Assess infrastructure requirements to support device registration


Before using the Device Registration feature, you first must configure a company’s infrastructure to allow Device Registration. Several prerequisites must be in place before you can enable Device Registration on your devices:

  • Active Directory environment. Device Registration requires that you implement a domain environment. At least one domain controller must be running Windows Server 2012 or later, and the schema must be extended to the Windows Server 2012 R2 level.

  • Public key infrastructure. The Device Registration feature requires that a public key infrastructure (PKI) is deployed and properly configured. Devices must trust the CA; this is true by default for domain-joined devices, but requires manual configuration on devices that are not domain members. Certificates must include both of the following pieces of information:

    • Where the list of revoked certificates is available, such as the certificate revocation list (CRL) and its CRL distribution point (CDP).
    • Where up-to-date certificates for the CA are available, such as the authority information access (AIA) location.

    Devices must be able to access the CRL, delta CRL, and AIA before they can use Device Registration. The delta CRL is published in a file whose name, by default, includes a plus sign (+). By default, the Internet Information Services (IIS) web server does not allow access to files with special characters in their names, so you must enable double escaping to allow it. You can verify that the CRL, delta CRL, and AIA are accessible by running Pkiview.msc on the server where Active Directory Certificate Services (AD CS) is installed.

  • AD FS. A company must set up AD FS before users can use the Device Registration feature on their devices. You must configure AD FS with a Secure Sockets Layer (SSL) certificate from a trusted CA, and the SSL certificate must have properly configured Subject Name and Subject Alternative Name attributes.

  • Device Registration Service. When you perform Device Registration, Device Registration Service registers the device in AD DS. It also provides the certificate to the user who enables their device for Device Registration.

  • A DNS record for the host named Enterpriseregistration. The name Enterpriseregistration is mandatory, and you cannot change it. The DNS server must resolve this name to the IP address of the AD FS server, and the AD FS server must use it as one of its Subject Alternative Name attributes in the SSL certificate.

  • Web Application Proxy. This is an optional component that is not required when you enable Device Registration on devices that are connected to the company network. If you want to enable Device Registration on devices that are not connected to the company network, but are connected to the Internet, you must set up Web Application Proxy.

  • A supported operating system on the device. The device that you want to enable for Device Registration must be running a supported operating system. Currently, you can enable Device Registration only on devices that are running Windows 8.1 or later, or a currently supported iOS or Android operating system.
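The following script is an added example and is not part of the original course text or a Microsoft-provided tool. It checks several of the prerequisites above from an elevated PowerShell prompt on the AD FS server: that Enterpriseregistration resolves to the same address as the AD FS service, that the SSL certificate's Subject Alternative Name lists both names, and that the CRL, delta CRL, and AIA URLs embedded in that certificate answer over HTTP. It also contains a function, to be run on the IIS server that hosts the CRL files, that enables double escaping. The domain name, the AD FS service name, the certificate lookup by subject, the default delta CRL naming (base name plus "+"), and the IIS site name are assumptions; replace them with your own values.

```powershell
# Added example (not from the original course text): pre-flight checks for Device
# Registration prerequisites. Run in an elevated PowerShell session on the AD FS server.
$Domain   = 'contoso.com'                       # assumption: your AD DS domain
$AdfsFqdn = "adfs.$Domain"                      # assumption: AD FS federation service name
$DrsFqdn  = "enterpriseregistration.$Domain"    # mandatory host name; cannot be changed

# --- 1. DNS: enterpriseregistration.<domain> must resolve to the AD FS server's address ---
$adfsIps = @(Resolve-DnsName -Name $AdfsFqdn -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }).IPAddress
$drsIps  = @(Resolve-DnsName -Name $DrsFqdn -Type A -ErrorAction Stop |
             Where-Object { $_.Type -eq 'A' }).IPAddress
if (@($drsIps | Where-Object { $adfsIps -contains $_ }).Count -gt 0) {
    "DNS OK: $DrsFqdn -> $($drsIps -join ', ')"
} else {
    Write-Warning "DNS: $DrsFqdn resolves to [$($drsIps -join ', ')] but AD FS is at [$($adfsIps -join ', ')]"
}

# --- 2. SSL certificate: the SAN must contain both the AD FS name and the DRS name ---
# Assumption: the AD FS SSL certificate is in LocalMachine\My with CN = the service name.
$cert = Get-ChildItem Cert:\LocalMachine\My |
        Where-Object { $_.Subject -like "CN=$AdfsFqdn*" -and $_.HasPrivateKey } |
        Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert) { throw "No certificate with subject CN=$AdfsFqdn found in LocalMachine\My" }

$sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }   # Subject Alternative Name
$sanText = if ($sanExt) { $sanExt.Format($true) } else { '' }
foreach ($name in $AdfsFqdn, $DrsFqdn) {
    # Match the whole host name only, not a suffix of a longer SAN entry.
    if ($sanText -match "(?<![\w.-])$([regex]::Escape($name))(?![\w.-])") { "SAN OK: $name" }
    else { Write-Warning "SAN: $name is missing from certificate $($cert.Thumbprint)" }
}

# --- 3. PKI: CDP, delta CRL and AIA URLs in the certificate must be reachable over HTTP ---
function Get-HttpUrlsFromExtension {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert, [string]$Oid)
    $ext = $Cert.Extensions | Where-Object { $_.Oid.Value -eq $Oid }
    if (-not $ext) { return @() }
    # The formatted extension text contains lines such as "URL=http://pki.contoso.com/..."
    [regex]::Matches($ext.Format($true), 'https?://[^\s]+') | ForEach-Object { $_.Value }
}
$cdpUrls = @(Get-HttpUrlsFromExtension -Cert $cert -Oid '2.5.29.31')          # CRL Distribution Points
$aiaUrls = @(Get-HttpUrlsFromExtension -Cert $cert -Oid '1.3.6.1.5.5.7.1.1')  # Authority Information Access
# Assumption: the delta CRL keeps its default name, i.e. the base CRL name with '+' before '.crl'.
$deltaUrls = @($cdpUrls | Where-Object { $_ -like '*.crl' } | ForEach-Object { $_ -replace '\.crl$', '+.crl' })

foreach ($url in $cdpUrls + $deltaUrls + $aiaUrls) {
    try {
        $r = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        "HTTP $($r.StatusCode): $url"
    } catch {
        # A 404 on the '+.crl' URL usually means double escaping is still disabled on the IIS host.
        Write-Warning "Unreachable: $url ($($_.Exception.Message))"
    }
}

# --- 4. IIS on the server that publishes the CRL: allow '+' in request paths ---
# Run this function on the IIS server hosting the CertEnroll share (the AD CS server by default).
# Assumption: the CRL files are served by 'Default Web Site'.
function Enable-CdpDoubleEscaping {
    param([string]$SitePath = 'IIS:\Sites\Default Web Site')
    Import-Module WebAdministration
    $filter = 'system.webServer/security/requestFiltering'
    $raw = Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name allowDoubleEscaping
    $current = if ($raw -is [bool]) { $raw } else { [bool]$raw.Value }
    if (-not $current) {
        Set-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name allowDoubleEscaping -Value $true
        "IIS: allowDoubleEscaping enabled on $SitePath"
    } else {
        "IIS OK: allowDoubleEscaping already enabled on $SitePath"
    }
}
```

Sections 1 to 3 run as-is on the AD FS server; copy the Enable-CdpDoubleEscaping function to the IIS server that hosts the CRL files and call it there, then re-run section 3 to confirm the delta CRL URL now returns HTTP 200. Note that an AIA extension can also carry an OCSP responder URL, which may answer a bare GET with a status other than 200 even when the responder is healthy; Pkiview.msc remains the authoritative check for that endpoint.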

When users enable Device Registration on their devices, they can access a company’s internal web applications and company apps without entering credentials again. To provide SSO, administrators must configure claims-based web applications and create a relying party trust between the AD FS server and the web server on which the web application is running.
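The relying party trust described above can be created with the AD FS PowerShell module. The following is an added example, not code from the original course text; the application name, its identifier (the realm configured in the application's claims-aware settings), and its WS-Federation endpoint URL are assumed values.

```powershell
# Added example (not from the original course text): register a claims-based web
# application as a relying party in AD FS. Run on the AD FS server as an AD FS administrator.
Import-Module ADFS

$AppName       = 'Contoso Claims App'         # assumption: display name of the relying party
$AppIdentifier = 'https://app.contoso.com/'   # assumption: identifier/realm the application presents
$AppEndpoint   = 'https://app.contoso.com/'   # assumption: WS-Federation passive endpoint of the app

# Issuance transform rules decide which claims the application receives.
# Passing through the UPN is sufficient for an application that identifies users by UPN.
$transformRules = @'
@RuleTemplate = "PassThroughClaims"
@RuleName = "Pass through UPN"
c:[Type == "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/upn"]
 => issue(claim = c);
'@

# Issuance authorization rules decide who may obtain a token for this relying party at all.
# This template permits every authenticated user; tighten it per application if required.
$authzRules = @'
@RuleTemplate = "AllowAllAuthzRule"
 => issue(Type = "http://schemas.microsoft.com/authorization/claims/permit", Value = "true");
'@

if (-not (Get-AdfsRelyingPartyTrust -Name $AppName)) {
    Add-AdfsRelyingPartyTrust -Name $AppName `
        -Identifier $AppIdentifier `
        -WSFedEndpoint $AppEndpoint `
        -IssuanceTransformRules $transformRules `
        -IssuanceAuthorizationRules $authzRules
}

# Confirm the trust exists and is enabled.
Get-AdfsRelyingPartyTrust -Name $AppName | Select-Object Name, Identifier, WSFedEndpoint, Enabled
```

The identifier must match exactly what the application sends in its sign-in request (wtrealm for WS-Federation), otherwise AD FS cannot map the request to this trust and SSO fails even though the device is registered.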