Device Enrollment with Mobile Device Manager

2/9/2009

Before a Windows Mobile device can connect to Mobile Device Manager Gateway Server, it must establish itself as a known and authenticated object in the Active Directory Domain Service. In general, this is accomplished in the following way:

  1. A Windows Mobile device requests a certificate.
  2. MDM Enrollment Server creates an Active Directory Domain Service computer account for the device and issues the machine certificate based on the certificate request. MDM Enrollment Server also links the computer account to the Active Directory account for the user.
  3. MDM Enrollment Server then creates a link between the certificate and the device object in the Active Directory Domain Service.

By design, this process includes issuing an enrollment password that is for one-time use within a default eight-hour time period. If the enrollment process fails, the password remains valid until it is either used successfully or expires. After expiration, a new enrollment request must be generated and the new password communicated to the user.

Device enrollment in a multiple-instance scenario differs slightly from that in a scenario that has only one MDM instance.

Device Enrollment for One Instance

The following illustration shows device enrollment in a one-instance scenario.


The following enrollment steps show how a Windows Mobile device can authenticate to MDM Gateway Server and become an MDM–managed device:

  1. A device enrollment request is generated.
  2. The device enrollment request process generates a one-time enrollment password that is shared with the user of the device in a security-enhanced manner. Also, the MDM Enrollment Server creates an Active Directory computer account for the device.
  3. The user starts the enrollment wizard on the device and provides the e-mail address that the wizard uses to discover and connect to MDM Enrollment Server.
    If the enrollment process cannot discover the address for MDM Enrollment Server, it prompts the user for the URL.
  4. The enrollment wizard on the Windows Mobile device contacts MDM Enrollment Server and requests the Enterprise Trust Root Certificate.
  5. The enrollment wizard authenticates the server response by verifying that the returned data was derived from the one-time enrollment password and the Enterprise Trust Root Certificate.
  6. The enrollment wizard generates a certificate request and sends it to MDM Enrollment Server together with a hash that is generated from the one-time enrollment password and the certificate request.
  7. MDM Enrollment Server locates the Active Directory Domain Service computer account for the device, and the device certificate is issued based on the certificate request received from the device. MDM Enrollment Server also links the computer account to the Active Directory account for that user.
  8. The machine certificate is returned to the device, completing the process.
  9. The device disconnects from MDM Enrollment Server.
  10. If the mobile virtual private network (VPN) is required, the user is prompted to reset the device.
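The following is an added simulation, not code from MDM or this page, of the one-time enrollment password lifecycle described above and of the password-bound exchange in steps 4 through 8. MDM does not document how the server response and the step-6 hash are derived from the enrollment password, so HMAC-SHA256 keyed with the password is an assumed stand-in; the certificate, root certificate and device identifiers are constructed values.

```python
import hashlib, hmac, secrets

ENROLL_WINDOW = 8 * 3600  # default eight-hour validity, in seconds

class PreEnrollmentRecord:
    """One pre-enrollment request: its password, expiry, and whether it was consumed."""
    def __init__(self, device_id, now):
        self.device_id = device_id
        self.password = secrets.token_urlsafe(12)  # shared with the user out of band
        self.expires_at = now + ENROLL_WINDOW
        self.used = False

    def is_valid(self, now):
        # A failed attempt does not consume the password; only success or expiry ends it
        return not self.used and now < self.expires_at

def bind(password, data):
    """Assumed stand-in for 'derived from the one-time password' (step 5) and the step-6 hash."""
    return hmac.new(password.encode(), data, hashlib.sha256).hexdigest()

class EnrollmentServer:
    def __init__(self, root_cert):
        self.root_cert = root_cert  # Enterprise Trust Root Certificate (constructed bytes)
        self.records = {}

    def create_request(self, device_id, now):  # steps 1-2
        rec = PreEnrollmentRecord(device_id, now)
        self.records[device_id] = rec
        return rec

    def trust_root_response(self, device_id):  # step 4
        rec = self.records[device_id]
        return self.root_cert, bind(rec.password, self.root_cert)

    def issue(self, device_id, csr, csr_mac, now):  # steps 7-8
        rec = self.records.get(device_id)
        if rec is None or not rec.is_valid(now):
            return None  # expired or already used: a new request must be generated
        if not hmac.compare_digest(bind(rec.password, csr), csr_mac):
            return None  # hash does not match: the record stays valid for a retry
        rec.used = True  # consumed only on successful issuance
        return b"CERT:" + hashlib.sha256(csr).digest()[:8]  # stand-in for the machine certificate

def device_enroll(server, device_id, password, csr, now):
    """Device side: verify the trust root response (step 5), then send the bound request (step 6)."""
    root, proof = server.trust_root_response(device_id)
    if not hmac.compare_digest(bind(password, root), proof):
        return None  # response not derived from the password the user was given
    return server.issue(device_id, csr, bind(password, csr), now)
```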

Device Enrollment for Multiple Instances

In MDM 2008 SP1, an instance is a separate, independent installation of MDM in a forest or in a domain. When you install more than one instance of MDM, each instance requires an MDM Enrollment Server. In a multiple-instance scenario, when you want to enable enrollment autodiscovery so the user does not have to provide a URL, only one MDM Enrollment Server is published to the Internet with the mobileenroll.<domain.com> name. The MDM Enrollment Servers for the other instances may still be accessed through the Internet but must be given a different external name, such as mobileenroll02.<domain.com>, and must have Secure Sockets Layer (SSL) certificates corresponding to that published name. All communication for device enrollment goes to this published server.

When you install an MDM Enrollment Server in more than one instance, the MDM Enrollment Server published to the Internet relays incoming enrollment requests to other MDM Enrollment Servers to find a valid pre-enrollment record. It returns all MDM Enrollment Server names that have a pre-enrollment record for the device. The device then establishes communication with one of these MDM Enrollment Servers to complete the enrollment process.

The following illustration shows the enrollment process in a multiple-instance scenario.


In this example, instance 1 and instance 2 each contain an MDM Enrollment Server. The following steps describe the enrollment process:

  1. A pre-enrollment request is created for instance 2.
  2. The user begins the enrollment process on the Windows Mobile device.
  3. The mobile device discovers the public MDM Enrollment Server in instance 1.
  4. The MDM Enrollment Server in instance 1 checks the Active Directory service connection points (SCPs) that contain information for all instances. It contacts the MDM Enrollment Servers for all other instances in the Active Directory forest, and in this case finds the pre-enrollment request for the user in instance 2.
  5. The MDM Enrollment Server in instance 1 searches internally for the Domain Name System (DNS) name of the MDM Enrollment Server in instance 2. Once it is located, the external DNS name of the MDM Enrollment Server in instance 2 is provided to the device.
  6. The mobile device is redirected to the MDM Enrollment Server in instance 2, and the user is asked to supply a password. This completes the enrollment process.

MDM 2008 SP1 also supports enrollment autodiscovery that finds a specific MDM Enrollment Server from an e-mail address that the user enters in the device enrollment tool.

Note

Enrollment autodiscovery in MDM 2008 SP1 works for devices that are running Windows Mobile 6.1.4 or later. On previous versions, autodiscovery works only if all devices are enrolled to the instance that has the published MDM Enrollment Server.

For more information about using enrollment autodiscovery, see Best Practices in MDM Deployment, under MDM Server Installation.