MDM Enrollment Server Architecture

2/9/2009

Mobile Device Manager Enrollment Server provides the services that are required to enable a Windows Mobile device to join the managed device environment.

The following illustration shows the architecture of MDM Enrollment Server.


The MDM Enrollment Server has the following components:

  • Administration services: This collection of Web services is functionally similar to the administration services on MDM Device Management Server. Because the Enrollment Web service uses TCP port 443, the administration services use other TCP ports that the administrator can configure. The default administration Web site port for enrollment is 8445.
  • Enrollment Web service: Internet Information Services (IIS) hosts this Web service that manages incoming requests from Windows Mobile devices to enroll in the managed infrastructure. After the Enrollment Web service receives a request, the service manages later communications with the Windows Mobile device until it becomes a domain-joined managed device. Then, MDM Gateway Server handles the communications.
  • Enrollment service: This Windows service handles all communications with your Active Directory Domain Services and PKI infrastructure.

MDM Enrollment Server provides a protected over-the-air (OTA) process to request and retrieve certificates for Windows Mobile devices. To help protect against malicious attacks, MDM Enrollment Server uses shared-secret encryption to perform protected enrollment over nonsecure connections, such as public General Packet Radio Service (GPRS) or other mobile data networks. This lets users enroll their devices without cradling them and without physical access to the company network.

Regardless of the size of your organization, the enterprise requires only one MDM Enrollment Server. If your company has to support the concurrent enrollment of thousands of Windows Mobile devices, treat MDM Enrollment Server as you would any server that is running IIS: follow the best practices for any IIS instance, scale MDM Enrollment Server according to the expected traffic load, and help protect it by placing a proxy in front of it.

For more information about how MDM Enrollment Server enrolls a Windows Mobile device into the managed environment, see Device Enrollment with Mobile Device Manager.