The multi-instance feature requires the Gateway Server to have knowledge of the specific instance it belongs to. The Gateway Server is not a member of Active Directory, and thus cannot learn anything from the instance information there. You will need to supply this information in an xml-file, which you can either create yourself, or more preferably create on the Device Management Server and transfer to the GW Server.
Run the Export-MDMGatewayConfig cmdlet on the DM server to create a file.
If you decide to open it up, it will look something like this:

Second thing you need to do is create certificates and install these on your GW Server. This is covered in my previous post,
(http://mobilitydojo.net/2008/09/24/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-3/), or you could go with the TechNet documentation:
Creating the MDM Gateway Certificate Request and Certificate
Exporting the Certification Authority Certificates
Create and Import Certification Authority Certificates onto the MDM Gateway Server

You should run the Best Practice Analyzer before deployment on this server as well. I had to enable ASP.Net web extensions as this was disabled by default, but that’s about it. There is also an error because I do not have a public IP address assigned to one of the network interfaces, but this is a lab with no public access so it does not matter.

After these steps are in place this is also one of your average “Click Next”-installs Screenshots below, that I hope are self-explanatory.

Installing the Gateway Server

After this procedure has finished you’ll want to login to your Admin Console, and add the Gateway Server by following the Wizard.

Looks like everything is in order:
 

And if you also want the device to be able to locate the Gateway when enrolling you’ll want to run the following cmdlet in the MDM Shell:
Set-EnrollmentConfig –GatewayUri md-gw-eu.eu.mobilitydojo.net substituting your own Gateway Server FQDN instead of mine.

I always have to verify that things are working like they should, so I’ll also enroll a device just for the sake of it. I’ve created a pre-enrollment request on the Enrollment/DM Server, and have fired up a device. I’m using a Windows Mobile 6.1 Standard this time, although I’m not a big fan of those devices for testing due less utilities available, less typing-friendly form factor (even though newer devices have an actual keyboard they are more phone-type devices than email-type devices). Nonetheless, we should be able to enroll it at least

Enrolling a device





 

And that concludes the scenario basically.

Ok, there are some questions left unanswered Yes, it’s all nice and dandy to have one server located at .eu.mobilitydojo.net, and another at .na.mobilitydojo.net, and so forth. But our email addresses are mobilitydojo.net – how does the device know which server to hit? The device has limited ability to guess which server is the right one, and bases itself on the address the user specifies (looking at the right hand side of the @). It will work if the user specifies the enrollment server manually, but we can agree that is not ideal either. I don’t know if it could be solved by using ISA Server (or a similar product) to publish multiple enrollment servers, and direct the user to the correct one. This is a scenario I will be testing closer though.

I haven’t really touched any specifics regarding firewall, internally or externally, either and solved this in a “hackish” way here by having all servers connected to the same two networks. Conveniently this also reduces the need to configure routing – but you still need to define a route to and from the device subnet mind you.

If you also install a Gateway for the SCMDM-NA instance you should now have a fully working lab with multiple domains, multiple CAs, and multiple instances.

Remember to install the following components on your server before proceeding:
- WSUS 3.0 SP1
- PowerShell
- MBCA
- Report Viewer Redistributable

Before installing – run the Best Practice Analyzer. This tool is always your friend when dealing with SCMDM installs. It has been slightly revamped for the SP1 release, and I find it a positive touch that it also reports on what was found to be right about your current setup

I passed most of the checks, and ignored the rest. Not something I would recommend usually, but I’ll accept that SQL Server should not be installed on any SCMDM Server unless in a lab, and the errors I get regarding the DC and CA does not make sense. Apparently Windows Server 2008 is still a no-no as far as the BPA is concerned.

