Enterprise Mobile

Blogging about enterprise mobility, mobile devices, security, management and deployments.

Author Archive

If you are supporting a corporate enterprise, every day may bring new devices from employees that you may be asked to support. Even if you have a strict supported device list that you hold regular end-users to, are you really going to say no way to your boss or one of the CxOs?

Using a new iPad this weekend I have run into some minor quirks so far, but nothing major I believe. Sharing my experiences here so you may save some research time:

- Biggest confusion factor was that it appears it won’t charge on a regular USB connection, and needs the full 10W charge from a wall adaptor. Otherwise you may see the “Not Charging” text next to the battery icon in the top right corner.

- You need to download the latest iTunes 9.1 (or higher) version to set up and register the iPad for the first time. Still no way over the air.

- Some applications on the Apple iTunes AppStore are “universal” and can run on either the iPhone/iPod Touch or the iPad. Others may have separate versions with different names. If you sync Apps from your Apple account from previous devices, you may find yourself with several “duplicate” applications showing up and should delete the non-iPad versions.

- Older “legacy” iPhone/iPod Touch applications can be zoomed up to full screen by tapping the round “2x” icon in the bottom right when running.

- The iBooks app is free (as is the Amazon Kindle app for iPad), but the three iWork apps are USD $9.99 each at this time. Pages is a word processor, Numbers a spreadsheet app, and Keynote a presentation app. All native apps sold by Apple and only for the iPad at this time. Together they are probably one of the best competitors to most of the upcoming Windows 7 Phone Office Hub functionality.

- You can place up to 6 icons in the bottom line of the screen for easy access. This is compared to the usual 4 on the other platforms.

It will be interesting to see the future Android and Microsoft based tablets and how they will compete against the iPad.

Useful Links

Apple iPad Enterprise Support Forum:
http://discussions.apple.com/category.jspa?categoryID=269 

For a good listing of iPad supported apps:
http://appshopper.com/ipad

The iPhone Config Utility was updated to v2.2 last week to support the iPad:
http://support.apple.com/kb/DL926
http://images.apple.com/ipad/business/pdf/iPad_Deployment_Scenarios.pdf

But I don’t see any updates to the “Enterprise Deployment Guide” yet:
http://www.apple.com/support/ipad/enterprise/

Marco..
http://marco.blogsite.org

As I have blogged about previously, there were some interesting webcast sessions on Windows Mobile, Security and Device Management on TechNet recently.

If you were unable to attend you can also catch a glimpse of one of the speakers I know, David Field here on TechNet Edge:
http://edge.technet.com/Media/Enterprise-Mobile-Security-Interview/

Dave Field spoke at TechEd on mobile security and gives us some insight into mobile phone security on topics such as:

  • Areas where Windows Mobile security is strong against the competition
  • Scenarios where companies will want to look to 3rd party solutions for mobile security
  • Recommended ways to implement 2 factor authentication for phones

The Windows Mobile security whitepaper Dave mentions is available here: http://www.enterprisemobile.com/resources/white-papers.htm

|\\arco..
mnielsen(at)enterprisemobile.com

There appears to be a lack of public information regarding the inner secrets of successfully navigating and configuring the proxy and work exceptions on the Windows Mobile platform. My fellow Enterprise Mobile colleague, Patrick Salmon, has broken through and made some very interesting observations and facts about how to get it all configured correctly. This article contains all of the material and information Patrick has researched.

Most of this boils down to how the Windows Mobile Connection Manager is handling the connections and the decisions it makes to route the traffic. The Connection Manager is well aware of the native L2TP and PPTP connection methods in Windows Mobile, but appears to lack direct support for the Windows Mobile 6.1 Mobile VPN that is used by SCMDM 2008. See more information here: http://msdn.microsoft.com/en-us/library/ms879581.aspx.

This article assumes you are already well familiar with the SCMDM network routing requirements and how to configure Group Policies.

Proxy Issues Today

1. If you set the proxy via the SCMDM 2008 Group Policy you may observe that the necessary connectivity to the SCMDM Device Management server and WSUS services breaks.

2. Trying to use the Work/Internet capabilities as currently documented breaks the SCMDM VPN.
http://technet.microsoft.com/en-us/library/dd261930.aspx does explain some of the necessary steps, and http://technet.microsoft.com/en-us/library/dd261921.aspx also states to make sure that the SCMDM Gateway server is listed.

3. No visibility on the client of what is configured.
The Windows Mobile Connection Manager internally uses something called a URL Mapping Table to decide if a specific URL is destined for the Internet or the corporate network connection. It can use a URL pattern which we will go into in more detail below. Please see http://msdn.microsoft.com/en-us/library/aa455992.aspx.

[Screenshot: where to set the Proxy server setting in the SCMDM 2008 Group Policies]

The solution is to correctly configure the Internet proxy setting and also specify the routing of which URLs go to the “Internet” and through the configured proxy, and which are internal or go through “Work” back through the VPN connection.

Overall best practices

Keeping things as simple as possible will go a long way. The basics are:

1. “Internet” bound traffic = Route via proxy if defined, otherwise use Default Gateway on SCMDM Gateway Server.

2. “Work” bound traffic = Route traffic directly to internal network using local routing tables on SCMDM Gateway Server.

3. If the FQDN of the Proxy is part of an internal domain, do not put the FQDN in the Proxy configuration!
This will not work: because of the dotted name it will be detected as an Internet domain, and it will not behave as you expect. The solution is to use the IP address directly. Example: instead of “proxy_host.company.com:8080” use “172.16.1.1:8080”.

The specific Internet/Work routing is configured through a “hidden” existing Group Policy setting:

[Screenshot: the Group Policy setting used for Internet/Work routing]

The dialog window has two areas. One for the Internet domains (which will be routed to a proxy if configured so) and at the bottom for Work domains (not routed to the proxy if configured). This is what the default values are:

[Screenshot: default values of the Internet and Work domain lists]

Next we will go into how to configure these entries in more detail.

Connection Manager URL Mapping Pattern

The Windows Mobile Connection Manager uses a general *://*.*/* URL type format. This can be further broken down into these examples:

  • “*” and “?” can be used anywhere:
    • “*” = Zero or more characters of any type.
    • “?” = Takes the place of any single character.
  • *:// = Any protocol (usually http or https).
  • /*.*/ = Any FQDN namespace.
  • /*/ = Any NetBIOS/WINS name.
  • *://servername/* = Specific NetBIOS server name.
  • *://*.company.com/* = Any host in an FQDN domain called company.com.
  • *://host1.company.com/* = Only host1, any protocol, any website on target.
  • *://host?.company.com/* = All traffic to host[a-z, 0-9], any website.
  • https://host1.company.com/home = Only https requests to host1’s “home” directory.

Some things to think about when defining your own URL Mapping table:

- Obey classic firewall rules – most granular is processed first
- Define your targets and know your internal name space
- Put in sequence (most specific first, least specific last)
- Decide whether traffic goes via the “internet” or “work” network routing from your SCMDM Gateway Server

Example and Outcome

Here is what a working example of URL Mapping Filter entries could look like, with notes on each entry:
- *://www.company.com/* – Externally hosted Internet site
- *://mdmvpn.company.com/* – Route SCMDM Gateway Server access through Internet
- *://*.company.com/* – Internal work namespace
- *://*.*/* – Catch all for all other Internet requests
- *://*/* – Catch all for all other internal NetBIOS/WINS requests – However, not found to work in testing, and removed so Internet requests are not caught by it!

Outcome with the above setting details:
- SCMDM VPN will connect correctly through the Carrier/MO/ISP on the device
- SCMDM Device Management and WSUS traffic will require no further intervention.
- Internal Line-Of-Business application traffic will go direct.
- Internet bound traffic will go to the corporate proxy (if defined in separate Group Policy).
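
The ordering advice above can be checked offline before a table is pushed out by Group Policy. The sketch below is an added example, not code from this article or from Connection Manager: it assumes the table is one ordered list where the first matching entry wins, applies “*” and “?” as defined above, and assumes case-insensitive matching. The names `route`, `covers`, `find_shadowed` and the misordered table are hypothetical.

```python
import re

# The article's working example, as (pattern, destination) in evaluation order.
# One ordered list with first-match-wins is an assumption of this sketch.
EXAMPLE_TABLE = [
    ("*://www.company.com/*", "Internet"),     # externally hosted site
    ("*://mdmvpn.company.com/*", "Internet"),  # SCMDM Gateway Server
    ("*://*.company.com/*", "Work"),           # internal work namespace
    ("*://*.*/*", "Internet"),                 # catch-all for dotted names
]

# Constructed counter-example: the broad Work entry is listed before the gateway.
MISORDERED_TABLE = [
    ("*://*.company.com/*", "Work"),
    ("*://mdmvpn.company.com/*", "Internet"),
    ("*://*.*/*", "Internet"),
]


def _compile(pattern, star=".*", qmark="."):
    """Translate a mapping pattern into a regex; everything but * and ? is literal."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(star)
        elif ch == "?":
            parts.append(qmark)
        else:
            parts.append(re.escape(ch))
    # Case-insensitive matching is an assumption (host names are case-insensitive).
    return re.compile("".join(parts), re.IGNORECASE | re.DOTALL)


def route(url, table):
    """Return (pattern, destination) of the first entry matching url, else None."""
    for pattern, dest in table:
        if _compile(pattern).fullmatch(url):
            return pattern, dest
    return None


def covers(general, specific):
    """True if every URL matched by `specific` is also matched by `general`.

    Conservative check: the wildcards of `specific` are replaced by sentinel
    characters, and a '?' in `general` is not allowed to absorb a '*' sentinel.
    It may miss some covering pairs but never reports a false one.
    """
    probe = specific.replace("*", "\x00").replace("?", "\x01")
    return _compile(general, qmark=r"[^\x00]").fullmatch(probe) is not None


def find_shadowed(table):
    """Return (later_pattern, earlier_pattern) pairs where the later entry can
    never be the first match because an earlier entry covers it."""
    findings = []
    for i, (pattern, _dest) in enumerate(table):
        for earlier, _earlier_dest in table[:i]:
            if covers(earlier, pattern):
                findings.append((pattern, earlier))
                break
    return findings


if __name__ == "__main__":
    # Constructed sample URLs, not taken from a real deployment.
    samples = [
        "https://mdmvpn.company.com/",
        "http://intranet.company.com/hr/",
        "http://www.example.org/",
        "http://sharepoint/sites/team",
    ]
    for name, table in (("example", EXAMPLE_TABLE), ("misordered", MISORDERED_TABLE)):
        print(f"-- {name} table --")
        for url in samples:
            print(f"{url:35} -> {route(url, table)}")
        print("shadowed entries:", find_shadowed(table))
```

With the misordered table the gateway host is classified as “Work”, the condition the article describes as breaking the SCMDM VPN, and a single-label host name matches no entry, which is where the DNS suffix approach in the next section comes in.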

Internal namespace sans WINS

Since most companies are well on their way to getting rid of WINS entirely and have put DNS suffix search order standards in place, another solution is to push a default DNS suffix to your Windows Mobile devices. Brian Puhl from Microsoft IT blogged about this last year here:

http://imav8n.wordpress.com/2008/08/21/getting-single-label-name-resolution-on-mdm-enrolled-phones/.

So this could ensure proper name resolution to a FQDN for internal names used on the Windows Mobile device. In the example above this could be routed to the “work” side of things by the *://*.company.com/* URL Mapping.

For more information on creating custom ADM templates for use in SCMDM 2008 please see: http://blog.enterprisemobile.com/2008/10/writing-custom-gpos-for-scmdm-2008/.

SCMDM 2008 SP1 Source-based Routing

Another feature that can be used to better assist with the complex nature of network routing, proxies and Internet access is the source-based routing feature present in SCMDM 2008 SP1. Some details can be found here: http://technet.microsoft.com/en-us/library/dd252779.aspx

[Screenshot: the source-based routing option on the Gateway Wizard]

One example of how this could work: instead of having the default gateway on the External NIC of the Gateway Server, you place one on the Internal NIC. You can then configure the source-based routing option to an IP address of an external firewall that is accessible from the Internal NIC. Now Internet IPSec traffic will come in and terminate on the external NIC, but return back to the device through the Internal NIC and the IP address of the source-based routing, back to the Internet. Now any traffic from the Windows Mobile devices not configured to the proxy will default out to the Internal NIC gateway. This could be useful for applications that are not proxy aware, or if you don’t want to use any proxy but instead direct all traffic to the internal side, to be taken care of there for either internal or external Internet routing.

Split DNS

Another idea that could perhaps assist in some architectures is the use of split-DNS. In the Gateway Wizard you can specify the DNS server the Windows Mobile clients will use to resolve hostnames. Many simply use the existing DNS server present internally and make sure connectivity on TCP port 53 is open to it. Another idea could be to use a separate DNS server that contains hostname zone entries that could be similar but resolve to different IP addresses to better resolve network routing or DMZ issues at hand. DNS forwarding could still be used to forward remaining requests to the primary internal DNS servers.

Tethering Devices

Another Enterprise Mobile colleague, Dave Field, also points out:

“Please note that if you have a proxy setup on the device and you partner the device to a desktop that has “automatic” setup for the Connection setting, it will auto-configure the device proxy and overwrite whatever you have. It will configure it for port 80 automatically too.”.

At the time of this writing I’m not sure if the Group Policies will automatically refresh the settings again down to the device. A workaround may be to disable the tethering functionality altogether if this is a big concern.

Wrap up

The final best advice is to have patience in troubleshooting and testing the proxy and network routing. It can be complex and quite difficult to get set up correctly in a large organization. Logic flow, re-verifying settings, and looking at logs could be your best friends.

Thanks again to Patrick Salmon for getting the answers together. Also a thanks to Wayne Phillips and David Creedy from Airloom for their feedback and corrections!

Please leave a comment or contact me directly if you have additional findings or feedback on how these settings work and act for you!

Reference links – for additional information:
Default URL Mapping values in Connection Manager:
http://msdn.microsoft.com/en-us/library/aa456095.aspx
How Connection Manager works:
http://blogs.msdn.com/fzandona/archive/2005/10/10/ConnectionManager02.aspx
How the Mapping Index works and what are some of the high-end catch all values:
http://msdn.microsoft.com/en-us/library/aa455850.aspx
http://msdn.microsoft.com/en-us/library/aa456095.aspx
Using Connection Manager URL Mapping:
http://msdn.microsoft.com/en-us/library/aa455992.aspx
SCMDM Forum thread discussion on these settings:
http://social.technet.microsoft.com/Forums/en-US/SCMDM/thread/9a295dc0-55a6-4783-b43e-132748e8e7b5

|\\arco..

Updated on May 12, 2009 with some corrections.

Don’t believe this is that recent news, but just learned about it and thought I would share as I think it could be quite useful for many enterprise scenarios.

This is a public website that can be used to troubleshoot Exchange server connectivity issues. Originally written by a Microsoft Escalation Engineer and continually updated.

You can test such things as Exchange ActiveSync (EAS) issues, including Windows Mobile 5 and Windows Mobile 5 w/MSFP, Windows Mobile 6.1 clients with AutoDiscover, Outlook RPC over HTTP (Outlook Anywhere), Outlook 2007 and AutoDiscover and even inbound SMTP. The tool will give you a nice detailed report that you can drill down into and research where any failure might be.

It is accessed from here: https://www.TestExchangeConnectivity.com.

This could be very useful in testing your Exchange configuration and setup before you have Windows Mobile clients to access your environment. Validation of certificates and which Windows Mobile versions are supported is also included!

[Screenshots: main menu, applying test credentials, and an example report]

Reference Links:
Blog: http://msexchangeteam.com/archive/2009/03/25/450908.aspx
Video: http://edge.technet.com/Media/The-Remote-Connectivity-Analyzer-for-Exchange-Server/
Facebook Group: http://www.facebook.com/group.php?gid=58417140899
Twitter: http://twitter.com/ExRCA 

|\\arco..

A quick update to the post I made previously on this. One of these sessions is live at TechEd and the rest are being broadcast live on TechNet starting next week. All are being presented by colleagues of mine here at Enterprise Mobile.

· Webcast: TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)
Tuesday, April 7, 2009
10:00 A.M.–11:00 A.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407362&culture=en-US
Description: “So, you are using Microsoft System Center Mobile Device Manager 2008 and Windows Mobile 6.1. Now what? You probably know that Mobile Device Manager can manage, secure, and install software on your phones. But did you know Mobile Device Manager also gives your users the potential to control the PC at their desk and access everything they need on the corporate network, including file shares, Microsoft Office SharePoint Server, instant messaging, and internal Web pages. In this webcast, we present the best practices for a Mobile Device Manager installation that provides users with access to everything they need in the corporate network through their phone and (just as important) denies access to resources mobile users don’t need. We review the basics of Mobile Device Manager and IP security (IPsec) virtual private networks (VPNs), and we discuss the tools that users can take advantage of so they can work wherever they would like using their phone. Discover how Mobile Device Manager eliminates the need to expose your organization’s Microsoft Exchange Server to the Internet.”

· Webcast: TechNet Webcast: Windows Mobile Digital Certificate Management (Level 300)
Thursday, April 9, 2009
11:00 A.M.–12:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032409997&Culture=en-US
Description: “Digital Certificates and public/private key technology is core to Windows Mobile platform security. In this session, you’ll learn about how certificates are used to provide authentication, access control and encryption for the OS, applications and networking. You’ll also learn best practices and “gotchas” for managing certificates on the device. The speaker is an expert on Windows Mobile Certificate management and certificate-related features in the OS. Therefore, come ready to ask any questions you may have: enrollment, import, SSL, root certificates, email security, application security, etc.”

· Webcast: TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
Tuesday, April 17, 2009
11:30 A.M.–1:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032410692&culture=en-US
Description: “System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which takes almost 2 years of hands-on experience of deploying implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.”

· TechEd 2009 “Chalk Talk” in the WM area:  Management Lockdown of Windows Mobile Devices
Tuesday, May 12, 2009
10:15 A.M.-11:30 A.M. Pacific Time
Description: “You can completely secure a Windows Mobile device without deploying expensive third party applications. In this session we’ll show you how to bar viruses, malicious and unsupported code from installing and running on the device. In addition, we’ll look at various out-of-the-box devices and analyze their threat surface. Last, we’ll describe all Windows mobile application security threat surfaces and how to manage all of them.”

Register for them now and get it on your calendar! :-)

|\\arco..

After writing up my last blog article about Windows Mobile troubleshooting and logging utilities (see it again here), I was more closely on the lookout for other tools and tricks that might help assist in a similar fashion. Of course I found some more good additional information and have included it in this round. :-) Especially the memory management information I don’t think has been that well communicated in the past.

.NET Compact Framework Logging

On Steve Hegenderfer and Reed Robinson’s excellent blog Reed posted a great article about how to enable .NET CF loader logs and what to look out for. Specifically referencing this MSDN information on how to enable the logging: http://msdn.microsoft.com/en-us/library/ms229650.aspx. It is all controlled in specific registry keys on the device to enable 6 different flavors of .NET CF logging: "Interop", "Error", "Loader", "Network", "Finalizer", or "Trace".

The Power Toys for .NET Compact Framework v3.5 download gives you additional tools to make this easier. One is the Remote Logging Configuration Tool.

So the most interesting for non-developers trying to troubleshoot .NET CF applications is probably the "Loader" logging. This is where you can see if the application even makes it off the ground and why. As Reed suggests in the article I mentioned, it could be referencing a .NET assembly not present on the device for whatever reason.

Additional details on how to read the "Loader" logging can be found here: http://msdn.microsoft.com/en-us/library/ms229667.aspx.

File System Logging

This is a type of extreme logging that can really slow down a working operating system. But it can also show you exactly what is going on at the file I/O level. Specifically what files are being accessed or written to. This could be useful to trace back missing files or folders, or figuring out the last file access a specific application did before failing.

I only recently found a tool called MobileMon v0.5 by Brian Dunn. His website, http://www.mobilmon.com/, has more information and you can download the .CAB file there.

Basically you can install and run it in the background while it logs file activity.

Once you are done you can save it to a log file. Be aware however that the file name "mobilmon.log" may be hard to open on the device itself unless you install a tool (Like Voyager or Total Commander) to rename the file to mobilmon.txt. Then you can open it with the native Word Mobile.

Memory Management and Monitoring

Another important area of concern for current Windows Mobile troubleshooting is available memory on the device. Memory leaks, multiple running applications, and garbage heaps can all contribute to needing frequent soft-reboots to get a device functional again. A little known fact that I wasn’t fully aware of is that only 32 applications (actually processes) can run at the same time and each can at a maximum access 32mb of virtual memory.

An excellent resource of a virtual memory management overview is William Blanke’s article: http://www.codeproject.com/KB/mobile/VirtualMemory.aspx

In it he also has a small (12Kb) Virtual Memory tool (must register to download, the compiled .exe is included with the source code) you can run and visually see available memory (in red) for each of the 32 process slots.

Issue #1: One key thing apart from seeing how many of the slots are being used and if they are full, is finding the “device.exe” process. This process is responsible for loading up all the device drivers and William points out the potential issues if memory is low for this slot. Specific device features may simply not work.

Issue #2: Another area of concern could be applications that load up .DLL files. These can be loaded up in *any* processing slot and can be accessed by any process. This can be bad if your process or application running in the slot needs the memory and doesn’t use the particular DLL.

However William doesn’t address that in Windows Mobile 6.1 specific changes were made to better accommodate DLL files over 64Kb. These will now be loaded into specific slots higher and away from the process slots. Thus freeing up application space and reducing this potential worry. Please see more information on this 6.1 feature from Doug Boling here.

Not sure if anything has changed or will change in Windows Mobile 6.5 as of yet. What we can look forward to is Windows Mobile 7.0 (which is based upon Windows CE 6.0) and its larger scale advanced memory management, explained in more detail here or here. But basically a little like Windows XP, and a limit of 32K processes and 2GB per process, compared to 32 and 32Mb per process. :-)

Issue #3: Careful on the usage of storage cards to install or run applications from. If the device goes into hibernation or sleep mode, it could power down the storage card and render any application housed there non-functional. See more tips here.

Some older reference links on Windows Mobile memory management: 
- RAM, ROM and Task Managers 
- How WM 5.0 Shell Handles Low Memory Situations 
- Memory Management on WM 6.x 
- MSDN Webcast: Memory Management for Windows Mobile
- DumpMem Utility

If you are using a Motorola/Symbol ruggedized device you also may want to ask your Motorola rep about their “Private SDK” and a tool called the “Remote Memory Viewer”. It may also be beneficial as Raffaele Limosani states here.

Hope this article further assists in troubleshooting Windows Mobile issues you might run into!

|\\arco..
http://marco.blogsite.org

A quick heads up on some interesting new Microsoft webcasts coming up early next month on Windows Mobile Device Management and Security that may be of interest to many of you:

TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)

Tuesday, April 7, 2009
10:00 A.M.-11:00 A.M. Pacific Time

TechNet Webcast: Management Lockdown of Windows Mobile Devices (Level 300)

Thursday, April 9, 2009
11:30 A.M.-12:30 P.M. Pacific Time

Register now and get it on your calendar! :-)

|\\arco..

I’ve been compiling a running alphabetical list of which devices now have official supported upgrades available for them since the summer of 2008. This may also be useful for many of you implementing SCMDM and researching which devices are compatible.

Several links fixed, and several devices purchased with WM 6.1.x builds now listed as reference as well. Interesting to see the slow uptake of devices finally getting the 6.1.4 build, which has Internet Explorer Mobile 6 (IE6on6).

Included is the specific OS/AKU build for each device for SCMDM 2008 SP1 support.

MO/OEM OS/AKU Build Number
Alltel:    
Alltel HTC PPC8600 WM 6.1 ?
Alltel HTC Touch WM 6.1 ?
Alltel Palm Treo Pro WM 6.1.4 w/AKU 1.4.4 Build 20765.1.4.4?
     
ASUS:    
ASUS PDA Phone P527 WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
ASUS PDA Phone P750  Patch WM 6.1 ?
ASUS P565 WM 6.1 ?
     
AT&T:    
AT&T Motorola Q9h WM 6.1 w/AKU 1.0.2? Build 19209.1.0.2?
AT&T Tilt WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
AT&T Pantech C810 Duo WM 6.1 w/AKU 1.1.8 Build 19597.1.1.8
AT&T BlackJack II (SGH-i617) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
AT&T Fuze (HTC Touch Pro) WM 6.1 w/AKU 1.2.6 Build 19971.1.2.6
AT&T Epix (SGH-i907) WM 6.1 w/AKU 1.3.2 Build 20276.1.3.2
AT&T LG Incite (CT810) WM 6.1 w/AKU 1.2.8 Build 19974.1.2.8
     
Bell:    
Bell HTC Touch WM 6.1 ?
     
Fido:    
Fido BlackJack (SGH-i616) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
     
HTC:    
HTC TyTN II (unlocked) WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
HTC Touch Diamond (unlocked) WM 6.1.4 w/AKU 1.4.3 Build 20764.1.4.3
HTC Touch Pro (unlocked) WM 6.1.4 w/AKU 1.4.3 Build 20764.1.4.3
HTC Touch Cruise WM 6.1 ?
HTC Touch Dual WM 6.1 ?
HTC Touch HD WM 6.1.4 w/AKU 1.4.0 Build 20757.1.4.0
     
i-mate:    
Ultimate 6150  WM 6.1 w/AKU 1.2.1 Build 19959.1.2.1
Ultimate 8150  WM 6.1 w/AKU 1.2.1 Build 19959.1.2.1
Ultimate 8502  WM 6.1 w/AKU 1.1.2 Build 19585.1.1.2
Ultimate 9502  WM 6.1 w/AKU 1.1.2 Build 19585.1.1.2
JAMA 101 (Pending)    
     
Intermec:    
Intermec CN3 WM 6.1 w/AKU 1.1.1 Build 19581.1.1.1
Intermec CK3 WM 6.1 ?
     
Motorola (Symbol):    
Motorola MC55 WM 6.1 w/AKU 1.1.1 Build 19581.1.1.1
Motorola MC70 (BSP 0.01.09.00) WM 6.1 w/AKU 1.1.5 Build 19590.1.1.5
     
O2:    
O2 XDA Stellar (HTC TyTN II) WM 6.1 ?
O2 XDA Orbit 2 (HTC Touch Cruise) WM 6.1 ?
O2 XDA Mantle (HTC P6500) WM 6.1 ?
     
Orange:    
Orange HTC TyTN II WM 6.1 ?
Orange HTC P6500 WM 6.1 ?
     
Palm:    
Palm Treo Pro (unlocked/GSM) WM 6.1 w/AKU 1.0.5 Build 19216.1.0.5
     
Rogers:    
Rogers BlackJack (SGH-i616) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
     
Samsung:    
Samsung SCH-i200 WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
Samsung BlackJack II (SCH-i617) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
Samsung SCH-i760 WM 6.1 w/AKU 1.0.0 Build 19202.1.0.0
Samsung Omnia SCH-i900 (non-US) WM 6.1 w/AKU 1.3.1 Build 20270.1.3.1?
Samsung SGH-i780 (IT, NL, Nordic, Singapore, UK only) WM 6.1 ?
     
Sprint:    
Sprint Motorola Q9c WM 6.1 w/AKU 1.0.2? Build 19209.1.0.2?
Sprint Mogul  WM 6.1 w/AKU 1.0.2 Build 19208.1.0.2
Sprint HTC Touch WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
Sprint Samsung Ace (SPH-i325) WM 6.1 w/AKU 1.0.0 Build 19202.1.0.0?
Sprint HTC Touch Diamond (Pending) WM 6.1.4 w/AKU 1.4.3? Build 20764.1.4.3?
Sprint Palm Treo 800w WM 6.1 w/AKU 1.0.5 Build 19216.1.0.5
Sprint Palm Treo Pro WM 6.1.4 w/AKU 1.4.4 Build 20765.1.4.4
     
Telus:    
Telus HTC Touch WM 6.1 ?
Telus HTC S720 WM 6.1 ?
Telus HTC P4000 WM 6.1 ?
     
Verizon:    
Verizon Samsung SCH-i760 WM 6.1 w/AKU 1.0.0 Build 19202.1.0.0
Verizon UStarcom XV6800 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
Verizon HTC XV6900 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
Verizon Motorola Q9c WM 6.1 w/AKU 1.1? Build 19704.1.1.50
Verizon HTC Touch Pro WM 6.1 w/AKU 1.2.7 Build 19972.1.2.7
Verizon Samsung Omnia (SGH-i910) WM 6.1 w/AKU 1.3.1 Build 20270.1.3.1
Verizon Samsung Saga (SCH-i770) WM 6.1 w/AKU 1.3.2 Build 20276.1.3.2
     
Vodafone:    
Vodafone v1615 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3

If you know of others, updates or corrections, please let me know! 

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org

As part of supporting Windows Mobile in an enterprise environment, one of the things that often will come up is what tools are available for troubleshooting.

One powerful tool that has been around since the dawn of the first computer programs is logging. Here are a few important Windows Mobile logging tips that can be extremely helpful and save your day:

Exchange ActiveSync Device Logging

Nice write-up from Vik Thairani on how to enable the verbose logging on Windows Mobile for Exchange ActiveSync troubleshooting:
http://blogs.technet.com/vik/archive/2008/12/04/setting-up-verbose-logging-in-windows-mobile-and-parsing-logs.aspx

The log is saved in a text file in the \Windows\ActiveSync folder starting with “serverlog” and a sequential number.

SCMDM Device Management Logging

With MDM Connect Now Tool, you can enable or disable various types of logging as necessary. To enable enrollment logging on a device using MDM Connect Now Tool, select Menu, and then select Logging.

For information about MDM Connect Now Tool, see the MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.

  1. EnableNodeMon log – If this option is checked, the system generates a log file at \NodeCache.txt.
  2. Enable OMADM log – If this option is checked, the system generates a log file at \deviceupdate.log.
    See http://technet.microsoft.com/en-us/library/dd252860.aspx for some information on what this log can show.
  3. Enable Enroll log – If this option is checked, the system generates a log file at \deviceupdate.log.
  4. Enable Scheduler log – If this option is checked, the system generates a log file at \Application Data\Logs\Scheduler.txt.
  5. Enable alerter log – Generates a log file at \deviceupdate.log.
    If this option is checked, the system enables the following values:
    • Alerter – Search for “Rejecting packet” or “Successful push packets” in the log.
    • Nodemon InitSession
    • Nodemon configuration service provider
    • Software Distribution
    • TDET settings

Please see http://technet.microsoft.com/en-us/library/dd261878.aspx for additional details on these logs.

SCMDM VPN Device Logging

The MDM VPN Diagnostics Tool can be downloaded from http://go.microsoft.com/fwlink/?LinkID=127030.

To enable and disable Mobile VPN logging on your Windows Mobile device, run the MDM VPN Diagnostics Tool and follow these steps:

  1. On the Start page, select Menu.
  2. Select Logging.
  3. Select Enable or Disable.

MDM VPN Diagnostics Tool includes a Log Browser for viewing the VPN Service log file located at \Application Data\Logs\ipsecvpnpm.txt.

Network Traffic Device Logging

Sometimes the best recourse for technical troubleshooting is determining what is going on at the network level. On a Windows Mobile device this can also be accomplished.

The Microsoft Windows Mobile Network Analyzer PowerToy v1.0 can be directly downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=081c6401-49d4-4506-a03b-c41bc76c2f51&displaylang=en.

If you have a storage card inserted, Network Analyzer will write all logs under \Storage Card\NetworkLogs. If there is no \Storage Card, it will write all logs under \NetworkLogs.

To capture the network traffic (NetMon) log for analysis, run the start analyzer script in the Program directory. Run the stop analyzer script to stop the network logging.

Then you can view the .cap file in the network protocol analyzer of your choice to properly decipher all the information. I highly recommend the free Wireshark from http://www.wireshark.org/.

An example (from http://technet.microsoft.com/en-us/library/dd252860.aspx) to troubleshoot SCMDM VPN issues on a Windows Mobile device:

  1. Install the Windows Mobile Network Analyzer PowerToy.
  2. Install MDM VPN Diagnostics Tool.
  3. Start MDM VPN Diagnostics Tool, select Menu, and then disable VPN.
  4. Make sure that you can browse the Internet using Internet Explorer Mobile through your WiFi or Mobile Operator (carrier) data connection.
  5. Start the Windows Mobile Network Analyzer PowerToy to capture network traffic on the device.
  6. Enable VPN using MDM VPN Diagnostics Tool.
  7. When the VPN connection fails, stop capturing network traffic, and save the trace file.
  8. View the VPNDiag report and the ipsecvpnpm.txt file from the device.

For more information, view the readme file that accompanies the Windows Mobile Network Analyzer PowerToy.

|\\arco..
mnielsen (at) enterprisemobile.com
http://marco.blogsite.org

This is a brand new feature of SP1 of great interest in an enterprise implementation. It mimics the similar Exchange and Windows Mobile device functionality, but without any Exchange requirements. With this feature, end users who have forgotten their device password or PIN can recover (without wiping the device) and set a new device password or PIN. In this posting I will dive a little deeper and show how this all works on both the server and client side.

Overview

As nicely stated in the MDM Password Reset Client v1.0 download overview:

“MDM Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM. Password reset in MDM 2008 Service Pack 1 (SP1) enables a user who has forgotten his or her Windows Mobile device password to reset it by using MDM.

Password reset is supported on Windows Mobile 6.1 devices, starting with version 6.1.4. To use the feature, you must install the .cab file on the user’s Windows Mobile device as well as enable the feature in MDM by using Group Policy.

To reset the device password, the user chooses the password reset option, resets the device password, and then enters a one-time recovery password on the device to complete the process. The recovery password is stored on MDM servers and retrieved by the user when she or he has forgotten the device password.”

What is required?

Even though the client patch description mentioned above states it is first supported on Windows Mobile 6.1.4 or above devices, the patch appears to install on some of my 6.1.1 devices. But “your mileage may vary” (YMMV), as they say. The patch, available here, can be manually installed, but with MDM handy why not deploy it out directly! Please note the installation failures on the devices that are below the 6.1.1 levels.

You also need SCMDM 2008 SP1 installed on the back-end, especially the changes on the DM server, SQL tables, and Self Service Portal (SSP) if you wish to use that for retrieving the reset password.

How it works:

Installing the client patch on the device and locking the device with a PIN triggers local generation of a password reset key. After 2 cycles of traffic to and from the Device Management server, that recovery password will have been uploaded to the SCMDM side and be available for use. This can be verified with a cmdlet, or on the MDM console by seeing that the “Display Recovery Password” action is no longer grayed out on the right hand side of the screen when a managed device is selected.

More details can also be found here on the overall user experience of this feature: http://technet.microsoft.com/en-us/library/dd252841.aspx

Client Functionality

These are actual screenshots of a managed device that has the client patch installed.

In a locked state, the “Reset Password” option is no longer grayed out, suggesting that the password reset key has been uploaded and is ready to use.

After the “Reset Password” option is selected, the device displays a confirmation that the user can indeed retrieve the recovery password from an administrator or help desk.

It will then let the user create a new password, using the same requirements that might have been enforced on the device.

Now the user must contact the administrator or help desk. In this example the administrator clicks on “Display Recovery Password” in the MDM console and is shown the 20-digit recovery password that the device has uploaded into the MDM database.

The user must type in the 20-digit recovery password to validate the new password.

If there is a match with the recovery password stored on the device, the new password is granted and the device is unlocked!


Instead of the MDM console, the MDM Self Service Portal (SSP) could have been used. It also has a “Display Recovery Password” button at the bottom which will display the 20-digit recovery password.

The administrator can choose whether to make the Password Recovery feature available on the SSP web site, just as with the Device Wipe and Device Enrollment features. More information is available here: http://technet.microsoft.com/en-us/library/dd261796.aspx.
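The reset flow walked through above, modelled as an added example (it is not Microsoft's implementation and not code from the original post). It shows the states an administrator sees: no recovery password until the second sync cycle, the new password only staged until the 20-digit value matches, and the value retired after use. Class and method names, CSPRNG generation, the constant-time comparison and immediate regeneration are assumptions of the model.

```python
import hmac
import secrets

RECOVERY_DIGITS = 20     # length stated in the post
SYNC_CYCLES_NEEDED = 2   # "2 cycles of traffic" stated in the post

class MdmServer:
    """Stands in for the MDM database read by the console or the SSP."""
    def __init__(self):
        self.recovery = {}

    def display_recovery_password(self, device_id):
        # None models the grayed-out "Display Recovery Password" action.
        return self.recovery.get(device_id)

class Device:
    def __init__(self, device_id, server):
        self.device_id, self.server = device_id, server
        self.password = self.recovery = self.pending = None
        self.cycles, self.uploaded = 0, False

    def lock_with_pin(self, pin):
        self.password = pin
        self._new_recovery_password()

    def _new_recovery_password(self):
        # Assumption: digits from a CSPRNG; the post does not say how.
        self.recovery = "".join(secrets.choice("0123456789") for _ in range(RECOVERY_DIGITS))
        self.cycles, self.uploaded = 0, False
        self.server.recovery.pop(self.device_id, None)  # assumption: old value retired server-side too

    def sync(self):
        self.cycles += 1
        if self.recovery and self.cycles >= SYNC_CYCLES_NEEDED:
            self.server.recovery[self.device_id] = self.recovery
            self.uploaded = True

    def begin_reset(self, new_password):
        if not self.uploaded:
            raise RuntimeError("Reset Password unavailable: key not uploaded yet")
        self.pending = new_password

    def confirm_reset(self, typed):
        # Compare with the copy stored on the device, in constant time.
        ok = self.pending is not None and hmac.compare_digest(typed.encode(), self.recovery.encode())
        if ok:
            self.password, self.pending = self.pending, None
            self._new_recovery_password()  # one-time use (assumption: regenerated at once)
        return ok
```

Because the help desk reads the value aloud or shows it in the SSP, whoever can reach “Display Recovery Password” for a device can unlock it, so access to that action deserves the same control as Device Wipe.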

Password Recovery References

SCMDM Cmdlets: http://technet.microsoft.com/en-us/library/dd261726.aspx
SCMDM User Experience: http://technet.microsoft.com/en-us/library/dd252841.aspx
Windows Mobile 6.x AKUs: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/31/windows-mobile-6-x-akus.aspx
Windows Mobile 6.1.x Upgrades and Build Levels: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/24/windows-mobile-6-1-x-upgrades-now-available.aspx

|\\arco..
mnielsen (at) enterprisemobile.com