MobileMike @ Microsoft

Porting the Amplitude Application from the iPhone to a Windows Mobile Device – a Case Study

mjimenez — Mon, 17 Aug 2009 22:54:00 GMT

This case study documents the efforts and experiences of an iPhone application developer in porting the iPhone application Amplitude to a phone running Windows Mobile 6.5. Definitely worth the read!

http://msdn.microsoft.com/en-us/library/ee355030.aspx

Update Rollup 9 for Exchange Server 2007 Service Pack 1

mjimenez — Sun, 19 Jul 2009 14:44:00 GMT

The Exchange folks have released Update Rollup 9 for Exchange Server 2007 SP1 which includes fixes for Exchange Active Sync. More info here http://msexchangeteam.com/archive/2009/07/17/451835.aspx and KB 970162 has specific details about this release as well as a complete list of all fixes included in this rollup.

SCMDM Roadmap

mjimenez — Thu, 25 Jun 2009 18:00:00 GMT

At both MMS and Tech Ed US 2009, the Configuration Manager team revealed some important news regarding the future of device management. Here are a few of the key messages that were shared: •The next major release of Configuration Manager will have the major MDM functionality for device management including SW Dist, Inventory, Settings Management, reporting, etc; •Both desktops and mobile devices can be managed by a "single pane of glass"; •Device Management will not require the use of a VPN server; •Corporate network access can be obtained by "then current" solutions supported by the mobile devic client and server infrastructure; •Mobile device management will embrace the same "user centric" model as recently announced (more here); •Product roadmaps for both Configuration Manager 2007 (DM) and Mobile Device Manager both converge on this next version of Config Manager. While there are surely more details that everyone would like to hear, this should be great news for those wanting to hear a confirmation that Microsoft is committed to continuing and improving mobile device management.

Introducing Bing & Bing for Mobile

mjimenez — Tue, 02 Jun 2009 06:48:00 GMT

In case you've been living under a rock, we have released a new search engine called Bing. Bing is a search engine that finds and organizes the answers you need so you can make faster, more informed decisions. Bing is very cool and not only will find the info that you are looking for but Bing will also do things such as provide video previews from other videos sites, show relevant search results, to name a few.

This post would not be complete if we didn't mention Bing for mobile. With Bing for Mobile you can:

Quickly find great local shops and restaurants, complete with ratings, reviews, hours, and directions.

See movie show times and call to buy your ticket.

Get the latest local weather forecasts.

Shopping? Do a product search to see if you’re getting a fair price.

Get interactive maps with turn-by-turn driving directions.

Help save time with maps that show current traffic conditions.

On foot? Get point-to-point walking directions.

Get quick, relevant answers to your questions about local listings, celebrities, and weather.

Create a mobile dashboard with stocks, traffic, weather, and movies.

Remember to ask your friends and family if they "Bing" yet :)

Checking SCMDM/Windows Mobile Policies with GPMC

mjimenez — Fri, 29 May 2009 17:04:00 GMT

Question from a customer: We want to verify if all the policies are applied to a device. Is there any way to check policy-application state of each device with SCMDM?

Answer: Yes, you can run the Resultant Set of Policy (RSOP) from within the Group Policy Managment Console.

Creating a Group Policy Report for a Device

http://technet.microsoft.com/en-us/library/dd261937.aspx

SCMDM SP1 Support for Virtualization

mjimenez — Wed, 27 May 2009 18:11:00 GMT

As you may know, with the Service Pack 1 release of SCMDM we introduced support for virtualization of our server roles. This allows you to run the Windows Server 2003 x64 guest OS in a Hyper-V environment. We wanted to clarify that this applies to the virtualization of the Device Management and Enrollment Server SCMDM roles, but does not apply to the Gateway Server role.

The architecture of the Gateway server requires two network cards, one for the internet and one for the internal network, which the SCMDM VPN monitors traffic on. We recommend that this should not be implemented on a virtual machine due to the complications that this introduces. Therefore the supported setup is to use a physical server with 2 network interfaces for your SCMDM Gateway Servers. For more information about the Gateway Server role and its requirements, please see http://technet.microsoft.com/en-us/library/dd252779.aspx.

System Center Mobile Device Manager support for Windows Server 2008 Certificate Authority

mjimenez — Thu, 21 May 2009 00:39:00 GMT

We are happy to announce that we now support System Center Mobile Device Manager 2008 SP1 with use with a Windows Server 2008 Enterprise Edition Certificate Authority. We’ll be documenting this on TechNet in the near future, but we wanted to let you all know that this is now fully tested and supported.

For this to work on the device side, we require Windows Mobile build 6.1.4 or later. For earlier Windows Mobile 6.1 builds, you can install update KB951840 from http://support.microsoft.com/kb/951840/.

