HowTo entitle pass-thru authentication for enrollment process

Article:TECH175678  |  Created: 2011-11-29  |  Updated: 2013-09-09
Article Type
Technical Solution



Pass-thru authentication needs to be entitled for the enrollment process to avoid issues like:


The profile "MDM Enrollment" could not be installed.


iPad or iPhone
iOS 5


The certificate that was defined for the IIS HTTPS binding was generated for the Mobile Management Server (MMS) and used the fully qualified domain name (FQDN) of the server (e.g. But the IP override in the MMS configuration policy was set to the public IP address of the MMS, which is reachable from the internet.

In this situation the enrollment works when using HTTP. iOS 5 devices, however, need HTTPS. So in this example the trust could not be established because the certificate was generated for the FQDN ( and this DNS record is not reachable from the internet (only the IP address is reachable).


1. Create a (temporary) trusted root certificate ( for testing and importing on the MMS
2. Change the HTTPS (443) port binding in IIS on the MMS to this trusted root certificate (
3. Create a public DNS record to forward ( the public IP address of the MMS.
4. Change the IP override for the MMS to the public DNS name (

Now all iOS devices should enroll without any problem. The configuration profiles that are configured during the enrollment (additional profiles) should apply successfully as well.
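A pre-enrollment check for the mismatch described above, as an added example that is not part of the original article: it tests whether the address set as the MMS IP override is actually named in the certificate bound to HTTPS. The certificate dictionaries (shaped like the output of Python's `ssl.SSLSocket.getpeercert()`), the host names and the IP address are constructed sample values, not values from the article.

```python
import ipaddress

# Constructed sample certificates, shaped like ssl.SSLSocket.getpeercert() output.
INTERNAL_CERT = {  # issued for an internal-only FQDN (hypothetical name)
    "subject": ((("commonName", "mms01.corp.example"),),),
    "subjectAltName": (("DNS", "mms01.corp.example"),),
}
PUBLIC_CERT = {  # issued for the public DNS name (hypothetical name)
    "subject": ((("commonName", "mdm.example.com"),),),
    "subjectAltName": (("DNS", "mdm.example.com"),),
}

def cert_names(cert):
    """Return (dns_names, ip_addresses) the certificate is valid for."""
    dns, ips = [], []
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            dns.append(value.lower())
        elif kind == "IP Address":
            ips.append(ipaddress.ip_address(value))
    if not dns and not ips:  # no SAN at all: fall back to the subject CN
        dns = [v.lower() for rdn in cert.get("subject", ())
               for k, v in rdn if k == "commonName"]
    return dns, ips

def dns_match(pattern, host):
    """Label-wise match; '*' may only stand for the whole leftmost label."""
    p, h = pattern.split("."), host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def override_matches_cert(cert, override):
    """True if the address devices are told to contact is named in the cert."""
    dns, ips = cert_names(cert)
    try:
        return ipaddress.ip_address(override) in ips  # an IP needs an IP SAN
    except ValueError:
        return any(dns_match(p, override) for p in dns)  # otherwise a DNS name

if __name__ == "__main__":
    for label, cert, override in [
        ("before", INTERNAL_CERT, "203.0.113.10"),  # documentation-range IP
        ("after", PUBLIC_CERT, "mdm.example.com"),
    ]:
        ok = override_matches_cert(cert, override)
        print(f"{label}: override={override} -> {'match' if ok else 'MISMATCH'}")
```

The "before" case fails because an IP address is only accepted when the certificate carries it as an IP subject alternative name; a DNS name in the certificate never covers it.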
