11/11/2008

Before a Windows Mobile device can connect to Mobile Device Manager (MDM) Gateway Server, it must establish itself as a known and authenticated object in the Active Directory® Domain Service. A Windows Mobile device requests a certificate. MDM Enrollment Server creates an Active Directory Domain Service computer account for the device, and issues the machine certificate based on the certificate request. MDM Enrollment Server also links the computer account to the Active Directory account for the user. MDM Enrollment Server then creates a link between the certificate and the device object in the Active Directory Domain Service.

By design, the enrollment password is for one-time use only and has a limited lifetime (the default is eight hours). If the enrollment process fails, the password is valid until it is either used successfully or it expires. After expiration, the administrator must generate a new enrollment request and communicate the password to the user.

The following enrollment steps show how a Windows Mobile device can authenticate to MDM Gateway Server and become an MDM-managed device:

  1. The administrator uses a wizard to create a new device enrollment request.

  2. This process generates a one-time enrollment password that the administrator shares with the user of the device in a secure manner.

  3. The user starts an enrollment wizard on the device and provides the e-mail address that the wizard will use to connect to MDM Enrollment Server.

    If the enrollment process cannot discover the address for MDM Enrollment Server, it prompts the user for the URL.

  4. The enrollment wizard on the Windows Mobile device contacts MDM Enrollment Server and requests the Enterprise Trust Root Certificate.

  5. The enrollment wizard authenticates the server response by verifying that the returned data was derived from the one-time enrollment password and the Enterprise Trust Root Certificate.

  6. The enrollment wizard generates a certificate request and sends it to MDM Enrollment Server together with a hash that is generated from the one-time enrollment password and the certificate request.

  7. MDM Enrollment Server creates an Active Directory Domain Service computer account for the device and issues the device certificate based on the certificate request received from the device. MDM Enrollment Server also links the computer account to the Active Directory account for that user.

  8. The machine certificate is returned to the device, completing the process.

  9. The device disconnects from MDM Enrollment Server and prompts the user to reset the device.
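A constructed walk-through of steps 2 through 8 above, added here as an example and not Microsoft's code: it assumes HMAC-SHA256 for the password-derived proofs (the text does not specify the construction), uses placeholder byte strings for the root certificate and certificate request, and enforces the one-time-use and eight-hour-lifetime rules from the text.

```python
import hashlib
import hmac
import os
import time

PASSWORD_LIFETIME_SECONDS = 8 * 60 * 60   # default lifetime from the text: eight hours

class EnrollmentServer:
    """Toy stand-in for MDM Enrollment Server (constructed example, not Microsoft's code)."""
    def __init__(self, root_cert: bytes, now=time.time):
        self.root_cert = root_cert   # placeholder for the Enterprise Trust Root Certificate
        self.now = now               # injectable clock so expiry can be exercised in a test
        self.pending = {}            # device_id -> (one-time password, expiry timestamp)

    def create_enrollment_request(self, device_id: str) -> str:
        # Steps 1-2: the administrator's request yields a one-time password with a lifetime.
        password = os.urandom(8).hex()
        self.pending[device_id] = (password, self.now() + PASSWORD_LIFETIME_SECONDS)
        return password

    def trust_root_response(self, device_id: str):
        # Steps 4-5: return the root certificate with a tag derived from the password, so the
        # device can check that the response came from a server that knows that password.
        password, _ = self.pending[device_id]
        tag = hmac.new(password.encode(), self.root_cert, hashlib.sha256).hexdigest()
        return self.root_cert, tag

    def submit_certificate_request(self, device_id: str, csr: bytes, tag: str):
        # Steps 6-8: verify the password-bound hash over the request, then issue.
        entry = self.pending.get(device_id)
        if entry is None:
            return None              # unknown device, or password already consumed
        password, expiry = entry
        if self.now() > expiry:
            del self.pending[device_id]   # expired: administrator must start a new request
            return None
        expected = hmac.new(password.encode(), csr, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, tag):
            return None              # failed attempt: password stays valid until used or expired
        del self.pending[device_id]  # one-time use: a successful enrollment consumes it
        return b"CERT:" + csr        # placeholder for the issued machine certificate

def device_verify_server(password: str, root_cert: bytes, tag: str) -> bool:
    """Step 5, device side: accept the root certificate only if the tag checks out."""
    expected = hmac.new(password.encode(), root_cert, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag)

def device_sign_request(password: str, csr: bytes) -> str:
    """Step 6, device side: hash the certificate request under the one-time password."""
    return hmac.new(password.encode(), csr, hashlib.sha256).hexdigest()
```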