MDM Enrollment Server provides Administration service, Enrollment Web service, and Enrollment service.

The Administration service provides the interface for cmdlets that support command-line configuration and other services to interact with the server. This includes configuring services and requesting new enrollment passwords. MDM Console or the MDM Shell cmdlets address these services.

The Enrollment Web service manages incoming requests from Windows Mobile devices to enroll on the company network. When the Enrollment Web service receives a request, it manages communications with the Windows Mobile device until it enrolls. Afterward, MDM Gateway Server handles communications.

The Enrollment service processes all incoming enrollment requests. This includes Active Directory Domain Service and public key infrastructure (PKI) communication to the company.

You should prevent MDM Enrollment Server from accessing other computer accounts in Active Directory. To restrict Active Directory permissions for MDM Enrollment Server to allow only MDM managed devices, do the following:

1. In Active Directory, create one or more separate Organization Units (OU) to contain MDM managed device accounts.
   
   
2. Restrict MDM Enrollment Server access permissions to the OUs reserved for MDM managed device accounts. You can use the Set-EnrollmentPermissionscmdlet to grant MDM Enrollment Server permission to create managed device accounts in the specified OUs. For more information about this cmdlet, see the topic Set-EnrollmentPermissions in Administrator Tools Help, or at the MDM Shell prompt, type get-help set-enrollmentpermissions -detailed .
   
   

The following shows how MDM Enrollment Server processes a new Windows Mobile device:

Note:
As an alternative to enrolling a device over the air (OTA), you can also enroll a device when it is tethered to a computer. Make sure that Desktop Passthrough (DTPT) on the computer is enabled and that the device has Internet/intranet access to the Enrollment server through the passthrough.

1. The administrator creates a new device enrollment request. This creates an Active Directory Domain Service account for the Windows Mobile device and generates a password that is sent to the user of the device to be enrolled.
   
   
2. The user starts the Domain Enroll application on the Windows Mobile device and enters an e-mail address and the password supplied in step 1.
   
   
3. The Windows Mobile device connects to MDM Enrollment Server and requests the Enterprise Trust Root Certificate.
   
   
4. The wizard on the device generates a certificate request and sends it to MDM Enrollment Server, together with a hash value generated from the password.
   
   
5. MDM Enrollment Server then forwards the certificate request to the Windows Enterprise certification authority, which issues a machine certificate based on the request.
   
   
6. The machine certificate is sent to the Windows Mobile device, together with the information necessary to connect to the VPN and MDM Device Management Server.
   
   
7. The process is complete and the managed device disconnects from MDM Enrollment Server. The managed device can now authenticate to MDM Gateway Server and communicate with the company network.