11/11/2008

The following steps show you how to install Mobile Device Manager (MDM) Enrollment Server for the MDM system. Enrollment is a one-time process that is required to join a Windows Mobile device to your company domain. During MDM Enrollment Server Setup, the domain certification authority issues two SSL certificates for MDM Enrollment Server. The Active Directory configuration tool, ADConfig.exe, creates the template for this certificate automatically by using the /createtemplates and /enabletemplates parameters as discussed in Step 1a: Configuring the Active Directory Domain for MDM.

Important:
We strongly recommend that you use a proxy server to provide more secure Web publishing for MDM Enrollment Server on the company network. Microsoft® Internet Security and Acceleration (ISA) Server 2006, although not required, can provide this functionality. For more information about MDM perimeter network configuration, best practices, and general network deployment information, see the MDM Planning Guide.

You may install the MDM Enrollment Server, MDM Device Management Server, and MDM Administrator Tools in any order. However, the MDM Gateway Server setup must be performed after the installation of the previous components.

MDM Enrollment Server Installation Procedures

The following procedures represent a single MDM Enrollment Server installation. If you deploy multiple computers that are running MDM Enrollment Server, the related device certification authority and Administrative Web site port pages will not appear after the first MDM Enrollment Server installation. The computer that is running the SQL database instance for MDM stores the information that is collected from these pages for successive MDM Enrollment Server installations. This information is collected at the first MDM Device Management Server or MDM Enrollment Server installation. Additionally, if you deploy multiple computers that are running MDM Enrollment Server, you must enter the information for the load balancer instead of the information for the individual computer that is running MDM Enrollment Server. Even if you install only one server, you can avoid manual certificate steps later by using a load balancer. For more information about load balancers and load balancing topologies, please see MDM System Topologies in the MDM Planning Guide.

Before you install and deploy MDM by following the steps in this guide, you must first plan your deployment and configure your IT environment. To do this, follow the steps and guidelines in the MDM Planning Guide. MDM Planning and Deployment Checklists specifies the permissions and roles required to complete the following steps.

To install MDM Enrollment Server

  1. On the installation disc for System Center Mobile Device Manager (MDM), on the Setup menu, choose Enrollment Server.

  2. On the Enrollment Server Setup page, choose Next.

  3. Read the End-User License Agreement and then select the I accept the License Terms for Microsoft Software check box. Choose Next.

  4. On the Installation Directory page, type the path of the directory, or accept the default directory path, and then choose Next.

  5. On the Database Installation Options page, type the fully qualified domain name (FQDN) for the location of the computer that is running Microsoft SQL Server®. If you have a server that is running Microsoft SQL Server locally, you must still supply the FQDN and you cannot enter the value localhost or localhost\<sqlinstance>. Select the Current Windows credentials check box, unless you can access the SQL database instance only by using another user name and password. Choose Next.

  6. On the Enrollment Server Location page, in the Configure the Enrollment Server section, type the external FQDN for MDM Enrollment Server in the External enrollment FQDN box. Type the internal FQDN in the Internal enrollment FQDN box. If you are using more than one server that is running MDM Enrollment Server, type the internal and external FQDN for the load balancer. To continue without enrollment FQDN validation, select Skip Enrollment FQDN validation (not recommended), and then choose Next.

    Note:
    The internal enrollment FQDN uses the example, es.contoso.com, and the external enrollment FQDN uses the example, mobileenroll.contoso.com for MDM Enrollment Server. To clarify, the administrator must enter the FQDN of their specific MDM Enrollment Server, such as servername.yourdomain.tld. The external address is the MDM Enrollment Server address accessible from outside your company network. The internal address is the MDM Enrollment Server FQDN used from inside the company network. In some cases these FQDNs may be the same. If you are using, or will ever use, multiple servers that are running MDM Enrollment Server, you must enter the FQDN for the load balancer(s). This makes sure that Setup correctly configures the MDM certificates and service connection points (SCP).

  7. On the Enrollment Setup page, specify the port that you want to use for the Administration Web site and then choose Next. This port will be used for all MDM Enrollment Server administration. You must make sure that the port is currently not in use.

  8. On the Device Certification Authority page, in the Device Certification Authority box, type the location and the name of the certification authority that will enroll and manage the certificates for the Windows Mobile devices, and then choose Next. Type the certification authority in the form of <ca_server_name>\<ca_instance_name>. This should be a certification authority where you have the MDM certificate templates enabled.

  9. On the Server Certification Authority page, in the Certification Authority box, type the location and the name of your certification authority server and then choose Next. Type the certification authority in the form of <ca_server_name>\<ca_instance_name>. This should be a certification authority where you have MDM certificate templates enabled.

    Note:
    If you prefer manual certificate installation, select the Do not request certificates during setup check box (not recommended). If you choose to create certificates manually, see the following topic in the Technical Reference: Creating Manual Certificates.

  10. If you have not already configured Microsoft Update on the server, a Microsoft Update page will appear that prompts you to configure the server for Microsoft Update. Make your selection and choose Next.

  11. On the Ready to Install page, verify your selections, and then choose Install.

  12. Choose Finish to complete MDM Enrollment Server Setup. You must allow for enough time for Active Directory replication to finish.
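
A pre-flight check for the values entered in steps 5 through 9, as an added example that is not part of the original procedure or of the MDM product. Apart from the page's es.contoso.com and mobileenroll.contoso.com, the server names, port number, and certification authority name are constructed placeholders; the DNS lookup is this example's own check and does not reproduce Setup's enrollment FQDN validation.

```powershell
# Pre-flight check for the values typed into MDM Enrollment Server Setup.
# Every value below is a constructed placeholder; replace it with your own.
$SqlServer    = 'sql01.contoso.com'                  # step 5: SQL Server computer
$InternalFqdn = 'es.contoso.com'                     # step 6: internal enrollment FQDN
$ExternalFqdn = 'mobileenroll.contoso.com'           # step 6: external enrollment FQDN
$AdminPort    = 8445                                 # step 7: hypothetical admin site port
$CaConfigs    = @('ca01.contoso.com\Contoso-CA')     # steps 8 and 9: device and server CA

$fqdnPattern = '^[^.\s\\]+(\.[^.\s\\]+)+$'           # at least two dot-separated labels
$problems    = @()

# Step 5: localhost and localhost\<sqlinstance> are rejected; an FQDN is required.
$sqlHost = $SqlServer.Split('\')[0]
if ($sqlHost -eq 'localhost' -or $sqlHost -notmatch $fqdnPattern) {
    $problems += "SQL Server '$SqlServer' must be given as an FQDN, not localhost."
}

# Step 6: both enrollment names must be FQDNs (the load balancer's when one is used).
foreach ($name in @($InternalFqdn, $ExternalFqdn)) {
    if ($name -notmatch $fqdnPattern) { $problems += "'$name' is not an FQDN." }
}

# Names that must resolve from inside the company network (assumption of this example).
foreach ($name in @($sqlHost, $InternalFqdn)) {
    try   { [void][System.Net.Dns]::GetHostEntry($name) }
    catch { $problems += "Cannot resolve '$name' in DNS from this server." }
}

# Step 7: the Administration Web site port must not already be in use.
$ipProps   = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties()
$listeners = $ipProps.GetActiveTcpListeners()
if ($listeners | Where-Object { $_.Port -eq $AdminPort }) {
    $problems += "TCP port $AdminPort already has a listener on this server."
}

# Steps 8 and 9: CA must be <ca_server_name>\<ca_instance_name> with no stray spaces.
foreach ($ca in $CaConfigs) {
    if ($ca -ne $ca.Trim() -or $ca -notmatch '^[^\\\s]+\\[^\\]+$') {
        $problems += "CA '$ca' is not in the form <ca_server_name>\<ca_instance_name>."
    }
}

if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Output 'All Setup inputs passed the pre-flight checks.'
```

Run it on the server where Setup will run, before you start step 1, so that the port and DNS results reflect that computer.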