Windows 10 MDM Enrollment Service issue

  • Question

  • I am developing an MDM solution for Windows Phone 10 Insider Preview. I have gone through the document "WP 8.1 Enterprise Device Management Protocol" and have successfully implemented the Discovery and EnrollmentPolicyService web services, but I am facing a problem with the certificate enrollment web service. I have handled the PKCS#10 request from the device and tried to generate a certificate using BouncyCastle. I am returning the DER-format PKCS#10 certificate request, Base64-encoded, inside the </wsse:BinarySecurityToken> XML tag. I have done everything as per the protocol documentation, but with no luck. I am posting the response and the wap.xml for the certificate enrollment web service. Please help me with this issue; I have been stuck on it for a long time.

    WAP XML file

    <wap-provisioningdoc version="1.1">
      <!-- WAP provisioning document returned by the certificate enrollment service
           to the device. Reformatted for readability; element whitespace is not
           significant here. -->
      <characteristic type="CertificateStore">
        <characteristic type="Root">
          <characteristic type="System">
            <!-- Characteristic type is the thumbprint of the root CA certificate
                 (40 hex characters, presumably SHA-1). The EncodedCertificate value
                 was removed from the post. -->
            <characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
              <parm name="EncodedCertificate" value="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"/>
            </characteristic>
          </characteristic>
        </characteristic>
        <characteristic type="My">
          <characteristic type="User">
            <!-- Thumbprint of the client certificate issued for this enrollment;
                 it must differ from the root entry above. -->
            <characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
              <parm name="EncodedCertificate" value="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"/>
            </characteristic>
            <characteristic type="PrivateKeyContainer"/>
            <!-- NOTE(review): the three parms below sit at the User level after a
                 self-closed PrivateKeyContainer, so they are not children of it.
                 Confirm against the protocol sample whether they belong inside that
                 characteristic or should be removed. -->
            <parm name="KeySpec" value="2"/>
            <parm name="ContainerName" value="ConfigMgrEnrollment"/>
            <parm name="ProviderType" value="1"/>
            <!-- This tag must be present for XML syntax correctness. -->
          </characteristic>
          <characteristic type="WSTEP">
            <characteristic type="Renew">
              <parm datatype="boolean" name="ROBOSupport" value="true"/>
              <parm datatype="integer" name="RenewPeriod" value="60"/>
              <parm datatype="integer" name="RetryInterval" value="4"/>
            </characteristic>
          </characteristic>
        </characteristic>
      </characteristic>
      <characteristic type="APPLICATION">
        <parm name="APPID" value="w7"/>
        <!-- PROVIDER-ID must match the DMClient/Provider characteristic type below. -->
        <parm name="PROVIDER-ID" value="TestMDMServer"/>
        <parm name="NAME" value="Enrollment"/>
        <!-- NOTE(review): ADDR is a plain http URL, but SSLCLIENTCERTSEARCHCRITERIA
             below selects a client certificate for the TLS handshake, which only
             happens over https. Use an https endpoint for the DM server. -->
        <parm name="ADDR" value="http://10.120.76.220:8999/EnrollmentServer/Auth.svc"/>
        <parm name="CONNRETRYFREQ" value="6"/>
        <parm name="INITIALBACKOFFTIME" value="30000"/>
        <parm name="MAXBACKOFFTIME" value="120000"/>
        <parm name="BACKCOMPATRETRYDISABLED"/>
        <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
        <!-- Search criteria for the client certificate in the My\User store; the
             Subject value is URL-encoded and is expected to match the Subject of
             the issued certificate above. -->
        <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DB92E7305-9462-4B48&amp;Stores=My%5CUser"/>
        <!-- NOTE(review): the AAUTHSECRET / AAUTHDATA values below are the sample
             values from the protocol document and are carried in cleartext in this
             response; replace them with per-enrollment secrets and a real Base64
             nonce, and deliver this document only over TLS. -->
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="CLIENT"/>
          <parm name="AAUTHTYPE" value="DIGEST"/>
          <parm name="AAUTHSECRET" value="password1"/>
          <parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
        </characteristic>
        <characteristic type="APPAUTH">
          <parm name="AAUTHLEVEL" value="APPSRV"/>
          <parm name="AAUTHTYPE" value="BASIC"/>
          <parm name="AAUTHNAME" value="testclient"/>
          <parm name="AAUTHSECRET" value="password2"/>
        </characteristic>
      </characteristic>
      <characteristic type="DMClient">
        <!-- Starting with Windows Phone 8.1, an enrollment server should use DMClient CSP XML to configure DM polling schedules. The polling schedule registry keys will be deprecated after Windows Phone 8.1. -->
        <characteristic type="Provider">
          <!-- ProviderID in DMClient CSP must match PROVIDER-ID in the w7 APPLICATION characteristic. -->
          <characteristic type="TestMDMServer">
            <characteristic type="Poll">
              <parm datatype="integer" name="NumberOfFirstRetries" value="8"/>
              <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15"/>
              <parm datatype="integer" name="NumberOfSecondRetries" value="5"/>
              <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3"/>
              <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0"/>
              <!-- In Windows Phone 8.1, MDM push is supported for real-time communication. The DM client long term polling schedule's retry waiting interval should be more than 24 hours (1440) to reduce the impact to data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters. -->
              <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560"/>
            </characteristic>
            <parm datatype="string" name="EntDeviceName" value="Administrator_WindowsPhone"/>
          </characteristic>
        </characteristic>
      </characteristic>
    </wap-provisioningdoc>

