System Center Mobile Device Manager TechCenter >
Mobility Forums
>
System Center Mobile Device Manager
>
General access denied error - mdm2008 sp1 software deployment
General access denied error - mdm2008 sp1 software deployment
- Hi,
I see this error in managed programs on the device itself when deploying MDMDeviceStatusViewer to a Samsung Mobile i780 with Mobile version 6.1.3. . This works fine on a HTC Mobile with version 6.1.4 . I am using MDM2008 SP1. I am using excactly the same method for both devices using group policy and mdm wsus.
any ideas,
Thanks Stjani
Answers
- To make it easy for future user to search to forum, it might be better to open a "extracting more device information" thread.
Cheers
Wayne- Marked As Answer byStjani Wednesday, June 24, 2009 9:46 AM
All Replies
- You are able to install the cab manually on the Samsung without any warnings/prompts? Have you signed it with your own software cert, that you have also deployed to the devices, or is the cab signed with the Microsoft certificate it came with? For instance if the Samsung for some reason has a different list of trusted CAs installed this could be an issue.
I don't know if there are any firmware updates available for the Samsung - some of their devices have been known to have bugs related to SCMDM. Some Device (Especially carrier modified ones) have the security nailed down. While testing this device, use the Security Configuration Manger to manage the device security. It’s included in certain versions of Visual Studio, so check if you have VS installed. Check out the Windows Mobile 5.0 Application Security whitepaper.
Cheers WayneAirloom
- Hi,
when I try to install MDMDeviceStatusViewer manually I get this error "This program is from an unknown publisher...." So I guess I need either change security settings on the Mobile og sign the program.
I tried using Security Configuration Manager version 1.0.0.0 but I can not get a connection to my Mobile. I can connect it to Active sync 4.5.0 OK.
I just installed Visio Studio 2008 on my PC but Security Configuration Manager wanted Visual Studio 2005 so I installed Visual Studio 2005 (team edition for software developers) on my PC.
I cannot connect to my Mobile using Visual Studio. I have not done any configuration or installed any updates on Visual Studio, and I have not used this product a lot.
I read the "Step by Step: Understanding Windows Mobile Security Using the Device Security Manager" which was written in februar 2007 and updated 6/4/2009.
It is the same there I cannot get the Device Emulatur to connect i.e. ActiveSync should start after I "Cradle" but nothing.
I am doing this on two PC's and get the same on both.
Any Ideas'
Thanks
Stjani. - Configure Active Directory Group Policies to deploy the required root certificates to the Software Publisher Certificate (SPC) and Unprivileged Execution Trust Authorities stores on the mobile devices. The SPC store governs cab installation on a Windows Mobile Device. The Unprivileged Execution Trust Authorities store is used by Windows Mobile security to control code execution. If an executable can be chained up to a certificate in this store, it is considered signed and is assigned a trust level based on the device security policies.
Cheers Wayne
Airloom- Edited byWayne Phillips.MVP, ModeratorWednesday, June 24, 2009 2:04 AM
- OK,
when I use the security configuration manager to check if the cab file is sign I get
Certificate issued by: Microsoft Code Signin PCA
Autehntication : Unsigned
Permission : It appers that this file will be prevented from executing on your device.
: the certificate that was used to sign this file was not found on the SPC store.
I am running the security manager from the PC which created the cab files.
I am trying to use security manager to sign the cab files, but no changes.
thanks,
Stjani - Can you make sure you are doing the following for testing:
1. Sign your cab files with your Internal CA, the one you've used for SCMDM to keep things simple
2. As Wayne Phillips said above, make sure the Internal CA's certificate is deployed to the device, not just in the Root store, but also the SPC and Unprivileged Execution Trust authorities store.
You can sign your CAB files with your internal CAs certificate when creating the software packages via the Software Deployment console on MDM, just select your .pfx store when you add the cab file. - OK,
thanks it is working now. I guess I need to take a look at the HTC mobiles and check if security is ok.
Now I would like to know if I can get more info about the mobiles in System Center Mobile Manager Console. The only info I am getting is Device Status and Device History.
Thanks,
Stjani - To make it easy for future user to search to forum, it might be better to open a "extracting more device information" thread.
Cheers
Wayne- Marked As Answer byStjani Wednesday, June 24, 2009 9:46 AM
