What's New in Mobile Device Manager 2008 SP1

What's New in MDM 2008 SP1

2/9/2009

Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1, the latest release of the MDM system, includes a number of new features and changes.

What's New in MDM 2008 SP1

New features in MDM 2008 SP1 include multiple-instance deployment. In MDM, an instance specifies a separate, independent installation of MDM in a forest or in a domain. MDM 2008 SP1 can support multiple instances in a single domain or across a forest, which provides flexibility and increased manageability for companies that deploy MDM in an enterprise-wide topology. This architecture provides a security-enhanced boundary between each MDM instance. Therefore, users have access only to MDM servers in their instance. Managed devices do not have access to other instances.

MDM 2008 SP1 supports multiple MDM instances running in each Active Directory forest. As an administrator, you can set up one or more instances and individually manage the devices associated with each instance. This differs from MDM 2008, which supports only one instance in each forest. The following list shows the new functionality that was added to support multiple instances:

Each instance runs independently from any other instance in the forest. Instances can span multiple domains.
IT administrators can limit the actions of the MDM administrator to specific instances throughout the forest. This lets Help Desk administrators, Server administrators, and Device administrators manage devices in assigned instances only.
IT administrators can use MDM Console or MDM Shell to detect the instance to which they are attaching. Commands are denied at the MDM Shell level if an administrator tries to run commands against an instance to which he or she has no permissions. Administrators can only access consoles of instances that they have authority to manage.
Enrollment autodiscovery finds a specific MDM Enrollment Server from an e-mail address that the user enters in the device enrollment tool.

The following list shows changes that were made to MDM Self Service Portal:

MDM Self Service Portal is now part of MDM. In previous versions, it was part of the MDM Resource Kit Tools.
You now install MDM Self Service Portal by running MDM 2008 SP1 Setup instead of by manually running a separate MDM Self Service Portal Setup .msi file.
By default, you must be a member of SCMDMAuthorizedUsers, SCMDMServerAdmins, or a domain administrator group to access MDM 2008 SP1 Self Service Portal. In MDM 2008 SP1, access to the portal is enabled by default for domain-authenticated users in the SCMDMAuthorizedUsers group.

The following shows other changes that were made in MDM 2008 SP1:

Password reset was added to let a user who has forgotten his or her device password reset the password. The user can access MDM Self Service Portal or contact the IT Help Desk to request a one-time recovery password that is stored on MDM Device Management Server. The user can use this password to reset the password on the device.
.NET Framework 2.0 Service Pack 1, instead of .NET Framework 2.0, must be installed before you can install MDM 2008 SP1 servers.
You can now install MDM in Active Directory domains at the Windows Server 2008 domain and forest functional level. In previous versions, you could only install MDM at the Windows Server 2003 domain and forest functional level.

MDM can now run on virtual computers that are running on a host computer that uses Windows Server 2008 Hyper-V technology. The virtual machine on which MDM is installed is subject to the same requirements, dependencies, and restrictions as a physical computer. In particular, the guest operating system of the virtual machine must be Windows Server 2003.

Note:
Because of unavoidable variations in deployment options, physical hardware variances, and support for virtualization, we make no claims regarding the performance of MDM 2008 SP1 running on guest operating systems that use Hyper-V, though we tested MDM 2008 SP1 with 500 devices in such an environment.

What's New in MDM Documentation

The following table shows some of the new and updated topics in MDM 2008 SP1.