So now you can deploy SCMDM with Server 2008 issuing CA in a Server 2008 functional level domain. For the complete list of system requirements for SCMDM please see http://technet.microsoft.com/en-gb/library/dd261866.aspx.

Upcoming Microsoft Management Summit 2009 SCMDM Presentations

mjimenez — Tue, 21 Apr 2009 19:43:00 GMT

http://www.mms-2009.com/default.aspx

The Microsoft Management Summit (MMS) is the premier event of the year for IT Professionals seeking deep technical information and training on the latest IT Management solutions from Microsoft, Partners and Industry Experts.

MMS 2009

Dates: Monday, April 27 – Friday, May 1

Location: The Venetian Resort – Las Vegas, NV

Agenda: The current agenda is available on the MMS website at

http://www.mms-2009.com/public/agendast.aspx

This year I will be presenting/co-presenting three SCMDM related sessions, come and check them out:

The Road to Successful System Center Deployments: Lessons from Microsoft Consulting Services, 4/27/2009 1:30PM-2:45PM, Bellini 2105

Microsoft System Center Mobile Device Manager 2008 SP1: Overview, 4/29/2009 10:15AM-11:30AM , San Polo 3401A

System Center Mobile Device Manager Best Practices & Deployment Lessons Learned, 4/30/2009 11:45AM-1:00PM, San Polo 3401A

Using a Special MDM Gateway to Assist IT Security Teams with MDM Device Quarantine

mjimenez — Mon, 06 Oct 2008 22:01:00 GMT

In MDM, Windows Mobile 6.1 devices must enroll to a Windows 2003 Active Directory domain to become managed by IT. In the "How MDM Works" technical documentation located at http://technet.microsoft.com/en-us/library/cc135573.aspx our documentation on MDM describes how the MDM device enrollment process works. I've pasted the steps here to provide a context for this article. At a high level, the steps for enrollment of Windows Mobile 6.1 devices to MDM are as follows:

The administrator uses a wizard to create a new device enrollment request.

This process generates a one-time enrollment password that the administrator shares with the user of the device in a secure manner.

The user starts an enrollment wizard on the device and provides the e-mail address that the wizard will use to connect to MDM Enrollment Server. If the enrollment process cannot discover the address for MDM Enrollment Server, it prompts the user for the URL.

The enrollment wizard on the Windows Mobile powered device contacts MDM Enrollment Server and requests the Enterprise Trust Root Certificate.

The enrollment wizard authenticates the server response by verifying that the returned data was derived from the one-time enrollment password and the Enterprise Trust Root Certificate.

The enrollment wizard generates a certificate request and sends it to MDM Enrollment Server together with a hash that is generated from the one-time enrollment password and the certificate request.

MDM Enrollment Server creates an Active Directory Domain Service computer account for the device, and the device certificate is issued based on the certificate request received from the device. MDM Enrollment Server also links the computer account to the Active Directory account for that user.

The machine certificate is returned to the device, completing the process.

The device disconnects from MDM Enrollment Server and prompts the user to reset the device.

In lieu of this, some customers have asked the following question:

Assuming we don't have a load balanced MDM Device Management server configuration or our main datacenter goes down, if we have MDM gateways deployed in other datacenters will the MDM enrollment still work or complete successfully?

The answer to this question is that the MDM Device Management server does not need to be up and running at all times for devices to enroll to MDM. It is important to note that if the MDM Device Management Server(s) is down or unreachable after the device has completed its enrollment sequence and has restarted as described above, there may be a window of time in which specified corporate mobile policies may not yet be applied to the device but the mobile user will still be connected to the MDM VPN Gateway Server. In this scenario, the mobile user could access corporate resources but not yet have the required mobile policies applied such as PIN lock, require a password, etc.

Breaking this down even further: After the first device reboot when enrollment completes, the mobile device tries it's first MDM Device Management server (OMA) session at 3 minutes, and if failed for whatever reason, the next session DM will start at minutes 15 and keep retrying 192 times (cover 48 hours) or until success.

An expected response from customers is: How can we ensure that corporate policies are enforced BEFORE users can connect to our internal corporate assets?

One way to mitigate this would be to have a centralized enrollment model where all corporate devices would be enrolled internally by IT first then sent to users once policies have been applied and confirmed. If companies wish to permit over the air (OTA) enrollment for user, this may not be a desirable solution.

