FAQ for System Center Mobile Device Manager 2008

We will update these FAQ as new issues arise, so check back frequently.

 

General

Q: What is the level of integration between SCCM and SCMDM?

A: There is currently no direct integration between SCMDM and SCCM, SCMDM is run standalone.

 

Q: What is Microsoft's support policy on running SCMDM on VMWare?

A: These articles are structured to provide a quick answer on supportability. 

<https://go.microsoft.com/fwlink/?LinkId=125767> points to 897615 Support policy for Microsoft software running in non-Microsoft hardware virtualization software

<https://go.microsoft.com/fwlink/?LinkId=125818> points to 957006 Microsoft server software and supported virtualization environments

Note: Running SCMDM on Hyper-V and Virtual Server will be supported in SP1.

 

Q: Is there a maximum number of users supported by MDM and how many servers would you need to support this?

A:

An MDM Instance can support up to 30,000 devices.

There may be up to 16 servers running MDM Gateway Server in an MDM instance

There may be up to six computers that are running MDM Device Management Server in an MDM instance

You can have up to two computers that are running MDM Enrollment Server in an MDM instance

 

Certificates

Q: Is there any easy way to renew the device certificate when it expires?

A: Certificate renewal is automated, as long as the device can connect to the issuing CA via mobile VPN.  For CS server configuration for MDM see Configure Certification Authority for MDM in the SCMDM documentation.

 

Q: How does a device know when and how to renew its certificate? Is this done directly from the device or handled by the DM server and then passed to the device?

A: The renewal request is handled by the certificate CSP on device and is uses the path to the CA that is specified in the certificate. This is done over HTTPS using mutual SSL authentication. You can see the certificate renewal information for the device by viewing the XML the device gets provisioned with during enrollment. To do this, open the MDM shell and run Get-EnrollmentServiceLog. Locate the enrollment record for the device and search for RenewalInfo. The section will look something like:

<characteristic type="RenewalInfo">

<parm name="ServerName" value="MDMCA.mdmtestdomain.com" />

<parm name="Template" value="SCMDM2008MobileDevice" />

<parm name="RequestPage" value=" /certsrv/certfnsh.asp" />

<parm name="PickupPage" value=" /certsrv/certnew.cer" />

<parm name="NoSSL" value="1" datatype="boolean" />

</characteristic>

 

Q: What happens when a server needs to renew its certificate?

A:  SCMDM 2008 servers do not renew their web certificates automatically. However, you can use the MDM Certificate tool located in the Resource Kit to check expiration dates and even send e-mail when a certificate is nearing its expiration date.  The tool can be also used to create new certificates for the SCMDM server's web sites.

You can also manually create the certificates - see https://technet.microsoft.com/en-us/library/cc135742.aspx

You will need to create the following certificates:

  • DM
    • GCM
    • DM Web Service
    • DM Admin Web Service
  • Enrollment
    • Enrollment Web Service
    • Enrollment Admin Web Service
  • Gateway
    • Gateway management web site

Note: You cannot simply import a new certificate into the Gateway management web site. To replace the Gateway certificate:

1. Remove the existing certificate.
2. In Control Panel run Setup for the Gateway from Add/Remove Programs > Change.
3. Select the Change option and enter the new certificate information on the appropriate page in the wizard.

 

Q: If the firmware is upgraded on a device, it can't use the previously assigned certificate. Is this normal?

The existing certificate in AD cannot be reused when a device is re-flashed because the private key associated with the certificate is lost, so the certificate can no longer be used by the device to perform encryption or assert the device identity.

 

Q: Is there a supported way to change the CA that SCMDM uses after SCMDM was installed?

A: If the devices use a different CA than the servers, you can change the device CA by running the following cmdlet in the MDM Shell:

Set-EnrollmentConfig -CertificationAuthority caserver\cainstance

Note: this may cause enrolled clients to not renew their certificates when they expire, as they will be pointing to a different CA for renewal than the one that issued the certificate.

