Getting Started with System Center Mobile Device Manager

Executive Summary: Microsoft's System Center Mobile Device Manager (SCMDM) is for enterprise customers who want to bring their mobile devices under the same kinds of management control that they apply to desktop and laptop PCs and servers. This article examines SCMDM's features, dives into its setup process, and shows you how it can benefit your environment.

Mobile devices are getting more and more powerful. Just a few short years ago, the idea of a smart phone running a Windows-like OS on a 500MHz CPU and 2GB of RAM would have been laughable, but now those specs would identify a low-end device! As mobile devices have gotten smarter and more robust, their value to users and companies has also increased—but so has the associated risk. Having on-the-go access to corporate documents, contacts, email, and calendar data can be a productivity and flexibility boon, but it can also be a major problem if devices with sensitive data are lost or stolen—something that happens all too often.

Microsoft first started offering mobile-device synchronization with its Microsoft Mobile Information Server, the functionality of which was integrated into Exchange Server 2003. Subsequent releases of Exchange have added improved functionality for mobile-device management, but there were still some device-management and security requirements that Exchange alone couldn’t meet. In 2008, Microsoft introduced System Center Mobile Device Manager (SCMDM) to provide enterprise functionality for mobile-device management, security, and monitoring. Let's take a look at SCMDM's features, dive into its setup process, and see how it can benefit your environment.

SCMDM Features
SCMDM promises to bring to mobile devices the kinds of management tools and behavior that we’re accustomed to on the desktop. To that end, SCMDM offers four primary capabilities: network connectivity, security, device management, and connectivity optimization.

Network connectivity. SCMDM includes its own VPN implementation that’s optimized for mobile devices. Mobile devices frequently disconnect and reconnect without the user’s knowledge, potentially changing their IP addresses (and thus confusing enterprise applications that expect a more stable connection). SCMDM handles network address translation (NAT) so that applications on the intranet don’t have to deal with the device’s connection behavior.

Security. With SCMDM, mobile devices can be joined to Active Directory (AD) domains, giving you many of the same management capabilities that typical computers have. For example, you can use users’ AD credentials to control network access, and you can apply AD Group Policies to mobile devices. SCMDM provides its own remote-wipe implementation, and it includes tools for inventorying devices and checking them for policy compliance.

Device management. Device management in SCMDM involves the concept of device enrollment. When you enroll a device, you sign it up to receive policy and management settings from SCMDM. Enrolled devices can receive Group Policy settings, and you can use SCMDM to publish software to devices in a manner similar to the existing AD publishing tools for Windows computers.

Connectivity optimization. SCMDM acts as a gateway between managed mobile devices and your internal network. As such, SCMDM can cache data (in both directions), aggregate network traffic, and better control how the device and your network talk to each other.

SCMDM and Other Microsoft Solutions
You might be wondering how SCMDM integrates with some of Microsoft’s other products. The answer is fairly simple: It can act as a replacement. For example, when you enroll a mobile device in SCMDM, the policies you define in SCMDM replace any policies you’ve defined for that device in Exchange 2010 or Exchange 2007. If you’re using System Center Configuration Manager (SCCM) for inventory and software distribution, you’ll find that SCMDM replaces its functionality, too. Likewise, the mobile VPN functionality in SCMDM takes the place of VPN connectivity through Internet and Security Acceleration (ISA) Server or Internet Application Gateway (IAG). Think of SCMDM as a complement to these products, replacing their desktop-, laptop-, and server-focused functionality with functionality that’s tailored specifically for the constraints of small, mobile, battery-powered devices.

SCMDM Components
SCMDM includes three major server roles that you’ll have to install on your network.

MDM Gateway Server. The MDM Gateway Server lives on your perimeter network. Mobile devices connect to the gateway server through its mobile VPN; the gateway provides a static IP address on the internal network for each device so that internal applications don’t have to know when the mobile device’s address changes. The gateway is also responsible for pushing Group Policy changes and software updates to the device.

MDM Device Management Server. The MDM Device Management Server is the intermediary between AD and the mobile device. It’s responsible for converting Group Policy information into a format usable by the SCMDM client on the mobile device, and it tracks and schedules software updates for transmission to enrolled devices. It’s also the central point of inventory and reporting data.

MDM Enrollment Server. The MDM enrollment server handles the work of enrolling mobile devices for use with SCMDM. In this role, it shares a database of device information with the MDM Device Management Server.