have administrator credentials on the server that is running SQL Server for MDM. If you are using a SQL database instance, you must have administrator credentials on the SQL database instance. | Database Administrator, MDM Server Administrator | [ ] |
After you complete the pre-deployment configuration, use the following checklists to deploy and configure the servers.
Important
To complete the deployment and post-deployment tasks, you must follow the instructions in the MDM Deployment Guide.
Requirement | Owner | Complete |
---|---|---|
Configure the MDM Active Directory domain by running | Domain Administrator | [ ] |
Create the MDM certificate templates by running | Enterprise Administrator | [ ] |
Enable the MDM certificate templates by running | Certification Authority credentials, Enterprise Administrator credentials | [ ] |
Configure the MDM Group Policy security settings by running | Domain Administrator or Schema Administrator (depends on the options chosen) | [ ] |
Add administrator users to the SCMDM2008ServerAdministrators group. This enables MDM Server Administrators to install MDM components and to administer the installation for other users. | Domain Administrator | [ ] |
Create additional organizational units (OUs) for managed devices and delegate MDM Enrollment Server permissions to the OUs. (This step is optional.) | Domain Administrator | [ ] Optional |
Make sure that you grant the permissions on the domain certification authority that are needed to revoke a managed device enrollment. If you configured the certification authority manually, you must do this on the server that is running the certification authority. | Certification Authority Administrator | [ ] |
If you have Exchange Server 2007 with SP1 installed, run the Set-ActiveSyncMailboxPolicy cmdlet to enable managed devices to access the Exchange Client Access Server. | Exchange Administrator | [ ] |
Back up the IIS metabase for every server on which you are installing MDM. This includes MDM Device Management Server, MDM Enrollment Server, and MDM Gateway Server. For more information, see "Back Up and Restore the IIS Metabase (IIS 6.0)" at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkId=103605. | MDM Server Administrator | [ ] |
Set IIS to allow x64-bit applications to run on every server that is running MDM Device Management Server, MDM Enrollment Server, and MDM Gateway Server. For more information, see "Set IIS to Allow x64-bit Applications" in Install and Configure IIS for MDM. | MDM Server Administrator | [ ] |
Install MDM Enrollment Server. On the installation disc for MDM, on the Setup menu, select Install and then select Enrollment Server. Make sure that you specify the load balancer FQDNs if you are using a load balancer. Important: You must follow the steps in the MDM Deployment Guide to complete this task. This is required. | MDM Server Administrator; must be a member of the local Administrators group on the server | [ ] |
Install MDM Device Management Server. On the installation disc for MDM, on the Setup menu, select Install and then select Mobile Device Management Server. Make sure that you specify the load balancer FQDNs if you are using a load balancer. Important: You must follow the steps in the MDM Deployment Guide to complete this task. This is required. | MDM Server Administrator; must be a member of the local Administrators group on the server | [ ] |
Install Administrator Tools. On the installation disc for MDM, select Administrator Tools. You can install MDM Administrator Tools on any domain-joined server that meets MDM prerequisites. Important: You must follow the steps in the MDM Deployment Guide to complete this task. This is required. | Member of the local Administrators group on the server; MDM Server Administrator not required | [ ] |
Obtain the MDM Gateway Server certificate before you install MDM Gateway Server. See the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Make sure that the certificate chain and the root certificate for the certification authorities in your MDM system are securely transferred and imported into the appropriate store on the server that is running MDM Gateway Server. See the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Install MDM Gateway Server. On the installation disc for MDM, on the Setup menu, select Install and then select Gateway Server. Important: You must follow the steps in the MDM Deployment Guide to complete this task. This is required. | Member of the local Administrators group on the server; MDM Server Administrator recommended | [ ] |
Back up the IIS metabase for every server on which you want to install MDM. This includes MDM Device Management Server, MDM Enrollment Server, and MDM Gateway Server. For more information, see "Back Up and Restore the IIS Metabase (IIS 6.0)" at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkId=103605. | MDM Server Administrator | [ ] |
Requirement | Owner | Complete |
---|---|---|
Make sure that the certificate for the newly created Enrollment Administration Web site for MDM Enrollment Server is valid. Obtain certificates for the site if it is necessary. See the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Make sure that the certificate for the newly created Enrollment Web site for MDM Enrollment Server is valid. Obtain certificates for the site if it is necessary. See the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Make sure that the certificate for the newly created Device Management Web site for MDM Device Management Server is valid. Obtain certificates for the site if it is necessary. See the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Make sure that the certificate for the newly created Device Management Administration Web site for MDM Device Management Server is valid. Obtain certificates for the site if it is necessary. See the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Make sure that the certificate for the newly created Gateway Central Management (GCM) Web site for MDM Device Management Server is valid. Obtain certificates for the site if it is necessary. See the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Make sure that the certificate for the newly created Gateway Web site for MDM Gateway Server is valid. Use the IIS MMC to change the certificate, if it is necessary. | MDM Server Administrator | [ ] |
Make sure that the private key is associated with the certificate on the IIS instance of MDM Gateway Server. See Step 5e: Validating the Gateway Certificate in the MDM Deployment Guide. | MDM Server Administrator | [ ] |
Set up the enrollment configuration for the Gateway URI by running the Set-EnrollmentConfig cmdlet from Mobile Device Manager (MDM) Shell. This provides the public DNS entry of MDM Gateway Server to the managed devices. You must run this cmdlet from a server on which MDM Shell is installed. | MDM Server Administrator | [ ] |
From MDM Console, run the Add New Gateway Wizard for every server on which you want to install MDM Gateway Server. This creates an address pool to connect managed devices, configures DNS and WINS server settings, and enables remote MDM Gateway Server management. | MDM Server Administrator | [ ] |
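The certificate rows above all ask the same three questions of a site certificate: is it within its validity period, does it chain to a certification authority the server trusts, and does the server hold the matching private key. The following PowerShell script is an added example, not code from the MDM documentation or product; it inspects the computer's personal certificate store (Cert:\LocalMachine\My) on a server that hosts one of the MDM Web sites. The FQDNs in it are placeholders for the site names recorded in the MDM Deployment Worksheets, and the function name Get-MdmSiteCertificateStatus is the example's own.

```powershell
# Added example, not part of the MDM documentation. Run it on each server that
# hosts an MDM Web site (Enrollment, Device Management, GCM, Gateway). It reads
# the computer's personal certificate store; the FQDNs are placeholders for the
# site names you recorded in the MDM Deployment Worksheets.

function Get-MdmSiteCertificateStatus {
    param(
        [string]$ExpectedFqdn,     # the name devices or consoles connect to
        [switch]$CheckRevocation   # off by default: a perimeter host may not reach the CRL
    )
    $now = Get-Date
    foreach ($cert in (Get-ChildItem Cert:\LocalMachine\My)) {
        # DnsName returns the subject alternative name if present, else the CN.
        $dnsName = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::DnsName, $false)
        if ($dnsName -ne $ExpectedFqdn) { continue }

        # Build the chain against this machine's trusted roots, which is what
        # IIS will do; an empty ChainStatus means the chain is clean.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        if (-not $CheckRevocation) {
            $chain.ChainPolicy.RevocationMode =
                [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        }
        $chainOk = $chain.Build($cert)
        $status  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '

        New-Object PSObject -Property @{
            DnsName       = $dnsName
            Thumbprint    = $cert.Thumbprint
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            TimeValid     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
            ChainBuilds   = $chainOk
            ChainStatus   = $status
            HasPrivateKey = $cert.HasPrivateKey   # the "private key is associated" row
        }
    }
}

# --- Sample run with placeholder site names -----------------------------
$sites = 'enroll.corp.example', 'gateway.example.com'
foreach ($site in $sites) {
    $result = @(Get-MdmSiteCertificateStatus -ExpectedFqdn $site)
    if ($result.Count -eq 0) {
        Write-Warning "No certificate for $site in LocalMachine\My; obtain one before you bind the site."
        continue
    }
    $result | Format-List DnsName, Thumbprint, Issuer, NotAfter, TimeValid, ChainBuilds, ChainStatus, HasPrivateKey
}
```

A certificate that shows HasPrivateKey as False was typically imported from a .cer file without its key, which is exactly the failure the private-key row is meant to catch on MDM Gateway Server; ChainBuilds False with a status such as UntrustedRoot points back to the row that requires the chain and root certificates to be imported into the appropriate store first. The script checks the store, not the binding: confirm in the IIS MMC that the site is bound to the thumbprint reported here.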