Review the following deployment guidelines and security considerations as you plan your Mobile Device Manager (MDM) Enrollment Server deployment.
MDM Enrollment Server Placement
You should install MDM Enrollment Server on a dedicated server. The server should be a domain member and should be located within the company network.
Because parts of MDM Enrollment Server run under IIS, and because the enrollment process lets previously untrusted clients reach those IIS-hosted services in order to enroll in MDM and join the Active Directory® domain, the server is exposed to traffic from devices that have not yet been authenticated. We strongly recommend that you do not expose the server directly; instead, securely publish MDM Enrollment Server through another mechanism, for example, by using ISA Server 2006 as a reverse proxy in front of it.
SQL Considerations
To install MDM databases successfully, the account that executes the MDM Enrollment Server installation script must have local administrator credentials on the computer that is running Microsoft® SQL Server®.
Security Recommendations for Enrollment Servers
You should make sure that MDM Enrollment Server is part of the enterprise infrastructure and include it in all update-management processes to keep it up to date with security and operating system updates.
We also recommend that you apply best practices for making the server that is running IIS for MDM Enrollment Server as secure as possible. This is also known as hardening the computer. For more information about how to harden the TCP/IP stack, see this Microsoft Web site:
You can also run the Security Configuration Wizard that is included with Windows Server® 2003 with Service Pack 1 (SP1) and later versions to create an IIS-specific .adm file, and then apply that policy to MDM Enrollment Server directly or by using Group Policy.
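The hardening guidance above points to a separate article rather than listing the settings. The following PowerShell script is an added example, not part of the MDM documentation: it audits (and, with -Apply, enforces) a baseline of TCP/IP stack hardening registry values on the IIS host that runs MDM Enrollment Server. The baseline values are an assumption taken from Microsoft's general guidance for hardening the Windows Server 2003 TCP/IP stack against denial-of-service attacks; confirm each value against the current Microsoft article for your operating system version before applying it, and note that these settings take effect only after a restart.

```powershell
# Added example (not from the MDM documentation): audit, and optionally
# enforce, TCP/IP stack hardening values on the MDM Enrollment Server host.
# The baseline below is an ASSUMPTION drawn from Microsoft's general
# Windows Server 2003 TCP/IP hardening guidance; verify before use.
# Run elevated. Without -Apply the script only reports; with -Apply it
# writes the expected DWORD values. Changes take effect after a restart.
param([switch]$Apply)

$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$nbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$afd = 'HKLM:\SYSTEM\CurrentControlSet\Services\AFD\Parameters'

# Each entry: registry key, value name, expected DWORD, and the reason.
$baseline = @(
    @{ Key=$tcp; Name='SynAttackProtect';                      Value=1;      Why='SYN flood protection' }
    @{ Key=$tcp; Name='TcpMaxHalfOpen';                        Value=500;    Why='half-open limit before SYN protection triggers' }
    @{ Key=$tcp; Name='TcpMaxHalfOpenRetried';                 Value=400;    Why='retried half-open limit' }
    @{ Key=$tcp; Name='TcpMaxPortsExhausted';                  Value=5;      Why='refused SYNs before SYN protection triggers' }
    @{ Key=$tcp; Name='TcpMaxConnectResponseRetransmissions';  Value=2;      Why='fewer SYN-ACK retransmits' }
    @{ Key=$tcp; Name='TcpMaxDataRetransmissions';             Value=3;      Why='fewer data retransmits' }
    @{ Key=$tcp; Name='EnableICMPRedirect';                    Value=0;      Why='ignore ICMP redirects' }
    @{ Key=$tcp; Name='EnableDeadGWDetect';                    Value=0;      Why='no gateway switch on attacker-induced timeouts' }
    @{ Key=$tcp; Name='DisableIPSourceRouting';                Value=2;      Why='drop source-routed packets' }
    @{ Key=$tcp; Name='PerformRouterDiscovery';                Value=0;      Why='ignore IRDP router advertisements' }
    @{ Key=$tcp; Name='KeepAliveTime';                         Value=300000; Why='5-minute keepalive (ms)' }
    @{ Key=$nbt; Name='NoNameReleaseOnDemand';                 Value=1;      Why='ignore NetBIOS name-release requests' }
    @{ Key=$afd; Name='EnableDynamicBacklog';                  Value=1;      Why='dynamic listen backlog for IIS' }
    @{ Key=$afd; Name='MinimumDynamicBacklog';                 Value=20;     Why='dynamic backlog floor' }
    @{ Key=$afd; Name='MaximumDynamicBacklog';                 Value=20000;  Why='dynamic backlog ceiling' }
    @{ Key=$afd; Name='DynamicBacklogGrowthDelta';             Value=10;     Why='dynamic backlog growth step' }
)

$report = @()
$driftCount = 0
foreach ($item in $baseline) {
    # Missing value name (or key) means the OS default is in effect.
    $current = $null
    $props = Get-ItemProperty -Path $item.Key -Name $item.Name -ErrorAction SilentlyContinue
    if ($props) { $current = $props.($item.Name) }

    if ($current -eq $item.Value) {
        $state = 'OK'
    } elseif ($current -eq $null) {
        $state = 'MISSING'
        $driftCount++
    } else {
        $state = 'DRIFT'
        $driftCount++
    }

    if ($Apply -and $state -ne 'OK') {
        # Create the key if absent, then create-or-overwrite the DWORD value.
        if (-not (Test-Path $item.Key)) { New-Item -Path $item.Key -Force | Out-Null }
        New-ItemProperty -Path $item.Key -Name $item.Name -Value $item.Value `
            -PropertyType DWord -Force | Out-Null
        $state = 'APPLIED'
    }

    # New-Object PSObject keeps the script usable on PowerShell 2.0 hosts.
    $report += New-Object PSObject -Property @{
        Key      = $item.Key.Split('\')[-2]
        Name     = $item.Name
        Expected = $item.Value
        Current  = $current
        State    = $state
        Reason   = $item.Why
    }
}

$report | Format-Table Key, Name, Expected, Current, State, Reason -AutoSize

if ($Apply) {
    Write-Host "Applied $driftCount value(s). Restart the server for the TCP/IP settings to take effect."
} elseif ($driftCount -gt 0) {
    Write-Host "$driftCount value(s) differ from the baseline. Re-run with -Apply to enforce."
    exit 1
} else {
    Write-Host 'All audited values match the baseline.'
}
```

Run the script without -Apply first and keep its output with the server's build record; the non-zero exit code in audit mode makes it straightforward to fold into a scheduled compliance check so that drift on the Internet-facing enrollment host is noticed rather than discovered during an incident.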
Mobile Device Enrollment Requirements
Users must be pre-enrolled and receive an enrollment password before they start the enrollment process from a Windows Mobile device. For information about how to create a pre-enrollment request and the steps to complete enrollment, see Enrolling Devices in MDM Operations at this Microsoft Web page:
Note: MDM Bulk Pre-Enrollment is a command-line tool that pre-enrolls groups of Windows Mobile powered devices in your organization in MDM. Bulk pre-enrollment can be simpler and more efficient than pre-enrolling a large number of devices individually. As part of pre-enrollment, the tool generates passwords that you can share with users so that they can enroll their devices. To download the MDM Bulk Pre-Enrollment Tool, see MDM Server Tools at this Microsoft Web page:
Managed Device Wipe and Enrollment Request Cancellation Requirements
You can request to wipe a managed device or cancel an enrollment request for a Windows Mobile device. Before you take steps to issue a device wipe, or cancel a pending enrollment request, make sure that you follow administrative processes correctly to report theft, loss, compromise, or other circumstances as required by company policy.
For information about the steps to wipe a device, see Wiping Managed Devices in MDM Operations at this Microsoft Web page:
Note: The MDM Self Service Portal is a Web-based interface that lets users manage their Windows Mobile powered devices. On this portal, based on the settings that you configure, users can enroll their Windows Mobile devices, monitor enrollment status, and wipe managed devices. To download the MDM Self Service Portal, see MDM Resource Kit Tools at this Microsoft Web page: