11/11/2008

You can enroll a Windows Mobile 6.1 device in Microsoft System Center Mobile Device Manager (MDM) 2008 by using Wi-Fi from wireless access points that are both external and internal to your company network. The MDM Enrollment Server enrollment Web site must be published to the Internet. Also, an external DNS entry should be created with a server name corresponding to the name on the Secure Sockets Layer (SSL) certificate used to help secure the enrollment Web site.

Note:
For more information about MDM Enrollment Server deployment and architecture, see MDM Deployment Guideand MDM Architecture Guide. For information about how to enable and configure Wi-Fi on your Windows Mobile device, see Windows Mobile Device Wi-Fi Configuration.

After enrollment, the Wi-Fi connection configuration will disappear from the managed device. You must configure Wi-Fi again to enable wireless operation. See Windows Mobile Device Wi-Fi Configuration.

External Enrollment by Using Wi-Fi

The following illustration shows a Windows Mobile device enrolling externally by using Wi-Fi.

The numbers in the illustration highlight aspects of using Wi-Fi to enroll external to your network:

  1. You can enroll a Windows Mobile 6.1 device external to your network by using Wi-Fi and the Domain Enroll utility on the device.

  2. It is strongly recommended to use a secure Web publishing proxy to publish the external MDM Enrollment Server URL.

Internal Enrollment by Using Wi-Fi

The following illustration shows a Windows Mobile device enrolling internally by using Wi-Fi.

The numbers in the above illustration highlight using Wi-Fi to enroll internal to your network:

  1. You can enroll an internal Windows Mobile 6.1 device by using an internal wireless access point and the Domain Enroll utility on the device.

  2. An internal DNS Server resolves the name of the MDM Enrollment Server for the mobile device. While enrolling by using the Domain Enroll utility, you supply the fully qualified domain name (FQDN) of the enrollment server (internal name).

If you enroll a device internally by using Wi-Fi, the VPN client is enabled when finishing the enrollment process. An internal or external MDM Gateway Server is configured to accept the VPN traffic for the device to function with MDM. If the MDM Gateway Server is in the perimeter network, you must configure the internal firewall to allow IPsec traffic (500 UDP, 4500 UDP, and Protocol 50 - IPsec ESP) bidirectionally for the device to use MDM and access the Internet. The VPN client on the managed device is enabled and the Wi-Fi connection will be associated to the Internet.

Note:
If you connect to an internal MDM Gateway Server, the VPN Wi-Fi connection on the managed device should be associated to the Internet. The only exception is if the device has already been configured to associate the internal MDM Gateway Server to the Work network.
[an error occurred while processing this directive]