
MDM Deployment Checklists

2/9/2009

The checklists in this section help you make sure that pre-deployment requirements, installations, and configuration are complete before you follow the steps to deploy MDM 2008 SP1 by using the MDM 2008 SP1 deployment wizards.

Note:
As you configure your environment to deploy MDM 2008 SP1, use the MDM Deployment Worksheets to compile information about IP addresses, server names, port configurations, and so on.

To complete the pre-deployment tasks in the checklist, see System Requirements for MDM Servers and Managed Devices.

After you complete the pre-deployment tasks, complete the deployment and post-deployment tasks by following the instructions described in the MDM Deployment Guide.

Note:
You can use MDM Best Practices Analyzer Tool to analyze a group of servers to determine if prerequisites for deploying MDM 2008 SP1 are met. You can also use the tool to analyze servers post-deployment to verify things such as port settings. To download the tool, see MDM Best Practices Analyzer Tool at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkID=127030.

MDM Server Infrastructure

Requirement Owner Complete

Make sure that every server that is running MDM 2008 SP1 has the required hardware. Hardware requirements can vary, depending on how you set up your company MDM infrastructure.

MDM Server Administrator

[ ]

Install the prerequisite software for each server that is running MDM Enrollment Server.

MDM Server Administrator

[ ]

If you install Windows Server Update Services (WSUS) on an MDM Enrollment Server, make sure that you install it on a separate Web site instead of the default Web site to avoid service conflicts between IIS and MDM Enrollment Web services.

MDM Server Administrator

[ ]

Install the prerequisite software for each server that is running MDM Gateway Server.

MDM Server Administrator

[ ]

Install the prerequisite software for each server that is running MDM Device Management Server.

MDM Server Administrator

[ ]

Install the prerequisite software before you install MDM Console.

MDM Server Administrator

[ ]

Make sure that you can successfully connect through MDM Device Management Server to the server that is running Microsoft SQL Server.

MDM Server Administrator

[ ]

Configure IIS to enable x64-bit applications on all servers that are running MDM. See Install and Configure IIS for MDM.

MDM Server Administrator

[ ]

Firewall and Network Configuration

Your firewall, ports, IP address, and FQDN configuration will depend on the MDM deployment topology that you select. For more information about the different topologies, see MDM System Topologies.

For port settings and information about how to configure and track settings for firewall and network configuration, see MDM Deployment Worksheets.

Requirement Owner Complete

Allocate required number of IP addresses for MDM Gateway Server to support the maximum number of concurrent managed device connections. Make sure that each server that is running MDM Gateway Server has a discrete, non-overlapping IP address pool and that the IP address pool subnet does not intersect with the internal subnet on MDM Gateway Server.

Network Administrator

[ ]

Configure the network to route each IP address pool for Windows Mobile devices to the appropriate server that is running MDM Gateway Server.

Network Administrator

[ ]

If it is necessary, configure the network components that perform network address translation (NAT) or proxy traffic to the Internet so that they translate or proxy traffic for the IP address pools of Windows Mobile devices. Because the address pool is private, you must use NAT for the address pool in order for managed devices to access the Internet.

Network Administrator

[ ]

Make sure that you open the required ports in the internal company firewall so that Mobile Device Manager Gateway Central Management can reach each server that is running MDM Gateway Server.

Network Administrator

[ ]

Make sure that you open the required ports in the external firewall for Windows Mobile devices to reach each server that is running MDM Enrollment Server or MDM Gateway Server.

Network Administrator

[ ]

Make sure that you open the required ports in the internal company firewall so that Windows Mobile devices can access servers running MDM Device Management Server—or the Virtual IP address on the load balancer for the pool of servers running MDM Device Management Server—and any other enabled company resources.

Network Administrator

[ ]

Define in your internal Domain Name System server the internal FQDNs for each server that is running MDM Gateway Server. These FQDNs are not published externally.

MDM Server Administrator

Network Administrator

[ ]

Configure your external DNS server that publishes DNS IP access for MDM Gateway Server. Publish the external interfaces (IP addresses) for each server that is running MDM Gateway Server in the Public DNS and map each IP address to the external DNS name.

Network Administrator

[ ]

Define in your internal DNS server the internal FQDN for MDM Enrollment Server or MDM Enrollment Server load balancer.

MDM Server Administrator

Network Administrator

[ ]

Define in your external DNS server the external FQDN for MDM Enrollment Server or MDM Enrollment Server load balancer.

MDM Server Administrator

Network Administrator

[ ]

Install and configure load balancing for MDM Device Management Server. See MDM Scaled-Out Distributed Configuration Topology.

MDM Server Administrator

Network Administrator

[ ]

Define in your internal DNS server the internal FQDNs for MDM Device Management Server or MDM Device Management Server load balancer.

MDM Server Administrator

Network Administrator

[ ]

Make sure that you can obtain certificates and certificate requests on and off MDM Gateway Server.

MDM Server Administrator

Network Administrator

Perimeter Network Administrator

[ ]

Validate the internal and external IP addresses on each server that is running MDM Gateway Server.

MDM Server Administrator

[ ]
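
The address pool requirement in this checklist (discrete, non-overlapping pools per MDM Gateway Server, and no intersection between a pool and that server's internal subnet) can be checked against the worksheet values before deployment. The following Python code is an added example, not part of the original Microsoft documentation; the gateway names and address ranges are constructed sample data, and check_gateway_pools is a hypothetical helper name.

```python
import ipaddress
from itertools import combinations

# Constructed sample worksheet: gateway name -> (device address pool, internal subnet).
# All names and ranges are hypothetical.
SAMPLE_PLAN = {
    "gw1": ("10.50.0.0/22", "192.168.10.0/24"),
    "gw2": ("10.50.2.0/23", "192.168.20.0/24"),     # overlaps gw1's pool
    "gw3": ("192.168.30.0/23", "192.168.30.0/24"),  # pool intersects its own internal subnet
    "gw4": ("10.60.0.0/22", "192.168.40.0/24"),     # clean
}


def check_gateway_pools(plan):
    """Return a sorted list of findings against the address pool requirement."""
    nets, findings = {}, []
    for gw, (pool, internal) in plan.items():
        try:
            # strict=True rejects entries with host bits set (e.g. 10.0.0.1/24),
            # a common worksheet typo that hides the real range.
            nets[gw] = (ipaddress.ip_network(pool, strict=True),
                        ipaddress.ip_network(internal, strict=True))
        except ValueError as exc:
            findings.append(f"{gw}: invalid network ({exc})")

    # Rule 1: a pool must not intersect the internal subnet of its own gateway.
    for gw, (pool, internal) in nets.items():
        if pool.version == internal.version and pool.overlaps(internal):
            findings.append(f"{gw}: pool {pool} intersects internal subnet {internal}")

    # Rule 2: pools of different gateways must be discrete and non-overlapping.
    for (a, (pa, _)), (b, (pb, _)) in combinations(sorted(nets.items()), 2):
        if pa.version == pb.version and pa.overlaps(pb):
            findings.append(f"{a}/{b}: pools {pa} and {pb} overlap")

    return sorted(findings)


if __name__ == "__main__":
    for line in check_gateway_pools(SAMPLE_PLAN) or ["no conflicts found"]:
        print(line)
```
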

Active Directory, Certification Authority, and SQL Server

Requirement Owner Complete

Make sure that Active Directory meets MDM 2008 SP1 system requirements. See System Requirements for MDM Servers and Managed Devices.

Active Directory Administrator

[ ]

Active Directory is in Windows Server 2003 or Windows Server 2008 Forest Functional mode.

Active Directory Administrator

[ ]

Make sure that a certification authority server is available that meets MDM 2008 SP1 requirements. See System Requirements for MDM Servers and Managed Devices.

Certificate Administrator

[ ]

Make sure that you have administrator credentials on the certification authority server. The certification authority server can be located in another domain as long as it is in the same Active Directory site and you have administrator credentials to the server.

Certificate Administrator

Enterprise Administrator

[ ]

Make sure that an SQL database is available that meets MDM requirements. See System Requirements for MDM Servers and Managed Devices.

Database Administrator

MDM Server Administrator

[ ]

Make sure that you have administrator credentials on the server that is running SQL Server for MDM. If you are using an SQL database instance, you must have administrator credentials on the SQL database instance.

Database Administrator

MDM Server Administrator

[ ]

After you complete the pre-deployment configuration, use the following checklists to deploy and configure the servers.

Important:
To complete the deployment and post-deployment tasks, you must follow the instructions in the MDM Deployment Guide.

Deployment

Requirement Owner Complete

Configure the MDM Active Directory domain by running ADConfig /createinstance:<instance name> /Domain:<domain name> for the domain in which you will install MDM 2008 SP1. You must first run this configuration in the domain in which you will install MDM 2008 SP1. This step requires administrator domain and network credentials.

Domain Administrator

[ ]

Create the MDM 2008 SP1 certificate templates by running ADConfig /createtemplates:<instance name>. This requires elevated domain and network credentials.

Enterprise Administrator

[ ]

Enable the MDM 2008 SP1 certificate templates by running ADConfig.exe /enableTemplates:<instance name> /ca:<ca_server_fqdn>\<ca_instance_name>. This requires elevated domain and network credentials.

Certification Authority Credentials

Enterprise Administrator Credentials

[ ]

Configure the MDM Group Policy security settings by running ADConfig /enablegpsecurity:<instance name> with the appropriate options. This requires elevated domain and network credentials, or you must grant appropriate credentials to every server that is running MDM in Group Policy objects.

Domain Administrator or Schema Administrator (depends on options chosen)

[ ]

Add administrator users to the SCMDMServerAdministrators group. This enables MDM 2008 SP1 Server Administrators to install MDM components and administer the installation for other users.

Domain Administrator

[ ]

Create additional organizational units (OUs) for managed devices and delegate MDM Enrollment Server permissions to the OUs. (This step is optional.)

Domain Administrator

[ ] Optional

Make sure that you grant permissions on the domain certification authority to revoke a managed device enrollment. If you configured it manually, you must do this by using the server that is running the certification authority.

Certification Authority Administrator

[ ]

If you have Exchange Server 2007 with SP1 installed, run the Set-ActiveSyncMailboxPolicy cmdlet to enable managed devices to access the Exchange Client Access Server.

Exchange Administrator

[ ]

Back up the IIS metabase for every server in which you are installing MDM. This includes MDM Device Management Server, MDM Enrollment Server, and MDM Gateway Server. For more information, see "Back Up and Restore the IIS Metabase (IIS 6.0)" at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkId=103605.

MDM Server Administrator

[ ]

Set IIS to allow x64-bit applications to run on every server that is running MDM Device Management Server, MDM Enrollment Server, and MDM Gateway Server. For more information, see "Set IIS to Allow x64-bit Applications" in Install and Configure IIS for MDM.

MDM Server Administrator

[ ]

Install MDM Enrollment Server. On the MDM 2008 SP1 installation CD, on the Setup menu, select Install and then select Enrollment Server. Make sure that you specify the load balancer FQDNs if you are using a load balancer.

Important: You must follow the steps in the MDM Deployment Guide to complete this task. This is required.

MDM Server Administrator. Must be a member of local Administrators group on the server.

[ ]

Install MDM Device Management Server. On the installation disk for MDM 2008 SP1, on the Setup menu, select Install and then select Mobile Device Management Server. Make sure that you specify the load balancer FQDNs if you are using a load balancer.

Important: You must follow the steps in the MDM Deployment Guide to complete this task. This is required.

MDM Server Administrator. Must be a member of local Administrators group on the server.

[ ]

Install Administrator Tools. On the installation disk for MDM 2008 SP1, select Administrator Tools. You can install MDM Administrator Tools on any domain-joined server that meets MDM prerequisites.

Important: You must follow the steps in the MDM Deployment Guide to complete this task. This is required.

Member of local Administrators group on the server. MDM Server Administrator not required.

[ ]

Obtain the MDM Gateway Server certificate for MDM Gateway Server before installation. See the MDM Deployment Guide.

MDM Server Administrator

[ ]

The certificate chain and root certificate for the certification authorities in your MDM system are transferred in a security-enhanced way and imported to the appropriate store on the server that is running MDM Gateway Server. See Step 5: Installing MDM Gateway Server in the MDM Deployment Guide.

MDM Server Administrator

[ ]

Install MDM Gateway Server.

Important: You must follow the steps in Step 5: Installing MDM Gateway Server to complete this task. This is required.

Member of local Administrators group on the server. MDM Server Administrator recommended.

[ ]

Post-Deployment

Requirement Owner Complete

Make sure that the certificate for the newly created Enrollment Administration Web site for MDM Enrollment Server is valid. Obtain certificates for the site if it is necessary. See MDM Deployment Guide.

MDM Server Administrator

[ ]

Make sure that the certificate for the newly created Enrollment Web site for MDM Enrollment Server is valid. Obtain certificates for the site if it is necessary. See MDM Deployment Guide.

MDM Server Administrator

[ ]

Make sure that the certificate for the newly created Device Management Web site for MDM Device Management Server is valid. Obtain certificates for the site if it is necessary. See MDM Deployment Guide.

MDM Server Administrator

[ ]

Make sure that the certificate for the newly created Device Management Administration Web site for MDM Device Management Server is valid. Obtain certificates for the site if it is necessary. See MDM Deployment Guide.

MDM Server Administrator

[ ]

Make sure that the certificate for the newly created Gateway Central Management (GCM) Web site for MDM Device Management Server is valid. Obtain certificates for the site if it is necessary. See MDM Deployment Guide.

MDM Server Administrator

[ ]

Make sure that the certificate for the newly created Gateway Web site for MDM Gateway Server is valid. Use the IIS MMC to change the certificate, if it is necessary.

MDM Server Administrator

[ ]

Make sure that the private key is associated with the certificate on the IIS instance of MDM Gateway Server. See Step 5f: Validating the Gateway Certificate in MDM Deployment Guide.

MDM Server Administrator

[ ]

Set up enrollment configuration for the Gateway URI by running the Set-EnrollmentConfig cmdlet from Mobile Device Manager (MDM) Shell. This provides the public DNS entry of MDM Gateway Server to the managed devices. You must run this cmdlet from a server on which MDM Shell is installed.

MDM Server Administrator

[ ]

From MDM Console, run the Add New Gateway Wizard for every server for which you want to install MDM Gateway Server. This creates an address pool to connect managed devices, configures DNS and WINS server settings, and enables remote MDM Gateway Server management.

MDM Server Administrator

[ ]

© 2014 Microsoft