Microsoft System Center: Manage Mobile Devices with System Center

More mobile devices creep onto the network every day, but the Microsoft System Center management tools can help you get a handle on them.

Brien Posey

There’s no denying mobile devices are reshaping the enterprise. Practically everyone has a smartphone these days, and tablets were by far the biggest story at this year’s Consumer Electronics Show. Although mobile devices have gone completely mainstream, enterprise networks still have to do a bit of catching up. One of your biggest challenges is effectively managing the increasing quantity and variety of mobile devices on your network.

A few organizations have deployed Microsoft Exchange Server for the sole purpose of using ActiveSync policies to manage mobile devices. While this works, Microsoft does have a solution tailored more specifically for managing mobile devices in an enterprise environment: System Center Mobile Device Manager (MDM) 2008.

The primary goal of MDM 2008 is to help you manage mobile devices in the same way you’re used to managing desktops and laptops. Of course, mobile devices don’t offer all of the capabilities of desktops and laptops. Therefore, MDM 2008 is focused on a few key areas. Specifically, it helps you perform the following functions:

  • Application Deployment
  • Group Policy Management
  • Device Inventory
  • Remote Wipes of Lost or Stolen Devices

MDM Architecture

MDM 2008 SP1 offers three server roles: the Gateway Server, the Enrollment Server and the Management Server. Here’s a brief overview of those roles:

The Gateway Server: The Gateway Server links your mobile devices to your internal network. It’s designed to sit at the network perimeter in the DMZ and act as a “gateway” between mobile devices and the back-end network. Because this server is exposed to the Internet, Microsoft advises against joining it to a domain. Because it’s not a domain member, it can’t use Windows NT LAN Manager (NTLM), Kerberos or Active Directory Domain Services to authenticate mobile devices. Instead, the authentication process is based on certificates, which is why you’ll need an enterprise certificate authority.

The Management Server: The job of the Management Server is to translate the protocols already in use on your network into a protocol known as Open Mobile Alliance Device Management, or OMA DM. This essentially means the management server is what lets you manage mobile devices in a similar manner to how you currently manage your PCs.

The Enrollment Server: To manage PCs in an enterprise environment, they have to be domain members. Mobile devices can’t join a Windows domain in the same way that PCs can, but they can be enrolled into the domain. The enrollment server makes this possible.

Deployment Considerations

When MDM 2008 was first released, the installation process was extremely simple. Once the domain was prepared, all you really had to do was run the Setup Wizard. The Setup Wizards are still easy to follow, but a lot has changed since 2008. Complying with some of the prerequisites can be a challenge.

During a recent deployment, there were several issues related to the MDM 2008 Setup Wizard not recognizing the various prerequisites on the server. Here are some of the deployment issues you may encounter and steps you can take to mitigate them.

MDM 2008 is not compatible with Windows Server 2008. You must install MDM 2008 on either Windows Server 2003 or Windows Server 2003 R2. It supports both the x86 and the x64 architectures, but you’ll have an easier time deploying the administrative tools if you use the x86 architecture.

Whether you choose to install Windows Server 2003 R2 onto physical or virtual hardware, you could potentially encounter installation issues. Occasionally, when attempting to install Windows Server 2008 R2 onto newer servers, Setup will blue-screen unless you go into the server’s BIOS and disable both the server’s virtualization support and the No Execute (NX) function. There have also been situations in which Setup will go to a blue-screen error unless the server’s BIOS has been configured to operate the SATA controller in IDE mode.

Using a virtual server may also cause problems. On some (but not all) Hyper-V servers, rebooting a virtual machine (VM) running any flavor of Windows Server 2003 or Windows Server 2003 R2 will consistently corrupt the registry’s software hive.

The prerequisites state that you need SQL Server 2005 SP2 or higher. You must also use a full-blown version of SQL Server (it doesn’t support Express Edition). It’s also worth noting that it doesn’t support SQL Server 2008.

One of the prerequisites for the MDM Device Management Server is that you must install Windows Server Update Services (WSUS) SP1 (it seems that WSUS 3.0 SP2 is not supported). Upon trying to deploy using WSUS 3.0 SP2, Setup would not even recognize that WSUS was installed.

The Administrative Tools require your server to run Windows PowerShell 1.0, so be careful about performing an automatic update of your MDM 2008 server: Windows PowerShell 2.0 is automatically installed as part of the Windows Management Framework Core Package.

If you’ve already installed this package, you can remove it with the Control Panel Add/Remove Programs applet. When you do, you’ll receive a message telling you removing the package will break several applications, including WSUS and IIS. However, it seems you can safely remove this in spite of the warning message.