As stated previously the following roles/services are all installed on the same box, but as this test scenario does not focus on splitting them up I will have to live with this limitation. I’ll be installing the following roles:
- Enrollment Server
- Device Management Server
- Administrator Tools
- Self Service Portal

If you have installed SCMDM RTM before you’ll notice that there are few changes this time around. The only thing really is choosing which instance you want to add this server to. So the extra work is basically done when running ADConfig, and is an Active Directory thing. You’ll notice that I only have one available instance, even though I configured two instances only one of them is in this domain. But if you wanted to there is nothing preventing you from having multiple instances in the same domain. I don’t think I’ll be exploring that scenario at the moment, as it’s not that different from this scenario. If you figure this one out, you will be able to do the other as well

And although I’m only showing the installation on the EU instance, you’ll just have to trust me when I say I perform the same steps on the NA instance.

Remember to create the necessary DNS records, (for enrollment and self service portal), before proceeding to install.

Enrollment Server Install

No stopping here, just move along to the next install wizard.

Device Management Server

We’ll also need something to administrate our servers with.

Admin Tools

You’re probably getting tired of screenshots; just a few more and we’ll be finished for now.

Self Service Portal

And there we are. If you are happy with using your devices without a Gateway Server you can go ahead and enroll devices. If you want a Gateway as well that will be covered in the next part.

There is one more thing to do after all this is done before proceeding. Run the BPA and perform a Post-Deployment Scan. You may get different results, but I’m seeing the following:
- Warnings about being installed with other servers and roles.
- On the Device Management and Enrollment Server it is reported that the web sites/services are not reachable, and I’m advised to check the certificates. I do not know at the present time why I get these errors as I can reach the sites, and do not see any errors with the certificates either. Will post an update if I learn why I’m getting this.
- The Certification Authority reports an error about a missing group in Active Directory. (CERTSRV_DCOM_ACCESS) I think this might be related to the fact that I’m running all the CAs on Windows Server 2008, (as I know there has been some changes to the CA role in W2K8), but wouldn’t know for sure. I have tried following this KB article (http://support.microsoft.com/kb/927066), but it does not seem to remove the error in BPA.

In spite of these errors everything seems to work like it should though. But I thought I’d give you a heads-up in case you run into strange problems later on in your testing. I’ll try to investigate further what the causes are.

You can read more about SP1 here: What’s New in Mobile Device Manager 2008 SP1
Download an evaluation version here:
System Center Mobile Device Manager 2008 Service Pack 1 – Evaluation
And you can read my previous exploration of the install process here:
http://mobilitydojo.net/2008/09/22/system-center-mobile-device-manager-2008-install-guide-no-gateway-part-1/

If you’re entirely new to what SCMDM is all about you might want to give this link a look:
http://technet.microsoft.com/en-us/scmdm/default.aspx

One of the new features in System Center Mobile Device Manager 2008 Service Pack 1 is the ability to deploy multiple SCMDM instances in a single forest. Although my lab was working nicely with just one SCMDM deployment it was a feature I couldn’t resist testing, and documenting

Another new feature of SP1 is support for Windows Server 2008 Domain Functional Level, and Certificate Authority running on Windows Server 2008. I had to include this in my new lab as well.

So before installing SCMDM I have setup a new forest with a root domain, and two sub-domains. I installed this using three Virtual Machines all running Windows Server 2008 SP2 (Beta) Enterprise Edition.

As you can see MobilityDojo.net has expanded geographically for the sake of this article and we now have a presence both in EU and North-America:

The Domain Controllers are all connected to the same subnet, and in the same IP range. Both Forest and Domain are at the 2008 Functional Level.

And to match this domain structure we have a corresponding PKI infrastructure configured:

Root CA is running on the Root DC, EU Sub CA on the EU DC. You get the picture.

You might be thinking this is a strange PKI setup, or that it should have been designed in another way, or something. There isn’t really a single correct answer that stands out as to how you should implement the PKI infrastructure for SCMDM, and this is just one example. I could have opted for a stand-alone offline Root CA, I could have had two separate Enterprise Root CAs in each domain. I might reflect further on this at another time, but not for now.

We are then planning to install two SCMDM servers in each of the sub-domains. One server for the Gateway, and one for Device Management and Enrollment in each domain. These servers still need to be running Windows Server 2003 x64 though since there is no support for running SCMDM itself on Windows Server 2008.

