The Mobile Device Manager Support Team Blog : CM

Solution: The Group Policy setting “Block unsigned theme installation” for System Center Mobile Device Manager 2008 is not correctly applied to Windows Mobile 6.1 mobile devices

jchornbe — Wed, 11 Mar 2009 18:06:01 GMT

Just a quick FYI on an issue we came across recently. This should be a Knowledge Base article soon but I figured I’d post it here first to give all you faithful readers first notice. If you’re trying to use the Group Policy setting “Block unsigned theme installation” for System Center Mobile Device Manager 2008 and it’s not working correctly then this one’s for you:

Issue: When you Enable the Group Policy setting Block unsigned theme installation by using Microsoft System Center Mobile Device Manger (MDM) 2008 Group Policy management functionality, some Windows Mobile 6.1 mobile devices may not allow the installation of default built-in themes.

When you Disable the Group Policy setting Block unsigned theme installation by using Microsoft System Center Mobile Device Manger (MDM) 2008 Group Policy management functionality, some Windows Mobile 6.1 mobile devices may continue to block the installation of unsigned themes.

Cause: This group policy setting affects Windows Mobile Security Policy 4103 SECPOLICY_UNSIGNEDTHEMES when applied to the device. The default value for this policy is SECROLE_USER_UNAUTH, however when the group policy setting is set to Disable the value SECROLE_USER_AUTH is applied.

When this policy is set to Enable the value SECROLE_NONE is applied. Theme files as well as other cab files do not receive special permissions as executable files do, even if they are placed in-rom, so this policy continues to affect these default theme files and blocks their installation.

Note: SECROLE_USER_UNAUTH corresponds to the decimal value 64, and SECROLE_USER_AUTH corresponds to 16.

Workaround: To work around the behavior when set to Enable, you must sign the default theme files you want to enable users to install. To work around the behavior when set to Disable follow the procedures below:

Important: The following workaround applies only to the English version of Microsoft System Center Mobile Device Manger 2008. There are no workarounds for other language versions of the product at this time.

Warning: Serious problems might occur if you modify system files incorrectly. These problems might require that you reinstall server software or components of server software. Microsoft cannot guarantee that these problems can be solved. Modify the system files at your own risk.

Important: The following workaround requires you to modify an important system file. Make sure that you back up the referenced file before you modify it. Make sure that you know how to restore the system file if a problem occurs. Do not proceed with the following procedure if you do not know how to back up and restore a file. Revert to the original file if you encounter any problems with the workaround.

The following steps modify the ADM template file that includes the Block unsigned theme installation Group Policy setting. When you have successfully modified the file, you can use the Block unsigned theme installation Group Policy setting to correctly update managed devices.

1. On the computer on which you have installed the MDM Administrator Tools, navigate to the %windir%\INF folder.
2. Type the following at a command prompt to make a backup copy of the mobile.adm file:

copy mobile.adm mobile.adm.bak

3. In a text editor, such as Notepad, edit the mobile.adm file to change the VALUEOFF setting for Policy_BlockUnsignedThemes

Replace this:

        POLICY !!Policy_BlockUnsignedThemes
        EXPLAIN !!Explain_BlockUnsignedThemes
        VALUENAME "4103"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 16
END POLICY

with this:

        POLICY !!Policy_BlockUnsignedThemes
        EXPLAIN !!Explain_BlockUnsignedThemes
        VALUENAME "4103"
        VALUEON NUMERIC 0
        VALUEOFF NUMERIC 64
END POLICY

4. Save the file and exit the text editor.

To apply the new setting to managed devices, you must update the Block unsigned theme installation Group Policy setting in MDM. To refresh the setting in MDM, in the MDM Console run the following cmdlet:

Update-MobilePolicyCalculation <device>

Where <device> is the managed device on which you want to update the Group Policy setting. New settings are pushed down to managed devices during the next synchronization with MDM.

This information applies to:

• Microsoft System Center Mobile Device Manager 2008
• Microsoft Windows Mobile 6.1 mobile devices

Hope this helps,

J.C. Hornbeck | Manageability Knowledge Engineer

Collecting large amount of device inventory information during OMA session causes MDM server to timeout

jchornbe — Thu, 08 Jan 2009 16:38:50 GMT

Here's an issue we run into every now and then so I thought it might be worth a mention here. If you're noticing GP and software distribution delivery failures then this may be your issue:

========

Issue: Collecting large amount of device inventory information during an Open Mobile Alliance (OMA) session may cause the System Center Mobile Device Manager server to timeout.

