1.3 Overview

The Mobile Device Enrollment (MDE) protocol enables a device to be enrolled with a Device Management Service (DMS) through an Enrollment Service (ES), including the discovery of the Management Enrollment Service (MES) and enrollment with the ES. After a device is enrolled, the device can be managed with the DMS using MDM.

The process for enrolling a device using MDE2 is shown in the following diagram.

Typical sequence for enrolling a message using MDE2

Figure 1: Typical sequence for enrolling a message using MDE2

The enrollment process consists of the following steps.

  1. The user’s email name is entered via the enrollment client.

  2. The enrollment client extracts the domain suffix from the email address, prepends the domain name with a well-known label, and resolves the address to the Discovery Service (DS). The administrator configures the network name resolution service (that is, the Domain Name System (DNS)) appropriately.

  3. The enrollment client sends an HTTP GET request to the Discovery Service (DS) to validate the existence of the service endpoint.

  4. The enrollment client sends a Discover message (section 3.1.4.1.1.1) to the Discovery Service (DS). The Discovery Service (DS) responds with a DiscoverResponse message (section 3.1.4.1.1.2) containing the Uniform Resource Locators (URLs) of service endpoints required for the following steps.

  5. The enrollment client communicates with the security token service (STS) (section 3.2) to obtain a security token to authenticate with the ES.

  6. The enrollment client sends a GetPolicies message (section 3.3.4.1.1.1) the ES endpoint [MS-XCEP] using the security token received in the previous step. The ES endpoint [MS-XCEP] responds with a GetPoliciesResponse message (section 3.3.4.1.1.2) containing the certificate policies required for the next step. For more information about these messages, see [MS-XCEP] sections 3.1.4.1.1.1 and 3.1.4.1.1.2.

  7. The enrollment client can send a RequestSecurityToken message (section 3.4.4.1.1.1) to the ES endpoint [MS-WSTEP] using the security token received in step 5. The ES endpoint [MS-WSTEP] responds with a RequestSecurityTokenResponseCollection message (section 3.4.4.1.1.2) containing the identity and provisioning information for the device management client [MS-MDM]. For more information about these messages, see [MS-WSTEP] sections 3.1.4.1.1.1 and 3.1.4.1.1.2.

The steps for MDE2 device enrollment correspond to five phases as shown in the following diagram.

MDE2 device enrollment phases

Figure 2: MDE2 device enrollment phases

For Mobile Application Management (MAM), the server skips the discover, get security token, and get policies phases and goes straight to the request security token phase.<1> For more information on MAM, see [MSDN-WinMAM].