Blog

Enrollment Point Installation & Proxy Point Installation

No Comments

Enrollment Point Installation & Proxy Point Installation

Enrollment Point Installation & Proxy Point Installation We will describe how to install SCCM Current Branch Enrolment  Point and Enrolment  Proxy Point site system roles.

ROLE DESCRIPTION

The Enrolment  Point uses PKI certificates for Configuration Manager to enrol mobile devices, Mac computers and to provision Intel AMT-based computers.

The Enrolment  Proxy Point manages Configuration Manager Enrolment  requests from mobile devices and Mac computers.

This is not a mandatory site system, but you need both Enrolment  Point and Enrolment  Proxy Point if you want to enrol legacy mobile devices, Mac computers and to provision Intel AMT-based computers. Since modern mobile devices are mostly managed using Windows Intune, this post will focus mainly on Mac computer Enrolment .

SITE SYSTEM ROLE PLACEMENT IN HIERARCHY

The SCCM Enrolment Point, and Enrolment  Proxy Point are site-wide options. It’s supported to install those roles on a stand-alone or child Primary site. It’s not supported to install it on a Central Administration site or Secondary site.

You must install an SCCM Enrolment  Point in the user’s forest so that the user can be authenticated if a user enrols mobile devices by using SCCM and their Active Directory account is in a forest that is untrusted by the site server’s forest.

When you support mobile devices on the Internet, as a security best practice, install the Enrolment  Proxy Point in a perimeter network and the Enrolment  Point on the intranet.

PREREQUISITES

Beginning with System Centre 2012 Configuration Manager SP2, the computer that hosts the SCCM Enrolment  Point or Enrolment  Proxy Point site system role must have a minimum of 5% of the computers available memory free to enable the site system role to process requests. When those site system role are co-located with another site system role that has this same requirement, this memory requirement for the computer does not increase, but remains at a minimum of 5%.

Using Windows Server 2012, the following features must be installed before the role installation:

Enrolment Point

Features:

  • .NET Framework 3.5
  • .NET Framework 4.5
    • HTTP Activation (and automatically selected options)
    • ASP.NET 4.5
  • Common HTTP Features
    • Default Document
  • Application Development
    • ASP.NET 3.5 (and automatically selected options)
    • .NET Extensibility 3.5
    • ASP.NET 4.5 (and automatically selected options)
    • .NET Extensibility 4.5
  • IIS 6 Management Compatibility
    • IIS 6 Metabase Compatibility

Enrolment  Proxy Point

Features:

  • .NET Framework 3.5
  • .NET Framework 4.5
    • HTTP Activation (and automatically selected options)
    • ASP.NET 4.5

IIS Configuration:

  • Common HTTP Features
    • Default Document
    • Static Content
  • Application Development
    • ASP.NET 3.5 (and automatically selected options)
    • ASP.NET 4.5 (and automatically selected options)
    • .NET Extensibility 3.5
    • .NET Extensibility 4.5
  • Security
    • Windows Authentication
  • IIS 6 Management Compatibility
    • IIS 6 Metabase Compatibility

SCCM ENROLMENT  POINT INSTALLATION

For this post we will be installing both roles on a stand-alone Primary site using HTTPS connections. If you split the roles between different machine, do the installation section twice, once for the first site system (selecting Enrolment  Point during role selection)and a second time on the other site system (selecting Enrolment  Proxy Point during role selection).

  • Open the SCCM console
  • Navigate to Administration / Site Configuration / Servers and Site System Roles
  • Right click your Site System and click Add Site System Roles
  • On the General tab, click Next
·         On the Proxy tab, click Next
·         On the Site System Role tab, select Enrolment  Point and Enrolment  Proxy Point, click Next
·         On the Enrolment  Point tab
o    In the IIS Website and Virtual application name fields,leave both to the default values
§  This is the names that you’ll see in IIS after the installation
o    Enter the port number you want to use. The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to the Enrolment  Proxy Point and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.
·         On the Enrolment  Proxy Point tab,
o    The Enrolment  point will be populated by default and can’t be changed
o    Keep the Website name to it’s default value
o    Enter the port and protocol that you want to use
o    The Virtual application name can’t be changed. This will be used for client installation (https://servername/Enrolment Server)
·         On the Summary tab, review your settings, click Next and complete the wizard
VERIFICATION AND LOGS FILES
Logs
You can verify the role installation in the following logs:
·         ConfigMgrInstallationPath\Logs\enrollsrvMSI.log and Enrolment service.log – Records details of about the Enrolment  Point installation
·         ConfigMgrInstallationPath\Logs\enrollwebMSI.log – Records details of about the Enrolment  Proxy Point installation
·         ConfigMgrInstallationPath\Logs\Enrolment web.log – Records communication between mobile devices and the Enrolment  Proxy Point
That’s it, you’ve installed your SCCM Enrolment  Point, follow this Technet Guide if you want to proceed to next steps for Mac computers Enrolment

SCCM Training 

Live Instructor-led Online Training

Click here for SCCM Course Content

Watch SCCM Demo Video

Leave a Reply