10/17/2008

Before you can manage a Windows Mobile device in System Center Mobile Device Manager, you must enroll the device. Device enrollment is the mechanism that builds the relationship between the company IT network and a Windows Mobile device.

Note:
If you want to assign devices to an Active Directory organizational unit (OU) other than the default OU, SCMDM Managed Devices, you must create the OU in Active Directory, and you must use the Set-EnrollmentPermissions cmdlet to set the appropriate permissions for that OU before you start the enrollment process. For more information, see Set-EnrollmentPermissions.

Before you continue with the enrollment steps, make sure that you meet the following prerequisites on the Windows Mobile device:

You achieve enrollment in two steps:

  1. Creating a pre-enrollment request: You use MDM Console to enter a name for the Windows Mobile device, assign the device to a user and to an Active Directory organizational unit (OU), and create an enrollment password. This alphanumeric enrollment password is a security requirement and is necessary to complete the enrollment process. To generate the password, you use the Pre-Enrollment Wizard in MDM Console. After you finish pre-enrollment, MDM gives you a one-time enrollment password that you must communicate, together with an enrollment ID (e-mail address or user name), to the Windows Mobile device user.

    Note:
    We recommend that you provide this password to the device user in as secure a manner as possible. The most secure approach is for the device user to obtain the enrollment password from inside the company network.
  2. Completing the enrollment process: The user finishes the enrollment process on the Windows Mobile device. This procedure creates an Active Directory object for the managed device and provides a certificate for security-enhanced communication with MDM Gateway Server. The following steps summarize the second phase of the enrollment process:

    1. The user receives the one-time enrollment password from the administrator

    2. The device establishes an unauthenticated SSL connection to the public Enrollment Web service (the device cannot yet validate the server certificate, because it does not hold the company's certificate trust chain)

    3. The Web service component pre-authenticates the device and returns the certificate trust chain with a digital signature

    4. The device verifies the digital signature and installs the certificate trust chain

    5. The device reestablishes the SSL connection, and authenticates the server certificate by checking the SSL certificate against the trust chain installed in step 4

    6. The device generates a certificate request, and transmits it to the server together with a digital signature

    7. MDM Enrollment service validates the digital signature

    8. MDM Enrollment service creates a machine account for the device within Active Directory

    9. MDM Enrollment service submits the certificate request to the certification authority on behalf of the device

    10. A machine certificate is issued

    11. The machine certificate is linked to the device Active Directory object

    12. The internally-generated machine certificate returns to the device

    13. The device disconnects from the Enrollment Web service

When the enrollment process is complete, the Windows Mobile device holds a machine certificate and the Active Directory device object exists in the designated organizational unit. The machine certificate authenticates the device for the IPsec tunnel-mode session between the Windows Mobile device and MDM Gateway Server.
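The following model walks the second phase (steps 2 through 12) end to end and then shows what the handshake must reject. It is an added illustration, not SCMDM code: it assumes, because the page does not state the mechanism, that the signatures on the trust chain and on the certificate request are HMACs keyed from the one-time enrollment password, and it stands in for SSL, Active Directory and the certification authority with plain Python objects. Every name, address and certificate value in it is constructed.

```python
"""Model of the enrollment handshake in steps 2 through 12 above. Added illustration,
not SCMDM code: assumes (the page does not say) that the signatures on the trust chain
and on the certificate request are HMACs keyed from the one-time enrollment password."""
import hashlib
import hmac
import secrets

def derive_key(password):  # assumption: one-time password hashed into the shared HMAC key
    return hashlib.sha256(b"scmdm-enroll:" + password.encode()).digest()

def fingerprint(blob):
    return hashlib.sha256(blob).hexdigest()

def mac(key, data):
    return hmac.new(key, data, "sha256").digest()

class EnrollmentService:
    """Enrollment Web service plus the modeled CA and directory behind it."""

    def __init__(self, trust_chain):
        self.trust_chain = trust_chain
        self.server_cert = {"subject": "enroll.example.com", "issuer": fingerprint(trust_chain)}
        self.pending = {}    # enrollment ID -> pre-enrollment record
        self.directory = {}  # modeled Active Directory: device name -> device object
        self.ca_key = secrets.token_bytes(32)

    def pre_enroll(self, enrollment_id, device_name, ou):  # step 1, Pre-Enrollment Wizard
        password = secrets.token_hex(4)                   # the one-time enrollment password
        self.pending[enrollment_id] = {"password": password, "device": device_name, "ou": ou, "done": False}
        return password

    def _open_request(self, enrollment_id):
        req = self.pending.get(enrollment_id)
        if req is None or req["done"]:
            raise PermissionError("no open enrollment request for this ID")
        return req

    def get_trust_chain(self, enrollment_id):  # step 3: pre-authenticate, return signed chain
        req = self._open_request(enrollment_id)
        return self.trust_chain, mac(derive_key(req["password"]), self.trust_chain)

    def submit_csr(self, enrollment_id, csr, tag):  # steps 7-12
        req = self._open_request(enrollment_id)
        if not hmac.compare_digest(tag, mac(derive_key(req["password"]), csr)):
            raise PermissionError("certificate request signature does not verify")
        req["done"] = True  # the enrollment password is single-use
        cert = {"subject": req["device"], "issuer": fingerprint(self.trust_chain),
                "csr": fingerprint(csr), "sig": mac(self.ca_key, csr).hex()}
        self.directory[req["device"]] = {"ou": req["ou"], "cert": cert}  # AD object, cert linked
        return cert

class Device:
    def __init__(self, enrollment_id, password):  # no trust anchor yet: only ID and password
        self.enrollment_id, self.key = enrollment_id, derive_key(password)
        self.trust_anchor = self.machine_cert = None

    def install_trust_chain(self, chain, tag):  # step 4
        if not hmac.compare_digest(tag, mac(self.key, chain)):
            raise ValueError("trust chain signature does not verify (possible MITM)")
        self.trust_anchor = chain

    def check_server_cert(self, cert):  # step 5: reconnected session must chain to that root
        if self.trust_anchor is None or cert["issuer"] != fingerprint(self.trust_anchor):
            raise ValueError("server certificate does not chain to the installed root")

    def make_csr(self, device_name):  # step 6: key pair modeled as random bytes
        csr = device_name.encode() + b"|" + secrets.token_bytes(32)
        return csr, mac(self.key, csr)

def enroll(service, device, device_name, chain_from_network=None, presented_cert=None):
    # Device side of steps 2-13; the optional arguments inject attacker-controlled data.
    chain, tag = chain_from_network or service.get_trust_chain(device.enrollment_id)
    device.install_trust_chain(chain, tag)
    device.check_server_cert(presented_cert or service.server_cert)
    csr, csr_tag = device.make_csr(device_name)
    device.machine_cert = service.submit_csr(device.enrollment_id, csr, csr_tag)
    return device.machine_cert

def blocked(attempt):
    try:
        attempt()
    except (PermissionError, ValueError):
        return True
    return False

def demo():
    svc = EnrollmentService(b"-----CONSTRUCTED ENTERPRISE ROOT-----")
    pw = svc.pre_enroll("alice@example.com", "WM-ALICE-01", "OU=SCMDM Managed Devices")
    cert = enroll(svc, Device("alice@example.com", pw), "WM-ALICE-01")
    out = {"enrolled": svc.directory["WM-ALICE-01"]["cert"] is cert}
    out["password_reuse_rejected"] = blocked(  # replaying the consumed one-time password
        lambda: enroll(svc, Device("alice@example.com", pw), "WM-ALICE-01"))
    pw2 = svc.pre_enroll("bob@example.com", "WM-BOB-01", "OU=SCMDM Managed Devices")
    rogue = b"-----ATTACKER ROOT-----"  # MITM substitutes its chain on the unauthenticated first connection
    out["mitm_chain_rejected"] = blocked(lambda: enroll(
        svc, Device("bob@example.com", pw2), "WM-BOB-01", chain_from_network=(rogue, mac(b"guess", rogue))))
    rogue_cert = {"subject": "enroll.example.com", "issuer": fingerprint(rogue)}
    out["rogue_server_rejected"] = blocked(lambda: enroll(  # server cert not chained to installed root
        svc, Device("bob@example.com", pw2), "WM-BOB-01", presented_cert=rogue_cert))
    return out
```

Running demo() returns all four outcomes as True. The point the model makes is that nothing in the first connection is authenticated; the only thing that ties the returned trust chain to this enrollment is the one-time password shared out of band, which is why the Note above on delivering that password securely matters, and why a consumed password cannot be replayed to enroll a second device under the same request.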

Note:
After pre-enrollment, a device can be moved from one OU to another even if the destination is the default OU of another instance. However, moving the device or its enrollment record between instances is not supported.

You can cancel an enrollment request before the request completes (see Canceling a Pending Enrollment).

Once the enrollment is completed, you can revoke the enrollment only by wiping the device (see Creating a Wipe Request). To enroll a device again after it has been wiped, you must unblock the device (see Unblocking a Managed Device) and then create a new enrollment request.

Manually moving an enrolled device out of the SCMDMEnrolledDevices group in Active Directory is not supported and is not recommended. If a device has been manually removed from the SCMDMEnrolledDevices group, you must manually return it to the group. The correct way to remove a device from the SCMDMEnrolledDevices group is to revoke its enrollment.

Note:
You can use MDM Shell cmdlets and PowerShell scripts to automate Windows Mobile device management tasks. For more information on enrolling devices with MDM Shell cmdlets, see Device Enrollment Cmdlets. MDM Device Enrollment Cleanup Tool is a PowerShell script-based tool that helps you remove managed devices from MDM in two cases: when a device has been locally wiped but its entries in Active Directory and the MDM databases still exist, and when a device has not connected to the server for a long time, which indicates that the account is no longer in use. To download MDM Device Enrollment Cleanup Tool, see MDM Client Tools at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkID=127030&clcid=0x409 .

In This Section

Creating an Enrollment Request

Describes how to create a new enrollment request through MDM Console.

Enrolling a New Device

Describes how the user completes enrollment from the Windows Mobile device.

Viewing Pending Enrollments

Describes how MDM Console provides easy access to information about pre-enrolled devices.

Canceling a Pending Enrollment

Describes how to cancel an enrollment before a device joins the enterprise.

See Also