Another option is to a create an interim device quarantine solution by which a "special" MDM gateway server is deployed with a specific device address pool, and restrict that device address pool traffic to only route to the MDM Device Management server from the MDM device address pool. A mobile policy that specifies the fully qualified domain name of the "full service" gateways (device address pools that have full routing capabilities to internal corporate resources) would be pushed to the mobile device which would change the GatewayURI value that is assigned to enrolling mobile devices by default with the MDM Set-EnrollmentConfig Powershell cmdlet that is specified during MDM setup.

Note: This solution is NOT required for every MDM deployment but can work if IT security teams desire this addtional functionality. :)

System Center Mobile Device Manager 2008 Service Pack 1 Features

mjimenez — Mon, 08 Sep 2008 22:41:00 GMT

The Mobile Information Worker Product team within Microsoft have posted information detailing the new features of SCMDM SP1 on their blog. At a high level the new features are as follows:

– Multiple-instance: allows large organizations with distributed IT control points to independently manage devices within the area of their control. This applies to instances within a single forest. Today when SCMDM is deployed at a company, that deployment will manage all devices in an organization; there is no ability to have multiple SCMDM installation. With SP1, if your company has offices or divisions that have their own IT departments, these offices will be able to install an instance of MDM that does allows devices to managed separately from other offices in the company.

– PIN reset. This feature is the same as what is currently available with Exchange 2007. It will allow device PIN reset either by the SCMDM administrator for a specific device or self-service via the MDM Self-Service portal. This feature requires an update to the client as well. Consequently, client support for this feature will be made available as a downloadable CAB file for WM 6.1 phones.

– Windows Server 2008 support. Support for Windows Server 2008 including Domain functional mode, Forest functional mode. If you are running AD with functional levels raised to WinServer 2008, MDM SP1 will support that architecture. In addition, Hyper-V (virtualization) will be supported for using hosted Windows Server 2003 for testing purposes.

– Performance and scalability enhancement. The release criteria for SP1 is to increase system coverage to 40,000 users in a single instance versus the 30,000 user single instance limitation in MDM 2008. If you require large scale, but want to keep your deployment within a single instance without acquiring additional hardware, this will be very helpful.

System Center Mobile Device Manager 2008 On Technet Edge

mjimenez — Wed, 06 Feb 2008 22:59:00 GMT

The Technet Edge team have posted a video of me discussing our upcoming mobile device management product called "System Center Mobile Device Manager 2008". You can check it out here http://edge.technet.com/Media/Intro-to-System-Center-Mobile-Device-Manager-scmdm-2008/.

How Do I Programmatically Disable/Enable Microsoft Exchange Active Sync For All Of My Mobile Users?

mjimenez — Mon, 30 Jul 2007 22:23:00 GMT

While working with a customer recently, I created a VBScript that leverages ADO to programmatically disable/enable Microsoft Exchange Active Sync for ALL users in Active Directory. The key to this script is the msExchOmaAdminWirelessEnable attribute. If you know VBScript, the code below is very easy to use. You will need to copy and paste this code into your favorite text editor and save as a .VBS file. Also, this script needs to run on a domain controller and you will need the appropriate privledges to run it. As always, you should never run this script in a production enviornment without proper testing in a lab first. I've only tested this on Exchagne 2003, BTW. Disclaimer: This sample script is not supported under any Microsoft standard support program or service. The sample scripts are provided AS IS without warranty of any kind. Microsoft further disclaims all implied warranties including, without limitation, any implied warranties of merchantability or of fitness for a particular purpose. The entire risk arising out of the use or performance of the sample scripts and documentation remains with you. In no event shall Microsoft, its authors, or anyone else involved in the creation, production, or delivery of the scripts be liable for any damages whatsoever (including, without limitation, damages for loss of business profits, business interruption, loss of business information, or other pecuniary loss) arising out of the use of or inability to use the sample scripts or documentation, even if Microsoft has been advised of the possibility of such damages.

Start of the script:

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
''
'' DISABLEEAS.VBS
''
'' Disables Exchange Server 2003 Active Sync for the specified OU in the default domain
''
'' usage: cscript disableeas
''
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

' Below are the values for the msExchOmaAdminWirelessEnable Exchange attribute that can be modified.
' 5 = disable EAS and keep OMA enabled.(default)
' 7 = disable all mobile features.
' 0 = enable all mobile features. (not recommended)

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' Create log file instance
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

On Error Resume Next
Set objFSO = CreateObject("Scripting.FileSystemObject")
Set objLogFile = objFSO.OpenTextFile("c:\disableeas.log", 2, True, 0)
If Err.Number <> 0 Then
' Attempt to create a log file failed.
On Error GoTo 0
objLogFile.WriteLine "ERROR: Failed to create a log file.Program execution halted."
WScript.Echo "ERROR: Failed to create a log file. Program execution halted."
WScript.Quit
objLogFile.Close
Set objFSO = Nothing
Else
' Successfully Created Disableeas.log file. Restore normal error handling.
On Error GoTo 0
objLogFile.WriteLine "disableeas.log created successfully"
End If

