Configure MDM Self Service Portal

2/9/2009

You can configure the actions that you let users perform on managed Windows Mobile devices by using System Center Mobile Device Manager Self Service Portal. You can use the Portal Administration page on MDM Self Service Portal to configure some settings. You can configure other settings by using the MDM Self Service Portal configuration file.

MDM Self Service Portal Pages

By default, you can access the MDM Self Service Portal at: https://servername:port, where servername and port are the FQDN and port number you provide when you install the Portal. The following describes the pages on the MDM Self Service Portal Web site.

Page Description

My Devices

This page lets users manage their Windows Mobile devices. Based on system administrator settings, users can monitor device enrollment status and wipe managed devices that they no longer want or that are no longer in their possession.

Choices that you make on the Portal Administration page determine the contents of this site.

The URL for this page is: https://servername:port/pages/devicelist.aspx

New Enrollment

This page lets users enroll their Windows Mobile devices and manage them on the My Devices page.

The URL for this page is: https://servername:port/pages/startenrollment.aspx

Portal Administration

This page lets you, or another MDM administrator, customize what users can do by using the portal.

The URL for this page is: https://servername:port/pages/adminconfig.aspx

The following shows the My Devices page.

[Figure: My Devices page]

The following shows the Portal Administration page where you can configure the portal.

[Figure: Portal Administration page]

Configuring the Settings for MDM Self Service Portal

You can use the Portal Administration page to configure portal settings for the following:

  • Let users request device enrollment from MDM Enrollment Server.
  • Let users wipe devices that they no longer want or that are no longer in their possession.
  • Let users request a recovery password so they can reset their Windows Mobile device password.

To configure MDM Self Service Portal for users

  • On the Portal Administration page, make the changes that you want, and then choose Apply.

    Note

    You can cancel a change that you made before you apply it to the Web site. To do this, choose Cancel.

The following tables describe the settings you can configure on the portal. The settings are grouped as they appear on the Portal Administration page.

Note

You can change these settings or configure additional settings in the MDM Self Service Portal configuration file. For more information about the configuration file, see Appendix A: MDM Self Service Portal Configuration File.

Available Portal Features

Setting Description

Device Enrollment

Allows users to create a new enrollment request that goes to MDM Enrollment Server or cancel existing enrollment requests. This is the default setting.

If you do not select the Device Enrollment option, the user can view pending enrollments on the My Devices page and receive enrollment details. However, the user cannot enroll a new device or cancel a pending enrollment. This means that users can view what you do on their behalf through the MDM Console, but they cannot change device status.

You can also change this setting by changing the enableSelfEnrollment value in the configuration file.

Device Wipe

Allows users to wipe a device. This is the default setting.

When you clear the Device Wipe option, the user can still view recently wiped devices but cannot wipe a device or cancel a pending wipe. You can wipe a device on behalf of the user by using the MDM Console.

You can also change this setting by changing the enableWipe value in the configuration file.

Device Recovery Password

Enables users who have forgotten their Windows Mobile device passwords to retrieve a recovery password, stored on MDM Device Management Server, to reset the password. Password reset must be enabled in MDM by the MDM administrator. In addition, in order for users to retrieve the recovery password, the password reset option must be available on the device.

Note

MDM Password Reset Client, which is part of the MDM Resource Kit Tools, provides a .cab file that you install on Windows Mobile devices so that users can use the password reset feature in MDM. More information about installing the .cab file is included in the guide that is packaged with the tool download. To download the tool, see MDM Password Reset Client at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=127030.

Enrollment Settings

Setting Description

Default OU

Identifies the default Active Directory container, also known as the organizational unit (OU), for devices that you enroll through this Web site. MDM Self Service Portal discovers this information when you run Setup. You can change this information to specify another OU.

You can also change this setting by changing the defaultOU value in the configuration file.

Enrollment Request Limit

Identifies the maximum number of devices that can be pending enrollment for each user at the same time. The default value, specified in the Limited to: box, is 100. Selecting Unlimited means that a maximum number of devices is not enforced and unlimited devices can be pending enrollment at the same time.

You can also change this setting by changing the pendingEnrollmentLimit value in the configuration file. Setting the value to zero (0) represents Unlimited.

Password Delivery Method

Indicates how to send the password to the user. You can send a password through an e-mail message, display it on the MDM Self Service Portal, or use neither method. By default, MDM Self Service Portal selects both the e-mail message and the Web site delivery methods.

Important

The user needs an enrollment password to complete the enrollment process. If you disable both e-mail message and Web site delivery, you must use another method to communicate the password to the user, for example in person or by voice-mail.

  • If you select E-mail as the password delivery method, MDM Enrollment Server sends the user an e-mail message that contains the enrollment password. MDM Enrollment Server sends the enrollment password to the e-mail account listed in Active Directory for that user. If you do not select the E-mail option, MDM Enrollment Server does not send an e-mail message to the user.
  • If you select Portal as the password delivery method, the Pending Enrollment Details page displays the enrollment password to the user. If you do not select the Portal option, the Pending Enrollment Details page does not display the enrollment password.

You can also change this setting by changing the enableEmailDelivery and enableWebsiteDelivery values in the configuration file.

Device Name Validator

Defines the rules for valid device names that users can specify when they enroll devices in MDM. The rule can be any .NET Framework regular expression. Additionally, MDM Self Service Portal accepts two tokens, user name and domain name, which represent the portal user’s account name and domain name, respectively. The rule that you specify is displayed on the New Enrollment tab, after the bullet item "has to follow this rule:". For more information, see the section later in this topic, Creating a Custom Device Name Validation Rule.

Logging Settings

Setting Description

Enable User Activity Logging

Indicates whether to log user activities. When you select Enable User Activity Logging, you can monitor user activity through log files. Activity logging records user activity on the site. This includes the cmdlets that run. This is the default setting.

If you do not select this setting, MDM Self Service Portal does not log user activity.

Enable Trace Logging

Indicates whether to log tracing activity. This lets you monitor code execution details for later reference. When you select Enable Trace Logging, you can monitor tracing through log files. This is the default setting.

The following shows examples of tracing information that is logged:

  • Errors and exceptions
  • Expected and unexpected events
  • Points of execution, to support instrumentation

If you do not select Enable Trace Logging, MDM Self Service Portal does not log trace messages. 

You can configure logging settings, including the maximum size of the log files, by using the configuration file. For more information, see the Logging section in Appendix A: MDM Self Service Portal Configuration File.

Logging settings control the types of events that are recorded in the XML-based log that MDM Self Service Portal creates. The log file is called SelfServiceLog.txt, and it is located in the App_Data folder of the MDM Self Service Portal root installation folder. By default, the installation folder for MDM Self Service Portal is C:\Program Files\Microsoft System Center Mobile Device Manager\SelfService. Logging settings do not control the types of events that are recorded in the Windows Event Log or Performance Log.

Additional Settings

In addition to the user interface, MDM Self Service Portal installs several other settings. Typically, you do not have to change these settings.

Setting Description

Web site name

SelfServicePortal is the default.

Application pool name

SelfServicePortalAppPool is the default.

Application name

SlfSrvWebSiteApp is the default.

Virtual directory name

SelfServicePortal is the default.

IIS settings

Use IIS Manager to configure IIS settings.

ASP.NET settings

Use the ASP.NET Administration tool to change the ASP.NET settings for MDM Self Service Portal. For more information about how to configure .NET Framework applications, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=105959.

Creating a Custom Device Name Validation Rule

MDM Self Service Portal lets you define rules for the device names that users can specify when they enroll devices in MDM. The device name rule can be any .NET Framework regular expression. In addition, MDM Self Service Portal accepts two tokens, user name and domain name, which represent the portal user’s account name and domain name, respectively.

The custom rule that you specify for users is displayed on the New Enrollment tab, after the bullet item "has to follow this rule:". Because regular expression rules can be confusing to users, you can create a custom explanation of the rule to display to users instead of displaying the regular expression itself. For more information about creating a custom explanation, see the last section in this topic, Display a Custom Explanation for a Device Name Rule.

Define a Custom Rule for Device Names

To define a custom rule for device names, you create an entry for the rule in the resource files of MDM Self Service Portal. The default language resource file is Resource.resx and is located in the App_GlobalResources folder of the MDM Self Service Portal root installation folder. By default, the installation folder is C:\Program Files\Microsoft System Center Mobile Device Manager\SelfService.

Note

Each language and culture supported by MDM Self Service Portal has a separate resource file. You can add a localized version of the description for the rule to any of these files by changing the contents of the <value> element to suit the language and culture of the resource file. If you do not edit a resource file, MDM Self Service Portal uses the description included in Resource.resx.

In the resource file, add a new <data> element as the child of the <root> element with an attribute named name whose value is StartEnrollmentPageDeviceNameShortHelpAdminRuleSpecified. We recommend that you include the xml:space="preserve" attribute because the other <data> elements include this attribute.

You can also add a <value> element as a child of the <data> element. The <value> element contains the description of the rule, as described in the next section, Display a Custom Explanation for a Device Name Rule.

Display a Custom Explanation for a Device Name Rule

A custom explanation for a device name rule can make it easier for users to enter valid device names. If you do not create an explanation for the rule, the regular expression is displayed on the MDM Self Service Portal page.

For example, following the steps described earlier, you could create the following rule for device names: <user>[0-9][0-9]. After you set this validation rule for device names, a user could enter a device name such as joe01, joe02, and so on. For example, Marco Santos, with the account name contoso\marcos, could enter a device name such as marcos01.
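The following added example (not part of the product or its documentation) shows one way to try out a device name rule against candidate names before you apply it. It assumes that the <user> token is replaced by the account name and that a name is valid only when the whole name matches the rule; the function name Test-DeviceNameRule and the sample accounts are hypothetical.

```powershell
# Added example, not product code. Assumptions: the <user> token is replaced by
# the account name, and a device name is valid only if the whole name matches.
function Test-DeviceNameRule {
    param(
        [Parameter(Mandatory = $true)][string]$Rule,
        [Parameter(Mandatory = $true)][string]$AccountName,
        [Parameter(Mandatory = $true)][string]$DeviceName
    )
    # Escape the account name so '.' and similar characters match literally.
    $expanded = $Rule.Replace('<user>', [regex]::Escape($AccountName))
    # Anchor both ends; an unanchored rule would also match 'xmarcos01-spare'.
    $pattern = '\A(?:' + $expanded + ')\z'
    # A match timeout keeps a badly written rule from stalling the check.
    $options = [System.Text.RegularExpressions.RegexOptions]::CultureInvariant
    $timeout = [timespan]::FromSeconds(1)
    $regex = New-Object System.Text.RegularExpressions.Regex -ArgumentList $pattern, $options, $timeout
    return $regex.IsMatch($DeviceName)
}

# Constructed sample input: the rule from this topic and candidate device names.
$rule = '<user>[0-9][0-9]'
$samples = @(
    @{ Account = 'marcos';   Device = 'marcos01' },        # account name + two digits
    @{ Account = 'marcos';   Device = 'marcos1' },         # only one digit
    @{ Account = 'marcos';   Device = 'marcos011' },       # three digits
    @{ Account = 'marcos';   Device = 'xmarcos01-spare' }, # extra leading/trailing text
    @{ Account = 'marcos';   Device = 'joe01' },           # another user's name
    @{ Account = 'm.santos'; Device = 'm.santos01' },      # '.' matched literally
    @{ Account = 'm.santos'; Device = 'mxsantos01' }       # would match if '.' were unescaped
)

foreach ($s in $samples) {
    New-Object psobject -Property @{
        Account = $s.Account
        Device  = $s.Device
        Valid   = Test-DeviceNameRule -Rule $rule -AccountName $s.Account -DeviceName $s.Device
    } | Select-Object Account, Device, Valid
}
```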

If you do not customize the resource file for MDM Self Service Portal, the portal displays the following for the device name rule on the New Enrollment page under the Naming requirements heading:

has to follow this rule: "<name>[0-9][0-9]".

You could instead describe the rule more clearly on the portal by providing a description, such as the following:

"Provide your account name, followed by a two-digit number. Spaces or other characters are not permitted."

To display a custom description instead of the regular expression rule, you add the following lines, for example, to the Resource.resx file, under the opening <root> tag:

  <data name="StartEnrollmentPageDeviceNameShortHelpAdminRuleSpecified" xml:space="preserve">
    <value>Provide your account name, followed by a two-digit number. Spaces or other characters are not permitted.</value>
  </data>

After you update the Resource.resx file with the description, save the file. To see the new description, open MDM Self Service Portal, and then navigate to the New Enrollment page.
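The resource file change described above can also be scripted. The following is an added example, not a tool that ships with MDM; it assumes the default installation folder named in this topic and must run with rights to write to that folder.

```powershell
# Added example, not product code. The path is the default installation folder
# from this topic; adjust it if the portal was installed elsewhere.
$resx = 'C:\Program Files\Microsoft System Center Mobile Device Manager\SelfService\App_GlobalResources\Resource.resx'
$name = 'StartEnrollmentPageDeviceNameShortHelpAdminRuleSpecified'
$text = 'Provide your account name, followed by a two-digit number. Spaces or other characters are not permitted.'

# Keep a copy of the original file so the change can be rolled back.
Copy-Item -LiteralPath $resx -Destination "$resx.bak" -Force

$doc = New-Object System.Xml.XmlDocument
$doc.Load($resx)
$root = $doc.DocumentElement

# Reuse the <data> entry if it already exists, so reruns do not add duplicates.
$data = $root.SelectSingleNode("data[@name='$name']")
if ($null -eq $data) {
    $data = $doc.CreateElement('data')
    $data.SetAttribute('name', $name)
    # xml:space="preserve", as on the other <data> elements in the file.
    $space = $doc.CreateAttribute('xml', 'space', 'http://www.w3.org/XML/1998/namespace')
    $space.Value = 'preserve'
    [void]$data.SetAttributeNode($space)
    [void]$root.AppendChild($data)
}

$value = $data.SelectSingleNode('value')
if ($null -eq $value) {
    $value = $doc.CreateElement('value')
    [void]$data.AppendChild($value)
}

# InnerText XML-escapes the description, so characters such as '<' or '&'
# in the text cannot break the resource file.
$value.InnerText = $text
$doc.Save($resx)
```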

Optionally, you can also change the device name validation setting by modifying the contents of the deviceNameRegEx element in the configuration file.