November 2008 - Posts
Celio Corporation quietly made a few exciting announcements yesterday around their REDFLY smartphone terminal devices: two new models added to the line-up, plus new accessories in time for Christmas, mainly a handy car charger and an extra power supply. :-)
The C8N model has a larger screen and battery and a new media port, so you can view video or pictures from another device. The 8" screen size is the same as the older REDFLY model (C8). The new C7 model has a smaller 7" screen and a smaller battery, making it even lighter than the older C8 model.
The video on the new C8N is not driven from a smartphone but from any other device that provides composite video output. The audio must also be driven from the other device, so think of it as a larger display while on the go. The smartphone doesn't have to be connected to the REDFLY to view the video, but you can view the video in a minimized overlay window at the same time as working on your smartphone! The new media port can also be used as a 3rd USB port with the media cable adaptor.
C7 available Nov 24, 2008 for USD $229.00 - Preorder here!
C8N available Dec 1, 2008 for USD $299.00 - Preorder here!
For more details please go to http://www.celiocorp.com/product/. I have listed the high-level specs below.
REDFLY Mobile Companion C7
At less than 1.5 lbs, the REDFLY C7 has a power-saving 7-inch display, a sleek black design, a full QWERTY keyboard and a lightweight battery that provides up to 5 hours of use.
Size: 1 x 6 x 9 inches
Screen: 7-inches; 800 x 480 pixels
Weight: 1.46 lbs.
Battery: 2,000 mAh - 5 hour battery
USB (2 ports)
VGA Port (800 x 600 maximum resolution)
REDFLY Mobile Companion C8N
REDFLY C8N with its 8” display and 8 hr battery is designed to meet overwhelming customer demand to use the larger screen for an external video source such as an iPod, Zune, or digital camera. A new REDFLY Media Port and optional REDFLY Media Cable provide a connection for composite video input (NTSC/PAL compatible). REDFLY’s 800x480 screen can be used to view photos, show demos and even watch movies. The new Media Port can also be used as a 3rd USB port. (Requires REDFLY Media Cable and media player’s composite video cable.)
Size: 1 x 6 x 9 inches
Screen: 8-inches; 800 x 480 pixels
Weight: 2 lbs.
Battery: 4,500 mAh (lasts 8 hours with typical usage)
USB (2 ports)
VGA Port (800 x 600 maximum resolution)
External Media Port – View video media from external sources
A good colleague of mine noticed this morning that the SCMDM TechNet website has been modified with some friendly changes. It is located here: http://technet.microsoft.com/scmdm.
The changes include direct links to frequently referenced MDM documentation available online on TechNet. May be worth a stop if you are just now getting familiar with MDM and have questions about the product!
Just noticed these being updated and posted on TechNet tonight, replacing all the RTM documentation previously posted. Several updates in the various sections appear to have been made.
System Center Mobile Device Manager 2008 Service Pack 1
The technical library for Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1 contains resources that can help you deploy and operate MDM 2008 SP1 in your enterprise.
Note: You can view documentation for MDM 2008, predecessor to MDM 2008 SP1, at this Microsoft Website: http://go.microsoft.com/fwlink/?LinkID=18108.
The MDM 2008 SP1 library is organized into the following sections:
Getting Started for Mobile Device Manager
Overview of MDM • System Requirements • More…
Architecture for Mobile Device Manager
MDM System Architecture • How MDM Works • More…
Planning for Mobile Device Manager
Server Topologies • Checklists and Worksheets • More…
Deployment for Mobile Device Manager
Deployment Overview • Configuration and Installation Steps • More…
Operations for Mobile Device Manager
Device Management • Server Management • MDM Self Service Portal • More…
Security and Protection for Mobile Device Manager
Security Architecture • Recommended Group Policy Settings • More…
Technical Reference for Mobile Device Manager
Deployment Reference • Operations Reference • Group Policy Settings • More…
Troubleshooting for Mobile Device Manager
Setup Issues • Enrollment Issues • Gateway Issues • More…
Technical Articles for Mobile Device Manager
Technical Articles • Upgrade Steps
A critical aspect of your SCMDM environment is the certificates that drive the security in the solution and the mission-critical IPSec VPN connectivity to all of your managed devices. If this chain is broken you could end up losing management of all your devices when your CA certificates expire. I know this is probably not a concern for many of the current SCMDM installations, as most certificate expirations are far in the future. But I believe it should be taken seriously well in advance.
The solution blogged about here will monitor the certificates used on your CA servers, for example the root and all the intermediates in the chain.
It will not monitor the SCMDM web certificates used within the SCMDM infrastructure, but could probably be modified to do so. Instead, for the web certificates I have detailed information below on how to use an SCMDM Resource Kit tool to perhaps automate the monitoring of those certificates, so you have a complete monitoring solution.
The SCMDM device certificates are renewed automatically, 6 weeks before their 1-year expiration. I will discuss this in more detail in a separate section below.
This free solution involves using an older .VBS script written by Ian Hellen from Microsoft, running on your CA server (which must be online and running), that will monitor the specifics and give you:
1) A warning if the certificate has less than 50% of its validity period remaining
2) An error if the certificate is about to expire (within 1 month of expiry)
3) A critical error if the certificate has expired
It will write an Event Log entry for these events (so it could be picked up by MOM/SCOM) and/or send an e-mail to the destination of your choice. Furthermore, the script can also verify CRL health and local CA RPC connectivity. Truly a killer, full-featured monitoring script Ian and his co-writers have produced here!
Microsoft CAPICOM library
The script requires CAPICOM 2.0 or above. CAPICOM is a free Microsoft component which allows scripts to perform encryption and signing, as well as manage the Windows system key stores. The latest redistributable copy (v2.1.0.2) is available for download here: http://www.microsoft.com/downloads/details.aspx?FamilyID=860EE43A-A843-462F-ABB5-FF88EA5896F6
By default the CAPICOM.DLL is installed here: <C:\Program Files\Microsoft CAPICOM 2.1.0.2 SDK\Lib\X86>.
It must be registered before you can use it. That can be accomplished by executing this command in the folder where the CAPICOM.DLL file is located:
No reboot of the machine is necessary. If you forget to register the .DLL file the script will give you a "CAPICOM is not registered" error and exit.
The Monitoring Script
The Certificate Authority Monitoring script is located here:
It can be copied and pasted directly into notepad on a server and saved to a camonitor.vbs filename. Then to execute it:
Example screen shot of the usage screen and two checks performed in a working SCMDM environment:
This is an example of the Event Log entries the script will generate:
The script has to be run locally on the CAs but will validate the entire chain from that point upwards. So running it on the lowest CA server in the chain would work if your Root CA server is offline. As Ian recommends on the script page, if you have MOM/SCOM or another agent-based server monitoring system, have the script executed by the client agent in the proper security context. Windows Task Scheduler can of course also be used.
Since you can specify multiple monitoring actions it may be wise to run it frequently; Ian recommends at least once an hour. Here it will check the CA certificate chain, RPC connectivity and CRL health:
cscript camonitor.vbs /CACertOK /CAAlive /CACRLOK
I haven't yet tested it against a Windows 2008 CA to see if it works there; Ian states it is only supported on Windows Server 2003. But I found it referenced in a Windows 2008 PKI book, so there is a good chance that it does. :-)
Modifying the script for SCMDM Device Certificate Renewal Time
The script used for this solution was created for a different purpose, in a generic fashion, and has a hard-coded warning threshold of 1 month. The default SCMDM device certificate template has a 6-week automatic renewal period before the certificate expires after 1 year, so I am gravely concerned that a 1 month/4 week warning for the expiration of the CA certificate will not be enough time for the devices to auto-renew their certificates.
So I have modified the script to have a 3 month/12 week warning period instead of the 1 month. A 2 month/8 week setting may also work, but I like having a cushion. :-) I have placed this logic into the script using a new constant named CA_CHECK_WARNING, so you can change this constant to the value of your choice.
Download this modified .VBS script here: camonitorV1.5.zip
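To make the three alert tiers and the CA_CHECK_WARNING change concrete, here is an added Python example (not Ian's script and not part of this post's download) that applies the same decision logic to a constructed CA chain and checks that the warning window is longer than the 6-week device auto-renewal lead time. The CA names and dates are made up for illustration; a real deployment would feed in the notBefore/notAfter values read from the CA certificates.

```python
from datetime import datetime, timedelta

# Warning window of the post's modified camonitor.vbs (CA_CHECK_WARNING = 12 weeks);
# the unmodified script uses roughly 1 month.
CA_CHECK_WARNING = timedelta(weeks=12)
ORIGINAL_WARNING = timedelta(days=30)

# SCMDM device certificates auto-renew 6 weeks before their 1-year expiry.
DEVICE_RENEWAL_LEAD = timedelta(weeks=6)

# Higher number = more severe; used to pick the worst status in a chain.
SEVERITY = {"OK": 0, "WARNING": 1, "ERROR": 2, "CRITICAL": 3}


def classify_certificate(not_before, not_after, now, warning_window=CA_CHECK_WARNING):
    """Return OK / WARNING / ERROR / CRITICAL using the script's three tiers:
    expired -> CRITICAL; inside the warning window -> ERROR;
    less than half of the validity period left -> WARNING."""
    if now >= not_after:
        return "CRITICAL"
    remaining = not_after - now
    if remaining <= warning_window:
        return "ERROR"
    if remaining <= (not_after - not_before) / 2:
        return "WARNING"
    return "OK"


def check_chain(chain, now, warning_window=CA_CHECK_WARNING):
    """Classify every CA certificate in the chain and return
    (worst_status, {name: status}) so one alert can summarise the chain."""
    statuses = {
        cert["name"]: classify_certificate(
            cert["not_before"], cert["not_after"], now, warning_window
        )
        for cert in chain
    }
    worst = max(statuses.values(), key=SEVERITY.__getitem__)
    return worst, statuses


def warning_window_covers_renewal(warning_window, renewal_lead=DEVICE_RENEWAL_LEAD):
    """The CA alert must fire before managed devices start renewing against
    that CA, so the warning window has to exceed the device renewal lead time."""
    return warning_window > renewal_lead


# Constructed sample chain: hypothetical names and dates, not from any real deployment.
SAMPLE_CHAIN = [
    {"name": "Contoso Root CA", "not_before": datetime(2003, 1, 1), "not_after": datetime(2013, 1, 1)},
    {"name": "Contoso Intermediate CA", "not_before": datetime(2006, 11, 27), "not_after": datetime(2008, 11, 27)},
    {"name": "Contoso Issuing CA", "not_before": datetime(2008, 6, 1), "not_after": datetime(2010, 6, 1)},
]
SAMPLE_NOW = datetime(2008, 11, 20)

if __name__ == "__main__":
    worst, statuses = check_chain(SAMPLE_CHAIN, SAMPLE_NOW)
    for name, status in statuses.items():
        print(f"{status:8} {name}")
    print("chain status:", worst)
    print("12-week window covers device renewal:", warning_window_covers_renewal(CA_CHECK_WARNING))
    print("4-week window covers device renewal:", warning_window_covers_renewal(timedelta(weeks=4)))
```

With the sample dates the root CA is past the halfway point of its 10-year life (WARNING), the intermediate has a week left (ERROR) and the issuing CA is fine, so the chain as a whole reports ERROR; the same intermediate with 60 days left would be an ERROR under the 12-week window but only a WARNING under the script's original 1-month window, which is exactly the gap the modification closes.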
SCMDM Resource Kit Server Tool: MDM Certificate
As I mentioned in the beginning, the .VBS script is geared towards an automated solution for the CA server certificates which form the foundation of the PKI that SCMDM leverages. For the certificates that work within the SCMDM infrastructure, a handy tool could be the MDM Certificate tool (MDMCert.exe) from the SCMDM Server Resource Kit. You can download it from here: http://www.microsoft.com/downloads/details.aspx?FamilyId=E898BF6D-325F-43E7-98A6-40149FDF2C2D
It states that the "MDM Certificate Tool helps administrators to request certificates for MDM components. Administrators can also set Access Control Lists (ACLs) on certificates, place requested certificates in a specific folder, and invalidate Global Certification Manager (GCM) certificates." So it can assist with a number of different things, as I have blogged about before. Here we will just talk about the alerting functionality.
The MDMCert tool is a little quirky and, I have found, doesn't have the best documentation or error messages at this point in time. But through some trial and error here are some good tips to know about:
- The fully qualified CA instance name must be used if you use the /validate function. I.e. you can't use /ca:CASERVER\CAINSTANCE, but /ca:CASERVER.domain.com\CAINSTANCE.domain.com will work. The /alert function, however, doesn't appear to care whether either is fully qualified. :-)
- The /alert function to notify on expired web certificates needs the IIS website names in its website parameter exactly as they appear in the IIS console on the local server that hosts them! This also means you need to run the tool on each server locally, not remotely.
Usage screen for the /alert function:
Here is an example of the MDMCert tool running on an SCMDM Gateway Server where the certificate for the "Gateway Management Web Site" will still be valid in 5 days, and I specified that the alert text be placed (overwriting any previous content) in the C:\GatewayCertExpiration.txt file:
This is the contents of the C:\GatewayCertExpiration.txt file after the above execution:
Here I run the MDMCert tool again with the maximum value of 365 days in the future and use the fully qualified CA and instance name, where it shows that the certificate will expire:
Again, here is the C:\GatewayCertExpiration.txt file after the above execution:
I believe with this example something automated could be set up to monitor the Gateway web certificates and all the Device Management and Enrollment sites, either by using the command-line output from the tool itself or by grep'ing the text that can be written to a file. Not to mention the e-mail delivery method, where mail rules could be kicked off.
System Center Operations Manager (SCOM) Management Pack
As with all new Microsoft products, the SCMDM 2008 release has a SCOM Management Pack that can monitor the basic services on all the SCMDM server components.
Microsoft System Center Mobile Device Manager 2008 Management Pack for SC Operations Manager 2007:
Another angle to monitor your SCMDM environment, if you use Microsoft ISA Server to publish your SCMDM enrollment site, is to monitor for errors on the publishing rule. Once the certificate for the enrollment site expires it will show up as an error on that publishing rule. :-)
Renewing CA and SCMDM Certificates
As this table from the Deploying MDM in a Global Enterprise white paper clearly shows, the monitoring and renewal maintenance of the certificates in an SCMDM infrastructure shouldn't be a surprise:
As this post is already getting quite long I will save the details on how specifically to manually renew the certificates for another day. But the documented steps in the MDM Deployment Guide should cover the SCMDM side of things.
For the CAs I believe this should be a good starting point:
Additional reference material if you need more information:
Windows Server 2003 PKI Operations Guide:
MCS Talks Security and PKI Webcast: http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032387210&EventCategory=5&culture=en-GB&CountryCode=GB
Let me know if all this information is helpful and provides a usable certificate monitoring solution!
While troubleshooting environments with Windows Mobile devices, it usually becomes clear that you might need to get back to basics on testing name resolution and/or network connectivity.
BTW, for network connectivity an excellent choice could be the handy free IP Utility from Enterprise Mobile, available here: http://tools.enterprisemobile.com/iputil/ :-)
Another tool or weapon of choice is using static hosts on a Windows Mobile device to mimic name resolution locally on the device. Similar to the /windows/system32/drivers/etc/hosts file on desktops/notebooks, you can also place static host names on a Windows Mobile device for local lookup and resolution.
This can come in handy for redirecting an existing DNS name to a different IP address, or for making sure a server name or URL can resolve. On Windows Mobile there is no /etc/hosts file, however; this is all driven from the registry instead. Please see this article for more details and information:
Instead of loading up a Windows Mobile registry editor and painfully converting an IP address into the registry format, Marc Zimmerman made his handy Pocket Hosts tool a while ago: http://www.zimac.de/cestuff.htm
But it could only run on Pocket PC/Professional OS devices, so troubleshooting Smartphone/Standard OS devices was still painful.. <sigh><double sigh>
That is, until Andreas Helland posted his flavor of the same tool, called Hosts File Editor, which he has coded to run on either Professional or Standard based devices!! Thank you Andreas!
Read all about it here:
Windows Mobile Professional: http://mobilitydojo.net/files/HostsFileEditPro.exe
Windows Mobile Standard: http://mobilitydojo.net/files/HostsFileEditStd.exe
Now, go out and have lots of static host fun, no .CAB file installation needed! :-)
Recently I have re-found a fairly useful document that I have seen previously but forgotten. It is a handy TechNet document that lists all the MDM error and event message numbers:
Highly recommended if you are trying to troubleshoot a setup and you notice some event messages. Many have resolution information that may be helpful. :-)
In the spirit of sharing, some recent experiences while troubleshooting an MDM RTM installation that may be of interest to others.
Problem Scenario: Working MDM RTM instance installed 6+ months ago. Existing enrolled devices were working fine and bringing up VPN. OTA Enrollment was no longer working. Error displayed on devices: "Unable to enroll the device in the company domain. Make sure that the device has the correct date and time and then try again."
Troubleshooting: Triple-checked all servers and devices tested. Date/time all correct! No event log entries with a smoking gun. Did notice that the Enrollment IIS log barely had any entries. Verified that the Enrollment site published through ISA was correctly configured. The Enrollment ShouldEnroll test came back with a successful "0" response.
Solution: Finally noticed that the main certificates and intermediate CA were all expiring a week from now, but still valid. Turned on ISA monitoring during an OTA enrollment and saw that the web connection was dropped very fast, which explained the lack of data in the IIS logs. I checked the ISA listener rule for the enrollment web site and found that that cert had expired over a week ago: the root cause!
Seeing that all the certificates and the intermediate CA server needed to be renewed anyhow, I figured I would be daring and forgo using the Resource Kit cert tool, renewing everything manually like a newbie might try. :-)
All the certificates on the domain-joined DM/Enrollment server were fairly easy. In IIS bring up the properties on each web site -> Directory Security -> Server Certificate -> Renew -> Online.
Even the intermediate CA wasn't too bad, with its Action -> Renew Cert once I had the right session permissions. The ISA Listener and Gateway Web cert I did manually through the http://ca-server/certsrv website.
However, to my horror and shock, newly enrolled devices were now not bringing up VPN. The MDM VPNDiag tool showed Cert Chain errors on the device with "NAME_MATCH" errors. Double-checking the certificates once again (did I mention I now hate certs?) it dawned on me that since the Gateway server is not a domain-joined machine, the new intermediate CA cert was not there and had to be manually imported. But even after doing so, the newly enrolled devices still had a chain error. Also, in the MDM Mobile VPN Connections Event Log on the Gateway server I saw these entries:
Once I rebooted both the Gateway and DM servers and enrolled another device from scratch, it finally all worked. This leads me to believe that either the Pre-enrollment or the DM services or the Gateway services had some memory of the previous intermediate CA cert (still valid for another week) and got mixed up negotiating the VPN connection.
- Date/time device enrollment errors could be issues with accessing the enrollment site; check its full access path, proxy cert etc.
- Always use MDM VPNDiag tool from the Resource Kit Client Tools on the device to troubleshoot and verify the cert chain!
- Perhaps best practice to reboot the DM and Gateway servers after changing an intermediate CA or root CA cert. :-)
- Recommend looking at using the MDM Certificate Tool from the Resource Kit Server Tools to simplify the renewal process.