My previous blog post described how to deploy an On Premise MDM solution with Configuration Manager Current Branch (1511 for now). It's a pretty cool solution. You can find that blog post here
There is one drawback though. It's a bit of a pain having to install a client certificate and the Trusted Root certificate on each Windows device before then having to enrol the device manually through Work Access. We're in luck. Configuration Manager has a very slick way to automate this process through provisioning packages. You can read about this process in the official Microsoft TechNet documentation .
This process could not be simpler. What does it look like?
There are a couple of prerequisites.
1. You must have installed Windows Image and Configuration Designer (WICD) from the Windows 10 ADK before you can create an enrollment package.
2. You must have already configured the solution for On-Premise MDM. During that process you would have created a Certificate Profile containing the Trusted Root Certificate.
Navigate to "Assets and Compliance" > "All Corporate-owned Devices > Windows > Enrolment Profile. Right click to create a new profile.
Enter a suitable name. See that you can choose On-Premises or Cloud as the Management Authority. We're interested in On-Premises for now.
Choose the Site Code.
Select "Intranet Only" and choose the Enrolment Point.
Choose the certificate profile.
You can optionally choose to configure a WiFi profile for network connectivity during enrolment.
Confirm the settings to configure the profile.
Profile has been created.
Right click the profile. You can view the properties or export.
See that you can still make changes in the properties. You can change the Management Authority.....
.....or add a WiFi profile, for example.
Now choose to export. Accept the validity period (the package will expire) and enter a location. You can choose to encrypt the package.
The enrollment package has been created. See there are two files.
Now let's go to our test client. It is not enrolled.
I removed the client certificate....
...and Trusted Root Certificate that I previously installed.
Copy the Enrollment Package to the Windows 10 client (the method is up to you). Launch the package.
Accept the UAC warning.
You are given information on what a provisioning package could do. You must accept this.
That's all you have to do. Almost instantly you will see that the device is enrolled (Settings > Accounts > Work Access). Note that it has been enrolled as a Corporate Owned device rather than by a specific user.
The first sync has started.
The device appears in the ConfigMgr console as is under On Premise Management. This is seriously cool.
Until next time....
Until next time....