Microsoft System Center Mobile Device Manager: Lessons from the Field

David BottomleyMobility Solution ArchitectMicrosoft CorporationWMB310

SCMDM Lessons LearnedWhat we’ve learned from our experiences

Strategies to Speed Deployment Tips for deploying rapidly and soundly

How to be SuccessfulRecommendations that lead to designing and deploying on schedule and on budget

Agenda

Lessons LearnedThe road that leads us from documentation to deployment

Prerequisite Discussions and Clarifications:What SCMDM does very well

Mobile VPN Device Management

Software Distribution

DMZ Corporate Intranet

Exchange, SharePoint, Intranet

and LOB Servers

SSL User Authentication

ActiveDirectory

MicrosoftCertificateAuthority

SQLServer

Internet

Internet

SCMDM 08 Deployment TopologySystem Center Mobile Device Manager 2008 End to End

Firewall

Firewall

Firewall

Optional ISA orReverse Proxy

Firewall

SCMDM 08Gateway

SCMDM 08 DM Server

SCMDM 08Enrollment

Server

Lessons LearnedSetting the stage for deployment

Understand Deployment PrerequisitesMissing components?

What does a supported deployment look like?http://technet.microsoft.com/en-us/library/dd261866.aspx

How do I know if I’m ready to deploy? SCMDM Best Practice Analyzerhttp://www.microsoft.com/downloads/details.aspx?FamilyID=E233F84F-9D96-4B33-80B1-FD563C4FB241

Best Practices AnalyzerDave BottomleyMobility Solution ArchitectMicrosoft Corporation

demo

What It's Really All About…

Point-To-Point Planning (Ports, Protocols, Interfaces)

Name Resolution Routing Ports Protocols

A Simple Example...MDM

Enrollment ServerMDMDevice Management Server

MDMGateway Server

ISA Server 2006 SP1

Internet

Mobile VPN Address10.0.0.1

192.168.10.150 192.168.10.140

192.168.10.510.0.0.0 255.255.0.0 192.168.10.12

192.168.10.12 192.168.10.50

131.107.128.12 131.107.128.17

Mobile VPN Pool

10.0.0.0/16

Point to Point Communications/ Real World Customer Examples

InitiatingIP Address/s

DestinationIP Address/s

FirewallInterface

Protocol & Port Comment

192.168.10.140 192.168.10.12 Internal TCP 443 MDM Device Management Server for MDM Gateway Configuration Tasks

10.0.0.0/16 DNS Internal UDP 53 Mobile VPN Client DNS Query to Corporate DNS

192.168.10.12 DNS Internal UDP 53 MDM Gateway DNS Query to Corporate DNS

10.0.0.0/16 192.168.10.140 Internal TCP 8443Mobile VPN Client to MDM Device Management Server for Policy Updates and Inventory

10.0.0.0/16 192.168.10.140 Internal TCP 8530 Mobile VPN Client to MDM Device Management Server for Software Distribution

192.168.10.140 10.0.0.0/16 Internal TCP 8530 MDM Device Management Server to Mobile VPN Client for Software Distribution

Mobile Operator Assigned 131.107.128.12 ExternalUDP 500

UDP 4500ESP 50

Mobile Device on Operator network to MDM Gateway Server for IPsec communications

204.136.7.150 Mobile Operator Assigned ExternalUDP 500

UDP 4500ESP 50

Mobile Device on Operator network to MDM Gateway Server for IPsec communications

10.0.0.0/16 10.79.2.103 InternalTCP 80

TCP 443Other

Mobile VPN Client to Corporate Resources via ISA Server (Proxy)

Mobile Operator Assigned 131.107.128.12 External UDP 8901 Keep Alive support for Mobile Operator NAT

131.107.128.12 Mobile Operator Assigned External UDP 8901 Keep Alive support for Mobile Operator NAT

Web Services (Enrollment, DM, Gateway)demo

Native Forest & Domain Mode Required

Workaround to Blocking Prerequisites

contoso.comcontosomob.com

Users SCMDMManagedDevices

Routing

Name Resolution

Standalone Forest

SCMDM Gateway FailoverHow SCMDM Gateway failover works

Corporate Intranet

Exchange, SharePoint, Intranet and LOB Servers

SSL User Authentication

ActiveDirectory

MicrosoftCertificateAuthority

SQLServer

SCMDM 08 DM Server

SCMDM 08Enrollment

Server

DMZ

MDM Gateway C

Internet

DNS FWD Lookup ZoneMobilevpn.contoso.comGTWY A 10.15.5.3

GTWY IP = 10.15.5.4

GTWY C 10.15.5.5

GTWY B 10.15.5.4

GTWY IP= 10.15.5.3

MDM Gateway A

Firewall

MDM Gateway B

Firewall

Real World FactsMDM Gateway Server role

You can use AD Group Policy to direct managed devices to use the MDM Gateway Server array in the region where they are located, such as Americas, EMEA or APAC

Take two primary approaches to addressing MDM Gateway scalability

Use Group Policy to direct devices to the closest MDM Gateway ServerMobile roaming scenarios can get costly

Use one namespace with content delivery platform (CDP) to locate the nearest MDM Gateway Server

