System Center Configuration Manager (SCCM) manages assets on the internal network with Inventory, Software Distribution, and Reporting capabilities. These assets include laptops, desktops, Windows Embedded CE devices, and other computing devices.

MDM offers external mobile devices security-enhanced VPN access to applications and services on the internal network, and requires no additional client installation. MDM also pushes control policies and software application packages targeted to mobile devices and collects inventory from devices over VPN.

MDM Setup restarts IIS without notification. This could affect Web sites within your organization. Installing MDM Device Management Server on an existing Windows Server Update Services (WSUS) server causes some MDM objects to appear in the WSUS console.

Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 does not support installation of MDM server roles on Windows Server 2008. Installation of MDM server roles is supported on Windows Server 2003 only.

However, MDM 2008 SP1 supports Windows Server 2003 and Windows Server 2008 Active Directory domain and functional levels. MDM 2008 SP1 supports installation in Active Directory domains at the following domain and forest functional levels:

For more information about supported software versions, see System Requirements for MDM Servers and Managed Devices.

Yes, though MDM has no dependency on any line-of-business (LOB) applications, including Microsoft Exchange Server. MDM is a mobile device management solution that provides security-enhanced network access to any LOB application.

No, the MDM platform does not require a proxy from any specific vendor.

You do not need a load balancer because gateway load balancing does not rely on network load balancing services (NLBS) technology. NLBS does not work properly with MDM, which uses a Domain Name System (DNS) scheme for load balancing the servers running MDM Gateway Server.

Typically, you issue static IP addresses to several servers running MDM Gateway Server, which are then bound to a single fully qualified domain name (FQDN). For example, gateway.contoso.com is bound to IP addresses 74.92.226.130 and 74.92.226.131, which are the IP addresses of servers Gateway1 and Gateway2.

Configure each server running MDM Gateway Server with a pool of virtual IP addresses, which the devices use in the Mobile VPN sessions.

The managed device gets the two IP addresses from DNS and connects to one at random. If the connection fails, the device tries the next IP address and gets the next server.

If the managed device has a previously-issued IP address from the pool and contacts the server running MDM Gateway Server with that IP address pool, then the device continues to use that IP address. If the device connects to a different server running MDM Gateway Server, then it receives a new virtual IP address.

Yes, except for MDM Gateway Server. For information on configuring the MDM servers, see the MDM Planning Guide.

MDM requires a standard load balancer, with the ability to enable Affinity. MDM requires no specific characteristics beyond a standard load balancer.

Yes, you may have more than one MDM Device Management Server per domain forest in a load-balanced topology. This topology supports scale-out and redundancy. However, MDM supports up to 100 instances per domain forest. Administrative rights are not delegated per MDM Device Management Server, but by MDM instance, as all MDM Device Management Server computers share a single SQL Server infrastructure.

Yes, but this configuration may have performance impact considerations, depending on the number of devices supported and how software distribution is managed.

No, while MDM does make changes in Active Directory, it does not make changes to the schema.

Yes, devices can exist in multiple groups of multiple organizational units (OUs). MDM supports up to 100 instances per domain forest. When you create a custom OU, you must run the Set-EnrollmentPermissions cmdlet in MDM Shell to delegate the appropriate permissions to the Enrollment server to access the new OU. You do not need to run this cmdlet for the default OU.

If you replaced the MDM Gateway Server computer certificate or certification authority, and imported the new certificate to the Gateway Web site, then you must uninstall and re-install the MDM Gateway Server component.

No, MDM requires two network adapters: one for communicating with external client devices, and one for communicating with internal servers. MDM does not support binding internal and external IP addresses to a single network adapter.

Yes, if you want tighter security than SSL access, you can use the MDM Mobile VPN connection to transport SSL-encrypted messages within an IPsec tunnel. MDM supports DirectPush in this VPN to Exchange ActiveSync scenario.