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' Determine DNS domain name
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Set objRootDSE = GetObject("LDAP://rootDSE")
strDNSDomain = objRootDSE.Get("defaultNamingContext")
strBaseOU = "" 'SPECIFY AND ORGANIZATIONAL UNIT NAME HERE. FOR EXAMPLE 'OU=Production
If Err.Number <> 0 Then
' Attempt to bind to Active Directory Failed.
On Error GoTo 0
objLogFile.WriteLine "ERROR: Binding to Active Directory Failed. Program execution halted."
WScript.Echo "ERROR: Binding to Active Directory Failed. Program execution halted."
WScript.Quit
objLogFile.Close
Set objFSO = Nothing
Else
' Active Directory bind successful
On Error GoTo 0
objLogFile.WriteLine "Binding to Active Directory successful"
End If

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' Setup ADO for Active Directory
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Set objCommand = CreateObject("ADODB.Command")
Set objConnection = CreateObject("ADODB.Connection")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"
objCommand.ActiveConnection = objConnection
If Err.Number <> 0 Then
' Attempt to search Active Directory Failed.
On Error GoTo 0
objLogFile.WriteLine "ERROR: ADO Setup for Active Directory Failed. Program execution halted."
WScript.Echo "ERROR: ADO Setup for Active Directory Failed. Program execution halted."
WScript.Quit
objLogFile.Close
Set objFSO = Nothing
Else
' ADO Active Directory setup successful
On Error GoTo 0
objLogFile.WriteLine "Active Directory setup successful"
End If

' Test whether an OU is specified.
If strBaseOU <> "" Then
strBase="<LDAP://" & strBaseOU & "," & strDNSDomain & ">"
Else strBase="<LDAP://" & strDNSDomain & ">"
End If
'strBase="<LDAP://" & strDNSDomain & ">"
wscript.echo strBase

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' Search for users with defined filters
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

strFilter = "(&(objectCategory=person)(objectClass=user)(!msExchOmaAdminWirelessEnable=5)(mail=*)(userAccountControl=66048))"
strAttributes = "distinguishedName"
strQuery = strBase & ";" & strFilter & ";" & strAttributes & ";subtree"
objCommand.CommandText = strQuery
objCommand.Properties("Page Size") = 100
objCommand.Properties("Timeout") = 30
objCommand.Properties("Cache Results") = False
Set objRecordSet = objCommand.Execute
If Err.Number <> 0 Then
' Attempt to search within defined parameters failed.
On Error GoTo 0
objLogFile.WriteLine "Attempt to search within defined parameters failed. Program execution halted."
WScript.Echo "ERROR: Attempt to search within defined parameters failed. Program execution halted."
WScript.Quit
objLogFile.Close
Set objFSO = Nothing
Else
' Active Directory bind successful
On Error GoTo 0
objLogFile.WriteLine "Search within defined parameters was successful"
End If

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' Enuerate all users
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

Do Until objRecordSet.EOF
strDN = objRecordSet.Fields("distinguishedName")
Set objUser = GetObject("LDAP://" & strDN)
   On Error Resume Next
   objUser.Get("msExchOmaAdminWirelessEnable")
   On Error GoTo 0
    objUser.Put "msExchOmaAdminWirelessEnable", "5"
    objUser.SetInfo
       If Err.Number <> 0 Then
        On Error GoTo 0
objLogFile.Writeline "ERROR: Unfortunately, the required mobile attribute generated an error can could not be set. Program execution halted."
        WScript.Echo "ERROR: Unfortunately, the required mobile attribute generated an error can could not be set. Program execution halted."
        Wscript.Quit
        objLogFile.Close
        Set objFSO = Nothing
       Else
        On Error GoTo 0
        objLogFile.Writeline "User mobile properties successfully modified: " & objUser.Name
    Wscript.Echo "User mobile properties successfully modified: " & objUser.Name
       End If
' End If
objRecordSet.MoveNext
Loop

'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''
'' Clean up
'''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''''

objLogFile.WriteLine "End Program"
Wscript.Echo "End Program"

objLogFile.Close

Office Communications Server 2007 and Office Communicator RTM Today

mjimenez — Sat, 28 Jul 2007 04:51:00 GMT

Office Communications Server 2007 and Office Communicator have officially released to manufacturing (RTM) today. This is a big milestone and a big part of Microsoft's unified communications strategy because OCS 2007 improves on the great feature set already provided in LCS 2005. As with the previous versions, Office Communicator 2007 will be available in desktop, browser-based and Windows Mobile^®-based versions.