Microsoft System Center Mobile Device Manager: Lessons from the Field
David Bottomley, Mobility Solution Architect, Microsoft Corporation (session WMB310)
Agenda
- SCMDM Lessons Learned: what we've learned from our experiences
- Strategies to Speed Deployment: tips for deploying rapidly and soundly
- How to Be Successful: recommendations that lead to designing and deploying on schedule and on budget

Lessons Learned: the road that leads us from documentation to deployment
Prerequisite Discussions and Clarifications: what SCMDM does very well
- Mobile VPN
- Device Management
- Software Distribution

SCMDM 08 Deployment Topology: System Center Mobile Device Manager 2008 end to end (diagram). Internet -> Firewall -> DMZ (SCMDM 08 Gateway; optional ISA or reverse proxy) -> Firewall -> Corporate Intranet (SCMDM 08 DM Server, SCMDM 08 Enrollment Server, Active Directory, Microsoft Certificate Authority, SQL Server, and Exchange, SharePoint, Intranet and LOB Servers). Diagram labels: Mobile VPN, SSL User Authentication.
Lessons Learned: setting the stage for deployment
- Understand deployment prerequisites. Missing components?
- What does a supported deployment look like? http://technet.microsoft.com/en-us/library/dd261866.aspx
- How do I know if I'm ready to deploy? SCMDM Best Practice Analyzer: http://www.microsoft.com/downloads/details.aspx?FamilyID=E233F84F-9D96-4B33-80B1-FD563C4FB241

demo: Best Practices Analyzer (Dave Bottomley, Mobility Solution Architect, Microsoft Corporation)
What It's Really All About... Point-to-Point Planning (ports, protocols, interfaces): name resolution, routing, ports, protocols

A Simple Example (diagram): MDM Enrollment Server, MDM Device Management Server, MDM Gateway Server, ISA Server 2006 SP1 and the Internet. Addresses shown: Mobile VPN address 10.0.0.1; Mobile VPN pool 10.0.0.0/16 (10.0.0.0 255.255.0.0); internal addresses 192.168.10.150, 192.168.10.140, 192.168.10.5, 192.168.10.12, 192.168.10.50; external addresses 131.107.128.12, 131.107.128.17.
Point to Point Communications / Real World Customer Examples

| Initiating IP Address(es) | Destination IP Address(es) | Firewall Interface | Protocol & Port | Comment |
|---|---|---|---|---|
| 192.168.10.140 | 192.168.10.12 | Internal | TCP 443 | MDM Device Management Server to MDM Gateway for configuration tasks |
| 10.0.0.0/16 | DNS | Internal | UDP 53 | Mobile VPN client DNS query to corporate DNS |
| 192.168.10.12 | DNS | Internal | UDP 53 | MDM Gateway DNS query to corporate DNS |
| 10.0.0.0/16 | 192.168.10.140 | Internal | TCP 8443 | Mobile VPN client to MDM Device Management Server for policy updates and inventory |
| 10.0.0.0/16 | 192.168.10.140 | Internal | TCP 8530 | Mobile VPN client to MDM Device Management Server for software distribution |
| 192.168.10.140 | 10.0.0.0/16 | Internal | TCP 8530 | MDM Device Management Server to Mobile VPN client for software distribution |
| Mobile Operator Assigned | 131.107.128.12 | External | UDP 500, UDP 4500, ESP (IP protocol 50) | Mobile device on operator network to MDM Gateway Server for IPsec communications |
| 204.136.7.150 | Mobile Operator Assigned | External | UDP 500, UDP 4500, ESP (IP protocol 50) | Mobile device on operator network to MDM Gateway Server for IPsec communications |
| 10.0.0.0/16 | 10.79.2.103 | Internal | TCP 80, TCP 443, other | Mobile VPN client to corporate resources via ISA Server (proxy) |
| Mobile Operator Assigned | 131.107.128.12 | External | UDP 8901 | Keep-alive support for mobile operator NAT |
| 131.107.128.12 | Mobile Operator Assigned | External | UDP 8901 | Keep-alive support for mobile operator NAT |
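The point-to-point matrix above is only useful if someone checks it against the firewall policy before go-live. The following script is an added example (not part of the original session or of the SCMDM product) that encodes the required flows from the table and reports every flow that no rule permits, using the addresses from the example diagram. The corporate DNS address (192.168.10.50), the rule format and the sample rule set are assumptions constructed for the example; the sample rule set deliberately omits the DM-server-initiated TCP 8530 push, a direction that is easy to forget because most flows run from the VPN pool inward.

```python
"""Point-to-point flow checker for an SCMDM 2008 deployment plan (added example).

Encodes the required flows from the port matrix and checks them against a
firewall rule set, listing every flow no rule permits. The rule set below is
constructed for illustration; replace it with an export of your own policy.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

ANY = "0.0.0.0/0"            # stands in for "Mobile Operator Assigned"
CORP_DNS = "192.168.10.50"   # ASSUMED corporate DNS address; not given on the slide
DM_SERVER = "192.168.10.140"
GATEWAY_INT = "192.168.10.12"
GATEWAY_EXT = "131.107.128.12"
VPN_POOL = "10.0.0.0/16"
ISA_PROXY = "10.79.2.103"


@dataclass(frozen=True)
class Flow:
    src: str                 # host address or CIDR
    dst: str
    interface: str           # "Internal" or "External"
    proto: str               # "TCP", "UDP" or "ESP"
    port: Optional[int]      # None for protocols without ports (ESP)
    comment: str


@dataclass(frozen=True)
class Rule:
    interface: str
    src: str
    dst: str
    proto: str
    port: Optional[int]      # None means any port


REQUIRED_FLOWS: List[Flow] = [
    Flow(DM_SERVER, GATEWAY_INT, "Internal", "TCP", 443, "DM server to gateway: configuration tasks"),
    Flow(VPN_POOL, CORP_DNS, "Internal", "UDP", 53, "VPN client DNS queries"),
    Flow(GATEWAY_INT, CORP_DNS, "Internal", "UDP", 53, "Gateway DNS queries"),
    Flow(VPN_POOL, DM_SERVER, "Internal", "TCP", 8443, "Policy updates and inventory"),
    Flow(VPN_POOL, DM_SERVER, "Internal", "TCP", 8530, "Software distribution (client to DM)"),
    Flow(DM_SERVER, VPN_POOL, "Internal", "TCP", 8530, "Software distribution (DM to client)"),
    Flow(ANY, GATEWAY_EXT, "External", "UDP", 500, "IKE"),
    Flow(ANY, GATEWAY_EXT, "External", "UDP", 4500, "IKE NAT traversal"),
    Flow(ANY, GATEWAY_EXT, "External", "ESP", None, "IPsec ESP"),
    Flow(VPN_POOL, ISA_PROXY, "Internal", "TCP", 80, "Corporate resources via ISA proxy"),
    Flow(VPN_POOL, ISA_PROXY, "Internal", "TCP", 443, "Corporate resources via ISA proxy"),
    Flow(ANY, GATEWAY_EXT, "External", "UDP", 8901, "Keep-alive for operator NAT"),
]

# Constructed sample policy: it forgets the DM-server-initiated push on TCP 8530.
SAMPLE_RULES: List[Rule] = [
    Rule("Internal", DM_SERVER, GATEWAY_INT, "TCP", 443),
    Rule("Internal", "192.168.10.0/24", CORP_DNS, "UDP", 53),
    Rule("Internal", VPN_POOL, CORP_DNS, "UDP", 53),
    Rule("Internal", VPN_POOL, DM_SERVER, "TCP", 8443),
    Rule("Internal", VPN_POOL, DM_SERVER, "TCP", 8530),
    Rule("Internal", VPN_POOL, ISA_PROXY, "TCP", None),
    Rule("External", ANY, GATEWAY_EXT, "UDP", 500),
    Rule("External", ANY, GATEWAY_EXT, "UDP", 4500),
    Rule("External", ANY, GATEWAY_EXT, "ESP", None),
    Rule("External", ANY, GATEWAY_EXT, "UDP", 8901),
]


def _net(addr: str) -> ipaddress.IPv4Network:
    # strict=False accepts plain host addresses as /32 networks
    return ipaddress.ip_network(addr, strict=False)


def rule_covers(rule: Rule, flow: Flow) -> bool:
    """True if the rule permits every packet of the flow (interface, protocol,
    port, and both address ranges fully contained in the rule's ranges)."""
    if rule.interface != flow.interface or rule.proto != flow.proto:
        return False
    if rule.port is not None and rule.port != flow.port:
        return False
    return (_net(flow.src).subnet_of(_net(rule.src))
            and _net(flow.dst).subnet_of(_net(rule.dst)))


def missing_flows(rules: List[Rule], flows: List[Flow] = REQUIRED_FLOWS) -> List[Flow]:
    """Return the required flows that no rule in `rules` permits."""
    return [f for f in flows if not any(rule_covers(r, f) for r in rules)]


if __name__ == "__main__":
    for f in missing_flows(SAMPLE_RULES):
        print(f"MISSING: {f.interface} {f.proto} {f.port} {f.src} -> {f.dst} ({f.comment})")
```

Run against the sample policy, the script reports exactly one gap: the Internal TCP 8530 flow from the DM server to the 10.0.0.0/16 pool. A rule is treated as covering a flow only when both address ranges are fully contained, so a rule written for a single gateway host will not silently satisfy a flow that needs the whole VPN pool.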
demo: Web Services (Enrollment, DM, Gateway)

Workaround to Blocking Prerequisites: native forest and domain mode are required. (diagram) A standalone forest, contosomob.com, beside the existing contoso.com forest, showing the Users and SCMDMManagedDevices containers and the routing and name resolution between the two forests.
SCMDM Gateway Failover: how SCMDM Gateway failover works (diagram). DNS forward lookup zone for mobilevpn.contoso.com with three A records: GTWY A 10.15.5.3, GTWY B 10.15.5.4, GTWY C 10.15.5.5. MDM Gateway A, B and C sit in the DMZ between the Internet-facing firewall and the inner firewall; the corporate intranet holds the SCMDM 08 DM Server, SCMDM 08 Enrollment Server, Active Directory, Microsoft Certificate Authority, SQL Server, and Exchange, SharePoint, Intranet and LOB Servers (SSL user authentication).
Real World Facts: MDM Gateway Server role
- You can use AD Group Policy to direct managed devices to use the MDM Gateway Server array in the region where they are located, such as Americas, EMEA or APAC
- Take two primary approaches to addressing MDM Gateway scalability:
  - Use Group Policy to direct devices to the closest MDM Gateway Server (mobile roaming scenarios can get costly)
  - Use one namespace with a content delivery platform (CDP) to locate the nearest MDM Gateway Server
MDM and Active Directory Integration
- By default, the MDM Self Service Portal stores the newly created Active Directory computer objects in a single OU
- The MDM SSP can be customized to enable multi-domain selection
- Most large companies will choose to move device objects out of the SCMDM2008ManagedMobileDevices OU
- A WMI script can be developed to detect when a change occurs to this OU and can be used to move a device object into another OU so that Group Policy is correctly applied
MDM and Group Policy Granularity
Using Group Policy: design OUs to reflect applied Group Policy
- Role-based: a Marketing OU would receive a Group Policy specific to its user community
- Organization-based: a Sales OU would receive its own Group Policy, because those users may require different applications
- Site-based: all users located in a specific field office are subject to the same Group Policy
MDM and Group Policy Granularity (cont'd)
Using Group Policy
- Extend the base OU by using security groups
- Create a WMI script and use WMI filtering
Additional MDM and AD Integration
- Some LOB applications may need to authenticate user credentials
- Depending on the app, minimize the distance between the incoming MDM Gateway Server and the Domain Controller
- This may not be as important for products such as Exchange
- If locating MDM computer objects in other domains, an AD Global Catalog (ADGC) from each domain must also be located in the same Active Directory site as the MDM Enrollment Server
- If these criteria are not met, enrollments may fail because of Active Directory replication latency
MDM High Availability
- MDM DM servers must be load balanced to scale to the 60,000 user limit
- Traffic to the DM server is stateful, so network affinity must be configured on the load balancer
- One MDM Enrollment Server may be sufficient, or two or more servers for redundancy or failover purposes
- The Enrollment Server must be in the same Active Directory site as the ADGC and the Enterprise CA used for enrollment
- Use N+1 sizing guidance for MDM Gateway Servers: for 30,000 mobile users, an organization can do so with two or more MDM Gateway Servers; in this scenario, we recommend that you add a third to permit failover
SCMDM Project Management Practices

Who Helps Me Along the Way? Cross-group collaboration is required!
- Active Directory Team: objects, groups, OUs, SCPs
- PKI Engineering and Administration: certificate chaining, issuing V3 certificates, etc.
- Network Engineering Team: fitting into the existing perimeter network
- Messaging Team: supporting messaging services and co-existing with existing infrastructure
- SQL DBAs: I need SQL services, Integration Services, and Reporting Services!
Before You Deploy MDM... Cross-group collaboration is required!
- Have the MDM planning and deployment checklists been completed?
- Are internal and external DNS A records for MDM enrollment and the MDM Gateway configured?
- Are the necessary ports for MDM opened on the edge firewall?
- Are the necessary ports for MDM opened on the inner firewall?
- Are routes configured between each server for MDM? AD? SQL?
- Has the MDM BPA been run to verify that all prerequisites have been met?
How to Be Successful!
- Narrow the scope
- Run a structured project
- Documentation: simplify what's available; there's a lot to read!
- Use common-sense troubleshooting techniques
- Use tools to validate connectivity
- Read the event logs (MDM and Application)
- MDM Resource Kit server tools
- MDM Resource Kit client tools
- Enterprise Mobile MDM tools
- Additional third-party tools
Additional Resources to Help You on Your Journey
- Microsoft Consulting Services
- Microsoft Certified Partners
- Microsoft Premier Support
- SCMDM Team Blog: http://blogs.technet.com/mdm/default.aspx and http://blogs.technet.com/vik/default.aspx
question & answer

Resources
- www.microsoft.com/teched: Sessions On-Demand & Community
- http://microsoft.com/technet: resources for IT professionals
- http://microsoft.com/msdn: resources for developers
- www.microsoft.com/learning: Microsoft Certification & Training resources
Related Content
Breakout sessions:
- WMB202 Windows Mobile 6.5 (check out the recorded session!)
- WMB201 New in Mobile Messaging: Outlook Mobile and Office Communicator
- WMB310 Microsoft System Center MDM: Lessons from the Field
- MGT205 What Management Means for Mobility Customers
Interactive theater sessions:
- WMB01-INT Management Lockdown of Windows Mobile Devices
Hands-on labs:
- WMB06-HOL Microsoft System Center Mobile Device Manager 2008 SP1 Deployment
- WMB07-HOL Microsoft System Center Mobile Device Manager 2008 SP1 Deployment, Self-Service Portal and Active Directory/Group Policy
- MGT05-HOL Device Management with Microsoft System Center Configuration Manager 2007

Track Resources
- MDM home page: http://www.microsoft.com/systemcenter/mobile/default.mspx
- Windows Mobile Devices: http://www.microsoft.com/windowsmobile/mobiledevicemanager/devices.mspx
- MDM TechCenter: http://technet.microsoft.com/en-us/scmdm/default.aspx
- Trial Software: http://technet.microsoft.com/en-us/scmdm/bb986596.aspx
- Resource Kit Tools: http://technet.microsoft.com/en-us/scmdm/cc304591.aspx
- TechNet MDM Forum: http://forums.technet.microsoft.com/en-US/SCMDM/threads/
© 2009 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.