I’ll skip running through the details of the pre-requisites for the W2K3 servers, as this has been covered previously: SCMDM 2008 (RTM) Install Guide
One thing to take note of though is that you need the newer versions of some of these, so a quick summary goes like this:
Device Management Server
IIS 6.0
.NET Framework 2.0 SP1
WSUS 3.0 SP1
Enrollment Server
IIS 6.0
.NET Framework 2.0 SP1
Gateway Server
IIS 6.0
.NET Framework 2.0 SP1

I’ll never be able to keep track later when configuring the servers, so here’s a summary of what we will have of servers and IP addresses:
Domain Controllers (and CAs):
MD-DC
Internal IP: 192.168.10.10
MD-DC-EU
Internal IP: 192.168.10.15
MD-DC-NA
Internal IP: 192.168.10.20

Enrollment & Device Management Servers:
MD-MDM-EU
Internal IP: 192.168.10.30
MD-MDM-NA
Internal IP: 192.168.10.31

Gateway Servers:
MD-GW-EU
External IP: 172.16.x.y
Internal IP: 192.168.10.40
MD-GW-NA
External IP: 172.16.x.y
Internal IP: 192.168.10.41

We’ll start by running ADConfig to prepare our forest and domains before installing. As we will be running two instances the first thing to do is coming up with names for these. Let’s go crazy in the naming department and call them “SCMDM-EU” and “SCMDM-NA”. To make it clear, you can have multiple instances in a single domain as well as far as I know. You do not need different domains, but it was the route I felt like going down for this lab.

I’ll be running ADConfig both on the root domain controller and on the two sub-domain DCs. This is because some tasks require you to be domain admin, and some enterprise admin. I could have just added admin accounts to the corresponding admin groups, but I decided to keep it clean. I have indicated what the task requires, and on which Domain Controller I am running it on.

Here’s what it looks like setting up the EU instance. (I’ll be performing the same steps for the NA instance, but you only need the screenshots once:) )

ADConfig /createInstance:SCMDM-EU /domain:eu.MobilityDojo.net
Requires Domain Admin
Run on EU Sub DC

ADConfig /enableInstance:SCMDM-EU /domain:eu.MobilityDojo.net
Requires Domain Admin
Run on EU Sub DC

ADConfig /createTemplates:SCMDM-EU
Requires Enterprise Admin
Run on Root DC

ADConfig /enableTemplates:SCMDM-EU /ca:”MD-DC-EU.eu.MobilityDojo.net\EU Sub CA”
Requires Enterprise Admin
Run on Root DC

ADConfig /enableGPSecurity:SCMDM-EU /gpo:default
Requires Schema Admin
Run on Root DC

ADConfig /enableGPSecurity:SCMDM-EU /gpo:all /domain:eu.MobilityDojo.net
Requires Domain Admin
Run on EU Sub DC

After performing these steps we run ADConfig /listInstance on the Root DC to verify that we have the following two instances:

You should also run ADConfig /validateInstance on the two sub domain controllers. (ADConfig /validateInstance:InstanceName /domain:FQDN).
This will give you info if there are any errors in your AD relating to your instances. You will need to pay attention to what the warnings/errors actually say though. When I had it validate SCMDM-EU it said there was something wrong with the SCMDM-NA instance, (like I actually told it to check this), and the other way around on my SCMDM-NA instance. I don’t consider this an error in my deployment, but rather the ADConfig tool not fully taking to my multi-instance lab environment

Then we’re off to the next stage – installing all the good bits and bytes.