To change the CA the servers will use, you can use the MDM Certificate tool   in the MDM Server Tools section of the Resource Kit.

Use the /ca parameter to specify the CA server.

 

AD Group Policy

Q: The GPO creates policies for both machine and user. How are these targeted? What are the criteria?

A: Some policies are under machine and should be targeted at the location of the computer account in AD.

Some policies are under user and should be targeted at the location of the user account in AD.

The split is based on whether the policy setting is considered a device or OS setting (i.e. most of them) or an application setting (e.g. Outlook Mobile).

This is a common cause of support calls - if a policy is not applying, make sure it is targeted to the correct machine or user container.

 

Q: Is it possible to generate a report of the current settings for all my MDM policies?

A: The MDM GPMC allows you to generate a Group policy report per device. This functionality is available out of the box. Instructions on how to do this can be found here.

https://technet.microsoft.com/en-us/library/cc135619.aspx

 

Q: Can SCMDM block the use of applications that come preinstalled on a device by the OEM?

A: There is a Group Policy setting to block in-ROM applications. Apps included in the device ROM by the OEM or operator could be added to this block list.

 

Q: What policies can be enabled for roaming?

A:

Device Management | Configure device management when roaming
Mobile VPN settings | Always connected when roaming
ActiveSync | Block sync when roaming

 

Software Distribution

Q : Is it possible to deploy Windows Mobile updates ?

The current release of SCMDM does not support patching WM devices with firmware updates. However, administrators can allow/disallow enterprise devices to talk to WMU services directly via group policy.

 

Q : Can I distribute software to user groups? Is it possible to script the creation of groups in WSUS ?

A : The current release of SCMDM does not support user-identity based targeting. We do realize the demand for this feature. It is possible to script the creation of WSUS groups via the public APIs.

 

Q : Does Software Distribution have a mechanism (like BITS for desktop) to resume transfer when the network connection has been temporally broken?

A: Yes, this mechanism is in place

 

Q: Is there in SCMDM a mechanism to control the bandwidth used for software distribution? Is it possible to specify a bandwidth percentage allowed for SD?

A: In the current release of SCMDM, we don't have the feature that gives users control over the bandwidth used for software distribution. People have expressed the need for this feature and the  team is well aware of it.

 

Q: Does SCMDM allow whitelist functionality for applications on the device?

A: You can use the functionality provided by two policies to control this behavior

  • - Allow specified unsigned applications to run as privileged
  • - Allow specified unsigned applications to run as normal

More info here: https://technet.microsoft.com/en-us/library/cc135661(TechNet.10).aspx

Q: What is the largest package size supported by MDM?

512 MB is the hard limit imposed by Software Distribution package creation wizard on the server.

Cab size limitation from client perspective is dependent mostly on following external factors.

·         Memory available on device.
·         Connection speed.
·         CPU speed of the device.

 During the test process we were successful in downloading cabs up to 25 Mb in size on the device.

 

 

Administration

Q : Is it possible to delegate the management of WM devices to different groups of admins based on their location ? For example, the UK admin would manage the UK devices ?

The current release of SCMDM does not support administering deployments based on geographical locations.

 

Q: What is the level of delegation with regards to administration? (e.g. Could someone at the help desk be granted permissions to do a remote wipe if a device is reported missing but not be permitted to change the software assigned to the device)

Currently for most admin activities role customization is not implemented.  Therefore admins in certain groups have the permissions to perform a set of activities (like wipe, block devices) while others have different set of permissions (like reading configuration).  These mappings are not customizable in current versions.  There are some exceptions to this:

-Group Policy
-Software Distribution

Group Policy permissions (setting policy on a device) are controlled via Group Policy and OU delegation.  Therefore you could have a user that only manages policy for devices and does not have any other permissions.  Software distribution is controlled via the WSUS Administrators group and through the WSUS permissions model.   

