Upcoming Microsoft sessions on Device Management & Security – If you are at TechEd 2009 or not!

A quick update to the post I made previously on this. One of these sessions is live at TechEd and the rest are being broadcast live on TechNet starting next week. All are being presented by colleagues of mine here at Enterprise Mobile.

· Webcast: TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)
Tuesday, April 7, 2009
10:00 A.M.–11:00 A.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032407362&culture=en-US
Description: “So, you are using Microsoft System Center Mobile Device Manager 2008 and Windows Mobile 6.1. Now what? You probably know that Mobile Device Manager can manage, secure, and install software on your phones. But did you know Mobile Device Manager also gives your users the potential to control the PC at their desk and access everything they need on the corporate network, including file shares, Microsoft Office SharePoint Server, instant messaging, and internal Web pages. In this webcast, we present the best practices for a Mobile Device Manager installation that provides users with access to everything they need in the corporate network through their phone and (just as important) denies access to resources mobile users don’t need. We review the basics of Mobile Device Manager and IP security (IPsec) virtual private networks (VPNs), and we discuss the tools that users can take advantage of so they can work wherever they would like using their phone. Discover how Mobile Device Manager eliminates the need to expose your organization’s Microsoft Exchange Server to the Internet.”

· Webcast: TechNet Webcast: Windows Mobile Digital Certificate Management (Level 300)
Thursday, April 9, 2009
11:00 A.M.–12:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032409997&Culture=en-US
Description: “Digital Certificates and public/private key technology is core to Windows Mobile platform security. In this session, you’ll learn about how certificates are used to provide authentication, access control and encryption for the OS, applications and networking. You’ll also learn best practices and “gotchas” for managing certificates on the device. The speaker is an expert on Windows Mobile Certificate management and certificate-related features in the OS. Therefore, come ready to ask any questions you may have: enrollment, import, SSL, root certificates, email security, application security, etc.”

· Webcast: TechNet Webcast: Deploying Mobile Device Manager 2008 is easier (and cheaper) than you think (Level 300)
Tuesday, April 17, 2009
11:30 A.M.–1:00 P.M. Pacific Time
Attendee Registration URL: http://msevents.microsoft.com/CUI/EventDetail.aspx?EventID=1032410692&culture=en-US
Description: “System Center Mobile Device Manager (SCMDM) is a complex product with a lot of dependencies which must all be in place in order for it to work correctly. This session, which takes almost 2 years of hands-on experience of deploying and implementing SCMDM in the field, steps through how to successfully (and cost effectively) implement this product in the enterprise. The objective of this session is to address the misconception that SCMDM is hard to implement while showing how MDM eliminates almost all of the overhead associated with Blackberrys while retaining and elevating both manageability and security.”

· TechEd 2009 “Chalk Talk” in the WM area:  Management Lockdown of Windows Mobile Devices
Tuesday, May 12, 2009
10:15 A.M.-11:30 A.M. Pacific Time
Description: “You can completely secure a Windows Mobile device without deploying expensive third party applications. In this session we’ll show you how to bar viruses, malicious and unsupported code from installing and running on the device. In addition, we’ll look at various out-of-the-box devices and analyze their threat surface. Last, we’ll describe all Windows mobile application security threat surfaces and how to manage all of them.”

Register for them now and get them on your calendar! :-)

|\\arco..


Upcoming Microsoft Webcasts on Device Management & Security

A quick heads up on some interesting new Microsoft webcasts coming up early next month on Windows Mobile Device Management and Security that may be of interest to many of you:

TechNet Webcast: Windows Mobile 6.1 and Mobile Device Manager 2008: The Gateway to Your Corporate Network (Level 200)

Tuesday, April 7, 2009
10:00 A.M.-11:00 A.M. Pacific Time

TechNet Webcast: Management Lockdown of Windows Mobile Devices (Level 300)

Thursday, April 9, 2009
11:30 A.M.-12:30 P.M. Pacific Time

Register now and get it on your calendar! :-)

|\\arco..


Windows Mobile 6.1.x Upgrades and Build Levels – March 11, 2009

I’ve been compiling a running alphabetical list, since the summer of 2008, of which devices now have officially supported upgrades available. This may also be useful for those of you implementing SCMDM and researching which devices are compatible.

Several links have been fixed, and several devices purchased with WM 6.1.x builds are now listed for reference as well. It is interesting to see the slow uptake of devices finally having the 6.1.4 build, which includes Internet Explorer Mobile 6 (IE6on6).

Included is the specific OS/AKU build for each device for SCMDM 2008 SP1 support.

MO/OEM OS/AKU Build Number
Alltel:
Alltel HTC PPC8600 WM 6.1 ?
Alltel HTC Touch WM 6.1 ?
Alltel Palm Treo Pro WM 6.1.4 w/AKU 1.4.4 Build 20765.1.4.4?
ASUS:
ASUS PDA Phone P527 WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
ASUS PDA Phone P750  Patch WM 6.1 ?
ASUS P565 WM 6.1 ?
AT&T:
AT&T Motorola Q9h WM 6.1 w/AKU 1.0.2? Build 19209.1.0.2?
AT&T Tilt WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
AT&T Pantech C810 Duo WM 6.1 w/AKU 1.1.8 Build 19597.1.1.8
AT&T BlackJack II (SGH-i617) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
AT&T Fuze (HTC Touch Pro) WM 6.1 w/AKU 1.2.6 Build 19971.1.2.6
AT&T Epix (SGH-i907) WM 6.1 w/AKU 1.3.2 Build 20276.1.3.2
AT&T LG Incite (CT810) WM 6.1 w/AKU 1.2.8 Build 19974.1.2.8
Bell:
Bell HTC Touch WM 6.1 ?
Fido:
Fido BlackJack (SGH-i616) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
HTC:
HTC TyTN II (unlocked) WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
HTC Touch Diamond (unlocked) WM 6.1.4 w/AKU 1.4.3 Build 20764.1.4.3
HTC Touch Pro (unlocked) WM 6.1.4 w/AKU 1.4.3 Build 20764.1.4.3
HTC Touch Cruise WM 6.1 ?
HTC Touch Dual WM 6.1 ?
HTC Touch HD WM 6.1.4 w/AKU 1.4.0 Build 20757.1.4.0
i-mate:
Ultimate 6150 WM 6.1 w/AKU 1.2.1 Build 19959.1.2.1
Ultimate 8150 WM 6.1 w/AKU 1.2.1 Build 19959.1.2.1
Ultimate 8502 WM 6.1 w/AKU 1.1.2 Build 19585.1.1.2
Ultimate 9502 WM 6.1 w/AKU 1.1.2 Build 19585.1.1.2
JAMA 101 (Pending)
Intermec:
Intermec CN3 WM 6.1 w/AKU 1.1.1 Build 19581.1.1.1
Intermec CK3 WM 6.1 ?
Motorola (Symbol):
Motorola MC55 WM 6.1 w/AKU 1.1.1 Build 19581.1.1.1
Motorola MC70 (BSP 0.01.09.00) WM 6.1 w/AKU 1.1.5 Build 19590.1.1.5
O2:
O2 XDA Stellar (HTC TyTN II) WM 6.1 ?
O2 XDA Orbit 2 (HTC Touch Cruise) WM 6.1 ?
O2 XDA Mantle (HTC P6500) WM 6.1 ?
Orange:
Orange HTC TyTN II WM 6.1 ?
Orange HTC P6500 WM 6.1 ?
Palm:
Palm Treo Pro (unlocked/GSM) WM 6.1 w/AKU 1.0.5 Build 19216.1.0.5
Rogers:
Rogers BlackJack (SGH-i616) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
Samsung:
Samsung SCH-i200 WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
Samsung BlackJack II (SCH-i617) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
Samsung SCH-i760 WM 6.1 w/AKU 1.0.0 Build 19202.1.0.0
Samsung Omnia SCH-i900 (non-US) WM 6.1 w/AKU 1.3.1 Build 20270.1.3.1?
Samsung SGH-i780 (IT, NL, Nordic, Singapore, UK only) WM 6.1 ?
Sprint:
Sprint Motorola Q9c WM 6.1 w/AKU 1.0.2? Build 19209.1.0.2?
Sprint Mogul WM 6.1 w/AKU 1.0.2 Build 19208.1.0.2
Sprint HTC Touch WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
Sprint Samsung Ace (SPH-i325) WM 6.1 w/AKU 1.0.0 Build 19202.1.0.0?
Sprint HTC Touch Diamond (Pending) WM 6.1.4 w/AKU 1.4.3? Build 20764.1.4.3?
Sprint Palm Treo 800w WM 6.1 w/AKU 1.0.5 Build 19216.1.0.5
Sprint Palm Treo Pro WM 6.1.4 w/AKU 1.4.4 Build 20765.1.4.4
Telus:
Telus HTC Touch WM 6.1 ?
Telus HTC S720 WM 6.1 ?
Telus HTC P4000 WM 6.1 ?
Verizon:
Verizon Samsung SCH-i760 WM 6.1 w/AKU 1.0.0 Build 19202.1.0.0
Verizon UStarcom XV6800 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
Verizon HTC XV6900 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
Verizon Motorola Q9c WM 6.1 w/AKU 1.1? Build 19704.1.1.50
Verizon HTC Touch Pro WM 6.1 w/AKU 1.2.7 Build 19972.1.2.7
Verizon Samsung Omnia (SGH-i910) WM 6.1 w/AKU 1.3.1 Build 20270.1.3.1
Verizon Samsung Saga (SCH-i770) WM 6.1 w/AKU 1.3.2 Build 20276.1.3.2
Vodafone:
Vodafone v1615 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3

If you know of others, updates or corrections, please let me know!

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org


Windows Mobile Troubleshooting – How to log like an expert

As part of supporting Windows Mobile in an enterprise environment, one of the things that will often come up is what tools are available for troubleshooting.

One powerful tool that has been around since the dawn of the first computer programs is logging. Here are a few important Windows Mobile logging tips that can be extremely helpful and save your day:

Exchange ActiveSync Device Logging

Nice write-up from Vik Thairani on how to enable the verbose logging on Windows Mobile for Exchange ActiveSync troubleshooting:
http://blogs.technet.com/vik/archive/2008/12/04/setting-up-verbose-logging-in-windows-mobile-and-parsing-logs.aspx

The log is saved in a text file in the \Windows\ActiveSync folder, with a name starting with “serverlog” followed by a sequential number.

SCMDM Device Management Logging

With MDM Connect Now Tool, you can enable or disable various types of logging as necessary. To enable enrollment logging on a device using MDM Connect Now Tool, select Menu, and then select Logging.

For information about MDM Connect Now Tool, see the MDM Resource Kit Tools at this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=127030.

  1. Enable NodeMon log – If this option is checked, the system generates a log file at \NodeCache.txt.
  2. Enable OMADM log – If this option is checked, the system generates a log file at \deviceupdate.log.
    See http://technet.microsoft.com/en-us/library/dd252860.aspx for some information on what this log can show.
  3. Enable Enroll log – If this option is checked, the system generates a log file at \deviceupdate.log.
  4. Enable Scheduler log – If this option is checked, the system generates a log file at \Application Data\Logs\Scheduler.txt.
  5. Enable alerter log – Generates a log file at \deviceupdate.log.
    If this option is checked, the system enables the following values:

    • Alerter – Search for “Rejecting packet” or “Successful push packets” in the log.
    • Nodemon InitSession
    • Nodemon configuration service provider
    • Software Distribution
    • TDET settings

Please see http://technet.microsoft.com/en-us/library/dd261878.aspx for additional details on these logs.

SCMDM VPN Device Logging

The MDM VPN Diagnostics Tool can be downloaded from http://go.microsoft.com/fwlink/?LinkID=127030.

To enable and disable Mobile VPN logging on your Windows Mobile device, run the MDM VPN Diagnostics Tool and follow these steps:

  1. On the Start page, select Menu.
  2. Select Logging.
  3. Select Enable or Disable.

MDM VPN Diagnostics Tool includes a Log Browser for viewing the VPN Service log file located at \Application Data\Logs\ipsecvpnpm.txt.

Network Traffic Device Logging

Sometimes the best recourse for technical troubleshooting is determining what is going on at the network level. This can also be accomplished on a Windows Mobile device.

The Microsoft Windows Mobile Network Analyzer PowerToy v1.0 can be directly downloaded from: http://www.microsoft.com/downloads/details.aspx?familyid=081c6401-49d4-4506-a03b-c41bc76c2f51&displaylang=en.

If you have a storage card inserted, Network Analyzer will write all logs under \Storage Card\NetworkLogs. If there is no \Storage Card, it will write all logs under \NetworkLogs.

To capture the network traffic (NetMon) log for analysis, run the start analyzer script in the Program directory. Run the stop analyzer script to stop the network logging.

Then you can view the .cap file in the network protocol analyzer of your choice to properly decipher all the information. I highly recommend the freebie Wireshark efforts from http://www.wireshark.org/.

An example (from http://technet.microsoft.com/en-us/library/dd252860.aspx) to troubleshoot SCMDM VPN issues on a Windows Mobile device:

  1. Install the Windows Mobile Network Analyzer PowerToy.
  2. Install MDM VPN Diagnostics Tool.
  3. Start MDM VPN Diagnostics Tool, select Menu, and then disable VPN.
  4. Make sure that you can browse the Internet using Internet Explorer Mobile through your WiFi or Mobile Operator (carrier) data connection.
  5. Start the Windows Mobile Network Analyzer PowerToy to capture network traffic on the device.
  6. Enable VPN using MDM VPN Diagnostics Tool.
  7. When the VPN connection fails, stop capturing network traffic, and save the trace file.
  8. View the VPNDiag report and the ipsecvpnpm.txt file from the device.

For more information, view the readme file that accompanies the Windows Mobile Network Analyzer PowerToy.

|\\arco..
mnielsen (at) enterprisemobile.com
http://marco.blogsite.org


SCMDM 2008 SP1 PIN Reset or Password Recovery Feature

This is a brand new feature of SP1 of great interest in an enterprise implementation. This mimics the similar Exchange and Windows Mobile device functionality, but without the need for any Exchange requirements. With this feature, end users who have forgotten their device password or PIN can recover (without wiping the device) and set a new device password or PIN. In this posting I will dive a little deeper and show how this all works on both the server and client side.

Overview

As nicely stated in the MDM Password Reset Client v1.0 download overview:

“MDM Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM. Password reset in MDM 2008 Service Pack 1 (SP1) enables a user who has forgotten his or her Windows Mobile device password to reset it by using MDM.

Password reset is supported on Windows Mobile 6.1 devices, starting with version 6.1.4. To use the feature, you must install the .cab file on the user’s Windows Mobile device as well as enable the feature in MDM by using Group Policy.

To reset the device password, the user chooses the password reset option, resets the device password, and then enters a one-time recovery password on the device to complete the process. The recovery password is stored on MDM servers and retrieved by the user when she or he has forgotten the device password.”

What is required?

Even though the client patch description mentioned above states it is first supported on Windows Mobile 6.1.4 or above devices, the patch appears to install on some of my 6.1.1 devices. But “your mileage may vary” (YMMV) as they say. The patch, available here, can be manually installed, but with MDM handy why not deploy it out directly! Please note the installation failures on the devices that are below the 6.1.1 levels.

You also need the SCMDM 2008 SP1 installation on the back-end, especially the changes on the DM server, SQL tables, and Self Service Portal (SSP) if you wish to use that for retrieving the reset password.

How it works:

Once the client patch is installed on the device and the device is locked with a PIN, the device generates a password reset key locally. After 2 cycles of traffic to and from the Device Management server, that recovery password will have been uploaded to the SCMDM side and be available for use. This can be verified with a cmdlet, or on the MDM console by seeing that the “Display Recovery Password” action is no longer grayed out on the right-hand side of the screen when a managed device is selected.

More details can also be found here on the overall user experience of this feature: http://technet.microsoft.com/en-us/library/dd252841.aspx

Client Functionality

These are actual screen-shots of a managed device that has the client patch installed.

In a locked state, the “Reset Password” option is no longer grayed out, suggesting that the password reset key has been uploaded and is ready to use.

After the “Reset Password” option is selected, a confirmation is shown that the user can indeed retrieve the recovery password from an administrator or help desk.

It will then let the user create a new password, using the same requirements that might have been enforced on the device.

Now the user must contact the administrator or help desk. In this example the administrator clicks on the “Display Recovery Password” in the MDM console and is shown the 20 digit Recovery Password that the device has uploaded into the MDM database.

The user must type in the 20 digit recovery password to validate the new password.

If there is a match with the recovery password stored on the device, the new password is granted and the device is unlocked!

Instead of the MDM console, the MDM Self Service Portal (SSP) could have been used. It also has a “Display Recovery Password” button at the bottom which will display the 20 digit recovery password.

The Password Recovery feature in the SSP is selectable by the administrator to be made available on the web site just as the Device Wipe and Device Enrollment features. Please see more information available here: http://technet.microsoft.com/en-us/library/dd261796.aspx.

Password Recovery References

SCMDM Cmdlets: http://technet.microsoft.com/en-us/library/dd261726.aspx
SCMDM User Experience: http://technet.microsoft.com/en-us/library/dd252841.aspx
Windows Mobile 6.x AKUs: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/31/windows-mobile-6-x-akus.aspx
Windows Mobile 6.1.x Upgrades and Build Levels: http://myitforum.com/cs2/blogs/mnielsen/archive/2009/01/24/windows-mobile-6-1-x-upgrades-now-available.aspx

|\\arco..
mnielsen (at) enterprisemobile.com


Microsoft System Center Mobile Device Manager 2008 Service Pack 1 (SP1) Released

SP1 has now been officially released and supported!!
Read all about it here: http://www.microsoft.com/systemcenter/mobile
All the resource kits tools have also been refreshed, see the downloads below!

Key Features and Benefits:

Mobile Device Manager 2008 enables efficient control of Windows Mobile 6.1 devices by providing reliable, low-cost, and consistent manageability, easy integration with your existing Microsoft infrastructure, and secure access to the corporate network.

SP1 is designed to cost-effectively support large-scale deployments of Mobile Device Manager with new features and enhancements:

• Multiple Instance: Supports deployments where multiple points of control are required within a single forest.
• PIN Reset: Allows users to request a PIN reset on their device. (details here: http://technet.microsoft.com/en-us/library/dd252841.aspx)
• Enrollment Auto Discovery: Facilitates easier self-service enrollments.
• Runs with Windows Server 2008: Provides support for Windows Server 2008 Active Directory functional level.
• Performance/Scalability: Increased system capacity.
• Virtualization: Provides Hyper-V testing support using Windows Server 2003 as a guest OS.

Information:
Get the evaluation here:
http://technet.microsoft.com/en-us/evalcenter/cc339027.aspx 
Great must-read “What’s New” overview:
http://technet.microsoft.com/en-us/library/dd261938.aspx 
Updated SP1 TechNet documentation appears to be slowly published here:
http://technet.microsoft.com/en-us/library/dd261783.aspx

Downloads:
System Center Mobile Device Manager 2008 SP1 Evaluation Edition – 120 day
System Center Mobile Device Manager (MDM) 2008 SP1 Evaluation Edition is a system that enables Windows Mobile devices to become managed and authenticated members of the IT infrastructure of an organization.

System Center Mobile Device Manager 2008 SP1 MSDN
System Center Mobile Device Manager (MDM) 2008 SP1 MSDN is a system that enables Windows Mobile devices to become managed and authenticated members of the IT infrastructure of an organization.

Mobile Device Manager 2008 SP1 MP for OpsMgr 2007 v1.0.2430.0
This Microsoft System Center Mobile Device Manager Service Pack 1 (MDM SP1) 2008 Management Pack provides proactive monitoring of your Microsoft System Center Mobile Device Manager 2008 SP1 environment.

MDM 2008 SP1 Resource Kit Tools – Password Reset Client v1.0
System Center Mobile Device Manager (MDM) Password Reset Client provides a .cab file that you install on Windows Mobile 6.1 devices enrolled in MDM so that users can use the password reset feature in MDM.

MDM 2008 SP1 Resource Kit Tools – Reporting Services v2.0
System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) Reporting Services provides a reporting and data access service across all areas of an MDM system.

MDM 2008 SP1 Resource Kit Tools – Server Tools v2.0
System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) Server Tools provides tools to help administrators manage deployment and cleanup tasks in an MDM system.

MDM 2008 SP1 Resource Kit Tools – Best Practices Analyzer v2.0
Best Practices Analyzer Tool for System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) helps you analyze a group of servers to determine if the prerequisites and best practices are met for MDM deployment.

MDM 2008 SP1 Resource Kit Tools – Client Tools v2.0
System Center Mobile Device Manager (MDM) 2008 Service Pack 1 (SP1) Client Tools provides tools to help administrators troubleshoot connections and monitor device synchronization for Windows Mobile devices as part of an MDM system.

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org


Windows Mobile 6.1.x Upgrades and Build Levels – Dec 15, 2008

I’ve been compiling a running alphabetical list of which devices now have official supported upgrades available for them since the summer of 2008. This may be useful for many of you as well. New entries are in red. Sorted by mobile operator/OEM, and now more condensed as well!

Now includes the specific OS/AKU build for each upgrade for SCMDM SP1 support.

MO/OEM OS/AKU Build Number
Alltel:
Alltel HTC PPC8600 WM 6.1 ?
Alltel HTC Touch WM 6.1 ?
ASUS:
ASUS PDA Phone P527 WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
ASUS PDA Phone P750  Patch WM 6.1 ?
AT&T:
AT&T Motorola Q9h WM 6.1 w/AKU 1.0.2? Build 19209.1.0.2?
AT&T Tilt WM 6.1 w/AKU 1.0.4 Build 19214.1.0.4
AT&T Pantech C810 Duo WM 6.1 w/AKU 1.1.8 Build 19597.1.1.8
AT&T BlackJack II (SGH-i617) WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
Bell:
Bell HTC Touch WM 6.1 ?
Fido:
Fido BlackJack (SGH-i616) WM 6.1 ?
HTC:
HTC TyTN II (unlocked) WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3*
HTC Diamond (unlocked) WM 6.1 w/AKU 1.2.3 Build 19965.1.2.3*
HTC Touch Pro (unlocked) WM 6.1 w/AKU 1.2.3 Build 19965.1.2.3*
HTC Touch Cruise WM 6.1 ?
HTC Touch Dual WM 6.1 ?
i-mate:
Ultimate 6150 WM 6.1 w/AKU 1.2.1 Build 19959.1.2.1*
Ultimate 8150 WM 6.1 w/AKU 1.2.1 Build 19959.1.2.1*
Ultimate 8502 WM 6.1 w/AKU 1.1.2 Build 19585.1.1.2*
Ultimate 9502 WM 6.1 w/AKU 1.1.2 Build 19585.1.1.2
JAMA 101 (Pending)
Intermec:
Intermec CN3 WM 6.1 w/AKU 1.1.1 Build 19581.1.1.1*
Intermec CK3 WM 6.1 ?
O2:
O2 XDA Stellar (HTC TyTN II) WM 6.1 ?
O2 XDA Orbit 2 (HTC Touch Cruise) WM 6.1 ?
O2 XDA Mantle (HTC P6500) NEW! WM 6.1 ?
Orange:
Orange HTC TyTN II WM 6.1 ?
Orange HTC P6500 WM 6.1 ?
Rogers:
Rogers BlackJack (SGH-i616) WM 6.1 ?
Samsung:
Samsung SCH-i200 WM 6.1 w/1.0.4 Build 19214.1.0.4*
Samsung SCH-i617 WM 6.1 w/1.0.1 Build 19208.1.0.1*
Samsung SCH-i760 WM 6.1 ?
Samsung Omnia SCH-i900 WM 6.1 ?
Samsung SGH-i780 (pending)
Sprint:
Sprint Motorola Q9c WM 6.1 w/AKU 1.0.2? Build 19209.1.0.2?
Sprint Mogul WM 6.1 w/AKU 1.0.2 Build 19208.1.0.2
Sprint HTC Touch WM 6.1 w/AKU 1.0.1 Build 19208.1.0.1
Sprint Samsung Ace (SPH-i325) WM 6.1 ?
Telus:
Telus HTC Touch WM 6.1 ?
Telus HTC S720 WM 6.1 ?
Telus HTC P4000 WM 6.1 ?
Verizon:
Verizon Samsung SCH-i760 WM 6.1 ?
Verizon UStarcom XV6800 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
Verizon HTC XV6900 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3
Verizon Motorola Q9m WM 6.1 w/AKU 1.0.2? Build 19209.1.0.2?
Vodafone:
Vodafone v1615 WM 6.1 w/AKU 1.0.3 Build 19212.1.0.3

If you know of others, updates or corrections, please let me know!

Update Dec 15, 2008: * Thanks to Wayne Philips of Airloom for these build numbers!

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org


Writing custom GPOs for SCMDM 2008

UPDATED: Oct 5, 2008: Updated v1.1 .ADM file with corrections and additional settings.

One of the most powerful things about Microsoft System Center Mobile Device Manager (SCMDM) is the ability to manage all of your Windows Mobile 6.1 or above devices through Active Directory (AD) Group Policy Objects (GPOs). A large percentage of the corporate market is already using GPOs to manage their desktop, notebook and server environments.

The GPO technology was introduced in Windows 2000 Server. Before that there were System Policies in Windows NT 4.0. There is already a fair amount of documentation and knowledge around extending GPOs to your own needs. Here I will go into the aspects that matter most when making use of SCMDM and supporting Windows Mobile in an enterprise running AD.

In this article I will go through how you can extend your own GPOs to have additional settings not available out of the box in the default Windows Mobile GPO template supplied by Microsoft in SCMDM 2008. I will expect that you already know how to access and use the default SCMDM GPO settings.

Windows Mobile Registry Keys

GPOs work by manipulating how registry keys are changed and written on the client machines. This is no different on Windows Mobile, compared to other Windows platforms at this point in time.

I will save the discussion on where to find and research Windows Mobile registry locations, but will point out that many are bound to specific OS levels, OEM and hardware requirements, so what works on one WM device may not work on another. I can’t stress enough the importance of testing such settings before a larger deployment to end-users.

For this article I have asked my colleague, Chris De Herrera, to suggest some registry keys to use:

Improve text rendering performance by increasing the GLYPH Cache to 32k (decimal):

[HKEY_LOCAL_MACHINE\System\GDI\GLYPHCACHE]
"limit"=dword:00008000

Internet Explorer Mobile homepage settings:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]
"home_0409"="file://\\windows\\default_0409.htm"
"version_0409"="file://\\windows\\about_0409.htm"
"blank"="res://webview.dll/blank.htm"

Configure Communicator Mobile:

[HKEY_CURRENT_USER\Software\Microsoft\Communicator\System Settings]
"ServerInternal"="sip.yourcompany.com"
"Server"="sip.yourcompany.com:443"

Furthermore I have also researched the following registry keys which may be helpful in corporate environments:

ClearType Activation:

[HKEY_LOCAL_MACHINE\System\GDI\ClearType]
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings]
"ClearTypeText"=dword:1
[HKEY_LOCAL_MACHINE\System\GDI\ClearTypeSettings]
"OffOnRotation"=dword:0

Browser History:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"DaysToKeep"=dword:00001E

Default Search Page:

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Search Page"="http://m.live.com/search/Results.aspx?q=%&mid=8001"

Internet Explorer User Agent:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
"Default"="Mozilla/4.0"
"Platform"="Windows CE"
"Version"="MSIE 6.0"

Menu Animations:

[HKEY_LOCAL_MACHINE\SYSTEM\GWE\Menu]
"AniType"=dword:0

Windows Animations:

[HKEY_LOCAL_MACHINE\SYSTEM\GWE]
"Animate"=dword:0

Error Reporting:

[HKEY_LOCAL_MACHINE\System\ErrorReporting\DumpSettings]
"DumpEnabled"=dword:0
[HKEY_LOCAL_MACHINE\System\ErrorReporting\UploadSettings]
"DontUpload"=dword:1
[HKEY_LOCAL_MACHINE\System\ErrorReporting\UploadSettings]
"ConnectionFlags"=dword:0

Today Screen Text:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shell\DeviceBeta]
"Today"="EnterpriseMobile"

Display Time/Date in Taskbar or disable for battery indicator:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Shell]
"TBOpt"=dword:3
"ShowTitleBarClock"=dword:1

Permit Bluetooth and IrDA File Transfer:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Obex]
"IsEnabled"=dword:1

Please be aware that most of these settings require a soft reboot of the device before they become effective. The SCMDM policy agent should prompt you for a reboot of the device when an updated policy is synchronized from the Device Management Server.

Creating .ADM Files

Using the information published about the correct registry key prefix to use for GPOs on Windows Mobile, I created my own .ADM file with the sample registry keys listed above and a few other samples currently available.

You can download it here. I have noted in my sample the references used.

Look for a new folder called “Windows Mobile Settings-Extended” in the Computer Configuration section of the Group Policy Object Editor.

The single main trick was to prefix the native Windows Mobile registry keys with the <SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry> path.

So the native:
<HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs> became the longer:
<SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry\HKLM\Software\Microsoft\Internet Explorer\AboutURLs>.

Note that the HKEY_LOCAL_MACHINE hive is collapsed into a key named HKLM. The same works for the HKEY_CURRENT_USER hive, which becomes HKCU.
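
The prefixing rule above, as a short Python helper (an added example, not the author's .ADM file or Microsoft tooling): it parses .reg-style text like the snippets in this article, maps each native key to its policy path, and emits the KEYNAME/VALUENAME pair for an .ADM entry. The function names and the SAMPLE text are constructed for illustration; the helper also normalizes typographic quotes, which make these lines unparseable when they are pasted from a web page.

```python
import re

# Prefix and short hive names exactly as the article gives them.
POLICY_PREFIX = r"SOFTWARE\Policies\Microsoft\Windows Mobile Settings\Registry"
HIVE_ALIASES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU"}

# Typographic quotes that web pages substitute for ASCII double quotes.
SMART_QUOTES = str.maketrans({"\u201c": '"', "\u201d": '"', "\u2033": '"'})

# Matches  "name"=dword:<hex>  or  "name"="text"
VALUE_RE = re.compile(
    r'^"(?P<name>[^"]+)"=(?:dword:(?P<dword>[0-9A-Fa-f]{1,8})|"(?P<text>.*)")$'
)

# Constructed sample: three settings from the article, with the curly quotes
# a copy/paste from a web page would carry.
SAMPLE = r"""
[HKEY_LOCAL_MACHINE\Software\Microsoft\Obex]
“IsEnabled”=dword:1

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
“DaysToKeep”=dword:00001E

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer\AboutURLs]
“home_0409″=”file://\\windows\\default_0409.htm”
"""


def to_policy_key(native_key):
    """Map a native registry key to the policy key used as KEYNAME."""
    key = native_key.strip().strip("[]<>")
    hive, _, subkey = key.partition("\\")
    short = HIVE_ALIASES.get(hive.upper(), hive.upper())
    if short not in HIVE_ALIASES.values():
        raise ValueError(f"hive not covered by the article's mapping: {hive!r}")
    if not subkey:
        raise ValueError(f"no subkey in {native_key!r}")
    return "\\".join((POLICY_PREFIX, short, subkey))


def parse_reg(text):
    """Return (key, name, type, value) tuples from .reg-style text."""
    entries, key = [], None
    lines = text.translate(SMART_QUOTES).splitlines()
    for lineno, raw in enumerate(lines, 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank line or .reg comment
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        match = VALUE_RE.match(line)
        if match is None or key is None:
            raise ValueError(f"line {lineno}: cannot parse {line!r}")
        if match.group("dword") is not None:
            value = ("dword", int(match.group("dword"), 16))
        else:
            # .reg strings escape each backslash as two
            value = ("string", match.group("text").replace("\\\\", "\\"))
        entries.append((key, match.group("name"), *value))
    return entries


def policy_entries(reg_text):
    """Parse .reg text and rewrite every key to its policy location."""
    return [
        {"keyname": to_policy_key(key), "valuename": name,
         "type": kind, "value": value}
        for key, name, kind, value in parse_reg(reg_text)
    ]


def adm_lines(entry):
    """KEYNAME/VALUENAME lines for one entry; the enclosing POLICY block
    and its PART definitions are left to the .ADM being written."""
    return [f'KEYNAME "{entry["keyname"]}"',
            f'VALUENAME "{entry["valuename"]}"']


if __name__ == "__main__":
    for item in policy_entries(SAMPLE):
        print("\n".join(adm_lines(item)))
        print(f"  ; {item['type']} = {item['value']!r}\n")
```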

Further Information on .ADM Files

Please see the reference links below for more details on the syntax used in the example .ADM file. The syntax and commands are not the easiest in the world of IT.

I also found an ADM file editor, called ADM Template Editor, from a small company in Australia that may be useful if you are planning to write and manage a large number of custom .ADM/.ADMX files.

Again, please test the policies on the OS platform, level, and hardware you wish to broadly deploy your Windows Mobile settings out to.

Look for more articles soon on useful Windows Mobile registry keys and GPOs!

References:

|\\arco..
mnielsen(at)enterprisemobile.com
http://marco.blogsite.org