Software distribution with MDM

April 17, 2008

Share on LinkedInShare on Facebookvia@entmobile+1Save on DeliciousDigg Thishttp://www.enterprisemobile.com/blog/Share via email

UPDATE: Check out our CAB Signing Tool if you need to sign CAB files with your own certificate.

A recurring question I get is how to test and demo the software distribution capabilities of MDM.

People generally run into errors with importing test CAB files because the DM does not trust the signature the CAB was signed with – or the CAB is simply unsigned. First thing to note is the software distribution server can only import signed CAB files. You cannot disable this feature (as of this writing anyway.) The root certs of the certificate that signed the cab file must be in the Trusted Publisher store on the DM server. In most cases you will have to manually put it there.

If you have several unsigned apps, create a cert from your MDM CA and use that for signing all the CABs. The steps for how to do that are in a CAB Signing document on the Connect site or came with your MDM product documentation.

If you would like to do a quick test without going through the self signing cert process, you can deploy a Microsoft signed CAB like Live Search. You can download the Live Search cab here.

You will need to prep your DM server to trust the certs and CA used to sign the live search cab. Here’s the steps to do that on your DM server.

  1. Download and import the Verisign / Microsoft M2M root certs.
  2. Extract the contents to a temporary folder.
  3. Start → Run → MMC
  4. Add / Remove Snap In – Choose Certificates MMC (Not certificate templates or certificate authority)
  5. It will prompt for User, Service or Computer – choose computer.
  6. Right click Trusted Root Certs → All Tasks → Import and import all of the .cer files extracted in step 2.
  7. Right click on the LiveSearchWM5.cab file and choose properties.
  8. Choose Digital Signatures
  9. Click on Microsoft Corporation
  10. Click Details Button
  11. Click Details TAB
  12. Click Copy to File&hellep; button.
  13. Click Next twice in the Certificate Export Wizard
  14. Enter c:\Microsoft.cer as the file name and click next
  15. Click Finish
  16. Back to the MMC Right click Trusted Publishers → All Tasks → Import and import the file c:\Microsoft.cer
  17. Run the SW package import wizard and you should see success.

Once the CAB is imported you can simply follow the steps in the operations guide for how to deploy the application to your devices using the MDM software deployment MMC.

6 Responses to “Software distribution with MDM”

  1. Robert O'Hara says:

    Thanks for the post, most helpful. But I am a noobie with this stuff, and can’t do step 17 — I don’t know where to find the “SW package import wizard”.

    Can you point me to it?

    Thanks!

  2. csaintamant says:

    The SW package import wizard is accessible from the MDM Software Distribution Console. On any machine that has the MDM Admin Tools installed, you should be able to find that console under Start -> Programs. From within the console, there is an option to create a new package.

  3. T says:

    Is it true that all I need to do to get a Trusted Root CA cert on my WM devices is to import the cert to the Trusted Root CA on my DM, and the DM will then send down the WM “version” to my devices on next connect by the device?

  4. csaintamant says:

    T: No, there is a separate process for getting a CA cert down onto your WM devices. You must use the Group Policy Management Console (GPMC) to create a policy that adds your desired CA cert to the SPC and Privileged Execution certificate stores on the device.

Leave a Reply