Topic	Description
ADConfig Tool (Changed)	Updated with the new groups, parameters, and operations that the MDM 2008 SP1 Active Directory Configuration Tool (ADConfig) supports.
Configure Password Reset in MDM(New)	Describes the new password reset feature in MDM 2008 SP1.
Configuring MDM Recovery Password Service (New)	Describes the MDM Shell cmdlets that you can run to perform various recovery password operations for MDM.
Device Enrollment with Mobile Device Manager (Changed)	Added information about device enrollment in a multiple-instance scenario.
Disabling Bluetooth and Infrared Beaming (New)	Describes how to disable file beaming over both IrDA and Bluetooth.
Enabling Password Reset in MDM (New)	Describes how to enable password reset for MDM.
Gateway Server Cmdlets (New)	Added a new cmdlet, Update-MDMGatewayServer, that updates each MDM Gateway Server in the MDM system by sending configuration and other information from the Mobile Device Manager Gateway Central Management component of MDM Device Management Server.
MDM Gateway Server Deployment Guidelines (Changed)	Added more information about when you should and should not use network address translation (NAT), and added a section about configuring the default gateway and outgoing proxy.
Install and Configure SQL Server for MDM (Changed)	Added examples to assist with scoping database size and growth needs, and updated the procedure for configuring Windows integrated security to work with SQL Server 2005.
Install MDM Self Service Portal (Changed)	Updated steps for installing MDM Self Service Portal.
Manual Certificate Procedures (Changed)	Added information about updating the Active Directory service connection point (SCP) with MDM 2008 SP1 certificate template object identifiers.
MDM and Microsoft Certification Authorities (Changed)	Changed template names to MDM 2008 SP1 templates.
MDM and Microsoft Certification Authorities (Changed)	Updated certificate template names with instance name.
MDM Backup and Recovery (Changed)	Updated to include the recovery of MDM dependencies and components, not just databases.
MDM Certificate Template Cmdlets (New)	Added new cmdlets to manage the certificate templates in the current MDM instance: Get-MDMCertificateTemplate Grant-MDMCertificateTemplate Revoke-MDMCertificateTemplate
MDM Instance Management Cmdlets (New)	Added new cmdlets to return information about MDM instances and specify the MDM instance you want to manage in the MDM Console: Get-MDMInstance Get-MDMCurrentInstance Set-MDMCurrentInstance
MDM Multidomain Multiple-Instance Configuration Topology (New)	Provides an illustration of multiple MDM 2008 SP1 instances in multiple domains.
Mobile Device Manager Multiple Instance Overview (New)	Provides a high-level description of the new multiple-instance functionality in MDM 2008 SP1.
MDM Multiple Instance Topologies (New)	Summarizes multiple-instance topology support in MDM 2008 SP1, and contains topics to help you plan for deploying multiple MDM 2008 SP1 instances.
MDM Multidomain Multiple-Instance Configuration Topology (New)	Includes an illustration of implementing a multiple-instance deployment of MDM 2008 SP1 in a multiple-domain environment.
Recovery Password Cmdlets (New)	Added new cmdlets to manage MDM device recovery passwords: Get-MDMDeviceRecoveryPassword Update-MDMDeviceRecoveryPassword Update-MDMDeviceRecoveryPasswordEncryptionKey
Remove an MDM Self Service Portal Installation (Changed)	Updated steps for removing MDM Self Service Portal.
Repair an MDM Self Service Portal Installation (Changed)	Updated steps for repairing MDM Self Service Portal.
Retrieving a Recovery Password in MDM (New)	Describes how to get the device recovery password by using the MDM Console.
Roadmap to Deploying Mobile Device Manager (New)	Helps you evaluate and deploy MDM 2008 SP1.
Security Best Practices in MDM (Changed)	Made the following changes: Changed best practice to say "Prevent unsigned code from executing" Under "Prevent unsigned code from executing": Added information about signing applications as Normal unless they need to run as Privileged. Under "Prevent unsigned code from executing," added information about MDM software distribution. Added "Harden the MDM Gateway Server before you install it in a potentially hazardous environment." Added "Apply the appropriate Group Policy models to devices."
Security Policies in MDM (Changed)	Documented a new Group Policy setting: User Reset of Password—Enables you to control whether users can reset device passwords by using password reset in MDM or Exchange PIN reset, which uses functionality provided by Microsoft Exchange Server 2007.
Security Considerations for MDM Self Service Portal (Changed)	Lists the new default requirements for users to access MDM Self Service Portal.
Server Administrator Roles in MDM (Changed)	Added server administrator role information for the new cmdlets: Update-MDMGatewayServer Set-MDMCurrentInstance Get-MDMInstance Get-MDMCurrentInstance
Setup Command-Line Options (Changed)	Updated MDM Enrollment Server and MDM Device Management Server command-line installation strings with an MDM 2008 SP1 instance parameter.
Signing .Cab Files in Packages (Changed)	Updated to reflect that MDM 2008 SP1 includes a wizard for signing .cab files. Previously in MDM 2008, signing a .cab file involved running the CabSignTool utility from the MDM 2008 Resource Kit Tools.
Step 1a: Configuring the Active Directory Domain for MDM (Changed)	Added new parameters for creating and enabling MDM 2008 SP1 instances.
Step 1b: Granting Permissions for Administrators to Install MDM (Changed)	Documented new procedures for adding members to the new group MDM Security Administrators (SCMDMSecurityAdmins) and delegating other MDM roles by using an account from this group.
Step 2: Installing MDM Enrollment Server (Changed)	Updated Setup procedures for MDM 2008 SP1 multiple-instance functionality.
Step 3: Installing MDM Device Management Server (Changed)	Updated Setup procedures for MDM 2008 SP1 multiple-instance functionality.
Step 5d: Creating and Importing the MDM Gateway Server Configuration File (New)	Provides procedures for creating the certificate template object identifier XML file and importing it onto MDM Gateway Server. This process is necessary for keeping MDM 2008 SP1 instances separate in a forest.
Upgrading an MDM Installation to MDM 2008 SP1 (New)	Provides Setup guidance for upgrading to MDM 2008 SP1.
Validating Communications within an MDM Instance (New)	Describes the methods MDM 2008 SP1 uses to validate the communication within a single instance—certificate template object identifiers (OIDs) and Active Directory User Security Groups (USGs)—and lists the steps that you take as part of the MDM 2008 SP1 deployment process to set up the validation process.