Troubleshooting MDM Group Policy Issues

2/9/2009

This section lists common issues encountered with System Center Mobile Device Manager Group Policy.

GPMC Not Supported on 64-bit Platforms

If you try to install MDM Group Policy extensions on a 64-bit platform, you will receive an error message stating that the operation is not possible. You must deploy the Group Policy extensions on a 32-bit platform that has the Group Policy Management Console (GPMC) already installed.

GPMC Not Supported on Windows Vista

If you try to install MDM Group Policy extensions on a Windows Vista platform (either 32-bit or 64-bit), you will receive an error message stating that the operation is not possible.

Install GPMC Before MDM Group Policy Extensions

You must first install GPMC before you install MDM Group Policy extensions.

Force an Immediate Group Policy Update

After you configure a new Group Policy setting, it can take one to eight hours to update the Group Policy settings on MDM Device Management Server, after which a device can connect and obtain the setting. The minimum time for the update to MDM Device Management Server is one hour.

To avoid this delay, such as when you troubleshoot a Group Policy setting, you can start an immediate Group Policy settings update on MDM Device Management Server by running the Update-MobilePolicyCalculation cmdlet in MDM Shell:

Update-MobilePolicyCalculation <device name>

This cmdlet retrieves the latest Group Policy set from Active Directory for a given device, and caches it in the server for the next time that the device connects. After you update policy settings by using the Update-MobilePolicyCalculation cmdlet, you can also start a client connection by running MDM Connect Now Tool.

Install and run this application on the device to force an immediate synchronization with MDM Device Management Server. To download and install MDM Connect Now Tool, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=127030.
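The following script is an added example for this troubleshooting step; it is not part of the MDM documentation or the MDM Shell itself. It assumes the MDM Shell snap-in is loaded and that Update-MobilePolicyCalculation accepts the device name positionally, as shown above; the device names and the function name Invoke-MdmPolicyRefresh are placeholders. It runs the cmdlet for a list of devices, records which calculations failed and why, and returns the results as objects so that failures can be examined before users are asked to run MDM Connect Now Tool.

```powershell
# Added example; not part of the MDM documentation. Assumes the MDM Shell
# snap-in is loaded and that Update-MobilePolicyCalculation takes the device
# name as its first positional argument (as shown in the page text).
function Invoke-MdmPolicyRefresh {
    param(
        [Parameter(Mandatory)] [string[]] $DeviceName
    )
    foreach ($name in $DeviceName) {
        $entry = [ordered]@{ Device = $name; Refreshed = $false; Error = $null; Time = Get-Date }
        try {
            # -ErrorAction Stop turns a non-terminating cmdlet error into an
            # exception so that the failure is captured per device.
            Update-MobilePolicyCalculation $name -ErrorAction Stop | Out-Null
            $entry.Refreshed = $true
        } catch {
            $entry.Error = $_.Exception.Message
        }
        [pscustomobject]$entry
    }
}

# Placeholder device names; replace with the device names from your MDM environment.
$results = Invoke-MdmPolicyRefresh -DeviceName 'DEVICE-001', 'DEVICE-002'
$results | Format-Table Device, Refreshed, Error -AutoSize

# Devices whose policy calculation did not run still hold the stale cached
# policy set; MDM Connect Now on those devices will not pick up the new setting.
$results | Where-Object { -not $_.Refreshed } | ForEach-Object {
    Write-Warning "Policy calculation did not run for $($_.Device): $($_.Error)"
}
```

Run the script from the MDM Shell on a computer that has the MDM administrator tools installed; the returned objects can be exported with Export-Csv if the results are needed for a support case.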

Initial Policy Period to Download and Apply Is Long

Typically, this issue is caused by problems with proxy server policies. Check the proxy server connectivity and configuration settings.

Device Restarts Multiple Times After a VPN Session

Typically, the cause is applying Group Policy settings that require a restart. The following Group Policy settings require a device restart:

  • Turn off Wi-Fi
  • Turn off Bluetooth
  • Turn off infrared
  • Turn off camera
  • Enable Bluetooth profiles
  • Remove unmanaged SPC certificates
  • Remove unmanaged privileged certificates
  • Remove unmanaged ordinary certificates
  • Remove unmanaged root certificates
  • Remove unmanaged intermediate certificates
  • Turn off removable storage
  • Enable remote API access to ActiveSync
  • Block in-ROM applications
  • Enable specified unsigned applications to run as privileged
  • Enable specified unsigned applications to run as usual
  • Turn on device encryption

Device Receives Initial Policy and Becomes Unusable

This issue occurs if you configure the corporate proxy server policy incorrectly. To resolve this issue, update the corporate proxy server policy with the correct settings, or wipe the device and then re-enroll the user.

Error 2147467259 When Synchronizing Policy

This behavior occurs if you use the company proxy server setting in the applied Group Policy setting and the proxy server does not allow HTTPS over port 8443. After successful enrollment and Group Policy synchronization, all later Group Policy synchronization requests fail with the error message Fail (-2147467259). In this case, the following symptoms may occur:

  • The new Group Policy setting is not applied to the device
  • Remote wipe is not possible
  • Device management data is not updated

When the Corporate Proxy Server setting in Mobile virtual private network (VPN) Settings is applied, the device sends all HTTP and HTTPS communication through the company proxy server, both internally and externally (to the Internet). With this proxy setting applied, the device connects to the proxy over port 8080. Communication between the proxy and MDM Device Management Server occurs over port 8443. To enable this communication, the proxy server must allow port 8443 as a valid HTTPS port. By default, most firewalls and proxies are not configured to allow port 8443 for HTTPS.

To resolve this issue, do the following:

  • Make sure that the proxy can resolve the Domain Name System (DNS) name for MDM Device Management Server, and that this server can be accessed from the proxy
  • Configure the proxy server to tunnel HTTPS packets on port 8443. To allow tunneling port 8443 with Internet Security and Acceleration (ISA) Server as the proxy, follow these steps:
    • Use the AddTPRange.vbs script as described in Managing Tunnel Port Ranges at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=113972
    • In Mobile VPN Settings, under Corporate Proxy Server policy, configure <ProxyIPaddress>:8080 in the policy setting
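The following diagnostic is an added example and is not part of the MDM documentation or of ISA Server; it checks the two conditions above from the proxy host before changing the tunnel port range. The server and proxy names are placeholders, and the function names (Test-MdmProxyTunnel, Test-TcpPort, Test-ConnectStatusLine) are assumptions for this example. It resolves the MDM Device Management Server name, tests whether TCP port 8443 on that server is reachable directly, and then sends an HTTP CONNECT request through the proxy on port 8080 for the server's port 8443, which is exactly what the device's HTTPS traffic does. A proxy that tunnels the port answers with a 200 status line; any other status (ISA Server, for example, only tunnels ports 443 and 563 by default) confirms that 8443 must be added to the tunnel port range.

```powershell
# Added diagnostic; not part of the MDM documentation. Server and proxy
# names are placeholders. Run it on the proxy host (or a host that uses the
# same DNS and network path as the proxy).
function Test-TcpPort {
    param([string] $ComputerName, [int] $Port, [int] $TimeoutMs = 5000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $task = $client.ConnectAsync($ComputerName, $Port)
        # Wait() throws if the connection is refused; the catch turns that into $false.
        return ($task.Wait($TimeoutMs) -and $client.Connected)
    } catch {
        return $false
    } finally {
        $client.Dispose()
    }
}

function Test-ConnectStatusLine {
    param([string] $StatusLine)
    # A proxy that permits the tunnel answers "HTTP/1.x 200 ..."; 403, 502 or an
    # empty reply means port 8443 is outside the proxy's allowed HTTPS tunnel ports.
    return [bool]($StatusLine -match '^HTTP/1\.[01] 200\b')
}

function Test-MdmProxyTunnel {
    param(
        [Parameter(Mandatory)] [string] $DeviceManagementServer,  # placeholder FQDN
        [Parameter(Mandatory)] [string] $ProxyHost,               # placeholder FQDN
        [int] $ProxyPort = 8080,      # port the device uses to reach the proxy
        [int] $TargetPort = 8443,     # port the proxy must reach on the DMS
        [int] $TimeoutMs = 5000
    )
    $result = [ordered]@{
        DnsResolves        = $false
        ResolvedAddresses  = @()
        DirectTcpReachable = $false
        ProxyStatusLine    = $null
        ProxyTunnelsPort   = $false
    }

    # 1. The proxy must be able to resolve the DMS name.
    try {
        $addrs = [System.Net.Dns]::GetHostAddresses($DeviceManagementServer)
        $result.DnsResolves = $addrs.Count -gt 0
        $result.ResolvedAddresses = @($addrs | ForEach-Object { $_.IPAddressToString })
    } catch {
        Write-Warning "DNS lookup for $DeviceManagementServer failed: $($_.Exception.Message)"
    }

    # 2. The DMS must be reachable on 8443 from the proxy's network position.
    $result.DirectTcpReachable = Test-TcpPort -ComputerName $DeviceManagementServer -Port $TargetPort -TimeoutMs $TimeoutMs

    # 3. The proxy must accept an HTTPS tunnel (CONNECT) to 8443, as the device requests it.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        if (-not $client.ConnectAsync($ProxyHost, $ProxyPort).Wait($TimeoutMs)) {
            throw "Timed out connecting to proxy ${ProxyHost}:${ProxyPort}"
        }
        $stream = $client.GetStream()
        $stream.ReadTimeout = $TimeoutMs
        $request = "CONNECT ${DeviceManagementServer}:${TargetPort} HTTP/1.1`r`nHost: ${DeviceManagementServer}:${TargetPort}`r`n`r`n"
        $bytes = [System.Text.Encoding]::ASCII.GetBytes($request)
        $stream.Write($bytes, 0, $bytes.Length)
        $buffer = New-Object byte[] 4096
        $read = $stream.Read($buffer, 0, $buffer.Length)
        $response = [System.Text.Encoding]::ASCII.GetString($buffer, 0, $read)
        $result.ProxyStatusLine = ($response -split "`r`n")[0]
        $result.ProxyTunnelsPort = Test-ConnectStatusLine $result.ProxyStatusLine
    } catch {
        Write-Warning "CONNECT probe via ${ProxyHost}:${ProxyPort} failed: $($_.Exception.Message)"
    } finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

# Placeholder names; replace with your MDM Device Management Server and proxy.
Test-MdmProxyTunnel -DeviceManagementServer 'dms01.corp.example' -ProxyHost 'proxy.corp.example'
```

If DnsResolves or DirectTcpReachable is false, fix name resolution or the firewall path between the proxy and MDM Device Management Server first; if only ProxyTunnelsPort is false, the proxy's tunnel port range is the cause, and the AddTPRange.vbs step above applies.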

Policies Do Not Apply to Devices in an Organizational Unit

One possible cause is that MDM Device Management Server cannot access the Group Policy object (GPO) because of security hardening. See the Applying Group Policies to Devices Through Security Filtering topic in MDM Help.

If you did not run the ADConfig /enableGPSecurity command during installation, and if you removed Authenticated Users from the Security Filtering list for the GPO, you must add the SCMDMDeviceManagementServers security group to the list. This additional group makes sure that instances of MDM Device Management Server will have the necessary permissions to access the GPO.

Policy Is Repeatedly Sent to Device

If a policy is sent to a device and the device does not support the specified setting, the policy will not be cached and will be sent to the device repeatedly. For example, if you send the Allowed Bluetooth Profiles policy to a device that does not have Bluetooth, the device will respond with a 405 'Not Supported' error. The MDM Device Management Server will assume that the setting has not been configured correctly on the device and will attempt to resend the policy.

You can prevent this by targeting only those devices that support the setting, using filtering tools such as security groups, organizational unit (OU) location, or WMI filters.

Policies Do Not Apply When Special Characters Are Used

Enabling a Group Policy setting that contains special characters might result in the policy not being applied. Do not use special characters in the policy. Special characters include the following: !@#$%^&*()_{}|:"<>?.

Cannot Disable a Bluetooth Profile

If you use MDM to modify the Allowed Bluetooth profiles Group Policy setting, you may encounter the following issues:

  • Some Bluetooth profiles are not deleted.
  • When you enable a Bluetooth profile for the first time, and then later use the setting to disable the same Bluetooth profile, the profile is not disabled.

To resolve these issues, modify the ADM template file that includes the Allowed Bluetooth profiles Group Policy setting as described at the following page:

https://go.microsoft.com/fwlink/?LinkId=132113