For a Windows Mobile device to connect to Mobile Device Manager Gateway Server, you must enroll the Windows Mobile device in the Active Directory Domain Service. The Enrollment service bundles the services necessary to give a client an authenticated identity on the domain.
MDM Enrollment Server provides the Administration service, the Enrollment Web service, and the Enrollment service.
The Administration service provides the interface through which cmdlets (for command-line configuration) and other services interact with the server. This includes configuring services and requesting new enrollment passwords. MDM Console and the MDM Shell cmdlets use these services.
The Enrollment Web service manages incoming requests from Windows Mobile devices to enroll on the company network. When the Enrollment Web service receives a request, it manages communications with the Windows Mobile device until the device is enrolled. Afterward, MDM Gateway Server handles communications.
The Enrollment service processes all incoming enrollment requests. This includes communication with Active Directory Domain Service and with the company's public key infrastructure (PKI).
You should prevent MDM Enrollment Server from accessing other computer accounts in Active Directory. To restrict the Active Directory permissions of MDM Enrollment Server so that it can reach only MDM managed device accounts, do the following:
- In Active Directory, create one or more separate organizational units (OUs) to contain MDM managed device accounts.
- Restrict MDM Enrollment Server access permissions to the OUs reserved for MDM managed device accounts. You can use the Set-EnrollmentPermissions cmdlet to grant MDM Enrollment Server permission to create managed device accounts in the specified OUs. For more information about this cmdlet, see the topic Set-EnrollmentPermissions in Administrator Tools Help, or at the MDM Shell prompt, type get-help set-enrollmentpermissions -detailed
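The following PowerShell script is an added example, not part of the MDM documentation or the MDM Shell. After the OUs have been created and Set-EnrollmentPermissions has been run, it audits which OUs (and the domain root) grant the MDM Enrollment Server computer account rights that allow creating or modifying objects, and flags any grant outside the reserved OUs. The account name CONTOSO\MDMENROLL01$, the OU OU=MDM Devices,DC=contoso,DC=com and the use of the ActiveDirectory module's AD: drive are assumptions for illustration.

```powershell
# Added example (not MDM product code): check that the MDM Enrollment Server
# account can create or change objects only in the OUs reserved for managed devices.
Import-Module ActiveDirectory

$enrollmentServer = 'CONTOSO\MDMENROLL01$'                  # assumed computer account of MDM Enrollment Server
$reservedOUs      = @('OU=MDM Devices,DC=contoso,DC=com')   # assumed OU(s) created for managed device accounts

# Rights that let an account add objects or change existing ones
$sensitive = 'CreateChild|WriteProperty|GenericWrite|GenericAll|WriteDacl|WriteOwner'

# Audit the domain root too: a grant there is inherited by every OU beneath it.
$targets = @((Get-ADDomain).DistinguishedName) +
           @(Get-ADOrganizationalUnit -Filter * | Select-Object -ExpandProperty DistinguishedName)

$findings = foreach ($dn in $targets) {
    $acl = Get-Acl -Path "AD:\$dn"
    foreach ($ace in $acl.Access) {
        if ($ace.IdentityReference.Value -ne $enrollmentServer) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($ace.ActiveDirectoryRights -notmatch $sensitive) { continue }
        [pscustomobject]@{
            Container = $dn
            Rights    = $ace.ActiveDirectoryRights
            Inherited = $ace.IsInherited
            Reserved  = ($reservedOUs -contains $dn)
        }
    }
}

$findings | Sort-Object Reserved | Format-Table -AutoSize

$outside = @($findings | Where-Object { -not $_.Reserved })
if ($outside.Count -gt 0) {
    Write-Warning ("MDM Enrollment Server holds write rights on {0} container(s) outside the reserved OUs." -f $outside.Count)
} else {
    Write-Output 'OK: MDM Enrollment Server write rights are limited to the reserved OUs.'
}
```

Run it from an account that can read the DACLs of the containers being audited. A grant reported on the domain root or on an OU that is not in the reserved list, even an inherited one, means the server could still create or modify computer accounts outside the OUs you set aside for managed devices.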
|As an alternative to enrolling a device over the air (OTA), you can also enroll a device when it is tethered to a computer. Make sure that Desktop Passthrough (DTPT) on the computer is enabled and that the device has Internet/intranet access to the Enrollment server through the passthrough.|
The following shows how MDM Enrollment Server processes a new Windows Mobile device:
1. The administrator creates a new device enrollment request. This creates an Active Directory Domain Service account for the Windows Mobile device and generates a password that is sent to the user of the device to be enrolled.
2. The user starts the Domain Enroll application on the Windows Mobile device and enters an e-mail address and the password supplied in step 1.
3. The Windows Mobile device connects to MDM Enrollment Server and requests the Enterprise Trust Root Certificate.
4. The wizard on the device generates a certificate request and sends it to MDM Enrollment Server, together with a hash value generated from the password.
5. MDM Enrollment Server then forwards the certificate request to the Windows Enterprise certification authority, which issues a machine certificate based on the request.
6. The machine certificate is sent to the Windows Mobile device, together with the information necessary to connect to the VPN and MDM Device Management Server.
7. The process is complete and the managed device disconnects from MDM Enrollment Server. The managed device can now authenticate to MDM Gateway Server and communicate with the company network.
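The script below is an added example, not MDM code, that models the exchange in steps 1 through 6 so the security property is visible: the device proves it holds the enrollment password by sending a hash of it alongside the certificate request, and the plaintext password never crosses the wire. The real MDM wire format, hash construction and certificate request are not described on this page; SHA-256 over "email:password", a string standing in for the certificate request, the one-time use of the password, and the gateway name mdm-gw.contoso.com are assumptions made here for illustration.

```powershell
# Added example (not MDM product code): a simplified model of the enrollment exchange.
# Assumption: the enrollment hash is SHA-256 over "email:password"; MDM's real scheme is not on the page.

function Get-EnrollmentHash {
    param([string]$Email, [string]$Password)
    $sha  = [System.Security.Cryptography.SHA256]::Create()
    $data = [Text.Encoding]::UTF8.GetBytes("${Email}:${Password}")
    return ([BitConverter]::ToString($sha.ComputeHash($data))).Replace('-', '')
}

function New-EnrollmentRequest {
    # Step 1: the administrator creates the request. The server keeps only the hash;
    # the generated password goes to the user out of band.
    param([string]$Email, [hashtable]$Store)
    $bytes = New-Object byte[] 16
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    $password = [Convert]::ToBase64String($bytes)
    $Store[$Email] = @{ Hash = (Get-EnrollmentHash -Email $Email -Password $password); Used = $false }
    return $password
}

function Invoke-DeviceEnrollment {
    # Steps 2-4: the device sends the e-mail address, its certificate request and the
    # hash derived from the password. The password itself is never transmitted.
    param([string]$Email, [string]$Password, [string]$Csr)
    return @{ Email = $Email; Csr = $Csr; Hash = (Get-EnrollmentHash -Email $Email -Password $Password) }
}

function Approve-EnrollmentRequest {
    # Steps 5-6: the server verifies the hash before forwarding the request to the CA,
    # then returns the certificate with the VPN connection details.
    param([hashtable]$Request, [hashtable]$Store)
    $entry = $Store[$Request.Email]
    if (-not $entry -or $entry.Used) { return $null }
    # Constant-time comparison so response timing does not reveal how much of the hash matched.
    $a = [Text.Encoding]::UTF8.GetBytes($entry.Hash)
    $b = [Text.Encoding]::UTF8.GetBytes($Request.Hash)
    if ($a.Length -ne $b.Length) { return $null }
    $diff = 0
    for ($i = 0; $i -lt $a.Length; $i++) { $diff = $diff -bor ($a[$i] -bxor $b[$i]) }
    if ($diff -ne 0) { return $null }
    $entry.Used = $true   # assumed hardening: the enrollment password is accepted once
    return @{ Certificate = "ISSUED-FOR($($Request.Csr))"; VpnGateway = 'mdm-gw.contoso.com' }  # assumed values
}

# Walk-through with constructed values
$store    = @{}
$password = New-EnrollmentRequest -Email 'user@contoso.com' -Store $store        # step 1

$wrong = Invoke-DeviceEnrollment -Email 'user@contoso.com' -Password 'guess' -Csr 'CSR-DEVICE01'
Approve-EnrollmentRequest -Request $wrong -Store $store                          # returns nothing: hash mismatch

$good = Invoke-DeviceEnrollment -Email 'user@contoso.com' -Password $password -Csr 'CSR-DEVICE01'
Approve-EnrollmentRequest -Request $good -Store $store                           # returns certificate + VPN details
Approve-EnrollmentRequest -Request $good -Store $store                           # returns nothing: password already used
```

The two refusals are the detection points worth logging on a real enrollment server: a hash mismatch for a known e-mail address indicates a wrong or guessed password, and a replay of an already-consumed request indicates that the hash was captured and resent.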