The Mobile Device Enrollment (MDE) protocol enables a device to be enrolled with a Device Management Service (DMS) through an Enrollment Service (ES), including the discovery of the Management Enrollment Service (MES) and enrollment with the ES. After a device is enrolled, the device can be managed with the DMS using MDM.
The process for enrolling a device using MDE2 is shown in the following diagram.
Figure 1: Typical sequence for enrolling a message using MDE2
The enrollment process consists of the following steps.
The user’s email name is entered via the enrollment client.
The enrollment client extracts the domain suffix from the email address, prepends the domain name with a well-known label, and resolves the address to the Discovery Service (DS). The administrator configures the network name resolution service (that is, the Domain Name System (DNS)) appropriately.
The enrollment client sends a Discover message (section 188.8.131.52.1.1) to the Discovery Service (DS). The Discovery Service (DS) responds with a DiscoverResponse message (section 184.108.40.206.1.2) containing the Uniform Resource Locators (URLs) of service endpoints required for the following steps.
The enrollment client sends a GetPolicies message (section 220.127.116.11.1.1) the ES endpoint [MS-XCEP] using the security token received in the previous step. The ES endpoint [MS-XCEP] responds with a GetPoliciesResponse message (section 18.104.22.168.1.2) containing the certificate policies required for the next step. For more information about these messages, see [MS-XCEP] sections 22.214.171.124.1.1 and 126.96.36.199.1.2.
The enrollment client can send a RequestSecurityToken message (section 188.8.131.52.1.1) to the ES endpoint [MS-WSTEP] using the security token received in step 5. The ES endpoint [MS-WSTEP] responds with a RequestSecurityTokenResponseCollection message (section 184.108.40.206.1.2) containing the identity and provisioning information for the device management client [MS-MDM]. For more information about these messages, see [MS-WSTEP] sections 220.127.116.11.1.1 and 18.104.22.168.1.2.
The steps for MDE2 device enrollment correspond to five phases as shown in the following diagram.
Figure 2: MDE2 device enrollment phases
For Mobile Application Management (MAM), the server skips the discover, get security token, and get policies phases and goes straight to the request security token phase.<1> For more information on MAM, see [MSDN-WinMAM].