Which CNAMEs to use for Auto-discovery during MDM Enrollment


We’ve had questions about the CNAME configuration required for Windows devices to automatically discover the MDM server for mobile device management (MDM). We’ve also had questions about the MDM server address users have to enter manually if prompted. This blog hopes to help you understand the requirements.

Device Enrollment

If you have iOS or Android devices, they don’t have to worry about auto-discovery or manual enrollment; as long as the Company Portal is installed, it knows how to find the right server to get the device enrolled.

Windows Device Enrollment -End User Experience

Unlike iOS and Android, Windows devices (Windows Phone 8.1, and 10 and Windows PCs 8.1 and 10) have UI built into the operating system to enroll a device for management. The user enters a corporate email address which matches the User Principal Name (UPN) set for user identity. The device tries to auto-discover the server and start the enrollment process.
Underneath the covers, here’s what happens when enrolling a Windows Phone 8.1 device:

cname-flowchart

In Windows Phone 8.1 it looks like this:

cnamepic1

cnamepic2

If there is no CNAME configured, the device enrollment server won’t be found, and the device presents a screen to allow the user to enter the server address.
IMPORTANT: The server address the user needed to enter used to be manage.microsoft.com, but due to the changes necessary to move to the new grouping and targeting structure, the FQDN to enroll a device to Microsoft Intune changed to enrollment.manage.microsoft.com. Both FQDNs can be used now, but support for manage.microsoft.com ended in February of 2017.

cnamepic3

For more information about the MDM enrollment protocol, see https://msdn.microsoft.com/en-us/library/mt221945.aspx.

Windows 10 Automatic MDM Enrollment

If you are enrolling Windows 10 devices using automatic MDM enrollment, you don’t have to worry about configuring CNAMEs because the MDM server is configured by default when you enable automatic MDM enrollment. For more information, see https://docs.microsoft.com/en-us/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune.

Windows Device Enrollment -Configuring Auto-Discovery

To configure auto-discovery of the enrollment server, there has to be a CNAME record to point to the enrollment server.

 

 Type  Host name  Points to  TTL
 CNAME  EnterpriseEnrollment.company_domain.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour

 

The company_domain in the FQDN should be the registered domain name(s) you are using for single sign on with the UPN. For example if users at Contoso use name@contoso.com as their email/UPN, the Contoso DNS admin would need to create the following CNAMEs.

 

 Type  Host name  Points to  TTL
 CNAME  EnterpriseEnrollment.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour

 

If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. For example if users at Contoso use name@contoso.com, but also use name@us.contoso.com, and name@eu.constoso.com as their email/UPN, the Contoso DNS admin would need to create the following CNAMEs.

 

 Type  Host name  Points to  TTL
 CNAME  EnterpriseEnrollment.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour
 CNAME  EnterpriseEnrollment.us.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour
 CNAME  EnterpriseEnrollment.eu.contoso.com  EnterpriseEnrollment-s.manage.microsoft.com  1 hour

 

For more information, see https://docs.microsoft.com/en-us/intune/deploy-use/set-up-windows-device-management-with-microsoft-intune.

Additional Endpoints Are Supported but Not Recommended

EnterpriseEnrollment-s.manage.microsoft.com is the preferred FQDN for enrollment, but there are two other endpoints that have been used by customers in the past and are supported. EnterpriseEnrollment.manage.microsoft.com (without the -s) and manage.microsoft.com both work as the target for the auto-discovery server, but the user will have to touch OK on a confirmation message. If you point to EnterpriseEnrollment-s.manage.microsoft.com, the user won’t have to do the additional confirmation step, so this is the recommended configuration.

Alternate Methods of Redirection Are Not Supported

Using a method other than the CNAME configuration is not supported. For example, using a proxy server to redirect enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc to either enterpriseenrollment-s.manage.microsoft.com/EnrollmentServer/Discovery.svc or manage.microsoft.com/EnrollmentServer/Discovery.svc is not supported.

Registration vs Enrollment CNAMEs

Azure Active Directory has a different CNAME that it uses for device registration for iOS, Android, and Windows devices. Intune conditional access requires devices to be registered, also called “workplace joined”. If you plan to use conditional access, you should also configure the EnterpriseRegistration CNAME for each company name you have.

 

 Type  Host name  Points to  TTL
 CNAME  EnterpriseRegistration.company_domain.com  EnterpriseRegistration.windows.net  1 hour

 

For more information about device registration, see
https://docs.microsoft.com/en-us/azure/active-directory/active-directory-conditional-access-device-registration-overview.
Hopefully this information helps clarify the CNAMEs and FQDNs needed for auto-discovery.


Comments (2)

  1. Marius says:

    Great post, guys!
    Keep it on!

Skip to main content