
SCMDM Roadmap

At both MMS and Tech Ed US 2009, the Configuration Manager team revealed some important news regarding the future of device management. Here are a few of the key messages that were shared:

  • The next major release of Configuration Manager will have the major MDM functionality for device management, including software distribution, inventory, settings management, reporting, etc.
  • Both desktops and mobile devices can be managed through a "single pane of glass".
  • Device management will not require the use of a VPN server.
  • Corporate network access can be obtained by "then current" solutions supported by the mobile device client and server infrastructure.
  • Mobile device management will embrace the same "user centric" model as recently announced (more here).
  • Product roadmaps for both Configuration Manager 2007 (DM) and Mobile Device Manager converge on this next version of Configuration Manager.

While there are surely more details that everyone would like to hear, this should be great news for those wanting confirmation that Microsoft is committed to continuing and improving mobile device management.

Introducing Bing & Bing for Mobile

In case you've been living under a rock, we have released a new search engine called Bing.  Bing finds and organizes the answers you need so you can make faster, more informed decisions.  Bing is very cool: not only will it find the info you are looking for, it will also do things such as provide video previews from other video sites and show related search results, to name a few.

This post would not be complete if we didn't mention Bing for mobile.  With Bing for Mobile you can:

  • Quickly find great local shops and restaurants, complete with ratings, reviews, hours, and directions.
  • See movie show times and call to buy your ticket.
  • Get the latest local weather forecasts.
  • Shopping? Do a product search to see if you’re getting a fair price.
  • Get interactive maps with turn-by-turn driving directions.
  • Help save time with maps that show current traffic conditions.
  • On foot? Get point-to-point walking directions.
  • Get quick, relevant answers to your questions about local listings, celebrities, and weather.
  • Create a mobile dashboard with stocks, traffic, weather, and movies.
  • Remember to ask your friends and family if they "Bing" yet :)

    Posted by mjimenez | 1 Comments

    Checking SCMDM/Windows Mobile Policies with GPMC

    Question from a customer: We want to verify if all the policies are applied to a device. Is there any way to check policy-application state of each device with SCMDM?

    Answer: Yes, you can run the Resultant Set of Policy (RSOP) report from within the Group Policy Management Console.

    Creating a Group Policy Report for a Device

     :)

    SCMDM SP1 Support for Virtualization

    As you may know, with the Service Pack 1 release of SCMDM we introduced support for virtualization of our server roles.  This allows you to run the Windows Server 2003 x64 guest OS in a Hyper-V environment.  We wanted to clarify that this applies to the virtualization of the Device Management and Enrollment Server SCMDM roles, but does not apply to the Gateway Server role.

    The architecture of the Gateway Server requires two network cards, one facing the Internet and one facing the internal network, on which the SCMDM VPN monitors traffic.  We recommend that this not be implemented on a virtual machine because of the complications it introduces.  Therefore the supported setup is a physical server with two network interfaces for your SCMDM Gateway Servers.  For more information about the Gateway Server role and its requirements, please see http://technet.microsoft.com/en-us/library/dd252779.aspx.

    System Center Mobile Device Manager support for Windows Server 2008 Certificate Authority

    We are happy to announce that we now support System Center Mobile Device Manager 2008 SP1 for use with a Windows Server 2008 Enterprise Edition Certificate Authority.  We'll be documenting this on TechNet in the near future, but we wanted to let you all know that this is now fully tested and supported.

    For this to work on the device side, we require Windows Mobile build 6.1.4 or later.  For earlier Windows Mobile 6.1 builds, you can install update KB951840 from http://support.microsoft.com/kb/951840/.

    So now you can deploy SCMDM with a Windows Server 2008 issuing CA in a Windows Server 2008 functional level domain.  For the complete list of system requirements for SCMDM, please see http://technet.microsoft.com/en-gb/library/dd261866.aspx.

    Upcoming Microsoft Management Summit 2009 SCMDM Presentations

    http://www.mms-2009.com/default.aspx

    The Microsoft Management Summit (MMS) is the premier event of the year for IT Professionals seeking deep technical information and training on the latest IT Management solutions from Microsoft, Partners and Industry Experts.

    MMS 2009

    Dates: Monday, April 27 – Friday, May 1
    Location: The Venetian Resort – Las Vegas, NV
    Agenda: The current agenda is available on the MMS website at http://www.mms-2009.com/public/agendast.aspx

    This year I will be presenting/co-presenting three SCMDM related sessions, come and check them out:

    The Road to Successful System Center Deployments: Lessons from Microsoft Consulting Services, 4/27/2009 1:30PM-2:45PM, Bellini 2105 

    Microsoft System Center Mobile Device Manager 2008 SP1: Overview,  4/29/2009 10:15AM-11:30AM , San Polo 3401A

    System Center Mobile Device Manager Best Practices & Deployment Lessons Learned, 4/30/2009 11:45AM-1:00PM, San Polo 3401A  

    Using a Special MDM Gateway to Assist IT Security Teams with MDM Device Quarantine

    In MDM, Windows Mobile 6.1 devices must enroll in a Windows 2003 Active Directory domain to become managed by IT. The "How MDM Works" technical documentation at http://technet.microsoft.com/en-us/library/cc135573.aspx describes how the MDM device enrollment process works.  I've pasted the steps here to provide context for this article.  At a high level, the steps for enrolling Windows Mobile 6.1 devices in MDM are as follows:

    1. The administrator uses a wizard to create a new device enrollment request.
    2. This process generates a one-time enrollment password that the administrator shares with the user of the device in a secure manner.
    3. The user starts an enrollment wizard on the device and provides the e-mail address that the wizard will use to connect to MDM Enrollment Server. If the enrollment process cannot discover the address for MDM Enrollment Server, it prompts the user for the URL.
    4. The enrollment wizard on the Windows Mobile powered device contacts MDM Enrollment Server and requests the Enterprise Trust Root Certificate.
    5. The enrollment wizard authenticates the server response by verifying that the returned data was derived from the one-time enrollment password and the Enterprise Trust Root Certificate.
    6. The enrollment wizard generates a certificate request and sends it to MDM Enrollment Server together with a hash that is generated from the one-time enrollment password and the certificate request.
       MDM Enrollment Server creates an Active Directory Domain Service computer account for the device, and the device certificate is issued based on the certificate request received from the device. MDM Enrollment Server also links the computer account to the Active Directory account for that user.
    7. The machine certificate is returned to the device, completing the process.
    8. The device disconnects from MDM Enrollment Server and prompts the user to reset the device.
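    The authentication in the trust-root and certificate-request steps above, simulated in Python with both the enrollment server and the device side. This is an added example, not MDM's code or documentation: it assumes HMAC-SHA256 keyed with the one-time enrollment password as the derivation (the page does not state the real derivation), and the certificate and CSR values are constructed stand-ins.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the Enterprise Trust Root Certificate bytes.
TRUST_ROOT_CERT = b"-----CONSTRUCTED ENTERPRISE TRUST ROOT CERT-----"


def derive(otp: str, data: bytes) -> bytes:
    # Assumed derivation: HMAC-SHA256 keyed with the one-time enrollment
    # password (OTP). The real MDM derivation is not stated on this page.
    return hmac.new(otp.encode(), data, hashlib.sha256).digest()


class EnrollmentServer:
    def __init__(self, trust_root_cert: bytes):
        self.trust_root_cert = trust_root_cert
        self.pending = {}  # device_id -> OTP created by the admin wizard

    def new_enrollment_request(self, device_id: str) -> str:
        # Admin wizard: create the request and the OTP that is handed to the user.
        otp = secrets.token_hex(4)
        self.pending[device_id] = otp
        return otp

    def trust_root_response(self, device_id: str):
        # Trust root request: return the root cert plus a value derived from the
        # OTP, so a server that does not know the OTP cannot pose as MDM.
        otp = self.pending.get(device_id)
        if otp is None:
            return None
        return self.trust_root_cert, derive(otp, self.trust_root_cert)

    def enroll(self, device_id: str, csr: bytes, csr_hash: bytes):
        # Certificate request: accept it only if its hash was produced with the
        # OTP issued for this device; the OTP is consumed on success.
        otp = self.pending.get(device_id)
        if otp is None or not hmac.compare_digest(derive(otp, csr), csr_hash):
            return None
        del self.pending[device_id]
        return b"DEVICE-CERT:" + csr  # stand-in for the issued device certificate


class Device:
    def __init__(self, device_id: str, otp: str):
        self.device_id, self.otp = device_id, otp

    def verify_server(self, cert: bytes, proof: bytes) -> bool:
        # The server response must be derived from the OTP and the returned cert.
        return hmac.compare_digest(derive(self.otp, cert), proof)

    def certificate_request(self):
        # CSR plus the hash generated from the OTP and the CSR.
        csr = b"CSR:" + self.device_id.encode()
        return csr, derive(self.otp, csr)


def run_enrollment(server: EnrollmentServer, device_id: str, otp: str):
    """Run the device side of enrollment; returns the device cert or None."""
    device = Device(device_id, otp)
    response = server.trust_root_response(device_id)
    if response is None or not device.verify_server(*response):
        return None  # unknown device, already-used OTP, or a server lacking the OTP
    csr, csr_hash = device.certificate_request()
    return server.enroll(device_id, csr, csr_hash)
```

    A device entered with the wrong password rejects the server before sending its CSR, and a second run with an already-consumed password is refused, which is why the one-time password must be shared securely.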


    In light of this, some customers have asked the following question:

    Assuming we don't have a load balanced MDM Device Management server configuration or our main datacenter goes down, if we have MDM gateways deployed in other datacenters will the MDM enrollment still work or complete successfully? 

    The answer is that the MDM Device Management Server does not need to be up and running at all times for devices to enroll in MDM.  It is important to note, however, that if the MDM Device Management Server(s) is down or unreachable after the device has completed its enrollment sequence and restarted as described above, there may be a window of time in which the specified corporate mobile policies have not yet been applied to the device while the mobile user is already connected through the MDM VPN Gateway Server.  In this scenario, the mobile user could access corporate resources without yet having the required mobile policies applied, such as PIN lock, password requirements, etc.

    Breaking this down further: after the first device reboot when enrollment completes, the mobile device attempts its first MDM Device Management Server (OMA DM) session at 3 minutes; if that fails for whatever reason, the next DM session starts at minute 15 and the device keeps retrying, up to 192 times (covering 48 hours), or until it succeeds.

    An expected response from customers is: How can we ensure that corporate policies are enforced BEFORE users can connect to our internal corporate assets?

    One way to mitigate this is a centralized enrollment model in which IT enrolls all corporate devices internally first and sends them to users only once policies have been applied and confirmed.  If a company wishes to permit over-the-air (OTA) enrollment for users, this may not be a desirable solution.

    Another option is to create an interim device quarantine solution in which a "special" MDM Gateway Server is deployed with its own device address pool, and traffic from that device address pool is restricted so that it can only route to the MDM Device Management Server.  A mobile policy that specifies the fully qualified domain name of the "full service" gateways (whose device address pools have full routing to internal corporate resources) is then pushed to the mobile device; this changes the GatewayURI value that enrolling mobile devices receive by default, which is set with the MDM Set-EnrollmentConfig PowerShell cmdlet during MDM setup.

    Note: This solution is NOT required for every MDM deployment but can work if IT security teams desire this additional functionality.  :)
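    To make the policy gap concrete, here is an added Python model (not from the original post) of the DM session retry schedule and the quarantine gateway option described above. It assumes the 192 retries are 15 minutes apart (192 x 15 min = 48 h), that the quarantine gateway's address pool routes only to the DM server, and it uses constructed host names.

```python
# Assumed OMA DM session schedule after the post-enrollment reboot, in minutes:
# first attempt at 3 minutes, then 192 attempts over 48 hours (15 minutes apart).
DM_SESSION_SCHEDULE_MIN = [3] + [15 * n for n in range(1, 193)]

DM_SERVER = "mdm-dm.corp.example"  # constructed host names, not real infrastructure
CORP_RESOURCES = ["mail.corp.example", "intranet.corp.example"]


def first_policy_applied_min(dm_server_available_from_min):
    """Minute at which the first DM session succeeds, or None if every attempt fails."""
    for t in DM_SESSION_SCHEDULE_MIN:
        if t >= dm_server_available_from_min:
            return t
    return None


def quarantine_route_allowed(destination: str) -> bool:
    """The quarantine gateway's device address pool routes only to the DM server."""
    return destination == DM_SERVER


def corporate_exposure_window(dm_server_available_from_min, quarantine_gateway):
    """Return (corp_access_min, policy_applied_min, unmanaged_minutes).

    Without a quarantine gateway the device reaches corporate resources as soon
    as the VPN is up (minute 0), possibly before any policy is applied.  With it,
    the device reaches only the DM server until a policy session succeeds and the
    GatewayURI policy moves it to a full-service gateway.
    """
    policy_at = first_policy_applied_min(dm_server_available_from_min)
    if quarantine_gateway:
        # policy_at of None means the device is still quarantined after 48 hours,
        # which is the safe failure mode: no corporate access without policy.
        return policy_at, policy_at, 0
    # Unmanaged for the whole outage, or the whole retry window if it never succeeds.
    unmanaged = policy_at if policy_at is not None else DM_SESSION_SCHEDULE_MIN[-1]
    return 0, policy_at, unmanaged
```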

     

    System Center Mobile Device Manager 2008 Service Pack 1 Features

    The Mobile Information Worker product team within Microsoft has posted information detailing the new features of SCMDM SP1 on their blog.  At a high level, the new features are as follows:

    Multiple-instance: allows large organizations with distributed IT control points to independently manage devices within the area of their control. This applies to instances within a single forest. Today, when SCMDM is deployed at a company, that deployment manages all devices in the organization; there is no ability to have multiple SCMDM installations.  With SP1, if your company has offices or divisions with their own IT departments, those offices will be able to install an instance of MDM that allows their devices to be managed separately from other offices in the company.

    PIN reset. This feature is the same as what is currently available with Exchange 2007.  It will allow device PIN reset either by the SCMDM administrator for a specific device or self-service via the MDM Self-Service portal. This feature requires an update to the client as well.  Consequently, client support for this feature will be made available as a downloadable CAB file for WM 6.1 phones.

    Windows Server 2008 support.  Support for Windows Server 2008 including Domain functional mode, Forest functional mode. If you are running AD with functional levels raised to WinServer 2008, MDM SP1 will support that architecture. In addition, Hyper-V (virtualization) will be supported for using hosted Windows Server 2003 for testing purposes.

    Performance and scalability enhancement. The release criterion for SP1 is to increase system coverage to 40,000 users in a single instance, versus the 30,000-user single-instance limitation in MDM 2008. If you require large scale but want to keep your deployment within a single instance without acquiring additional hardware, this will be very helpful.

    To read more visit http://blogs.technet.com/scmdm/archive/2008/09/02/what-s-coming-in-scmdm-sp1.aspx

    System Center Mobile Device Manager 2008 On Technet Edge

    The TechNet Edge team has posted a video of me discussing our upcoming mobile device management product, "System Center Mobile Device Manager 2008".  You can check it out here: http://edge.technet.com/Media/Intro-to-System-Center-Mobile-Device-Manager-scmdm-2008/

    How Do I Programmatically Disable/Enable Microsoft Exchange Active Sync For All Of My Mobile Users?

    While working with a customer recently, I created a VBScript that leverages ADO to programmatically disable/enable Microsoft Exchange ActiveSync for ALL users in Active Directory.  The key to this script is the msExchOmaAdminWirelessEnable attribute.  If you know VBScript, the code below is very easy to use.  You will need to copy and paste this code into your favorite text editor and save it as a .VBS file.  Also, this script needs to run on a domain controller, and you will need the appropriate privileges to run it.  As always, you should never run this script in a production environment without proper testing in a lab first.  I've only tested this on Exchange 2003, BTW.  Disclaimer: This sample script is not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

    Start of the script: 


    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    ''
    '' DISABLEEAS.VBS
    ''
    '' Disables Exchange Server 2003 ActiveSync for every mail-enabled user in the
    '' specified OU (or in the whole default domain when no OU is given) by
    '' setting the msExchOmaAdminWirelessEnable attribute.
    ''
    '' usage: cscript disableeas.vbs
    ''
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ' Below are the values for the msExchOmaAdminWirelessEnable Exchange attribute that can be modified.
    ' 5 = disable EAS and keep OMA enabled. (default)
    ' 7 = disable all mobile features.
    ' 0 = enable all mobile features. (not recommended)
    Const MOBILE_SETTING = "5"   ' value written to each matching user; also used in the search filter

    Set objLogFile = Nothing     ' replaced once the log file is open, so Halt knows whether it can log

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '' Halt: log the fatal error (when the log is open), echo it and exit non-zero
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    Sub Halt(strMessage)
      If Not objLogFile Is Nothing Then
        objLogFile.WriteLine "ERROR: " & strMessage & " Program execution halted."
        objLogFile.Close
      End If
      WScript.Echo "ERROR: " & strMessage & " Program execution halted."
      WScript.Quit 1
    End Sub

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '' Create log file instance
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    On Error Resume Next
    Set objFSO = CreateObject("Scripting.FileSystemObject")
    Set objLogFile = objFSO.OpenTextFile("c:\disableeas.log", 2, True, 0)   ' 2 = ForWriting, create if missing
    If Err.Number <> 0 Then
      ' Attempt to create a log file failed; there is nothing to log to yet.
      On Error GoTo 0
      Halt "Failed to create a log file."
    End If
    ' Successfully created disableeas.log. Restore normal error handling.
    On Error GoTo 0
    objLogFile.WriteLine "disableeas.log created successfully"

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '' Determine DNS domain name
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    strBaseOU = ""   ' SPECIFY AN ORGANIZATIONAL UNIT NAME HERE, FOR EXAMPLE "OU=Production". Leave empty for the whole domain.

    On Error Resume Next
    Set objRootDSE = GetObject("LDAP://rootDSE")
    strDNSDomain = objRootDSE.Get("defaultNamingContext")
    If Err.Number <> 0 Then
      ' Attempt to bind to Active Directory failed.
      On Error GoTo 0
      Halt "Binding to Active Directory failed."
    End If
    On Error GoTo 0
    objLogFile.WriteLine "Binding to Active Directory successful"

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '' Setup ADO for Active Directory
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    On Error Resume Next
    Set objCommand = CreateObject("ADODB.Command")
    Set objConnection = CreateObject("ADODB.Connection")
    objConnection.Provider = "ADsDSOObject"
    objConnection.Open "Active Directory Provider"
    objCommand.ActiveConnection = objConnection
    If Err.Number <> 0 Then
      ' ADO setup for Active Directory failed.
      On Error GoTo 0
      Halt "ADO setup for Active Directory failed."
    End If
    On Error GoTo 0
    objLogFile.WriteLine "ADO Active Directory setup successful"

    ' Build the search base: the specified OU within the domain, or the whole domain.
    If strBaseOU <> "" Then
      strBase = "<LDAP://" & strBaseOU & "," & strDNSDomain & ">"
    Else
      strBase = "<LDAP://" & strDNSDomain & ">"
    End If
    WScript.Echo "Search base: " & strBase

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '' Search for users with defined filters
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    ' Mail-enabled user accounts that do not already carry the target value.
    ' userAccountControl=66048 is NORMAL_ACCOUNT (512) + DONT_EXPIRE_PASSWORD (65536);
    ' adjust this clause if your user accounts use different flags.
    strFilter = "(&(objectCategory=person)(objectClass=user)" & _
                "(!msExchOmaAdminWirelessEnable=" & MOBILE_SETTING & ")" & _
                "(mail=*)(userAccountControl=66048))"
    strAttributes = "distinguishedName"
    strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"

    On Error Resume Next
    objCommand.CommandText = strQuery
    objCommand.Properties("Page Size") = 100      ' paged results, so more than 1000 users are returned
    objCommand.Properties("Timeout") = 30
    objCommand.Properties("Cache Results") = False
    Set objRecordSet = objCommand.Execute
    If Err.Number <> 0 Then
      ' Attempt to search within defined parameters failed.
      On Error GoTo 0
      Halt "Attempt to search within defined parameters failed."
    End If
    On Error GoTo 0
    objLogFile.WriteLine "Search within defined parameters was successful"

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '' Enumerate all users and set the mobile attribute on each one
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    Do Until objRecordSet.EOF
      strDN = objRecordSet.Fields("distinguishedName").Value
      On Error Resume Next
      Set objUser = GetObject("LDAP://" & strDN)
      objUser.Put "msExchOmaAdminWirelessEnable", MOBILE_SETTING
      objUser.SetInfo
      If Err.Number <> 0 Then
        ' Binding to the user or writing the attribute failed; stop rather than continue half-done.
        On Error GoTo 0
        Halt "The required mobile attribute could not be set on " & strDN & "."
      End If
      On Error GoTo 0
      objLogFile.WriteLine "User mobile properties successfully modified: " & objUser.Name
      WScript.Echo "User mobile properties successfully modified: " & objUser.Name
      objRecordSet.MoveNext
    Loop

    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
    '' Clean up
    '''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

    objLogFile.WriteLine "End Program"
    WScript.Echo "End Program"

    objRecordSet.Close
    objConnection.Close
    objLogFile.Close

    Posted by mjimenez | 1 Comments

    Office Communications Server 2007 and Office Communicator RTM Today

    Office Communications Server 2007 and Office Communicator have officially released to manufacturing (RTM) today.  This is a big milestone and a big part of Microsoft's unified communications strategy because OCS 2007 improves on the great feature set already provided in LCS 2005.  As with the previous versions, Office Communicator 2007 will be available in desktop, browser-based and Windows Mobile®-based versions.
     