The device generates the certificate request and passes the request to the enrollment server, which impersonates the device account just long enough to submit the certificate request to the certification authority. The enrollment server does not have permissions to the device-specific certificates and templates on the certification authority, only the device account has permissions. The private key never leaves the device.

You can perform bulk enrollments using MDM Shell. Users can also provision their own Windows Mobile devices by using MDM Self Service Portal. However, MDM Self Service Portal only provisions devices into a single organizational unit (OU) that you designate as the MDM administrator. For information about MDM Self Service Portal, see the Deployment Guide for MDM Self Service Portal. To download MDM Bulk Pre-enrollment Tool, see MDM Server Tools in the MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.

MDM has no administrative tools for unenrolling a device. You should submit a wipe request for the device to remove all of the appropriate objects, such as the objects in Active Directory and SQL Server. Wiping also adds the device to the Blocked Devices list. The enrollment record remains in the database so that MDM can block the device. When re-enrolling a device, you should specify a new device name. To download MDM Enrollment Cleanup Tool, see MDM Server Tools in the MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.

By default, MDM uses localhost@EnrollmentServer.com to send the e-mail message containing the one-time enrollment password. To specify an SMTP server for sending these messages, run the following command in MDM Shell:

set-EnrollmentConfig -SmtpServer smtp.yourdomain.com 

You can modify the other parameters similarly by running the following commands:

set-EnrollmentConfig  -SmtpServer
set-EnrollmentConfig  -EmailSubject
set-EnrollmentConfig  -EmailBodyTemplate
set-EnrollmentConfig  -EmailSender

On the device, select Settings, select Connections, and then select Domain Enroll. The Device Status field indicates if the device is enrolled or not.

Yes, if allowed by MDM Group Policy. To disable the Mobile VPN connection, on the device, select Settings, select Connections, select Mobile VPN, and then select Disable. You can also enable or disable the Mobile VPN connection using the MDM VPN Diagnostics Tool. For information about this tool, see MDM Server Tools in the MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.

The device is not protected because without the Mobile VPN connection, it connects to a public Internet connection. Therefore, it is exposed to all of the threats on the Internet.

Device wipes will not function because MDM sends the wipe notification through the alerting mechanism provided by MDM Gateway Server. If you disable the Mobile VPN connection, MDM Gateway Server cannot address the device.

If your company only has MDM enrolled devices and Microsoft Exchange Server ActiveSync is not exposed to the Internet, then devices cannot connect to Microsoft Exchange Server ActiveSync if you disable the Mobile VPN connection.

No. MDM client devices and device emulators cannot establish Mobile VPN connections using Windows Mobile Device Center/ActiveSync Desktop Pass-Through connections.

The following table summarizes how network traffic is routed when you connect the device to a desktop computer.

Use MDM Cleanup Tool to clean up any remnant device objects. For information about MDM Cleanup Tool, see MDM Server Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.

Yes, MDM has the Configure device management when roaming Group Policy with the following options:

• Allow device management
  
• Check frequency multiplier
  
• Allow software downloads and Windows Update
  

No, MDM uses Windows Server Update Services (WSUS) instead of Windows Update.

Yes. Before you distribute installation packages, you must approve the packages for specific managed devices, or groups of managed devices. You can also approve a package for removal, which uninstalls the package from the device. The software distribution component can remove and un-install software that was installed through MDM, or some other means such as Active Sync or external storage media. If you install software using other means, then you must publish the packages in MDM, and make sure that the inventory on the device is aware of the software.

When a device enrolls with MDM, it no longer has Exchange Server policies applied to it. Exchange Server 2007 SP1 includes a new cmdlet that allows administrators to block or allow specific devices to be managed by MDM.

MDM uses VPN to connect devices to MDM Gateway Server. After the VPN connection is active, the device can connect to internal resources that are available from MDM Gateway Server. For example, if MDM Gateway Server is in the perimeter network, then the internal resources need publishing to this perimeter network. The port from the perimeter network to the internal network depends on the particular application.

