Device Enrollment

March 23rd, 2009

Before a Windows Mobile device can connect to Mobile Device Manager Gateway Server, it must establish itself as a known and authenticated object in the Active Directory Domain Service. In general, this is accomplished in the following way:

A Windows Mobile device requests a certificate.

MDM Enrollment Server creates an Active Directory Domain Service computer account for the device and issues the machine certificate based on the certificate request. MDM Enrollment Server also links the computer account to the Active Directory account for the user.

MDM Enrollment Server then creates a link between the certificate and the device object in the Active Directory Domain Service.

By design, this process includes issuing an enrollment password that is for one-time use within a default eight-hour time period. If the enrollment process fails, the password remains valid until it is either used successfully or expires. After expiration, a new enrollment request must be generated and the new password communicated to the user.

[Figure: device enrollment]

The following enrollment steps show how a Windows Mobile device can authenticate to MDM Gateway Server and become an MDM-managed device:

  1. A device enrollment request is generated.
  2. The device enrollment request process generates a one-time enrollment password that is shared with the user of the device in a security-enhanced manner. Also, the MDM Enrollment Server creates an Active Directory computer account for the device.
  3. The user starts the enrollment wizard on the device and provides the e-mail address that the wizard uses to discover and connect to MDM Enrollment Server.
    If the enrollment process cannot discover the address for MDM Enrollment Server, it prompts the user for the URL.
  4. The enrollment wizard on the Windows Mobile device contacts MDM Enrollment Server and requests the Enterprise Trust Root Certificate.
  5. The enrollment wizard authenticates the server response by verifying that the returned data was derived from the one-time enrollment password and the Enterprise Trust Root Certificate.
  6. The enrollment wizard generates a certificate request and sends it to MDM Enrollment Server together with a hash that is generated from the one-time enrollment password and the certificate request.
  7. MDM Enrollment Server locates the Active Directory Domain Service computer account for the device, and the device certificate is issued based on the certificate request received from the device. MDM Enrollment Server also links the computer account to the Active Directory account for that user.
  8. The machine certificate is returned to the device, completing the process.
  9. The device disconnects from MDM Enrollment Server.
  10. If the mobile virtual private network (VPN) is required, the user is prompted to reset the device.
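The mutual check in steps 5 and 6 (the device verifies that the server's response was derived from the one-time password before it sends its certificate request, and the server accepts the request only once and only within the validity window) as an added illustration, not code from the original post or from MDM itself. The derivation function (HMAC-SHA256 keyed by the password), the certificate bytes and the request bookkeeping are assumptions made for the example; the page only says the values are "derived from" or "a hash generated from" the password.

```python
import hashlib
import hmac
import secrets
import time

ENROLLMENT_WINDOW_SECONDS = 8 * 60 * 60  # default eight-hour validity from the page

# Constructed stand-ins for the Enterprise Trust Root Certificate and a device CSR.
TRUST_ROOT_CERT = b"-----CONSTRUCTED ROOT CERT (placeholder bytes)-----"
DEVICE_CSR = b"-----CONSTRUCTED CERTIFICATE REQUEST (placeholder bytes)-----"


def derive(password: str, data: bytes) -> bytes:
    # Assumed construction: HMAC-SHA256 keyed by the one-time enrollment password.
    # The page only says the values are "derived from" the password and the data.
    return hmac.new(password.encode(), data, hashlib.sha256).digest()


class EnrollmentServer:
    """Server side of steps 2 and 4-7: issue the one-time password, prove possession
    of it alongside the trust root, and accept exactly one valid CSR per password."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}  # device_id -> [password, expiry, used]

    def create_request(self, device_id: str) -> str:
        password = secrets.token_urlsafe(12)  # step 2: one-time password given to the user
        self.pending[device_id] = [password, self.now() + ENROLLMENT_WINDOW_SECONDS, False]
        return password

    def get_trust_root(self, device_id: str):
        # step 4/5: return the root cert plus a proof derived from the password and the cert
        password = self.pending[device_id][0]
        return TRUST_ROOT_CERT, derive(password, TRUST_ROOT_CERT)

    def enroll(self, device_id: str, csr: bytes, proof: bytes) -> bool:
        # step 6/7: accept the CSR only if the proof is valid, unexpired and unused
        entry = self.pending.get(device_id)
        if entry is None or entry[2] or self.now() > entry[1]:
            return False  # unknown device, password already used, or window expired
        if not hmac.compare_digest(proof, derive(entry[0], csr)):
            return False  # wrong proof: password stays valid until used or expired
        entry[2] = True  # one-time use: consumed only on success
        return True


def device_enroll(server: EnrollmentServer, device_id: str, password: str, csr: bytes) -> bool:
    # Device side of steps 4-6: verify the server before sending the certificate request.
    root, server_proof = server.get_trust_root(device_id)
    if not hmac.compare_digest(server_proof, derive(password, root)):
        return False  # step 5 failed: server did not prove knowledge of the password
    return server.enroll(device_id, csr, derive(password, csr))
```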

Before it is provisioned with proxy settings, the client might be unable to access the Internet. After it is provisioned with proxy settings, the managed device sends an HTTP request to an Internet Web site. The managed device checks the URL within the request and then sends the request to the provisioned proxy through the VPN tunnel. When the request from the managed device arrives, MDM Gateway Server queries its local routing table to determine how to route the traffic to the Web proxy. The proxy receives the request, applies the proxy policy, rewrites the source IP address to a routable Internet IP address, and then forwards the request to the Internet.

Next step: Mobile VPN!


Reference: Microsoft Technet