Appendix A: MDM Self Service Portal Configuration File

2/9/2009

You can configure MDM Self Service Portal for Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 by using the Portal Administration page in the portal. You can configure additional settings by changing the MDM Self Service Portal configuration file.

The configuration file, Selfservice.Config, is located in the MDM Self Service Portal installation folder. By default, the installation location is D:\Program Files\Microsoft System Center Mobile Device Manager\SelfService.

The configuration file contains the settings for MDM Self Service Portal. The following example shows the default settings where Instance1 is the name of the MDM 2008 SP1 instance.

<?xml version="1.0"?>
<selfService xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema" xmlns="http://schemas.microsoft.com/mobilemgmt/selfservice/v1.0">
  <userFeatures enableWipe="true" enableSelfEnrollment="true" enableDeviceReports="true" enablePinRecovery="true" />
  <enrollmentServer serverURL="" defaultOU="OU=SCMDM Managed Devices (Instance1),DC=VDomain,DC=com" pendingEnrollmentLimit="100">
    <passwordDelivery enableEmailDelivery="true" enableWebsiteDelivery="true" />
    <deviceNameRegEx />
  </enrollmentServer>
  <logging enableActivityLog="true" enableTraceLog="true" />
</selfService>

The following sections describe the settings for MDM Self Service Portal.

User Features

  • enableDeviceReports
    This setting is reserved for future use.
  • enableWipe
    Enables or disables the wipe functionality on the portal:

    • When this value is set to True, the user can wipe a device. This is the default setting.
    • When this value is set to False, the user can see recently wiped devices but cannot wipe a device or cancel a pending wipe. In this case, you can still wipe a device by using the MDM Console.
  • enablePinRecovery
    Enables or disables the recovery password feature in the portal. This feature retrieves and displays a recovery password on the portal so users who have forgotten their device password can reset their passwords.

    • When this value is set to True, a user who has forgotten his or her device password can request that the portal display the recovery password for the device.
    • When this value is set to False, the user does not have the option to request the portal to display the recovery password. If password reset is enabled for MDM, you can instead display the recovery password for a device by using MDM Console.
  • enableSelfEnrollment
    Enables or disables the enrollment functionality on the portal:

    • When this value is set to True, the user can create a new enrollment request that goes to MDM Enrollment Server, or cancel existing enrollment requests. This is the default setting.
    • When this value is set to False, the user can view pending enrollments in My Devices, and receive enrollment details. However, the user cannot enroll a new device, or cancel a pending enrollment. This means that users can see what you do on their behalf through MDM Console.

Device Name Validation

  • deviceNameRegEx
    Specifies the rules for valid device names that users can specify when they enroll Windows Mobile devices in MDM.

    • When this element has no content, the device name must follow the standard computer naming conventions listed on the New Enrollment page in the portal.
    • When this element contains a valid .NET Framework regular expression—such as <deviceNameRegEx><user>[0-9][0-9]</deviceNameRegEx>—the device name must match the regular expression to be considered valid. In addition, device name validation in MDM Self Service Portal understands two tokens, user name and domain name, which represent the portal user’s account name and domain name, respectively. For more information about configuring device name validation, see Configure MDM Self Service Portal.
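
The following Python script is an added example, not code from the MDM product or this documentation. It reads the deviceNameRegEx element from a constructed copy of Selfservice.Config, expands the user-name and domain-name tokens, and validates candidate device names the way the portal's description above suggests. Two things are assumptions: the token spellings `<user>` and `<domain>` (the page names the tokens only as "user name" and "domain name"), and the fallback computer naming rule used when the element is empty, which is modelled here as NetBIOS-style names because the page does not list the exact conventions. Note also that inside a real XML file the angle brackets of a token must be written as `&lt;user&gt;`, otherwise an XML parser treats `<user>` as a child element rather than as text.

```python
import re
import xml.etree.ElementTree as ET

# Namespace of Selfservice.Config, taken from the sample file on this page.
SS_NS = "{http://schemas.microsoft.com/mobilemgmt/selfservice/v1.0}"

# Assumption: the portal's tokens are spelled <user> and <domain>.
USER_TOKEN = "<user>"
DOMAIN_TOKEN = "<domain>"

# Constructed sample configuration carrying the page's <user>[0-9][0-9] rule.
# The token's angle brackets are escaped so the element content stays text.
SAMPLE_CONFIG = """<?xml version="1.0"?>
<selfService xmlns="http://schemas.microsoft.com/mobilemgmt/selfservice/v1.0">
  <userFeatures enableWipe="true" enableSelfEnrollment="true"
                enableDeviceReports="true" enablePinRecovery="true" />
  <enrollmentServer serverURL="" defaultOU="OU=Devices,DC=example,DC=com"
                    pendingEnrollmentLimit="100">
    <passwordDelivery enableEmailDelivery="true" enableWebsiteDelivery="true" />
    <deviceNameRegEx>&lt;user&gt;[0-9][0-9]</deviceNameRegEx>
  </enrollmentServer>
  <logging enableActivityLog="true" enableTraceLog="true" />
</selfService>
"""


def device_name_rule(config_xml):
    """Return the deviceNameRegEx text, or "" when the element is empty or absent."""
    root = ET.fromstring(config_xml)
    element = root.find(f"{SS_NS}enrollmentServer/{SS_NS}deviceNameRegEx")
    if element is None or element.text is None:
        return ""
    return element.text.strip()


def follows_computer_naming_convention(name):
    """Fallback used when no rule is configured. Assumption: NetBIOS-style names,
    1 to 15 characters, letters/digits/hyphens only, not purely numeric and
    without a leading or trailing hyphen."""
    return (
        1 <= len(name) <= 15
        and re.fullmatch(r"[A-Za-z0-9-]+", name) is not None
        and not name.isdigit()
        and not name.startswith("-")
        and not name.endswith("-")
    )


def expand_rule(rule, account, domain):
    """Substitute the signed-in user's values for the tokens. The values are
    regex-escaped so metacharacters in an account name cannot rewrite the rule."""
    return rule.replace(USER_TOKEN, re.escape(account)).replace(
        DOMAIN_TOKEN, re.escape(domain)
    )


def is_valid_device_name(name, rule, account, domain):
    """True when the name satisfies the configured rule (or the fallback convention)."""
    if not rule:
        return follows_computer_naming_convention(name)
    # fullmatch: the whole name must satisfy the rule, not merely contain a match.
    return re.fullmatch(expand_rule(rule, account, domain), name) is not None


if __name__ == "__main__":
    rule = device_name_rule(SAMPLE_CONFIG)
    for candidate in ("jdoe07", "jdoe7", "adminjdoe07"):
        print(candidate, is_valid_device_name(candidate, rule, "jdoe", "VDOMAIN"))
```

The match is anchored to the whole name on purpose: an unanchored match would accept any device name that merely contains the user's name followed by two digits, which defeats the point of the rule. The expressions the page shows are simple enough to behave identically under .NET and Python regular expressions; more elaborate .NET-specific syntax would need the .NET engine.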

MDM Enrollment Server

  • serverURL
    This setting is reserved for future use.
  • defaultOU
    The default Active Directory container for devices enrolled through the MDM Self Service Portal Web site, also known as the organizational unit (OU). MDM Self Service Portal discovers this information when you run Setup. You can change this information to specify another OU.
  • pendingEnrollmentLimit
    The maximum number of devices that can be pending enrollment for each user at the same time. The default value is 100. If you change this value to zero (0), a maximum is not enforced and an unlimited number of devices can have the status of pending enrollment.

Password Delivery

  • enableEmailDelivery
    Specifies whether to send the password to the e-mail account listed for the user in Active Directory.

    • When this value is set to True, MDM Enrollment Server sends the user an e-mail message that contains the enrollment password. This is the default setting.
    • When this value is set to False, MDM Enrollment Server does not send an e-mail message that contains the enrollment password.
  • enableWebsiteDelivery
    Specifies whether to display the password to the user on the MDM Self Service Portal Web site.

    • When this value is set to True, the Enrollment Confirmation page displays the enrollment password for the user. This is the default setting.
    • When this value is set to False, the Enrollment Confirmation page does not display the enrollment password for the user.

Important

The user needs a password to complete the enrollment process. If you disable both e-mail message and Web site delivery, you must communicate the enrollment password to the user by using another method, such as in person or by using voice mail.

Logging

  • enableActivityLog
    Enables or disables activity logging so that you can view user activity. Examples of logged activities are enrollment, cancel enrollment, and device wipe requests. Logged information is written to the SelfServiceLog.txt file in the App_Data\Logs folder under the installation folder.

    The following list shows the possible settings for activity logging:

    • When this value is set to True, you can monitor user activity by using log files. Activity logging shows user activity on the site. This includes the cmdlets that execute. This is the default setting.
    • When this value is set to False, the portal does not log user activity.
  • enableTraceLog
    Enables or disables tracing. Tracing lets you monitor deeper activity at the code level. The following list shows examples of tracing information that is logged:

    • Errors and exceptions
    • Expected and unexpected events
    • Points of execution, identified to support instrumentation

    The following list shows the possible values for trace logging:

    • When this value is set to True, you can monitor a deeper level of activity through the log files. This is the default setting.
    • When this value is set to False, the portal does not log trace messages.

Two settings in the Web.config file control the maximum size of the log files.

  • logFileMaxSizeMb: This is the maximum size, in MB, of the log file. When the log file reaches this size, the portal saves the file under a time-stamped name and creates a new log file.
  • logFilesMaxSizeMb: This is the maximum size, in MB, for the sum of all log files. When the total of all the log files reaches this size, the portal deletes the oldest log file.

Note

If you set these log file values to zero (0), the log files can grow indefinitely. We do not recommend this because it may affect performance and prevent legitimate users from accessing services.

Logging settings control the types of events that are recorded in the XML-based log file that MDM Self Service Portal creates. The log file is called SelfServiceLog.txt, and it is located in the App_Data folder of the MDM Self Service Portal root installation folder. By default, the installation folder for MDM Self Service Portal is C:\Program Files\Microsoft System Center Mobile Device Manager\SelfService. Logging settings do not control the types of events that are recorded in the Windows Event Log or Performance Log.
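
The following Python script is an added example and not part of the MDM product or this documentation. It parses a constructed Selfservice.Config in which several of the settings described above have been relaxed, and reports the ones an administrator would want to review: wipe or self-enrollment disabled (so those actions must be performed from MDM Console), pendingEnrollmentLimit set to zero (no per-user cap), both password delivery channels disabled (the password must reach users another way, as the Important note states), and activity or trace logging turned off. The element and attribute names come from the page; the wording of each finding is the example's own.

```python
import xml.etree.ElementTree as ET

# Namespace of Selfservice.Config, taken from the sample file on this page.
SS_NS = "{http://schemas.microsoft.com/mobilemgmt/selfservice/v1.0}"

# Constructed sample: a configuration with several settings weakened.
WEAK_CONFIG = """<?xml version="1.0"?>
<selfService xmlns="http://schemas.microsoft.com/mobilemgmt/selfservice/v1.0">
  <userFeatures enableWipe="false" enableSelfEnrollment="true"
                enableDeviceReports="true" enablePinRecovery="true" />
  <enrollmentServer serverURL="" defaultOU="OU=Devices,DC=example,DC=com"
                    pendingEnrollmentLimit="0">
    <passwordDelivery enableEmailDelivery="false" enableWebsiteDelivery="false" />
    <deviceNameRegEx />
  </enrollmentServer>
  <logging enableActivityLog="false" enableTraceLog="true" />
</selfService>
"""


def as_bool(value):
    """Interpret an attribute the way the file uses it: only "true" enables a feature."""
    return (value or "").strip().lower() == "true"


def audit_selfservice_config(config_xml):
    """Return a list of findings (strings) for settings that deserve review.
    An empty list means every checked setting is at its default, enabled value."""
    root = ET.fromstring(config_xml)
    if root.tag != SS_NS + "selfService":
        raise ValueError(f"unexpected root element {root.tag}")

    features = root.find(SS_NS + "userFeatures")
    enrollment = root.find(SS_NS + "enrollmentServer")
    delivery = None if enrollment is None else enrollment.find(SS_NS + "passwordDelivery")
    logging = root.find(SS_NS + "logging")

    findings = []
    for element, label in ((features, "userFeatures"), (enrollment, "enrollmentServer"),
                           (delivery, "passwordDelivery"), (logging, "logging")):
        if element is None:
            findings.append(f"{label}: element missing from the configuration file")
    if findings:
        return findings  # the remaining checks need all four elements

    if not as_bool(features.get("enableWipe")):
        findings.append("enableWipe=false: users cannot wipe a device or cancel a pending "
                        "wipe from the portal; wipes must be issued from MDM Console")
    if not as_bool(features.get("enableSelfEnrollment")):
        findings.append("enableSelfEnrollment=false: users can only view enrollments; "
                        "new enrollments must be created from MDM Console")

    limit_text = enrollment.get("pendingEnrollmentLimit", "100")
    try:
        limit = int(limit_text)
    except ValueError:
        findings.append(f"pendingEnrollmentLimit={limit_text!r}: not an integer")
    else:
        if limit == 0:
            findings.append("pendingEnrollmentLimit=0: no per-user cap on pending enrollments")
        elif limit < 0:
            findings.append(f"pendingEnrollmentLimit={limit}: negative value")

    email = as_bool(delivery.get("enableEmailDelivery"))
    web = as_bool(delivery.get("enableWebsiteDelivery"))
    if not email and not web:
        findings.append("passwordDelivery: e-mail and Web site delivery are both disabled; "
                        "enrollment passwords must reach users by another method")

    if not as_bool(logging.get("enableActivityLog")):
        findings.append("enableActivityLog=false: enrollment, cancellation and wipe "
                        "requests are not written to SelfServiceLog.txt")
    if not as_bool(logging.get("enableTraceLog")):
        findings.append("enableTraceLog=false: errors and exceptions are not traced")
    return findings


if __name__ == "__main__":
    for finding in audit_selfservice_config(WEAK_CONFIG):
        print("-", finding)
```

To audit a real deployment, read the file from the installation folder and pass its contents to `audit_selfservice_config`; the log-size limits live in Web.config rather than Selfservice.Config and are not covered by this check.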