Troubleshooting MDM Group Policy Issues

10/3/2008

This section lists common issues encountered with System Center Mobile Device Manager (MDM) Group Policy.

GPMC Not Supported on 64-bit Platforms

If you try to install MDM Group Policy extensions on a 64-bit platform, you will receive an error message that states that the operation is not possible. You must deploy the Group Policy extensions on a 32-bit platform that has the Group Policy Management Console (GPMC) already installed.

Install GPMC Before SCMDM Group Policy Extensions

You must first install GPMC before you install MDM Group Policy extensions.

Windows Vista SP1 Removes the GPMC

Windows Vista Service Pack 1 (SP1) automatically removes the GPMC, which means that the MDM Group Policy extensions stop working when users install Windows Vista SP1. To resolve this issue, install the Remote Server Administration Tools (RSAT) from the following Microsoft Web sites:

Force an Immediate Group Policy Update

After you configure a new policy, it can take one to eight hours to update the policy settings on MDM Device Management Server, after which a device can connect and obtain the policy. The minimum time for the update to MDM Device Management Server is one hour.

To avoid this delay, such as when you troubleshoot a policy, you can start an immediate policy update on MDM Device Management Server if you run the Update-MobilePolicyCalculation cmdlet in MDM Shell:

Update-MobilePolicyCalculation <device name>

This cmdlet retrieves the latest policy set from Active Directory for a given device, and caches it in the server for the next time that the device connects. After you update policy settings by using the Update-MobilePolicyCalculation cmdlet, you can also start a client connection by running the MDM Connect Now Tool. Install and run this application on the device to force an immediate synchronization with MDM Device Management Server. To download and install the MDM Connect Now Tool, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=108953.

Initial Policy Period to Download and Apply is Long

This issue is typically caused by problems with the proxy server policy. Check proxy server connectivity and the configured proxy settings.

Device Restarts Multiple Times After a VPN Session

Typically, the cause is applying policies that require a restart. The following policies require a device restart:

  • Turn off Wi-Fi
  • Turn off Bluetooth
  • Turn off infrared
  • Turn off camera
  • Enable Bluetooth profiles
  • Remove unmanaged SPC certificates
  • Remove unmanaged privileged certificates
  • Remove unmanaged ordinary certificates
  • Remove unmanaged root certificates
  • Remove unmanaged intermediate certificates
  • Turn off removable storage
  • Enable remote API access to ActiveSync
  • Block in-ROM applications
  • Enable specified unsigned applications to run as privileged
  • Enable specified unsigned applications to run as usual
  • Turn on device encryption

Device Receives Initial Policy and Becomes Unusable

This issue occurs if you configure the proxy server policy incorrectly. To resolve this issue, update the proxy policy with the correct settings, or wipe the device and then re-enroll the user.

Error 2147467259 When Synchronizing Policy

This behavior occurs if you use the company proxy server setting in the applied Group Policy and the proxy server does not allow HTTPS over port 8443. After successful enrollment and policy synchronization, all later policy synchronization requests fail with the error message Fail (-2147467259). In this case, the following symptoms may occur:

  • The new policy is not applied to the device
  • Remote wipe is not possible
  • Device management data is not updated

With the Corporate Proxy Server setting (under Mobile VPN Settings) applied, the device routes both internal and external (Internet) HTTP and HTTPS communications through the company proxy server: the device connects to the proxy over port 8080, and communication between the proxy and MDM Device Management Server occurs over port 8443. To enable this communication, the proxy server must allow port 8443 as a valid HTTPS port. By default, most firewalls are not configured to allow port 8443 for HTTPS.

To resolve this issue, do the following:

  • Make sure that the proxy can resolve the Domain Name System (DNS) name for MDM Device Management Server, and that this server can be accessed from the proxy
  • Configure the proxy server to tunnel HTTPS packets on port 8443. To allow tunneling port 8443 with ISA Server as the proxy, follow these steps:
    • Use the AddTPRange.vbs script as described in Managing Tunnel Port Ranges at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=113972
    • In Mobile VPN Settings, under Corporate Proxy Server policy, configure <ProxyIPaddress>:8080 in the policy setting
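The following script is an added example, not part of the MDM documentation, that checks the two conditions above from the proxy server: DNS resolution and TCP reachability of MDM Device Management Server on port 8443, and whether the proxy accepts an HTTPS CONNECT to port 8443 the way a device would request it. The server name and proxy address are placeholders to be replaced with your own values.

```powershell
# Added example, not part of the MDM documentation: run it on the proxy server to
# check the conditions above. The server name and proxy address are placeholders.
$MdmServer = 'mdm-dms.corp.example.com'  # placeholder: MDM Device Management Server FQDN
$ProxyHost = '127.0.0.1'                 # placeholder: the proxy itself, when run locally
$ProxyPort = 8080                        # device-to-proxy port configured in the policy
$MdmPort   = 8443                        # proxy-to-MDM HTTPS port that must be tunnelled

function Test-TcpPort([string]$ComputerName, [int]$Port) {
    # Plain TCP connect with a 5 second timeout (works without Test-NetConnection)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne(5000, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch { return $false } finally { $client.Close() }
}

# 1. DNS: can the proxy resolve the MDM Device Management Server name?
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($MdmServer) | ForEach-Object { $_.IPAddressToString }
    "DNS OK:   $MdmServer -> $($addrs -join ', ')"
} catch {
    "DNS FAIL: cannot resolve $MdmServer ($($_.Exception.Message))"
}

# 2. Reachability: can the proxy itself open TCP 8443 to the MDM server?
if (Test-TcpPort $MdmServer $MdmPort) { "TCP OK:   ${MdmServer}:${MdmPort} reachable from the proxy" }
else { "TCP FAIL: ${MdmServer}:${MdmPort} not reachable from the proxy (firewall or routing)" }

# 3. Tunnelling: does the proxy accept an HTTPS CONNECT to port 8443, as a device would send it?
#    A proxy not configured to tunnel 8443 usually answers 403 or 502, or drops the connection.
$client = New-Object System.Net.Sockets.TcpClient($ProxyHost, $ProxyPort)
try {
    $stream = $client.GetStream()
    $stream.ReadTimeout = 5000
    $request = "CONNECT ${MdmServer}:${MdmPort} HTTP/1.1`r`nHost: ${MdmServer}:${MdmPort}`r`n`r`n"
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
    $stream.Write($bytes, 0, $bytes.Length)
    $buffer = New-Object byte[] 4096
    $read = $stream.Read($buffer, 0, $buffer.Length)
    $statusLine = ([System.Text.Encoding]::ASCII.GetString($buffer, 0, $read) -split "`r`n")[0]
    if ($statusLine -match '^HTTP/1\.[01] 200') { "CONNECT OK:   proxy tunnels port $MdmPort ($statusLine)" }
    else { "CONNECT FAIL: proxy refused a tunnel to port $MdmPort ('$statusLine')" }
} catch {
    "CONNECT FAIL: proxy dropped the connection ($($_.Exception.Message))"
} finally { $client.Close() }
```

If step 2 passes but step 3 fails, the proxy itself is the blocking point and the tunnel port range (for example via AddTPRange.vbs on ISA Server) is the setting to revisit.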

Policies do not Apply to Devices in an Organizational Unit

One possible cause for this issue is if MDM Device Management Server cannot access the Group Policy object (GPO) because of security hardening. See the Applying Group Policies to Devices Through Security Filtering topic in MDM Help.

If you did not run the ADConfig /GPSecurity command during installation, and if you removed Authenticated Users from the Security Filtering list for the GPO, you must add the SCMDM2008DeviceManagementServers security group to the list. This additional group makes sure that instances of MDM Device Management Server will have the necessary permissions to access the GPO.
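As an added example that is not part of the MDM documentation, the following script checks whether the SCMDM2008DeviceManagementServers group is present in a GPO's security filtering and grants it Read/Apply if it is missing. It assumes the GroupPolicy PowerShell module (shipped with the GPMC in Windows Server 2008 R2 and RSAT) is available, and the GPO name is a placeholder.

```powershell
# Added example, not from the MDM documentation. Assumes the GroupPolicy module is
# installed with the GPMC; the GPO name below is a placeholder for your MDM device GPO.
Import-Module GroupPolicy

$GpoName        = 'MDM Device Policy'                 # placeholder GPO name
$MdmServerGroup = 'SCMDM2008DeviceManagementServers'  # group named in the text above

# List every trustee that currently has Read/Apply on the GPO. Once Authenticated Users
# has been removed from Security Filtering, MDM Device Management Server can only read
# the GPO through a group that still appears here.
$perms = Get-GPPermission -Name $GpoName -All
"Trustees with Read/Apply on '$GpoName':"
$perms | Where-Object { $_.Permission -eq 'GpoApply' } |
    ForEach-Object { "  $($_.Trustee.Name)" }

# Trustee.Name is the account name without the domain prefix.
$entry = $perms | Where-Object {
    $_.Trustee.Name -eq $MdmServerGroup -and $_.Permission -eq 'GpoApply'
}

if ($entry) {
    "$MdmServerGroup already has Read/Apply on '$GpoName'; no change made."
} else {
    "Granting Read/Apply on '$GpoName' to $MdmServerGroup ..."
    # GpoApply grants both Read and Apply Group Policy, which is what Security Filtering adds.
    Set-GPPermission -Name $GpoName -TargetName $MdmServerGroup `
        -TargetType Group -PermissionLevel GpoApply | Out-Null
    "Done. Run Update-MobilePolicyCalculation for an affected device to recalculate its policy."
}
```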

Policy is Repeatedly Sent to Device

If a policy is sent to a device and the device does not support the specified setting, the policy will not be cached and will be sent to the device repeatedly. For example, if you send the Allowed Bluetooth Profiles policy to a device that does not have Bluetooth, the device will respond with a 405 'Not Supported' error. The MDM Device Management Server will assume that the setting has not been configured correctly on the device and will attempt to resend the policy.

This can be prevented by targeting only those devices that support the setting. You do this by using filtering tools such as security groups, Organizational Unit (OU) location, or WMI filters.

Policies do not Apply When Special Characters are Used

Enabling a policy that contains special characters might result in the policy not being applied. Do not use special characters in the policy. Special characters include the following: !@#$%^&*()_{}|:"<>?.