Before a Windows Mobile device can connect to Mobile Device Manager (MDM) Gateway Server, it must establish itself as a known and authenticated object in the Active Directory® Domain Service. A Windows Mobile device requests a certificate. MDM Enrollment Server creates an Active Directory Domain Service computer account for the device, and issues the machine certificate based on the certificate request. MDM Enrollment Server also links the computer account to the Active Directory account for the user. MDM Enrollment Server then creates a link between the certificate and the device object in the Active Directory Domain Service.
By design, the enrollment password is for one-time use only and has a limited lifetime (the default is eight hours). If the enrollment process fails, the password is valid until it is either used successfully or it expires. After expiration, the administrator must generate a new enrollment request and communicate the password to the user.
The following enrollment steps show how a Windows Mobile device can authenticate to MDM Gateway Server and become an MDM-managed device:
- The administrator uses a wizard to create a new device enrollment request.
- This process generates a one-time enrollment password that the administrator shares with the user of the device in a secure manner.
- The user starts an enrollment wizard on the device and provides the e-mail address that the wizard will use to connect to MDM Enrollment Server. If the enrollment process cannot discover the address for MDM Enrollment Server, it prompts the user for the URL.
- The enrollment wizard on the Windows Mobile device contacts MDM Enrollment Server and requests the Enterprise Trust Root Certificate.
- The enrollment wizard authenticates the server response by verifying that the returned data was derived from the one-time enrollment password and the Enterprise Trust Root Certificate.
- The enrollment wizard generates a certificate request and sends it to MDM Enrollment Server together with a hash that is generated from the one-time enrollment password and the certificate request.
- MDM Enrollment Server creates an Active Directory Domain Service computer account for the device, and the device certificate is issued based on the certificate request received from the device. MDM Enrollment Server also links the computer account to the Active Directory account for that user.
- The machine certificate is returned to the device, completing the enrollment.
- The device disconnects from MDM Enrollment Server and prompts the user to reset the device.
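The exchange above, with both sides' checks, as an added Python simulation that is not Microsoft's code and not the real MDM wire protocol. It assumes HMAC-SHA256 keyed with the one-time password as the "hash derived from the password and the data" (the page does not name the function), uses constructed byte strings in place of a real trust root certificate, CSR and issued certificate, and models the three properties the text states: the device authenticates the server before sending its request, the server issues a certificate only for a request bound to the password, and the password is single-use with an eight-hour lifetime but stays valid after a failed attempt.

```python
"""Simulation of the MDM one-time-password enrollment exchange (added example)."""
from __future__ import annotations

import hashlib
import hmac
import secrets
from dataclasses import dataclass

# From the page: the enrollment password expires after eight hours by default.
PASSWORD_LIFETIME_SECONDS = 8 * 60 * 60


class EnrollmentError(Exception):
    """Raised when a step of the exchange fails verification."""


@dataclass
class PendingEnrollment:
    device_name: str
    user: str          # the AD user the computer account will be linked to
    password: str      # one-time enrollment password
    created_at: float  # seconds; compared against the caller-supplied clock
    used: bool = False


def _tag(password: str, data: bytes) -> bytes:
    # Assumption: HMAC-SHA256 keyed with the password stands in for the
    # unspecified "hash generated from the one-time password and the data".
    return hmac.new(password.encode(), data, hashlib.sha256).digest()


class EnrollmentServer:
    """Stand-in for MDM Enrollment Server (hypothetical class, not the product's API)."""

    def __init__(self, trust_root_cert: bytes):
        self.trust_root_cert = trust_root_cert
        self.pending: dict[str, PendingEnrollment] = {}
        self.computer_accounts: dict[str, str] = {}  # device -> linked user

    def create_enrollment_request(self, device_name: str, user: str, now: float) -> str:
        """Administrator step: returns the password to hand to the user out of band."""
        password = secrets.token_urlsafe(12)
        self.pending[device_name] = PendingEnrollment(device_name, user, password, now)
        return password

    def _active(self, device_name: str, now: float) -> PendingEnrollment:
        req = self.pending.get(device_name)
        if req is None:
            raise EnrollmentError("no enrollment request for device")
        if req.used:
            raise EnrollmentError("enrollment password already used")
        if now - req.created_at > PASSWORD_LIFETIME_SECONDS:
            raise EnrollmentError("enrollment password expired")
        return req

    def get_trust_root(self, device_name: str, now: float) -> tuple[bytes, bytes]:
        """Return the Enterprise Trust Root Certificate plus a proof derived from
        the one-time password, so the device can authenticate the server."""
        req = self._active(device_name, now)
        return self.trust_root_cert, _tag(req.password, self.trust_root_cert)

    def enroll(self, device_name: str, csr: bytes, csr_tag: bytes, now: float) -> bytes:
        """Issue a machine certificate only for a CSR bound to a live password."""
        req = self._active(device_name, now)
        if not hmac.compare_digest(_tag(req.password, csr), csr_tag):
            raise EnrollmentError("certificate request not bound to the password")
        req.used = True  # one-time use: the same password cannot enroll again
        self.computer_accounts[device_name] = req.user  # AD computer account link
        # Constructed stand-in for a CA-issued machine certificate.
        digest = hashlib.sha256(csr).hexdigest().encode()
        return b"CERT:" + device_name.encode() + b":" + digest


def run_device_wizard(server: EnrollmentServer, device_name: str,
                      password: str, now: float) -> bytes:
    """Device side of the exchange; returns the issued machine certificate."""
    root_cert, proof = server.get_trust_root(device_name, now)
    # Authenticate the server first: the proof must have been derived from the
    # one-time password and the returned certificate. Nothing is sent otherwise.
    if not hmac.compare_digest(_tag(password, root_cert), proof):
        raise EnrollmentError("server response failed one-time-password check")
    csr = b"CSR:" + device_name.encode() + b":" + secrets.token_bytes(8)  # constructed
    return server.enroll(device_name, csr, _tag(password, csr), now)
```

Because the server never marks the password used until a certificate is actually issued, a device that fails its own server check (wrong password typed, or a response not derived from the password) leaves the request valid for a retry, which is the behaviour the page describes for a failed enrollment.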