Before you can manage a Windows Mobile device in System Center Mobile Device Manager, you must enroll the device. Device enrollment is the mechanism that builds the relationship between the company IT network and a Windows Mobile device.
|If you want to assign devices to an Active Directory organizational unit (OU) other than the default OU, SCMDM Managed Devices, you must create the OU in Active Directory, and you must use the Set-EnrollmentPermissions cmdlet to set the appropriate permissions for that OU before you start the enrollment process. For more information, see Set-EnrollmentPermissions.|
Before you continue with the enrollment steps, make sure that you meet the following prerequisites on the Windows Mobile device:
- The device is running Windows Mobile 6.1.
- The device can connect to MDM Enrollment Server by way of an operator data plan, Wi-Fi access, or some other network connection.
- The date and time on the device are set correctly.
You achieve enrollment in two steps:
1. Creating a pre-enrollment request: You use MDM Console to enter a name for the Windows Mobile device, assign the device to a user and to an Active Directory organizational unit (OU), and create an enrollment password. This alphanumeric enrollment password is a security requirement and is necessary to complete the enrollment process. To generate the password, you use the Pre-Enrollment Wizard in MDM Console. After you finish pre-enrollment, MDM gives you a one-time enrollment password that you must communicate, together with an enrollment ID (e-mail address or user name), to the Windows Mobile device user.
Note: We recommend that you provide this password to the device user in as secure a manner as possible. The most secure approach is for the device user to obtain the enrollment password from inside the company network.
2. Completing the enrollment process: The user finishes the enrollment process on the Windows Mobile device. This procedure creates an Active Directory object for the managed device and provides a certificate for security-enhanced communication with MDM Gateway Server. The following steps summarize the second phase of the enrollment process:
1. The user receives the one-time enrollment password from the administrator.
2. The device establishes an unauthenticated SSL connection to the public Enrollment Web service.
3. The Web service component pre-authenticates the device and returns the certificate trust chain with a digital signature.
4. The device verifies the digital signature and installs the certificate trust chain.
5. The device reestablishes the SSL connection and authenticates the server certificate by checking the SSL certificate against the trust chain installed in step 4.
6. The device generates a certificate request and transmits it to the server together with a digital signature.
7. MDM Enrollment service validates the digital signature.
8. MDM Enrollment service creates a machine account for the device within Active Directory.
9. MDM Enrollment service submits the certificate request to the certification authority on behalf of the device.
10. A machine certificate is issued.
11. The machine certificate is linked to the device Active Directory object.
12. The internally-generated machine certificate returns to the device.
13. The device disconnects from the Enrollment Web service.
When the enrollment process is complete, the Windows Mobile device receives a machine certificate and the Active Directory device object is created in the designated organizational unit. The machine certificate establishes the IPsec tunnel mode communication session between the Windows Mobile device and MDM Gateway Server.
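The handshake in steps 2 to 13 above, modelled as a message exchange between the device and the server. This is an added example, not SCMDM code; because the page does not say how the signatures in steps 3 and 6 are keyed, it assumes they are HMACs keyed from the one-time enrollment password, and the trust chain, password and certificate values are constructed.

```python
import hashlib
import hmac
import secrets
# Constructed model of the device/server exchange in enrollment steps 2 to 13.
# ASSUMPTION (the page does not say how the signatures are keyed): steps 3 and 6 use HMACs
# keyed from the one-time enrollment password, the only secret both sides share beforehand.

def derive_key(enrollment_id: str, password: str) -> bytes:
    # Both sides derive the same key from the enrollment ID and the one-time password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), enrollment_id.encode(), 10_000)

def sign(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, "sha256").digest()

class EnrollmentServer:
    def __init__(self, trust_chain: bytes, pending: dict):
        self.trust_chain = trust_chain  # CA trust chain the device installs in step 4
        self.pending = pending          # pre-enrollment records: enrollment ID -> password

    def pre_authenticate(self, enrollment_id: str):
        # Step 3: return the trust chain signed under this enrollment's key. An unknown or
        # already-used enrollment ID gets an empty signature, which the device rejects.
        password = self.pending.get(enrollment_id)
        if password is None:
            return self.trust_chain, b""
        key = derive_key(enrollment_id, password)
        return self.trust_chain, sign(key, self.trust_chain + enrollment_id.encode())

    def issue(self, enrollment_id: str, csr: bytes, sig: bytes):
        # Steps 7 to 12: validate the signature, consume the one-time password, issue the cert.
        password = self.pending.get(enrollment_id)
        if password is None or not hmac.compare_digest(sign(derive_key(enrollment_id, password), csr), sig):
            return None
        del self.pending[enrollment_id]  # one-time: the password cannot enroll a second device
        return b"MACHINE-CERT:" + hashlib.sha256(csr).hexdigest().encode()

class Device:
    def __init__(self, enrollment_id: str, password: str):
        self.enrollment_id, self.key = enrollment_id, derive_key(enrollment_id, password)
        self.installed_chain = self.machine_cert = None

    def enroll(self, server: EnrollmentServer) -> bool:
        chain, sig = server.pre_authenticate(self.enrollment_id)  # steps 2/3, unauthenticated SSL
        if not hmac.compare_digest(sign(self.key, chain + self.enrollment_id.encode()), sig):
            return False  # step 4: never install a chain whose signature does not verify
        self.installed_chain = chain  # step 5 then pins later SSL connections to this chain
        csr = b"CSR:" + secrets.token_hex(8).encode()  # step 6
        self.machine_cert = server.issue(self.enrollment_id, csr, sign(self.key, csr))
        return self.machine_cert is not None
```

The two failure paths worth noting are a reused password (the server has already consumed it, so the device never installs a chain) and a server that does not hold the pre-enrollment record (its chain fails the step 4 check and is discarded).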
|After pre-enrollment, a device can be moved from one OU to another even if the destination is the default OU of another instance. However, moving the device and/or the device enrollment record between instances is not supported.|
You can cancel an enrollment request before the request completes (see Canceling a Pending Enrollment).
After enrollment is complete, you can revoke the enrollment only by wiping the device (see Creating a Wipe Request). To enroll a device again after it has been wiped, you must unblock the device (see Unblocking a Managed Device) and then create a new enrollment request.
Manually moving an enrolled device out of the SCMDMEnrolledDevices group in Active Directory is not supported and is not recommended. If a device has been manually removed from the SCMDMEnrolledDevices group, you must manually return it to the group. The correct way to remove a device from the SCMDMEnrolledDevices group is to revoke its enrollment.
|You can use MDM Shell cmdlets and PowerShell scripts to automate Windows Mobile device management tasks. For more information on enrolling devices with MDM Shell cmdlets, see Enrollment Cmdlets. MDM Device Enrollment Cleanup Tool is a PowerShell script-based tool that helps you remove managed devices from MDM when a device has been locally wiped and the entries in Active Directory and the MDM databases still exist, and when a device has not connected to the server for a long time, indicating that the account is not being used. To download MDM Device Enrollment Cleanup Tool, see MDM Client Tools at this Microsoft Web page:|
In This Section
- Creating an Enrollment Request
Describes how to create a new enrollment request through MDM Console.
- Enrolling a New Device
Describes how the user completes enrollment from the Windows Mobile device.
- Viewing Pending Enrollments
Describes how MDM Console provides easy access to information about pre-enrolled devices.
- Canceling a Pending Enrollment
Describes how to cancel an enrollment before a device joins the enterprise.