Marco Nielsen at myITforum.com

Enterprise management and support of Windows Mobile Devices the way you like it!

April 2008 - Posts

SCMDM Article in TechNet Magazine May 2008

Matt Fontaine wrote a great 6 page article printed in the May 2008 issue of TechNet Magazine titled "Introducing System Center Mobile Device Manager".

You can check it out here online: http://technet.microsoft.com/en-us/magazine/cc462799.aspx

|\\arco..

Posted: Apr 29 2008, 12:54 AM by mnielsen | with no comments
Software distribution with SCMDM

Great useful article from my Enterprise Mobile colleague Chris Hopson on how to deploy existing Microsoft signed .CAB files in your MDM environment:

http://blog.enterprisemobile.com/2008/04/software-distribution-with-mdm/

|\\arco..

System Center Mobile Device Manager 2008 Resource Kit - Server Tools

[Work in progress posting - I'm still adding tidbits!]

As described a few days ago in the Client Tools blog posting I did, another excellent collection of SCMDM tools is available in the Resource Kit Server Tools.

Direct download link: http://www.microsoft.com/downloads/details.aspx?FamilyId=E898BF6D-325F-43E7-98A6-40149FDF2C2D

These tools are meant to assist SCMDM administrators with server related tasks on the SCMDM server(s). Each comes with a little text file with instructions for their usage and their requirements.

I will step through them and highlight scenarios where they would be useful. All of them require that you run them with either MDM Server Administrator or local Administrator permissions.

It is not advised to run the tools from non-writeable media such as CD/DVD, as the automatic log files cannot be created in that case.

MDM Application Hash Code Tool

This tool is a command line utility that assists with creating a SHA-1/MD5 hash code file. This hash code file can then be used in a Group Policy Object (GPO) to create a software restriction policy so specific applications can or cannot be run on your managed Windows Mobile devices.

Supported file-types are .cab, .exe or .dll files.

MDM Bulk Pre-Enrollment Tool

This tool provides you with a method to mass enroll devices for your production SCMDM 2008 implementation, instead of adding them manually through the MDM Console or through the Self Service Portal (SSP).

The installation of this tool is a little tricky as it is a PowerShell snap-in.

1. First you need to run the .NET Framework InstallUtil, which I had to find in the .NET Framework installation directory, and then give the full path to the .DLL we want to install:

image

2. Then you must open the PowerShell window and execute two more commands, after which the new cmdlet is activated and its usage can be displayed:

image

[To do: More information on how to use the New-BulkEnrollmentRequest cmdlet]

MDM Certificate Tool

This tool is a super-duper certificate fix-it-up tool that could be handy if you fear you have issues with expired certificates after your initial SCMDM installation or if an ACL is out of whack. These could show up as Event ID 12105 and 12503 on the Gateway Server.

This tool is probably the most complex of the 5 tools in the Resource Kit, but it gives you 4 high-level functions:

/validate - Validate the ACL on the Gateway Central Management (GCM) certificate or existing certs.
/set - Set the ACL on the Gateway Central Management (GCM) certificate.
/install - Install one of the 6 certificates used on various SCMDM roles.
/alert - Notification by log, console, e-mail on when specified web site certs will expire.

The usage text output is quite complete and helpful to get the syntax right:
image

image

If you execute "MDMCert /validate" or one of the other operational arguments, the tool will give you further useful usage text. In the case of /validate and /set it will even detect the proper certificate authority names available and display them!

[To do: How does the MDMCert.exe.config file work with the SMTPhost value?]
[To do: What do the alert messages look like?]

MDM Cleanup Tool

This is a tool for the purely paranoid at heart. :-) No, actually, this is a powerful tool for remote administrators who may have the need to quickly and remotely uninstall one or more SCMDM components. Also handy for lab work, when you need to clean things up or script training environments.

This tool is an .exe file and requires its companion .DLL file to be in the same directory to execute.

The arguments are straightforward and dictate which server roles you wish to remove, as seen in its usage text:

image

BTW, this tool can be run in a regular Command Prompt window.

MDM Device Enrollment Cleanup Tool

This PowerShell script can quickly be a lifesaver to clean up orphaned and obsolete device objects in the Active Directory and MDM databases.

Some examples of where this could occur and you might want to tidy things up:
- A device is manually hard-reset/wiped due to another issue.
- A device hasn't connected for a duration of time.

When you run the .\RemoveDevice.ps1 script without any arguments a helpful usage text will appear and you can also see where it creates a useful .LOG file for the output:
image 

The key arguments let you prune the Active Directory and MDM Database for device objects by name or by different date methods: days since last connected, or last connected before a given date. You can use wildcards ("*") in the names as a suffix or prefix.

As listed in the usage text you can also use the PowerShell Get-Date function, so for example you can make it handy and automated like this to prune any orphaned devices that are more than 1 year old from the first day in the current month:

.\RemoveDevice.ps1 <date argument from the usage text> (Get-Date -year ((Get-Date -uformat "%Y")-1) -day 1)

Remember that you will need to run the RemoveDevice.ps1 file from the Mobile Device Manager Shell window!

Also, the script is signed, so you don't need to execute "Set-ExecutionPolicy Unrestricted". "Set-ExecutionPolicy RemoteSigned" will do, and it should already be set on the server you are running the SCMDM Administrator Tools from.
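
A dry-run sketch of the date-based pruning described above, added here as an example and not part of the Resource Kit or the original post: it computes the same cutoff (first day of the current month, one year back), normalized to midnight, and lists which records a name wildcard plus that cutoff would match before anything is removed. The device list, its property names and both function names are hypothetical, and RemoveDevice.ps1 itself is never called.

```powershell
# Added example (PowerShell 3.0 or later). Nothing here touches AD or the MDM database.

function Get-PruneCutoff {
    param([datetime]$Now = (Get-Date))
    # First day of the current month, one year back. .Date drops the time of
    # day, so the cutoff does not shift depending on when the job runs.
    (Get-Date -Date $Now -Day 1).Date.AddYears(-1)
}

function Select-PruneCandidate {
    param(
        [Parameter(Mandatory)] [object[]]$Device,
        [Parameter(Mandatory)] [datetime]$Cutoff,
        [string]$NamePattern = '*'   # "*" as prefix or suffix, as in the usage text
    )
    $Device |
        Where-Object {
            # Records with no last-connected date are skipped for manual review
            # instead of being treated as "older than everything".
            $null -ne $_.LastConnected -and
            $_.Name -like $NamePattern -and
            $_.LastConnected -lt $Cutoff
        } |
        Sort-Object LastConnected
}

# Constructed sample records (hypothetical names and dates).
$devices = @(
    [pscustomobject]@{ Name = 'WM61-SALES-001'; LastConnected = [datetime]'2007-01-15' }
    [pscustomobject]@{ Name = 'WM61-SALES-002'; LastConnected = [datetime]'2008-04-20' }
    [pscustomobject]@{ Name = 'WM61-LAB-003';   LastConnected = $null }
    [pscustomobject]@{ Name = 'PPC-EXEC-004';   LastConnected = [datetime]'2006-11-02' }
)

# Fixed "now" so the run is repeatable; omit -Now to use the current date.
$cutoff = Get-PruneCutoff -Now ([datetime]'2008-04-29T12:54:00')

# Preview: only names matching the wildcard AND last seen before the cutoff.
Select-PruneCandidate -Device $devices -Cutoff $cutoff -NamePattern 'WM61-*' |
    Format-Table Name, LastConnected -AutoSize
```

Reviewing a preview like this against the .LOG file the real script writes is a simple way to confirm that a scheduled prune removed only what was intended.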

|\\arco..

SCMDM TechNet Forum now available!

A new forum for SCMDM has just appeared on the new (v3.0) TechNet Forums underneath the Mobility heading:

http://forums.technet.microsoft.com/en-US/SCMDM/threads/

BTW, this newer TechNet Forum platform was announced earlier this year in February. It has several new features for avatars and alerting compared to the legacy Forum system still used on http://forums.microsoft.com/TechNet.

See http://blogs.msdn.com/sjarawan/archive/2008/02/14/forums-3-0-releases-today-along-with-community-platform-1-0.aspx for more information directly from the team that built it. :-)

|\\arco..

Posted: Apr 22 2008, 10:37 PM by mnielsen | with no comments
Yona the bear...

What is Yona? As stated in the Release Notes (or on http://technet.microsoft.com/en-us/library/cc161048.aspx):

The Beta software for Microsoft System Center Mobile Device Manager 2008, originally code named "Yona Server", expires on May 14, 2008. To continue to use System Center Mobile Device Manager (MDM), you have to update your company IT infrastructure with the official release version of MDM before this date.

So Yona was the codename for System Center Mobile Device Manager, and a little story behind that codename can be found here with an interesting audio clip:  :-)

http://patricksalmon.blogspot.com/2008/04/yona-preserved-for-posterity.html
yona-bear 
|\\arco..

Posted: Apr 21 2008, 03:25 PM by mnielsen | with no comments
Windows Mobile Trick: Accessing a Run dialog

To again discount the proverbial "can't teach an old dog new tricks", I happened to find this older blog entry on Christopher Fairbairn's excellent development blog:

http://www.christec.co.nz/blog/archives/49/trackback

Not only is there a shortcut to a Run command-box (hold down the Action key while tapping and holding the stylus on the clock in the navigation bar), but there is also a trick to toggle from a digital to an analog clock in the top navigation bar! Who knew??

|\\arco..

Posted: Apr 19 2008, 03:31 PM by mnielsen | with no comments
Windows Mobile 6.1 Emulator Setup Assistance

As I mentioned in my previous posting, the updated Windows Mobile 6.1 Emulator is almost a requirement to use until there are more physical devices available running the Windows Mobile 6.1 OS that you can feel and touch. :-)

I was going to start to write-up the installation and usage steps, but I found this recent article posted over on TechNet that does a fine job of going through all the details. Check it out if you want to know more!

http://technet.microsoft.com/en-us/library/cc461417.aspx

|\\arco..

Posted: Apr 19 2008, 12:46 AM by mnielsen | with no comments
System Center Mobile Device Manager 2008 Resource Kit - Client Tools

If you are trying to get up to speed with System Center Mobile Device Manager (SCMDM) and having issues with the WM 6.1 clients, one of the key Resource Kit Tools now available is the Client Tools.

See the current listing of all the Resource Kit Tools here: http://technet.microsoft.com/en-us/scmdm/cc304591.aspx

The direct download link to the Client Tools is:
http://www.microsoft.com/downloads/details.aspx?FamilyID=d07e6997-836a-4abe-84f3-b563e976b131

The Client Tools v1.01 currently consists of two unique tools that are meant to run on the physical Windows Mobile 6.1 devices or one of the updated Windows Mobile 6.1 Emulator images (located here: http://www.microsoft.com/downloads/details.aspx?FamilyID=3d6f581e-c093-4b15-ab0c-a2ce5bffdb47). The two are the MDM Connect Now and VPN Diagnostics tool. The .CAB installations have support for both Standard (Smartphone) and Professional (PocketPC) device editions.

I won't go into all the details of each tool, but will highlight what I believe is most important.

MDM Connect Now Tool

This tool will force a device synchronization back to the Device Management (DM) server. This is useful to use when you have the IPSec VPN tunnel working on the device and want to accomplish several things:

- Quickly get a new/updated GPO down to the device for testing.
- Kick off the inventory cycle, which will piece-meal the data back to DM.

If the tool returns an error message you should check out the network routing you have from/to the Device Management server, the Gateway and device.

image 

MDM VPN Diagnostics Tool

This is a great tool to understand and troubleshoot IPSec VPN connectivity issues. It can also be used to control some functionality of the IPSec VPN service that runs on the WM 6.1 device (enable/disable/shutdown). Quick run down of features:

- Status - Gives a one screen overview of connection details and uptime. Very useful for seeing the IP addresses for the device and Gateway server.

- Configuration - Based upon the privilege level, by toggling the "Edit Mode" you can actually change the config entries on the fly!  So here you could edit the Proxy name, NAT values, and WWAN Roaming Keepalive settings.

- Diagnosis - Check a nice checklist of the service, certificate, and other values. Anything marked red should definitely be checked out!

- Port Filtration Tests - Can assist to check if the UDP 500 and UDP 4500 ports necessary for the IPSec VPN tunnel are open going back to the Gateway server. This will not necessarily assist with testing if Protocol 50 has been published correctly.

- Report - You can save/e-mail a full report of the status, configuration and diagnosis screen as a .TXT file, including details on the certificate chain.

- Logging - By enabling logging you can perhaps look more closely for connectivity issues to determine what is at fault.

- Edit Mode - Toggle this to edit the fields on the Configuration screen.

image    image

All-in-all some very handy tools that any SCMDM Admin needs to understand and use!

|\\arco..

Insufficient randomness in the random number generator of the System Center Mobile Device Manager 2008 Gateway Server

Looks like the first patch for the SCMDM RTM release has now been released:
http://support.microsoft.com/kb/950135

It appears to be an update for the random number generator used within the Gateway server and will increase security of the server.

|\\arco..

Posted: Apr 18 2008, 04:22 PM by mnielsen | with 1 comment(s)