Managing Mobile Devices by GPO
Mobile devices can be managed in a fashion similar to desktops or laptops through the use of Group Policy Objects (GPOs). However, you first need to load an administrative template containing the mobile settings. To do so, launch GPMC from Administrative Tools on the machine where you installed the MDM Administrator Tools. Right-click Group Policy Objects, select New, and give the GPO a name to create it. Then edit the GPO and expand the Policies node under Computer Configuration. Right-click Administrative Templates and select Add/Remove Templates. In the dialog box that appears, click the Add button, scroll down the list of folders and templates displayed in the Policy Templates picker until you find one called mobile.adm, and double-click it.
After the mobile device policy template is loaded, you'll find that additional policies have been added to the Group Policy Management Editor under both Computer Configuration and User Configuration. In each one, you'll find Windows Mobile Settings under Administrative Templates in the Policies node. On Vista systems, they're under Classic Administrative Templates (ADM). Device policies let you control things such as passwords, device features (e.g., cameras, Bluetooth), applications, encryption, VPN connections, and software distribution. User policies are limited to EAS settings and the use of Secure MIME (S/MIME) for secure email.
To apply a policy to mobile devices, simply link the GPO to an OU containing objects representing mobile devices. Note that the Group Policy modeling tools don't work well with mobile device settings, but you can use the Windows Mobile Group Policy Results Wizard to generate a report of settings that apply to a device or user. This wizard is available from GPMC on the system on which you installed the MDM Administrator Tools.
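The GPO creation and linking steps above, scripted as an added example (not code from the article or from the MDM product). It assumes the GroupPolicy PowerShell module is available on the management box, and the OU distinguished name and the path to mobile.adm are placeholders you must replace.

```powershell
# Added example: scripted equivalent of creating the mobile-device GPO, loading
# mobile.adm into it, and linking it to the OU that holds the device objects.
# Assumptions (not from the article): the GroupPolicy module is installed,
# $targetOU and $admSource are placeholders for your environment.
Import-Module GroupPolicy

$gpoName   = 'Mobile Device Policy'
$targetOU  = 'OU=Mobile Devices,DC=example,DC=com'   # placeholder OU containing mobile device objects
$admSource = 'C:\PLACEHOLDER\mobile.adm'             # placeholder: where the MDM Administrator Tools put mobile.adm

# 1. Create the GPO, or reuse it if a previous run already created it.
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $gpoName -Comment 'Windows Mobile device settings (MDM 2008 SP1)'
}

# 2. Make the classic ADM template part of the GPO. GPMC's Add/Remove Templates
#    dialog keeps ADM files in the GPO's own Adm folder under SYSVOL, so copying
#    mobile.adm there is the scripted equivalent of that dialog.
$admFolder = Join-Path $gpo.Path 'Adm'
if (-not (Test-Path $admFolder)) {
    New-Item -ItemType Directory -Path $admFolder | Out-Null
}
Copy-Item -Path $admSource -Destination (Join-Path $admFolder 'mobile.adm') -Force

# 3. Link the GPO to the OU holding the mobile device objects. Enforced so that a
#    lower-level GPO cannot relax the password, encryption or device-feature settings.
$existingLink = (Get-GPInheritance -Target $targetOU).GpoLinks |
    Where-Object { $_.DisplayName -eq $gpoName }
if (-not $existingLink) {
    New-GPLink -Name $gpoName -Target $targetOU -LinkEnabled Yes -Enforced Yes | Out-Null
}

# 4. Produce a settings report for change review. This reports what the GPO
#    configures, not what a given device receives; per-device results still need
#    the Windows Mobile Group Policy Results Wizard from the MDM Administrator Tools.
Get-GPOReport -Name $gpoName -ReportType Html -Path (Join-Path $env:TEMP "$gpoName.html")
```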
Distributing Software to Mobile Devices
You can create and distribute software packages to mobile devices by launching the MDM Software Distribution Console, which is available in the MDM Administrator Tools collection. Before you create a package, you need to point the console to a WSUS server running on a Device Management Server. You then launch the Create Package Wizard from the console by expanding the Software Distribution node, the node representing the WSUS server, and the Packages node. In the Packages node, right-click Software Packages to launch the wizard.
In the wizard, you specify the location of the .cab file containing the software to be distributed, along with information to sign the .cab file if desired. You can restrict software on mobile devices to only that which is distributed with MDM or Group Policy. Other information required when creating packages for distribution to mobile devices includes which devices, mobile OS versions, and languages the package is intended for, as well as dependencies and uninstall options. After a package has been created for distribution, you can track its installation by running reports with the Software Distribution Console.
Complex, Yet Versatile
You should now have a good grasp of how to deploy MDM 2008 SP1, as well as some of its capabilities for mobile device management. Although it's a reasonably complex product to get up and running, MDM offers an excellent platform for managing the security of mobile devices, especially for enterprises with sophisticated mobile device management needs. However, MDM can be used to manage just a small number of mobile devices as well—for instance, those belonging to key personnel or other employees who have business-critical data on their devices.