My girlfriend wants a new laptop. The one she’s using now is an HP Pavilion I used before. A few years old, but ok specs for her needs – only problem is the flex cable, (connecting the LCD to the graphics card), is almost worn out (flickering display), and there’s some other sporadic hardware issues as well. Time for a replacement. Now I’m not giving her a laptop, but I can help her along the way. She actually said to me that she wanted a gift certificate at our preferred online retailer. (How great is that – no chasing through stores looking for stuff I have no interest in:) )

So I could have just purchased a gift certificate, and printed it out on a piece of paper. Let’s make it more sexy I have an HTC Diamond I’m not using at the moment, so I decided to turn it into a delivery tool. No, she doesn’t get to keep it. She gets to boot it up and learn what her gift is. First thing I did was create a png file with the logo of the retailer, the words “Gift Certificate” in a fancy font, and some Christmassy looking trees. You’ll either want to make it 640×640 or 480×640. Save it as “welcomehead.96.png”.

I made a second png with a picture of a laptop I recommend as good value for money (Lenovo N500), and the amount/value of the certificate written below. Save it with whatever name you like and transfer to the Diamond. I disabled the TouchFlo plugin from the today screen, but kept the HTC Black theme. Chose the png I just created as the background image, and I’m done with part one.

Now on to part two which is transferring the first png to the \Windows folder on the device (replacing the file currently there). HTC has been clever on the Diamond, so all the files in this folder are write-protected system files. Which means you can’t just overwrite/delete files. This means it’s workaround time. I created a cab with WinCE Cab Manager, (you can download a trial, it’s a great utility), and added the png file to this cab. By setting the system and read-only properties you can install this on your device even though you can’t do it through file explorer. You’ll need to soft-reset, but that’s hardly a problem.

What you get now is a device that displays a custom boot splash screen, (resembling a gift certificate), instead of the green Windows Mobile logo, followed by a background image displaying the gift the certificate helps acquire. Since there was a test SIM-card in the device that I didn’t bother to remove, I rounded it out with setting the PIN to 2412

I don’t think she reads this blog, so hopefully she will be impressed tomorrow night Maybe your guys out there are already finished with your shopping – then you can keep this trick, and use it on another occasion instead. Oh, and I’ll be bubble wrapping the device along with some nice Valrhona chocolate which probably won’t hurt either.

I don’t know what the correct technical term is, but when looking at the virtual directory you’ll see there are a number of “sub services”:

Probably the more correct term is that there are actually several distinct web services grouped under a common virtual directory.

They are available at https://FQDN:8446/MDM/x/Admin.asmx where FQDN is your Device Management Server, and x is the service you want. (Replace x with a value from the list in the screenshot above.)

I’ve listed them all below here for your convenience, but as you can see from the available options not all of them are relevant for your “average” usage scenario.

AdgpService

AdminService

GatewayService

InventoryService

SoftwareDistributionService

TaskExecutionEngine

WipeService

We will not go into all of these operations. The functionality we are interested in right now (relating back to our sample application) is Wipe.

We want something like this in our utility:

Looking into the Wipe operation in our web browser we find the following:

This deviceID is the SID (Security Identifier) that can be found as a property of the device object in Active Directory. Given the device name we should be able to look up the SID so for the sake of our user interface this does not matter.

WipeOut
So we just pass the SID on to the Wipe operation, and we’re done right? Ah, if it only were that easy. If you have been following my trail of screenshots you’ll have noticed other operations that might seem to be related to the wipe operation namely the following:
- UnEnroll (EnrollmentAdmin – shown in previous web service article)
- RemoveDevice (AdminService)
- AddBlockedDevice (GatewayService)

You see, there are different kinds of wipes depending on what you are trying to achieve. A wipe deletes the contents of a device, a block prevents the device from establishing the VPN tunnel (thus only reaching as far as the Gateway server), remove device will remove it from the managed devices list, and unenroll presumably removes the Active Directory object. But I’ll admit that I am not entirely sure of the details these operations perform, in which sequence you should execute them, etc. “Wipe” and “Block Device” are both available as options in the MDM console, and has different purposes (a blocked device can be unlocked and allowed to connect again). Let’s just it leave it there for now

In the spirit of keeping things simple I’ll only use the “simple” wipe operation here since this will get rid of everything on the device. The code used to wipe looks like this:

Few things to keep in mind here. Since the SID of the device can only be found through Active Directory I perform an LDAP lookup that should return the SID given the device name as input. Make sure the ldapPath is searching the right OU for devices. Make sure you use the correct objectCategory and objectClass in the LDAP filter. (The values I use should work for you as well if you haven’t modified anything regarding device objects.)

