System Center Mobile Device Manager 2008 – Install Guide (No Gateway) – Part 1

I mentioned it only briefly in my last post, but Microsoft has a product in the System Center family that let you take control of your Windows Mobile devices, and make the mobile devices part of the domain just like any other computer in your LAN (and WAN). And obviously once they are part of your network you can distribute software, configure settings on the device, etc. This product has the tongue-twisting name of System Center Mobile Device Manager 2008, or SCMDM2008 for short. (Some refer to it as MDM, but since this acronym can also mean Mobile Device Management in general, it’s better to use it only in a given context where it’s implied there’s an SC in front. Apologies for being a nit-picker 🙂 )

I’m not going into all the features and sales “fluff” here however, and intend to provide a practical and technical hands-on approach instead. If you have no knowledge of what it’s all about I advice you have a few looks on the product page (and then return here):

If you look into the TechNet Library you’ll find lots of documentation on the product, how to plan for implementation, architecture, deploying, reference materials, etc. And the documentation is good, but there’s a lot of it, and if you just want to test drive it for yourself you might not be interested in reading 200 pages of architectural considerations. Participating in the TechNet forums I see a lot of people are having problems evaluating this product since it is a pretty complex solution, with a lot of steps that need to be performed in specific orders. With this in mind I decided to write some how-to’s hopefully helping someone along the way. I don’t claim to have all the answers myself, and I have also struggled with some issues, but I’ll try to produce a guide that will let you set it up in your own lab and actually get it to work 🙂

I’ll probably divide this into several guides, detailing different scenarios, and maybe going in depth regarding some aspects of the solution. In this first scenario I’ll try a very basic scenario:
– All devices connect through LAN. No GPRS, or other external access.
– No gateway or VPN tunnel. All devices connect directly to the Enrollment and Device Management server.
– “Everything” installed on one server. This includes Enrollment Server, Device Management Server, SQL Server and WSUS Server. The exception is the Domain Controller which is a separate server (also hosting a Certificate Authority).
I call this the “SCMDM – No Gateway”-scenario.

One caveat with this scenario is that you will not be able to use the “Wipe now”-feature. Your devices will be wiped on the next scheduled connection to the server. This is because this feature is dependent on the Gateway server. (I will not go into further details, the technical reasoning behind this is explained in the TechNet Library.)

I know there are a lot of different network setups out there, with different firewalls, routers, etc. And this makes writing generic guides difficult. The scenario I walk through here should however be fully reproducible in your lab since it is a very stripped down setup. No firewalls, no routers, no Internet – just two virtual servers and a few innocent mobile devices.

This would be how our tiny little infrastructure looks like 🙂


Some technical details regarding how I configure these “boxes”:
– Everything is virtualized on a single physical computer with one physical NIC, running Windows Server 2008 with Hyper-V. As far as I know it’s not supported in a production environment to do this, but it’s not a problem for lab work. System Center will install with less than the recommended/required 4GB, but obviously the more the better. I’m using a quad-core Xeon with 8GB RAM as the host machine, but I’ve done some testing previously on a Core 2 with 4GB which also works albeit somewhat more “sluggish”.
– The Domain Controller is Windows Server 2003 R2 32-bit Enterprise Edition with 512MB RAM. 32-bit is required to use the Group Policy tools, so unless you have any other compelling reasons to go 64-bit stick with 32-bit for this scenario.
– SCMDM Server is Windows Server 2003 x64 Enterprise Edition with 2GB RAM. 64-bit is a requirement, which means Hyper-V is the only option if you’re using virtualization from Microsoft.

The domain controller has to be Enterprise Edition because of the Enterprise CA we are running. You can install an Enterprise CA on Standard Edition as well, but you will not be able to define your own certificate templates, which is something we need for SCMDM. (The certificates for the mobile devices are based on a custom template generated by the SCMDM install process.)

I’m using the English version of Windows Server 2003, and SCMDM. You can use other languages, but keep in mind that you can’t mix language components. So if you have another language of Windows Server you need to check you are installing the same version of ASP.NET, etc. Since English is the default in a Microsoft world I stick with that all the way through.

The servers have the following network setup:
Domain Name:
Domain Controller name: md-dc-ca
Domain Controller address:
SCMDM Server name: md-scmdm
SCMDM address:
Since it’s all on a LAN without routing you don’t need a default gateway defined.

Getting your Domain Controller ready
– Make sure your domain is at “2003 Functional Level”. (If you installed a new domain it will be at “2000 Functional Level” by default.) Update: Make sure it’s 2003 Native level, not 2003 interim (which is used for support Windows NT 4 servers). Also make sure your Forest Functional level also matches and is running 2000 or 2003 functional level. (If you installed a domain from scratch like I have done in my lab you don’t need to touch the Forest Functional Level.)
– Install IIS.
– Install Certificate Services choosing “Enterprise Root CA” as the type. If you don’t want to get some extra configuration hassle afterwards make sure the previous step is performed before this step – the order of these two steps is not random.
– You’ll need the name of your CA later, so make a note of it – I use “MobilityDojo Root CA”.

