System Center Mobile Device Manager 2008 – Install Guide (No Gateway) – Part 2

We are now ready to do the fun part which is installing SCMDM. There are a few main areas covered in this part:
– Configuring Active Directory for MDM
– Installing the Enrollment Server
– Installing the Device Management Server
– Running a Post-Deployment scan with SCMDM BPA to make sure everything went smoothly.

There are plenty of screenshots, and maybe that’s not your cup of tea, but I believe a picture’s worth a thousand words.

Configuring Active Directory
Active Directory needs to be configured to include mobile devices in your domain. This includes creating groups/OUs, preparing the CA, etc.
Log on to “md-scmdm” as the domain admin. (You need to be a domain admin and a schema admin to perform these actions.) I’m not detailing everything in this section; it can be found in the reference material from Microsoft (TechNet Library).
Fire up a command line and execute the commands shown below:
adconfig /domain:mobilitydojo.net

adconfig /createtemplates

adconfig /enabletemplates /ca:"md-dc-ca.mobilitydojo.net\MobilityDojo Root CA"

adconfig /gpsecurity:all

adconfig /gpsecurity:default

Ok, it’s been smooth sailing so far. On to the actual SCMDM components. We’ll start installing the enrollment server, followed by the device management server.

Installing the Enrollment Server
After prepping AD, you need to log off and log on again. This is because some new security groups have been created, and membership is applied when you log on to the domain. (And you need to be a member of one of these new groups to be able to install.)

First we have to provide the SQL Server location. Type in the full FQDN. Do not type localhost, even though that is where SQL Server runs in our lab. (This will give errors later on in the process.)

For some reason I could not get it working when I provided the instance name, even though BPA said ok and everything. I don’t know why, but it worked when I just provided the FQDN. (Maybe because it’s running on the local host with only the one default instance?)

Next you provide the DNS names for external and internal access. The external one has to be mobileenroll.yourdomain.com, but the internal one can be different. The internal DNS name does not have to match the server’s host name; what SSL requires is that the certificate common name matches the name published in DNS. In our lab environment the two names are the same. DNS resolution is also verified (unless you check “Skip Enrollment FQDN validation”). I logged on to the Domain Controller and created an A record for mobileenroll.mobilitydojo.net. If you’ve already tried pressing “Next” and got an error, you probably have to run “ipconfig /flushdns” on the command line first.
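A quick check of the DNS side of this step, added here as an example (it is not from the original post): it flushes the resolver cache and confirms that each name you are about to type into the wizard resolves to the SCMDM server, since the certificate the wizard requests will carry exactly that name. It assumes the lab names and the SCMDM address 192.168.10.30 from Part 1, and is written for the PowerShell 1.0 console installed on the server (hence trap instead of try/catch).

```powershell
# Added example, not part of the original guide. Assumptions: lab names from Part 1,
# SCMDM server at 192.168.10.30, PowerShell 1.0 on Windows Server 2003 x64.

function Resolve-HostAddresses([string]$Fqdn) {
    # Returns the resolved addresses as strings, or nothing when the lookup fails.
    trap { continue }           # a failed lookup leaves $found as $null
    $found = $null
    $found = [System.Net.Dns]::GetHostAddresses($Fqdn)
    if ($found -eq $null) { return @() }
    return @($found | ForEach-Object { $_.ToString() })
}

function Test-EnrollmentFqdn([string]$Fqdn, [string]$ExpectedAddress) {
    # The wizard validates the FQDN and puts it in the SSL certificate request,
    # so the name must resolve to the server that will answer on it.
    $addresses = @(Resolve-HostAddresses $Fqdn)
    if ($addresses.Length -eq 0) {
        return "FAIL  " + $Fqdn + " does not resolve; create the A record on the DC first"
    }
    if ($addresses -contains $ExpectedAddress) {
        return "OK    " + $Fqdn + " -> " + $ExpectedAddress
    }
    return "FAIL  " + $Fqdn + " -> " + [string]::Join(", ", [string[]]$addresses) +
           " (expected " + $ExpectedAddress + ")"
}

# Clear cached negative answers left behind by an earlier failed attempt in the wizard.
ipconfig /flushdns | Out-Null

$scmdmAddress = "192.168.10.30"
foreach ($name in "mobileenroll.mobilitydojo.net", "md-scmdm.mobilitydojo.net") {
    Write-Host (Test-EnrollmentFqdn $name $scmdmAddress)
}
```

If you use a different internal name in the wizard, add it to the list; every name that ends up in a certificate common name should produce an OK line before you press “Next”.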

You can accept the default port for the administration web site.

We use the same CA for both devices and servers.

And then we are ready to hit the install button.

Hopefully it will end with the install completing successfully.

No point in waiting, so we’ll just move right along to installing the Device Management Server.

Installing the Device Management Server

The SQL Server location has already been filled in for us this time (and you can’t change it).

With the DM server we can choose the actual FQDN of the server. (It will not be exposed externally.)

Accept the default ports suggested.

Same CA.

Also ending with the “Install” button.

And hopefully you’ll get the same successful result here as well 🙂

Maybe it’s just me, but I like a fresh reboot after installing servers, so while it’s probably not necessary it is nonetheless my next action.
Next item on the menu is running SCMDM BPA again, this time choosing the Post-Deployment Scan. What we are looking for here are errors, and hints on how to correct them. If you get an error on the DM server saying something about .NET Framework Language, ignore it; it’s a bug in the BPA. You’ll probably get a number of warnings as well, but this is expected since we haven’t configured our servers yet. (BPA will give you helpful hints about what you should do – after all, that is why it’s called “Best Practices”.)

All of this will be covered in the next part, but before moving on to the configuration part you should install the last SCMDM component for now: the “Administrator Tools”. Don’t check the “Group Policy Extensions” item – we’ll install these on our Domain Controller later on. (GPMC, which is required for using these extensions, only runs on 32-bit, so it will not install on the SCMDM server.)

You may find it very tempting to boot up a device at this point and start pressing its buttons. Please resist the urge – it is better to make sure the server is correctly configured than to pull your hair out afterwards when you can’t get the device to work 🙂

Ok, on to the part where we smooth out the edges of our installation, and try to test with a device.

Part 3: http://mobilitydojo.net/2008/09/24/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-3/

System Center Mobile Device Manager 2008 – Install Guide (No Gateway) – Part 1

I mentioned it only briefly in my last post, but Microsoft has a product in the System Center family that lets you take control of your Windows Mobile devices and make them part of the domain just like any other computer in your LAN (and WAN). And obviously, once they are part of your network, you can distribute software, configure settings on the device, etc. This product has the tongue-twisting name of System Center Mobile Device Manager 2008, or SCMDM2008 for short. (Some refer to it as MDM, but since this acronym can also mean Mobile Device Management in general, it’s better to use it only in a context where it’s implied there’s an SC in front. Apologies for being a nit-picker 🙂 )

I’m not going into all the features and sales “fluff” here, however, and intend to provide a practical, technical, hands-on approach instead. If you have no knowledge of what it’s all about, I advise you to have a look at the product page (and then return here):
http://technet.microsoft.com/en-us/scmdm/default.aspx

If you look into the TechNet Library you’ll find lots of documentation on the product, how to plan for implementation, architecture, deploying, reference materials, etc. And the documentation is good, but there’s a lot of it, and if you just want to test drive it for yourself you might not be interested in reading 200 pages of architectural considerations. Participating in the TechNet forums I see a lot of people are having problems evaluating this product since it is a pretty complex solution, with a lot of steps that need to be performed in specific orders. With this in mind I decided to write some how-to’s hopefully helping someone along the way. I don’t claim to have all the answers myself, and I have also struggled with some issues, but I’ll try to produce a guide that will let you set it up in your own lab and actually get it to work 🙂

I’ll probably divide this into several guides, detailing different scenarios, and maybe going in depth on some aspects of the solution. This first one is a very basic scenario:
– All devices connect through LAN. No GPRS, or other external access.
– No gateway or VPN tunnel. All devices connect directly to the Enrollment and Device Management server.
– “Everything” installed on one server. This includes Enrollment Server, Device Management Server, SQL Server and WSUS Server. The exception is the Domain Controller which is a separate server (also hosting a Certificate Authority).
I call this the “SCMDM – No Gateway”-scenario.

One caveat with this scenario is that you will not be able to use the “Wipe now”-feature. Your devices will be wiped on the next scheduled connection to the server. This is because this feature is dependent on the Gateway server. (I will not go into further details, the technical reasoning behind this is explained in the TechNet Library.)

I know there are a lot of different network setups out there, with different firewalls, routers, etc. And this makes writing generic guides difficult. The scenario I walk through here should however be fully reproducible in your lab since it is a very stripped down setup. No firewalls, no routers, no Internet – just two virtual servers and a few innocent mobile devices.

This is what our tiny little infrastructure looks like 🙂

[Diagram: SCMDM_NoGW]

Some technical details regarding how I configure these “boxes”:
– Everything is virtualized on a single physical computer with one physical NIC, running Windows Server 2008 with Hyper-V. As far as I know it’s not supported in a production environment to do this, but it’s not a problem for lab work. System Center will install with less than the recommended/required 4GB, but obviously the more the better. I’m using a quad-core Xeon with 8GB RAM as the host machine, but I’ve done some testing previously on a Core 2 with 4GB which also works albeit somewhat more “sluggish”.
– The Domain Controller is Windows Server 2003 R2 32-bit Enterprise Edition with 512MB RAM. 32-bit is required to use the Group Policy tools, so unless you have any other compelling reasons to go 64-bit stick with 32-bit for this scenario.
– SCMDM Server is Windows Server 2003 x64 Enterprise Edition with 2GB RAM. 64-bit is a requirement, which means Hyper-V is the only option if you’re using virtualization from Microsoft.

The domain controller has to be Enterprise Edition because of the Enterprise CA we are running. You can install an Enterprise CA on Standard Edition as well, but you will not be able to define your own certificate templates, which is something we need for SCMDM. (The certificates for the mobile devices are based on a custom template generated by the SCMDM install process.)

I’m using the English version of Windows Server 2003, and SCMDM. You can use other languages, but keep in mind that you can’t mix language components. So if you have another language of Windows Server you need to check you are installing the same version of ASP.NET, etc. Since English is the default in a Microsoft world I stick with that all the way through.

The servers have the following network setup:
Domain Name: MobilityDojo.net
Network: 192.168.10.0/24
Domain Controller name: md-dc-ca
Domain Controller address: 192.168.10.20
SCMDM Server name: md-scmdm
SCMDM address: 192.168.10.30
Since it’s all on a LAN without routing you don’t need a default gateway defined.

Getting your Domain Controller ready
– Make sure your domain is at “2003 Functional Level”. (If you installed a new domain it will be at “2000 Functional Level” by default.) Update: Make sure it’s 2003 Native level, not 2003 Interim (which is used to support Windows NT 4 servers). Also make sure your Forest Functional Level matches and is at the 2000 or 2003 functional level. (If you installed a domain from scratch, like I have done in my lab, you don’t need to touch the Forest Functional Level.)
– Install IIS.
– Install Certificate Services choosing “Enterprise Root CA” as the type. If you don’t want to get some extra configuration hassle afterwards make sure the previous step is performed before this step – the order of these two steps is not random.
– You’ll need the name of your CA later, so make a note of it – I use “MobilityDojo Root CA”.

Getting your MDM server ready
– Install IIS.
– At this time you should make sure that IIS/.NET is running in 64-bit mode. Run the following commands from a command prompt:
cscript %SYSTEMDRIVE%\inetpub\adminscripts\adsutil.vbs SET W3SVC/AppPools/Enable32bitAppOnWin64 0
cd /d C:\WINDOWS\Microsoft.NET\Framework64\v2.0.50727
aspnet_regiis -i
iisreset

– Install SQL Server 2005. Not SQL Server 2008, and not SQL Server Express. Standard Edition should be ok, as well as Enterprise and Developer. Default settings should be good, if you don’t have any preferences stating otherwise.
A few extra steps must be performed on your SQL Server install to enable use for SCMDM.
– Set the “SQL Server Agent” service to “Automatic”.
– Set the “SQL Server Browser” to “Automatic”.
– Enable Remote Connections for TCP/IP. You can do this via “SQL Server Configuration Manager” or “SQL Server Surface Area Configuration”. MS has a good explanation here:
http://support.microsoft.com/kb/914277
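The IIS and SQL Server steps above are easy to get half-right (the 32-bit flag left on, a service set to Manual, TCP/IP still disabled), so here is an added example that applies them and then verifies each one. It is not from the original post. Assumptions: Windows Server 2003 x64 with IIS 6 (adsutil.vbs under inetpub\adminscripts), .NET 2.0 under Framework64\v2.0.50727, a default SQL Server 2005 instance whose services are named SQLSERVERAGENT and SQLBrowser and which listens on TCP 1433, and the PowerShell 1.0 console the post installs (so no try/catch).

```powershell
# Added example, not part of the original guide. Assumptions: IIS 6 on Windows Server
# 2003 x64, .NET 2.0 x64, default SQL Server 2005 instance (services SQLSERVERAGENT and
# SQLBrowser, TCP port 1433), PowerShell 1.0. Run on the SCMDM server as an administrator.

$adsutil   = Join-Path $env:SystemDrive "inetpub\adminscripts\adsutil.vbs"
$framework = Join-Path $env:windir "Microsoft.NET\Framework64\v2.0.50727"

function Set-Iis64Bit {
    # 0 = worker processes run as native 64-bit; SCMDM needs 64-bit ASP.NET.
    cscript //nologo $adsutil SET W3SVC/AppPools/Enable32bitAppOnWin64 0 | Out-Null
    # Same as changing to Framework64\v2.0.50727 and running "aspnet_regiis -i".
    & (Join-Path $framework "aspnet_regiis.exe") -i | Out-Null
    iisreset | Out-Null
}

function Test-Iis64Bit {
    # adsutil prints the property as "... : (BOOLEAN) False" once 32-bit mode is off.
    $output = cscript //nologo $adsutil GET W3SVC/AppPools/Enable32bitAppOnWin64
    return (([string]$output) -match "\(BOOLEAN\)\s+False")
}

function Set-SqlServicesAutomatic {
    foreach ($svc in "SQLSERVERAGENT", "SQLBrowser") {
        Set-Service -Name $svc -StartupType Automatic
        Start-Service -Name $svc
    }
}

function Test-SqlServices {
    # True only when both services start automatically and are running right now.
    foreach ($svc in "SQLSERVERAGENT", "SQLBrowser") {
        $s = Get-WmiObject Win32_Service -Filter "Name='$svc'"
        if ($s -eq $null) { return $false }
        if ($s.StartMode -ne "Auto" -or $s.State -ne "Running") { return $false }
    }
    return $true
}

function Test-SqlTcpListener([string]$HostName, [int]$Port) {
    # Remote connections over TCP/IP are on when a plain TCP connect to the instance succeeds.
    trap { continue }           # a refused or timed-out connect leaves Connected = $false
    $client = New-Object System.Net.Sockets.TcpClient
    $client.Connect($HostName, $Port)
    $connected = $client.Connected
    $client.Close()
    return $connected
}

Set-Iis64Bit
Set-SqlServicesAutomatic
Write-Host ("IIS 64-bit mode  : " + (Test-Iis64Bit))
Write-Host ("SQL services     : " + (Test-SqlServices))
Write-Host ("SQL TCP listener : " + (Test-SqlTcpListener "md-scmdm.mobilitydojo.net" 1433))
```

All three lines should read True before you run the BPA Pre-Deployment Scan; a False on the TCP line means the TCP/IP protocol still has to be enabled in SQL Server Configuration Manager or Surface Area Configuration, as the KB article above describes. If you use a named instance, adjust the service names and port to match it.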

Then there are a few small applications you need in addition (remember to get the 64-bit versions where applicable):
– Install PowerShell 1.0:
http://www.microsoft.com/windowsserver2003/…/powershell/download.mspx
– Install MMC 3.0 (if necessary – if you’re running 2003 R2 it’s already installed):
http://www.microsoft.com/DownLoads/details.aspx?familyid=4C84F80B-908D-4B5D-8AA8-27B962566D9F&displaylang=en
– Install Report Viewer 2005 SP1:
http://www.microsoft.com/DownLoads/details.aspx?familyid=E7D661BA-DC95-4EB3-8916-3E31340DDC2C&displaylang=en
– Install MBCA (Microsoft Baseline Configuration Analyzer):
http://www.microsoft.com/downloads/details.aspx?FamilyId=DB70824D-ABAE-4A92-9AA2-1F43C0FA49B3&displaylang=en

We then proceed to installing WSUS 3.0 SP1. There is an important step in the install wizard – you should create a separate web site for WSUS. If you don’t there’s a chance it will interfere with the enrollment web site we’re creating later. Accept the default port the wizard suggests for the new web site.

All should be good with regards to the software you need before installing SCMDM, but you should run the SCMDM BPA (Best Practice Analyzer) to make sure everything is in order before you start installing. Actually, you should go ahead and download all the Resource Kit Tools (only install BPA for the moment):
http://technet.microsoft.com/en-us/scmdm/cc304591.aspx
The type of scan you’ll want is the “Pre-Deployment Scan”. You might get an error stating “Scan failed”. This means you have to change the PowerShell execution policy. Run the following cmdlet in the PowerShell console: “Set-ExecutionPolicy RemoteSigned”.

Make sure you get green lights on the Enrollment and Device Management roles. (If you get warnings about CPU and/or RAM, ignore them.) In this scenario you might get an error on the SQL role as we are installing SQL on the same box as SCMDM. Also have BPA check that AD and the CA are good to go.

I would have loved to have a screenshot with no warnings, but it seems there’s a bug in the RAM detection scheme. I tried upgrading to both 4 and 5 GB temporarily and it still complained I didn’t have 4 GB…

As for SCMDM itself, it’s available on TechNet & MSDN, and as an evaluation version here:
http://technet.microsoft.com/en-us/evalcenter/cc339027.aspx

Now that everything is in place we can proceed to the next step – actually installing SCMDM 🙂
This is covered in Part 2: http://mobilitydojo.net/2008/09/23/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-2/
Part 3: http://mobilitydojo.net/2008/09/24/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-3/

Windows Mobile 6.1 – How do I encrypt my device?

You might have read in white papers and product sheets that Windows Mobile 6.1 supports local device encryption. (Windows Mobile 6.0 featured encryption of storage cards, which is still also supported.) And you might have wondered – where is the setting for enabling it? Well, unless the device manufacturer has provided an interface, you can’t enable it. At least not in an easily accessible way.

The reasoning behind this is probably that it’s considered an “Enterprise feature”. Many enterprises are requesting encryption, but you don’t hear that many concerned end-users requesting it. So to use this feature you may for instance use Exchange 2007 SP1 on the server side, and ActiveSync configured on your device.

The following is a screenshot from the Exchange Admin Console:

You’ll notice that it’s not very fine-grained – you either have encryption enabled or you have it disabled. (The encryption ties in with the password requirements though as you need to password protect your device to encrypt it.)

The other option from the Microsoft perspective is System Center Mobile Device Manager 2008, (or SCMDM for short), where you can also enable encryption on the device. This is specified through Group Policies:

You’ll notice that this also gives you the additional option to specify inclusions and exclusions, which is handy if you have a few gigabytes of mp3 files you don’t want to waste CPU cycles encrypting.

So this is all nice and dandy. If you have servers installed that is. What if you want to use this without servers, or you want to perform some testing without connecting to the servers? The encryption functionality is a feature of Windows Mobile 6.1, and the server tools just enable it. It’s all on the device – you just need a front-end.

With this in mind I created a small utility/application for this purpose.

Note: This tool is not designed for deployment in Enterprise environments. I recommend that in a deployment either the server solutions above, or similar third-party products, are used. This utility is intended for lab purposes, and single users who don’t have the opportunity/possibility of using said server products.

Disclaimer:
This is not an implementation of encryption itself. It uses the encryption that is built into Windows Mobile 6.1, and merely provides an interface for controlling this feature. I take no responsibility for the actual implementation or the details thereof. Currently the encryption in Windows Mobile is based on AES-128.

The use is sort of self-explanatory:
– “Encryption On/Off” refers to whether the feature itself is enabled or disabled.
– “Exclusions” means you can exclude certain files/folders or file types from being encrypted.
– “Inclusions” means you can include additional files for encryption. This does however bring up another question – isn’t the entire device encrypted already? No, it isn’t…

The following items are encrypted by default:
– User documents
– Email
– PIM data
– Email attachments and related data
– Internet cache
For more info: http://msdn.microsoft.com/en-us/library/bb964600.aspx

Now, there are two ways around this: modify the system default (the items that will be encrypted when encryption is enabled), or add inclusions after the device is encrypted. This application does not modify the system default, and thus relies on you to enable encryption first.

The exclusion list actually works the same way: you have a system default, and you have the exclusions you add later. I don’t recommend you exclude any of the items from the list above, however, with the exception that you might be storing your mp3s under “\My Documents\”.

A few hints when it comes to exclude/include:
– Do not encrypt \…\* (entire device)! You’ll also encrypt the system files that are needed for booting…bad thing.
– Special formatting “…” = all subdirectories, “*” = all files, “*.ext” = all files with specified extension.
– All items must start with “\”; so to exclude all mp3s you would add “\…\*.mp3”. Adding a single file would be “\file.txt”.
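The three rules above are exactly the kind of input check the “Known issues” list further down says the utility does not do, so here is an added example of such a check; it is not part of the original post or of DojoCrypt, and its rules are this example’s own reading of the hints above, not the tool’s parsing logic. Assumptions: the post shows the “all subdirectories” token as a single “…” character, so the checker accepts both that and the three-period form “...”; wildcards are treated as meaningful only in the last path segment, as “*” or “*.ext”.

```powershell
# Added example, not part of the original post or of DojoCrypt. Validates an
# inclusion/exclusion entry against the syntax hints: leading "\", "..." = all
# subdirectories, "*" = all files, "*.ext" = files with that extension, and never
# "\...\*" as an inclusion (that would encrypt the files needed to boot).

function Test-CryptListEntry {
    param(
        [string]$Entry,
        [switch]$IsInclusion   # inclusion entries get the extra "whole device" check
    )
    $result = @{ Valid = $false; Reason = "" }
    $ellipsis = [string][char]0x2026           # the "…" character as shown in the post
    $normalized = $Entry.Replace($ellipsis, "...")

    if ($normalized.Length -lt 2 -or -not $normalized.StartsWith("\")) {
        $result.Reason = "entry must start with '\' (for example '\file.txt' or '\...\*.mp3')"
        return $result
    }

    # Everything on the device, system files included: refuse it as an inclusion.
    if ($IsInclusion -and $normalized -eq "\...\*") {
        $result.Reason = "'\...\*' would encrypt the entire device; do not add it as an inclusion"
        return $result
    }

    $segments = $normalized.Substring(1).Split("\")
    for ($i = 0; $i -lt $segments.Length; $i++) {
        $seg = $segments[$i]
        $isLast = ($i -eq $segments.Length - 1)
        if ($seg -eq "") {
            $result.Reason = "empty path segment (double or trailing backslash)"
            return $result
        }
        if ($seg -eq "...") { continue }       # "all subdirectories" token, allowed anywhere
        if ($seg.Contains("*")) {
            # Wildcards only make sense in the final segment, as "*" or "*.ext".
            if (-not $isLast -or -not ($seg -eq "*" -or $seg -match '^\*\.[A-Za-z0-9]+$')) {
                $result.Reason = "'*' is only allowed as the last segment, as '*' or '*.ext'"
                return $result
            }
        }
    }
    $result.Valid = $true
    return $result
}

# Constructed sample entries, checked as if they were being added to the inclusion list.
$samples = "\...\*.mp3", "\file.txt", "\My Documents\*", "file.txt", "\...\*", "\*.doc\..."
foreach ($s in $samples) {
    $r = Test-CryptListEntry -Entry $s -IsInclusion
    if ($r.Valid) { Write-Host ("OK       " + $s) }
    else          { Write-Host ("REJECTED " + $s + " : " + $r.Reason) }
}
```

With the sample list, the first three entries pass and the last three are rejected: “file.txt” has no leading backslash, “\...\*” is the whole-device case, and “\*.doc\...” puts a wildcard before the last segment. Run the same function without -IsInclusion for exclusion entries, where excluding everything is pointless rather than dangerous.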

So what does it look like?
“Encryption On/Off”-tab.
Either it’s enabled or it’s not. Please note – before you add inclusions/exclusions, encryption should be enabled first.

“Exclusion”-tab.
Either browse to select individual files or type in file/folder/extension. Remember to add the “\” in front.

“Inclusion”-tab.
Works pretty much the same way as the aforementioned tab.

Known issues:
– No icon and/or shortcut yet. Must be started from “\Program Files\DojoCrypt”.
– I do some simple error checking, but if you try you may be able to crash the app. It should however not be able to do any harm other than you having to start the program over again.
– No regexing or parsing checking that your inputs are correct when it comes to exclusions & inclusions. If you type it wrong, it will not work 🙂
– Applying an ExcludeList or IncludeList will require you to reboot the device between each list applied. (Technically you can choose “Later” to postpone it – results untested yet but probably no worries). So you can’t setup both lists and then be prompted to reboot. No biggie, but I am aware of it.
– No possibility to see what currently is on your lists – might implement this later on.
– It’s designed for portrait mode. It will work in landscape mode but does look kinda unoptimized. Fully aware of this, and considering a more slick solution (knowing that one often types with the qwerty keyboard in landscape mode).
– Only tested on Windows Mobile 6.1 Professional. Don’t know if it will work on Windows Mobile 6.1 Standard (probably not because of UI elements).
– Versions prior to Windows Mobile 6.1 are not, and will not be, supported.
– While not an issue with this utility itself, you may have problems on some devices if there’s a two-tier lock on the device, or some other security restrictions imposed that prevent this utility from working as designed.

I have not had the opportunity to do extensive bug testing, but I’ll replace the link in the download if I make any improvements/fixes.

If there are any bugs you are welcome to post them in the comments section, but I make no guarantee when I will get around to fixing them 🙂

Download: http://mobilitydojo.net/files/DojoCrypt_090.cab

19.nov.2008 Update:
There’s a new version that fixes some of the known issues.
Download: http://mobilitydojo.net/files/DojoCrypt_10.cab