I have also hard-coded username/password for authentication, and included the FQDN of the web service which means you can run it from other computers in the LAN than the server, and without using the credentials of the logged-on user. This is purely for the purpose of illustration! Do not actually take this approach for a solution you will be using. (I like to show different techniques which is why I do it here, but I will change it later when tidying up the internals of my application.)

I guess we can check off another item on my “feature list” for the simple helpdesk utility. There’s still a few steps that remains before we have a working application, but most of those aren’t relevant for you to go through. So I’ll perform those by myself, and present you with the result instead

We have scratched the surface of the web services interface in SCMDM, and showed some very simple things you can do with it. There are obviously some limitations to this interface to the servers, but you can probably still come up with other use cases than the ones I have. I might revisit the web service topic at a later time though. I’ll post a wrap-up of the helpdesk utility as soon as I have it compiled and performed an initial beta test.

The following operations are available:

We’ll have a closer look at the following operations:
- GetConfiguration
- SetConfiguration
- NewEnrollmentRequest
- RemoveEnrollmentRequest

The other operations also serve a purpose, but not necessarily in this context. (Do you perform traces daily?) GetEnrollmentServiceLog is useful, but is also easy to do in Powershell.

GetConfiguration
Testing this in the browser we see that no parameters are required.

Resulting XML (excerpt):

It’s basically a more verbose version of the cmdlet Get-EnrollmentConfig:

SetConfiguration
Browsing to this operation we see another scenario:

This basically means – you cannot test this in your browser.

NewEnrollmentRequest
This operation cannot be tested in the browser either, but we can learn something from the SOAP definitions:

These are the fields we need to provided to create an enrollment, and yes, they are the same fields needed for running the Powershell cmdlet New-EnrollmentRequest:

RemoveEnrollmentRequest
Just as easily as we can create enrollments, we can remove them. This only applies to enrollments requests (not enrolled devices), and is another name for canceling an enrollment. (Maybe you made a typo or something when creating the original request.)

You may invoke this operation from the web browser provided you have all the necessary details available (I don’t perform base64-encoding as a mental exercise):

Monkey see, monkey code
Ok. Let’s have a look at how this will work out in our own program. I adjusted some design elements from the mock-up, and I have also filled in sample values:

I have not implemented the two “Browse”-buttons yet, so no screenshots, but the first one should let you browse for users, and the second for OUs/CNs. The Device OU field should ideally be populated with the default OU for devices. Enrollment Password and Enrollment Expires could actually be labels as they are read-only.

Here’s the code snippet for the “Create Pre-Enrollment Request”-button:

Hard-coding the url to the enrollment server is not very flexible, but it makes the sample shorter (as do the omission of a try-catch block). If you are wondering where the AdminEnrollService class came from I added the web service as a web reference. (I haven’t shown any details regarding creating the Visual Studio project, but I don’t know if there’s a demand for it, or if people will figure it out themselves.)

I did an additional “cheat” as well here. I am not authenticating in any way. But I am running on the server, as administrator, and therefore it will work anyway.

So, does this work? Well, here’s what it looks like after clicking the “Create…”-button:

Guess it worked then! (Will get around to using the status bar later to output “OK” or something.)

Let’s try removing the request as well. First through the web browser:

Resulting XML:

It does seem easy doesn’t it? But where did that base64 string come from? Well, when creating the pre-enrollment request a property called requestId is returned, so I catched this value in debug mode when creating the pre-enrollment and I pasted it into the web page.

Doing it in code would look like this:

GetConfiguration and SetConfiguration that I showed above aren’t really relevant to implement in coding. It’s easy to work it through Powershell, and I’ll leave it at that.