Getting your MDM server ready
– Install IIS.
– At this time you should make sure that IIS/.NET is running in 64-bit.
Run the following command (from command prompt):
cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
Change to C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727
Run: aspnet_regiis –i
Run iisreset

– Install SQL Server 2005. Not SQL Server 2008, and not SQL Server Express. Standard Edition should be ok, as well as Enterprise and Developer. Default settings should be good, if you don’t have any preferences stating otherwise.
A few extra steps must be performed on your SQL Server install to enable use for SCMDM.
– Set the “SQL Server Agent” service to “Automatic”.
– Set the “SQL Server Browser” to “Automatic”.
– Enable Remote Connections for TCP/IP. You can do this via “SQL Server Configuration Manager” or “SQL Server Surface Area Configuration”. MS has a good explanation here:

Then there’s some small applications you need in addition (remember to get the 64-bit versions where applicable):
– Install PowerShell 1.0:…/powershell/download.mspx
– Install MMC 3.0 (if necessary – if you’re running 2003 R2 it’s already installed):
– Install Report Viewer 2005 SP1:
– Install MBCA (Microsoft Baseline Configuration Analyzer):

We then proceed to installing WSUS 3.0 SP1. There is an important step in the install wizard – you should create a separate web site for WSUS. If you don’t there’s a chance it will interfere with the enrollment web site we’re creating later. Accept the default port the wizard suggests for the new web site.

All should be good with regards to the software you need before installing SCMDM, but you should run SCMDM BPA, (Best Practice Analyzer), to make sure everything is in order before you start installing. Actually you should go ahead and download all the Resource Kit Tools (only install BPA for the moment):
The type of scan you’ll want is the “Pre-Deployment Scan”. You might get an error stating “Scan failed”. This means you have to change a policy in Powershell. Run the following cmdlet in the Powershell console: “Set-ExecutionPolicy RemoteSigned”.

Make sure you get green lights on the Enrollment and Device Management role. (If you get warnings about CPU and/or RAM ignore this.) In this scenario you might get an error on the SQL role as we are installing SQL on the same box as SCMDM. Also make BPA check that AD and the CA is good to go.

I would have loved to have a screen shot with no warnings, but seems there’s a bug in the RAM detection scheme. I tried upgrading to both 4 and 5 GB temporarily and it still complained I didn’t have 4 GB…

As for SCMDM itself, it’s available on TechNet & MSDN, and as an evaluation version here:

Now that everything is in place we can proceed to the next step – actually installing SCMDM 🙂
This is covered in Part 2:
Part 3:

10 thoughts on “System Center Mobile Device Manager 2008 – Install Guide (No Gateway) – Part 1”

  1. Great guild and great site, In the guild you might want to specify “Native” Domain Functional Level. As “2003 Mixed Functional Level” will not work. You can use “2000 Native” and “2003 Native”. mdm uses lots of universal groups which require “Native”. I’m sure it will not be long before we can use “2008 Native” as well.
    Cheers Wayne

  2. You are of course correct Wayne, that mixed/interim would not be a good choice. I’ll update the post.
    Interestingly Microsoft are not consistent in their naming scheme – if you press “Help” in the dialog box where you raise the functional level the following four levels are listed in the explanation article:
    Windows 2000 Mixed
    Windows 2000 Native
    Windows Server 2003 Interim
    Windows Server 2003
    As far as I know support for 2008 Domain Functional Level will be included in Service Pack 1 for SCMDM.

  3. I forgot to mention the Forest Functional Level also needs to be right. You can either have :

    Forest Level = Windows 2000 &
    Domain Level = Windows 2000 Native
    Forest Level = Windows 2000 &
    Domain Level = Windows 2003
    Forest Level = Windows Server 2003 &
    Domain Level = Windows Server 2003

    Clear as Mud! So you might want to recommend using the last option, so that people don’t get confused.

    Cheers – Wayne

  4. In the configuration above, why is Windows Ent Ed required for OS of the virtual MDM server? I only thought Ent Ed was needed on the DC/CA.

  5. Enterprise Edition is not required for the MDM server, but the base image I use in my lab is Enterprise. Call it laziness if you will not having multiple base images 🙂 For a simple lab you should be good with Standard as well, and for production use – well it depends on whether you need any of the other features in Enterprise 🙂

  6. You should also install SQL Server 2005 SP2, if you want WSUS to use the local SQL Server instead of maintaining it’s own database.

  7. I must have forgotten to include that step, Dave 🙂
    Not being very fluent with WSUS and SQL I did not know this was required. However I always run Windows Update after installing servers/apps from Microsoft, so I already had SP2 in place when installing WSUS, and thus I did not encounter an issue with this.

  8. What is the absolute smallest infrastructure needed for this kind of a lab? Could you have combined both the DC and SCMDM servers? The technet articles indicate steps to be done if MDM roles are running on a DC or CA. Yet this walkthrough as well as their “Integrated configuration” in the technet article do not use this design. I am asking since that was my goal, and I am running into trouble with it. I have done all steps indicated here:
    yet I still get the error indicated under “General Access Denied Error When You Enroll a Device” at

    Any help would be appreciated.

  9. The gateway server is optional (though highly recommended) so you can get away with one server for the Enrollment and Device Management roles. And if you install a domain controller on the same box you can technically get away with only one server in your test lab. You’ll have another challenge though if you are using GPMC for managing group policies as this will not run on 64-bit.

    You have already found the correct docs on TechNet regarding the extra steps you need to take if you want to co-locate SCMDM and a DC. I have not attempted this myself, but I have heard reports from others that it can be done if the steps are followed closely. So I don’t know why it would be failing in your lab – maybe there is another issue that is not related to the co-location of roles. Have you run the Best Practice Analyzer to see if it reports nay other issues?

    I don’t know if you are using physical boxes, or virtual servers, but I would highly recommend having a separate DC. You can get away with almost no CPU, and only 256MB RAM on a domain controller running W2K3 32-bit. (My DC at home is an old HP Pavilion – probably at least 6 years old, don’t remember.)

Leave a Reply

Your email address will not be published. Required fields are marked *