MDM Workplace Enrollment on RT Tablet

  • Question

  • I'm trying to set up a custom MDM enrollment on a Lumia 2520 tablet. Unlike Windows 8.1 phones, you can't enter in the enrollment URL. Thus, the enrollment process takes your @domain and uses:

    https://EnterpriseRegistration.[yourdomain]/EnrollmentServer/contract

    That's all fine & dandy. My JSON from that contract URL is returning the proper server response (I've replaced my URLs):

    {
      "DeviceRegistrationService": {
        "RegistrationEndpoint": "https://sts.contoso.com/EnrollmentServer/DeviceEnrollmentWebService.svc",
        "RegistrationResourceId": "urn:ms-drs:sts.contoso.com",
        "ServiceVersion": "1.0"
      },
      "AuthenticationService": {
        "OAuth2": {
          "AuthCodeEndpoint": "https://sts.contoso.com/adfs/oauth2/authorize",
          "TokenEndpoint": "https://sts.contoso.com/adfs/oauth2/token"
        }
      },
      "IdentityProviderService": {
        "PassiveAuthEndpoint": "https://sts.contoso.com/adfs/ls"
      }
    }

    However, when this is returned to the device, the device then loads the https://EnterpriseRegistration.[yourdomain]/ URL.

    I'm at a loss on how to get it to follow the flow on a Windows Phone. I was hoping it would pass in the same XML a Win Phone does during enrollment, i.e.

    <s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">
      <s:Header>
        <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover</a:Action>
        <a:MessageID>urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
        <a:ReplyTo>
          <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
        </a:ReplyTo>
        <a:To s:mustUnderstand="1">http://enrollment URL/xxx</a:To>
      </s:Header>
      <s:Body>
        <Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
          <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
            <EmailAddress>xxxxx@xxxx.com</EmailAddress>
            <RequestVersion>2.0</RequestVersion>
            <DeviceType>WindowsPhone</DeviceType>
          </request>
        </Discover>
      </s:Body>
    </s:Envelope>

    Any help would be appreciated! 

    Thursday, October 23, 2014 3:48 PM

All replies

  • The MDM protocol for Windows 8.1 and Windows 8.1 RT devices, MS-MDM, is slightly different than Windows Phone 8 & 8.1. The protocol documentation for Windows 8.1 Enterprise device management can be downloaded here:

    http://download.microsoft.com/download/9/5/E/95EF66AF-9026-4BB0-A41D-A4F81802D92C/[MS-MDM].pdf

    We also have a white paper on the protocol that provides the same information in a format more like the Windows Phone protocol document, here:

    http://download.microsoft.com/download/8/6/B/86BAC59D-0DA3-4B9C-AF15-C077DC0D46CF/Windows%208.1%20Enterprise%20Device%20Management%20Protocol.pdf


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    • Marked as answer by Danny Conroy Monday, October 27, 2014 9:22 PM
    Friday, October 24, 2014 1:56 PM
    Moderator
  • Thank you for these docs! I knew there had to be slight differences, didn't know there were separate doc files. 
    Friday, October 24, 2014 4:57 PM
  • It seems I was overly confused between the 2 different options: Join a workplace, and Turn On management. I believe the Turn On management is what I want.

    Where I'm at now is that when I click it, my code activates and the discovery.svc gets called. However, when I send back an HTTP Status 200, I'm expecting to get a POST to discovery.svc. However, it just dies after the Response is returned to the device.

    Is there anything special that needs to be done upon that first GET? I'm following the docs and it just doesn't seem to work.

    Also - is there anywhere in the event viewer to see the events/logs? I know for the "JOIN" workplace option that I can view the events and logs via: Apps & Services Logs > Microsoft > Windows > Workplace Join

    Friday, October 24, 2014 7:45 PM
  • Want to address my own issue:

    There seem to be calls to both enterpriseenrollment.yourdomain.com AND enterpriseregistration.yourdomain.com

    My cert was for the opposite of what was being called. That seems to be resolved now. 

    Friday, October 24, 2014 8:44 PM
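
The certificate/hostname mismatch described in the last post can be checked before a device is involved. The following is an added example, not code from the thread: it takes the contract JSON and a certificate's SAN DNS names and lists every host that no SAN entry covers. The function names and SAN lists are hypothetical and constructed, and the matching assumes standard single-label wildcard rules.

```python
import json
from urllib.parse import urlparse

# Discovery host prefixes named in the thread.
DISCOVERY_PREFIXES = ("enterpriseenrollment", "enterpriseregistration")

def san_matches(host, san):
    """Compare a host with one SAN dNSName; '*' may only be the left-most label."""
    host, san = host.lower().rstrip("."), san.lower().rstrip(".")
    if not san.startswith("*."):
        return host == san
    # "*.contoso.com" covers exactly one extra label, never the bare domain.
    head, _, tail = host.partition(".")
    return bool(head) and tail == san[2:]

def endpoint_hosts(node):
    """Yield the host of every https URL string found in the contract JSON."""
    if isinstance(node, dict):
        node = list(node.values())
    if isinstance(node, list):
        for value in node:
            yield from endpoint_hosts(value)
    elif isinstance(node, str) and node.lower().startswith("https://"):
        yield urlparse(node).hostname

def uncovered_hosts(domain, contract_json, sans):
    """Return the hosts the device will contact that no SAN entry covers."""
    needed = {f"{prefix}.{domain}".lower() for prefix in DISCOVERY_PREFIXES}
    needed.update(endpoint_hosts(json.loads(contract_json)))
    return sorted(h for h in needed if not any(san_matches(h, s) for s in sans))

# Contract document as posted in the question (contoso.com placeholder URLs).
CONTRACT = json.dumps({
    "DeviceRegistrationService": {
        "RegistrationEndpoint": "https://sts.contoso.com/EnrollmentServer/DeviceEnrollmentWebService.svc",
        "RegistrationResourceId": "urn:ms-drs:sts.contoso.com",
        "ServiceVersion": "1.0"},
    "AuthenticationService": {"OAuth2": {
        "AuthCodeEndpoint": "https://sts.contoso.com/adfs/oauth2/authorize",
        "TokenEndpoint": "https://sts.contoso.com/adfs/oauth2/token"}},
    "IdentityProviderService": {"PassiveAuthEndpoint": "https://sts.contoso.com/adfs/ls"},
})

if __name__ == "__main__":
    # Constructed SAN list: certificate issued for only one discovery name.
    sans = ["enterpriseregistration.contoso.com", "sts.contoso.com"]
    for host in uncovered_hosts("contoso.com", CONTRACT, sans):
        print("no SAN covers:", host)
```
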