Mobile Device Manager Multiple Instance Overview

2/9/2009

In MDM, an instance specifies a separate, independent installation of MDM in a forest or in a domain. Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 can support multiple instances in a single domain or across a forest, which provides flexibility and increased manageability for companies that deploy MDM in an enterprise-wide topology. This architecture provides a security-enhanced boundary between each MDM instance; therefore, managed devices will not have access to MDM servers in other instances.

To plan your MDM multiple instance topology, see Planning for Mobile Device Manager.

MDM Multiple Instance Functionality

The MDM multiple instance functionality is summarized by the following:

  • Single forest, multiple instances

    • MDM allows an administrator to set up one or more instances and manage the devices that are associated with each instance. Each instance runs independently of every other instance in the forest. An administrator may also create multiple instances within a single domain.
  • Security-enhanced access

    • An MDM Gateway Server in any geographical location will only accept traffic from managed devices that are permitted to connect to its instance. The MDM Gateway Server inspects managed device traffic and either allows or blocks the Internet Protocol security (IPsec) session based on whether the device is authorized for that particular instance.
  • Help Desk support and management

    • Help Desk administrators can manage devices and servers in one or more specific instances. Also, other MDM management roles—such as MDM server administrators, device administrators, security administrators, and device support personnel—can be restricted to manage servers and devices in one or more specific instances.
  • Administration of an instance

    • MDM IT administrators can easily see which instance they are connected to in MDM Console or in MDM Shell. Their management actions are permitted only in instances that they have the authority to manage.

The following illustration shows a multiple instance environment for MDM.

[Illustration: a multiple instance environment for MDM]

MDM Gateway Server in either instance will block communication from managed devices that are not authorized to access its instance. MDM Gateway Server will also not establish a trusted connection with an MDM Device Management Server from another instance.

In MDM 2008 SP1, all instances are separate and independent from other instances. Also, each MDM Gateway Server is tied to a specific instance. For more information about separating MDM instances, see Validating Communications within an MDM Instance in the MDM Planning Guide.

MDM server, group, and service components provide instance authorization at different points in the MDM architecture. The following illustration shows the points of instance authorization in an MDM topology.

[Illustration: points of instance authorization in an MDM topology, numbered 1 through 4]

The following are highlighted by number in the diagram:

  • 1: Managed device to the MDM Gateway Server. The MDM Gateway Server authenticates managed device communication by referencing a list of approved device certificate object identifiers.
  • 2: Managed device to the MDM Device Management Server. The MDM Device Management Server authenticates managed device communication by referencing the SCMDMEnrollDevices (<instance>) group. Only devices that are enrolled in this instance and are members of this group are authorized to contact the MDM Device Management Server.
  • 3: Gateway Central Management (GCM) service to the MDM Gateway Server. The MDM Gateway Server validates that the MDM Device Management Server may connect to it by referencing a list of authorized GCM certificate object identifiers (also known as OIDs). The GCM service validates that it is contacting an MDM Gateway Server of the same instance by referencing a list of authorized Web server certificate OIDs.
  • 4: MDM Administrator Tools. Administrators are authorized against an instance based on their MDM group membership in the Active Directory directory service.
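The following PowerShell script is an added example for auditing the two device-facing authorization points above (1: certificate OID check at the MDM Gateway Server, 2: SCMDMEnrollDevices (<instance>) group membership check at the MDM Device Management Server). It is not MDM's own code or an MDM Shell cmdlet; it uses only .NET X.509 classes and the ActiveDirectory module. The page does not state which certificate extension carries the instance OIDs, so the script inspects both Enhanced Key Usage and Certificate Policies; the $ApprovedOids list, the instance name, the device object name, and the assumption that the group's Name attribute follows the "SCMDMEnrollDevices (<instance>)" pattern are all inputs you supply, not facts from the page. The same OID extraction applies to the GCM and Web server certificates checked at point 3.

```powershell
# Added example, not MDM product code: check whether a device would pass the
# gateway OID check (point 1) and the DMS group-membership check (point 2)
# for one MDM instance. All parameter values are assumptions supplied by you.
param(
    [Parameter(Mandatory)] [string]   $CertPath,      # exported device certificate (.cer, DER or Base64)
    [Parameter(Mandatory)] [string]   $InstanceName,  # instance name as it appears in the group name
    [Parameter(Mandatory)] [string[]] $ApprovedOids,  # OIDs the gateway accepts for this instance (assumed list)
    [Parameter(Mandatory)] [string]   $DeviceName     # Name attribute of the device's AD object (assumed)
)

Import-Module ActiveDirectory   # RSAT / Windows Server AD cmdlets

# Collect every OID found in the Enhanced Key Usage (2.5.29.37) and
# Certificate Policies (2.5.29.32) extensions of a certificate.
function Get-CertificateOids {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Cert)
    $oids = New-Object System.Collections.Generic.List[string]
    foreach ($ext in $Cert.Extensions) {
        switch ($ext.Oid.Value) {
            '2.5.29.37' {
                # .NET exposes EKU as a typed extension with an Oid collection.
                $eku = [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] $ext
                foreach ($o in $eku.EnhancedKeyUsages) { $oids.Add($o.Value) }
            }
            '2.5.29.32' {
                # No typed .NET class for Certificate Policies; pull dotted OIDs
                # out of the CryptoAPI-formatted text instead.
                $text = $ext.Format($true)
                foreach ($m in [regex]::Matches($text, '\b\d+(\.\d+)+\b')) { $oids.Add($m.Value) }
            }
        }
    }
    return @($oids | Sort-Object -Unique)
}

# Point 1: gateway-style check. Any approved OID present on the certificate passes.
$cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath
$certOids = Get-CertificateOids -Cert $cert
$matched  = @($certOids | Where-Object { $ApprovedOids -contains $_ })
$gatewayAllows = $matched.Count -gt 0

# Point 2: DMS-style check. Resolve the instance group by its Name attribute
# (parentheses and spaces make a filter safer than passing the name as -Identity).
$groupName = "SCMDMEnrollDevices ($InstanceName)"
$group = Get-ADGroup -Filter "Name -eq '$groupName'"
if (-not $group) { throw "Group '$groupName' not found; check the instance name." }
$memberNames = @(Get-ADGroupMember -Identity $group.DistinguishedName -Recursive |
                 Select-Object -ExpandProperty Name)
$dmsAllows = $memberNames -contains $DeviceName

[pscustomobject]@{
    Instance              = $InstanceName
    CertificateOids       = ($certOids -join ', ')
    MatchedApprovedOids   = ($matched -join ', ')
    GatewayOidCheck       = $gatewayAllows
    DmsGroupMembership    = $dmsAllows
    AuthorizedForInstance = ($gatewayAllows -and $dmsAllows)
}
```

Run it from a domain-joined machine that has the RSAT AD module, for example `.\Test-MdmInstanceAuthorization.ps1 -CertPath .\device.cer -InstanceName 'Instance01' -ApprovedOids '1.3.6.1.4.1.311.0.0' -DeviceName 'WM-DEVICE-01'` (all values assumed). A device that passes the OID check but is not in the instance's group is exactly the case the page describes as blocked at the MDM Device Management Server even though the gateway accepted the IPsec session, so treat AuthorizedForInstance as the decisive column.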

To read more on multiple instances with the MDM Enrollment Server, see Device Enrollment with Mobile Device Manager.