The device generates the certificate request and passes the request to MDM Enrollment Server, which impersonates the device account just long enough to submit the certificate request to the certification authority. Enrollment Server does not have permissions to the device-specific certificates and templates on the certification authority; only the device account has permissions. The private key never leaves the device.

You can perform bulk enrollments using MDM Shell. Users can also provision their own devices through MDM Self Service Portal. However, MDM Self Service Portal only provisions devices into a single organizational unit (OU) as designated by the administrator. To download MDM Self Service Portal, see this Microsoft Web site: http://go.microsoft.com/fwlink/?LinkId=116083 .

MDM has no administrative tools for un-enrolling a device. You should submit a wipe request for the device to remove all of the appropriate objects, such as the objects in Active Directory and SQL Server. Wiping also adds the device to the Blocked Devices list. The enrollment record remains in the database so that MDM can block the device. When re-enrolling a device, you should specify a new device name.

By default, MDM uses localhost@EnrollmentServer.comto send the e-mail message containing the one-time enrollment password. To specify an SMTP server for sending these messages, run the following command in MDM Shell:

	Copy Code
set-EnrollmentConfig -SmtpServer smtp.yourdomain.com

You can modify the other parameters similarly by running the following commands:

	Copy Code
set-EnrollmentConfig -SmtpServer set-EnrollmentConfig -EmailSubject set-EnrollmentConfig -EmailBodyTemplate set-EnrollmentConfig -EmailSender

On the device, select Settings, select Connections, and then select Domain Enroll. The Device Statusfield indicates if the device is enrolled or not.