Politics, Pieces, and Parts…
Posted by BPuhl on July 29, 2008
I suppose I should have expected this, but I didn’t. In my first post on MDM, when I said:
Wow, it’s been a remarkably long road to getting System Center Mobile Device Manager deployed here internally at Microsoft – and to be honest, we really don’t have it released to the general population yet – but since we’ve got the infrastructure stabilized, and enough pilot users to be “close enough”, then it’s probably a good time to start a series on “How Microsoft IT designed and deployed System Center Mobile Device Manager.”
No – I didn’t actually mean that MDM as a system was hard to deploy. Thanks to the commenters, pingbackers, and other otherers who decided to interpret this as “Wow, this system must be really hard to deploy.” Come on guys, gimme a break – it’s just servers, we’re not talking rocket science here.
One thing that did occur to me, though, is to wonder how many of these people actually work in an IT department. You know, limited budget, lots of politics, too many projects and not enough resources…yeah, the life that 98% of the IT guys in the world live in.
Just to be clear – No, quite frankly, MDM wasn’t all that hard to deploy. Those of us in MSIT actually got to do something we haven’t done in a long time: rather than dogfooding the initial deployment of Yona (the codename that became SCMDM), politics, resources, and priorities intervened, so we started our deployment just prior to MDM releasing to the public. This is the rare case where we actually had the documentation and whitepapers to deploy from. That was actually refreshing! So I’ll stop ranting here and say that if you’re looking to deploy MDM, take a look at the Architecture, Deployment, and Operations guides – and you’ll be rock’n and rollin’. Then you just need to deal with your own internal organizational issues 🙂
That was politics, so here are the pieces and parts of the MDM service:
Gateway Server – This is the one which everyone calls the “MDM Server”, though it’s really only one component of the system. The MDM gateway server is the box which you deploy on the edge of your network. Mobile devices connect to the Internet through their wireless service provider, and establish a VPN-like connection to this machine. The idea is that this server would sit on the edge next to your VPN or other remote access infrastructure, and from here, devices can access your internal network.
Device Management Server – This is the box which does all of the work. The MDM DM (sorry…had to…I love that acronym) runs WSUS and is used to manage the GW servers. Devices connect to the DM (via the gateway) to do things like software inventory, patching, application publishing, and policy application. The DM server also interprets the GPOs which apply to a device from AD, and translates them into phone-speak for application.
SQL Server – The DM needs one of these. We had multiple DMs, which all use the same SQL server that we set up on a SAN (not required). We also have a separate server to use as the reporting server.
Enrollment Server – Web portal used for tethered enrollment of phones into MDM. Think of this as “domain joining” the device. This server touches AD and the CA.
AD and CA – There is a domain prep step, and some certificate templates need to be installed. More on these later.