No, I didn’t include the code as images instead of providing text you can copy-paste just to be cruel. It looks better, and is easier for me, since I have some problems with the plug-in for syntax highlighting. It’s not large amounts of code to type though, and I might attach some source files later.

I hope you’re still following me (and enjoying the ride) – there’s still more web services to come

I’ve been doing some experimentation in my lab recently performing enrollments, and when I was going through the pre-enrollment wizard yet again I thought – “This doesn’t make sense – it’s got to be a better way!” Yes, I know, I could resort to PowerShell, but I was thinking something that was really easy

And a couple of other things occurred to me at the same time… We’re not going to have the poor SCMDM admin guy create all enrollment requests in a real environment are we? Yes, there is the self service page, but picture this: User is traveling, loses phone, calls helpdesk to wipe/block device, buys new phone, calls helpdesk again to enroll the device.

There’s bound to be a few of those calls. So I decided to create a small helpdesk application to solve these small issues. Ok, to be honest, the motivation that made me actually create this application was learning more about the web services in SCMDM 2008. If it was just annoying I could have lived with it If someone ends up using it for actual helpdesk purposes that’s just an added bonus.

At this point maybe you’re thinking “what about customizing the self service portal from the resource kit?”. Good point. I have looked at the self service portal, and tested using it. I have not however tried customizing it yet. Maybe that is a better solution than what I’m trying to do here. I don’t know yet…Maybe we’ll try that avenue later.

Still being a sucker for the learning-by-doing approach I thought combining the web service walkthrough with creating this utility might make for interesting reading.

So what should this tool be able to do? I’m having the following features in mind to start with:
- Create Pre-Enrollment Requests.
- List current Pre-Enrollment Requests.
- Cancel Pre-Enrollment Requests.
- Wipe device.

So I did a quick mock-up of the UI, and I’m thinking something like this (I’ll work on the design elements later):

This could obviously be created as a web app instead of a stand-alone app, but as a personal preference I like creating prototypes as stand-alone.

To answer a question up-front right away; you will notice that there are no downloads at the end of this article. There are a couple of reasons for this:
- I have not written all the code yet that is needed behind this “sophisticated” GUI.
- Service Pack 1 for SCMDM is right around the corner, and I will not make a release available of this tool until I have tested it with SP1.
- Since I have only performed some simple tests so far I might run run into problems later that needs some extra work to solve

Maybe you’re also thinking “I’m not a programmer so I’ll just skip this until the tool is released”. Well, obviously everything I type on to this little site of mine is voluntary reading But I will try to both show some of the code required, and show some of the details that could be of interest to those who just wants to get to know SCMDM a little better. (Let me know if I’m failing these objectives.)

The first thing we need to understand is what we mean by web services in this context, and what it means to SCMDM. A web service is a way to expose methods/functions in a program publicly through an HTTP interface. This means that you can interact with whatever language you choose across different platforms, and if implemented properly (by those providing the web service), you can extend the functionality of a program with very little fuss. Hit http://en.wikipedia.org/wiki/Web_service for a more detailed (and possibly more understandable) explanation.

SCMDM 2008 follows a trend Microsoft has showed the past couple of years where interaction between different components are exposed as web services, and the bits and bytes are based on managed code (C#). So when you are enrolling your device – you’re using a web service. When creating a new enrollment – you’re using a web service. Wiping a device? Yes, there’s a web service for that as well.

Obviously there are some background processes not exposed publicly – interacting with the SQL database, doing some work that needs to be done in C++, doing “secret” things. But that’s the great thing; if I execute a device wipe I don’t need to know the details, I just want to have this available to me as an option.

When you are using the SCMDM Admin Console you are essentially viewing a GUI interacting with the SCMDM web services in the background. So what web services do we have access to? Here’s a screenshot of IIS Manager on an SCMDM server running the Enrollment and Device Management roles.

The SCMDM web services are EnrollmentAdmin, Enrollment, MobileDeviceManagerAdmin, and MobileDeviceManager.

