Step 2: Installing MDM Enrollment Server

2/9/2009

The following steps show you how to install Mobile Device Manager Enrollment Server for the MDM system. Enrollment is a one-time process that is required to join a Windows Mobile device to your company domain. During MDM Enrollment Server Setup, the domain certification authority issues two Secure Sockets Layer (SSL) certificates for MDM Enrollment Server. The Active Directory Configuration Tool (ADConfig) creates the template for this certificate automatically by using the /createtemplates and /enabletemplates parameters as discussed in Step 1a: Configuring the Active Directory Domain for MDM.

Important

We strongly recommend that you use a proxy server to provide more secure Web publishing for MDM Enrollment Server on the company network. Microsoft Internet Security and Acceleration (ISA) Server 2006, although not required, can provide this functionality. For more information about MDM perimeter network configuration, best practices, and general network deployment information, see the MDM Planning Guide. Also, you may use enrollment autodiscovery in Microsoft System Center Mobile Device Manager (MDM) 2008 Service Pack 1. For a detailed description, see Using Enrollment Autodiscovery in Mobile Device Manager 2008 Service Pack 1 in Best Practices in MDM Deployment.

You may install the MDM Enrollment Server, MDM Device Management Server, and MDM Administrator Tools in any order. However, the MDM Gateway Server setup must be performed after the installation of the previous components.

MDM Enrollment Server Installation Procedures

The following procedures represent a single MDM Enrollment Server installation. If you deploy multiple computers that are running MDM Enrollment Server, the related device certification authority and Administrative Web site port pages will not appear after the first MDM Enrollment Server installation. The computer that is running the SQL database instance for MDM, and the Active Directory service connection points (SCPs), store the information that is collected from these screens for successive MDM Enrollment Server installations. Additionally, if you deploy multiple computers that are running MDM Enrollment Server, you must enter the information for the load balancer in the Setup wizard instead of the information for the individual computer that is running MDM Enrollment Server. Even if you install only one server, whether or not you use a load-balanced scenario, you can avoid manual certificate steps later by using a load balancer. For more information about load balancers and load balancing topologies, see MDM System Topologies in the MDM Planning Guide.

Before you install and deploy MDM by following the steps in this guide, you must first plan your deployment and configure your IT environment. To do this, follow the steps and guidelines in the MDM Planning Guide. MDM Deployment Checklists specifies the permissions and roles required to complete the following steps.

To install MDM Enrollment Server

  1. On the installation disc for System Center Mobile Device Manager, on the Setup menu, choose Enrollment Server.

  2. On the Enrollment Server Setup page, choose Next.

  3. Read the Microsoft Software License Terms and then select the I accept the License Terms for Microsoft Software check box. Choose Next.

  4. On the Instance Selection page, select the instance you want to add the server to. You can only add servers to MDM instances of which you are a server administrator. Choose Next.

  5. On the Installation Directory page, type the path of the directory, or accept the default directory path, and then choose Next.

  6. On the Database Installation page, type the fully qualified domain name (FQDN) for the location of the computer that is running Microsoft SQL Server. If you have a server that is running Microsoft SQL Server locally, you must still supply the FQDN; you cannot enter localhost or localhost\<sqlinstance>. Select the Current Windows credentials check box, unless you can access the SQL database instance only by using another user name and password. Choose Next.

  7. On the Enrollment Server Location page, in the Configure the Enrollment Server section, type the external FQDN for MDM Enrollment Server in the External Enrollment Server FQDN box. Type the internal FQDN in the Internal Enrollment Server FQDN box. If you are using more than one server that is running MDM Enrollment Server, type the internal and external FQDN for the load balancer. To continue without enrollment FQDN validation, select Skip external FQDN validation (not recommended), and then choose Next.

    Note

    This guide uses es.contoso.com as the example internal enrollment FQDN and mobileenroll.contoso.com as the example external enrollment FQDN for MDM Enrollment Server. The administrator must enter the FQDN of their specific MDM Enrollment Server, such as servername.yourdomain.tld. The external address is the MDM Enrollment Server address accessible from outside your company network. The internal address is the MDM Enrollment Server FQDN used from inside the company network. In some cases these FQDNs may be the same. If you are using, or will ever use, multiple servers that are running MDM Enrollment Server, you must enter the FQDN for the load balancer(s). This makes sure that Setup correctly configures the MDM certificates and service connection point (SCP).

  8. On the Enrollment Setup page, specify the port that you want to use for the Administration Web site and then choose Next. This port will be used for all MDM Enrollment Server administration. You must make sure that the port is currently not in use.

  9. On the Device Certification Authority page, in the Device Certification Authority box, type the location and the name of the certification authority that will enroll and manage the certificates for the Windows Mobile devices, and then choose Next. Type the certification authority in the form of <ca_server_name>\<ca_instance_name>. This should be a certification authority where you have the MDM certificate templates enabled.

  10. On the Server Certification Authority page, in the Certification Authority box, type the location and the name of your certification authority server and then choose Next. Type the certification authority in the form of <ca_server_name>\<ca_instance_name>. This should be a certification authority where you have MDM certificate templates enabled.

    Note

    If you prefer manual certificate installation, select the Do not request certificates during Setup check box (not recommended). If you choose to create certificates manually, see the following topic in the Technical Reference: Manual Certificate Procedures.

  11. If you have not already configured Microsoft Update on the server, a Microsoft Update page will appear that prompts you to configure the server for Microsoft Update. Make your selection and choose Next.

  12. On the Ready to Install page, verify your selections, and then choose Install.

  13. Choose Finish to complete MDM Enrollment Server Setup. You must allow for enough time for Active Directory replication to finish.
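
A pre-flight check for the values entered in steps 6 through 10, as an added example that is not part of the original procedure or of any MDM tooling. The host names, port number and CA names are constructed placeholders, and the function names Test-Fqdn and Test-MdmSetupInput are hypothetical.

```powershell
# Added example: pre-flight check of the values typed into Enrollment Server Setup.
# All values below are constructed placeholders; contoso.com names follow the page's Note.
$setup = @{
    SqlServer    = 'sql01.contoso.com'            # step 6
    ExternalFqdn = 'mobileenroll.contoso.com'     # step 7
    InternalFqdn = 'es.contoso.com'               # step 7
    AdminPort    = 8443                           # step 8
    DeviceCA     = 'ca01.contoso.com\Contoso-CA'  # step 9
    ServerCA     = 'ca01.contoso.com\Contoso-CA'  # step 10
}

function Test-Fqdn([string]$Name) {
    # Two or more dot-separated labels of letters, digits and inner hyphens
    return $Name -match '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
}

function Test-MdmSetupInput([hashtable]$In) {
    $problems = @()
    # Step 6: an FQDN is required even for a local SQL Server; localhost forms fail here
    if (-not (Test-Fqdn $In.SqlServer)) {
        $problems += "SqlServer '$($In.SqlServer)' must be an FQDN, not localhost or localhost\<sqlinstance>"
    }
    # Step 7: enrollment names (the load balancer's, if there is one) must be FQDNs
    foreach ($key in 'ExternalFqdn', 'InternalFqdn') {
        if (-not (Test-Fqdn $In[$key])) { $problems += "$key '$($In[$key])' is not an FQDN" }
    }
    # Step 8: the Administration Web site port must not already have a TCP listener
    $listeners = [System.Net.NetworkInformation.IPGlobalProperties]::GetIPGlobalProperties().GetActiveTcpListeners()
    if ($In.AdminPort -lt 1 -or $In.AdminPort -gt 65535) {
        $problems += "AdminPort $($In.AdminPort) is outside 1-65535"
    } elseif ($listeners | Where-Object { $_.Port -eq $In.AdminPort }) {
        $problems += "AdminPort $($In.AdminPort) is already in use on this computer"
    }
    # Steps 9 and 10: <ca_server_name>\<ca_instance_name>, both parts non-empty
    foreach ($key in 'DeviceCA', 'ServerCA') {
        $parts = ([string]$In[$key]).Split('\')
        if ($parts.Length -ne 2 -or -not $parts[0].Trim() -or -not $parts[1].Trim()) {
            $problems += "$key '$($In[$key])' is not in the form <ca_server_name>\<ca_instance_name>"
        }
    }
    return $problems
}

$problems = @(Test-MdmSetupInput $setup)
if ($problems.Count -eq 0) {
    'All Setup inputs passed the pre-flight checks.'
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

Run it on the computer that will host MDM Enrollment Server, because the port check inspects that computer's own TCP listeners.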