Windows Phone 8 MDM: Problem after enrollment

  • Question

  • I am implementing a server side solution for Windows Phone 8 MDM and have completed the enrollment process. When I enter the URL to my discovery service in the "Company Apps" UI, the phone sends all the expected requests:

    1. GET Discovery
    2. POST Discovery
    3. POST Policy
    4. POST Enrollment

    After I respond to the Enrollment POST with the two certificates etc., the phone shows "Account added" and my account is added under Company Apps.

    However, below the app name the text "attention required" is shown, and when I enter the app, it asks for a password. When I enter a password and press "done", the phone makes the following requests:

    1. GET Discovery
    2. POST Discovery
    3. POST Policy

    I respond with the exact same info as in the initial step, but there is no request to Enrollment.

    And now my questions:

    1. What is supposed to happen after the Enrollment POST? I expect some request to be sent to the URL that is provided in the w7 APPLICATION object of the response. Is this correct?
    2. As I understand it, the app entered a "certificate renewal state" and therefore needs attention. But why does it not make the request to the enrollment service where the certificates are exchanged?

    Any help as to why this is happening is much appreciated.


    Monday, April 29, 2013 12:17 PM

Answers

  • Question 1: A POST to the address provided in the ADDR parameter in the response containing a SyncML message.
    Monday, May 20, 2013 2:44 PM

All replies

  • Question number 2 was because the client certificate was set to expire in 30 days, while the renewal period was set to 42 days. Changing the OMA Client Provisioning XML from

    <characteristic type="Registry">
      <characteristic type="HKLM\Software\Microsoft\Enrollment">
        <parm name="RenewalPeriod" value="42" datatype="integer" />
      </characteristic>
    </characteristic>

    to

    <characteristic type="Registry">
      <characteristic type="HKLM\Software\Microsoft\Enrollment">
        <parm name="RenewalPeriod" value="10" datatype="integer" />
      </characteristic>
    </characteristic>

    solved this.

    However, Question 1 remains unanswered.

    Monday, April 29, 2013 2:39 PM
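The mismatch described in this reply (a 30-day client certificate with a 42-day RenewalPeriod puts the account into the renewal state the moment it is issued) can be caught before the provisioning document is sent. The check below is an added example, not code from the thread: it reads RenewalPeriod from the OMA Client Provisioning XML and compares it with the certificate validity window. The XML fragment and the certificate dates are constructed here; the certificate lifetime is passed in as a number of days rather than parsed from the DER blob.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta

# Constructed OMA Client Provisioning fragment mirroring the Registry block from the thread.
PROVISIONING_XML = """<wap-provisioningdoc version="1.1">
  <characteristic type="Registry">
    <characteristic type="HKLM\\Software\\Microsoft\\Enrollment">
      <parm name="RenewalPeriod" value="42" datatype="integer" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>"""

# The same document with the corrected value from the reply.
FIXED_XML = PROVISIONING_XML.replace('value="42"', 'value="10"')

# Constructed issuance date (notBefore) for the client certificate.
NOT_BEFORE = datetime(2013, 4, 29)


def renewal_period_days(doc_xml: str) -> int:
    """Return the RenewalPeriod (days) from the HKLM\\...\\Enrollment registry characteristic."""
    root = ET.fromstring(doc_xml)
    for char in root.iter("characteristic"):
        if char.get("type", "").lower().endswith("\\software\\microsoft\\enrollment"):
            for parm in char.findall("parm"):
                if parm.get("name") == "RenewalPeriod":
                    return int(parm.get("value"))
    raise ValueError("RenewalPeriod not found in provisioning document")


def renewal_window_start(not_before: datetime, not_after: datetime, renewal_days: int) -> datetime:
    """The client enters the renewal state renewal_days before the certificate's notAfter."""
    return not_after - timedelta(days=renewal_days)


def needs_attention_at_enrollment(not_before: datetime, not_after: datetime, renewal_days: int) -> bool:
    """True when the renewal window opens at or before issuance, i.e. the account shows
    'attention required' right after enrollment and never gets a normal first sync."""
    return renewal_window_start(not_before, not_after, renewal_days) <= not_before


def check_provisioning(doc_xml: str, not_before: datetime, lifetime_days: int) -> dict:
    """Combine the provisioning value with the certificate validity window into one verdict."""
    not_after = not_before + timedelta(days=lifetime_days)
    days = renewal_period_days(doc_xml)
    return {
        "renewal_period_days": days,
        "cert_lifetime_days": lifetime_days,
        "renewal_window_start": renewal_window_start(not_before, not_after, days),
        "immediate_renewal": needs_attention_at_enrollment(not_before, not_after, days),
    }
```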
  • Hi PatrikAnderson,

    I am stuck in the certificate enrollment step. This is the WAP provisioning XML:

    <wap-provisioningdoc version="1.1">
      <characteristic type="CertificateStore">
        <characteristic type="Root">
          <characteristic type="9E84B48B06FEBAD4EEEAAE5E8F9A61C890443CAC">
            <parm name="EncodedCertificate" value="MIIE5jCCA86gAwIBAgIJAMU+KPSD6vm8MA0GCSqGSIb3DQEBBQUAMIGcMQswCQYDVQQGEwJJTjEMMAoGA1UECBMDTUFIMRQwEgYDVQQHEwtCQU5ZQU4gUEFSSzEVMBMGA1UEChMMVENTIE1PQklMSVRZMR4wHAYDVQQLExVXSU5ET1dTIE1ETSBKVU5FIDIwMTMxFjAUBgNVBAMTDVRDUyBKVU5FIDIwMTMxGjAYBgkqhkiG9w0BCQEWC3Rjc0B0Y3MuY29tMB4XDTEzMDYxMjEzNTAxMFoXDTE0MDYxMjEzNTAxMFowgZwxCzAJBgNVBAYTAklOMQwwCgYDVQQIEwNNQUgxFDASBgNVBAcTC0JBTllBTiBQQVJLMRUwEwYDVQQKEwxUQ1MgTU9CSUxJVFkxHjAcBgNVBAsTFVdJTkRPV1MgTURNIEpVTkUgMjAxMzEWMBQGA1UEAxMNVENTIEpVTkUgMjAxMzEaMBgGCSqGSIb3DQEJARYLdGNzQHRjcy5jb20wggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQDVTO0rRk2fyk3xL8HxrVCaP4Nrbz7OrnxqxozyUeESyUSbFq6F7Ucxk1z6s9evqgTfUUQjcsJvuPALhfEzkG1cg6Q1S1aHnL7FOmmksjYGpq96qcW1vpQAJD9jdT1tMYRFrvy/4MSUVVJpThQcKplX1rgT1vg+w1Nwv6VM8RVCZFa6IpXEvZq72FCP702kPCa1SzCSBhyN4xm3qzR0D2zruQhqXfiadV5xLmqROoAqJRZk7KS6nR6E00Jj8oYpcMAL6oEtyGw+Hhgm1NJ5um8pzeahuKTEnpy5fF/vv3whKGuRAohBJgGxN9+88e6Z1mInjEaVKceZCJJnNPuk2mnTAgMBAAGjggEnMIIBIzAdBgNVHQ4EFgQU5wwv5wSRYfo76/31ojtCITBSwrgwgdEGA1UdIwSByTCBxoAU5wwv5wSRYfo76/31ojtCITBSwrihgaKkgZ8wgZwxCzAJBgNVBAYTAklOMQwwCgYDVQQIEwNNQUgxFDASBgNVBAcTC0JBTllBTiBQQVJLMRUwEwYDVQQKEwxUQ1MgTU9CSUxJVFkxHjAcBgNVBAsTFVdJTkRPV1MgTURNIEpVTkUgMjAxMzEWMBQGA1UEAxMNVENTIEpVTkUgMjAxMzEaMBgGCSqGSIb3DQEJARYLdGNzQHRjcy5jb22CCQDFPij0g+r5vDAMBgNVHRMEBTADAQH/MAsGA1UdDwQEAwIFoDATBgNVHSUEDDAKBggrBgEFBQcDATANBgkqhkiG9w0BAQUFAAOCAQEAaQXV6XjLeRrlNKtRRe3l/K/2aU6bTcXQwxIVZ4/eALZa6wJPCpRZqNChg1qU9G4/by01hd3sl4OOjIDYDsn7D1cxEs2rZRkH1DYkR7cJW4ZWrANHrX1EilL3l6PS3udcXmfpBjSSm42tTLBO+kyKeZ2OD+Rwx0TvMqdenriSv5UYjyLNUoHdQkthiaLSkvo8aVJFSAmJtwemZbRNKA0ET86a/mHuQ9whnALcj8XYENKsTavQJNb2R3O/YuV/r9oNlHMnx0cSbmkJ+ejimx99wcsY4SZzEQ4m3+7gLGR1tUcEwl+wdYTaZZcYFGhlm5iML25N8kvZnQVW1dgiCs0g3w=="/>
          </characteristic>
        </characteristic>
        <characteristic type="My">
          <characteristic type="User">
            <characteristic type="4930A92543ECEE668BB213037E3AA75455A848AC">
              <parm name="EncodedCertificate" value="MIIDfzCCAmegAwIBAgIJAO6FjtlsAR8rMA0GCSqGSIb3DQEBBQUAMIGcMQswCQYDVQQGEwJJTjEMMAoGA1UECBMDTUFIMRQwEgYDVQQHEwtCQU5ZQU4gUEFSSzEVMBMGA1UEChMMVENTIE1PQklMSVRZMR4wHAYDVQQLExVXSU5ET1dTIE1ETSBKVU5FIDIwMTMxFjAUBgNVBAMTDVRDUyBKVU5FIDIwMTMxGjAYBgkqhkiG9w0BCQEWC3Rjc0B0Y3MuY29tMB4XDTEzMDYxODEyMjg1MFoXDTE0MDYxODEyMjg1MFowMDEuMCwGA1UEAxMlQjFDNDNDRDAtMTYyNC01RkJCLThFNTQtMzRDRjE3REZEM0ExADCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALhqJFYLAKgu6GbL1oFUL5LB+ojBQ+NFFFJht42Ie8uC25oyqp82wEoQ9I4aH/6cHcwVioTav+9ybgNnprNt1uFDms2+8ic+b4lLPnX4KtzfmEu9CslJkIRJF759zcRDP/4QpB12WewMzK91LuzdrOoNY+PbpynEI7TqDeUCGp/KGaas07RiiEHshW55ED5kcBGrFlHqw3lICKnb1dhiT79FLRCImNbUJz5HKX/D7FP71XRiGXfl5ZRUL3hKhXICp3g/12Y2y9m4mLw1hDi7Z/Ng7zBUtnVl/6ebUviZeAe4rZQSEtdqis2OJdwmzDy4mnkAC3YjOOET5ZypORTmG00CAwEAAaMvMC0wCQYDVR0TBAIwADALBgNVHQ8EBAMCB4AwEwYDVR0lBAwwCgYIKwYBBQUHAwIwDQYJKoZIhvcNAQEFBQADggEBAEbW28sjCsV6iEz2bOMcY0AO4pRG1Y7Q3eedbh4bm+pNd9eo+PCNAO+Goi4I9/Ze0lviwneEVlais6H64yLvDVqdFVoFImpfz26OCsxG09sPbScsXTRGl0vF3vGfZWKd61iJzW4E/uaxuMV0Nw2OX9wcgB5vYDrqlWrx/G7ratnI+vQu9+vR6hasTz7N/2bvORzfGL2/AIh2pi8eANkJTfYLUL6acggwUpj1Ja0euRE6K9/KY5geuFvC8vA4YBrzt2SXoODXd/QySlXi4xEtLizrgn0n3rIqbyjl3YUB5qmHXpU/20ZDHFMixvcJznY/JbO8O5yKfzgWsIXSZURuBro="/>
            </characteristic>
            <characteristic type="PrivateKeyContainer">
              <parm name="KeySpec" value="2"/>
              <parm name="ContainerName" value="ConfigMgrEnrollment"/>
              <parm name="ProviderType" value="1"/>
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="APPLICATION">
        <parm name="APPID" value="w7"/>
        <parm name="PROVIDER-ID" value="TestMDMServer"/>
        <parm name="NAME" value="Microsoft"/>
        <parm name="CONNRETRYFREQ" value="6"/>
        <parm name="INITIALBACKOFFTIME" value="30000"/>
        <parm name="MAXBACKOFFTIME" value="120000"/>
        <parm name="BACKCOMPATRETRYDISABLED"/>
        <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
        <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DB1C43CD0%2D1624%2D5FBB%2D8E54%2D34CF17DFD3A1&Stores=My%5CUser"/>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="CLIENT"/>
          <parm name="AAUTHTYPE" value="DIGEST"/>
          <parm name="AAUTHSECRET" value="password1"/>
          <parm name="AAUTHDATA" value="-285701335"/>
        </characteristic>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="APPSRV"/>
          <parm name="AAUTHTYPE" value="BASIC"/>
          <parm name="AAUTHNAME" value="testclient"/>
          <parm name="AAUTHSECRET" value="password2"/>
        </characteristic>
      </characteristic>
      <characteristic type="Registry">
        <characteristic type="HKLM\Software\Microsoft\Enrollment">
          <parm datatype="integer" name="RenewalPeriod" value="42"/>
        </characteristic>
        <characteristic type="HKLM\Software\Microsoft\Enrollment\OmaDmRetry">
          <parm datatype="integer" name="NumRetries" value="8"/>
          <parm datatype="integer" name="RetryInterval" value="15"/>
          <parm datatype="integer" name="AuxNumRetries" value="5"/>
          <parm datatype="integer" name="AuxRetryInterval" value="3"/>
          <parm datatype="integer" name="Aux2NumRetries" value="0"/>
          <parm datatype="integer" name="Aux2RetryInterval" value="480"/>
        </characteristic>
      </characteristic>
      <characteristic type="DMClient">
        <characteristic type="Provider">
          <characteristic type="TestMDMServer">
            <parm datatype="string" name="EntDeviceName" value="Administrator_WindowsPhone"/>
          </characteristic>
        </characteristic>
      </characteristic>
    </wap-provisioningdoc>

    1. Should the root certificate be the one that signs the device CSR, or should it be the web server's root certificate?

    2. In the client Appauth, what should the value of AuthType be?

    3. What should the value of SSLCLIENTCERTSEARCHCRITERIA in the application tag be?

    4. Is it mandatory to include the EnterpriseAppManagement characteristic?

    Wednesday, June 19, 2013 7:55 AM
  • Hi PatrikAndersson,

    I am facing a problem in enrollment. I have created a public domain and created a sub domain with the name enterpriseenrollment. I have created a web service, but when the phone sends a POST request it gives error 404.

    The URL enterpriseenrollment.domain-name/enrollmentserver/discovery.scv works fine in IE. I am really stuck; please guide me in writing the discovery and enrollment web services.

    Thanks

    Shailesh


    Thursday, October 17, 2013 6:37 AM
  • I would advise you to ask this in a new thread, since it does not relate directly to the main topic of this thread.

    However, where do you see the 404? Is the problem with automatic discovery from the e-mail address, or do you enter the URL manually in the Company Apps UI? If you enter the URL manually, it does not have to be of the form enterpriseenrollment...

    I would try to enter the URL manually, use https, and manually install the https SSL certificate on the phone if needed. This is what I did to get the discovery service to work.

    Thursday, October 17, 2013 7:13 AM
  • Sorry for asking my query in this post; I created a new thread but didn't get any response.

    Can you please share the code of the discovery and enrollment web service with me? I tried what you said but still get error 307.

    Thanks

    Thursday, October 17, 2013 2:15 PM
  • I edited the code in Application_BeginRequest (global.asax.cs) to return HTTP 200, but the Company Apps app didn't send a POST after the GET response. Can you share the code of the Discovery Service with me?

    Long Tom

    Monday, November 4, 2013 7:33 AM