First published on TechNet on Mar 04, 2017 We’ve had questions about the CNAME configuration required for Windows devices to automatically discover the MDM server for mobile device management (MDM). We’ve also had questions about the MDM server address users have to enter manually if prompted. This blog hopes to help you understand the requirements.
If you have iOS or Android devices, they don’t have to worry about auto-discovery or manual enrollment; as long as the Company Portal is installed, it knows how to find the right server to get the device enrolled.
Windows Device Enrollment -End User Experience
Unlike iOS and Android, Windows devices (Windows Phone 8.1, and 10 and Windows PCs 8.1 and 10) have UI built into the operating system to enroll a device for management. The user enters a corporate email address which matches the User Principal Name (UPN) set for user identity. The device tries to auto-discover the server and start the enrollment process. Underneath the covers, here’s what happens when enrolling a Windows Phone 8.1 device:
In Windows Phone 8.1 it looks like this:
If there is no CNAME configured, the device enrollment server won’t be found, and the device presents a screen to allow the user to enter the server address. IMPORTANT : The server address the user needed to enter used to be manage.microsoft.com , but due to the changes necessary to move to the new grouping and targeting structure, the FQDN to enroll a device to Microsoft Intune changed to enrollment.manage.microsoft.com . Both FQDNs can be used now, but support for manage.microsoft.com ended in February of 2017.
Windows Device Enrollment -Configuring Auto-Discovery
To configure auto-discovery of the enrollment server, there has to be a CNAME record to point to the enrollment server.
Type Host name Points to TTL
The company_domain in the FQDN should be the registered domain name(s) you are using for single sign on with the UPN. For example if users at Contoso use email@example.com as their email/UPN, the Contoso DNS admin would need to create the following CNAMEs.
Type Host name Points to TTL
If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. For example if users at Contoso use firstname.lastname@example.org, but also use email@example.com, and firstname.lastname@example.org as their email/UPN, the Contoso DNS admin would need to create the following CNAMEs.
Additional Endpoints Are Supported but Not Recommended
EnterpriseEnrollment-s.manage.microsoft.com is the preferred FQDN for enrollment, but there are two other endpoints that have been used by customers in the past and are supported. EnterpriseEnrollment.manage.microsoft.com (without the -s) and manage.microsoft.com both work as the target for the auto-discovery server, but the user will have to touch OK on a confirmation message. If you point to EnterpriseEnrollment-s.manage.microsoft.com , the user won’t have to do the additional confirmation step, so this is the recommended configuration.
Alternate Methods of Redirection Are Not Supported
Using a method other than the CNAME configuration is not supported. For example, using a proxy server to redirect enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc to either enterpriseenrollment-s.manage.microsoft.com/EnrollmentServer/Discovery.svc or manage.microsoft.com/EnrollmentServer/Discovery.svc is not supported.
Registration vs Enrollment CNAMEs
Azure Active Directory has a different CNAME that it uses for device registration for iOS, Android, and Windows devices. Intune conditional access requires devices to be registered, also called “workplace joined”. If you plan to use conditional access, you should also configure the EnterpriseRegistration CNAME for each company name you have.