Windows Phone 8 couldn't enroll to MDM Server

  • Question

  • I have created a key pair and, using it, generated a self-signed root certificate. When I got a CSR, I signed it with the root certificate. I encoded the root and client certificate (signed by the root CA) and sent them to the device.

    But I couldn't enroll successfully. There are no logs or anything. I'm using Windows Phone 8.

    Please help on this.


    Thursday, July 3, 2014 11:52 AM

All replies

  • I assume you're placing those certificates inside a wap-provisioningdoc XML ...

    What other values are you setting in the wap-provisioningdoc?

    You should also read my troubleshooting blog post: http://blogs.msdn.com/b/wsdevsol/archive/2013/10/03/troubleshooting-your-windows-phone-8-enterprise-mobile-device-management-implementation.aspx


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Thursday, July 3, 2014 2:56 PM
    Moderator
  • Following is my policy service XML

    <s:Envelope
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:s="http://www.w3.org/2003/05/soap-envelope">
        <s:Header>
            <a:Action s:mustUnderstand="1">
                http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse
            </a:Action>
        </s:Header>
        <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
                xmlns:xsd="http://www.w3.org/2001/XMLSchema">
            <GetPoliciesResponse   xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
                <response>
                    <policyID>{083C7011-1D0A-4855-885D-AC945184658C}</policyID>
                    <policyFriendlyName>WSO2 Enrollment Policy</policyFriendlyName>
                    <nextUpdateHours>8</nextUpdateHours>
                    <policiesNotChanged xsi:nil="true"/>
                    <policies>
                        <policy>
                            <policyOIDReference>9</policyOIDReference>
                            <cAs>
                                <cAReference>0</cAReference>
                            </cAs>
                            <attributes>
                                <commonName>wso2.com</commonName>
                                <policySchema>1</policySchema>
                                <certificateValidity>
                                    <validityPeriodSeconds>31536000</validityPeriodSeconds>
                                    <renewalPeriodSeconds>3628800</renewalPeriodSeconds>
                                </certificateValidity>
                                <permission>
                                    <enroll>true</enroll>
                                    <autoEnroll>false</autoEnroll>
                                </permission>
                                <privateKeyAttributes>
                                    <minimalKeyLength>2048</minimalKeyLength>
                                    <keySpec>1</keySpec>
                                    <keyUsageProperty xsi:nil="true"/>
                                    <permissions xsi:nil="true"/>
                                    <algorithmOIDReference xsi:nil="true"/>
                                    <cryptoProviders>
                                        <provider>Microsoft Enhanced Cryptographic Provider v1.0</provider>
                                        <provider>Microsoft Base Cryptographic Provider v1.0</provider>
                                    </cryptoProviders>
                                </privateKeyAttributes>
                                <revision>
                                    <majorRevision>3</majorRevision>
                                    <minorRevision>1</minorRevision>
                                </revision>
                                <supersededPolicies xsi:nil="true"/>
                                <!-- nil must carry the xsi: prefix to be the XML Schema nil attribute -->
                                <privateKeyFlags xsi:nil="true"/>
                                <subjectNameFlags xsi:nil="true"/>
                                <enrollmentFlags xsi:nil="true"/>
                                <generalFlags xsi:nil="true"/>
                                <hashAlgorithmOIDReference xsi:nil="true"></hashAlgorithmOIDReference>
                                <rARequirements xsi:nil="true"/>
                                <keyArchivalAttributes xsi:nil="true"/>
                                <extensions>
                                    <extension>
                                        <oIDReference>5</oIDReference>
                                        <critical>false</critical>
                                        <value></value>
                                    </extension>
                                    <extension>
                                        <oIDReference>6</oIDReference>
                                        <critical>false</critical>
                                        <value>
                                            MCAGCCsGAQUFBwMCB…YBBAGCNwoDBA==
                                        </value>
                                    </extension>
                                    <extension>
                                        <oIDReference>7</oIDReference>
                                        <critical>true</critical>
                                        <value>
                                            AwIFoA==
                                        </value>
                                    </extension>
                                </extensions>
                            </attributes>
                        </policy>
                    </policies>
                </response>
                <cAs>
                    <cA>
                        <uris>
                            <cAURI>
                                <clientAuthentication>8</clientAuthentication>
                                <uri>https://9-1351c1223a.dom9-1351c1223a.nttest.microsoft.com/EntRootCA_CES_Certificate/service.svc/CES</uri>
                                <priority>1</priority>
                                <renewalOnly>false</renewalOnly>
                            </cAURI>
                            <cAURI>
                                <clientAuthentication>4</clientAuthentication>
                                <uri>https://9-1351c1223a.dom9-1351c1223a.nttest.microsoft.com/EntRootCA_CES_UsernamePassword/service.svc/CES</uri>
                                <priority>1</priority>
                                <renewalOnly>false</renewalOnly>
                            </cAURI>
                            <cAURI>
                                <clientAuthentication>2</clientAuthentication>
                                <uri>https://9-1351c1223a.dom9-1351c1223a.nttest.microsoft.com/EntRootCA_CES_Kerberos/service.svc/CES</uri>
                                <priority>1</priority>
                                <renewalOnly>false</renewalOnly>
                            </cAURI>
                        </uris>
                        <certificate>
                            MIID4TCCAsmgAwI…Cz1HRi2TpCY3OlJLUPG/+Nw==
                        </certificate>
                        <enrollPermission>true</enrollPermission>
                        <cAReferenceID>0</cAReferenceID>
                    </cA>
                </cAs>
                <oIDs>
                    <oID>
                        <value>1.3.6.1.4.1.311.20.2</value>
                        <group>6</group>
                        <oIDReferenceID>5</oIDReferenceID>
                        <defaultName>Certificate Template Name</defaultName>
                    </oID>
                    <oID>
                        <value>2.5.29.37</value>
                        <group>6</group>
                        <oIDReferenceID>6</oIDReferenceID>
                        <defaultName>Enhanced Key Usage</defaultName>
                    </oID>
                    <oID>
                        <value>2.5.29.15</value>
                        <group>6</group>
                        <oIDReferenceID>7</oIDReferenceID>
                        <defaultName>Key Usage</defaultName>
                    </oID>
                    <oID>
                        <value>
                            1.3.6.1.4.1.311.21.8.3800100.3166153.13323660.9808540.8334961.78.1.6
                        </value>
                        <group>9</group>
                        <oIDReferenceID>9</oIDReferenceID>
                        <defaultName>Basic EFS</defaultName>
                    </oID>
                </oIDs>
            </GetPoliciesResponse>
        </s:Body>
    </s:Envelope>

    And following is my device WAP provisioning XML response

    <wap-provisioningdoc version="1.1">
        <characteristic type="CertificateStore">
            <characteristic type="Root">
                <characteristic type="System">
                    <characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
                        <parm name="EncodedCertificate" value=""/>
                    </characteristic>
                </characteristic>
            </characteristic>
            <characteristic type="My" >
                <!-- "My" and "User" are case-sensitive -->
                <characteristic type="User">
                    <characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
                        <parm name="EncodedCertificate" value=""/>
                    </characteristic>
                    <characteristic type="PrivateKeyContainer"/>
                    <!-- This tag must be present for XML syntax correctness. -->
                </characteristic>
            </characteristic>
        </characteristic>
        <characteristic type="APPLICATION">
            <parm name="APPID" value="w7"/>
            <parm name="PROVIDER-ID" value="TestMDMServer"/>
            <parm name="NAME" value="Microsoft"/>
            <parm name="ADDR" value="https://DM.contoso.com:443/omadm/WindowsPhone.ashx"/>
            <parm name="CONNRETRYFREQ" value="6" />
            <parm name="INITIALBACKOFFTIME" value="30000" />
            <parm name="MAXBACKOFFTIME" value="120000" />
            <parm name="BACKCOMPATRETRYDISABLED" />
            <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
            <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1&amp;Stores=My%5CUser"/>
            <characteristic type="APPAUTH">
                <parm name="AAUTHLEVEL" value="CLIENT"/>
                <parm name="AAUTHTYPE" value="DIGEST"/>
                <parm name="AAUTHSECRET" value="password1"/>
                <parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
            </characteristic>
            <characteristic type="APPAUTH">
                <parm name="AAUTHLEVEL" value="APPSRV"/>
                <parm name="AAUTHTYPE" value="BASIC"/>
                <parm name="AAUTHNAME" value="testclient"/>
                <parm name="AAUTHSECRET" value="password2"/>
            </characteristic>
        </characteristic>
        <characteristic type="Registry">
            <characteristic type="HKLM\Software\Microsoft\Enrollment">
                <parm name="RenewalPeriod" value="42" datatype="integer" />
            </characteristic>
            <characteristic type="HKLM\Software\Microsoft\Enrollment\OmaDmRetry">
                <parm name="NumRetries" value="8" datatype="integer" />
                <parm name="RetryInterval" value="15" datatype="integer" />
                <parm name="AuxNumRetries" value="5" datatype="integer" />
                <parm name="AuxRetryInterval" value="3" datatype="integer" />
                <parm name="Aux2NumRetries" value="0" datatype="integer" />
                <!-- A retry waiting interval of less than 60 minutes isn't suggested due to its impact on data
                consumption and battery life. -->
                <parm name="Aux2RetryInterval" value="480" datatype="integer" />
            </characteristic>
        </characteristic>
        <characteristic type="DMClient">
            <characteristic type="Provider">
                <characteristic type="TestMDMServer">
                    <parm name="EntDeviceName" value="Administrator_WindowsPhone" datatype="string" />
                </characteristic>
            </characteristic>
        </characteristic>
        <!-- Specify the application enrollment token (AET) in the EnrollmentToken node, provide the URL for
        downloading company app hub apps, and specify the client certificate search criteria for downloading
        the company app from an SSL server that requires client-certificate-based authentication. -->
        <characteristic type="EnterpriseAppManagement">
            <characteristic type="EnterpriseIDInsertedHere">
                <parm datatype="string" name="EnrollmentToken" value="AETInsertedHere"/>
                <parm datatype="string" name="StoreProductId"
                      value="AppProductIDInsertedHere"/>
                <parm datatype="string" name="StoreURI"
                      value="HTTPS://DM.contoso.com:443/EnrollmentServer/clientcabs/EnterpriseApp1.xap"/>
                <parm datatype="string" name="StoreName" value="Wso2 App Store"/>
                <parm datatype="string" name="CertificateSearchCriteria"
                      value="ClientCertSearchCriteriaInsertedHere"/>
                <parm datatype="string" name="CRLCheck" value="0"/>
            </characteristic>
        </characteristic>
    </wap-provisioningdoc>

    I have added the encoded root and signed CSR in the WAP provisioning XML. I couldn't identify the reason why it isn't enrolling.



    Friday, July 4, 2014 6:02 AM
  • I think that Windows Phone 8 does not support those policy extensions; anything it doesn't recognize is usually ignored or passed through.
    Basically, the example you see in the documentation is all that it supports.

    For example, IIRC, WP8 only supports SHA1 RSA Sign.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Monday, July 7, 2014 3:10 PM
    Moderator
  • Also, make sure that any of the places where the sample XML shows "*InsertedHere" are replaced with valid values. (ex: "B64encodedBinaryNonceInsertedHere", "EnterpriseIDInsertedHere", "AETInsertedHere", "AppProductIDInsertedHere")

    Tip: if you don't have an application enrollment token (AET) then leave out the "EnterpriseAppManagement" node for now.

    Tip2: make sure your "EncodedCertificate" string is valid binary 64 encoding and does not contain any XML character replacements like: "&#10"...


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.


    Monday, July 7, 2014 6:01 PM
    Moderator
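The two tips above (replace every "*InsertedHere" placeholder, and make sure each "EncodedCertificate" is clean base64 with no XML character references) are exactly the kind of thing a server-side pre-flight check can catch before the document is ever sent to a phone. The following is an added example, not code from the thread or from Microsoft: a small validator for the CertificateStore part of a wap-provisioningdoc. It assumes, as the 40-hex-digit characteristic names in the poster's XML suggest, that each certificate node is named by the SHA-1 thumbprint of the DER certificate it carries, and it uses constructed placeholder DER bytes (a bare SEQUENCE, not a real certificate) so that it runs offline; `make_cert_store_doc`, `check_provisioning_doc` and `BAD_DOC` are names chosen for this example.

```python
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# A thumbprint-named certificate node looks like <characteristic type="031336C9...A0A2F">
HEX_THUMBPRINT = re.compile(r"[0-9A-Fa-f]{40}")
# Strict base64: no whitespace, no line breaks, correct padding. A value that came through
# an XML character reference such as &#10; decodes to a newline and fails this check.
STRICT_B64 = re.compile(r"(?:[A-Za-z0-9+/]{4})*(?:[A-Za-z0-9+/]{2}==|[A-Za-z0-9+/]{3}=)?")


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint of a DER-encoded certificate, upper-case hex (assumed naming convention)."""
    return hashlib.sha1(der).hexdigest().upper()


def make_cert_store_doc(root_der: bytes, client_der: bytes) -> str:
    """Build the CertificateStore section the way the enrollment server should emit it:
    thumbprint-named nodes whose EncodedCertificate is the raw base64 of the DER bytes."""
    def b64(der: bytes) -> str:
        return base64.b64encode(der).decode("ascii")

    return f"""<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <characteristic type="Root">
      <characteristic type="System">
        <characteristic type="{thumbprint(root_der)}">
          <parm name="EncodedCertificate" value="{b64(root_der)}"/>
        </characteristic>
      </characteristic>
    </characteristic>
    <characteristic type="My">
      <characteristic type="User">
        <characteristic type="{thumbprint(client_der)}">
          <parm name="EncodedCertificate" value="{b64(client_der)}"/>
        </characteristic>
        <characteristic type="PrivateKeyContainer"/>
      </characteristic>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""


def check_provisioning_doc(xml_text: str) -> list:
    """Return a list of problems found in the document; an empty list means it passed."""
    problems = []
    root = ET.fromstring(xml_text)

    # 1. Placeholders copied from the documentation sample must be replaced.
    for elem in root.iter():
        for attr, val in elem.attrib.items():
            if "InsertedHere" in val:
                problems.append(f"placeholder left in <{elem.tag} {attr}='{val}'>")

    # 2. Every thumbprint-named node must carry a decodable certificate whose hash matches its name.
    store = root.find("characteristic[@type='CertificateStore']")
    if store is None:
        problems.append("no CertificateStore characteristic")
        return problems
    for node in store.iter("characteristic"):
        tp = node.get("type", "")
        if not HEX_THUMBPRINT.fullmatch(tp):
            continue  # Root / System / My / User / PrivateKeyContainer containers
        parm = node.find("parm[@name='EncodedCertificate']")
        if parm is None:
            problems.append(f"{tp}: missing EncodedCertificate parm")
            continue
        val = parm.get("value", "")
        if not val:
            problems.append(f"{tp}: EncodedCertificate is empty")
            continue
        if not STRICT_B64.fullmatch(val):
            problems.append(f"{tp}: EncodedCertificate is not clean base64 (whitespace or character references?)")
            continue
        der = base64.b64decode(val, validate=True)
        if not der or der[0] != 0x30:
            problems.append(f"{tp}: decoded bytes do not start with a DER SEQUENCE")
            continue
        actual = thumbprint(der)
        if actual != tp.upper():
            problems.append(f"{tp}: SHA-1 thumbprint of the certificate is {actual}")
    return problems


# Constructed sample reproducing the failure modes discussed in the thread: empty certificate
# values, a base64 value carrying an &#10; character reference, and unreplaced placeholders.
BAD_DOC = """<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <characteristic type="Root"><characteristic type="System">
      <characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
        <parm name="EncodedCertificate" value=""/>
      </characteristic>
    </characteristic></characteristic>
    <characteristic type="My"><characteristic type="User">
      <characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
        <parm name="EncodedCertificate" value="MAMCAQE=&#10;"/>
      </characteristic>
      <characteristic type="PrivateKeyContainer"/>
    </characteristic></characteristic>
  </characteristic>
  <characteristic type="EnterpriseAppManagement">
    <characteristic type="EnterpriseIDInsertedHere">
      <parm datatype="string" name="EnrollmentToken" value="AETInsertedHere"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

if __name__ == "__main__":
    # Constructed stand-ins for DER certificates: a bare SEQUENCE { INTEGER }, not real X.509.
    root_der, client_der = b"\x30\x03\x02\x01\x01", b"\x30\x03\x02\x01\x02"
    print("good document:", check_provisioning_doc(make_cert_store_doc(root_der, client_der)) or "no problems")
    for p in check_provisioning_doc(BAD_DOC):
        print("bad document:", p)
```

Run the module directly to see the constructed bad document fail on all four points; feed it the real document your server produces to check it before the phone ever sees it. Because the check parses the XML first, any `&#10;` or similar reference in the attribute becomes a real newline and is rejected by the strict base64 test, which is the symptom the second tip describes.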