And there’s a web service on the Gateway Server as well:

If we browse to the “Enrollment” web service it might look like this:

We see from this that there are three operations exposed in this web service. Let’s look at “ShouldEnroll”:

This one is easy to test in the web browser, and does not need any programming. When you try to enroll a device this is the first thing the device checks to see if it is eligible for enrollment. (After you have entered your e-mail address, and the server is located, e-mail is provided as ownerIdentity. See my previous article The Enrollment Process in SCMDM2008 – A Closer Look for further details regarding enrollment.)

So we provide “1.0.0.0”, (applies to SCMDM 2008 RTM), in the version field, and “andreas@mobilitydojo.net” in the ownerIdentity field.

XML is returned indicating a true or false value (located in the hr tag element):

The other web services work in a similar way, but some of them you will only be able to use programmatically.

An important detail that might not be clear from the screen shots above is that there are access controls in place. Most of the web services requires you to authenticate, and be a member of a specific security group (the Enrollment service is a special case). And through IIS restrictions most of them are not accessible outside of the LAN.

The title of this post included the word “Introduction”. I had a “worklog posting” sequence in mind, and I’ll delve into more of the details in upcoming posts. Stay tuned for more web service adventures

People are often surprised when they ask a question regarding the push functionality of an MDM solution, and I tell them it’s not push-based. It’s pull-based, and every 4 hours or what have you, the device connects to the server. And I say to them that I don’t consider that to be an issue either. Now why is that? Well, an MDM solution is somewhat more static than a PIM solution. You may very well be receiving e-mails every five minutes, but you are most likely not changing your security policies or distributing new applications every hour. And if you have changed something most likely it’s not a problem if it takes another hour to apply to the devices.

Ok, we can buy into that. But wouldn’t it be nice to have anyway? Well, there are a few technicalities involved in providing push functionality.
- You can keep an HTTP session open all the time. You may run into the same problem both ActiveSync, OneBridge, Intellisync, etc have struggled with; battery life. (Side note: they have all improved drastically, but it took a few iterations. BlackBerry are really good at this game.)
- You can “ping” the device over IP to wake up. Which works nice on a LAN where all IP addresses are registered in DNS/DHCP and routable. And works less nice over a NATed GPRS network with ever changing IP addresses…
- You can send an SMS/WAP push to the device to wake it up. (This is what Exchange 2003 pre-SP2 used and it was called Always-Up-To-Date.) You can either have SMTP-to-SMS if your operator provides this service. (Where I live all operators have discontinued this offering.) Or you can use an SMS gateway or SMS modem. Let’s just hope you pay a really low rate for your SMS’s if you choose that route.

All of the above may work well for your scenario. And indeed there are MDM solutions offering push based on these alternatives. But here’s a quick tip: ask the vendor how well this scales.
How many devices can an Exchange 2007 Client Access Server provide push for? Let’s just say it requires more than one server to reach five digits. And how do you think your average SMS modem handles a queue sending out “pings” to a couple of thousand devices. If you don’t need to have all devices being able to apply a policy within seconds, wouldn’t you rather reduce the number of servers and improve the number of clients one server can handle?

Now I can’t read Microsoft’s minds, but I’m guessing some of these thoughts crossed their minds when designing System Center Mobile Device Manager (SCMDM). And this is also the mindset you are working with in Afaria from Sybase (which is most definitely made for Enterprise, and not limited to your average small business). Now I’m a big fan of Afaria for other reasons, but we will see if that’s something we will explore in greater detail at another opportunity as it’s not the topic for the day.

It sure would come in handy though if you could work out a compromise. Not necessarily true push, but being able to reach a given device “now” instead of waiting for the next schedule to occur. Once again – Afaria delivers on this premise. You can use SMTP-to-SMS, IP-based trigger, or SMS gateway/modem.

But I want this in SCMDM as well! How can I fix that? I like a thorough background explanation which I believe I have provided here, but let’s get down to the bits and bytes folks. At PDC a few weeks back Microsoft announced their cloud offering dubbed Azure. I applied for an invite, and what do you know, I received an e-mail some time later with the code I needed to gain access to the cloud.

