System Center Mobile Device Manager 2008 Resource Kit - Server Tools
[Work in progress posting - I'm still adding tidbits!]
As described a few days ago in the Client Tools blog posting I did, another excellent collection of SCMDM tools are available in the Resource Kit Server Tools.
Direct download link: http://www.microsoft.com/downloads/details.aspx?FamilyId=E898BF6D-325F-43E7-98A6-40149FDF2C2D
These tools are meant to assist SCMDM administrators with server related tasks on the SCMDM server(s). Each comes with a little text file with instructions for their usage and their requirements.
I will step through them and highlight scenarios where they would be useful. All of them require that you run them with either MDM Server Administrator or local Administrator permissions.
It is not advised to run the tools from non-writeable media such as CD/DVD as the automatic log files can not be created in that case.
MDM Application Hash Code Tool
This tool is a command line utility that assists with creating a SHA-1/MD5 hash code file. This has code file can then be used in a Group Policy Object (GPO) to create a software restriction policy so specific applications can or can not be run on your managed Windows Mobile devices.
Supported file-types are .cab, .exe or .dll files.
MDM Bulk Pre-Enrollment Tool
This tool provides you with a method to mass enroll devices for your production SCMDM 2008 implementation. Instead of adding them manually through the MDM Console or through the Self Service Portal (SSP).
The installation of this tool is a little tricky as it is a PowerShell snap-on.
1. First you need to run the .NET Framework InstallUtil, which I had to find in the .NET Framework installation directory, and then give the full path to the .DLL we want to install:
2. Then you must open the PowerShell window and execute two more commands. After-which the new cmdlet is activated and it's usage can be displayed:
[To do: More information on how to use the New-BulkEnrollmentRequest cmdlet]
MDM Certificate Tool
This tool is a super-duper certificate fix-it-up tool that could be handy if you fear you have issues with expired certificates after your initial SCMDM installation or if an ACL is out of whack. These could show up as Event ID 12105 and 12503 on the Gateway Server.
This tool is probably the most complex of the 5 tools in the Resource Kit, but it gives you 4 high-level functions:
/validate - Validate the ACL on the Gateway Central Management (GCM) certificate or existing certs.
/set - Set the ACL on the Gateway Central Management (GCM) certificate.
/install - Install one of the 6 certificates used on various SCMDM roles.
/alert - Notification by log, console, e-mail on when specified web site certs will expire.
The usage text output is quite complete and helpful to get the syntax right:
if you execute "MDMCert /validate" or one of other operational arguments the tool will give you further useful usage text. In the case of the /validate and /set it will even detect the proper certificate authority names available and display them!
[To do: How does the MDMCert.exe.config file work with the SMTPhost value?]
[To do: How does the alert messages look like?]
MDM Cleanup Tool
This is a tool for the purely paranoid at heart. :-) No, actually, this is a powerful tool for remote administrators who may have the need to quickly and remotely uninstall one or more SCMDM components. Also handy for lab work, when you need to clean things up or script training environments..
This tool is an .exe file and requires it's companion .DLL file to be in the same directory to execute.
The arguments are straightforward and dictate which server roles you wish to remove as seen in it's usage text:
BTW, This tool can be run in a regular Command prompt window.
MDM Device Enrollment Cleanup Tool
This PowerShell script can quickly be a lifesaver to clean up orphaned and obsolete device objects in the Active Directory and MDM databases.
Some examples where this could occur that you might run into and want to tidy things up:
- A device is manually hard-reset/wiped due to another issue.
- A device is hasn't connected for a duration of time.
When you run the .\RemoveDevice.ps1 script without any arguments a helpful usage text will appear and you can also see where it creates a useful .LOG file for the output:
The key arguments let you prune the Active Directory and MDM Database for device objects by name or by different date methods. Days since last connected or last connected before. You can use wildcards ("*") in the names as a suffix or prefix.
As listed in the usage text you can also use the PowerShell Get-Date function, so for example you can make it handy and automated like this to prune any orphaned devices that are more than 1 year old from the first day in the current month:
.\RemoveDevice(Get-Date -year ((Get-Date -uformat "%Y")-1) -day 1)
Remember that you will need to run the RemoveDevice.ps1 file from the Mobile Device Manager Shell window!
Also the script is signed, so you don't need to execute the "Set-ExecutionPolicy Unrestricted", "Set-ExecutionPolicy RemoteSigned" will do which should already be set on the server you are running the SCMDM Administrator Tools from..
|\\arco..