Why Windows Phone 8.1 MDM DMClient doesn't send ClientCertificate to MDM Server

  • Question

  • Hi,

    We are developing our Windows 8.1 MDM server. Enrollment is completed and works well for my WP (8.1); next, the WP will set up the connection with the DM management server. The issue is:

    1. If our management server doesn't request a client certificate, the WP DM client can work well with the management server,

    2. but if the management server is configured to ask for a client certificate, the WP DM client fails to set up the connection with the management server because it doesn't send a client certificate to the server, whereas Windows 8.1 PCs or tablets can send the client certificate to the server and set up the connection.

    3. The provisioning responses to the WP and the tablets are the same, so why can't the WP set up the connection when the DM management server requests a client certificate?

    Here is the connection error log for the WP:

    http-bio-8443-exec-9, READ: TLSv1.2 Handshake, length = 141
    *** ClientHello, TLSv1.2
    RandomCookie:  GMT: 1391166912 bytes = { 166, 69, 188, 3, 152, 76, 52, 227, 142, 74, 181, 116, 0, 95, 93, 118, 2, 64, 28, 1, 59, 120, 178, 254, 168, 60, 22, 176 }

    *******************

    *** ServerHello, TLSv1.2
    RandomCookie:  GMT: 1391167275 bytes = { 156, 191, 4, 2, 92, 39, 125, 126, 68, 144, 194, 221, 226, 54, 194, 104, 56, 181, 6, 76, 157, 45, 74, 87, 40, 231, 45, 233 }
    *******************

    ***
    *** CertificateRequest
    Cert Types: RSA, DSS, ECDSA
    Supported Signature Algorithms: SHA512withECDSA, SHA512withRSA, SHA384withECDSA, SHA384withRSA, SHA256withECDSA, SHA256withRSA, SHA224withECDSA, SHA224withRSA, SHA1withECDSA, SHA1withRSA, SHA1withDSA, MD5withRSA
    Cert Authorities:
    <CN=10.104.150.118, OU=Unknown, O=Unknown, L=Unknown, ST=tj, C=cn>
    <CN=pro-DC-CA, DC=pro, DC=qagood, DC=com>    
    <CN=9ee656d6-6c15-4fd0-9707-87f717e33455>
    *** ServerHelloDone

    *********************

    http-bio-8443-exec-9, received EOFException: error
    http-bio-8443-exec-9, handling exception: javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    %% Invalidated:  [Session-32, TLS_RSA_WITH_AES_128_CBC_SHA256]
    http-bio-8443-exec-9, SEND TLSv1.2 ALERT:  fatal, description = handshake_failure
    http-bio-8443-exec-9, WRITE: TLSv1.2 Alert, length = 2
    [Raw write]: length = 7
    0000: 15 03 03 00 02 02 28                               ......(
    http-bio-8443-exec-9, called closeSocket()
    http-bio-8443-exec-9, IOException in getSession():  javax.net.ssl.SSLHandshakeException: Remote host closed connection during handshake
    http-bio-8443-exec-9, called close()
    http-bio-8443-exec-9, called closeInternal(true)

    Here is the provisioning response, both for WP 8.1 and tablets with 8.1:

    <wap-provisioningdoc version="1.1">
    <characteristic type="CertificateStore">
    <characteristic type="Root">
    <characteristic type="System">
    <characteristic type="8ec6a5a9504a31e17a7dda1d3773aea0c985aeab">
    <parm name="EncodedCertificate" value="**" />
    </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="My">
    <characteristic type="User">
    <characteristic type="3a06dfa6d143ad7a2bc144d32631f9cfb7b5d5e3">
    <parm name="EncodedCertificate" value="***" />
    <characteristic type="PrivateKeyContainer">
    <parm name="KeySpec" value="2" />
    <parm name="ContainerName" value="ConfigMgrEnrollment" />
    <parm name="ProviderType" value="1" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="CertificateStore">
    <characteristic type="My">
    <characteristic type="WSTEP">
    <characteristic type="Renew">
    <parm name="ROBOSupport" value="true" datatype="boolean" />
    <parm name="RenewPeriod" value="42" datatype="integer" />
    <parm name="RetryInterval" value="7" datatype="integer" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="APPLICATION">
    <parm name="APPID" value="w7" />
    <parm name="PROVIDER-ID" value="Test" />
    <parm name="NAME" value="Test" />
    <parm name="ADDR" value="https://10.104.150.118:8443/DeviceGatewayProxy/WindowsPhone.ashx" />
    <parm name="CONNRETRYFREQ" value="6" />
    <parm name="INITIALBACKOFFTIME" value="2000" />
    <parm name="MAXBACKOFFTIME" value="120000" />
    <parm name="BACKCOMPATRETRYDISABLED" />
    <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3D15930d74-75c0-44bd-b1e9-ab8543a08970&amp;Stores=MY%5CUser" />
    <parm name="USEHWDEVID"/>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT" />
    <parm name="AAUTHTYPE" value="DIGEST" />
    <parm name="AAUTHSECRET" value="dummy" />
    <parm name="AAUTHDATA" value="bm9uY2U=" />
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV" />
    <parm name="AAUTHTYPE" value="DIGEST" />
    <parm name="AAUTHNAME" value="CN=15930d74-75c0-44bd-b1e9-ab8543a08970" />
    <parm name="AAUTHSECRET" value="dummy" />
    <parm name="AAUTHDATA" value="bm9uY2U=" />
    </characteristic>
    </characteristic>
    <characteristic type="DMClient">
    <characteristic type="Provider">
    <characteristic type="Test">
    <parm name="EntDeviceName" value="CN=15930d74-75c0-44bd-b1e9-ab8543a08970" datatype="string" />
    <characteristic type="Poll">
    <parm name="NumberOfFirstRetries" value="5" datatype="integer" />
    <parm name="IntervalForFirstSetOfRetries" value="3" datatype="integer" />
    <parm name="NumberOfSecondRetries" value="8" datatype="integer" />
    <parm name="IntervalForSecondSetOfRetries" value="15" datatype="integer" />
    <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
    <parm name="IntervalForRemainingScheduledRetries" value="480" datatype="integer" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </wap-provisioningdoc>

    • Edited by -FreeSoul- Friday, August 15, 2014 4:52 AM
    • Moved by Eric Fleck Friday, August 15, 2014 2:34 PM MDM question
    Thursday, August 14, 2014 10:07 AM

Answers

  • We will try PRINTABLE_STRING, but currently we haven't got a company account to get the AET (Application Enrollment Token) file from Symantec, so we cannot verify the Company Hub download function.

    For the current issue of Windows Phone not sending the client certificate to the MDM server, do you have any suggestion?



    • Edited by -FreeSoul- Wednesday, August 20, 2014 5:59 AM
    • Marked as answer by -FreeSoul- Tuesday, November 25, 2014 2:13 AM
    Wednesday, August 20, 2014 3:30 AM

All replies

  • What are the characteristics of the client certificate you are sending to the device?  (Subject, Key Usage, Extended Key Usage, etc...)

    Was the client certificate signed by one of the requested authorities?

    <CN=10.104.150.118, OU=Unknown, O=Unknown, L=Unknown, ST=tj, C=cn>
    <CN=pro-DC-CA, DC=pro, DC=qagood, DC=com>
    <CN=9ee656d6-6c15-4fd0-9707-87f717e33455>

    http://blogs.msdn.com/b/wsdevsol/archive/2013/10/03/troubleshooting-your-windows-phone-8-enterprise-mobile-device-management-implementation.aspx


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Friday, August 15, 2014 2:51 PM
  • Thanks Eric for your response.

    Yes, the client certificate is signed by the second one,

    <CN=pro-DC-CA, DC=pro, DC=qagood, DC=com>, which is a self-signed CA.


    The client certificate subject is: CN = 1ad89c8a-9df7-433c-9506-db3334903c42

    Issued by: pro-DC-CA

    Key Usage: Digital Signature (80)

    Enhanced Key Usage: Client Authentication (1.3.6.1.5.5.7.3.2)

    Subject Key Identifier: 10 8f 35 c0 12 e3 65 9f e1 61 3f 31 67 ae 08 7f 65 0e 93 b0

    MSDN doesn't allow me to attach an image; here is the certificate in the provisioning doc. Please save it as a .cer file to check it. Thanks.

    <characteristic type="CertificateStore">
    <characteristic type="Root">
    <characteristic type="System">
    <characteristic type="4829986bbda8fbb3580eb3eeb809d17807db633a">
    <parm name="EncodedCertificate" value="MIIDKDCCAhCgAwIBAgIEEmh7dzANBgkqhkiG9w0BAQUFADBWMRMwEQYKCZImiZPyLGQBGRYDY29t
    MRYwFAYKCZImiZPyLGQBGRYGcWFnb29kMRMwEQYKCZImiZPyLGQBGRYDcHJvMRIwEAYDVQQDEwlw
    cm8tREMtQ0EwHhcNMTQwODE1MDI0NjA0WhcNMTYwODE0MDI0NjA0WjBWMRMwEQYKCZImiZPyLGQB
    GRYDY29tMRYwFAYKCZImiZPyLGQBGRYGcWFnb29kMRMwEQYKCZImiZPyLGQBGRYDcHJvMRIwEAYD
    VQQDEwlwcm8tREMtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCZv0Ep8JwhI+v4
    S6CU2D/wfvZ5KMosa0q5LNscv0DWxBXWhqgPgatpefhTDd63o/KGvG10gxI4RDkjqaSzuBGDR+q1
    tV/Z5anUzacIZYn8pIzvd3ba4oJ/ZEg2918GTJEr2aqFqcrOEl6DWU2KXCQCvGO26CJ0vM5j0nEr
    aAliWWZDL+XP3fPwWjlm5WblHR+64OqSlvZG7JZ2MdLmVKt/IUMfB2WBwab3wXWGQf4wkQEDY1Yy
    yhgPKWR0264NK4eAbMuUQGmOQKWAla8i5FKneXUpyS3we3CkSjA+EBb2gCce4AaWEUKSjWpjEuW8
    LAmPzjCF6eiZTUZ5GGd0GPmnAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAIch7rR/rj7MpRwV5qJP
    yveYtcOUbG6n2tMXlp9IPKgpGMDnPnKwjMvp8ouFnh+nq3Vmqxe8cScYGAB/VmvAysPK+3ptwlC8
    f6GzAc2+WlkhQbMQ+mob050JccG682QWD4GRFXkD/q7w450lWwphbPo2/Pkwuy/trm2Mh+vt0sDp
    XUNYyUFfnE6OknyJjRL0xXDPDiJ6oKIIKDWDj1SvJJBVPBh5Sh2HwTMu7qV3eIG6JU+xbzNEJ8Xz
    4UD6WyMVaiaiX//H1OSXlba+yN/vRwQRkXwic510PMcCC4DRSR4atyweAlKhmJjOEblWXiK8XuRc
    b5gq2n0NEngHhBFRnV8=
    " /> </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="My">
    <characteristic type="User">
    <characteristic type="755a3d6fb4493c0d89ef7238c6d4acf12be4fca0">
    <parm name="EncodedCertificate" value="MIIDSTCCAjWgAwIBAgIBATAJBgUrDgMCHQUAMFYxEzARBgoJkiaJk/IsZAEZFgNjb20xFjAUBgoJ
    kiaJk/IsZAEZFgZxYWdvb2QxEzARBgoJkiaJk/IsZAEZFgNwcm8xEjAQBgNVBAMMCXByby1EQy1D
    QTAeFw0xNDA4MTgwNDEyNDhaFw0xNjA4MTcwNDEyNDhaMC8xLTArBgNVBAMMJDFhZDg5YzhhLTlk
    ZjctNDMzYy05NTA2LWRiMzMzNDkwM2M0MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AOKYfmAD6xZuQVZ3VUIDv1tRxjLgkLiOx5aqOal5g7ZLW/HWZf1G2lsSkOGNSI+VRZ1J/rRyTSTR
    aMFMWKNDRy/hExjpVwx4W62sGBYCfd1kgklYHqqRXsHndN1bQZbmU1/i5xLEGimFpo0FPqQ8o59O
    qabc07ClnZZ9dUMov32B/BBUnaVe0ZU7RHdIy/HGPOvuL5P6mOOBkKJIoc/3gyTrFfStR5vQpuze
    x3dAu8UTMhJtFRpdA9Z2ux4gNtVewe6XsB+ymhgMak73x2e6tMU7Yu7TwoXSDWbOsEbjYaQwQ2qt
    rvL/cXKS4Vsg7+5yV001FfHjxnGiZbqJsac5CRECAwEAAaNRME8wDgYDVR0PAQH/BAQDAgeAMAkG
    A1UdEwQCMAAwHQYDVR0OBBYEFBCPNcAS42Wf4WE/MWeuCH9lDpOwMBMGA1UdJQQMMAoGCCsGAQUF
    BwMCMAkGBSsOAwIdBQADggEBAHTvMN01SL3eIrTT1dlsqykv6fdiQoifEvDOUjkK0in0GxFxnwve
    MmhJkzc9S2QoOaDELIhyT0YA6lgwLgG+vy03+UDJlR2bPH5N5maU8LYrpJ0jHPDja3UA74E4AiyH
    OTVFqp0Ryknno5zH2tsM1SQo+3zC3xAnBHkOg8w3i42LQoYfTdgGj6SDcGDpGYBhLeO83lGYIQqI
    GTGjrCISg/5MvvtTadG30XN6u2qeUuAwVVLDI6IksKTKey4kKK9xlC5qpoFI7z9nMQQI2Jx9jSxR
    TWViXwiV4rrW7Qv7gnoVqBLd3YFOJJCBLLFkOaZhCqRdkHGqy510aYG87tKhsfM=
    " /> <characteristic type="PrivateKeyContainer">
    <parm name="KeySpec" value="2" />
    <parm name="ContainerName" value="ConfigMgrEnrollment" />
    <parm name="ProviderType" value="1" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="CertificateStore">
    <characteristic type="My">
    <characteristic type="WSTEP">
    <characteristic type="Renew">
    <parm name="ROBOSupport" value="true" datatype="boolean" />
    <parm name="RenewPeriod" value="42" datatype="integer" />
    <parm name="RetryInterval" value="7" datatype="integer" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>



    • Edited by -FreeSoul- Monday, August 18, 2014 4:21 AM
    Monday, August 18, 2014 4:16 AM
  • The client certificate Subject name (1ad89c8a-9df7-433c-9506-db3334903c42) in your latest post does not match the SSLCLIENTCERTSEARCHCRITERIA (15930d74-75c0-44bd-b1e9-ab8543a08970) value from your previous post...

    009e:    |  |        0c 24                      ; UTF8_STRING (24 Bytes)
    00a0:    |  |           31 61 64 38 39 63 38 61  2d 39 64 66 37 2d 34 33  ; 1ad89c8a-9df7-43
    00b0:    |  |           33 63 2d 39 35 30 36 2d  64 62 33 33 33 34 39 30  ; 3c-9506-db333490
    00c0:    |  |           33 63 34 32                                       ; 3c42
             |  |              ; "1ad89c8a-9df7-433c-9506-db3334903c42"
    
    
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3D15930d74-75c0-44bd-b1e9-ab8543a08970&amp;Stores=MY%5CUser" />
    

    ...are these from separate enrollment attempts?

    FYI: I also notice that the client certificate Subject CN is using the UTF8_STRING ASN.1 encoding rather than the PRINTABLE_STRING ASN.1 encoding type; this should not affect the SyncML session but will prevent Company Hub download from working.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Monday, August 18, 2014 6:03 PM
  • Eric,

    Yes, they are from separate enrollment tests. Here is the whole provisioning doc for Subject Name (1ad89c8a-9df7-433c-9506-db3334903c42):

    <wap-provisioningdoc version="1.1">
    <characteristic type="CertificateStore">
    <characteristic type="Root">
    <characteristic type="System">
    <characteristic type="4829986bbda8fbb3580eb3eeb809d17807db633a">
    <parm name="EncodedCertificate" value="MIIDKDCCAhCgAwIBAgIEEmh7dzANBgkqhkiG9w0BAQUFADBWMRMwEQYKCZImiZPyLGQBGRYDY29t
    MRYwFAYKCZImiZPyLGQBGRYGcWFnb29kMRMwEQYKCZImiZPyLGQBGRYDcHJvMRIwEAYDVQQDEwlw
    cm8tREMtQ0EwHhcNMTQwODE1MDI0NjA0WhcNMTYwODE0MDI0NjA0WjBWMRMwEQYKCZImiZPyLGQB
    GRYDY29tMRYwFAYKCZImiZPyLGQBGRYGcWFnb29kMRMwEQYKCZImiZPyLGQBGRYDcHJvMRIwEAYD
    VQQDEwlwcm8tREMtQ0EwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCZv0Ep8JwhI+v4
    S6CU2D/wfvZ5KMosa0q5LNscv0DWxBXWhqgPgatpefhTDd63o/KGvG10gxI4RDkjqaSzuBGDR+q1
    tV/Z5anUzacIZYn8pIzvd3ba4oJ/ZEg2918GTJEr2aqFqcrOEl6DWU2KXCQCvGO26CJ0vM5j0nEr
    aAliWWZDL+XP3fPwWjlm5WblHR+64OqSlvZG7JZ2MdLmVKt/IUMfB2WBwab3wXWGQf4wkQEDY1Yy
    yhgPKWR0264NK4eAbMuUQGmOQKWAla8i5FKneXUpyS3we3CkSjA+EBb2gCce4AaWEUKSjWpjEuW8
    LAmPzjCF6eiZTUZ5GGd0GPmnAgMBAAEwDQYJKoZIhvcNAQEFBQADggEBAIch7rR/rj7MpRwV5qJP
    yveYtcOUbG6n2tMXlp9IPKgpGMDnPnKwjMvp8ouFnh+nq3Vmqxe8cScYGAB/VmvAysPK+3ptwlC8
    f6GzAc2+WlkhQbMQ+mob050JccG682QWD4GRFXkD/q7w450lWwphbPo2/Pkwuy/trm2Mh+vt0sDp
    XUNYyUFfnE6OknyJjRL0xXDPDiJ6oKIIKDWDj1SvJJBVPBh5Sh2HwTMu7qV3eIG6JU+xbzNEJ8Xz
    4UD6WyMVaiaiX//H1OSXlba+yN/vRwQRkXwic510PMcCC4DRSR4atyweAlKhmJjOEblWXiK8XuRc
    b5gq2n0NEngHhBFRnV8=
    " /> </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="My">
    <characteristic type="User">
    <characteristic type="755a3d6fb4493c0d89ef7238c6d4acf12be4fca0">
    <parm name="EncodedCertificate" value="MIIDSTCCAjWgAwIBAgIBATAJBgUrDgMCHQUAMFYxEzARBgoJkiaJk/IsZAEZFgNjb20xFjAUBgoJ
    kiaJk/IsZAEZFgZxYWdvb2QxEzARBgoJkiaJk/IsZAEZFgNwcm8xEjAQBgNVBAMMCXByby1EQy1D
    QTAeFw0xNDA4MTgwNDEyNDhaFw0xNjA4MTcwNDEyNDhaMC8xLTArBgNVBAMMJDFhZDg5YzhhLTlk
    ZjctNDMzYy05NTA2LWRiMzMzNDkwM2M0MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB
    AOKYfmAD6xZuQVZ3VUIDv1tRxjLgkLiOx5aqOal5g7ZLW/HWZf1G2lsSkOGNSI+VRZ1J/rRyTSTR
    aMFMWKNDRy/hExjpVwx4W62sGBYCfd1kgklYHqqRXsHndN1bQZbmU1/i5xLEGimFpo0FPqQ8o59O
    qabc07ClnZZ9dUMov32B/BBUnaVe0ZU7RHdIy/HGPOvuL5P6mOOBkKJIoc/3gyTrFfStR5vQpuze
    x3dAu8UTMhJtFRpdA9Z2ux4gNtVewe6XsB+ymhgMak73x2e6tMU7Yu7TwoXSDWbOsEbjYaQwQ2qt
    rvL/cXKS4Vsg7+5yV001FfHjxnGiZbqJsac5CRECAwEAAaNRME8wDgYDVR0PAQH/BAQDAgeAMAkG
    A1UdEwQCMAAwHQYDVR0OBBYEFBCPNcAS42Wf4WE/MWeuCH9lDpOwMBMGA1UdJQQMMAoGCCsGAQUF
    BwMCMAkGBSsOAwIdBQADggEBAHTvMN01SL3eIrTT1dlsqykv6fdiQoifEvDOUjkK0in0GxFxnwve
    MmhJkzc9S2QoOaDELIhyT0YA6lgwLgG+vy03+UDJlR2bPH5N5maU8LYrpJ0jHPDja3UA74E4AiyH
    OTVFqp0Ryknno5zH2tsM1SQo+3zC3xAnBHkOg8w3i42LQoYfTdgGj6SDcGDpGYBhLeO83lGYIQqI
    GTGjrCISg/5MvvtTadG30XN6u2qeUuAwVVLDI6IksKTKey4kKK9xlC5qpoFI7z9nMQQI2Jx9jSxR
    TWViXwiV4rrW7Qv7gnoVqBLd3YFOJJCBLLFkOaZhCqRdkHGqy510aYG87tKhsfM=
    " /> <characteristic type="PrivateKeyContainer">
    <parm name="KeySpec" value="2" />
    <parm name="ContainerName" value="ConfigMgrEnrollment" />
    <parm name="ProviderType" value="1" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="CertificateStore">
    <characteristic type="My">
    <characteristic type="WSTEP">
    <characteristic type="Renew">
    <parm name="ROBOSupport" value="true" datatype="boolean" />
    <parm name="RenewPeriod" value="42" datatype="integer" />
    <parm name="RetryInterval" value="7" datatype="integer" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    <characteristic type="APPLICATION">
    <parm name="APPID" value="w7" />
    <parm name="PROVIDER-ID" value="GOODMDM" />
    <parm name="NAME" value="GOODMDM" />
    <parm name="ADDR" value="https://10.104.150.118/DeviceGatewayProxy/WindowsPhone.ashx" />
    <parm name="CONNRETRYFREQ" value="6" />
    <parm name="INITIALBACKOFFTIME" value="2000" />
    <parm name="MAXBACKOFFTIME" value="120000" />
    <parm name="BACKCOMPATRETRYDISABLED" />
    <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3D1ad89c8a-9df7-433c-9506-db3334903c42&amp;Stores=MY%5CUser" />
    <parm name="USEHWDEVID"/>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="CLIENT" />
    <parm name="AAUTHTYPE" value="DIGEST" />
    <parm name="AAUTHSECRET" value="dummy" />
    <parm name="AAUTHDATA" value="bm9uY2U=" />
    </characteristic>
    <characteristic type="APPAUTH">
    <parm name="AAUTHLEVEL" value="APPSRV" />
    <parm name="AAUTHTYPE" value="DIGEST" />
    <parm name="AAUTHNAME" value="CN=1ad89c8a-9df7-433c-9506-db3334903c42" />
    <parm name="AAUTHSECRET" value="dummy" />
    <parm name="AAUTHDATA" value="bm9uY2U=" />
    </characteristic>
    </characteristic>
    <characteristic type="DMClient">
    <characteristic type="Provider">
    <characteristic type="GOODMDM">
    <parm name="EntDeviceName" value="CN=1ad89c8a-9df7-433c-9506-db3334903c42" datatype="string" />
    <characteristic type="Poll">
    <parm name="NumberOfFirstRetries" value="5" datatype="integer" />
    <parm name="IntervalForFirstSetOfRetries" value="3" datatype="integer" />
    <parm name="NumberOfSecondRetries" value="8" datatype="integer" />
    <parm name="IntervalForSecondSetOfRetries" value="15" datatype="integer" />
    <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
    <parm name="IntervalForRemainingScheduledRetries" value="480" datatype="integer" />
    </characteristic>
    </characteristic>
    </characteristic>
    </characteristic>
    </wap-provisioningdoc>

    Tuesday, August 19, 2014 2:50 AM
  • Can you change your server code to use ASN.1 type: PRINTABLE_STRING for the Subject name property of the client certificate and retry your test?

    This may not make any difference in your current test scenario, but you need to change this for Company Hub download to work, so it's worth testing on the off chance that it affects this scenario.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Tuesday, August 19, 2014 5:15 PM
  • We will try PRINTABLE_STRING, but currently we haven't got a company account to get the AET (Application Enrollment Token) file from Symantec, so we cannot verify the Company Hub download function.

    For the current issue of Windows Phone not sending the client certificate to the MDM server, do you have any suggestion?



    • Edited by -FreeSoul- Wednesday, August 20, 2014 5:59 AM
    • Marked as answer by -FreeSoul- Tuesday, November 25, 2014 2:13 AM
    Wednesday, August 20, 2014 3:30 AM
  • Eric, it works after we changed the client certificate subject property from UTF8String to PrintableString. We can get the client certificate from the DM client now. Thanks a lot!

    Another question: As I said, we don't have a company account and an associated Symantec certificate, so is it possible to distribute a company hub during enrollment? Say I generated an AET file and a XAP file with Windows App Studio; if I put the enrollment token from the AET file and the application ID from the XAP file into the enrollment provisioning doc, will it work?

    Or must we buy a company account and a Symantec certificate? We're in the prototype phase, and we don't have too much money :(

    Wednesday, August 20, 2014 2:57 PM
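    Both the observation in the August 18 reply (the subject CN is a UTF8_STRING) and the fix confirmed above (re-issuing with a PrintableString subject makes the phone present the certificate) can be checked on the raw bytes rather than by eye. The script below is an added example, not code from this thread or from the Windows Phone DM client: it is a minimal stdlib-only DER walker, just enough for X.509 Name structures, fed with the client certificate posted earlier in the thread. It reports the ASN.1 string type of the subject CN, whether the subject satisfies the SSLCLIENTCERTSEARCHCRITERIA value (as the client sees it after XML decoding, so `&` rather than `&amp;`), and the issuer CN type, and it shows what the server-side fix amounts to: emitting a subject Name whose CN is tagged 0x13 (PrintableString) instead of 0x0C (UTF8String). The function names (check_client_cert, encode_cn_name) are mine. One thing the walk also shows, and which is worth knowing when a server mints its own certificates: this certificate's issuer field writes CN as UTF8String too, while the root CA certificate posted in the thread encodes its own subject CN as PrintableString, so the two DNs are not byte-for-byte equal; a generator should copy the CA's subject Name bytes into the issuer field rather than re-encode the string, since strict chain builders compare them as bytes.

```python
"""Which ASN.1 string type does a DER certificate use for its subject CN? (stdlib only)"""
import base64
import urllib.parse

TAG_UTF8_STRING = 0x0C
TAG_PRINTABLE_STRING = 0x13
STRING_TYPES = {0x0C: "UTF8String", 0x13: "PrintableString", 0x16: "IA5String", 0x1E: "BMPString"}
OID_COMMON_NAME = bytes.fromhex("550403")  # id-at-commonName, 2.5.4.3
PRINTABLE_CHARS = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789 '()+,-./:=?")

# Client certificate posted in the thread (My/User EncodedCertificate), copied verbatim.
CLIENT_CERT_DER = base64.b64decode(
    "MIIDSTCCAjWgAwIBAgIBATAJBgUrDgMCHQUAMFYxEzARBgoJkiaJk/IsZAEZFgNjb20xFjAUBgoJ"
    "kiaJk/IsZAEZFgZxYWdvb2QxEzARBgoJkiaJk/IsZAEZFgNwcm8xEjAQBgNVBAMMCXByby1EQy1D"
    "QTAeFw0xNDA4MTgwNDEyNDhaFw0xNjA4MTcwNDEyNDhaMC8xLTArBgNVBAMMJDFhZDg5YzhhLTlk"
    "ZjctNDMzYy05NTA2LWRiMzMzNDkwM2M0MjCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEB"
    "AOKYfmAD6xZuQVZ3VUIDv1tRxjLgkLiOx5aqOal5g7ZLW/HWZf1G2lsSkOGNSI+VRZ1J/rRyTSTR"
    "aMFMWKNDRy/hExjpVwx4W62sGBYCfd1kgklYHqqRXsHndN1bQZbmU1/i5xLEGimFpo0FPqQ8o59O"
    "qabc07ClnZZ9dUMov32B/BBUnaVe0ZU7RHdIy/HGPOvuL5P6mOOBkKJIoc/3gyTrFfStR5vQpuze"
    "x3dAu8UTMhJtFRpdA9Z2ux4gNtVewe6XsB+ymhgMak73x2e6tMU7Yu7TwoXSDWbOsEbjYaQwQ2qt"
    "rvL/cXKS4Vsg7+5yV001FfHjxnGiZbqJsac5CRECAwEAAaNRME8wDgYDVR0PAQH/BAQDAgeAMAkG"
    "A1UdEwQCMAAwHQYDVR0OBBYEFBCPNcAS42Wf4WE/MWeuCH9lDpOwMBMGA1UdJQQMMAoGCCsGAQUF"
    "BwMCMAkGBSsOAwIdBQADggEBAHTvMN01SL3eIrTT1dlsqykv6fdiQoifEvDOUjkK0in0GxFxnwve"
    "MmhJkzc9S2QoOaDELIhyT0YA6lgwLgG+vy03+UDJlR2bPH5N5maU8LYrpJ0jHPDja3UA74E4AiyH"
    "OTVFqp0Ryknno5zH2tsM1SQo+3zC3xAnBHkOg8w3i42LQoYfTdgGj6SDcGDpGYBhLeO83lGYIQqI"
    "GTGjrCISg/5MvvtTadG30XN6u2qeUuAwVVLDI6IksKTKey4kKK9xlC5qpoFI7z9nMQQI2Jx9jSxR"
    "TWViXwiV4rrW7Qv7gnoVqBLd3YFOJJCBLLFkOaZhCqRdkHGqy510aYG87tKhsfM=")

def _read_tlv(buf, pos):
    """Decode one DER TLV at buf[pos]; returns (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: the next (length & 0x7F) bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def _children(value):
    """(tag, value) pairs contained in a constructed DER value (SEQUENCE or SET)."""
    out, pos = [], 0
    while pos < len(value):
        tag, val, pos = _read_tlv(value, pos)
        out.append((tag, val))
    return out

def _cn_of_name(name_value):
    """Walk Name ::= SEQUENCE OF SET OF {OID, value}; return (string tag, text) of the CN."""
    for _, rdn in _children(name_value):
        for _, atv in _children(rdn):
            (_, oid), (tag, text) = _children(atv)
            if oid == OID_COMMON_NAME:
                return tag, text.decode("utf-8")
    raise ValueError("no commonName in Name")

def _tbs_fields(cert_der):
    """Top-level fields of tbsCertificate with the explicit [0] version dropped."""
    _, cert, _ = _read_tlv(cert_der, 0)
    _, tbs = _children(cert)[0]
    fields = _children(tbs)
    return fields[1:] if fields[0][0] == 0xA0 else fields

def issuer_cn(cert_der):  # fields: serial, signature, issuer, validity, subject, ...
    return _cn_of_name(_tbs_fields(cert_der)[2][1])

def subject_cn(cert_der):
    return _cn_of_name(_tbs_fields(cert_der)[4][1])

def check_client_cert(cert_der, search_criteria):
    """What the DM client has to decide: does this cert satisfy SSLCLIENTCERTSEARCHCRITERIA,
    and how is its subject CN encoded (the thread found the phone needs PrintableString)."""
    params = dict(urllib.parse.parse_qsl(search_criteria))  # "Subject=CN%3D...&Stores=MY%5CUser"
    s_tag, s_cn = subject_cn(cert_der)
    i_tag, i_cn = issuer_cn(cert_der)
    return {
        "subject_cn": s_cn,
        "subject_cn_type": STRING_TYPES.get(s_tag, hex(s_tag)),
        "issuer_cn": i_cn,
        "issuer_cn_type": STRING_TYPES.get(i_tag, hex(i_tag)),
        "matches_search_criteria": params.get("Subject") == "CN=" + s_cn,
        "printable_string": s_tag == TAG_PRINTABLE_STRING,
    }

def _tlv(tag, value):
    assert len(value) < 128, "short-form DER length is enough for a CN"
    return bytes([tag, len(value)]) + value

def encode_cn_name(cn, string_tag=TAG_PRINTABLE_STRING):
    """DER Name with a single CN RDN; the default is the PrintableString encoding that fixed the thread's issue."""
    if string_tag == TAG_PRINTABLE_STRING and not set(cn) <= PRINTABLE_CHARS:
        raise ValueError("CN has characters outside PrintableString; use UTF8String")
    atv = _tlv(0x30, _tlv(0x06, OID_COMMON_NAME) + _tlv(string_tag, cn.encode("utf-8")))
    return _tlv(0x30, _tlv(0x31, atv))

if __name__ == "__main__":
    criteria = "Subject=CN%3D1ad89c8a-9df7-433c-9506-db3334903c42&Stores=MY%5CUser"
    for key, val in check_client_cert(CLIENT_CERT_DER, criteria).items():
        print(f"{key:24} {val}")
    print("fixed subject:", encode_cn_name("1ad89c8a-9df7-433c-9506-db3334903c42").hex())
```

    Run against the posted certificate, the report shows subject_cn_type UTF8String, matches_search_criteria True for the second provisioning doc and False for the first one (the GUID mismatch pointed out on August 18), and the encoded fixed subject differs from the posted one by exactly the one tag byte, 0x13 in place of 0x0C.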
  • I was unaware that Windows App Studio could generate an AET...

    If Windows App Studio provides an AETX file for a Windows Phone app, then I expect that you would be able to use that AET for testing this scenario.

    In the AETX file, which is an XML-format file, you will find an EnterpriseAppManagement characteristic node. Use this node as the basis for the same node in your server's enrollment provisioning response. The AETX version of this node only contains the EnrollmentToken, so you will need to add the nodes StoreProductID, StoreUri, CertificateSearchCriteria and CRLCheck, as appropriate for your implementation / test configuration.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Wednesday, August 20, 2014 5:21 PM
  • Windows App Studio can generate a XAP file together with an AETX file; however, it's not signed by Symantec.

    I put the enrollment token from the .aetx file and added some necessary fields to our provisioning doc, but it doesn't work. The device downloads the XAP file; however, it pops up a dialog with the message "Unable to install enterprise app". I guess the cause is the certificate. It seems the XAP must be signed by Symantec. The device has some logic to check it, right?

    We have another two questions. 1. We have a Surface 2 (Windows RT 8.1), logged in with a Microsoft account; why is there no 'Enter server address' when trying to 'Turn on device management' in Workplace? 2. We set the server address in 'HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'; then enrollment succeeds, but it fails to set up the DM session connection. The failure message is the same as the message that happened on the phone before, and no matter what encoding is used for the certificate subject, it always fails with the same error.

    Thanks.

    • Edited by -FreeSoul- Thursday, August 21, 2014 10:37 AM more questions
    Thursday, August 21, 2014 6:15 AM
  • Eric, can you help on this? Thanks.
    Wednesday, August 27, 2014 7:59 AM
  • Was there any error value associated with the install failure?

    For managed Enterprise app Install on Windows Phone, the EnterpriseAppManagement node must be included in the wap-provisioningdoc pushed to the device during initial enrollment. 
    When you use the EnterpriseAppManagement CSP to install a XAP file, it will check to make sure the app signing certificate has the same enterprise ID as the registered EnterpriseID, which is the first child node within the EnterpriseAppManagement node.

    I'm not sure about your Windows Surface 2 question, but I'll ask around.


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Friday, August 29, 2014 2:54 PM
  • The Windows Surface 2 issue (can't send client certificate) was already fixed after a system update.

    For the issue of enterprise app installation, it works using the sample app provided by Intune, but using the app generated by Windows App Studio still fails. I guess it's because the enterprise ID is not associated with a company developer account? (BTW, the app generated by App Studio is also signed by Symantec; I made a mistake in my previous reply.)

    The following are the error codes I can find from the Windows Power Tools.

    Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Leaving  GetEnterpriseManagementAppURL with result (2147942487). 

    And something like this:

    Microsoft-WindowsPhone-EnrollmentUX-Provider//, Return value from function = 2147942402. 

    Microsoft-WindowsPhone-EnrollmentUX-Provider//, Return value from function = 2149056527. 

    Microsoft-WindowsPhone-EnrollmentUX-Provider//, Return value from function = 2147500037. 

    Monday, September 1, 2014 7:12 AM
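    The return values in the trace above are HRESULTs printed as unsigned decimals, which is why they look meaningless; the first thing to do with them is convert to hex and split out facility and code. The following is an added example, not part of the thread or of any Microsoft tool, written against the four lines quoted above as constructed sample input. It decodes 2147942487 to 0x80070057 (E_INVALIDARG, i.e. HRESULT_FROM_WIN32(ERROR_INVALID_PARAMETER)), 2147942402 to 0x80070002 (ERROR_FILE_NOT_FOUND), 2147500037 to 0x80004005 (E_FAIL) and 2149056527 to 0x8018000F, which is in the facility 0x18 range that the phone's enrollment client uses for its own MENROLL_E_* codes; that last one is deliberately left unnamed here and should be looked up in the MDM enrollment error list rather than guessed. The name tables are intentionally short and the function names are mine.

```python
"""Turn the decimal return values in a Windows Phone enrollment trace into HRESULTs."""
import re

# The four trace lines quoted in the post above, copied as sample input.
TRACE_LINES = [
    "Microsoft-WindowsPhone-Enrollment-API-Provider//win:Info, Leaving  GetEnterpriseManagementAppURL with result (2147942487).",
    "Microsoft-WindowsPhone-EnrollmentUX-Provider//, Return value from function = 2147942402.",
    "Microsoft-WindowsPhone-EnrollmentUX-Provider//, Return value from function = 2149056527.",
    "Microsoft-WindowsPhone-EnrollmentUX-Provider//, Return value from function = 2147500037.",
]

# Deliberately small tables: only values this example is certain of.
FACILITY_NAMES = {0: "FACILITY_NULL", 7: "FACILITY_WIN32", 0x18: "phone enrollment (MENROLL_E_*) range"}
WIN32_CODES = {2: "ERROR_FILE_NOT_FOUND", 87: "ERROR_INVALID_PARAMETER"}
HRESULT_NAMES = {0x80004005: "E_FAIL", 0x80070057: "E_INVALIDARG"}

_RESULT_RE = re.compile(r"\b(\d{9,10})\b")  # the decimal the ETW consumer prints

def decode_hresult(value):
    """Split an HRESULT (as unsigned decimal or int) into severity, facility and code."""
    hr = int(value) & 0xFFFFFFFF
    facility, code = (hr >> 16) & 0x7FF, hr & 0xFFFF
    name = HRESULT_NAMES.get(hr)
    if facility == 7 and code in WIN32_CODES:  # HRESULT_FROM_WIN32(code)
        name = WIN32_CODES[code] if name is None else f"{name} / {WIN32_CODES[code]}"
    return {
        "hex": f"0x{hr:08X}",
        "failed": bool(hr >> 31),          # severity bit set means failure
        "facility": facility,
        "facility_name": FACILITY_NAMES.get(facility, "unknown"),
        "code": code,
        "name": name,                      # None when not in the tables above
    }

def decode_trace(lines):
    """(provider, decoded HRESULT) for every trace line that carries a result value."""
    out = []
    for line in lines:
        m = _RESULT_RE.search(line)
        if m:
            out.append((line.split("//")[0], decode_hresult(m.group(1))))
    return out

if __name__ == "__main__":
    for provider, hr in decode_trace(TRACE_LINES):
        print(f"{provider:48} {hr['hex']} facility={hr['facility']:#x} "
              f"({hr['facility_name']}) code={hr['code']} {hr['name'] or ''}")
```

    The E_INVALIDARG from GetEnterpriseManagementAppURL is the one worth chasing first in a trace like this, since it comes from the enrollment API itself rather than from the UX layer that wraps it.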
  • What were the previous few log entries?  (... before the GetEnterpriseManagementAppURL log with the error.)

    Were there any previous log entries with "enterprise" in the text?


    Eric Fleck, Windows Store and Windows Phone Developer Support. If you would like to provide feedback or suggestions for future improvements to the Windows Phone SDK please go to http://wpdev.uservoice.com/ where you can post your suggestions and/or cast your votes for existing suggestions.

    Tuesday, September 2, 2014 2:46 PM
  • No more logs contain "enterprise"...

    We have deferred implementing this feature until we get a Symantec certificate.

    Thanks for your help!

    Wednesday, September 3, 2014 2:12 AM