MDM and Active Directory Integration

A WMI script can be developed to detect when a change occurs to this OU & can be used move a device object into another OU for Group Policy to be correctly applied

Most large companies will choose to move device objects out of the SCMDM2008ManagedMobileDevices OU

The MDM SSP can be customized to enable multi-domain selection

By default, the MDM Self Service Portal stores the newly created Active Directory Computer Objects in a single OU

MDM and Group Policy Granularity

Using Group Policy

Design OUs to reflect Applied Group Policy

Role-based. A Marketing OU would receive a group policy specific to its user community

Organization-based. Sales OU would receive a Group Policy, because those users may require different applications

Site-basis. All users located in a specific field office are subject to the same Group Policy

MDM and Group Policy Granularity (cont’d)

Using Group Policy

Extend the base OU by using Security Groups

Create a WMI script and use WMI filtering

Additional MDM and AD IntegrationSome LOB applications may need to authenticate user credentials

If locating MDM computer objects in other domains

Depending on the app, minimize the distance between the incoming MDM Gateway Server and the Domain Controller

An ADGC from each domain must also be located in the same Active Directory site as the MDM Enrollment Serve

This may not be as important for products such as Exchange

If this criteria is not met, enrollments may fail because of Active Directory replication latency

Traffic to DM server is stateful - Network affinity must be configured

MDM High AvailabilityMDM DM servers must be load balanced to scale to the 60,000 user limit

1 MDM Enrollment Server may be sufficient, or 2 + servers for redundancy or failover purposes

Use N+1 sizing guidance for MDM Gateway Servers

Enrollment Server must be in the same Active Directory site as the ADGC & Enterprise CA for enrollment

So for 30,000 mobile users, an org can do so with two or more MDM Gateway Servers

In this scenario, we recommend that

you add a third to permit failover

SCMDM Project Management Practices

Who Helps Me Along the Way?Cross Group Collaboration is Required!

Active Directory Team – objects, groups, OUs, SCPs

PKI Engineering and Administration – certificate chaining, issuing V3 Certificates, etc.

Network Engineering Team – fitting into the existing perimeter network

Messaging Team – supporting messaging services and co-existing with existing infrastructure

SQL DBAs – I need SQL services, Integration Services, and Reporting Services!

Before You Deploy MDM...Cross Group Collaboration is Required!

Have the MDM planning & deployment checklists been completed?

Are internal & external DNS A records for MDM enrollment & MDM Gateway configured?

Are the necessary ports opened for MDM on the edge firewall?

Are the necessary ports opened for MDM on the inner firewall

Are routes configured between each server for MDM? AD? SQL?

Run MDM BPA to verify that all prerequisites have been met?

How to Be Successful!Narrow the scope

Run a structured project

Documentation - simplify what’s available; there’s a lot to read!

Use common sense troubleshooting techniques

Use tools to validate connectivity

Read the Event Logs (MDM and Application)

MDM Resource Kit Server Tools

MDM Resource Kit Client Tools

Enterprise Mobile MDM Tools

Additional Third Party Tools

Additional Resources to Help You on Your Journey

Microsoft Consulting Services

Microsoft Certified Partners

Microsoft Premier Support

SCMDM Team Bloghttp://blogs.technet.com/mdm/default.aspxhttp://blogs.technet.com/vik/default.aspx

question & answer

www.microsoft.com/teched

Sessions On-Demand & Community

http://microsoft.com/technet

Resources for IT Professionals

http://microsoft.com/msdn

Resources for Developers

www.microsoft.com/learningMicrosoft Certification and Training Resources

www.microsoft.com/learning

Microsoft Certification & Training Resources

Resources

Related ContentBreakout Sessions

WMB202 Windows Mobile 6.5 Check out the recorded session!WMB201 New in Mobile Messaging: Outlook Mobile and Office CommunicatorWMB310 Microsoft System Center MDM: Lessons from the FieldMGT205 What Management Means for Mobility Customers

Interactive Theater Sessions (session codes and titles)WMB01-INT Management Lockdown of Windows Mobile Devices

Hands-on Labs (session codes and titles)WMB06-HOL Microsoft System Center Mobile Device Manager 2008 SP1 Deployment WMB07-HOL Microsoft System Center Mobile Device Manager 2008 SP1 Deployment, Self-Service Portal and Active Directory/Group Policy MGT05-HOL Device Management with Microsoft System Center Configuration Manager 2007

Track ResourcesMDM home pagehttp://www.microsoft.com/systemcenter/mobile/default.mspx

Windows Mobile Deviceshttp://www.microsoft.com/windowsmobile/mobiledevicemanager/devices.mspx

MDM TechCenterhttp://technet.microsoft.com/en-us/scmdm/default.aspx

Trial Softwarehttp://technet.microsoft.com/en-us/scmdm/bb986596.aspx

Resource Kit Toolshttp://technet.microsoft.com/en-us/scmdm/cc304591.aspx

TechNet MDM Forumhttp://forums.technet.microsoft.com/en-US/SCMDM/threads/

Complete an evaluation on CommNet and enter to win!

© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS,

IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.