Preparation steps for on-premises MDM in Configuration Manager

Applies to: System Center Configuration Manager (Current Branch)

To manage devices with Configuration Manager on-premises mobile device management (MDM), first set up the necessary infrastructure. The required site system roles must communicate with the mobile devices over a trusted (HTTPS) channel, because the devices are typically not domain-joined and have no other trust relationship with the site. These roles are the enrollment proxy point, enrollment point, device management point, and distribution point.

The following high-level tasks are required to prepare Configuration Manager for on-premises MDM:

  • Set up a Microsoft Intune subscription for on-premises MDM

    Sign up for Microsoft Intune, and then add the subscription to Configuration Manager through the Configuration Manager console. This step is required for licensing purposes only. Intune isn't used to manage the devices or to store management information. All coordination and management of devices stays within your organization, using the on-premises Configuration Manager infrastructure.

    Starting in version 1810, an Intune connection is no longer required for new on-premises MDM deployments. Your organization still requires Intune licenses to use this feature. You can't currently remove the Intune connection from existing on-premises MDM deployments. For more information, see the Intune support blog post.

  • Install site system roles for on-premises MDM

    Install and configure the site systems required to manage devices with on-premises Configuration Manager infrastructure. At a minimum, this feature requires the enrollment proxy point, enrollment point, device management point, and distribution point roles.

  • Set up certificates for trusted communications for on-premises MDM

    Configure the on-premises Configuration Manager infrastructure to allow trusted communications (HTTPS) between managed devices and the servers hosting the required site system roles.

  • Set up device enrollment for on-premises MDM

    Grant permission to users to enroll computers and devices. Install the trusted root certificate on the devices before enrollment, so that they can validate the HTTPS certificates presented by the site system servers. These devices typically aren't domain-joined, so they don't receive the enterprise root through Group Policy and it must be delivered to them some other way.
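The following PowerShell script is an added example, not part of the Configuration Manager documentation, that ties the last three tasks together from the device side: it installs the enterprise root certificate into the machine's Trusted Root store if it's missing, then opens a TLS session to each required site system role and reports whether the presented certificate chains to that root, is unexpired, and carries the role's host name in its subject alternative names. The host names, root CA thumbprint, and .cer path are placeholders (assumptions) and must be replaced with your own values.

```powershell
# Added example, not part of the Configuration Manager documentation.
# Host names, the root CA thumbprint and the .cer path below are placeholders (assumptions).
$roles = @{
    'Enrollment proxy point'  = 'enrollproxy.contoso.example'
    'Enrollment point'        = 'enroll.contoso.example'
    'Device management point' = 'mp01.contoso.example'
    'Distribution point'      = 'dp01.contoso.example'
}
$expectedRootThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # placeholder
$rootCerPath            = 'C:\certs\ContosoRootCA.cer'                 # placeholder

# Step 1 (run elevated on the device): put the enterprise root in the machine
# Trusted Root store if it isn't there yet. Non-domain-joined devices don't get it
# from Group Policy, which is why the documentation calls out installing it explicitly.
function Install-TrustedRoot {
    param([string]$CerPath, [string]$Thumbprint)
    $present = Get-ChildItem Cert:\LocalMachine\Root | Where-Object { $_.Thumbprint -eq $Thumbprint }
    if (-not $present -and (Test-Path $CerPath)) {
        Import-Certificate -FilePath $CerPath -CertStoreLocation Cert:\LocalMachine\Root | Out-Null
    }
}

# Step 2: open a TLS session to each role and inspect what the server actually presents.
function Test-RoleCertificate {
    param([string]$Role, [string]$HostName, [string]$Thumbprint, [int]$Port = 443)
    $result = [ordered]@{
        Role        = $Role
        Host        = $HostName
        Subject     = ''
        NotAfter    = $null
        ChainValid  = $false
        RootMatches = $false
        NameMatches = $false
        Error       = ''
    }
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # Accept anything during the handshake so the certificate can be examined
        # here instead of AuthenticateAsClient throwing on a bad chain.
        $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject  = $cert.Subject
        $result.NotAfter = $cert.NotAfter

        # Build the chain the way the device's crypto stack would, revocation included.
        # Online revocation needs the CRL/OCSP endpoints reachable from this device.
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
        $result.ChainValid = $chain.Build($cert)
        $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
        $result.RootMatches = ($root.Thumbprint -eq $Thumbprint)

        # The host name the devices connect to must appear in the SAN extension (OID 2.5.29.17).
        # Exact match only; wildcard entries are not expanded here.
        $sanExt  = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $result.NameMatches = ($sanText -match ('DNS Name=' + [regex]::Escape($HostName) + '(,|$)'))
        $ssl.Dispose()
    }
    catch {
        $result.Error = $_.Exception.Message
    }
    finally {
        $client.Dispose()
    }
    [pscustomobject]$result
}

Install-TrustedRoot -CerPath $rootCerPath -Thumbprint $expectedRootThumbprint
$roles.GetEnumerator() |
    ForEach-Object { Test-RoleCertificate -Role $_.Key -HostName $_.Value -Thumbprint $expectedRootThumbprint } |
    Format-Table Role, Host, ChainValid, RootMatches, NameMatches, NotAfter, Error -AutoSize
```

Run the check from a device on the same network segment the mobile devices will use, not from the site server: a chain that builds on a domain-joined admin workstation (which already trusts the enterprise root and can reach the internal CRL distribution point) can still fail on an external, non-domain-joined device. `RootMatches` being false while `ChainValid` is true usually means the server is presenting a certificate from a different CA than the one you distributed to the devices.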