For a listing of the role mappings to actions that roles can perform, see here:  https://technet.microsoft.com/en-us/library/cc135605(TechNet.10).aspx 

 

Inventory

Q: Is it possible to perform software inventory on a device and have the device send files to the DM server, similar to software inventory file collection in SMS/SCCM?

A: SCMDM does not support file inventory file collection.

 

Security

Q: Where can I find out what kinds of encryption MDM supports for things like WiFi, storage card, etc?

A: The documents Security Model For Windows Mobile 5.0 and Windows Mobile 6 contain this. For information on the Mobile VPN protocols for Windows 6.1 see https://msdn.microsoft.com/en-us/library/cc440249.aspx

 

MDM Client/Mobile VPN

Q: What SCMDM factors affect device battery life?

A: There are several factors that affect battery life:

  • Connection type - Typical APN settings have short timeouts. These force VPN reconnections at short time intervals and result in poor battery performance. This is the most common (but not the only) reason for poor battery performance. Check the APN (Start - Settings -GPRS ) . You may be able to change to another provided by the ISP that has longer timeouts.
  • NAT KeepAlive frquency - If NAT is detected by the Mobile VPN, keepalives will be sent periodically (45 seconds). The period between keepalives is configurable. Because sending too many keepalive signals may significantly impact the battery life of the mobile device, it is recommended to contact the Mobile Operator and use a cellular data connection that does not require NAT or ensure that NAT inactivity timeouts have been customized for UDP.

To get information about the NAT and keepalives, download and run this tool on your device:

https://technet.microsoft.com/en-us/scmdm/cc304591.aspx

MDM VPN Diagnostics Tool

1.    Install this tool on the device and run it.

2.    Go to Menu->Diagnosis, scroll down to the NAT Status Key portion of the diagnosis. It will tell you if NAT is detected, KeepAlive is needed, and the KeepAlive interval.

The NAT timeout can be adjusted via a registry key using the VPNDiag tool (see Menu->Configuration->NAT Keep Alive Interval). However, most devices use 45 seconds. If battery life is still a problem, check with the ISP and find out their NAT timeout interval.

  • Other possible causes: Application traffic, the device itself, characteristics of the Mobile Operator's network, shorter MDM sync times may have been configured (the default interval is 8 hours).

 

Q: Is data encrypted in memory (e.g. if end user opens a Word doc that is encrypted on the device) on the mobile device?

A: There are Exchange and SCMDM policies that can enforce encryption of data on the device in internal storage and also a storage card. This is actually a Windows Mobile 6 feature - from https://www.microsoft.com/technet/solutionaccelerators/mobile/maintain/SecEntMessaging/4ea10143-5661-45c7-a26b-d01070e3632b.mspx

Support for encryption of data stored in removable storage cards. Storage card encryption supports Advanced Encryption Standard (AES) in 128 bit cipher strength.

The following list shows the storage card encryption support:

Encrypt data written from the mobile device to removable media. The data will be encrypted for use on the encrypting device only. If unencrypted data is transferred to the storage card by another device (Phone, PC), the content is not encrypted by the device. ActiveSync file explorer provides desktop access to encrypted data files.

Enable over-the-air (OTA) provisioning of encryption by using Exchange or other OTA device management solution.

OEMs and Mobile Operators can provision the encryption policy during a cold boot of the device.

Encryption is transparent to applications and users, not including performance impacts.

Storage card encryption can be managed by Exchange 2007 policies [JR] or SCMDM policies. The user can also manage the mobile encryption configuration through the control panel [JR] if no policy is being applied.

For more detail, check the documentation for the Windows Mobile SDK.

 

Q: Is it possible to have a user use his GPRS connection and/or a home WiFi connection, but have them switched over to the corporate WiFi network when they access the company building?

A: The connection will not switch dynamically.The user can switch it manually. If the user is connected via GPRS, VPN will stay on GPRS until the GPRS connection is no longer available.  It will not automatically switch to WiFi when WiFi becomes available.