Enrolling Devices

2/9/2009

Before you can manage a Windows Mobile device in System Center Mobile Device Manager, you must enroll the device. Device enrollment is the mechanism that builds the relationship between the company IT network and a Windows Mobile device.

Note

If you want to assign devices to an Active Directory organizational unit (OU) other than the default OU, SCMDM Managed Devices, you must create the OU in Active Directory, and you must use the Set-EnrollmentPermissions cmdlet to set the appropriate permissions for that OU before you start the enrollment process. For more information, see Set-EnrollmentPermissions.

Before you continue with the enrollment steps, make sure that you meet the following prerequisites on the Windows Mobile device:

  • The device is running Windows Mobile 6.1.
  • The device can connect to MDM Enrollment Server by way of an operator data plan, Wi-Fi access, or some other network connection.
  • The date and time on the device are set correctly.

You achieve enrollment in two steps:

  1. Creating a pre-enrollment request: You use MDM Console to enter a name for the Windows Mobile device, assign the device to a user and to an Active Directory organizational unit (OU), and create an enrollment password. This alphanumeric enrollment password is a security requirement and is necessary to complete the enrollment process. To generate the password, you use the Pre-Enrollment Wizard in MDM Console. After you finish pre-enrollment, MDM gives you a one-time enrollment password that you must communicate, together with an enrollment ID (e-mail address or user name), to the Windows Mobile device user.

    Note

    We recommend that you provide this password to the device user in as secure a manner as possible. The most secure approach is for the device user to obtain the enrollment password from inside the company network.

  2. Completing the enrollment process: The user finishes the enrollment process on the Windows Mobile device. This procedure creates an Active Directory object for the managed device and provides a certificate for security-enhanced communication with MDM Gateway Server. The following steps summarize the second phase of the enrollment process:

    1. The user receives the one-time enrollment password from the administrator
    2. The device establishes an unauthenticated SSL connection to the public Enrollment Web service
    3. The Web service component pre-authenticates the device and returns the certificate trust chain with a digital signature
    4. The device verifies the digital signature and installs the certificate trust chain
    5. The device reestablishes the SSL connection, and authenticates the server certificate by checking the SSL certificate against the trust chain installed in step 4
    6. The device generates a certificate request, and transmits it to the server together with a digital signature
    7. MDM Enrollment service validates the digital signature
    8. MDM Enrollment service creates a machine account for the device within Active Directory
    9. MDM Enrollment service submits the certificate request to the certification authority on behalf of the device
    10. A machine certificate is issued
    11. The machine certificate is linked to the device Active Directory object
    12. The internally-generated machine certificate returns to the device
    13. The device disconnects from the Enrollment Web service

When the enrollment process is complete, the Windows Mobile device receives a machine certificate and the Active Directory device object is created in the designated organizational unit. The machine certificate establishes the IPsec tunnel mode communication session between the Windows Mobile device and MDM Gateway Server.
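The following is an added, constructed model of the two-phase enrollment described above, not SCMDM's own code: the real wire format and signing scheme are not given on this page, so the model assumes that the one-time enrollment password keys the signatures on the trust chain and on the certificate request, which is what makes the password single use and lets the device verify the chain before trusting the server.

```python
import hashlib, hmac, os, secrets
# Constructed model; it assumes (not stated on the page) that the one-time
# enrollment password keys both signatures exchanged during enrollment.

def derive_key(password, enrollment_id):
    """Both sides derive a MAC key from the one-time password and the enrollment ID."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), enrollment_id.encode(), 10_000)

def sign(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

class EnrollmentServer:
    """Stands in for MDM Enrollment Server plus the certification authority."""
    def __init__(self, trust_chain):
        self.trust_chain = trust_chain
        self.pending = {}   # enrollment_id -> (device_name, ou, key): step 1 requests
        self.devices = {}   # device_name -> (ou, machine cert): the AD device objects

    def pre_enroll(self, device_name, enrollment_id, ou="SCMDM Managed Devices"):
        password = secrets.token_urlsafe(9)          # one-time enrollment password
        self.pending[enrollment_id] = (device_name, ou, derive_key(password, enrollment_id))
        return password                              # given to the user out of band

    def get_trust_chain(self, enrollment_id):
        """Step 3: pre-authenticate by enrollment ID, return the chain plus signature."""
        if enrollment_id not in self.pending:
            raise PermissionError("no pending pre-enrollment for " + enrollment_id)
        key = self.pending[enrollment_id][2]
        return self.trust_chain, sign(key, self.trust_chain)

    def enroll(self, enrollment_id, csr, csr_sig):
        """Steps 7-12: verify the signature, create the AD object, issue the cert."""
        device_name, ou, key = self.pending.get(enrollment_id, (None, None, None))
        if key is None or not hmac.compare_digest(sign(key, csr), csr_sig):
            raise PermissionError("bad or replayed enrollment signature")
        del self.pending[enrollment_id]              # the password is consumed here
        cert = b"CERT:" + device_name.encode() + b":" + csr
        self.devices[device_name] = (ou, cert)       # cert linked to the device object
        return cert

def device_enroll(server, enrollment_id, password):
    """Steps 2-6 and 13 from the device side."""
    key = derive_key(password, enrollment_id)
    chain, chain_sig = server.get_trust_chain(enrollment_id)   # unauthenticated SSL
    if not hmac.compare_digest(sign(key, chain), chain_sig):
        raise ValueError("trust chain signature invalid; not installing it")
    # chain installed; step 5 would now validate the server certificate against it
    csr = b"CSR:" + os.urandom(8).hex().encode()
    return server.enroll(enrollment_id, csr, sign(key, csr))
```

A second attempt with the same password is refused because the pending request was deleted when the certificate was issued, which mirrors the page's point that a completed enrollment can only be revoked by wiping and re-enrolling.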

Note

After pre-enrollment, a device can be moved from one OU to another even if the destination is the default OU of another instance. However, moving the device and/or the device enrollment record between instances is not supported.

You can cancel an enrollment request before the request completes (see Canceling a Pending Enrollment).

Once the enrollment is completed, you can revoke the enrollment only by wiping the device (see Wiping Managed Devices). To enroll a device again after it has been wiped, you must unblock the device (see Unblocking a Managed Device) and then create a new enrollment request.

Manually moving an enrolled device out of the SCMDMEnrolledDevices group in Active Directory is not supported and is not recommended. If a device has been manually removed from the SCMDMEnrolledDevices group, you must manually return it to the group. The correct way to remove a device from the SCMDMEnrolledDevices group is to revoke its enrollment.

Note

You can use MDM Shell cmdlets and PowerShell scripts to automate Windows Mobile device management tasks. For more information on enrolling devices with MDM Shell cmdlets, see Device Enrollment Cmdlets. MDM Device Enrollment Cleanup Tool is a PowerShell script-based tool that helps you remove managed devices from MDM when a device has been locally wiped and the entries in Active Directory and the MDM databases still exist, and when a device has not connected to the server for a long time, indicating the account is not being used. To download MDM Device Enrollment Cleanup Tool, see MDM Client Tools at this Microsoft Web page: https://go.microsoft.com/fwlink/?LinkID=127030&clcid=0x409.

See Also

Reference

Set-EnrollmentPermissions

Concepts

Overview of MDM Management Console

Other Resources

Device Enrollment Cmdlets