MDM Administrative Control in Multidomain Environments

2/9/2009

The System Center Mobile Device Manager system can operate as a single instance within one Active Directory forest, or as multiple instances in a forest. An MDM instance is a collection of MDM servers that connect to a single set of MDM databases. A Windows Mobile device that is managed by MDM can belong to only one MDM instance. However, a managed device can be part of a different Active Directory domain than the MDM instance that manages it. All MDM servers within an instance and related components — except for managed devices — must reside within a single Active Directory domain and site that is reachable from throughout the forest. When an instance of MDM manages devices from multiple domains, there must be at least one domain controller in every domain whose mobile devices the MDM instance will manage.

A single MDM instance enables you to centrally manage Windows Mobile devices throughout the forest. You can delegate Group Policy settings and administratively control them based on the default Active Directory container, also known as the organizational unit (OU). However, other MDM tasks — such as wiping devices, blocking devices, enrolling devices, server management, and server configuration — cannot be managed by using OUs. Instead, these tasks span the MDM instance. This means that if you have permissions to perform a wipe in the MDM instance, then you can perform wipes for all managed devices in the instance.

For example, your company might have two domains, domain1.contoso.com and domain2.contoso.com. If you install an MDM instance in domain1.contoso.com and there are MDM users in both domain1.contoso.com and domain2.contoso.com, MDM administrators will be able to issue wipe requests for managed devices in both domain1 and domain2. Additionally, server configuration settings reside centrally and administrators can set them globally. This affects managed devices in the MDM instance in both domain1 and domain2. Global configuration also affects all servers in the instance.

By using MDM Administrator Tools, you can manage and administer the MDM system in the Active Directory forest. Grant permissions cautiously because a user assigned to the SCMDMDeviceAdministrators group, the SCMDMDeviceSupport group, or the SCMDMServerAdmins group for an MDM instance can wipe all devices managed by the instance in the forest.
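Because membership in these three groups grants instance-wide rights that are not scoped by OU, a periodic review of who is in them is the practical check that follows from the warning above. The script below is an added example, not code from the MDM documentation or product: it reads the direct members of each group in the instance domain and flags members that come from another domain (either by their own distinguished name or as foreign security principals) and nested groups, since both are easy to overlook when reviewing only the instance domain. It assumes the RSAT ActiveDirectory module, an account that can read group membership in the instance domain, and uses the page's domain1.contoso.com as the instance domain; the function names are this example's own.

```powershell
# Added example (not from the MDM documentation): report who holds instance-wide MDM
# rights through the SCMDM* security groups. Assumes the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$InstanceDomain = 'domain1.contoso.com'   # page's example: domain where the instance was installed
$MdmGroups      = 'SCMDMDeviceAdministrators', 'SCMDMDeviceSupport', 'SCMDMServerAdmins'

# DNS domain name -> DC=... form, so a member DN can be compared with the instance domain.
function ConvertTo-DomainDn([string]$DnsName) {
    ($DnsName -split '\.' | ForEach-Object { "DC=$_" }) -join ','
}

# Resolve one 'member' DN to a display name and flag whether it lives outside the
# instance domain. Members from a trusted domain appear either under their own DC=
# suffix or as foreign security principals (CN=<SID>,CN=ForeignSecurityPrincipals,...)
# stored in the instance domain, so both forms are handled.
function Resolve-MdmMember([string]$MemberDn, [string]$InstanceDn) {
    if ($MemberDn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals,') {
        $sid  = New-Object System.Security.Principal.SecurityIdentifier $Matches[1]
        $name = $sid.Value
        try { $name = $sid.Translate([System.Security.Principal.NTAccount]).Value } catch { }
        return [pscustomobject]@{ Member = $name; CrossDomain = $true; IsGroup = $null }
    }
    $memberDomainDn = $MemberDn -replace '^.*?,(DC=.*)$', '$1'
    $memberDomain   = ($memberDomainDn -replace 'DC=', '') -replace ',', '.'
    # Query the member's own domain so that domain2 principals resolve too.
    $obj = Get-ADObject -Identity $MemberDn -Server $memberDomain -Properties sAMAccountName, objectClass
    [pscustomobject]@{
        Member      = "$memberDomain\$($obj.sAMAccountName)"
        CrossDomain = ($memberDomainDn -ne $InstanceDn)
        IsGroup     = ($obj.objectClass -eq 'group')   # nested groups inherit the same rights
    }
}

function Get-MdmPrivilegedMember([string]$Domain, [string[]]$Groups) {
    $instanceDn = ConvertTo-DomainDn $Domain
    foreach ($groupName in $Groups) {
        # Read the raw 'member' attribute rather than Get-ADGroupMember -Recursive,
        # which can fail to resolve members that come from other domains.
        $group = Get-ADGroup -Identity $groupName -Server $Domain -Properties member -ErrorAction Stop
        foreach ($dn in $group.member) {
            $r = Resolve-MdmMember -MemberDn $dn -InstanceDn $instanceDn
            [pscustomobject]@{
                MdmGroup    = $groupName
                Member      = $r.Member
                CrossDomain = $r.CrossDomain
                IsGroup     = $r.IsGroup
            }
        }
    }
}

$report = Get-MdmPrivilegedMember -Domain $InstanceDomain -Groups $MdmGroups
$report | Sort-Object MdmGroup, Member | Format-Table -AutoSize

# Everyone listed can wipe every managed device in the instance, in domain1 and domain2
# alike; cross-domain members and nested groups are the entries to review first.
$report | Where-Object { $_.CrossDomain -or $_.IsGroup }
```

Run it from a workstation joined to the forest with an account that can read the instance domain and any trusted domain that contributes members. Nested groups are only flagged, not expanded; expand each flagged group the same way before signing off on the review, because the wipe and configuration rights described above follow the nested membership all the way down.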