Integrating MDM 2008 SP1 with Office Communications Server

2/9/2009

This guide helps you address the decisions and activities that are critical to successfully implement Microsoft System Center Mobile Device Manager (MDM) 2008 with Microsoft Office Communications Server 2007. It is written for information technology (IT) specialists, generalists, consultants, partners, or anyone who seeks technical information to plan, deploy, and support the infrastructure required to integrate MDM with Microsoft Office Communications Server 2007.

The document includes information about the following:

  • Common global Microsoft Office Communications Server 2007 scenarios
  • Prescriptive guidance on how to integrate an MDM deployment into each scenario for Office Communicator Mobile 2007
  • Name resolution
  • Network considerations
  • Common areas of interest, such as user authentication, software distribution, troubleshooting, monitoring, and reporting

This document does not provide step-by-step examples of deploying or operating an MDM infrastructure. Supplemental material is referred to throughout the document and the Supporting Documents for MDM section provides a generous list of supporting references the reader may find helpful.

This document has the following sections:

  • Microsoft Office Communicator Mobile 2007 Features
  • MDM and Office Communicator Mobile Topologies
  • Deploying and Configuring Communicator Mobile with MDM
  • Recommendations for Integrating MDM and Office Communications Server
  • Deployment Tools
  • MDM Monitoring
  • Reporting
  • Troubleshooting MDM
  • MDM Tools and Utilities
  • Supporting Documents for MDM

Microsoft Office Communicator Mobile 2007 Features

Communicator Mobile 2007 is an enterprise messaging client for mobile devices that integrates IM (instant messaging), presence, and telephony. For a complete overview of Office Communicator Mobile 2007 features, see https://go.microsoft.com/fwlink/?LinkID=116556.

MDM provides a means to deploy the Communicator Mobile client to Windows Mobile 6.1 devices, as well as establish a more secure communication channel between the mobile client and Office Communications Server 2007 infrastructure. In this document Office Communications Server 2007 components such as Front End Servers, Web Conferencing, SQL services, Telephony, and PBX services, will be referred to as an Enterprise Microsoft Office Communications Server 2007 Deployment.

MDM and Office Communicator Mobile Topologies

The scenarios discussed in this document focus on mobile MDM integration scenarios for Microsoft Office Communications Server 2007 with Microsoft Office Communicator Mobile 2007. Although the information is comprehensive, not every large enterprise Microsoft Office Communications Server 2007 scenario is discussed. The enterprise topologies considered for the document include centralized, decentralized, and decentralized topologies with branch offices. The following sections discuss each topology scenario.

Centralized Office Communications Server Topology

In the centralized topology, the implementation of an enterprise consists of multiple domains where all Microsoft Office Communications Server 2007 components are hosted at the central site. Users access Microsoft Communicator Mobile 2007 services across the LAN or WAN from local or regional company sites. The centralized topology is preferred by organizations that want to minimize the IT footprint and rely on relatively few groups in the organization to manage and monitor the web or portal environment. For more information on planning and deploying Microsoft Office Communicator Mobile 2007, see the “Microsoft Office Communicator Mobile (2007 Release): Planning and Deployment Guide” at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=116561.

MDM establishes an Internet Protocol Security (IPsec) Virtual Private Network (VPN) tunnel on the Internet between a domain-joined Windows Mobile 6.1 device and the company perimeter network. After a mobile device is connected to the Mobile VPN, the MDM Gateway Server role provides an Internet Protocol (IP) address from a VPN IP address pool for mobile devices. This allows mobile users to connect to Office Communications Server 2007 servers that are hosted in the company network at the central site.

Network Routing Considerations

You should consider the network routing implications when deploying Communicator Mobile clients to mobile devices. The Communicator Mobile 2007 client can connect to the Office Communications Server 2007 Edge Servers in the perimeter network or, after establishing the VPN tunnel to the MDM Gateway Servers, can connect directly to the Office Communications Server 2007 pools in the company network. The Communicator Mobile client must be able to establish Session Initiation Protocol (SIP) communications to the Office Communications Server Roles.

The Communicator Mobile client uses Transport Layer Security (TLS) over TCP port 443 when directing network communications to the Office Communications Server Edge Servers.

The Communicator Mobile client can connect to the server using HTTPS/TLS or TCP. The preferred mode of connection is TLS, and it is required when the client connects to the server while using an external Wi-Fi or mobile wireless network. It uses TLS over TCP port 5061 when directing SIP communications directly to the Office Communications Server server pools on the company network.

To integrate MDM with a centralized Office Communications Server 2007 enterprise topology, you must configure IP routing between the MDM Gateway Servers and the Office Communications Server 2007 edge servers or Office Communications Server server pools to enable Communicator Mobile client access from the Internet to the internal company network. Managed Windows Mobile 6.1 devices will use the IPsec protocol between the mobile VPN client and the MDM Gateway Servers to enhance the security of the TLS session to the edge servers or server pools. You may need to open additional ports on the external and internal firewalls to support services such as file transfer and audio/visual services, if not already supported by the Office Communications Server Edge servers.

For more information on the full range of ports required by the various Office Communications Server 2007 Server and client roles, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=121384.

For additional information about the configuration of firewalls in front of or behind the MDM Gateway servers, see the MDM Planning Guide at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=130854.

Note

The Communicator Mobile client does not use SRV records to locate Office Communications Server Access Edge servers.

For external access to succeed, Communicator Mobile must use TLS transport. By default, it uses port 5061, but it can use other ports, such as port 443, for external access. You must configure Communicator Mobile clients to include the port information in the server address. The correct format is <fully qualified domain name address>:<port number>. For example, you should configure the client to use sip.contoso.com:443 as the external server address if the Access Edge Server in Office Communications Server 2007 is configured to use the default remote client access settings. For more information about this port configuration on the Edge Server, see “Microsoft Office Communications Server 2007 Edge Server Deployment Guide” at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=121386.

For more information about Office Communications Server 2007 planning and to determine if you need Office Communications Server Edge Servers, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=121387.
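The following PowerShell script is an added example, not part of this guide or of the Communicator Mobile product. It takes the server address in the <fully qualified domain name address>:<port number> format described in the note above, opens the TCP connection, and completes a TLS handshake as the client would, so you can confirm from a host on the VPN address range that the route to the Edge Server (port 443) or the server pool (port 5061) is open and that the certificate presented validates for that name. The function names, the sample addresses, and PowerShell 3.0 or later as the minimum version are assumptions.

```powershell
# Added example (not from the MDM or Office Communications Server documentation).
# Checks TCP reachability and a TLS handshake for Communicator Mobile server addresses.
# Assumes PowerShell 3.0+ on a host with the same route as the MDM Gateway VPN pool.

function Split-SipServerAddress {
    # Accepts "<fqdn>" or "<fqdn>:<port>"; defaults to 5061, the client default for TLS.
    param([string]$Address)
    if ($Address -match '^(?<host>[A-Za-z0-9.-]+)(:(?<port>\d{1,5}))?$') {
        $port = if ($Matches['port']) { [int]$Matches['port'] } else { 5061 }
        return New-Object PSObject -Property @{ Host = $Matches['host']; Port = $port }
    }
    throw "Invalid server address '$Address' (expected <fqdn> or <fqdn>:<port>)"
}

function Test-SipTls {
    # Connects and authenticates as the server name; the handshake fails if the
    # certificate chain does not validate or the name does not match.
    param([string]$Address)
    $target = Split-SipServerAddress $Address
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($target.Host, $target.Port)
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($target.Host)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
            -ArgumentList $ssl.RemoteCertificate
        New-Object PSObject -Property @{
            Address = $Address; Reachable = $true; TlsOk = $true
            Subject = $cert.Subject; NotAfter = $cert.NotAfter; Error = $null }
    } catch {
        New-Object PSObject -Property @{
            Address = $Address; Reachable = $client.Connected; TlsOk = $false
            Subject = $null; NotAfter = $null; Error = $_.Exception.Message }
    } finally {
        $client.Close()
    }
}

# Constructed sample addresses: the external Access Edge address with its port,
# and an internal pool FQDN that falls back to port 5061.
$addresses = 'sip.contoso.com:443', 'pool01.contoso.com'
foreach ($a in $addresses) { Test-SipTls $a | Format-List Address, Reachable, TlsOk, Subject, NotAfter, Error }
```

A result with Reachable = True and TlsOk = False points at the certificate or the name in the address rather than at routing or firewall rules; Reachable = False points at the IP route or port between the MDM Gateway Servers and the Office Communications Server roles.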

The following illustration shows a managed device with the Communicator Mobile client establishing a VPN tunnel to the MDM Gateway Servers, then communicating to the Office Communications Server 2007 Edge Servers in the perimeter network. A solid line shows this communication. The dashed line shows how managed devices communicate directly to the Office Communications Server 2007 Server pool after terminating the IPsec VPN connection at the MDM Gateway Servers.

[Illustration: managed device with the Communicator Mobile client connecting through the MDM Gateway Server VPN tunnel to the Office Communications Server 2007 Edge Servers (solid line) and directly to the Office Communications Server 2007 Server pool (dashed line)]

Decentralized Office Communications Server Topology

The decentralized topology supports larger enterprises that have multiple domains and multiple locations and that manage Microsoft Office Communications Server 2007 in a decentralized way. This topology differs from an MDM infrastructure designed for a centralized Microsoft Office Communications Server 2007 topology in that the design emphasizes establishing the shortest, and ideally fastest, route to the Microsoft Office Communications Server 2007 server infrastructure. In most scenarios, we recommend that you direct traffic to the nearest Microsoft Office Communications Server 2007 edge servers so that the default proxy mechanisms operate as designed. Where the Microsoft Office Communications Server 2007 infrastructure is dispersed across geographic sites, you must provide a localized network route to the nearest well-connected company perimeter network.

The following illustration shows an example of a decentralized deployment of the Communicator Mobile client. The solid lines show the possible client communications to the Office Communications Server Edge Servers. The dashed lines show communications directly to the Office Communications Server server pools.

[Illustration: decentralized Communicator Mobile deployment; solid lines show client communications to the Office Communications Server Edge Servers, dashed lines show direct communications to the Office Communications Server server pools]

Network Routing Considerations

As in the centralized topology, you must plan the network routing for mobile device IP traffic between the MDM Gateway Server and the Microsoft Office Communications Server 2007 edge server in the perimeter network, because SIP traffic from the mobile device to Microsoft Office Communications Server 2007 crosses physical network boundaries and locations. Office Communications Server 2007 pools can span sites, or each site can have its own Office Communications Server 2007 pool. To allow Communicator Mobile clients to connect to the appropriate Office Communications Server 2007 pool as defined in Active Directory, you must understand the network routes that roaming requires.

Note

You must deploy Office Communications Server Access Edge Servers in a single site. In a decentralized MDM deployment, we recommend that you provide network connectivity directly to the Office Communications Server 2007 pools to minimize the number of jumps in the network route. If a managed device connects to an MDM Gateway Server in a secondary site, the Communicator Mobile traffic can traverse numerous network segments to route to the Office Communications Server 2007 Access Edge Servers in the central site’s perimeter network.

Decentralized Office Communications Server 2007 with Branch Offices

The decentralized Office Communications Server 2007 deployment with branch offices is similar to the decentralized scenario but requires support for remote locations. The branch office scenario supports a small office or retail site that has fewer than 100 workstations and little or no server infrastructure. Typically, branch offices have no web server components or MDM server roles deployed locally. Therefore, the branch office scenario resembles the centralized topology: mobile devices use the operator network to establish the shortest path to an MDM Gateway Server, which routes Communicator Mobile network traffic to the Office Communications Server 2007 server pool or directly to the Microsoft Office Communications Server 2007 edge server in the perimeter network at the central site.

Deploying and Configuring Communicator Mobile with MDM

You can use MDM to deploy software to managed Windows Mobile 6.1 devices. You do this by using Software Distribution and Windows Server Update Services 3.0 (WSUS). To deploy cabinet (.cab) files that have Office Communicator Mobile settings to mobile devices, MDM Software Distribution targets groups in WSUS and Active Directory Group Policy. Additionally, MDM can deploy the required root certificates for Microsoft Office Communicator Mobile 2007.

For a comprehensive description of the software distribution process in MDM, see Distributing Software to Managed Devices in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=11241.

The following steps summarize the MDM client process for software distribution:

  1. The mobile device connects through MDM Gateway Server at its scheduled connection time.
  2. The device connects to the Device Management Service on MDM Device Management Server. Communication is established between the device and the Device Management Service by using an OMA DM session.
  3. MDM Device Management Server checks its database to obtain the OMA DM commands for the device.
  4. MDM Device Management Server offers the software packages applicable to the device.
  5. The device downloads and automatically installs the software packages.
  6. The device reports the result of the installation back to MDM Device Management Server.

The following sections provide high level steps for preparing for deployment of Microsoft Office Communicator Mobile 2007 to managed mobile devices by using MDM Software Distribution.

Configuring the Communicator Mobile Client

The Communicator Mobile client requires additional configuration to successfully connect to the Office Communications Server 2007 infrastructure and provide presence information on the mobile device. For information about how to use an .inf file to configure a Communicator Mobile client by using ActiveSync, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=121406.

When deploying the Communicator Mobile client with MDM Software Distribution, you may need to provide Communicator Mobile client registry settings. In this way, you can reduce the amount of manual configuration experienced by the users. Users may still need to manually configure their sign-in name, username (in the form of <domain>\<username>), and password, but you can configure the registry with other information before you distribute packages.

Note

Registry values may be overwritten during program installation. You can apply group policy to persist registry settings, but the registry values may be temporarily replaced with default values immediately after program installation. When group policy is refreshed, the values are replaced by those specified by group policy.

The default policy calculation interval is 8 hours. However, you can change this value by using the Set-MobilePolicyServiceConfig cmdlet in the MDM Command Shell on the MDM Device Management Server. You can also force a policy refresh for an individual device by using the Update-MobilePolicyCalculation cmdlet on the MDM Device Management Server.

To configure the registry, you can change the following values in HKCU\Software\Microsoft\Communicator\System Settings on the device:

  • Server
    The server address to display in the External server name box in Communicator Mobile Options.
  • ServerInternal
    The server address to display in the Internal server name box in Communicator Mobile Options.
  • RememberPassword
    If set to 1, the Remember my password check box in Communicator Mobile Options is selected. If set to 0, the check box is cleared.
  • DisableCertCheck
    If set to 1, certificate revocation list (CRL) checking is disabled for the Communicator Mobile client. If set to 0, CRL checking is enabled.
  • AutoLogon
    If set to 1, the Automatically Sign in check box in Communicator Mobile options is selected. If set to 0, the check box is cleared. This setting is applied only if RememberPassword is set to 1.

You should manage the registry values required by the Communicator Mobile client through Group Policy. To do this, you would create a custom Group Policy Administration template (.adm) to manage the Communicator Mobile specific registry settings. For more information, see “Writing Custom ADM Files for System Policy Editor” at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=109295.
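The following PowerShell function is an added example, not part of this guide or of the Communicator Mobile product. It checks a set of the registry values listed above before they are pushed through Group Policy: both server values are present and well formed, the external Server value carries the port that external access requires, AutoLogon is not set without RememberPassword (the guide notes that it has no effect otherwise), and DisableCertCheck is flagged because setting it to 1 turns off CRL checking for the client. The function name and the sample values are assumptions; the sample is constructed for illustration.

```powershell
# Added example (not from the MDM documentation): sanity-check Communicator Mobile
# registry values before distributing them with Group Policy. Returns a list of
# findings; an empty list means the values are consistent with the settings above.

function Test-CoMoSettings {
    param([hashtable]$Settings)
    $findings = @()
    $fqdnWithOptionalPort = '^[A-Za-z0-9.-]+(:\d{1,5})?$'

    # Server and ServerInternal must both be present and be <fqdn> or <fqdn>:<port>.
    foreach ($name in 'Server', 'ServerInternal') {
        if (-not $Settings.ContainsKey($name) -or -not $Settings[$name]) {
            $findings += "$name is not set"
        } elseif ($Settings[$name] -notmatch $fqdnWithOptionalPort) {
            $findings += "$name '$($Settings[$name])' is not in <fqdn> or <fqdn>:<port> form"
        }
    }

    # External access requires the port in the address, for example sip.contoso.com:443.
    if ($Settings['Server'] -and $Settings['Server'] -notmatch ':\d+$') {
        $findings += "Server should include the port for external access (for example sip.contoso.com:443)"
    }

    # AutoLogon is applied only when RememberPassword is 1.
    if ($Settings['AutoLogon'] -eq 1 -and $Settings['RememberPassword'] -ne 1) {
        $findings += "AutoLogon=1 has no effect unless RememberPassword=1"
    }

    # DisableCertCheck=1 disables CRL checking on the client; keep it at 0 outside of testing.
    if ($Settings['DisableCertCheck'] -eq 1) {
        $findings += "DisableCertCheck=1 disables CRL checking for the Communicator Mobile client"
    }

    return $findings
}

# Constructed sample of the values a Group Policy template would set on the device.
$sample = @{
    Server           = 'sip.contoso.com'      # missing port: flagged
    ServerInternal   = 'pool01.contoso.com'
    RememberPassword = 0
    AutoLogon        = 1                      # no effect without RememberPassword: flagged
    DisableCertCheck = 0
}
Test-CoMoSettings $sample | ForEach-Object { Write-Warning $_ }
```

Running the check against the sample above produces two warnings (the missing port on Server and AutoLogon without RememberPassword); fix the values in the policy rather than on individual devices, because the note above explains that Group Policy replaces device-local values at the next refresh.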

The following example is a custom .adm template that you can use to define registry settings. You can use this example to create a new Administrative Template for managing registry settings on mobile clients. For example, you can use this template to include a group of policies for defining the server names for the internal and external Office Communications Servers.

;======================================================================
; Custom Registry Administrative Template File
; _version="1.0"
;======================================================================
CLASS MACHINE
CATEGORY "Custom Registry Settings"
   CATEGORY "Communicator Mobile"
      POLICY "Communicator Mobile"
         EXPLAIN !!ExplainCoMo
         KEYNAME "SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKCU\Software\Microsoft\Communicator\System Settings"
         PART "Server"
            EDITTEXT
            VALUENAME "Server"
         END PART
         PART "ServerInternal"
            EDITTEXT
            VALUENAME "ServerInternal"
         END PART
      END POLICY
   END CATEGORY
END CATEGORY

[STRINGS]
; The EXPLAIN keyword above references this string, so it must be defined here.
ExplainCoMo="The Server value indicates the public FQDN of the Office Communications Server services. The ServerInternal value indicates the internal FQDN of the services, for example sip.contoso.com."

For the ExplainCoMo string, the Server value indicates the public FQDN of the Office Communications Server services, and the ServerInternal value indicates the internal FQDN of the services (for example, sip.contoso.com). For more information about configuring registry values for Communicator Mobile, see https://go.microsoft.com/fwlink/?LinkID=121406.

You can use Group Policy to set these values, and then use the existence of these values as a dependency to install the Communicator Mobile client package. The dependency is defined during package creation. For more information, see “Creating a New Package” in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=11241.

Note

You can use third-party tools to modify .cab files to include the required registry settings and preconfigure portions of the Communicator Mobile client.

Preparing the Environment for Software Distribution

  1. Configure Active Directory Group Policies to deploy the required root certificates to the Software Publisher Certificate (SPC) and Unprivileged Execution Trust Authorities stores on the mobile devices.
    The SPC store governs cab installation on a Windows Mobile Device. The Unprivileged Execution Trust Authorities store is used by Windows Mobile security to control code execution. If an executable can be chained up to a certificate in this store, it is considered signed and is assigned a trust level based on the device security policies. For more information about this process, see “Importing Certification Authority (CA) Certificates” in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=11241.

  2. Create a Personal Security Certificate (PFX) and code signing template for signing the Microsoft Office Communicator Mobile 2007 cab files. For more information, see “Creating the Personal Information Exchange (PFX) Certificate” in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=112415.

    Note

    It is advantageous to use the same certificate chain to create the code signing certificate as the one used to issue the MDM client certificates. That certificate chain is automatically deployed to the MDM mobile client Root Certificate store during device enrollment. You must still install the Root Certificate in the SPC and Unprivileged Execution Trust Authorities stores.

  3. Export the PFX file generated in the previous step, and then copy it to the trusted publishers and enterprise root certificate stores on the machine that you will use to sign the Microsoft Office Communicator Mobile 2007 cab files.

  4. Download Microsoft Office Communicator Mobile from Microsoft Downloads, and then run the .msi to extract the .cab files for mobile clients. Microsoft Downloads is at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=121409.

    Note

    There are two .cab files; one for the Windows Mobile Professional (Communicator.PPC.cab) and one for Windows Mobile Standard (Communicator.SP.cab). You must package each .cab separately for the appropriate device.

  5. Install the Code Signing Certificate to the Trusted Root Certification Authorities store and the Trusted Publishers store for the machine that will be used to sign .cab files. If you run MDM Software Distribution Console on a separate computer, follow these steps on both the computer that has the console and the computer that has the WSUS server. For more information, see “Publishing .Cab Files” in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=11241.

Note

In MDM 2008 SP1, you can sign .cab files as part of the package creation process before you distribute the files instead of using a separate tool to sign the files. The PFX file created in this procedure is still required and must be referenced when you create the package if you want to distribute signed .cab files. Packages can be created without signing the .cab files, but it is considered a best practice to sign packages to help make sure that they are trusted and originate from an authorized publisher.

Software Distribution Steps

  1. In the MDM Software Distribution Console, create a Software Distribution Device Group for targeting the Microsoft Office Communicator Mobile 2007 cab files to mobile devices. To organize a set of mobile devices into a managed collection, you must create a device group into which you can add the mobile device accounts.
  2. Configure Software Distribution to either use client-side or server-side targeting.
    By default, MDM Software Distribution uses server-side targeting, meaning the MDM Software Distribution Console is used to manage device group membership. Client side targeting uses either group policy or registry values on the mobile devices to associate devices to the groups defined in the console. To enable client-side targeting, you would change the Targeting Options on the Devices node in the console and then configure client side targeting with group policy. For more information, see MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=112415.
  3. Use the Create Package Wizard to create a .cab package for deployment to mobile devices.
    This tool lets an administrator create a software package, sign the .cab files, choose the devices that will receive the package, set specific dependencies, and control the installation. After a software package is created in the MDM Software Distribution Console, the package must be approved by IT administrators for deployment to managed devices. For more information about creating packages for MDM software distribution, see Distributing Software to Managed Devices in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=112415.

To determine whether the application installed on the mobile devices that had the software distribution policy applied, select Start, and then choose Programs. If the application installed successfully, Microsoft Office Communicator Mobile 2007 appears under Programs.

Validating Functionality

Like many applications designed to support Internet based clients, you should make sure that there is end-to-end functionality from the company network, through the perimeter, and ultimately to the mobile device client. Once installed and configured with the appropriate server sources, credentials, and password, the Communicator Mobile client should successfully sign in. The presence of users online should then be visible and the presence of users logged in should change between online, away, busy, and so forth.

Communicator Mobile Deployment Troubleshooting

Package Creation

Two common errors may occur when creating packages for Communicator Mobile deployment:

  • Verification of the file signature failed for the file <path to .cab file>. This error occurs during the initial steps of defining the package. It indicates that the code signing certificate is not found in the Trusted Publishers store of the host that is creating the package using the MDM Software Distribution Console. Make sure that the code signing certificate, with the private key, has been imported into the local machine’s Trusted Publisher container.
  • The file for this package failed to download. Please check the file credentials and recreate package using the create package wizard. This error occurs during the final phase of package creation when certificate validation errors prohibit the package from being sent successfully to WSUS. Make sure that the code signing certificate, with private key, is imported to the local machine’s Trusted Publisher container on the host system where WSUS is installed.
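The following PowerShell script is an added example, not part of this guide or of MDM itself. It checks the certificate prerequisites from the Preparing the Environment for Software Distribution procedure that the two package-creation errors above point to: the code signing certificate is present in the local machine's Trusted Publishers store with its private key, carries the Code Signing enhanced key usage, and chains to a trusted root in the local machine store. It also reads the Authenticode signature on a .cab with Get-AuthenticodeSignature. The function names, the thumbprint placeholder and the sample .cab path are assumptions; run it in an elevated PowerShell 3.0 or later session on the host that runs the MDM Software Distribution Console and, if separate, on the WSUS host.

```powershell
# Added example (not from the MDM documentation): verify the signing prerequisites on a
# package-creation host and inspect a .cab signature. Assumes PowerShell 3.0+ (for the
# EnhancedKeyUsageList property on certificate objects) and an elevated session.

$CodeSigningEku = '1.3.6.1.5.5.7.3.3'   # id-kp-codeSigning

function Test-CabSigningPrereqs {
    param([string]$Thumbprint)   # thumbprint of the PFX imported in the procedure above
    $result = New-Object PSObject -Property @{
        InTrustedPublisher = $false; HasPrivateKey = $false
        HasCodeSigningEku = $false; ChainToTrustedRoot = $false; Issues = @() }

    $cert = Get-ChildItem Cert:\LocalMachine\TrustedPublisher |
        Where-Object { $_.Thumbprint -eq $Thumbprint } | Select-Object -First 1
    if (-not $cert) {
        $result.Issues += 'Certificate not found in LocalMachine\TrustedPublisher (expect the "Verification of the file signature failed" error)'
        return $result
    }
    $result.InTrustedPublisher = $true

    # The signature step needs the private key; a public-only import is a common cause of failure.
    $result.HasPrivateKey = $cert.HasPrivateKey
    if (-not $cert.HasPrivateKey) { $result.Issues += 'Certificate has no private key; re-import the PFX with its key' }

    $result.HasCodeSigningEku = [bool]($cert.EnhancedKeyUsageList.ObjectId -contains $CodeSigningEku)
    if (-not $result.HasCodeSigningEku) { $result.Issues += 'Certificate lacks the Code Signing enhanced key usage' }

    # Build the chain against the machine stores; revocation is not checked here because the
    # question is store membership, not CRL reachability.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $result.ChainToTrustedRoot = $chain.Build($cert)
    if (-not $result.ChainToTrustedRoot) {
        $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ','
        $result.Issues += "Chain does not build to a trusted root ($status); import the root into LocalMachine\Root"
    }
    return $result
}

function Test-CabSignature {
    # Reports the Authenticode status and signer of a .cab, for example after signing it in the Create Package Wizard.
    param([string]$CabPath)
    $sig = Get-AuthenticodeSignature -FilePath $CabPath
    New-Object PSObject -Property @{
        File = $CabPath; Status = $sig.Status
        Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
        SignerThumbprint = if ($sig.SignerCertificate) { $sig.SignerCertificate.Thumbprint } else { $null } }
}

# Placeholder values (not from the guide): substitute the thumbprint of your imported PFX
# and the path where you extracted Communicator.PPC.cab from the .msi.
Test-CabSigningPrereqs -Thumbprint '<THUMBPRINT-OF-IMPORTED-PFX>' |
    Format-List InTrustedPublisher, HasPrivateKey, HasCodeSigningEku, ChainToTrustedRoot, Issues
Test-CabSignature -CabPath 'C:\CoMo\Communicator.PPC.cab' | Format-List File, Status, Signer, SignerThumbprint
```

A Status of NotSigned on the .cab before packaging is expected; after the wizard signs it, Status should be Valid and SignerThumbprint should equal the thumbprint you checked with Test-CabSigningPrereqs. If SignerThumbprint differs, the package was signed with a different certificate than the one present in the Trusted Publishers store on the WSUS host, which produces the second error above.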

Group Policy

You may need to determine which Group Policy settings have been applied to mobile devices. You can use the Group Policy Management Console to view the applied and denied GPO status and the effective settings for a user and device, or for a device alone for machine settings. To query a device for the GPO status and effective settings, use the container named Windows Mobile Group Policy Results in the console.

Right-clicking the container reveals a popup menu with an option to start the Windows Mobile Group Policy Results Wizard. The wizard then steps you through various options to select a device from Active Directory, or a user name and a device associated with that user. The result is a report with three tabs: Summary (Applied GPOs, Denied GPOs, and so on), Settings, and Policy Events.

You can use the Group Policy Modeling container in the Group Policy Management Console to start the Group Policy Modeling Wizard. This wizard simulates the effective application of group policies and their settings by targeting users and containers in Active Directory.

The Windows Mobile Group Policy Results query retrieves the policy settings that are currently applied to the specific device.

Software Distribution

If software distribution fails to publish, the most likely cause is that the required certificates are not present in the certificate stores on the publishing machine and/or the MDM Device Management Server.

If software distribution fails to install software on the mobile device, the most likely cause is that the software distribution publishing certificates are not in the correct certificate stores on the device. The following list shows ways that you can resolve this issue:

  • Run the MDM Shell cmdlet Update-MobilePolicyCalculation -DEVICENAME on the MDM Device Management Server, where DEVICENAME is the name of the device that is failing.
  • Before targeting software for installation, use the MDM ConnectNow tool to force an OMA-DM session with the MDM Device Management Server. This ensures that the software publishing certificates have been pushed to the device before MDM Software Distribution offers software to the device.

Overall, if software distribution fails for any reason, Mobile Device Manager retries the distribution after seven days by default. The seven-day count starts when the device notifies the MDM Device Management Server of the installation failure. You can change the default retry interval by running the MDM Shell cmdlet Set-SoftwareDistributionConfig -ReofferPeriodDays, where a value of 0 reoffers the software package at the next OMA-DM session.

Note

We recommend that you set the Set-SoftwareDistributionConfig -ReofferPeriodDays value to 0 only in test MDM environments.

The following illustration shows the simple installation flow for new devices in MDM:

[Illustration: installation flow for new devices in MDM]

The following illustration shows the simple MDM software distribution package flow for software distribution failures.

[Illustration: MDM software distribution package flow for software distribution failures]

The following illustration shows the different package reporting conditions in the MDM Software Distribution Console. This information helps you understand the meaning of software package status in MDM.

[Illustration: package reporting conditions in the MDM Software Distribution Console]

Troubleshooting Office Communicator Mobile 2007

You can download the Microsoft Office Communicator Mobile (2007 Release): Troubleshooting Guide from this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=121478.

Recommendations for Integrating MDM and Office Communications Server

MDM Co-existing with Legacy Devices Connecting to Office Communications Server 2007

If legacy mobile device support is currently available, it is likely that Office Communications Server Edge servers are deployed in the perimeter network and the incoming communication traffic is published. The Communicator Mobile client installed and configured on MDM managed devices can use the existing perimeter servers. This eliminates the need to open additional network ports to provide a route to the Office Communications Server servers on the company network. Both earlier versions of mobile devices and MDM managed mobile devices can connect to the same Office Communications Server edge servers over TCP port 443. The edge servers direct traffic to the appropriate Office Communications Server server pools in the company network.

MDM Introduced to a New Office Communications Server Environment

If there is no pre-existing support for Internet-based Communicator Mobile clients prior to MDM deployment, you can direct incoming traffic directly to the Office Communications Server server pools in the company network. This requires that you establish the appropriate network ports and routes between the MDM Gateways and the Office Communications Server servers in the company network.

Deployment Tools

The following tool is described in the Planning Guide for MDM 2008 SP1, which provides prescriptive deployment guidance.

ADConfig

The Active Directory Configuration Tool (ADConfig) is a configuration tool that you must use to configure Active Directory for MDM 2008 SP1. ADConfig lets you do the following:

  • Create the Active Directory Universal Security Groups and containers for MDM 2008 SP1
  • Add the service connection point (SCP) for MDM 2008 SP1
  • Create the Mobile Device Templates in the enterprise certification authority

For more information about ADConfig, see Configure Active Directory for MDM.

MDM Administrator Tools

The following administrative tools are further described in Operations for Mobile Device Manager.

MDM Console

MDM Console is the core MDM management MMC snap-in tool that is included with MDM Shell. This console lets you perform the following:

  • Start pre-enrollment requests
  • Manage all Windows Mobile powered devices attached to the domain
  • Configure the MDM system infrastructure
  • Configure MDM Gateway Server
  • Perform tasks, such as a device wipe

Group Policy Extensions

With the Group Policy Management Console (GPMC), you can push MDM group policies to Windows Mobile powered devices and enforce these policies. GPMC with the MDM extensions is not supported on 64-bit operating systems, except for the Windows Vista operating system. For more information, see Enforce Group Policy Settings on Managed Devices in Planning for MDM at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=130854.

MDM Software Distribution Management Console

The MDM Software Distribution Console is a custom MDM WSUS console that provides software distribution capabilities and the ability to push software .cab files to a Windows Mobile powered device. For more information, see “Overview of MDM Software Distribution” in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=112415.

MDM Shell

The MDM Shell offers more than 40 cmdlets you can use to automate administrative tasks for MDM servers. For more information, see the section Supporting Documents for MDM in this document, and “MDM Shell Cmdlets” in MDM Operations at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=112415.

MDM Monitoring

We recommend that you monitor the health of the MDM infrastructure and services by deploying System Center Operations Manager (SCOM) along with the MDM 2008 SP1 management pack. For additional information about planning and deploying SCOM, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=116245.

The SCOM management pack for MDM monitors the health of the following server roles and activities:

  • MDM Setup
  • Device Management Server Health
  • MDM Device Management Server Health
  • MDM Gateway Server Health
  • MDM Self Service Portal Health

After the SCOM agent is installed, registry values identify the various MDM server roles, and the appropriate role-oriented rules are deployed automatically to MDM hosts. The first release of the MDM management pack interrogates the Windows event logs to distinguish between successful and unsuccessful health states, as well as the results of key operations such as MDM setup.

The MDM management pack evaluates the following actions:

  • MDM Device Management Server Setup, Uninstall, and Cleanup
  • MDM Gateway Server Setup, Uninstall, and Cleanup
  • MDM Administrator Tools Setup, Uninstall, and Cleanup

The MDM management pack evaluates the health of the following MDM Device Management Server services:

  • Device Management Engine
  • AD/GP Driver
  • Wipe Driver
  • Software Distribution Driver
  • Alerter Service
  • Gateway Central Management Service
  • Admin Service Core

The MDM management pack evaluates the health of the following MDM Enrollment Server services:

  • Enrollment System Service
  • Enrollment Web Service
  • Enrollment Administration Services

The MDM management pack evaluates the health of the following MDM Gateway Server services:

  • MDM Mobile VPN Driver
  • MDM Mobile VPN Policy Engine
  • VPN Agent
  • Timeout Detection
  • Alerter Agent

MDM Self Service Portal is monitored for the following areas relative to configuration and capacity:

  • MDM Self Service Portal Web site configuration properly loaded
  • Disk free space for MDM Self Service Portal log files
  • Proper permissions applied to App_Data folder
  • Corrupt MDM Self Service Portal log files
  • MDM Self Service Portal log file size

Note

MDM Gateway Servers are deployed in workgroup mode. Therefore, communications between the MDM Gateway Servers in the perimeter network and the SCOM infrastructure require mutual authentication. For more information, see "About Gateway Server in Operations Manager 2007" at this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=116246.

MDM Reporting Services

MDM Reporting Services provides a reporting and data access service across all feature areas of MDM. MDM Reporting Services is based on and integrated with SQL Server Reporting Services 2005 (SSRS).

To download the tool, see MDM Reporting Services at the following Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=108953. The MDM Reporting Services User's Guide, included in the download, provides information to help you understand and run MDM reports. For more information about MDM Reporting Services, see Reporting Services User's Guide for MDM 2008 SP1.

The Device Asset Report is a useful report to use with Exchange Server integration. This report provides a history of each managed device, including the system identifier (ID) that the managed device has been assigned based upon the hardware ID — that is, the IMEI, MEID, or ESN number. The report also lists the people to whom the managed device has been assigned, based on their system ID and the device hardware ID.

The Group Policy Objects Report describes MDM Group Policy information for groups of items, such as the number of managed devices to which a specific Group Policy setting has been applied. The report also lists the success and failure of specific Group Policy actions that MDM Group Policy has attempted to apply to each managed device. The report rolls up Group Policy information based upon the following aspects:

  • The number of devices affected by a specific Group Policy
  • The success rate of Group Policy objects
  • The failure rate of Group Policy objects

For each line in the report, you can drill down to view the details for each managed device.

You can use the following parameters to filter the results of the report:

  • Device Domain
  • Device OU
  • Policy Name
  • Status

The Group Policy Settings Report describes MDM Group Policy information for groups of items, such as the number of managed devices to which a specific Group Policy has been applied. You can also list the success and failure rates of specific Group Policy settings performed on each managed device. This report rolls up Group Policy information based upon the following aspects:

  • The number of devices affected by a specific Group Policy
  • The success rate of Group Policy settings
  • The percentage failure rate of Group Policy settings

For each line of the report, you can drill down through the report details to view the details of each device.

You can use the following parameters to filter the results of the report:

  • Device Domain
  • Device OU
  • Device Name
  • Category
  • Policy
  • Status

To create custom reports, you can use the SQL Server Report Builder tool together with the report models provided with MDM Reporting Services. Report Builder has a report layout template that contains predefined data regions. You can select a predefined report model, which contains report items such as data fields; then drag-and-drop the report items onto the data regions in the template. You can apply filters to the report to refine the data to be displayed. The MDM report model contains all of the information required for Report Builder to automatically generate a query to retrieve the requested data.

Troubleshooting MDM

You can find online documentation to assist with troubleshooting MDM at the following Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=130855.

This documentation provides the following to help you address troubleshooting issues:

  • Overview of Troubleshooting MDM Setup
  • MDM Gateway Server Issues
  • MDM Enrollment Issues
  • MDM Device Management Issues
  • MDM Software Distribution Issues
  • MDM Group Policy Issues

In addition, the following logs and utilities are commonly used to troubleshoot MDM-related issues.

Event Viewer

MDM populates Application, System, and Security events in the Event Log. Use Event Viewer to obtain information and details when a specific issue occurs.

MDM Logging

The SCMDMsetup.log file contains information that is collected from MDM component .msi installation logs. However, it does not contain verbose installer data, and does not report return values for custom actions. You can get more comprehensive information, including return values, from the .msi logs for each MDM component installation.

Windows Installer version 3.1 .msi logs provide details about the installation of server roles and components in the DM.log, Enrollment.log, and AdminTools.log.

The Verbose Windows Installer Logging tool (WILogUtl.exe) produces a verbose log file that you can use to find the source of an error.

An MDM Event Viewer node is created when MDM system components install. This provides information on application and installation errors.

The VPNGateway.log file is created in the Temp directory during the MDM Gateway Server Setup process.

Windows Software Trace Preprocessor (WPP)

You can enable WPP tracing by using MDM Shell cmdlets. The resulting log files can be analyzed for debugging and troubleshooting issues.

Services Snap-In

Use the Services MMC snap-in to start, stop, and verify that certain services are running.

MDM Console

Use the MDM Console for device status information or package installations.

MDM Command Shell

Use MDM Shell to run cmdlets that retrieve data or set configurations.

ADSIEDIT

Use ADSIEdit.msc to view and change Active Directory. This tool is a low-level editor for Active Directory that provides a graphical user interface (GUI). It is useful to add, delete, and move objects in a directory service.

Report Viewer

Use the Report Viewer tool to collect data from Active Directory and the MDM databases. MDM Reporting Services uploads data to a reporting database for comprehensive and detailed reporting capabilities.

Logman

Use Logman.exe when the Windows Event Logs are insufficient for troubleshooting a problem. You can start WPP tracing for the VPN server to obtain detailed trace logs.
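The WPP tracing step described under Windows Software Trace Preprocessor (WPP) and Logman above, as an added PowerShell example that is not part of this documentation or of the MDM product. The session name, output path and especially the provider GUID are assumptions; the GUID is a placeholder to be replaced with the MDM Mobile VPN provider GUID for your release.

```powershell
# Added example, not from the MDM documentation: wrap Logman.exe so that a WPP
# trace of the MDM Mobile VPN components on an MDM Gateway Server can be
# started, stopped and collected. The provider GUID below is a PLACEHOLDER.
$SessionName  = 'MDM-VPN-WPP'                                  # assumed name
$ProviderGuid = '{00000000-0000-0000-0000-000000000000}'      # PLACEHOLDER GUID
$OutputFile   = 'C:\Traces\MdmVpn.etl'                         # assumed path

function Start-MdmVpnTrace {
    # Create a 256 MB circular trace session at verbose level (0xFF) with all
    # keywords (0xFFFFFFFF), overwrite any earlier .etl, then start it.
    New-Item -ItemType Directory -Path (Split-Path $OutputFile) -Force | Out-Null
    logman create trace $SessionName -p $ProviderGuid 0xFFFFFFFF 0xFF `
        -o $OutputFile -f bincirc -max 256 -ow
    if ($LASTEXITCODE -ne 0) { throw "logman create failed with $LASTEXITCODE" }
    logman start $SessionName
    if ($LASTEXITCODE -ne 0) { throw "logman start failed with $LASTEXITCODE" }
}

function Stop-MdmVpnTrace {
    # Stop and remove the session; the .etl file stays on disk for analysis.
    logman stop $SessionName
    logman delete $SessionName
    # WPP output is binary and is decoded only with the matching TMF files
    # (tracefmt.exe from the Windows Driver Kit) or by Microsoft support, so
    # hand the .etl over unchanged; the size is useful for disk-space checks.
    Get-Item $OutputFile | Select-Object FullName, Length, LastWriteTime
}

# Usage: Start-MdmVpnTrace; reproduce the VPN problem; then Stop-MdmVpnTrace.
# While tracing, confirm the session is live with: logman query $SessionName
```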

MDM Tools and Utilities

The MDM Resource Kit Tools package provides server tools and client tools.

MDM Server Tools

The MDM 2008 SP1 Resource Kit Tools are available to download and include the MDM Server Tools. To download the tools, see MDM Server Tools at the following Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=127030.

MDM Server Tools includes a number of tools, such as the following:

  • MDM Bulk Pre-Enrollment Tool
  • MDM Application Hash Code Tool
  • MDM Cleanup Tool
  • MDM Device Enrollment Cleanup Tool
  • MDM Certificate Tool

MDM Bulk Pre-Enrollment Tool

This command-line tool enables administrators to pre-enroll groups of Windows Mobile powered devices in MDM. Bulk pre-enrollment can be simpler and more efficient than pre-enrolling a large number of devices individually. As part of pre-enrollment, the tool generates passwords that administrators can share with users so that users can enroll their devices.

MDM Application Hash Code Tool

This tool lets administrators create an XML file that includes SHA-1/MD5 hash codes of an application. An administrator can use the file together with a Group Policy Object (GPO) to allow or prevent that application from running on managed devices.

MDM Cleanup Tool

This command-line tool enables administrators to completely uninstall MDM from servers. This tool is helpful when other removal options, such as the MDM un-installation wizard and Add/Remove Programs, have not fully removed MDM components and settings.

MDM Device Enrollment Cleanup Tool

This PowerShell script-based tool helps administrators remove older or no-longer-needed managed devices from the MDM system. The tool removes the entries for those devices that still exist in Active Directory and the MDM databases.

MDM Certificate Tool

This command-line tool helps administrators request certificates for MDM components. Administrators can also set Access Control Lists (ACLs) on certificates, place requested certificates in a specific folder, and invalidate Global Certification Manager (GCM) certificates.

MDM Best Practices Analyzer Tool

MDM Best Practice Analyzer (BPA) Tool helps you to analyze the prerequisites for MDM setup and deployment. Because each MDM server component has different prerequisites, the tool helps you to plan and build a successful deployment environment by assessing each server's readiness for MDM before you run MDM Setup.

In addition to analyzing the readiness of each server, BPA Tool helps you to verify the firewall configuration that MDM requires between servers running MDM Device Management Server and servers running MDM Gateway Server. After you deploy MDM, you can then run a post-deployment scan to help make sure your installation works properly and follows MDM best practices.

To download BPA Tool, see MDM Best Practices Analyzer Tool at the following Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=127030.

MDM Client Tools

The MDM 2008 SP1 Resource Kit Tools are available to download and include the MDM Client Tools. To download the tools, see MDM Client Tools at the following Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=127030.

The following tools are included in MDM Client Tools, along with MDM Managed Device Status Viewer.

MDM Connect Now Tool

MDM Connect Now Tool enables managed device users to download new software updates queued since the managed device last synchronized with MDM. The tool initiates a session between MDM Device Management Server and a managed device. Once the tool establishes a connection, new software updates are downloaded to the managed device.

MDM VPN Diagnostics Tool

MDM VPN Diagnostics Tool helps users diagnose VPN issues between MDM and the devices it manages. The tool lets users see the VPN configuration and status on the managed device and diagnose any VPN-related problems. The tool also lets the user collect logs from their device and send them to a diagnostics team for further analysis.

Supporting Documents

The following Microsoft Web sites and technical articles provide background information that may be useful for planning and deploying MDM 2008 SP1.

Designing a Group Policy Infrastructure—provides an overview of Group Policy, describes how you can plan and design your Group Policy model, and how to deploy and maintain Group Policies. To view Designing a Group Policy Infrastructure, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=75201.

Best Practices for Active Directory Delegation—describes how delegation works in Active Directory, and provides best practices. To view Best Practices for Active Directory Delegation, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkId=120179.

Getting Started with MDM—provides information to help you understand MDM and the available tools and resources. To view Getting Started for MDM, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=108949.

MDM Architecture Guide—describes the standards-based solution for integrating mobile and handheld devices as trusted and fully managed members of the enterprise with minimal effect on existing infrastructure. To view Architecture for MDM, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=116397.

MDM Planning Guide—helps administrators design and plan an MDM 2008 deployment in an Enterprise environment. It provides detailed information and recommendations to help you make accurate design decisions while planning your organization's deployment. To view Planning for MDM, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=130854.

MDM Deployment Guide—describes the steps to deploy the MDM system. To view Deployment for MDM, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=10895.

MDM Operations—provides information on how to manage MDM devices, distribute software to managed devices, manage MDM Servers, and configure MDM Services. To view Operations for MDM, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=112415.

Security and Protection for MDM—provides prescriptive guidance for configuring security-related features in MDM. It also provides guidance for reducing the attack surface of the MDM infrastructure and for using security features such as:

  • Encrypted access to e-mail and line-of-business (LOB) applications from the Internet
  • Certificate based authentication for virtual private network (VPN)
  • Device Inventory and Health inspection
  • Application approval and blocking
  • Remote device wipe to remove sensitive data from lost, stolen, or compromised devices
  • Security policies to help protect devices

Follow the guidelines provided here to help protect company data and communications when you implement MDM in your organization.

To view Security and Protection for MDM, see this Microsoft Web site: https://go.microsoft.com/fwlink/?LinkID=130987.