Is there a point to this? Well, I’ve played around a little, read through some documents, and I am still working with understanding all the concepts. But I had an idea running through some of the training labs. Would it not be possible to have a component on your devices which has a connection open to the cloud at all times, and also have a component on your server. So on your server you have a list of devices, and even though you don’t know if it’s online or any connection details you can fire off a ping to the cloud. The device will pick up on the ping, and basically perform a “Connect Now”.

But Andreas, did you not state just a few moments ago that there were challenges to having this HTTP connection alive at all times? And are you buying into this whole “cloud computing” buzzword? Well, here’s the thing. As I said things have improved on this front, and even though I don’t know yet what the impact will be I’m willing to try it out. And although I know this could be implemented without any assistance from Microsoft I do like having someone providing a ready infrastructure for me, and components that are already implemented, giving me an shorter path to achieving something.

I haven’t implemented any code at this point in time, and haven’t gotten all the implementation details down either. So maybe I’ll actually find out that it simply doesn’t work. Maybe it’s a dead end, and I’m wasting time on something that’s not going to work as expected. For all I know, maybe it’s just a silly idea not worth pursuing. (We have all seen solutions in search of problems to fix.) Even if I do manage to get something to work Azure is still just a CTP at the moment. What business model Microsoft will adopt, and what the pricing structure for using the cloud will be is also vague at the time being. (There’s obviously a limit for what people will be willing to spend for this feature.)

But what do you think? Is this something you would like to see? I’d be interesting in hearing different takes on this subject. (If you have inside info about future releases of SCMDM, and know that this feature will be available in some form, point me in the direction of some other project I can keep myself occupied with ) I’ll keep you posted if I make any progress, and if you adapt it to a product before that time occurs I want royalties for providing the concept

This new version includes a “Check File”-tab where you can test the encryption status of a file. (This is functionality previously found in CheckEncryption.exe which I haven’t really published here, only linked to over at the SCMDM forums. But I have fixed file browsing this time.) This feature is “stand-alone” in the sense that you don’t need to use DojoCrypt’s encryption to test the file. This might come in handy if you are applying include/exclude filters from SCMDM, (or other MDM solutions using the built-in encryption in Windows Mobile), and want to check that you’ve set it correctly. Including folders, and excluding subfolders requires you to be very sure you’ve typed it correctly.

Also the program will now list your current inclusions/exclusions at startup as that was sort of a showstopper previously. There’s also some minor code changes. (And hey, I even made a shortcut on your “Programs”-menu.)

And here’s the interactive part of this post; I am still only releasing a version for WM Professional. I can probably produce a version for WM Standard as well, but I don’t know if there is a demand for it. If nobody is using this utility I’m ok with that, but then it would not make sense to put another version high up on my to-do list. So it’s up to you. Let me know if you are interested in a version for Standard, and I’ll see what I can do

Here’s the download link:
http://mobilitydojo.net/files/DojoCrypt_10.cab

Hosts File Editor PPC/Pro:
I noticed a small bug while testing on the Windows Mobile 6.1 Classic that made the app crash. I added a try-catch in the proper place, and I think it’s fixed now.
A commenter on the post said it was not possible to run on devices without a physical keyboard, so I added a checkbox to activate/deactivate the SIP. (Software Input Panel.)

Hosts File Editor Smartphone/Standard:
Marco (http://myitforum.com/cs2/blogs/mnielsen/) asked if I didn’t have a version for Windows Mobile Standard devices. I didn’t, but I decided to make an attempt at providing that So here you go – see if it works for those of you with that flavor of Windows Mobile.

As always – give me feedback if it doesn’t work, or if it’s lacking in any way. I’m not making promises that I can satisfy what you are asking for, but the Smartphone/Standard version would not have existed if there hadn’t been a request made for it

Download:
Windows Mobile Professional: http://mobilitydojo.net/files/HostsFileEditPro.exe
Windows Mobile Standard:http://mobilitydojo.net/files/HostsFileEditStd.exe