Cause: During the first OMA session on some devices, if the device is instructed by the server to collect a large amount of inventory information it might result in the session taking up to 20 minutes to complete or it may timeout completely depending on the timeout settings on the server. This delay results from the time taken by the device to retrieve and process inventory information that the server requested.

Resolution: To resolve this problem, restore the default inventory collection set using the Restore-MDMInventoryDefaults cmdlet or remove items from the inventory collection using Set-MDMInventoryItem cmdlet.

Additional Information: In this scenario the device user will notice Group Policy and software distribution delivery failure. The server administrator may also notice two messages in system logs:

The management session with device xxx (device SID is displayed here not device ID) was not completed. The connection may have been lost, or the session timed out due to inactivity.

and

Erroneous OMA DM message received from device xxx (device SID is displayed here not device ID) during management session.

========

J.C. Hornbeck | Manageability Knowledge Engineer

SCMDM: Enrollment fails with "Unknown error in Enrollment service: System.ArgumentNullException: Value cannot be null"

jchornbe — Mon, 05 Jan 2009 17:29:00 GMT

Here's another MDM enrollment failure issue we ran across recently that's caused by the CA not being available when the SCMDM Enrollment Service starts. Fortunately the solution to this one is pretty easy:

========

Issue: Enrollment fails and the following event is logged on the Enrollment Server:

Unknown error in Enrollment service:
System.ArgumentNullException: Value cannot be null.
Parameter name: data
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.CryptoService.ComputeHmac(Byte[] data, Byte[] sessionKey)
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.Authentication.AuthenticateServer(BootstrappingRequest rc)
   at Microsoft.Mobile.ManagementServices.EnrollmentServer.Authentication.Authenticate(RequestContext rc)

Cause: This can occur if the Certificate Authority (CA) was not running when the SCMDM Enrollment Service started.

Resolution: Restart the SCMDM Enrollment Service.

========

J.C. Hornbeck | Manageability Knowledge Engineer

SCMDM: Mobile Device Manager setup error: "Failed to determine status of MDM databases on SQL instance"

jchornbe — Thu, 18 Dec 2008 19:28:00 GMT

Here's one more MDM Service Pack 1 issue for you, this one involving a setup error you might run into when upgrading:

========

Issue: Upgrading to System Center Mobile Device Manager 2008 SP1 fails with the following message:

Failed to determine status of MDM databases on SQL instance '<instance_name>'. Setup will now roll back all changes

Cause: During the upgrade, System Center Mobile Device Manager 2008 SP1 does not have access to the DB_USER and DB_PWD properties provided in previous installations of Device Management Servers or Enrollment Servers. It will instead default to using the current windows user's credentials.

Resolution: There are two ways to work around this issue:

1. Use Windows integrated authentication instead of the SQL username and password. The user who performs the upgrade must have sufficient privileges on the SQL Server where the MDM databases reside.

2. Uninstall your existing version of MDM prior to installing the SP1 version. Do not remove the existing databases during the uninstall process or your data will be lost. Once MDM is uninstalled, install System Center Mobile Device Manager 2008 SP1. It will give you the option to use the databases from your previous installation of MDM.

========

J.C. Hornbeck | Manageability Knowledge Engineer

SCMDM: Enrollment fails if a port other than 443 is used for the Enrollment Service

jchornbe — Wed, 17 Dec 2008 16:45:01 GMT

Here's another SP1 issue that we came across. If your server and client logs indicate that Enrollment failed because it could not resolve the Enrollment server URL and you changed the port then this may be your issue:

========

Issue: The server and client logs indicate that enrollment failed because it could not resolve the enrollment server URL.

Cause: Enrollment can fail if PAT (Port Address Translation) is used or if an alternate port other than 443 is used for the Enrollment Service.

Setup itself does not allow you to specify an alternate port number for the enrollment server when it is installed, so if an alternate port is specified in IIS after installation, and the SCP value for the enrollment server is not changed, then client auto discovery breaks. What happens is that the client is sent back a request to switch to the URI of an enrollment server without the alternate port causing the enrollment to fail.

Resolution: If the port number in IIS is changed to a port other than 443, the SCP value must also be changed.

