I recently went through the process of building a System Center Configuration Manager (SCCM) 2007 environment for mobile device management. Below are some very high level steps of the process. This is not meant to be all inclusive – just points out some of the issues I ran into.
High Level Steps:
1. Install Microsoft Certificate Authority on Domain – nothing special here (next, next, next)
a. IMPT: You must enable the client authentication template certificate on the CA (not enabled by default)
2. Generate Site Server Signing certificate according to http://technet.microsoft.com/en-us/library/bb694035.aspx
3. Create Group Policy to allow for automatic certificate enrollment for client systems (this will only help SCCM computers act as clients – not devices – http://technet.microsoft.com/en-us/library/bb694035.aspx
4. Install SCCM 2007 in Native Mode using the Site server signing certificate created in Step 2
5. Enable pertinent features in SCCM
1. Enable Mobile Device Client Agent
2. Enable Device Management Point
3. Enable Distribution Point
4. Enable Management Point
– Allow devices to use this Management Point
6. Generate & Install Web server cert on Public Facing MP/DP http://technet.microsoft.com/en-us/library/bb694035.aspx
a. IMPT – The subject name of this cert MUST MATCH the external DNS domain your internet connected devices will use to connect to the MP/DP. If this does not match your clients will not work.
7. Prepare installation files for mobile device client installations
a. Edit customsettings.ini to match your environment
b. Copy appropriate files for your mobile device to the install directory
IMPT:
You must place the following certificates in the client install folder for the mobile client:
1. SCCM Site Server Signing Cert
2. SCCM Web Server Cert
3. Trusted Root Cert for your CA
4. Any Intermediate Certs (If they exist in your environment)
EXAMPLE INSTALL FOLDER FOR MOBILE 5 SMARTPHONE:
8. Copy install files to device via SD card or ActiveSync
a. Execute dminstaller_*.exe
NOTE:
During the install the mobile device needs to contact the CA to get a unique ClientAuth certificate. Your device must have connectivity to the CA server during the install or it will fail with no visible errors (other than the log files in \Temp)
9. Install Logs are created in the /Temp directory of the client
10. A successful installation will create an icon under settings called device management
11. When your device gets and SMSID you can rest assured it is install and working
12. There are key logs on the SCCM server that you can use for troubleshooting:
Important Side Notes:
· The proxy server on Cingular devices must be disabled for the device to successfully communicate with the SCCM DMP/DP. This seems to be hit & miss I’ve seen it work on some devices without disabling.
· Network Access (Intranet or Internet) to the CA must be available at the time of the Mobile Device Client installation – the device needs to get a client authentication certificate from the Certificate Authority during the install process. If network access to the CA is not available during the install it will fail
Windows Mobile Device Emulator:
A great tool for testing this is the Windows Mobile Device Emulator. This is available as a standalone download here. If you have Visual Studio 2005 installed it should be already available under Tools -> Device Emulator Manager, you will to download emulator images though. You can get some Windows Mobile 6 emulator images from the Windows Mobile SDK.
Device Management Client:
Here is a screenshot of the Device Management client on a Windows Mobile 6 device.
