Mobile Device Manager (MDM) Enrollment Server provides the services that are required to enable a Windows Mobile device to join the managed device environment.
The following illustration shows the architecture of MDM Enrollment Server.
The MDM Enrollment Server has the following components:
Administration services: This collection of Web services is functionally similar to the administration services on MDM Device Management Server. Because the Enrollment Web service uses TCP port 443, the administration services use other TCP ports that the administrator can configure. The default administration Web site port for enrollment is 8445.
Enrollment Web service: Internet Information Services (IIS) hosts this Web service that manages incoming requests from Windows Mobile devices to enroll in the managed infrastructure. After the Enrollment Web service receives a request, the service manages later communications with the Windows Mobile device until it becomes a domain-joined managed device. Then, MDM Gateway Server handles the communications.
Enrollment service: This Windows service handles all communications to your Active Directory Domain Service and PKI
MDM Enrollment Server provides a protected over the air (OTA) process to request and retrieve certificates for Windows Mobile devices. To help protect against malicious attacks, MDM Enrollment Server uses shared-secret encryption to perform protected enrollment over nonsecure connections, such as public General Packet Radio Service (GPRS), or other mobile data networks. This lets users enroll their device without having to cradle it and without having physical access to the company network.
Regardless of the size of your organization, the enterprise requires only one MDM Enrollment Server. If your company has to support the concurrent enrollment of thousands of Windows Mobile devices, treat MDM Enrollment Server like any other server that is running IIS. In this scenario, follow the best practices for any IIS instance: scale MDM Enrollment Server according to the expected traffic load, and protect it or add a proxy.
For more information about how MDM Enrollment Server enrolls a Windows Mobile device into the managed environment, see Device Enrollment with MDM.