11/11/2008

Review the following deployment guidelines and security considerations as you plan your Mobile Device Manager (MDM) Enrollment Server deployment.

MDM Enrollment Server Placement

You should install MDM Enrollment Server on a dedicated server. The server should be a domain member and should be located within the company network.

Because parts of MDM Enrollment Server run under IIS, and because the enrollment process lets previously untrusted clients use MDM Enrollment Server services to enroll through MDM and join the Active Directory® domain, you should not expose the server directly. We strongly recommend that you securely publish MDM Enrollment Server through another mechanism, for example, by using ISA Server 2006.

SQL Considerations

To install MDM databases successfully, the account that executes the MDM Enrollment Server installation script must have local administrator credentials on the computer that is running Microsoft® SQL Server®.
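The two requirements above (the Enrollment Server must be a domain member, and the installing account must be a local administrator on the SQL Server computer) can be checked before you run the installation script. The following PowerShell script is an added example, not part of the MDM documentation or product; it assumes PowerShell 2.0 on the Enrollment Server, that the SQL Server host name and installing account are passed as parameters, and that WMI and the WinNT ADSI provider can reach the SQL Server computer. The host name and account shown are placeholders.

```powershell
# Added example (not from the MDM documentation): pre-deployment checks for
# MDM Enrollment Server placement and the SQL Server account requirement.
# Assumptions: PowerShell 2.0; the SQL Server host and the installing account
# are supplied as parameters; WMI and the WinNT ADSI provider are reachable.
param(
    [string]$SqlServer = "SQL01",                  # placeholder host name
    [string]$InstallAccount = "CONTOSO\mdmsetup"   # placeholder account
)

$results = @()

# 1. The Enrollment Server itself must be a domain member (placement guidance).
$cs = Get-WmiObject -Class Win32_ComputerSystem
$results += New-Object PSObject -Property @{
    Check  = "Local computer is a domain member"
    Result = [bool]$cs.PartOfDomain
    Detail = $cs.Domain
}

# 2. The account that runs the installation script must be a local
#    administrator on the SQL Server computer, or the database install fails.
function Get-LocalAdministrators {
    param([string]$ComputerName)
    $group = [ADSI]"WinNT://$ComputerName/Administrators,group"
    $group.psbase.Invoke("Members") | ForEach-Object {
        # ADsPath looks like WinNT://CONTOSO/mdmsetup (domain account) or
        # WinNT://CONTOSO/SQL01/Administrator (local account); keep the last
        # two segments so both normalise to DOMAIN\name or COMPUTER\name.
        $path = $_.GetType().InvokeMember("ADsPath", 'GetProperty', $null, $_, $null)
        $parts = ($path -replace '^WinNT://', '') -split '/'
        ($parts[-2..-1]) -join '\'
    }
}

$admins = Get-LocalAdministrators -ComputerName $SqlServer
$results += New-Object PSObject -Property @{
    Check  = "$InstallAccount is in Administrators on $SqlServer"
    # Direct membership only: if the account is only a member of a domain
    # group that is itself in Administrators, this check reports False
    # even though the installation would succeed.
    Result = ($admins -contains $InstallAccount)
    Detail = ($admins -join ", ")
}

$results | Format-Table Check, Result, Detail -AutoSize
```

Run the script from an account that can read the Administrators group on the SQL Server computer. A False result on the second check means the account is not a direct member; check nested domain groups before adding the account explicitly, and remove the local administrator right again once the MDM databases are installed.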

Security Recommendations for Enrollment Servers

You should make sure that MDM Enrollment Server is part of the enterprise infrastructure and include it in all update-management processes to keep it up to date with security and operating system updates.

We also recommend that you apply best practices for hardening the server that runs IIS for MDM Enrollment Server, so that it is as secure as possible. For more information about how to harden the TCP/IP stack, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=105660.

You can also run the Security Configuration Wizard that is included with Windows Server® 2003 with Service Pack 1 (SP1) and later versions to create an IIS-specific .adm file, and then apply it to MDM Enrollment Server directly or by using Group Policy.
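The linked guidance on hardening the TCP/IP stack is a set of registry values under the Tcpip\Parameters key. The following PowerShell script is an added example, not part of the MDM documentation, that audits an Enrollment Server against those values and, only when asked, applies them. The value names and recommended settings are assumed from Microsoft's published TCP/IP hardening guidance for Windows Server 2003 and should be checked against the version you deploy; the script itself does nothing beyond reading and, with -Apply, writing that one registry key.

```powershell
# Added example (not from the MDM documentation): audit the TCP/IP hardening
# values for an MDM Enrollment Server. Value names and recommended settings
# are assumed from Microsoft's TCP/IP hardening guidance for Windows Server
# 2003; verify them against the linked article. Audit only unless -Apply.
param([switch]$Apply)

$key = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Recommended DWORD values (assumed; confirm against the linked guidance).
$recommended = @{
    "SynAttackProtect"                     = 1   # enable SYN flood protection
    "EnableICMPRedirect"                   = 0   # ignore ICMP redirect messages
    "EnableDeadGWDetect"                   = 0   # never switch gateways on failure
    "DisableIPSourceRouting"               = 2   # drop source-routed packets
    "PerformRouterDiscovery"               = 0   # ignore router advertisements
    "TcpMaxConnectResponseRetransmissions" = 2   # fewer SYN-ACK retransmissions
    "TcpMaxDataRetransmissions"            = 3   # fewer data retransmissions
}

# Compare each recommended value with what the registry currently holds.
function Test-TcpipHardening {
    $props = Get-ItemProperty -Path $key
    foreach ($name in ($recommended.Keys | Sort-Object)) {
        $current = $props.$name          # $null when the value is not set
        $state = if ($current -eq $null) { "MISSING" }
                 elseif ($current -eq $recommended[$name]) { "OK" }
                 else { "DIFFERS" }
        New-Object PSObject -Property @{
            Name        = $name
            Current     = $current
            Recommended = $recommended[$name]
            State       = $state
        }
    }
}

$report = Test-TcpipHardening
$report | Format-Table Name, Current, Recommended, State -AutoSize

if ($Apply) {
    # Requires an elevated session; Set-ItemProperty creates missing values.
    foreach ($row in ($report | Where-Object { $_.State -ne "OK" })) {
        Set-ItemProperty -Path $key -Name $row.Name -Value $row.Recommended -Type DWord
        Write-Host ("Set {0} = {1}" -f $row.Name, $row.Recommended)
    }
    Write-Host "Restart the server for TCP/IP parameter changes to take effect."
}
```

Run the script without parameters first and keep the report with the server's build records; the DIFFERS rows tell you which values an earlier baseline or application changed. If you prefer to distribute the settings through the Security Configuration Wizard route described above, `scwcmd transform /p:<policy.xml> /g:<GPO name>` converts an SCW policy file into a Group Policy object that you can link to the organizational unit that holds the Enrollment Server.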

Mobile Device Enrollment Requirements

Users must be pre-enrolled and receive an enrollment password before they start the enrollment process from a Windows Mobile device. For information about how to create a pre-enrollment request and the steps to complete enrollment, see Enrolling Devices in MDM Operations at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkId=112415.

Note:
MDM Bulk Pre-Enrollment is a command-line tool that pre-enrolls groups of Windows Mobile powered devices in your organization in MDM. Bulk pre-enrollment can be simpler and more efficient than pre-enrolling a large number of devices individually. As part of pre-enrollment, the tool generates the passwords that you share with users so that they can enroll their devices. To download the MDM Bulk Pre-Enrollment Tool, see MDM Server Tools at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkID=108953.

Managed Device Wipe and Enrollment Request Cancellation Requirements

You can request to wipe a managed device or cancel an enrollment request for a Windows Mobile device. Before you take steps to issue a device wipe, or cancel a pending enrollment request, make sure that you follow administrative processes correctly to report theft, loss, compromise, or other circumstances as required by company policy.

For information about the steps to wipe a device, see Wiping Managed Devices in MDM Operations at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkId=112415. For information about the steps to cancel a pending enrollment request for a device, see Canceling a Pending Enrollment in MDM Operations at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkId=112415.

Note:
The MDM Self Service Portal is a Web-based interface that lets users manage their Windows Mobile powered devices. On this portal, based on the settings that you configure, users can enroll their Windows Mobile devices, monitor enrollment status, and wipe managed devices. To download the MDM Self Service Portal, see MDM Resource Kit Tools at this Microsoft Web page: http://go.microsoft.com/fwlink/?LinkID=108953.