Validating Communications within an MDM Instance

2/9/2009

In Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1, an instance specifies a separate, independent installation of MDM 2008 SP1. MDM 2008 SP1 can support multiple instances in a single domain and multiple instances in a single forest. MDM 2008 SP1 uses certificate template object identifiers and Active Directory User Security Groups (USGs) to help make sure that communications between MDM 2008 SP1 components within a single instance do not interact with components in another MDM 2008 SP1 instance.

This topic describes the methods MDM 2008 SP1 uses to validate the communication within a single instance, and lists the steps you take as part of the MDM 2008 SP1 deployment process to set up the validation process.

Methods MDM Uses to Validate Communication within an Instance

MDM 2008 SP1 uses the following two methods to validate that communication takes place within a single MDM 2008 SP1 instance:

• Universal Security Groups (USGs) in Active Directory
• Certificate template object identifiers (also known as OIDs) stamped on MDM certificates

For MDM 2008 SP1 components that are on servers that are required to be domain-joined for MDM 2008 SP1, MDM 2008 SP1 uses USGs to validate that components are part of the same instance. MDM 2008 SP1 USGs include the MDM 2008 SP1 instance name so that MDM 2008 SP1 can make sure that components on domain-joined servers communicate with each other within a single instance.

If a domain-joined MDM 2008 SP1 component in one instance attempts to communicate with a domain-joined MDM 2008 SP1 component in another instance, the calling component is not a member of the USG that is authorized for communication by the component in the other instance. Therefore, MDM 2008 SP1 denies the communication.

Examples of communications that use USGs to validate the MDM instance are the following:

• MDM Administrator Tools to MDM 2008 SP1 servers
• Managed devices to MDM Device Management Server
• MDM Enrollment Server to MDM Device Management Server

Some MDM 2008 SP1 components cannot access Active Directory to determine if they are a member of the USG that is authorized for communication within an instance. In this scenario, MDM 2008 SP1 uses object identifiers together with an XML-based object identifier list to validate that the communication takes place within a single instance.

Communications that use object identifiers to validate the MDM instance are the following:

• Mobile Device Manager Gateway Central Management to MDM Gateway Server
• MDM Gateway Server to MDM GCM
• Managed devices to MDM Gateway Server

The following illustration shows how MDM 2008 SP1 components validate communication within a single instance.

MDM components can only communicate with MDM components in the same instance. For example:

• MDM Gateway Server in one instance does not accept network traffic from managed devices enrolled in another instance.
• MDM GCM does not communicate with MDM Gateway Server in another instance.
• MDM Gateway Server does not communicate with MDM GCM in another instance.
• MDM Device Management Server does not communicate with managed devices in a different instance.

When you run the Active Directory Configuration Tool (ADConfig), you create a service connection point (SCP) for the MDM 2008 SP1 instance. The SCP includes MDM 2008 SP1 certificate templates that define the certificate template object identifiers unique to the MDM 2008 SP1 instance. These object identifiers are stamped onto all certificates produced by each template. An example of a certificate template object identifier is the following:

1.3.6.1.4.1.311.21.8.16439976.14234590.4625808.14464817.6316223.183.703628407.1092272531

ADConfig creates the following certificate templates and stores the corresponding certificate template object identifiers in the instance SCP:

• General MDM 2008 SP1 Web Server Template, SCMDMWebServer (<InstanceName>)
• Mobile Devices Template, SCMDMMobileDevice (<InstanceName>)
• MDM 2008 SP1 Gateway Central Management Template, SCMDMGCM (<InstanceName>)

ADConfig also enables certificate templates on the specified enterprise certification authority. The certification authority can then issue the certificate templates when they are requested by MDM components.

Establishing the Validation Process for an MDM Instance

You establish the process for validating an MDM 2008 SP1 instance as part of MDM 2008 SP1 deployment. This overview provides a summary list of the steps you take to configure MDM 2008 SP1 so that components validate that communication is within a single instance. For step-by-step procedures for deploying MDM, including the steps outlined here, see the MDM 2008 SP1 Deployment Guide.

The steps you take are highlighted by number in the following illustration and then explained by number in the list that follows the illustration.

You first run ADConfig to create USGs, organizational units (OUs), and the service connection point (SCP) for the MDM 2008 SP1 instance, and to create and enable the certificate templates.

The following shows the next steps. The numbers correspond with those in the illustration.

1. Run MDM 2008 SP1 Setup to install MDM Enrollment Server, MDM Device Management Server, and MDM Administrator Tools.
2. Generate and install the MDM Gateway Server certificates on each computer that is running MDM Gateway Server.
3. Run a Windows PowerShell script that creates the MDMGatewayConfig.xml file, and then install the file on each computer that is running MDM Gateway Server.
4. Enroll a Windows Mobile device in an MDM 2008 SP1 instance. When a device enrolls, it receives a certificate from MDM Enrollment Server with the correct object identifier for the instance.
5. An enrolled device contacts MDM Gateway Server. The connection attempt is successful if the device has a device certificate that includes the object identifier for the MDM 2008 SP1 instance for this MDM Gateway Server.