11/11/2008

You can enroll a Windows Mobile 6.1 device in Microsoft System Center Mobile Device Manager (MDM) 2008 by using Wi-Fi from wireless access points that are both external and internal to your company network. The MDM Enrollment Server enrollment Web site must be published to the Internet. Also, an external DNS entry should be created with a server name corresponding to the name on the Secure Sockets Layer (SSL) certificate used to help secure the enrollment Web site.

Note:
For more information about MDM Enrollment Server deployment and architecture, see MDM Deployment Guide and MDM Architecture Guide. For information about how to enable and configure Wi-Fi on your Windows Mobile device, see Windows Mobile Device Wi-Fi Configuration.

After enrollment, the Wi-Fi connection configuration will disappear from the managed device. You must configure Wi-Fi again to enable wireless operation. See Windows Mobile Device Wi-Fi Configuration.
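The requirement above is that the external DNS name you publish for the enrollment Web site must match the name on the SSL certificate that protects it; a mismatch makes every enrolling device see a certificate warning or fail outright. The following check is an added example and is not part of the original documentation or of MDM itself: it compares a hostname against the DNS names of a certificate in the dictionary form that Python's `ssl.getpeercert()` returns (subjectAltName first, commonName as a fallback, one-label wildcards honoured), and a helper performs the same comparison against a live server. The certificate dictionary and the host name `enroll.example.com` are constructed sample data.

```python
import socket
import ssl


def _dns_name_matches(pattern, hostname):
    """Match one certificate DNS name against a hostname.

    Comparison is case-insensitive and ignores a trailing dot. A wildcard
    in the leftmost label ('*.example.com') matches exactly one label, so it
    covers 'enroll.example.com' but not 'a.b.example.com' or 'example.com'.
    """
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        return "." in hostname and pattern[2:] == hostname.split(".", 1)[1]
    return pattern == hostname


def cert_names(cert):
    """Return the DNS names a certificate (ssl.getpeercert() dict) is issued for.

    subjectAltName entries take precedence; the subject commonName is only
    consulted when the certificate carries no DNS SAN entries at all.
    """
    names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return names


def name_matches_cert(hostname, cert):
    """True if the published hostname is covered by the certificate."""
    return any(_dns_name_matches(name, hostname) for name in cert_names(cert))


def check_enrollment_site(hostname, port=443, timeout=5):
    """Live check (needs network): fetch the site's certificate and compare.

    Hostname checking is done by name_matches_cert() rather than by the SSL
    context so the function can report which names the certificate actually
    carries instead of raising; chain validation is still enforced.
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_REQUIRED
    with socket.create_connection((hostname, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=hostname) as tls:
            cert = tls.getpeercert()
    return name_matches_cert(hostname, cert), cert_names(cert)


# Constructed sample certificate data in the shape ssl.getpeercert() returns;
# 'enroll.example.com' stands in for the published enrollment server name.
SAMPLE_CERT = {
    "subject": ((("commonName", "enroll.example.com"),),),
    "subjectAltName": (("DNS", "enroll.example.com"), ("DNS", "*.mobile.example.com")),
}

if __name__ == "__main__":
    for host in ("enroll.example.com", "mdm.example.com", "device1.mobile.example.com"):
        print(host, "->", "ok" if name_matches_cert(host, SAMPLE_CERT) else "MISMATCH")
```

Run it against the real published name with `check_enrollment_site("enroll.example.com")` once the site is reachable; the tuple it returns tells you both whether the name matched and which names the certificate carries, which is what you need when the external DNS entry and the certificate were issued by different teams.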

External Enrollment by Using Wi-Fi

The following illustration shows a Windows Mobile device enrolling externally by using Wi-Fi.

The numbers in the illustration highlight the aspects of enrolling externally to your network by using Wi-Fi:

  1. You can enroll a Windows Mobile 6.1 device external to your network by using Wi-Fi and the Domain Enroll utility on the device.

  2. It is strongly recommended to use a secure Web publishing proxy to publish the external MDM Enrollment Server URL.

Internal Enrollment by Using Wi-Fi

The following illustration shows a Windows Mobile device enrolling internally by using Wi-Fi.

The numbers in the above illustration highlight the aspects of enrolling internally to your network by using Wi-Fi:

  1. You can enroll an internal Windows Mobile 6.1 device by using an internal wireless access point and the Domain Enroll utility on the device.

  2. An internal DNS Server resolves the name of the MDM Enrollment Server for the mobile device. While enrolling by using the Domain Enroll utility, you supply the fully qualified domain name (FQDN) of the enrollment server (internal name).

If you enroll a device internally by using Wi-Fi, the VPN client is enabled when the enrollment process finishes. An internal or external MDM Gateway Server is configured to accept the VPN traffic so that the device can function with MDM. If the MDM Gateway Server is in the perimeter network, you must configure the internal firewall to allow IPsec traffic (UDP 500, UDP 4500, and IP protocol 50, IPsec ESP) bidirectionally for the device to use MDM and access the Internet. With the VPN client on the managed device enabled, the Wi-Fi connection will be associated to the Internet.
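The firewall requirement above is easy to get half right: one of the three IPsec flows is opened in one direction only, or a catch-all deny rule sits above the allow rules. The following check is an added example and is not part of the original documentation or of any MDM or firewall product: it models an ordered, first-match ruleset and reports which of the required flows (UDP 500 for IKE, UDP 4500 for NAT-T, and ESP, IP protocol 50) the ruleset fails to permit in either direction between the perimeter and internal networks. The `Rule` class and the rulesets are constructed sample data, not a real firewall's configuration format.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The flows the MDM Gateway Server needs across the internal firewall when
# it sits in the perimeter network: IKE, NAT-T, and ESP (IP protocol 50,
# which has no port, hence None).
REQUIRED_IPSEC_FLOWS: Tuple[Tuple[str, Optional[int]], ...] = (
    ("udp", 500),
    ("udp", 4500),
    ("esp", None),
)

DIRECTIONS = ("inbound", "outbound")


@dataclass(frozen=True)
class Rule:
    """One entry of a constructed, ordered firewall ruleset."""
    action: str            # "allow" or "deny"
    protocol: str          # "udp", "tcp", "esp" or "any"
    port: Optional[int]    # destination port; None matches any port (or a port-less protocol)
    direction: str         # "inbound", "outbound" or "both"


def _matches(rule: Rule, protocol: str, port: Optional[int], direction: str) -> bool:
    if rule.protocol not in ("any", protocol):
        return False
    if rule.port is not None and rule.port != port:
        return False
    return rule.direction in ("both", direction)


def flow_allowed(rules: List[Rule], protocol: str, port: Optional[int], direction: str) -> bool:
    """First matching rule decides; no match means the implicit deny applies."""
    for rule in rules:
        if _matches(rule, protocol, port, direction):
            return rule.action == "allow"
    return False


def missing_ipsec_flows(rules: List[Rule]) -> List[Tuple[str, Optional[int], str]]:
    """Return every (protocol, port, direction) the ruleset does not permit.

    An empty list means the firewall satisfies the bidirectional IPsec
    requirement for the MDM Gateway Server in the perimeter network.
    """
    missing = []
    for protocol, port in REQUIRED_IPSEC_FLOWS:
        for direction in DIRECTIONS:
            if not flow_allowed(rules, protocol, port, direction):
                missing.append((protocol, port, direction))
    return missing


# Constructed ruleset with two typical mistakes: NAT-T opened inbound only,
# and ESP not opened at all.
INCOMPLETE_RULES = [
    Rule("allow", "udp", 500, "both"),
    Rule("allow", "udp", 4500, "inbound"),
    Rule("deny", "any", None, "both"),
]

# Constructed ruleset that meets the documented requirement.
CORRECTED_RULES = [
    Rule("allow", "udp", 500, "both"),
    Rule("allow", "udp", 4500, "both"),
    Rule("allow", "esp", None, "both"),
    Rule("deny", "any", None, "both"),
]

if __name__ == "__main__":
    for label, rules in (("incomplete", INCOMPLETE_RULES), ("corrected", CORRECTED_RULES)):
        gaps = missing_ipsec_flows(rules)
        print(label, "->", "ok" if not gaps else gaps)
```

Because rules are evaluated in order, the check also catches a deny-all entry placed above the allow rules, a common result of inserting the IPsec exceptions at the bottom of an existing policy. Exporting a real firewall's policy into `Rule` objects is left to the reader, since the export format depends on the product in use.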

Note:
If you connect to an internal MDM Gateway Server, the VPN Wi-Fi connection on the managed device should be associated to the Internet. The only exception is if the device has already been configured to associate the internal MDM Gateway Server to the Work network.