Backup and Recovery: Recommended Procedure for Symantec Mobile Management Servers

Article ID: 157775

Products

Mobile Management

Issue/Introduction

What is required to recover from a disaster involving the device-facing Mobile Management Server (MMS)?  What backup and recovery activities are needed to help minimize downtime and loss of services for Mobile Management? 

Resolution

Important note: These instructions are provided "as is" and as general guidelines for backup and recovery of a Mobile Management server. Symantec is not responsible for loss or damage in any part due to these guidelines. Each customer environment can potentially be configured differently, thus altering the validity of these instructions. This article assumes you have implemented regular backup processes on other vital parts of your organization's infrastructure. This includes, but is not limited to, backup of Active Directory, DNS, Certificate Authority, reverse proxy hosts, Exchange, and SQL servers. It also assumes you run regular backup and recovery drills, validating your organization's business continuity and disaster recovery procedures.

This document will refer to MMS and SMP acronyms.  MMS denotes Mobile Management Server and SMP denotes the Symantec Management Platform server.

What You Need to Back Up Regularly

This article assumes you are performing backup activities on the Symantec Management Platform (SMP) server (formerly known as Altiris Notification Server or NS), and its associated database, cryptographic keys, registry, and files. For advice and additional details, please see "Disaster Recovery Advice for Symantec Mobile Security 7.2 and Symantec Mobile Management 7.2".

If your backup / recovery solution can back up full server disk volume contents, you should back up all disk volumes of your Mobile Management Server.

If your backup / recovery solution does not back up full server disk contents, you should back up the following items on your Mobile Management Server:

  1. All Mobile Management Server and reverse proxy SSL certificates.
  2. All signing and encryption certificates used in the Mobile Management solution.
  3. The Apple Push Notification Service (APNS) certificate.
  4. On the Symantec Management Platform server, back up all contents and subfolders of C:\Program Files\Altiris.
  5. On the Mobile Management Server, all contents and subfolders of C:\Program Files (x86)\Symantec\Mobile Management.
  6. Any customization settings for IIS.  To back up IIS, you can run the following command: %windir%\system32\inetsrv\appcmd.exe add backup "My Backup Name".  Special configurations should be documented.
  7. The Mobile Management Server's registry.

 

Restoration of Symantec Management Platform

Restoration of the Symantec Management Platform requires that you follow the proper restore procedure for your version, including restoration of cryptographic keys. In addition, it's important to restore the KMS keys. Please contact Symantec support for assistance.

Restore a Mobile Management Server

If you are able to restore the entire Mobile Management Server disk contents, you should not need to re-install or re-deploy the MMS package.  All necessary configurations and files should be in place to resume operation.

If you are not able to restore the entire Mobile Management server disk contents, you will need to deploy a replacement MMS server and restore the necessary files to it.  This process assumes that the new Windows server will be using the same server name, IP address, and DNS settings as previously configured.   If your environment uses a reverse proxy, you should not need to change its rules if you deploy your Mobile Management Server with the same previous IP and associated network settings. 

If your Mobile Management Server was deployed on the same server as your Symantec Management Platform server, you will need to follow the steps below to re-deploy the MMS and restore the listed components. This list assumes you have already restored your Symantec Management Platform server and its associated Symantec_CMDB database.

Additional information can be found in the Symantec Mobile Management 7.2 SP1 Implementation Guide.


To deploy a replacement Mobile Management Server:
Note: Please follow these steps carefully, in order to prevent mobile devices from being forced to re-enroll.

  1. Stop in-bound communication from all mobile devices.  You do not want devices to “check-in” with your replacement MMS until you have completely finished configuration.
  2. Per the Mobile Management Implementation Guide, deploy the Mobile Management Server package to your newly built Windows server.  For steps, please see the Implementation Guide.
  3. Restore and configure SSL certificates for IIS if not done already.
  4. Restore and configure APNS certificate and all necessary root and intermediate certificates.
  5. Restore and configure any signing and encryption certificates, if needed.
  6. Restore folder contents C:\Program Files (x86)\Symantec\Mobile Management\NTServices\symcdata\token to the same folder on the newly deployed MMS server.
  7. Reconfigure any communication overrides that were needed for the previous MMS server in the Communication Override menu.  Steps can be found in "Symantec Management Platform and site server cannot communicate with each other".
  8. Reconfigure the External URL override, if necessary.  Details may be found in "iOS Mobile Library is not displaying the icon for each item in the feed" and "Mobile Management Solution 7.1 Point Fix - Reverse Proxy Override URL for Mobile Library".
  9. Redirect device management ownership to the new MMS:
    a. In the Altiris console, obtain the GUID for the old Mobile Management Server.
    b. In the Altiris console, obtain the GUID for the new Mobile Management Server.
    c. In the Symantec_CMDB database, run the following SQL script, replacing the placeholder values with the GUIDs you obtained in steps a and b:
    -- Reassign devices owned by the old MMS to the new MMS
    USE Symantec_CMDB
    GO
    UPDATE dbo.Inv_Symantec_Mobile_Device_Site_Server
    SET ServerGuid = 'NEW MMS GUID'
    WHERE ServerGuid = 'OLD MMS GUID'
  10. Resume mobile device communication with this replacement server.


Change Over to a Different/Recovery Mobile Management Server

If you have a secondary or another active Mobile Management Server intended for recovery purposes, you can switch your device management over to use this available MMS.  Whether the Mobile Management Server communicates directly with devices or a reverse proxy server brokers communication, firewall rules and DNS records must be updated.  The devices will continue to communicate with the original external URL used for the Mobile Management Server.

Note: Please follow these steps carefully, in order to prevent mobile devices from being forced to re-enroll.

To redirect devices to a different Mobile Management Server:

  1. Stop in-bound communication from all mobile devices.  You do not want devices to “check-in” with your secondary Mobile Management Server until you have completely finished configuration.
  2. Restore folder contents C:\Program Files (x86)\Symantec\Mobile Management\NTServices\symcdata\token to the same folder on the recovery Mobile Management Server.
  3. Install / reconfigure any signing and encryption certificates, if necessary.
  4. Install / reconfigure the Apple APNS certificate and all necessary root and intermediate certificates.
  5. Reconfigure any communication overrides that were needed for the previous MMS in the Communication Override menu.  See "Symantec Management Platform and site server cannot communicate with each other".
  6. Reconfigure the External URL override for this server, if necessary.  Details may be found in "iOS Mobile Library is not displaying the icon for each item in the feed" and "Mobile Management Solution 7.1 Point Fix - Reverse Proxy Override URL for Mobile Library".
  7. Redirect device management ownership to the replacement Mobile Management Server:
    a. In the Altiris console, obtain the GUID for the old Mobile Management server.
    b. In the Altiris console, obtain the GUID for the recovery Mobile Management server.
    c. In the Symantec_CMDB database, run the following SQL script, replacing the placeholder values with the GUIDs you obtained in steps a and b:
    -- Reassign devices owned by the old MMS to the recovery MMS
    USE Symantec_CMDB
    GO
    UPDATE dbo.Inv_Symantec_Mobile_Device_Site_Server
    SET ServerGuid = 'RECOVERY MMS GUID'
    WHERE ServerGuid = 'OLD MMS GUID'
  8. Update internet and/or internal DNS server records to point the external device-facing URL to your recovery server.  You do not want to change the FQDN that devices use to communicate with Mobile Management.  *If your environment uses a reverse proxy, you may not need to update DNS records. Instead, update the reverse proxy rules to forward traffic to the recovery Mobile Management Server inside your environment.*
  9. Update any firewall rules for your old Mobile Management Server to allow device access to the recovery server.
  10. Resume mobile device communication with the recovery Mobile Management Server.
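
A more defensive form of the ownership-redirect update used in both procedures above (step 9c when deploying a replacement MMS, step 7c when changing over to a recovery MMS). This is an added example, not Symantec's script: it validates the GUIDs, runs the update in a transaction, and rolls back if the number of rows changed differs from the number counted beforehand. The two GUID values are placeholders, and the script assumes T-SQL on SQL Server and that the ServerGuid column holds values comparable to uniqueidentifier.

```sql
-- Added example (not Symantec's script). Run in the Symantec_CMDB database
-- only after inbound device communication has been stopped.
USE Symantec_CMDB;
GO
SET NOCOUNT ON;
SET XACT_ABORT ON;   -- a run-time error rolls back the open transaction

-- Placeholders: replace with the GUIDs obtained from the Altiris console.
-- A malformed GUID fails conversion here, before any row is touched.
DECLARE @OldGuid uniqueidentifier = '00000000-0000-0000-0000-000000000001';
DECLARE @NewGuid uniqueidentifier = '00000000-0000-0000-0000-000000000002';
DECLARE @Expected int, @Updated int;

-- Before: how many device rows each server currently owns.
SELECT ServerGuid, COUNT(*) AS DeviceRows
FROM dbo.Inv_Symantec_Mobile_Device_Site_Server
GROUP BY ServerGuid;

BEGIN TRANSACTION;

-- Count the rows to be moved and hold them locked until commit or rollback.
SELECT @Expected = COUNT(*)
FROM dbo.Inv_Symantec_Mobile_Device_Site_Server WITH (UPDLOCK, HOLDLOCK)
WHERE ServerGuid = @OldGuid;

IF @OldGuid = @NewGuid OR @Expected = 0
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('No rows for the old GUID, or old and new GUIDs are identical. Nothing changed.', 16, 1);
    RETURN;
END;

UPDATE dbo.Inv_Symantec_Mobile_Device_Site_Server
SET ServerGuid = @NewGuid
WHERE ServerGuid = @OldGuid;
SET @Updated = @@ROWCOUNT;

IF @Updated <> @Expected
BEGIN
    ROLLBACK TRANSACTION;
    RAISERROR('Updated %d rows but expected %d. Rolled back.', 16, 1, @Updated, @Expected);
    RETURN;
END;

COMMIT TRANSACTION;

-- After: the old GUID should no longer appear in this list.
SELECT ServerGuid, COUNT(*) AS DeviceRows
FROM dbo.Inv_Symantec_Mobile_Device_Site_Server
GROUP BY ServerGuid;
```

GO is a batch separator understood by SQL Server Management Studio and sqlcmd, so run the script from one of those tools.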

 


Applies To

Symantec Mobile Management 7.2 Mobile Management Server (MMS)