    Thursday, July 23, 2015 7:03 PM

All replies

  • Try

    <wap-provisioningdoc version="1.1">
       <!-- Template enrollment response. Every ALL_CAPS token (CERTI_FINGERPRINT,
            MEMDM, BASE64_ROOT_CERTIFICATE_HERE, BASE64_USER_CERTIFICATE_HERE,
            YOUR_MDM_URL, CA_SUBJECT_HERE, USER_UPN) is a placeholder that must be
            replaced before the document is sent to a device. -->
       <characteristic type="CertificateStore">
          <characteristic type="Root">
             <characteristic type="System">
                <!-- CERTI_FINGERPRINT: thumbprint of the root CA certificate
                     (the original post uses 40 hex characters here). -->
                <characteristic type="CERTI_FINGERPRINT">
                   <parm name="EncodedCertificate" value="BASE64_ROOT_CERTIFICATE_HERE" />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="CertificateStore">
          <characteristic type="My">
             <characteristic type="User">
                <!-- CERTI_FINGERPRINT: thumbprint of the issued client certificate;
                     a different value from the root entry above. -->
                <characteristic type="CERTI_FINGERPRINT">
                   <parm name="EncodedCertificate" value="BASE64_USER_CERTIFICATE_HERE" />
                </characteristic>
                <!-- Kept empty on purpose; the protocol sample requires it to be present. -->
                <characteristic type="PrivateKeyContainer" />
             </characteristic>
             <characteristic type="WSTEP">
                <characteristic type="Renew">
                   <parm name="ROBOSupport" value="true" datatype="boolean" />
                   <parm name="RenewPeriod" value="60" datatype="integer" />
                   <parm name="RetryInterval" value="4" datatype="integer" />
                </characteristic>
             </characteristic>
          </characteristic>
       </characteristic>
       <characteristic type="APPLICATION">
          <parm name="APPID" value="w7" />
          <!-- PROVIDER-ID must match the DMClient/Provider characteristic type below (MEMDM). -->
          <parm name="PROVIDER-ID" value="MEMDM" />
          <parm name="NAME" value="MEMDM" />
          <!-- NOTE(review): use an https URL here; SSLCLIENTCERTSEARCHCRITERIA below
               selects the client certificate for the TLS handshake, which plain
               http never performs. -->
          <parm name="ADDR" value="YOUR_MDM_URL" />
          <parm name="CONNRETRYFREQ" value="6" />
          <parm name="INITIALBACKOFFTIME" value="30000" />
          <parm name="MAXBACKOFFTIME" value="120000" />
          <parm name="BACKCOMPATRETRYDISABLED" />
          <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+xml" />
          <!-- NOTE(review): despite the placeholder name, this criterion searches the
               My\User store, i.e. it selects the issued client certificate; the
               original post uses that certificate's CN (URL-encoded) here, not the
               CA's subject. Confirm which Subject is intended. -->
          <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CA_SUBJECT_HERE&amp;Stores=My%5CUser" />
          <!-- NOTE(review): password1, password2 and ZHVtbXk= are sample values and
               are sent in cleartext inside this document; replace them with
               per-enrollment secrets and a real Base64 nonce, and only deliver the
               document over TLS. -->
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="CLIENT" />
             <parm name="AAUTHTYPE" value="DIGEST" />
             <parm name="AAUTHSECRET" value="password1" />
             <parm name="AAUTHDATA" value="ZHVtbXk=" />
          </characteristic>
          <characteristic type="APPAUTH">
             <parm name="AAUTHLEVEL" value="APPSRV" />
             <parm name="AAUTHTYPE" value="BASIC" />
             <parm name="AAUTHNAME" value="testclient" />
             <parm name="AAUTHSECRET" value="password2" />
          </characteristic>
       </characteristic>
       <characteristic type="DMClient">
          <characteristic type="Provider">
             <!-- Characteristic type must equal the PROVIDER-ID above. -->
             <characteristic type="MEMDM">
                <!-- USER_UPN: the enrolling user's UPN. -->
                <parm name="UPN" value="USER_UPN" datatype="string" />
                <characteristic type="Poll">
                   <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
                   <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
                   <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
                   <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
                   <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
                   <parm name="IntervalForRemainingScheduledRetries" value="1560" datatype="integer" />
                   <parm name="PollOnLogin" value="true" datatype="boolean" />
                </characteristic>
                <parm name="EntDeviceName" value="Administrator_Windows" datatype="string" />
             </characteristic>
          </characteristic>
       </characteristic>
    </wap-provisioningdoc>

    Replace

    CERTI_FINGERPRINT,

    MEMDM,

    BASE64_ROOT_CERTIFICATE_HERE, 

    BASE64_USER_CERTIFICATE_HERE, 

    YOUR_MDM_URL, 

    CA_SUBJECT_HERE, 

    USER_UPN

    with appropriate values.

    Friday, July 24, 2015 8:19 AM