To change the SCP value follow these steps:

1. Launch ADSIEDIT.MSC.

2. Right click on “CN=Instance” to bring up the property dialog box.

3. Check the ‘Show only attributes that have values’ checkbox.

4. Double click on ‘keywords’ attribute.

5. Change the “enurl= …” value to the new port number.

========

J.C. Hornbeck | Manageability Knowledge Engineer

SCMDM: Set-EnrollmentPermissions returns "Error encountered when delegating container..."

jchornbe — Tue, 16 Dec 2008 18:51:00 GMT

Here's another MDM SP1 issue for you. This one involves the Set-EnrollmentPermissions command and an error you can receive if SCMDMEnrollmentServers has full permissions on the specified OU:

========

Issue: When running the Set-EnrollmentPermissions command you may receive the following error:

Set-EnrollmentPermissions : Error encountered when delegating container "OU=SCMDM Managed Devices (Instance1),DC=yonaloc,DC=nttest,DC=microsoft,DC=com" permission to Enrollment Server.
At line:1 char:26
+ Set-EnrollmentPermissions <<<< "SCMDM MAnaged Devices (Instance1)"

Cause: The Set-EnrollmentPermissions command verifies what permissions SCMDMEnrollmentServers has on the specified OU (i.e. the OU that is passed in the command). There is a known issue in this verification process where it will return false if Full Permissions are enabled.

Resolution: Do not enable full permission for SCMDMEnrollmentServers group on the device OU. To workaround this issue delete the SCMDMEnrollmentServers group from Security. To do this follow these steps:

Run DSA.MSC.
Find the OU where you were trying to set permissions.
Right click on the OU and select Properties.
On the Security tab, click on SCCMEnrollmentServers(<your instance name>) and remove it.

The last step is to run the Set-EnrollmentPermissions command again. This time it should succeed without error.

========

J.C. Hornbeck | Manageability Knowledge Engineer

The same software package may be installed every time a device connects to a System Center Mobile Device Manager 2008 server

jchornbe — Wed, 10 Dec 2008 18:53:49 GMT

Here's an interesting MDM issue I ran across the other day. If you're seeing the same package being installed again and again and again on your device then this may be what you're running up against:

========

Issue: A software package may be installed every time a device connects to a System Center Mobile Device Manager 2008 server. The user of the device may also notice multiple entries for a software package under Managed Programs.

Cause: If a managed Windows Mobile powered device is offered a software package through the MDM Software distribution console and the device installs the package, under certain conditions the status for the installation may not be received by the MDM server. If this occurs, the software package is re-offered to the device and the device reinstalls it. The result is that the user may see the package installed multiple times and multiple entries for the package may appear in the Managed Programs history on the device.

This issue can occur if the cab being installed reboots the device without prompting the user because the device goes offline after installing the software but before the next OMA session connection. The default OMA session connection interval (ConnectInterval value) is eight hours, so if the device then stays offline for longer than the software package re-offer period, MDM software distribution offers the package to the device again the next time that the device connects. The default setting for the re-offer period (ReofferPeriodInDays value) is seven days.

Resolution: To resolve this problem please work with provider to repackage the cab so that it will prompt the user before rebooting the device.

========

J.C. Hornbeck | Manageability Knowledge Engineer

SCMDM: The management console is no longer available after installing the MDM Reporting Services v1.1 reporting snap-in

jchornbe — Tue, 09 Dec 2008 17:00:19 GMT

Here's kind of a wacky issue we've seen a couple times so I thought I'd give you a heads up just in case you run into it. If you're trying to run the MDM Management console on the same box as the MDM Reporting console and seeing things disappear then this may be your issue:

========

Issue: The System Center Mobile Device Manager (MDM) management console is no longer available after installing the MDM Reporting Services v1.1 reporting snap-in. This only occurs on the system on which the MDM Reporting MMC was installed. Other MDM workstations that have installed the management console are unaffected.

Cause: This is caused because the MDM v1.1 Reporting snap-in is registered into the MMC catalog with the same name as the main management console.

Resolution: Until the complete fix for this problem has been made available, the MDM Reporting Services snap-in and the MDM Management Console snap-in cannot both function if installed on the same machine. To restore the MDM Management Console, run the SCMDM setup and re-install just the MDM Management Console.

========

Once an update for this becomes available an announcement should show up here on this blog or as part of a 'new KB' post. Stay tuned...

J.C. Hornbeck | Manageability Knowledge Engineer