Install MDM on a Certification Authority or Domain Controller

2/9/2009

To install Mobile Device Manager Enrollment Server on a certification authority or an Active Directory domain controller, follow these steps.

Note

This is not a recommended configuration. This configuration is not supported in production environments; it is only documented for small-scale testing and lab environment purposes. This configuration is not a secure or scalable solution, and may cause performance degradation.

To put MDM Enrollment Server on a certification authority or domain controller

  1. On the Active Directory domain controller, choose Start, choose All Programs, choose Administrative Tools, and then choose Active Directory Users and Computers.

  2. In Active Directory Users and Computers, choose View, and then choose Advanced Features.

  3. Expand the domain and then choose SCMDM Infrastructure Groups.

  4. Right-click SCMDMEnrolledDevices (<Instance Name>) and then select Properties.

  5. In the SCMDMEnrolledDevices Properties dialog box, on the Security tab, choose Advanced.

  6. In the Advanced Security Settings for SCMDMEnrolledDevices (<Instance Name>) dialog box, choose Add.

  7. In the Select User, Computer, or Group dialog box, choose Object Types.

  8. In the Object Types dialog box, select the Computer box, and then choose OK.

  9. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type the computer name of the certification authority or domain controller, and then choose Check Names.

  10. After Active Directory verifies the computer name, choose OK.

  11. In the Permission Entry for SCMDMEnrolledDevices (<Instance Name>) dialog box, on the Object tab, in the Applies to list, select This object only.

  12. In the Permissions box, in the Allow column, select the Read Permissions box.

  13. On the Properties tab, in the Apply onto list, select This object only.

  14. In the Permissions box, in the Allow column, select the Read Members and Write Members boxes, and then choose OK.

  15. In the Advanced Security Settings for SCMDMEnrolledDevices (<Instance Name>) dialog box, choose Add.

  16. In the Select User, Computer, or Group dialog box, choose Object Types.

  17. In the Object Types dialog box, select the Built-in security principals box, and then choose OK.

  18. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type NETWORK SERVICE, and then choose Check Names.

  19. After Active Directory verifies the name, choose OK.

  20. In the Permission Entry for SCMDMEnrolledDevices (<Instance Name>) dialog box, on the Object tab, in the Applies to list, select This object only.

  21. In the Permissions box, in the Allow column, select the Read Permissions box.

  22. On the Properties tab, in the Apply onto list, select This object only.

  23. In the Permissions box, in the Allow column, select the Read Members and Write Members boxes, and then choose OK.

  24. In the Advanced Security Settings for SCMDMEnrolledDevices dialog box, choose Apply, and then choose OK.

  25. In the SCMDMEnrolledDevices Properties dialog box, choose OK.

Delegating Control of an OU to an Enrollment Server

You should delegate control of the SCMDM Managed Devices OU to the server running MDM Enrollment Server.

To delegate control to MDM Enrollment Server

  1. In Active Directory Users and Computers, expand the domain, right-click SCMDM Managed Devices, and then choose Delegate Control.

  2. On the Welcome to the Delegation of Control Wizard page, choose Next.

  3. On the Users or Groups page, choose Add.

  4. In the Select Users, Computers, or Groups dialog box, choose Object Types.

  5. In the Object Types dialog box, select the Computer box, and then choose OK.

  6. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type the server name of the server running MDM Enrollment Server, and then choose Check Names.

  7. After Active Directory verifies the computer name, choose OK.

  8. On the Users or Groups page, choose Next.

  9. On the Tasks to Delegate page, select Create a custom task to delegate, and then choose Next.

  10. On the Active Directory Object Type page, select the Only the following objects in the folder box, select the Computer objects box, select the Create selected objects in this folder box, select the Delete selected objects in this folder box, and then choose Next.

  11. On the Permissions page, select the General, Property-specific, and Creation/deletion of specific child objects boxes.

  12. On the Permissions page, select the following boxes:

    • Read
    • Write
    • Create All Child Objects
    • Delete All Child Objects
    • Read All Properties
    • Write All Properties

  13. Choose Next.

  14. On the Completing the Delegation of Control Wizard page, choose Finish.

Configuring the Network Service Account to Manage Computer Accounts

In this step, you configure the network service account to create or delete computer object permissions.

To let the network service account create or delete computer objects

  1. On the Active Directory domain controller, choose Start, choose All Programs, choose Administrative Tools, and then choose Active Directory Users and Computers.

  2. In Active Directory Users and Computers, choose View, and then choose Advanced Features.

  3. Right-click SCMDM Managed Devices (<Instance Name>), and then select Properties.

  4. On the Security tab, choose Advanced.

  5. In the Advanced Security Settings for SCMDM Managed Devices (<Instance Name>) dialog box, choose Add.

  6. In the Select User, Computer, or Group dialog box, choose Object Types.

  7. In the Object Types dialog box, select the Computer box, and then choose OK.

  8. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type NETWORK SERVICE, and then choose Check Names.

  9. After Active Directory verifies the name, choose OK.

  10. In the Permission Entries box, choose NETWORK SERVICE, and then choose Edit.

  11. In the Permission Entry for SCMDM Managed Devices (<Instance Name>) dialog box, on the Object tab, in the Applies to list, select This object only.

  12. In the Permissions box, in the Allow column, select the Create Computer Objects box and the Delete Computer Objects box.

  13. In the Advanced Security Settings for SCMDM Managed Devices dialog box, choose Apply, and then choose OK.

  14. In the SCMDM Managed Devices Properties dialog box, choose OK.
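The following script is an added example, not part of the MDM documentation: it applies the same Active Directory ACEs as the SCMDMEnrolledDevices group procedure (Read Permissions, Read Members, Write Members, this object only) and the SCMDM Managed Devices OU procedure (Create/Delete Computer Objects, this object only) with the ActiveDirectory PowerShell module, and then lists the resulting entries so a reviewer can confirm that nothing broader than the documented rights was granted. It assumes the module is available (Windows Server 2008 R2 RSAT or later) and uses placeholder names for the instance, the CA/DC computer, and the OU.

```powershell
Import-Module ActiveDirectory

$Instance   = 'LAB'     # placeholder for <Instance Name>
$CaComputer = 'CA01'    # placeholder for the certification authority / domain controller
$GroupDN = (Get-ADGroup "SCMDMEnrolledDevices ($Instance)").DistinguishedName
$OuDN    = (Get-ADOrganizationalUnit -Filter "Name -eq 'SCMDM Managed Devices ($Instance)'").DistinguishedName

function Get-SchemaGuid([string]$LdapDisplayName) {
    # Object-specific ACEs identify a class or attribute by its schemaIDGUID,
    # so look it up in the schema partition rather than hard-coding the value.
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    $obj = Get-ADObject -SearchBase $schemaNC -Filter "lDAPDisplayName -eq '$LdapDisplayName'" -Properties schemaIDGUID
    return [Guid]$obj.schemaIDGUID
}

function Add-AdAce {
    param([string]$Dn,
          [System.Security.Principal.IdentityReference]$Who,
          [System.DirectoryServices.ActiveDirectoryRights]$Rights,
          [Guid]$ObjectType = [Guid]::Empty)
    $acl = Get-Acl -Path "AD:\$Dn"
    # Inheritance 'None' is the GUI's "This object only": the ACE does not flow to children.
    $ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
        $Who, $Rights, [System.Security.AccessControl.AccessControlType]::Allow,
        $ObjectType, [System.DirectoryServices.ActiveDirectorySecurityInheritance]::None)
    $acl.AddAccessRule($ace)
    Set-Acl -Path "AD:\$Dn" -AclObject $acl
}

$CaSid  = (Get-ADComputer $CaComputer).SID                                   # computer account SID
$NetSvc = [System.Security.Principal.NTAccount]'NT AUTHORITY\NETWORK SERVICE' # built-in principal
$memberGuid   = Get-SchemaGuid 'member'     # attribute behind "Read Members" / "Write Members"
$computerGuid = Get-SchemaGuid 'computer'   # class behind "Create/Delete Computer Objects"

foreach ($who in $CaSid, $NetSvc) {
    # Group procedure, steps 11-14 and 20-23: Read Permissions, then Read/Write Members.
    Add-AdAce $GroupDN $who ReadControl
    Add-AdAce $GroupDN $who ([System.DirectoryServices.ActiveDirectoryRights]'ReadProperty, WriteProperty') $memberGuid
}
# OU procedure, steps 11-12: create and delete computer objects, this object only.
Add-AdAce $OuDN $NetSvc ([System.DirectoryServices.ActiveDirectoryRights]'CreateChild, DeleteChild') $computerGuid

# Review what was granted: every ACE should be non-inheriting and scoped to the GUIDs above.
foreach ($dn in $GroupDN, $OuDN) {
    (Get-Acl -Path "AD:\$dn").Access |
        Where-Object { $_.IdentityReference -like '*NETWORK SERVICE*' -or $_.IdentityReference -like "*\$CaComputer`$" } |
        Format-Table IdentityReference, ActiveDirectoryRights, ObjectType, InheritanceType -AutoSize
}
```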

Configuring the Network Service Account to Manage Certificates

In this step, you configure the network service to manage certificates.

To let the network service issue and manage certificates

  1. On the certification authority, choose Start, choose Programs, choose Administrative Tools, and then choose Certification Authority.

  2. In the Certification Authority window, right-click the instance name of the certification authority, and then choose Properties.

  3. On the Security tab, choose Add.

  4. In the Select User, Computer, or Group dialog box, choose Object Types.

  5. In the Object Types dialog box, select the Built-in security principals box, and then choose OK.

  6. In the Select User, Computer, or Group dialog box, in the Enter the object name to select box, type NETWORK SERVICE, and then choose Check Names.

  7. After Active Directory verifies the service name, choose OK.

  8. In the <Certification authority instance name> Properties dialog box, in the Groups or user names box, choose NETWORK SERVICE.

  9. In the Permissions for NETWORK SERVICE box, in the Allow column, select the Issue and Manage Certificates box.

  10. In the <Certification authority instance name> Properties dialog box, choose OK.

Granting Permissions to the Temp Folders

You must grant the Network Service and Local Service accounts Full Control to the Temp folders.

To grant permissions to the Temp folders

  1. On the Start menu, choose Run, type explorer, and then choose OK.

  2. In Windows Explorer, browse to the %SystemDrive%\Windows folder. Typically, the system drive is C:.

  3. Right-click Temp, and then choose Properties.

  4. In the Temp Properties dialog box, on the Security tab, choose Add.

  5. In the Select Users, Computers, or Groups dialog box, in the Enter the object name to select box, type network service, and then choose Check Names.

  6. After Active Directory verifies the name, choose OK.

  7. In the Permissions for NETWORK SERVICE box, in the Allow column, select the Full Control box, and then choose Add.

  8. In the Select Users, Computers, or Groups dialog box, in the Enter the object name to select box, type local service, and then choose Check Names.

  9. After Active Directory verifies the name, choose OK.

  10. In the Permissions for LOCAL SERVICE box, in the Allow column, select the Full Control box, and then choose OK.

  11. Repeat steps 1 through 10 to grant the Network Service and Local Service accounts Full Control permissions to the %SystemDrive%\Documents and Settings\<username>\Local Settings\Temp folder.