In MDM console, right-click the device, and then select Wipe Now. You can also run the New-WipeRequest cmdlet in MDM Shell.

MDM sends the request to the device over the Mobile VPN connection. The device then connects to MDM Device Management Server and retrieves its wipe request task.

No. If you want to wipe a managed device, do not block it.

Yes, but only after the managed device is successfully wiped or un-enrolled.

All wipes are immediate in the sense that MDM sends an alert. If the device is offline, then MDM cannot issue the wipe request until the device establishes a Mobile VPN connection and receives the alert, or when it connects at a regularly-scheduled time and receives the wipe request.

Yes. If the session fails, the managed device reconnects to complete that session when it is powered up. It retries until the session successfully completes.

Yes, the default communication port for SQL Server is port 1433, and MDM does not modify this port configuration.

No, you cannot change MDM database names.

No, but you should deploy SQL Server for MDM on a dedicated computer unless you have relatively few devices. You might encounter memory consumption issues if you install MDM Device Management Server and SQL Server on the same computer.

Browse to the following URL: https://<servername>:port/pages/devicelist. To get the SSL port number, check the Web service for the portal in IIS.

Not for Microsoft System Center Mobile Device Manager (MDM) 2008. This version only manages devices deployed with Windows Mobile versions 6.1 and later.

No, Internet Connection Sharing does not function when a device establishes a Mobile VPN connection with MDM.

You need Microsoft .NET Framework 2.0 to run the Microsoft Device Emulator on Windows XP SP2.

For Windows Mobile 6 Standard, select Settings, and then select About. For Windows Mobile 6 Professional, select Settings, select System, select About, and then select the Version tab.

From the Home screen, select Settings, select System, select About, and then select the Device ID tab.

In Windows Mobile 6 Professional, first check to see if you have network connectivity by starting Internet Explorer and browsing to a public Web site. If so, skip the steps below. If you cannot browse to any Web sites, then follow these steps:

• From the Home screen, select Start, and then select Settings.
  
• On the Connections tab, select the Connections application.
  
• In the My ISP section, configure the Mobile Operator (MO) data connectivity settings. If you see a Manage existing connections option under My ISP, select it. Otherwise, skip the next two points.
  
• Select and hold each item in the list, and then select Delete.
  
• Select OK to return to the main Connections window.
  
• Under My ISP, select Add a new modem connection.
  
• Select and enter your Mobile Operator data connection information.
  

In Windows Mobile 6 Standard, first check to see if you have network connectivity by starting Internet Explorer and browsing to a public Web site. If so, skip the steps below. If you cannot browse to any Web sites, then follow these steps:

• From the Home screen, select Start, select Settings, select Connections, and then select GPRS.
  
• To remove any and all existing connections, select each connection, select Menu, and then select Delete.
  
• Select Menu, and then select Add.
  
• Select and enter your Mobile Operator data connection information.
  

To view the certificates installed in the personal, Intermediate, and Root stores, select Settings, select System, and then select the Certificates application. When a device enrolls, MDM installs a computer certificate on the device. You cannot see this certificate using the Certificates application, but you can see this certificate using the VPN Diagnostics Tool in diagnosis mode. Select Certificates, and then select Validate certificate chain.

You can also query all of the certificates installed on a device by using the CertificateStore configuration service provider. For information about this configuration service provider, see CertificateStore at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=115659.

For an example on how to query the certificate store, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=115660.

To view device certificates using external methods:

• In MDM Console, select Managed Devices, select the device, and then select the Certificates tab.
  

Note:
After you deploy certificates to a device using group policy, it may take one policy refresh cycle (up to 8 hours) for the certificate to appear in MDM Console.

• Use the Security Configuration Manager Powertoy for Windows Mobile, which is a remote configuration tool that runs on a host computer. For information about this tool, please visit the following Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=132126.