Finally, if you want to regulate mobile devices via Group Policy settings, then you’ll have to deploy the Group Policy Extensions portion of the Administrative Tools component. This is a bit tricky. Doing so requires installation of the Group Policy Management Console (GPMC). Unfortunately, the console won’t run on 64-bit versions of Windows Server 2003.

There’s a workaround that lets you install the GPMC on a 64-bit server, but even after doing so, the MDM 2008 Setup Wizard refuses to acknowledge the console installation. As such, your only option is to set up a machine that’s running a 32-bit OS and install the console onto it.

MDM 2008 requires your organization to have deployed an enterprise root certification authority. That certification authority can run on either Windows 2003 or Windows 2008.

Enrolling a Device

Once you have MDM 2008 up and running, it’s relatively easy to begin enrolling mobile devices. To start the pre-enrollment process and enroll a device, open the System Center Mobile Device Manager Console. Navigate through the console tree to Mobile Device Manager | (your MDM 2008 instance) | Device Management | All Managed Devices. Click the Create Pre-Enrollment link. This will launch the Pre-Enrollment Wizard.

Begin the wizard by clicking Next to bypass the Welcome screen. Next, you’ll see a screen asking you to name the device you want to enroll. You can use any name that helps you to identify the device, but it must be less than 15 characters long and cannot contain spaces. This screen also lets you change the organizational unit in which the device is created, although the default usually works fine.

When you click Next, you’ll be asked to select the Active Directory user to whom the device will be assigned. After making your selection, click Next. You should now see a configuration summary for the pre-enrollment. Assuming that everything appears to be correct, click the Create button. You’ll be notified when the creation process is complete (see Figure 1).

Figure 1 After the pre-enrollment process, you’ll be ready to add mobile devices

This screen contains an e-mail address and enrollment password with which the user must enroll their device. Make note of the e-mail address and password included in the pre-enrollment summary.

The procedure for enrolling a device varies depending on the version of Windows Mobile. The process outlined here assumes you’re using Windows Mobile 6.5. It’s worth noting that Windows Phone 7 does not offer the device-enrollment feature.

To enroll a Windows Mobile 6.5 device, click the device’s Start button. Go to Settings | Connections. Then tap the Domain Enroll icon. The device should now display an overview of the enrollment process. Click the Enroll button, and you’ll be prompted for the e-mail address and password generated by the Pre-Enrollment Wizard (see Figure 2).

Figure 2 Windows Mobile will ask for enrollment credentials

Enter these credentials, and the device will attempt to locate your enrollment server. If the device is unable to locate the enrollment server, it may ask you for its name on the following screen. When the process is complete, you’ll see a message on the device informing you that enrollment was successful (see Figure 3).

Figure 3 Windows Mobile will confirm successful device enrollment

The device should also be listed in the System Center Mobile Device Manager All Managed Devices container (see Figure 4), although you may have to refresh the display.

Figure 4 The newly enrolled device will be listed in the System Center Mobile Device Manager All Managed Devices container

Application Deployment

The System Center Mobile Device Manager Software Distribution console (see Figure 5) lets you distribute applications to mobile devices. To do so, the mobile application must be wrapped into a package. You can create a package by navigating through the console tree to Software Distribution | MDM | Packages | Software Packages, and clicking on the Create link. This will launch the Create Package Wizard.

Figure 5 The System Center Mobile Device Manager Software Distribution console lets you package and deploy mobile apps

The wizard walks you through a few easy steps so you can package your application. After doing so, you can use the console to deploy the package. The console even provides a mechanism for keeping track of package deployment.

Group Policy Management

Once your device is enrolled in a Windows domain, you can manage it through Group Policies. When you install the Group Policy Extensions, the Group Policy Editor will give you numerous Group Policy settings specific to mobile devices. These settings let you enforce passwords on the devices and enable or disable various device features.

These user-specific Group Policy settings are located at User Configuration/Administrative Templates/Windows Mobile Settings. The device-specific settings are at Computer Configuration/Administrative Templates/Windows Mobile Settings.

If a mobile device enrolled in a domain on your network is ever lost or stolen, MDM 2008 lets you perform a remote wipe. To do so, simply go to the System Center Mobile Device Manager All Managed Devices container, right-click on a device and choose the Wipe Now command from the shortcut menu. There’s also a self-service portal that lets users wipe mobile devices themselves.

With the growing amount and ever-increasing variety of mobile devices, managing them can seem overwhelming. As with anything, though, you just need the right tools for the job.

Brien Posey

Brien Posey, MVP, is a freelance technical author with thousands of articles and dozens of books to his credit. You can visit his Web site at brienposey.com.