Troubleshooting MDM Software Distribution Issues

2/9/2009

This section lists common issues encountered with Mobile Device Manager software distribution. You use MDM Software Distribution Console to view the status of software distribution on individual managed devices and to run reports. To enable logging for software distribution, use MDM Connect Now Tool. In this tool, select Menu, select Logging, select Enable Alerter Log, and then select any of the following options:

  • Alerter
  • Nodemon
  • InitSession
  • Nodemon CSP
  • Software Distribution
  • TDET

The DeviceUpdate.log file is located in the root directory.

For information about MDM Connect Now Tool, see the MDM Resource Kit Tools at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.

File Signature Verification Failed when You Create a Signed .Cab File

This error indicates that the computer that is running the console does not have, in its root certificate store, the public certificate that is required to sign the .cab file. The certificate that you use to sign the .cab file must be trusted by the following:

  • The computer that is running MDM Software Distribution Console
  • MDM Device Management Server

Therefore, the public certificate must be in the root store of these computers.

To publish updates, make sure that the system (and not just the logged-on user) trusts the signature on the .cab files. If you run the software distribution console on a separate computer, then follow these steps on both computers: the one with the console and the Device Management/WSUS server.

  1. Install the root certificate into the Trusted Root Certification Authorities store on the Device Management/WSUS server and the computer running the software distribution console, if different.
  2. Install the public certificate used to sign the .cab file into the Trusted Publishers certificate store on the Device Management/WSUS server and the computer running the software distribution console, if different.

For more information about signing .cab files, see Signing .Cab Files in Packages.
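
A read-only check for the requirement above that the system, and not just the logged-on user, trusts the certificates. This is an added example, not part of the original page; the two .cer paths and the function name Get-CertTrustScope are assumptions.

```powershell
# Added example, not part of the original page. Read-only: nothing is installed.
# Both .cer paths are placeholders (assumptions); replace them with your files.
$checks = @(
    # Root CA certificate -> Trusted Root Certification Authorities store
    @{ Path = 'C:\certs\root-ca.cer';     Store = 'Root' }
    # Public certificate that signed the .cab -> Trusted Publishers store
    @{ Path = 'C:\certs\cab-signing.cer'; Store = 'TrustedPublisher' }
)

function Get-CertTrustScope {
    param([string]$Path, [string]$Store)

    # Load the public certificate from the .cer file to obtain its thumbprint.
    $file = (Resolve-Path -LiteralPath $Path -ErrorAction Stop).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $file

    # The CurrentUser view also lists machine-wide certificates, so test
    # LocalMachine first; a hit only under CurrentUser means user-only trust.
    $inMachine = Test-Path -LiteralPath "Cert:\LocalMachine\$Store\$($cert.Thumbprint)"
    $inUser    = Test-Path -LiteralPath "Cert:\CurrentUser\$Store\$($cert.Thumbprint)"

    if ($inMachine)  { $scope = 'LocalMachine' }
    elseif ($inUser) { $scope = 'CurrentUser only' }
    else             { $scope = 'Not installed' }

    [pscustomobject]@{
        Subject    = $cert.Subject
        Thumbprint = $cert.Thumbprint
        Store      = $Store
        Scope      = $scope
    }
}

$results = foreach ($c in $checks) {
    Get-CertTrustScope -Path $c.Path -Store $c.Store
}
$results | Format-List

# Anything other than LocalMachine means the system does not trust the certificate.
$missing = @($results | Where-Object { $_.Scope -ne 'LocalMachine' })
if ($missing.Count -gt 0) {
    Write-Warning "$($missing.Count) certificate(s) are not in the machine store on $env:COMPUTERNAME."
}
```

Run it on both the computer with the console and the Device Management/WSUS server, if they are different computers.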

Distributed Application Does Not Appear Under Installed Software

If an application that you distributed does not appear on the Installed Software tab for the device in MDM Software Distribution Console, the likely cause is that the inventory collection must be updated.

To make the distributed packages appear on the Installed Software tab quickly, first run the following MDM Shell cmdlet to view a list of objects for which you can set the collection frequency:

Get-InventoryItem | format-list

To set the collection frequency of the device inventory collection item to EveryConnect, run the following command:

Set-InventoryItem -identity "InstalledApplications" -collectionfrequency "EveryConnect"

Package Installation Fails

If the device is physically accessible, check the failure code in the Managed Programs UI on the device.

  1. Verify that the device can contact MDM Device Management Server:
    • Start Internet Explorer on the device, and type the URL to MDM Device Management Server (including ":8530", where 8530 is the port number assigned to WSUS). For example: https://<DeviceManagementServer FQDN>:8530.
    • If the device can contact the Device Management/WSUS server, then the browser should respond with the Directory Listing Denied message.
  2. If the device cannot resolve the page, check the following:
    • The Windows Server Update Services Web site cannot be installed under the Default Web site unless MDM Device Management Server and MDM Enrollment Server are running on separate servers.
    • If MDM Device Management Server and MDM Enrollment Server are running on the same server, the HTTP Web site for WSUS must be configured to use port 8530.
    • If MDM Device Management Server and MDM Enrollment Server are running on the same server, the HTTPS Web site for WSUS must be configured to use port 8531.
  3. Verify that the file is located on the server.
    • Open the Software Distribution console, select Packages, and then select the specific package. Or, locate the share that holds the files, and browse to the specific .cab file.
    • The console shows the package status, including the number of devices with the package installed. If you receive a text box stating that the credentials need to be verified, then the file is no longer present on the server. To resolve this issue, add the public root and signing certificate that belong with the package to the Device Management Server (and console computer, if different), and then re-publish the package.
    • Install the root certificate into the Trusted Root Certification Authorities store on the Device Management/WSUS server and the computer running the software distribution console, if different.
    • Install the public certificate used to sign the .cab file into the Trusted Publishers certificate store on the Device Management/WSUS server and the computer running the software distribution console, if different.
  4. Verify that the device can reach and download the .cab file, and that the .cab file is correctly signed.
    • The device should prompt the user to download or open the .cab file.
    • When the user selects Open, the .cab file should install.
    • If the device cannot find the .cab file, then it probably does not exist on the Device Management Server. Follow step 3 to verify the file.
    • If the device successfully downloads the .cab file but does not install it, then the .cab file is broken, the .cab file is not meant for the device type (standard, professional, or classic), or the Windows Mobile version on the device does not have the public root and public code signing certificates installed in the appropriate stores. You must import and install the .cer file for the managed Windows Mobile device in the SPC store and in the Privileged Execution Trust Authorities store. You can perform this import through the Group Policy Management Console (GPMC) on a computer or server that has the Group Policy Extensions installed.