General Discussion: Step-by-step guide for installing SCMDM

All Replies

  • Monday, September 22, 2008 8:23 PM, Patrick Salmon (MVP, Answerer)
     
    Great post, Andreas. Thanks for taking the time to share.

    BTW, it's important to note that this configuration loses 'wipe now' (which may, or may not, be a very bad thing depending on your viewpoint), but otherwise is basically fully functional, works great and is fully supported.

    best, Pat.
    Mobility Architect, Enterprise Mobile
  • Monday, September 22, 2008 9:13 PM, Andreas Helland
     
    Yes, it is a good point that you lose "wipe now" - though I don't know how important it is in a LAN-based scenario. Still, don't know why I didn't include it... I'll probably update the guide with a few lines about this point.
  • Wednesday, September 24, 2008 12:02 PM, FranckMi
     
    Hello,
    Why do we lose the wipe feature with this configuration?
    Thanks.

    Franck
  • Wednesday, September 24, 2008 12:14 PM, Andreas Helland
     
    Quoting http://technet.microsoft.com/en-us/library/cc664626.aspx:
    The Alerter service on MDM Gateway Server receives alerts from MDM Device Management Server for urgent commands, such as a managed device wipe. The Alerter service verifies that the managed device is connected to the network. Without an MDM Gateway Server you cannot use the Alerter service and will lose the ability to perform a Wipe Now request on a managed device. You will still be able to initiate a wipe immediately upon the next connection.

    For a wipe now to work, needless to say, we must have an active connection to the device. This is the responsibility of the Gateway server, which maintains all VPN connections, has a table with NAT mappings of the devices, and keeps track of the communication between devices and the DM server (also sitting in between as a proxy). This makes sense because all devices should ideally connect through the gateway and never directly to the DM server.

    The DM server was never intended to perform these tasks, and therefore does not have the necessary components to do this. So if the DM server were to send out a request it wouldn't have any guarantee it would reach the device. This means it's "safer" to execute on the next schedule and be sure it's executed.
  • Wednesday, September 24, 2008 2:30 PM, Patrick Salmon (MVP, Answerer)
     
    And, expanding a tad on Andreas' excellent post, it's important to note that you lose "wipe now" only. Device wipe still works fine.

    The difference b/w the two is the alerter capability on the GW which will process the 'wipe now'. A vanilla 'device wipe' will be sitting on the DM until the device checks in at its regularly scheduled time (default is every 8hrs, but this is Administrator configurable to whatever you want - note, though, that this is a global setting that affects all devices, not just one, and a higher interval is better).

    One reason why this can't safely be done from the DM is that the device is protected against wipe now being spoofed. The DM will almost certainly have an RFC1918 (10.x.x.x, 172.16-31.x.x, 192.168.x.x) non-publicly-routable address whereas the GW should have a public address which is a match against the DNS <A> record. The device checks the source address and by design will discard a 'wipe now' that comes from any address other than the one it knows to correspond to the <A> record.

    Device wipe on checkin will still work because the security risk (spoofing) isn't there owing to the device being the session-initiator.

    best, Pat.
    Mobility Architect, Enterprise Mobile
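The source-address check Pat describes, written out as an added illustration (not SCMDM's own code): the device pins the address it resolved for the gateway's A record, drops any unsolicited 'wipe now' from an RFC1918 or otherwise non-matching source, and only honours one from the pinned gateway address. The pinned address, the alert format and the sample alerts are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed assumption: the public address the device resolved for the
# gateway's DNS <A> record when it enrolled (TEST-NET-3 range, documentation only).
PINNED_GATEWAY_ADDR = "203.0.113.10"

# The non-publicly-routable ranges listed in the thread; a DM server on one of
# these can never match the gateway's public <A> record.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass
class Alert:
    """A minimal, constructed view of an unsolicited push alert (hypothetical format)."""
    source_ip: str
    command: str


def classify_alert(alert: Alert, pinned_gateway: str = PINNED_GATEWAY_ADDR) -> str:
    """Return 'accept' or a 'reject: ...' reason, mirroring the device-side check:
    only a 'wipe now' whose source equals the pinned gateway address is honoured."""
    try:
        src = ipaddress.ip_address(alert.source_ip)
    except ValueError:
        return "reject: unparsable source address"
    if any(src in net for net in RFC1918):
        return "reject: RFC1918 source cannot be the public gateway"
    if src != ipaddress.ip_address(pinned_gateway):
        return "reject: source does not match pinned gateway address"
    if alert.command != "wipe now":
        return "reject: unexpected command in alert"
    return "accept"


# Constructed sample alerts: one genuine, one spoofed from an internal address,
# one from a public address that is not the gateway.
SAMPLE_ALERTS = [
    Alert("203.0.113.10", "wipe now"),
    Alert("10.0.0.5", "wipe now"),
    Alert("198.51.100.7", "wipe now"),
]


def triage(alerts=SAMPLE_ALERTS):
    """Classify each sample alert; returns (source_ip, verdict) pairs."""
    return [(a.source_ip, classify_alert(a)) for a in alerts]


if __name__ == "__main__":
    for ip, verdict in triage():
        print(f"{ip:>15}  {verdict}")
```

A scheduled check-in needs none of this because the device opens the session itself, which is why plain device wipe keeps working without the gateway.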
  • Wednesday, October 01, 2008 9:40 PM, Andreas Helland
     
    Moderator: It's now a feature complete guide - should it be made a sticky thread? If anyone else has guides that are on topic in line with the subject they can be included here.
  • Thursday, October 02, 2008 2:33 AM, Patrick Salmon (MVP, Answerer)
     
    Makes sense to me. I'm not a moderator here, but play one on TV <g>. I'll ping Gabe.

    best, Pat.
    Mobility Architect, Enterprise Mobile
  • Friday, October 03, 2008 12:08 AM, Gabe Storm (Moderator)
     
    Stickiness applied.
    Best Regards, Gabe
  • Tuesday, October 07, 2008 3:25 AM, Ken88
     
    Hi guys. Some questions to ask. Firstly, do I have to do anything else other than adding the host (A) record for mobileenroll on the domain controller? Do I have to do anything else (i.e. enabling stuff) in order to install the MDM enrollment server?
    Currently I'm up to the guide part 3 where I'm supposed to enroll my mobile image, but they can't seem to find my server.
    The IP address that I've assigned to my mobileenroll."domain.com" is the same as the IP address assigned to my SCMDM server name.

    While running BPA, everything seems to be successful

    Regards, Ken
  • Tuesday, October 07, 2008 7:45 AM, Andreas Helland
     
    Are you using a device emulator or a real device? My scenario assumes you're either connected through ActiveSync, or WLAN enabling you to use the domain controller for DNS lookups. Is the device/emulator able to reach any other sites?
  • Thursday, October 09, 2008 1:59 AM, Ken88
     
    Hi Andreas, sorry for the late reply, I was busy with some work. I'm using a device emulator, and for my set-up my whole configuration just consists of 2 CPUs connected via a switch (LAN). I think I am unable to connect to any sites as there is no internet connectivity within my set-up.

    Best Regards, Kenny
  • Thursday, October 09, 2008 9:13 AM, Andreas Helland
     
    When using the emulator there are different ways to achieve connectivity depending on different factors.
    - If you are running the emulator on a desktop with Virtual PC installed you can use a virtual network card so the device is "properly" on the LAN.
    - If you can't emulate the NIC you can cradle it through ActiveSync/WMDC.

    I won't go into the details here, as there are a number of possible ways to achieve connectivity. And obviously the emulator needs to be able to send/receive traffic out of its virtual "existence" before you'll get lucky.

    I have however come up with a utility that will let you fix/troubleshoot DNS-related problems :) An editor for manually adding DNS entries locally to the device can be found here:
    http://mobilitydojo.net/2008/10/09/using-a-hosts-file-on-windows-mobile/
  • Friday, October 10, 2008 3:10 AM, Ken88
     
    Hi Andreas, Managed to get it to connect. Thanks for the tips =). Cheers
  • Monday, November 17, 2008 11:15 PM, rekceb
     
    Andreas, I'm trying a new installation with no Gateway... mainly because I don't want to use the VPN feature and I don't care about the ability to wipe the device. In your walkthrough you state that the Device Management Server's FQDN will not be accessible to the Internet. I was a little confused about this: in order for the devices to connect without the VPN, won't they need to be able to see the DM Server externally?
  • Monday, November 17, 2008 11:27 PM, Andreas Helland
     
    In the lab I built there is no internet access, and this is what I mean by not being accessible externally. Often the internal FQDN and the external FQDN will be different, and you need to select the correct FQDN for the certificates. It is not a problem, however, if you want to try it out to expose the DM server to the internet, as long as you then input the external FQDN in the setup wizard.
  • Tuesday, November 18, 2008 12:09 AM, rekceb
     
    Gotcha, thanks for clarifying, Andreas!