Enrollment Point Installation & Proxy Point Installation
- April 20, 2022
- Posted by: Pavithra
- Category: End User Computing
We will describe how to install the SCCM Current Branch Enrolment Point and Enrolment Proxy Point site system roles.
ROLE DESCRIPTION
The Enrolment Point uses PKI certificates for Configuration Manager to enrol mobile devices and Mac computers, and to provision Intel AMT-based computers.
The Enrolment Proxy Point manages Configuration Manager Enrolment requests from mobile devices and Mac computers.
These are not mandatory site system roles, but you need both the Enrolment Point and the Enrolment Proxy Point if you want to enrol legacy mobile devices or Mac computers, or to provision Intel AMT-based computers. Since modern mobile devices are mostly managed using Windows Intune, this post will focus mainly on Mac computer enrolment.
SITE SYSTEM ROLE PLACEMENT IN HIERARCHY
The SCCM Enrolment Point and Enrolment Proxy Point are site-wide options. Installing these roles is supported on a stand-alone or child Primary site. It is not supported on a Central Administration site or a Secondary site.
If a user enrols mobile devices by using SCCM and their Active Directory account is in a forest that is untrusted by the site server's forest, you must install an SCCM Enrolment Point in the user's forest so that the user can be authenticated.
When you support mobile devices on the Internet, as a security best practice, install the Enrolment Proxy Point in a perimeter network and the Enrolment Point on the intranet.
PREREQUISITES
Beginning with System Center 2012 Configuration Manager SP2, the computer that hosts the SCCM Enrolment Point or Enrolment Proxy Point site system role must have a minimum of 5% of the computer's available memory free to enable the site system role to process requests. When these site system roles are co-located with another site system role that has this same requirement, the memory requirement for the computer does not increase, but remains at a minimum of 5%.
On Windows Server 2012, the following features must be installed before the role installation:
Enrolment Point
Features:
- .NET Framework 3.5
- .NET Framework 4.5
  - HTTP Activation (and automatically selected options)
  - ASP.NET 4.5
IIS Configuration:
- Common HTTP Features
  - Default Document
- Application Development
  - ASP.NET 3.5 (and automatically selected options)
  - .NET Extensibility 3.5
  - ASP.NET 4.5 (and automatically selected options)
  - .NET Extensibility 4.5
- IIS 6 Management Compatibility
  - IIS 6 Metabase Compatibility
Enrolment Proxy Point
Features:
- .NET Framework 3.5
- .NET Framework 4.5
  - HTTP Activation (and automatically selected options)
  - ASP.NET 4.5
IIS Configuration:
- Common HTTP Features
  - Default Document
  - Static Content
- Application Development
  - ASP.NET 3.5 (and automatically selected options)
  - ASP.NET 4.5 (and automatically selected options)
  - .NET Extensibility 3.5
  - .NET Extensibility 4.5
- Security
  - Windows Authentication
- IIS 6 Management Compatibility
  - IIS 6 Metabase Compatibility
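The prerequisite lists and the 5% memory requirement above can be audited on a site system before adding the roles. The following is an added example, not part of the original post: the function name is hypothetical, the mapping from the list items to ServerManager feature names is this example's assumption, and "5% free" is read as free physical memory over total physical memory.

```powershell
# Added example: audits the prerequisites listed above; it installs nothing.
# The ServerManager feature names are this example's mapping of the list items.
function Test-EnrollmentRolePrereq {   # hypothetical helper name
    param(
        [ValidateSet('EnrollmentPoint', 'EnrollmentProxyPoint')]
        [string]$Role = 'EnrollmentPoint'
    )
    Import-Module ServerManager

    $required = [ordered]@{
        'NET-Framework-Core'        = '.NET Framework 3.5'
        'NET-Framework-45-Core'     = '.NET Framework 4.5'
        'NET-WCF-HTTP-Activation45' = 'HTTP Activation'
        'NET-Framework-45-ASPNET'   = 'ASP.NET 4.5 (feature)'
        'Web-Default-Doc'           = 'Default Document'
        'Web-Asp-Net'               = 'ASP.NET 3.5'
        'Web-Net-Ext'               = '.NET Extensibility 3.5'
        'Web-Asp-Net45'             = 'ASP.NET 4.5 (IIS)'
        'Web-Net-Ext45'             = '.NET Extensibility 4.5'
        'Web-Metabase'              = 'IIS 6 Metabase Compatibility'
    }
    if ($Role -eq 'EnrollmentProxyPoint') {
        # The proxy point list adds two IIS role services.
        $required['Web-Static-Content'] = 'Static Content'
        $required['Web-Windows-Auth']   = 'Windows Authentication'
    }

    foreach ($name in $required.Keys) {
        $feature = Get-WindowsFeature -Name $name
        [pscustomobject]@{
            Check  = $required[$name]
            Detail = $name
            Ok     = [bool]($feature -and $feature.Installed)
        }
    }

    # 5% free-memory requirement: both WMI values are reported in KB.
    $os = Get-CimInstance -ClassName Win32_OperatingSystem
    $freePct = [math]::Round(100 * $os.FreePhysicalMemory / $os.TotalVisibleMemorySize, 1)
    [pscustomobject]@{
        Check  = 'Free memory at least 5%'
        Detail = "$freePct% free"
        Ok     = $freePct -ge 5
    }
}

Test-EnrollmentRolePrereq -Role EnrollmentProxyPoint | Format-Table -AutoSize
```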
SCCM ENROLMENT POINT INSTALLATION
For this post we will be installing both roles on a stand-alone Primary site using HTTPS connections. If you split the roles between different machines, do the installation section twice: once on the first site system (selecting Enrolment Point during role selection) and a second time on the other site system (selecting Enrolment Proxy Point during role selection).
- Open the SCCM console
- Navigate to Administration / Site Configuration / Servers and Site System Roles
- Right click your Site System and click Add Site System Roles
- On the General tab, click Next



- In the IIS Website and Virtual application name fields, leave both at their default values
  - These are the names that you'll see in IIS after the installation
- Enter the port number you want to use. The HTTPS setting is automatically selected and requires a PKI certificate on the server for server authentication to the Enrolment Proxy Point and for encryption of data over SSL. For more information about the certificate requirements, see PKI Certificate Requirements for Configuration Manager.

- The Enrolment Point will be populated by default and can't be changed
- Keep the Website name at its default value
- Enter the port and protocol that you want to use
- The Virtual application name can't be changed. This will be used for client installation (https://servername/EnrollmentServer)
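The HTTPS setting above depends on a server authentication certificate being bound in IIS, so it is worth confirming what the binding actually presents. The following is an added example, not part of the original post: the function name is hypothetical, and it assumes the WebAdministration module is available and that the role uses the port passed in `-Port` (443 is only this example's default).

```powershell
# Added example: inspects the certificate bound to the HTTPS port used by the
# enrolment roles. Read-only; it changes no IIS or certificate settings.
function Test-EnrollmentHttpsCertificate {   # hypothetical helper name
    param(
        [int]$Port = 443,       # assumption: replace with the port chosen in the wizard
        [int]$WarnDays = 30     # flag certificates expiring within this many days
    )
    Import-Module WebAdministration
    $serverAuthOid = '1.3.6.1.5.5.7.3.1'   # Server Authentication EKU

    $bindings = @(Get-ChildItem IIS:\SslBindings | Where-Object { $_.Port -eq $Port })
    if ($bindings.Count -eq 0) {
        Write-Warning "No SSL binding found on port $Port"
        return
    }

    foreach ($b in $bindings) {
        $path = "Cert:\LocalMachine\$($b.Store)\$($b.Thumbprint)"
        $cert = Get-Item -Path $path -ErrorAction SilentlyContinue
        if (-not $cert) {
            Write-Warning "Binding on port $Port points at a missing certificate: $path"
            continue
        }

        # Collect the EKU OIDs. A certificate with no EKU extension is not
        # restricted to any purpose, so ServerAuthEku is False in that case too.
        $ekus = $cert.Extensions |
            Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
            ForEach-Object { $_.EnhancedKeyUsages } |
            ForEach-Object { $_.Value }

        [pscustomobject]@{
            Subject       = $cert.Subject
            Thumbprint    = $cert.Thumbprint
            Expires       = $cert.NotAfter
            ExpiresSoon   = $cert.NotAfter -lt (Get-Date).AddDays($WarnDays)
            HasPrivateKey = $cert.HasPrivateKey
            ServerAuthEku = $ekus -contains $serverAuthOid
            ChainValid    = $cert.Verify()   # default chain policy of the local machine
        }
    }
}

Test-EnrollmentHttpsCertificate -Port 443 | Format-List
```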


Logs
You can verify the role installation in the following logs:
- ConfigMgrInstallationPath\Logs\enrollsrvMSI.log and EnrollmentService.log – Records details about the Enrolment Point installation
- ConfigMgrInstallationPath\Logs\enrollwebMSI.log – Records details about the Enrolment Proxy Point installation
- ConfigMgrInstallationPath\Logs\EnrollmentWeb.log – Records communication between mobile devices and the Enrolment Proxy Point
That's it, you've installed your SCCM Enrolment Point. Follow this TechNet guide if you want to proceed to the next steps for Mac computer enrolment.