Windows Phone 8.1 Enterprise Device
Contents
1. [Table of contents, continued]
(previous entry, title lost) ........ 44
Getting Push credentials through Windows Store ........ 45
Acquiring application-based WNS credentials for MDM Push ........ 45
Generate your PFX file ........ 49
Enterprise app management over DM server ........ 50
Enterprise application install/update/uninstall (Update in Windows Phone 8.1) ........ 50
Enterprise application restrictions (New in Windows Phone 8.1) ........ 50
Device lock policy configuration ........ 53
(entry unreadable) ........ 53
Querying device encryption status ........ 54
Enabling internal storage encryption ........ 54
Remote wipe ........ 54
Storage card policy configuration ........ 54
Cellular app download limit configuration (new for GDR2) ........ 55
Data protection under lock (new for GDR2) ........ 55
Enterprise anti-theft override (New for GDR2) ........ 56
Fully managed VPN setting (new for GDR2) ........
2. [Time zone table, continued. For the first rows the ID column and most of the UTC offset were lost in extraction; only the names survive:]
Tehran (…:30); Moscow, St. Petersburg, Volgograd (RTZ 2); Abu Dhabi, Muscat; Minsk; Baku; Yerevan; Kabul (…:30); Tbilisi; Port Louis; Izhevsk, Samara (RTZ 3); Tashkent; Chennai, Kolkata, Mumbai, New Delhi (…:30); Sri Jayawardenepura (…:30); Kathmandu (…:45); Islamabad, Karachi; Ekaterinburg (RTZ 4); Astana

ID     Time zone
0x71C  (UTC+06:30) Yangon (Rangoon)
0x726  (UTC+06:00) Dhaka
0x712  (UTC+06:00) Novosibirsk (RTZ 5)
0x776  (UTC+07:00) Bangkok, Hanoi, Jakarta
0x76C  (UTC+07:00) Krasnoyarsk (RTZ 6)
0x7D0  (UTC+08:00) Beijing, Chongqing, Hong Kong SAR, Urumqi
0x7E4  (UTC+08:00) Kuala Lumpur, Singapore
0x7EE  (UTC+08:00) Taipei
0x7F8  (UTC+08:00) Perth
0x802  (UTC+08:00) Ulaanbaatar
0x7DA  (UTC+08:00) Irkutsk (RTZ 7)
0x834  (UTC+09:00) Seoul
0x83E  (UTC+09:00) Osaka, Sapporo, Tokyo
0x852  (UTC+09:30) Darwin
0x85C  (UTC+09:30) Adelaide
0x848  (UTC+09:00) Yakutsk (RTZ 8)
0x898  (UTC+10:00) Canberra, Melbourne, Sydney
0x8A2  (UTC+10:00) Brisbane
0x8AC  (UTC+10:00) Hobart
0x8C0  (UTC+10:00) Guam, Port Moresby
0x8B6  (UTC+10:00) Vladivostok, Magadan (RTZ 9)
0x8FC  (UTC+11:00) Solomon Is., New Caledonia
0x906  (UTC+12:00) Magadan
0x91A  (UTC+11:00) Chokurdakh (RTZ 10)
0x960  (UTC+12:00) Fiji
0x96A  (UTC+12:00) Auckland, Wellington
0x974  (UTC+12:00) Petropavlovsk-Kamchatsky - Old
0x97E  (UTC+12:00) Coordinated Universal Time+12
0x988  (UTC+12:00) Anadyr, Petropavlovsk-Kamchatsky (RTZ 11)
0x9C4  (UTC+13:00) Nuku'alofa
0x64   (UTC+13:00) Samoa
0xA28  (UTC+14:00) Kiritimati Island

Set the language and locale. Here is an example: [example not captured in this excerpt]. For more information about the Windows Phone languages, see Phone languages.
3. Note: In Windows Phone 8.1 the AccountName is not properly set. To set the email account name, use ContentTypes/<GUID>/Name. This issue has been fixed for the Windows Phone 8.1 GDR1 release.

Password: Required. A character string that specifies the password for the account. Supported operations: Get, Replace, Add and Delete. For the Get command, only asterisks are returned.

ServerName: Required. A character string that specifies the server name used by the account. Supported operations: Get, Replace, Add (cannot Add after the account is created).

UserName: Required. A character string that specifies the user name for the account. Supported operations: Get, Add (cannot Add after the account is created). The user name cannot be changed after a sync has been successfully performed. The user name can be in the fully qualified format (someone@example.com) or just username, depending on the type of account created. For most Exchange accounts the user name format is just username, whereas for Microsoft, Google, Yahoo and most POP/IMAP accounts the user name format is someone@example.com.

UseSSL: Optional. A character string that specifies whether SSL is used. The default is 1 (used). Supported operations: Get, Replace, Add (cannot Add after the account is created). The value of 0 specifies that SSL is not used. The default value of 1 specifies that SSL is used.

Schedule: Required. A character string that specifies t
4. [Fragment of an AssignedAccess <Settings> block carried entity-escaped inside a SyncML <Data> element; the extraction spilled the element names and their name attributes into separate columns. Reconstructed and shown unescaped:]
<System name="Microsoft.Language" />
<System name="Microsoft.Location" />
<System name="Microsoft.MirrorUX" />
<System name="Microsoft.NocenterSettings" />
<System name="Microsoft.PhoneLock" />
<System name="Microsoft.ProfileUpdate" />
<System name="Microsoft.Proximity" />
<System name="Microsoft.Regional" />
<System name="Microsoft.RoamingCpl" />
<System name="Microsoft.RotationLock" />
<System name="Microsoft.SoftAP" />
<System name="Microsoft.Sounds" />
<System name="Microsoft.Speech" />
<System name="Microsoft.StorageSettings" />
<System name="Microsoft.Themes" />
<System name="Microsoft.TouchKeyboard" />
<System name="Microsoft.Updates" />
<System name="Microsoft.USB" />
<System name="Microsoft.VPN" />
<Application name="Micro
(a second <Application name="Micro…"> entry follows; both names are cut off in the source)
5.     </Item>
   </Add>
   <Add>
    <CmdID>6</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/HashAlgorithm</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>SHA-1</Data>
    </Item>
   </Add>
   <Add>
    <CmdID>7</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectName</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>CN=AnnaLee</Data>
    </Item>
   </Add>
   <Add>
    <CmdID>8</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/SubjectAlternativeNames</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>11=tom@MyDomain.Contoso.com;3=MyDomain.Contoso.com</Data>
    </Item>
   </Add>
   <Add>
    <CmdID>9</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/ValidPeriod</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>Years</Data>
    </Item>
   </Add>
   <Add>
    <CmdID>10</CmdID>
6.    <PinToStart>
    <Size>Small</Size>
    <Location><LocationX>0</LocationX><LocationY>1</LocationY></Location>
   </PinToStart>
  </Application>
  <!-- Facebook -->
  <Application productId="{0C340A67-3288-4C76-9375-0F2FEFBA0412}" />
  <!-- Games -->
  <Application productId="{50A6AEF0-4F35-434B-9308-CB3251303AE4}" />
  <!-- Internet Explorer -->
  <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5660}">
   <PinToStart>
    <Size>Small</Size>
    <Location><LocationX>1</LocationX><LocationY>1</LocationY></Location>
   </PinToStart>
  </Application>
  <!-- Maps -->
  <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5686}" />
  <!-- Messaging -->
  <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5610}">
   <PinToStart>
    <Size>Small</Size>
    <Location><LocationX>1</LocationX><LocationY>0</LocationY></Location>
   </PinToStart>
  </Application>
  <!-- Music -->
  <Application productId="{D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0}">
   <PinToStart>
    <Size>Medium</Size>
    <Location><LocationX>2</LocationX><LocationY>4</LocationY></Location>
   </PinToStart>
  </Application>
  <!-- Office Hub -->
  <Application productId="{5B04B
7. Allow List: Two allowed publishers
<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
  <Atomic>
   <CmdID>1</CmdID>
   <Replace>
    <CmdID>2</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI></Target>
     <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type xmlns="syncml:metinf">text/plain</Type>
     </Meta>
     <Data>&lt;AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy"&gt;
       &lt;Allow&gt;
        &lt;!-- Allow Publisher: Microsoft Corporation --&gt;
        &lt;Publisher PublisherName="Microsoft Corporation" /&gt;
        &lt;!-- Allow Publisher: Microsoft Studios™ --&gt;
        &lt;Publisher PublisherName="Microsoft Studios™" /&gt;
       &lt;/Allow&gt;
      &lt;/AppPolicy&gt;</Data>
    </Item>
   </Replace>
  </Atomic>
  <Final/>
 </SyncBody>
</SyncML>

Deny List: Bing News and Skype
<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
  <Atomic>
   <CmdID>1</CmdID>
   <Replace>
    <CmdID>2</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/PolicyMana
8. RSTR message
Header:
HTTP/1.1 200 OK
Cache-Control: private
Content-Length: 10231
Content-Type: application/soap+xml; charset=utf-8
Server: Microsoft-IIS/7.0
Date: Fri, 03 Aug 2012 00:32:59 GMT

<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
 <s:Header>
  <Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RSTRC/wstep</Action>
  <a:RelatesTo>urn:uuid:81a5419a-496b-474f-a627-5cdd33eed8ab</a:RelatesTo>
  <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
   <u:Timestamp u:Id="_0">
    <u:Created>2012-08-02T00:32:59.420Z</u:Created>
    <u:Expires>2012-08-02T00:37:59.420Z</u:Expires>
   </u:Timestamp>
  </o:Security>
 </s:Header>
 <s:Body>
  <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
   <RequestSecurityTokenResponse>
    <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
    <RequestedSecurityToken>
     <BinarySecurityToken ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" Enc
9. [Time zone list, continued; the offsets appear as extracted, with their minutes part lost:]
(UTC+04) Kabul; (UTC+04) Tbilisi; (UTC+04) Port Louis; (UTC+06) Ekaterinburg; (UTC+05) Tashkent; (UTC+05) Chennai, Kolkata, Mumbai, New Delhi; (UTC+05) Sri Jayawardenepura; (UTC+05) Kathmandu; (UTC+05) Islamabad, Karachi; (UTC+06) Astana; (UTC+07) Novosibirsk; (UTC+06) Yangon (Rangoon); (UTC+06) Dhaka; (UTC+08) Krasnoyarsk; (UTC+08) Beijing, Chongqing, Hong Kong, Urumqi; (UTC+09) Irkutsk; (UTC+08) Kuala Lumpur, Singapore; (UTC+08) Taipei; (UTC+08) Perth; (UTC+08) Ulaanbaatar; (UTC+09) Seoul; (UTC+09) Osaka, Sapporo, Tokyo; (UTC+10) Yakutsk; (UTC+09) Darwin; (UTC+09) Adelaide; (UTC+10) Canberra, Melbourne, Sydney; (UTC+10) Brisbane; (UTC+10) Hobart; (UTC+11) Vladivostok; (UTC+10) Guam, Port Moresby; (UTC+11) Solomon Is., New Caledonia; (UTC+12) Magadan; (UTC+12) Fiji; (UTC+12) Auckland, Wellington; (UTC+12) Petropavlovsk-Kamchatsky; (UTC+12) Coordinated Universal Time+12; (UTC+13) Nuku'alofa

Locale/Language: The culture code that identifies the language to display on a device and specifies the formatting of numbers, currencies, time and dates. For language values, see Locale IDs Assigned by Microsoft. The language setting is configured in the Default User profile only.

OMA client provisioning examples
The XML examples in this section show how to perform various tasks by using OMA client provisioning. Note: These examples are XML snippets and do not include all sections that are required for a complete Prov.xml file.

Assigned Access settings
The following example shows how to add a
10. [Continuation of an ApplicationRestrictions example; the <Data> payload is entity-escaped AppPolicy XML]
     …a74a0433fcea" /&gt;
        &lt;!-- Allow App: MixRadio --&gt;
        &lt;App ProductId="f5874252-1f04-4c3f-a335-4fa3b7b85329" /&gt;
        &lt;!-- Allow Publisher: Microsoft Studios™ --&gt;
        &lt;Publisher PublisherName="Microsoft Corporation"&gt;
         &lt;!-- Deny app published by allowed publisher Microsoft Corporation: Facebook --&gt;
         &lt;DenyApp ProductId="82a23635-5bd9-df11-a844-00237de2db9e" /&gt;
        &lt;/Publisher&gt;
        &lt;!-- Allow Publisher: Microsoft Studios™ --&gt;
        &lt;Publisher PublisherName="Microsoft Studios™"&gt;
         &lt;!-- Deny app published by allowed publisher Microsoft Studios™: Wordament --&gt;
         &lt;DenyApp ProductId="c62201b4-e059-e011-854c-00237de2db9e" /&gt;
         &lt;!-- Deny app published by allowed publisher Microsoft Studios™: Halo SA Lite --&gt;
         &lt;DenyApp ProductId="cf3f117d-d5a6-4e81-9786-56dd337b9b02" /&gt;
        &lt;/Publisher&gt;
       &lt;/Allow&gt;
      &lt;/AppPolicy&gt;</Data>
    </Item>
   </Replace>
  </Atomic>
  <Final/>
 </SyncBody>
</SyncML>
11. [Continuation of the VPN EapTls example; the <Data> payload is entity-escaped EapHostConfig XML]
     …eapCommon:Type&gt;&lt;eapCommon:AuthorId&gt;0&lt;/eapCommon:AuthorId&gt;&lt;/EapMethod&gt;
      &lt;Config xmlns:baseEap="http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1" xmlns:eapTls="http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1"&gt;
       &lt;baseEap:Eap&gt;
        &lt;baseEap:Type&gt;13&lt;/baseEap:Type&gt;
        &lt;eapTls:EapType&gt;
         &lt;eapTls:CredentialsSource&gt;
          &lt;eapTls:CertificateStore&gt;
           &lt;eapTls:SimpleCertSelection&gt;true&lt;/eapTls:SimpleCertSelection&gt;
          &lt;/eapTls:CertificateStore&gt;
         &lt;/eapTls:CredentialsSource&gt;
        &lt;/eapTls:EapType&gt;
       &lt;/baseEap:Eap&gt;
      &lt;/Config&gt;
     &lt;/EapHostConfig&gt;</Data>
    </Item>
   </Add>
   <!-- Network trigger 1.2.3.4/16 -->
   <Add>
    <CmdID>8008</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/VPN/EapTls/SecuredResources/NetworkAllowedList/Networks000</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>1.2.3.4/16</Data>
    </Item>
   </Add>
   <!-- Host trigger -->
   <Add>
    <CmdID>8023</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/VPN/EapTls/SecuredResources/NameSpaceAllowedList
12.  >
  <parm name="AAUTHTYPE" value="BASIC" />
  <parm name="AAUTHNAME" value="testclient" />
  <parm name="AAUTHSECRET" value="password2" />
 </characteristic>
</characteristic>
<characteristic type="DMClient">
 <!-- Starting with Windows Phone 8.1, an enrollment server should use DMClient CSP XML to configure DM polling schedules. The polling schedule registry keys will be deprecated after Windows Phone 8.1. -->
 <characteristic type="Provider">
  <!-- ProviderID in DMClient CSP must match the PROVIDER-ID in the w7 APPLICATION characteristic -->
  <characteristic type="TestMDMServer">
   <characteristic type="Poll">
    <parm name="NumberOfFirstRetries" value="8" datatype="integer" />
    <parm name="IntervalForFirstSetOfRetries" value="15" datatype="integer" />
    <parm name="NumberOfSecondRetries" value="5" datatype="integer" />
    <parm name="IntervalForSecondSetOfRetries" value="3" datatype="integer" />
    <parm name="NumberOfRemainingScheduledRetries" value="0" datatype="integer" />
    <!-- In Windows Phone 8.1, MDM push is supported for real-time communication. The DM client's long-term polling schedule retry waiting interval should be more than 24 hours (1440) to reduce the impact on data consumption and battery life. Refer to the DMClient Configuration Service Provider section for information about polling schedule parameters. -->
    <parm name="IntervalForRemainingScheduledRetries
13.  </SyncBody>
</SyncML>

4. Starts the unenrollment process.

IT admin requested disconnection
The server requests an enterprise management disconnection by issuing an Exec OMA DM SyncML XML command to the phone via the DMClient configuration service provider's Unenroll node during the next client-initiated DM session. The Data tag inside the Exec command should be the value of the provisioned DM server ProviderID. For more details, see Enterprise-specific DM client configuration. When the disconnection is completed, the user is notified that the phone has been disconnected from enterprise management.

[Screenshots: two SETTINGS screens. The first shows the "Account deleted" notification: "<workplace account name> has deleted all of the information associated with your organization account, including certificate and apps that help you connect to your business. However, if you still have an Exchange account on your phone that is not managed by this account, any policies for that Exchange account will continue to apply until you delete it." The second shows the workplace account page: "Some companies offer policies, certificates and apps that help you connect to your business. What's a workplace account? Once you add a company account, your company will be able to disable your SD card or remotely delete all your content and settings." with "add account" and "close" buttons.]
14. [Tail of an AssignedAccess XML sample; the <Application> settings entries were spilled into columns by extraction. Reconstructed:]
   <Application name="Microsoft.Search" />
   <Application name="Microsoft.Maps" />
   <Application name="Microsoft.Messaging" />
   <Application name="Microsoft.Wallet" />
   <Application name="Microsoft.AssistUX" />
   <Application name="Microsoft.OfficeMobile" />
   <Application name="Microsoft.Contacts" />
   <Application name="Microsoft.Phone" />
   <Application name="Microsoft.Photos" />
   <Application name="Microsoft.Search" />
   <Application name="Microsoft.Marketplace" />
  </Settings>
  <StartScreenSize>Small</StartScreenSize>
 </Default>
</HandheldLockdown>

Sample AssignedAccess SyncML
<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
  <Add>
   <CmdID>1</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
    <Data><![CDATA[insert xml here]]></Data>
   </Item>
  </Add>
  <Final/>
 </SyncBody>
</SyncML>

Schema for AssignedAccess XML
This XSD can be used to validate that the XML in the <Data> block is valid XML that can be provisioned successfully onto the device.
NOTE: The following features are unsupported for Windows Phone 8.1:
• Role Lists
• CSP Runner
• Butt
15.   <CmdID>2</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI></Target>
   </Item>
  </Get>

The following example shows how to change the existing lock screen image to one of your choosing:
<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
  <Replace>
   <CmdID>2</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI></Target>
    <Meta>
     <Format xmlns="syncml:metinf">chr</Format>
     <Type xmlns="syncml:metinf">text/plain</Type>
    </Meta>
    <Data>c:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg</Data>
   </Item>
  </Replace>
  <Final/>
 </SyncBody>
</SyncML>

Persist provisioned data:
<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
  <Add>
   <CmdID>2</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/PersistData/PersistProvisionedData</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">int</Format></Meta>
    <Data>1</Data>
   </Item>
  </Add>
  <Final/>
 </SyncBody>
</SyncML>

Time zone
The following example shows how to set the time zone to (UTC-07:00) Mountain Time (US & Canada):
<Syn
16.  <Final/>
 </SyncBody>
</SyncML>

VPN single sign-on configuration
For all supported VPN profiles (i.e. IKEv2 and 3rd-party SSL VPN plugins), Windows Phone 8.1 supports a single sign-on user experience: users are authenticated to all NTLM-protected domain resources inside the enterprise that are protected by the VPN profile once the VPN is connected. The user only needs to enter the username/password once, in the authentication dialog if VPN gateway authentication is username/password based, or in the VPN profile edit page (found in Settings > VPN) if VPN gateway authentication is certificate based. Intranet sites accessed by the user via IE, or via other line-of-business applications with a specified capability, will not ask the user for their username/password after the VPN connects.

To achieve this, the MDM server needs to configure the device's IE intranet zone settings. This enables Internet Explorer to treat certain intranet sites as trusted and provides the single sign-on experience. The MDM server should configure the intranet zone settings (URLs, domains, IPs) under the following registry key path via the Registry CSP: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains

NOTE 1: The MDM server could configure multiple nodes under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains. Refer to the FQDN part of KB article http://support.microsoft.com/kb/303650 for a detailed descr
17.     <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/CacheVersion</LocURI>
    </Target>
   </Item>
  </Get>
  <Get>
   <CmdID>20</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/NodeCache/SCCM01/ChangedNodes</LocURI></Target>
   </Item>
  </Get>
  <Get>
   <CmdID>21</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/NodeCache/MDM1/Nodes/Node0001</LocURI></Target>
   </Item>
  </Get>
  <Get>
   <CmdID>22</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/NodeCache/SCCM01/Nodes/Node0001/ExpectedValue</LocURI></Target>
   </Item>
  </Get>

Replacing the cache version, node URI and expected value:
  <Replace>
   <CmdID>2</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/CacheVersion</LocURI></Target>
    <Data>SCCM0001 Replace</Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>2</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node0001/NodeURI</LocURI></Target>
    <Data>./Vendor/MSFT/DeviceLock/DeviceValue/AllowSimpleDevicePassword</Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>2</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node0001/ExpectedVa
18.  <SyncBody>
  <Atomic>
   <CmdID>8000</CmdID>
   <Add>
    <CmdID>8001</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/VPN/EapTls/Server</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>vpntestgateway.vpntest.com</Data>
    </Item>
   </Add>
   <Add>
    <CmdID>8002</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/VPN/EapTls/TunnelType</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>IKEv2</Data>
    </Item>
   </Add>
   <Add>
    <CmdID>8004</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/VPN/EapTls/Authentication/Method</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>EAP</Data>
    </Item>
   </Add>
   <Add>
    <CmdID>8005</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/VPN/EapTls/Authentication/EAP</LocURI></Target>
     <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
     <Data>&lt;EapHostConfig xmlns="http://www.microsoft.com/provisioning/EapHostConfig"&gt;&lt;EapMethod&gt;&lt;Type xmlns="http://www.microsoft.com/provisioning/EapCommon"&
19. [Continuation of the policy table; the extraction interleaved the table columns. Reconstructed:]
(ApplicationRestrictions, continued) … publisher IDs, etc. Whenever there is a change to the value, the device parses the value and enforces the application restriction policy specified in the policy. Refer to the Enterprise application restrictions section on how to set the restriction policies in detail. NOTE: the application may not be immediately terminated if the application was previously running.

Area | Policy | Description | Supported values | Most restricted value | Source
ApplicationManagement | AllowDeveloperUnlock | Specify whether developer unlock is allowed at the device. | 0: not allowed; 1 (default): allowed | 0 | MDM
Browser | AllowBrowser (MDM) / AllowBrowser (EAS) | Specify whether IE is allowed in the device. | 0: not allowed; 1 (default): allowed | 0 | MDM, EAS
Experience | AllowScreenCapture | Specify whether screen capture is allowed. | 0: not allowed; 1 (default): allowed | 0 | MDM
System | AllowLocation | Allow/Disallow location service. | 0: not allowed; 1 (default): allowed; 2: when set, the location service is always turned on. Settings > Location in the user interface is disabled and the location services toggle will be turned on. The following message is displayed to the user: "Enabled by company policy". | 0 | MDM
Connectivity | AllowUSBConnection | Allow/Disallow desktop to access phone storage via USB. | 0: not allowed; 1 (default): allowed | 0 | MDM (row cut off after "Both")
20. [Continuation of an AssignedAccess XML sample; two text columns were interleaved by extraction. Reconstructed:]
  …5B04B775-356B-4AA0-AAF8-6491FFEA5633}">
   <PinToStart>
    <Size>Medium</Size>
    <Location><LocationX>2</LocationX><LocationY>2</LocationY></Location>
   </PinToStart>
  </Application>
  <!-- Video -->
  <Application productId="{6AFFE59E-0467-4701-851F-7AC026E21665}" />
  <!-- Wallet -->
  <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5683}" />
 </Apps>
 <Buttons>
  <ButtonLockdownList>
   <!-- Lockdown all buttons -->
   <Button name="Search">
   </Button>
   <Button name="Camera">
    <ButtonEvent name="Press" />
    <ButtonEvent name="PressAndHold" />
   </Button>
  </ButtonLockdownList>
  <ButtonRemapList>
   <Button name="Search">
    <ButtonEvent name="Press">
     <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" parameters="" />
    </ButtonEvent>
   </Button>
  </ButtonRemapList>
 </Buttons>
 <MenuItems>
  <DisableMenuItems />
 </MenuItems>
 <Settings>
  [ten <System name="Microsoft…"> entries follow; their names are cut off in the source]
21. Admins may choose to disconnect a user's phone after they've left the company, or because the phone is regularly failing to comply with the organization's security settings policy. During disconnection, the client does the following:
• Removes the enterprise application token that allowed installing and running LOB apps. Any business applications associated with this enterprise token are removed as well.
• Removes certificates that were configured by the MDM server.
• Ceases enforcement of the settings policies that the management infrastructure has applied.
• Removes the device management client configuration and other setting configuration added by the MDM server, including the scheduled maintenance task. The client remains dormant unless the user reconnects it to the management infrastructure.
• Reports the successfully initiated disassociation to the management infrastructure if the admin initiated the process. Note that in Windows Phone 8.1, user-initiated disassociation is reported to the server on a best-effort basis.

User-initiated disconnection
The following mockup shows the user experience of disconnection from enterprise management:
[Mockup: SETTINGS > workplace > Contoso, with a "Delete account" dialog: "Some companies offer policies, certificates and apps that help you connect to your business. What's a workplace account? If you delete this account, any Office files you haven't saved or uploaded yet will be deleted. All apps and policies required by your company" (text cut off)]
22. [Continuation of an ApplicationRestrictions deny-list example; the <Data> payload is entity-escaped AppPolicy XML]
         &lt;!-- Allow app published by denied publisher Microsoft Corporation: YouTube --&gt;
         &lt;AllowApp ProductId="dcbb1ac6-a89a-df11-a490-00237de2db9e" /&gt;
        &lt;/Publisher&gt;
        &lt;!-- Deny Publisher: Microsoft Studios™ --&gt;
        &lt;Publisher PublisherName="Microsoft Studios™"&gt;
         &lt;!-- Allow app published by denied publisher Microsoft Studios™: Wordament --&gt;
         &lt;AllowApp ProductId="c62201b4-e059-e011-854c-00237de2db9e" /&gt;
        &lt;/Publisher&gt;
       &lt;/Deny&gt;
      &lt;/AppPolicy&gt;</Data>
    </Item>
   </Replace>
  </Atomic>
  <Final/>
 </SyncBody>
</SyncML>

Deny List: one denied publisher with two allowed application exceptions, and one denied publisher
<SyncML xmlns="SYNCML:SYNCML1.2">
 <SyncBody>
  <Atomic>
   <CmdID>1</CmdID>
   <Replace>
    <CmdID>2</CmdID>
    <Item>
     <Target><LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI></Target>
     <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type xmlns="syncml:metinf">text/plain</Type>
     </Meta>
     <Data>&lt;AppPolicy Version="1" xmlns
23. … B64-encoded SCEP enrollment challenge. Format is chr. Supported operations are Get, Add, Replace, Delete. The challenge will be deleted shortly after the Exec command is accepted.

My/SCEP/<UniqueID>/Install/RetryCount: Optional. Specific to SCEP. Specifies how many times the device retries when the SCEP server sends a pending status. Format is int. Default value is 3. Max value: the value cannot be larger than 30; if it is larger than 30, the device will use 30. The min value is 0, which means no retry. Supported operations are Get, Add, Delete, Replace.

My/SCEP/<UniqueID>/Install/RetryDelay: Optional. When the SCEP server sends a pending status, specifies the device retry waiting time in minutes. Default value is 5. The min value is 1. Format is int. Supported operations are Get, Add, Delete.

My/SCEP/<UniqueID>/Install/TemplateName: Optional. OID of the certificate template name. Note that this name is typically ignored by the SCEP server; therefore the MDM server typically doesn't need to provide it. Format is chr. Supported operations are Get, Add, Delete.

My/SCEP/<UniqueID>/Install/KeyUsage: Required for enrollment. Specifies the key usage bits (0x80, 0x20, 0xA0, etc.) for the certificate, in decimal format. The value should have at least the second (0x20) or fourth (0x80) bit set, or both. If the value doesn't have those bits set, configuration will fail. Format is int. Supported operations are Get, Add, Delete, Replace.

My/SCEP/<UniqueID>/Install/KeyLe
24.     </Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>7</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/REPLYADDR</LocURI></Target>
    <Data>user@contoso.com</Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>8</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/NAME</LocURI></Target>
    <Data>test1</Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>9</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/INSERVER</LocURI></Target>
    <Data>pop.contoso.com</Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>11</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/AUTHNAME</LocURI></Target>
    <Data>user@contoso.com</Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>13</CmdID>
   <Item>
    <Target><LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/OUTSERVER</LocURI></Target>
    <Data>smtp.contoso.com</Data>
   </Item>
  </Replace>
  <Replace>
   <CmdID>14</CmdID>
   <Item>
26. NonPersistent: The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. Anything stored in the NonPersistent folder will be deleted the next time the device is wiped.

<file directory>: The name of a directory in the device file system. Any <file directory> node can have directories and files as child nodes. Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root. Use the Get command to return the list of child node names under <file directory>. Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under <file directory>.

<file name>: The name of a file in the device file system. Supported operations: Get.

The following table shows supported characteristics for files and directories:

Property | Description
Name | Supported operations: Get. The Get command returns the name of the file or file directory.
Format | For a directory, specify node. For a file, leave blank. Supported operations: Get. For files, when binary data is sent over XML it is Base64 encoded; when binary data is sent over WBXML, bin format is used directly.
Type | Supported operations: Get. For the FileSystem root node, the Get command returns the object identifier, similar to the following: com.microsoft/windowsmobile/1.1/FileSystemMO. The Get command returns blank for all o
Note that the first set of retries is intended to give the management server some buffered time to be ready to send policy and settings configuration to the device. The total time for the first set of retries shouldn't be more than a few hours. The server shouldn't set NumberOfFirstRetries to 0. RemainingScheduledRetries is used for the long-run device polling schedule.

<ProviderID>/Poll/IntervalForSecondSetOfRetries
Optional. The waiting time, in minutes, for the second set of retries, as specified by the number of retries in <ProviderID>/Poll/NumberOfSecondRetries. Default value is 0. If this value is set to zero, then this schedule is disabled. Supported operations are Get and Replace. Replaces the deprecated HKLM\Software\Microsoft\Enrollment\OmaDmRetry\RetryInterval path that previously used the Registry CSP.

<ProviderID>/Poll/NumberOfSecondRetries
Optional. The number of times the DM client should retry the second round of connecting to the server when the client is initially configured (enrolled) to communicate with the server. Default value is 0. If the value is set to 0 and IntervalForSecondSetOfRetries isn't set to 0 AND the first set of retries isn't set to infinite retries, then the schedule repeats an infinite number of times. However, if the first set of retries is set to infinite, then this schedule is disabled. Supported operations are Get and Replace. Replaces the deprecated HKLM\Software\Microsoft\Enrollment\OmaDmRetry\NumRetr
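The retry rules above interact in ways that are easy to misconfigure (a 0 that disables one node enables infinite retries on another). The following is an added example, not code from the Microsoft document: it turns the <ProviderID>/Poll values into the check-in timeline a device would follow, applying the rules stated above. The INFINITE sentinel, the "remaining" node names (NumberOfRemainingScheduledRetries / IntervalForRemainingScheduledRetries) and the first -> second -> remaining chaining order are assumptions of this example.

```python
# Added example (not from the Microsoft document): simulate the polling
# schedule that the <ProviderID>/Poll nodes produce, so a server operator can
# see when a device will check in. Node semantics follow the text above; the
# INFINITE sentinel, the "remaining" node names and the phase chaining order
# are assumptions.
from dataclasses import dataclass
from typing import List, Optional

INFINITE = -1  # assumed encoding for "infinite retries"


@dataclass
class PollSchedule:
    number_of_first_retries: int
    interval_for_first_set: int            # minutes
    number_of_second_retries: int
    interval_for_second_set: int           # minutes
    number_of_remaining_retries: int       # assumed node NumberOfRemainingScheduledRetries
    interval_for_remaining_retries: int    # assumed node IntervalForRemainingScheduledRetries, minutes


def validate(s: PollSchedule) -> List[str]:
    """Apply the server-side rules stated in the document."""
    problems = []
    if s.number_of_first_retries == 0:
        problems.append("NumberOfFirstRetries must not be 0")
    if s.number_of_first_retries > 0 and \
            s.number_of_first_retries * s.interval_for_first_set > 4 * 60:
        problems.append("first set of retries should not span more than a few hours")
    return problems


def second_set_count(s: PollSchedule) -> Optional[int]:
    """None = second schedule disabled, INFINITE, or a positive count."""
    if s.interval_for_second_set == 0:
        return None                       # interval 0 disables the schedule
    if s.number_of_second_retries == 0:
        if s.number_of_first_retries == INFINITE:
            return None                   # first set never ends, second is disabled
        return INFINITE                   # count 0 with a non-zero interval repeats forever
    return s.number_of_second_retries


def poll_times(s: PollSchedule, horizon_minutes: int) -> List[int]:
    """Minutes after enrollment at which the client connects, within the horizon."""
    times: List[int] = []
    t = 0
    phases = [(s.number_of_first_retries, s.interval_for_first_set),
              (second_set_count(s), s.interval_for_second_set),
              (s.number_of_remaining_retries, s.interval_for_remaining_retries)]
    for count, interval in phases:
        if count is None or interval <= 0:
            continue
        done = 0
        while (count == INFINITE or done < count) and t + interval <= horizon_minutes:
            t += interval
            times.append(t)
            done += 1
        if count == INFINITE:
            break                         # an infinite phase never hands over to the next
    return times


if __name__ == "__main__":
    sched = PollSchedule(3, 15, 2, 60, INFINITE, 480)
    print(validate(sched), poll_times(sched, 1200))
```

Run it with the values you intend to put in the provisioning XML (the Aux2NumRetries=0 / Aux2RetryInterval=480 pair in a later sample is exactly the "0 count, non-zero interval" case) and confirm the timeline is what you expect before pushing it to devices.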
Required. Returns the firmware version.

SwV
Required. Returns the Windows Phone OS software version.

HwV
Required. Returns the hardware version.

LrgObj
Required. Returns whether the phone uses OMA DM Large Object Handling, as defined in the specification SyncML Device Information, version 1.1.2. This value is always false.

MaxDepth
Required. Returns the maximum depth of the management tree that the phone supports. The default is 0. This is the maximum number of URI segments that the phone supports. The default value, zero (0), indicates that the phone supports a URI of unlimited depth.

MaxTotLen
Required. Returns the maximum total length of any URI used to address a node or node property. The default is 0. This is the largest number of characters in the URI that the phone supports. The default value, zero (0), indicates that the phone supports a URI of unlimited length.

MaxSegLen
Required. Returns the maximum length of any URI segment in a URI that addresses a node or node property. The default is 0. This is the largest number of characters that the phone can support in a single URI segment. The default value, zero (0), indicates that the phone supports a URI segment of unlimited length.

MobileID
Required. Returns the mobile phone ID associated with the cellular network. The IMSI value is returned for GSM and UMTS networks. CDMA and worldwide phones will return a 404 Not Found status code error if queried for this element.

LocalT
app, which is automatically installed on the phone. Scope is dynamic. Supported operations are Get and Add.

EnterpriseID/StoreUri
Optional. The character string that contains the URI of the first enterprise application to be installed on the phone. The enrollment client downloads and installs the application from this URI. Scope is dynamic. Supported operations are Get and Add.

EnterpriseID/CertificateSearchCriteria
Optional. The character string that contains the search criteria used to find the DM-enrolled client certificate. The certificate is used for client authentication during enterprise application download: the company's application content server should use the enterprise-enrolled client certificate to authenticate the phone. The value must be a URL-encoded representation of the X.500 distinguished name of the client certificate's Subject property. The X.500 name must conform to the format required by CertStrToName (refer to http://msdn.microsoft.com/en-us/library/windows/desktop/aa377160(v=vs.85).aspx). This search parameter is case sensitive. Scope is dynamic. Supported operations are Get and Add.

NOTE: Do NOT use Subject CN=3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default devic
contoso.com</Data>
    </Item>
  </Replace>

Enterprise anti-theft override (new for GDR2)
In Windows Phone GDR2 the Security/AntiTheftMode policy is added to allow the enterprise to disable the anti-theft mode of Windows Phone devices by overwriting the policy when the user does not have it turned on. This prevents enterprise-managed devices from being locked to an individual user. Note that the policy does not roll back anti-theft mode: the user will still have to manually disable anti-theft mode before this policy can take effect.

The following SyncML sample shows how to disable Anti-Theft mode:

<Replace>
  <CmdID>3</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/My/Security/AntiTheftMode</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>

Fully managed VPN setting (new for GDR2)
In Windows Phone GDR2 the Connectivity/AllowManualVPNConfiguration policy is added to prevent the user from creating or changing VPN profiles or toggling VPN off. It prevents users from circumventing enterprise security policy for data in transit.

The following SyncML sample shows how to enable the fully managed VPN setting:

<Replace>
  <CmdID>3</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/My/Connectivity/AllowManualVPNConfiguratio
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies</a:Action>
    <a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</a:To>
    <wsse:Security s:mustUnderstand="1">
      <wsse:BinarySecurityToken
          wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken"
          wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
          xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">B64EncodedSampleBinarySecurityToken</wsse:BinarySecurityToken>
    </wsse:Security>
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <GetPolicies xmlns="http
<!-- OOBE Settings -->
<Oobe>
  <AcceptTermsOfUse>true</AcceptTermsOfUse>
  <SkipSettings>true</SkipSettings>
  <SkipOnlineConsumerRegistration>true</SkipOnlineConsumerRegistration>
</Oobe>

When AcceptTermsOfUse is set to true, the Accept Terms of Use screen is not displayed to the user and the default value is set. When SkipSettings is set to true, the Customize Settings pages of OOBE are skipped and the default values are set. When SkipOnlineConsumerRegistration is set to true, the Microsoft User Account setting flow is skipped during OOBE.

Set the MDM server setting. Here's an example:

<!-- MDM Settings -->
<EnterpriseExt>
  <MDM>
    <Server>enterpriseenrollment-s.manage-beta.microsoft.com</Server>
  </MDM>
</EnterpriseExt>
</Common>
</Settings>
</Customization>

When you set the MDM enrollment server, it triggers the MDM enrollment flow, where the user may sign up to the MDM server. The IT administrator is required to provide a valid Wi-Fi profile to enable the network connection to the specific MDM server.

Sample customizations.xml:

<Customization version="1.0">
  <Settings>
    <Common>
      <!-- Certificate Store CSP -->
      <CertificateStore>
        <CA>
          <System ThumbPrint="7ca93a74e10fc99ca948c15802032f9c25c24abc">
            <EncodedCertificate>MIIEqTCCA5GgAwIBAgITFQHmAwbWyZ
        </Button>
      </ButtonLockdownList>
      <ButtonRemapList>
        <Button name="Search">
          <ButtonEvent name="Press">
            <!-- Settings -->
            <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" parameters="" />
          </ButtonEvent>
        </Button>
      </ButtonRemapList>
    </Buttons>
  </Default>
</HandheldLockdown>

Button sample XML excerpt (lockdown)
Here is a sample of the AssignedAccess XML that locks down the default Camera button (both press and press-and-hold) and remaps the Search button press to launch the Settings application. Note that all top-level fields under <Default> must be included as part of the XML, unlike the following sample excerpt, which does not include the other top-level fields.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <Buttons>
      <ButtonLockdownList>
        <Button name="Camera">
          <ButtonEvent name="Press" />
          <ButtonEvent name="PressAndHold" />
        </Button>
      </ButtonLockdownList>
      <ButtonRemapList>
        <Button name="Search">
          <ButtonEvent name="Press">
            <!-- Settings -->
            <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" parameters="" />
          </ButtonEvent>
        </Button>
      </ButtonRemapList>
    </Buttons>
  </Default>
</HandheldLockdown>

Settings/System application settings lockdown
Several s
  </Replace>
  <Replace>
    <CmdID>10</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/OUTSERVER</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>smtp.mail.contoso.com</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>11</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/AUTHREQUIRED</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>12</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/SMTPALTENABLED</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>0</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>13</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/SMTPALTDOMAIN</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data></Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>
        <Data>Device Factory</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

CertificateStore CSP update to support SCEP certificate enrollment configuration
The CertificateStore CSP is updated to accept SCEP certificate enrollment related configuration. The following tree shows the SCEP parameters in the CSP. Refer to the CertificateStore configuration service provider for a detailed description of each node.

./Vendor/MSFT/CertificateStore/My/SCEP/<UniqueID>
  Install
    ServerURL
    Challenge
    EKUMapping
    KeyUsage
    SubjectName
    KeyProtection
    RetryDelay
    RetryCount
    TemplateName
    KeyLength
    HashAlgorithm
    CAThumbPrint
    SubjectAlternativeNames
    ValidPeriod
    ValidPeriodUnits
    Enroll
  CertThumbPrint
  Status
  ErrorCode

In summary, the MDM server can configure the device with the SCEP enrollment server URL, SCEP challenge, pending-retry schedule, key usage, key length, subject name, template name, hash algorithm, trusted CA certificate thumbprint, validity period, where the private key should be saved, and so on. An Exec DM command on the Enroll node triggers the device to start the enrollment process with the SCEP server. The read-only CertThumbPrint node provides the thumbprint of the enrolled certificate associated with the specific parent <unique id>. The read-only Status node reports whether enrollment succeeded, is pending, or failed. If the server needs to enroll multiple client
        <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">node</Format>
      </Meta>
    </Item>
  </Add>
  <Add>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryCount</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>3</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/RetryDelay</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>4</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyUsage</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>160</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>5</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP1/Install/KeyLength</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1024</Data>
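The sample above writes KeyUsage=160 and KeyLength=1024 without explaining either. The following is an added example, not code from the Microsoft document: it decodes the KeyUsage bit mask (160 = 0xA0 = digitalSignature + keyEncipherment, using the X.509 KeyUsage bit values Windows uses), applies a few sanity checks an MDM operator would want before pushing SCEP settings (key length, hash, CA pinning, https), and emits the Add commands in the shape of the sample. The checks are this example's own policy, not rules from the CSP; the URLs and thumbprint are placeholders.

```python
# Added example (not from the Microsoft document): assemble one SCEP entry
# under ./Vendor/MSFT/CertificateStore/My/SCEP, decode the KeyUsage mask and
# sanity-check the Install parameters before they go to the device.
from typing import Dict, List
from xml.sax.saxutils import escape

KEY_USAGE_BITS = {          # X.509 KeyUsage first byte, as Windows CERT_*_KEY_USAGE encodes it
    0x80: "digitalSignature", 0x40: "nonRepudiation", 0x20: "keyEncipherment",
    0x10: "dataEncipherment", 0x08: "keyAgreement", 0x04: "keyCertSign", 0x02: "cRLSign",
}
# Nodes carried as int in the sample; the rest are chr (assumption for nodes not shown in the sample)
INT_NODES = {"RetryCount", "RetryDelay", "KeyUsage", "KeyLength", "KeyProtection", "ValidPeriod"}


def decode_key_usage(value: int) -> List[str]:
    """160 -> ['digitalSignature', 'keyEncipherment']; rejects bits that are not KeyUsage bits."""
    if value & ~sum(KEY_USAGE_BITS):
        raise ValueError(f"unknown KeyUsage bits in {value:#x}")
    return [name for bit, name in KEY_USAGE_BITS.items() if value & bit]


def check_install(params: Dict[str, object]) -> List[str]:
    """Operator-side checks (this example's policy, not the CSP's)."""
    problems = []
    if int(params.get("KeyLength", 0)) < 2048:
        problems.append("KeyLength below 2048 bits")
    if params.get("HashAlgorithm") in ("SHA1", "SHA-1"):
        problems.append("SHA-1 hash requested")
    if "CAThumbPrint" not in params:
        problems.append("no CAThumbPrint: device cannot pin the SCEP CA")
    if not str(params.get("ServerURL", "")).startswith("https://"):
        problems.append("ServerURL is not https (the SCEP challenge would travel in clear)")
    return problems


def build_scep_adds(unique_id: str, params: Dict[str, object], first_cmd_id: int = 1) -> str:
    """Emit the node Add followed by one Add per Install/<name>, mirroring the sample."""
    base = f"./Vendor/MSFT/CertificateStore/My/SCEP/{unique_id}"
    cmds = [f"<Add><CmdID>{first_cmd_id}</CmdID><Item><Target><LocURI>{base}</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">node</Format></Meta></Item></Add>']
    for cmd_id, (name, value) in enumerate(params.items(), start=first_cmd_id + 1):
        fmt = "int" if name in INT_NODES else "chr"
        cmds.append(f"<Add><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{base}/Install/{name}</LocURI></Target>"
                    f'<Meta><Format xmlns="syncml:metinf">{fmt}</Format></Meta>'
                    f"<Data>{escape(str(value))}</Data></Item></Add>")
    return "\n".join(cmds)


if __name__ == "__main__":
    install = {  # placeholder values
        "ServerURL": "https://scep.contoso.com/certsrv/mscep/",
        "KeyLength": 2048, "HashAlgorithm": "SHA-256",
        "CAThumbPrint": "7ca93a74e10fc99ca948c15802032f9c25c24abc", "KeyUsage": 160,
    }
    print(decode_key_usage(160), check_install(install))
    print(build_scep_adds("CertSCEP1", install))
```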
<System name="Microsoft.About" />
<System name="Microsoft.Accessibility" />
<System name="Microsoft.Accounts" />
<System name="Microsoft.Advertisingid" />
<System name="Microsoft.AirplaneMode" />
<System name="Microsoft.AssistUX" />
<System name="Microsoft.BatterySaver" />
<System name="Microsoft.Bluetooth" />
<System name="Microsoft.Brightness" />
<System name="Microsoft.CellularConn" />
<System name="Microsoft.CloudStorageCpl" />
<System name="Microsoft.CompanyAccount" />
<System name="Microsoft.DateTime" />
<System name="Microsoft.DoNotDisturb" />
<System name="Microsoft.DrivingMode" />
<System name="Microsoft.Feedback" />
<System name="Microsoft.FindMyPhone" />
<System name="Microsoft.KidZone" />
<System name="Microsoft.Language" />
<System name="Microsoft.Location" />
<System name="Microsoft.Mirrorux" />
<System name="Microsoft.NocenterSettings" />
<System name="Microsoft.PhoneLock" />
<System name="Microsoft.ProfileUpdate" />
<System name="Microsoft.Proximity" />
<System name="Microsoft.Regional" />
<System name="Microsoft.RoamingCpl" />
<System name="Microsoft.RotationLock" />
<System name="Microsoft.SoftAP" />
<System name="Microsoft.Sounds" />
<System name="Microsoft.Speech" />
<System name="Microsoft.StorageSettings" />
<System name="Microsoft.Themes" />
<System name="Microsoft.TouchKeyboard" />
<System name="Microsoft.Updates" />
<System name="Microsoft.VPN" />
<System name="Microsoft.WiFi" />
<Application
<Application
      <xs:extension base="default_basic_t">
        <xs:attribute name="guid" type="guid_t" use="required" />
        <xs:attribute name="name" type="xs:string" use="required" />
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- COMPLEX TYPE: DEFAULT ROLE TYPE -->
  <xs:complexType name="default_role_t">
    <xs:complexContent>
      <xs:extension base="default_basic_t">
        <xs:sequence minOccurs="1">
          <xs:element name="StartScreenSize" type="startscreen_size_t" minOccurs="1" />
        </xs:sequence>
      </xs:extension>
    </xs:complexContent>
  </xs:complexType>

  <!-- COMPLEX TYPE: Action Center -->
  <xs:complexType name="actioncenter_t">
    <xs:attribute type="xs:boolean" name="enabled" use="required" />
  </xs:complexType>

  <!-- COMPLEX TYPE: APPLICATION TYPE -->
  <xs:complexType name="application_t">
    <xs:all minOccurs="0">
      <xs:element name="PinToStart" type="start_tile_t" />
    </xs:all>
    <xs:attribute name="productId" type="guid_t" use="required" />
    <xs:attribute name="parameters" type="xs:string" use="optional" />
    <xs:attribute name="autoRun" type="xs:boolean" use="optional" />
  </xs:complexType>

  <!-- COMPLEX TYPE: START SCREEN TILE CONFIGURATION TYPE -->
  <xs:complexType name="start_tile_t">
    <xs:all minOccurs="1" maxOccurs="1">
      <xs:element name="Size" type="tile_size_t" minOccurs="1" />
      <xs:element n
request a device to establish a management session with the server through a push notification. Once a device is configured to support push by the management server (by providing the device with a PFN), the device registers a persistent connection with the WNS cloud, Battery Sense and Data Sense conditions permitting.

In order to initiate a device management session, the management server must first authenticate with WNS using its SID and client secret. Once authenticated, the server receives a token that it can use to initiate a raw push notification for any ChannelURI. When the management server wishes to initiate a device management session with a device, it uses its token and the device's ChannelURI to begin communicating with the device.

Because a device may not be currently connected to the WNS cloud, it is possible to configure the raw notification request to get status information back from the WNS cloud. The server can receive the connection status when it sends a push notification to a device's ChannelURI by using the X-WNS-RequestForStatus header. This instructs WNS to return to the server whether or not the device is connected to WNS, which the management server can use to determine whether a push notification has reached the device. Additionally, if the server wishes to send a time-bound raw push notification, it can use the X-WNS-TTL header, which gives WNS a time-to-live binding so that th
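The two-step exchange described above (authenticate to WNS, then raw-push to the ChannelURI and read the status headers) is easier to get right when both requests are visible side by side. The following is an added example, not code from the Microsoft document: it builds the two HTTP requests as inspectable dicts, so nothing is sent, and classifies the WNS reply. The token endpoint, X-WNS-* header names and status codes are the public WNS ones; the SID, secret, token and ChannelURI are made-up placeholders, and refusing non-https or non-*.notify.windows.com ChannelURIs is this example's own hardening (the bearer token must never be sent to a URI an attacker could substitute), not a WNS rule.

```python
# Added example (not from the Microsoft document): the two HTTP requests an
# MDM server makes to wake a device through WNS, built offline as dicts, plus
# a reading of the status WNS returns. Placeholders: SID, secret, token, ChannelURI.
from typing import Dict, Optional
from urllib.parse import urlencode, urlparse

WNS_TOKEN_URL = "https://login.live.com/accesstoken.srf"


def build_token_request(sid: str, client_secret: str) -> Dict:
    """Step 1: authenticate to WNS with the Package SID and client secret; WNS answers with a bearer token."""
    return {
        "method": "POST",
        "url": WNS_TOKEN_URL,
        "headers": {"Content-Type": "application/x-www-form-urlencoded"},
        "body": urlencode({"grant_type": "client_credentials", "client_id": sid,
                           "client_secret": client_secret, "scope": "notify.windows.com"}),
    }


def build_raw_push(channel_uri: str, access_token: str, payload: bytes,
                   request_status: bool = True, ttl_seconds: Optional[int] = None) -> Dict:
    """Step 2: raw notification to the device's ChannelURI."""
    u = urlparse(channel_uri)
    if u.scheme != "https" or not u.hostname or not u.hostname.endswith(".notify.windows.com"):
        # our own check: the Authorization header carries the WNS token, so only send it to WNS over TLS
        raise ValueError("refusing to send the WNS bearer token to a non-WNS or non-https URI")
    headers = {
        "Authorization": f"Bearer {access_token}",
        "Content-Type": "application/octet-stream",
        "X-WNS-Type": "wns/raw",
    }
    if request_status:
        headers["X-WNS-RequestForStatus"] = "true"   # ask WNS to report the device connection state
    if ttl_seconds is not None:
        headers["X-WNS-TTL"] = str(ttl_seconds)      # WNS drops the notification after this many seconds
    return {"method": "POST", "url": channel_uri, "headers": headers, "body": payload}


def interpret_response(status: int, headers: Dict[str, str]) -> str:
    """'delivered' only when WNS reports the device connected and the notification received."""
    h = {k.lower(): v.lower() for k, v in headers.items()}
    if status == 200:
        if h.get("x-wns-notificationstatus") == "received" and \
                h.get("x-wns-deviceconnectionstatus") == "connected":
            return "delivered"
        if h.get("x-wns-notificationstatus") == "dropped":
            return "dropped"
        return "queued"           # accepted; device disconnected/tempdisconnected, TTL bounds the wait
    if status == 401:
        return "token-expired"    # re-run build_token_request and retry
    if status == 410:
        return "channel-expired"  # the device must hand the server a fresh ChannelURI in a DM session
    if status == 406:
        return "throttled"
    return f"error-{status}"


if __name__ == "__main__":
    req = build_raw_push("https://db3.notify.windows.com/?token=PLACEHOLDER", "PLACEHOLDER_TOKEN",
                         b"\x01", ttl_seconds=300)
    print(req["headers"])
    print(interpret_response(200, {"X-WNS-NotificationStatus": "received",
                                   "X-WNS-DeviceConnectionStatus": "tempdisconnected"}))
```

Treat "queued" as "the device has not seen this yet" and fall back to the polling schedule rather than assuming the DM session will start; the X-WNS-TTL value should be no longer than you are willing to have a stale wake-up delivered.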
schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
      <client>
        <lastUpdate xsi:nil="true" />
        <preferredLanguage xsi:nil="true" />
      </client>
      <requestFilter xsi:nil="true" />
    </GetPolicies>
  </s:Body>
</s:Envelope>

Response
After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties. A sample of the response can be found on MSDN.

MS-XCEP supports very flexible enrollment policies using various Complex Types and Attributes. For Windows Phone we will first support the minimalKeyLength and hashAlgorithmOIDReference policies and the CryptoProviders. The hashAlgorithmOIDReference has a related OID and OIDReferenceID and policySchema in the GetPoliciesResponse. The policySchema refers to the certificate template version; version 3 of MS-XCEP supports hashing algorithms.

Note that the HTTP server response must not be chunked; it must be sent as one message.

Header:
HTTP/1.1 200 OK
Date: Fri, 03 Aug 2012 20:00:00 GMT
Server: <server name here>
Content-Type: application/soap+xml
Content-Length: xxxx

<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<s:Envelope xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005
the full path of the file on the device is C:\data\test\bin\filename.txt.

<Results>
  <CmdID>3</CmdID>
  <MsgRef>1</MsgRef>
  <CmdRef>2</CmdRef>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/C%3A/data/test/bin/filename.txt</LocURI>
    </Source>
    <Meta>
      <Format xmlns="syncml:metinf">b64</Format>
      <Type xmlns="syncml:metinf">application/octet-stream</Type>
    </Meta>
    <Data>aGVsbG8gd29ybGQ</Data>
  </Item>
</Results>

The following example shows how to push a file to the device:

<Add>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/C%3A/data/test/bin/new.txt</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">b64</Format>
      <Type xmlns="syncml:metinf">application/octet-stream</Type>
    </Meta>
    <Data>aGVsbG8gd29ybGQ</Data>
  </Item>
</Add>

Reference
• [MS-XCEP]: X.509 Certificate Enrollment Policy Protocol Specification
• [MS-WSTEP]: WS-Trust X.509v3 Token Enrollment Extensions
• OMA Device Management Protocol v1.2
• OMA Device Management Security
• OMA DM Standardized Objects
• OMA DM Representation Protocol
• OMA DM Tree and Description
• OMA DM Bootstrap
• Application Characteristic for OMA Device Management
• SCEP (Simple Certificate
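The two messages above show the EnterpriseExtFileSystem encoding conventions (drive colon percent-encoded in the LocURI, file bytes Base64 in Data with Format b64 and Type application/octet-stream). The following is an added example, not code from the Microsoft document: helpers that map a device path to the CSP LocURI, build the Add that pushes a file, and decode the Data from a Results element. RESULTS_SAMPLE is constructed here after the page's sample; the refusal of ".." path segments is this example's own check, not a CSP rule.

```python
# Added example (not from the Microsoft document): build and parse the
# EnterpriseExtFileSystem CSP messages shown above. The sample Results below
# is constructed for this example.
import base64
import xml.etree.ElementTree as ET
from typing import Tuple
from urllib.parse import quote

ROOT = "./Vendor/MSFT/EnterpriseExtFileSystem"
METINF = "{syncml:metinf}"

RESULTS_SAMPLE = """<Results>
  <CmdID>3</CmdID><MsgRef>1</MsgRef><CmdRef>2</CmdRef>
  <Item>
    <Source><LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/C%3A/data/test/bin/filename.txt</LocURI></Source>
    <Meta><Format xmlns="syncml:metinf">b64</Format><Type xmlns="syncml:metinf">application/octet-stream</Type></Meta>
    <Data>aGVsbG8gd29ybGQ</Data>
  </Item>
</Results>"""


def locuri_for(device_path: str) -> str:
    r"""'C:\data\test\bin\new.txt' -> './Vendor/MSFT/EnterpriseExtFileSystem/C%3A/data/test/bin/new.txt'"""
    segments = device_path.replace("\\", "/").strip("/").split("/")
    if ".." in segments or "" in segments:
        raise ValueError("refusing path with empty or '..' segment")   # our own check
    # every segment percent-encoded, so 'C:' becomes 'C%3A' as in the sample
    return ROOT + "/" + "/".join(quote(seg, safe="") for seg in segments)


def build_add(cmd_id: int, device_path: str, content: bytes) -> str:
    """The Add command that pushes `content` to `device_path`, Base64 in Data as the doc requires."""
    add = ET.Element("Add")
    ET.SubElement(add, "CmdID").text = str(cmd_id)
    item = ET.SubElement(add, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = locuri_for(device_path)
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = "b64"
    ET.SubElement(meta, "Type", xmlns="syncml:metinf").text = "application/octet-stream"
    ET.SubElement(item, "Data").text = base64.b64encode(content).decode("ascii")
    return ET.tostring(add, encoding="unicode")


def decode_results(results_xml: str) -> Tuple[str, bytes]:
    """(LocURI, file bytes) from a <Results>; Data is Base64 when Format is b64 (padding may be absent)."""
    root = ET.fromstring(results_xml)
    loc = root.findtext("./Item/Source/LocURI")
    fmt = root.findtext(f"./Item/Meta/{METINF}Format")
    data = root.findtext("./Item/Data") or ""
    if fmt == "b64":
        return loc, base64.b64decode(data + "=" * (-len(data) % 4))
    return loc, data.encode("utf-8")


if __name__ == "__main__":
    print(decode_results(RESULTS_SAMPLE))
    print(build_add(2, "C:\\data\\test\\bin\\new.txt", b"hello world"))
```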
type="CT_AllowedPublisher" minOccurs="0" maxOccurs="unbounded" />
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="AppPolicy">
    <xs:complexType>
      <xs:choice minOccurs="0" maxOccurs="1">
        <xs:element ref="Deny" />
        <xs:element ref="Allow" />
      </xs:choice>
      <xs:attribute name="Version" use="required" type="xs:unsignedLong" />
    </xs:complexType>
    <!-- Uniqueness Checks -->
    <xs:unique name="NoDuplicateProductIDs">
      <xs:selector xpath="" />
      <xs:field xpath="@ProductId" />
    </xs:unique>
    <!-- Uniqueness Checks -->
    <xs:unique name="NoDuplicatePublisherNames">
      <xs:selector xpath="" />
      <xs:field xpath="@PublisherName" />
    </xs:unique>
  </xs:element>
</xs:schema>

XML samples for ApplicationRestriction policy in PolicyManager

Allow List: one allowed application

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x
value="1560" datatype="integer" />
      </characteristic>
      <parm name="EntDeviceName" value="Administrator_WindowsPhone" datatype="string" />
    </characteristic>
  </characteristic>
</characteristic>
</characteristic>
<characteristic type="EnterpriseAppManagement">
  <characteristic type="1">
    <parm datatype="string" name="EnrollmentToken" value="AppEnrollTokenInsertedHere" />
    <parm datatype="string" name="StoreProductId" value="92A7F577-6F01-243F-8399-088E0DC40656" />
    <parm datatype="string" name="StoreURI" value="HTTPS://DM.contoso.com:443/EnrollmentServer/clientcabs/EnterpriseApp1.xap" />
    <parm datatype="string" name="StoreName" value="Contoso App Store" />
    <!-- The value must be a URL-encoded representation of the X.500 distinguished name of the client certificate's Subject property -->
    <parm datatype="string" name="CertificateSearchCriteria" value="SearchCriteriaInsertedHere" />
    <parm datatype="string" name="CRLCheck" value="0" />
  </characteristic>
</characteristic>
</wap-provisioningdoc>

NOTE 1: parm name and characteristic type in the w7 APPLICATION CSP XML are case sensitive and must be all uppercase.

NOTE 2: In the w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in the XML.

For detailed descriptions of these settings, see the Enterprise settings, policies and app management section later in this document.

Note
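The CertificateSearchCriteria value appears both in the EnterpriseAppManagement CSP description (URL-encoded X.500 Subject DN, case sensitive, never the device's default CN=<id>\x00 subject) and as a placeholder in the provisioning XML above. The following is an added example, not code from the Microsoft document: it encodes a DN into that form, decodes one for inspection, and flags the two mistakes the document warns about (an unencoded value, and reusing the default device subject). The sample DN is made up; treating a CN-only subject that ends in "\x00" as "the default device subject" is this example's reading of the NOTE.

```python
# Added example (not from the Microsoft document): build and sanity-check
# CertificateSearchCriteria values. Sample DN values are placeholders.
from typing import List, Tuple
from urllib.parse import quote, unquote

RDN = Tuple[str, str]   # (attribute type, value), e.g. ("CN", "Users")


def encode_search_criteria(rdns: List[RDN]) -> str:
    """[('DC','COM'),('CN','user4@contoso.com')] -> 'DC%3DCOM%2CCN%3Duser4%40contoso.com'."""
    dn = ",".join(f"{attr}={value}" for attr, value in rdns)
    return quote(dn, safe="")             # '=' -> %3D, ',' -> %2C, '@' -> %40


def decode_search_criteria(value: str) -> List[RDN]:
    rdns: List[RDN] = []
    for part in unquote(value).split(","):
        attr, sep, val = part.partition("=")
        if not attr or not sep:
            raise ValueError(f"malformed RDN: {part!r}")
        rdns.append((attr, val))
    return rdns


def is_default_device_subject(rdns: List[RDN]) -> bool:
    r"""Assumption from the NOTE: the enrollment client's default Subject is a lone CN=<id>\x00."""
    return (len(rdns) == 1 and rdns[0][0] == "CN"
            and (rdns[0][1].endswith("\x00") or rdns[0][1].endswith("\\x00")))


def subject_matches(criteria: str, cert_subject: List[RDN]) -> bool:
    """Case-sensitive, order-sensitive comparison, as the document requires."""
    return decode_search_criteria(criteria) == cert_subject


def check_criteria(value: str) -> List[str]:
    """Problems an MDM operator should fix before provisioning this value."""
    try:
        rdns = decode_search_criteria(value)
    except ValueError as exc:
        return [str(exc)]
    problems = []
    if is_default_device_subject(rdns):
        problems.append("search criteria is the default device subject; server must set its own Subject")
    if unquote(value) == value and ("=" in value or "," in value):
        problems.append("value is not URL-encoded")
    return problems


if __name__ == "__main__":
    dn = [("DC", "COM"), ("DC", "CONTOSO"), ("CN", "Users"), ("CN", "user4@contoso.com")]  # placeholder
    encoded = encode_search_criteria(dn)
    print(encoded, check_criteria(encoded), subject_matches(encoded, dn))
```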
&#x3C;AllowApp ProductId=&#x22;cf3f117d-d5a6-4e81-9786-56dd337b9b02&#x22;/&#x3E;&#x3C;/Publisher&#x3E;&#x3C;/Deny&#x3E;&#x3C;/AppPolicy&#x3E;</Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

Deny List: one denied publisher, and one denied publisher with one allowed application exception

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Deny&#x3E;&#x3C;!-- Deny Publisher Microsoft Corporation --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;/&#x3E;&#x3C;!-- Deny Publisher Microsoft Studios&#xE2;&#x201E;&#xA2; --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Studios&#xE2;&#x201E;&#xA2;&#x22;&#x3E;&#x3C;!-- Allow app published by denied publisher Microsoft Studios
/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPoliciesResponse</a:Action>
    <ActivityId CorrelationId="08d2997e-e8ac-4c97-a4ce-d263e62186ab" xmlns="http://schemas.microsoft.com/2004/09/ServiceModel/Diagnostics">d4335d7c-e192-402d-b0e7-f5d550467e3c</ActivityId>
    <a:RelatesTo>urn:uuid:69960163-adad-4a72-82d2-bb0e5cff5598</a:RelatesTo>
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <GetPoliciesResponse xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
      <response>
        <policyFriendlyName xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
        <nextUpdateHours xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
        <policiesNotChanged xsi:nil="true" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" />
        <policies>
          <policy>
            <policyOIDReference></policyOIDReference>
            <cAs xsi:nil="true" />
            <attributes>
              <policySchema>3</policySchema>
              <privateKeyAttributes>
                <minimalKeyLength>2048</minimalKeyLength>
                <keySpec xsi:nil="true" />
                <keyUsageProperty xsi:nil="true" />
                <permissions xsi:nil="true" />
                <algorithmOIDReference xsi:nil="true" />
                <cryptoProvid
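The document says Windows Phone honours minimalKeyLength, hashAlgorithmOIDReference (resolved through the OID table by OIDReferenceID) and the CryptoProviders from a GetPoliciesResponse like the one above. The following is an added example, not code from the Microsoft document: it parses such a response with correct handling of namespaces and xsi:nil elements, resolves the hash OID, and gates enrollment on the result. The embedded SAMPLE is a constructed, trimmed response modelled on the page's sample; its OID table entry and provider name are placeholders, not values from the page.

```python
# Added example (not from the Microsoft document): parse an MS-XCEP
# GetPoliciesResponse and check the policy before enrolling. SAMPLE is constructed.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional

XCEP = "{http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy}"
XSI = "{http://www.w3.org/2001/XMLSchema-instance}"
SHA1_OID = "1.3.14.3.2.26"

SAMPLE = """<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope">
 <s:Body>
  <GetPoliciesResponse xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy"
      xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
   <response>
    <policies><policy>
     <policyOIDReference>0</policyOIDReference>
     <cAs xsi:nil="true"/>
     <attributes>
      <policySchema>3</policySchema>
      <privateKeyAttributes>
       <minimalKeyLength>2048</minimalKeyLength>
       <keySpec xsi:nil="true"/>
       <cryptoProviders><provider>Microsoft RSA SChannel Cryptographic Provider</provider></cryptoProviders>
      </privateKeyAttributes>
      <hashAlgorithmOIDReference>1</hashAlgorithmOIDReference>
     </attributes>
    </policy></policies>
   </response>
   <oIDs>
    <oID><value>2.16.840.1.101.3.4.2.1</value><oIDReferenceID>1</oIDReferenceID></oID>
   </oIDs>
  </GetPoliciesResponse>
 </s:Body>
</s:Envelope>"""


def _text(el: Optional[ET.Element]) -> Optional[str]:
    """xsi:nil='true' elements are absent values, not empty strings."""
    if el is None or el.get(XSI + "nil") == "true":
        return None
    return el.text


def parse_policies(xml_text: str) -> List[Dict]:
    root = ET.fromstring(xml_text)
    # the OID table maps oIDReferenceID -> dotted OID; hashAlgorithmOIDReference points into it
    oids = {_text(o.find(XCEP + "oIDReferenceID")): _text(o.find(XCEP + "value"))
            for o in root.iter(XCEP + "oID")}
    policies = []
    for pol in root.iter(XCEP + "policy"):
        attrs = pol.find(XCEP + "attributes")
        pk = attrs.find(XCEP + "privateKeyAttributes")
        policies.append({
            "policySchema": int(_text(attrs.find(XCEP + "policySchema")) or 0),
            "minimalKeyLength": int(_text(pk.find(XCEP + "minimalKeyLength")) or 0),
            "hashAlgorithmOID": oids.get(_text(attrs.find(XCEP + "hashAlgorithmOIDReference"))),
            "cryptoProviders": [p.text for p in pk.iter(XCEP + "provider")],
        })
    return policies


def acceptable(policy: Dict, min_key_bits: int = 2048) -> bool:
    """Refuse templates that would give the device a weak key or a SHA-1 certificate (our policy)."""
    return (policy["policySchema"] >= 2
            and policy["minimalKeyLength"] >= min_key_bits
            and policy["hashAlgorithmOID"] is not None
            and policy["hashAlgorithmOID"] != SHA1_OID)


if __name__ == "__main__":
    for p in parse_policies(SAMPLE):
        print(p, "acceptable" if acceptable(p) else "REJECT")
```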
Time zone table (continued). Columns: time zone ID (hex), UTC offset, display name. Only the offset and display-name columns of this part of the table were recoverable; the ID column on this page (0x618, 0x64A, 0x654, 0x65E, 0x668, 0x672, 0x67C, 0x6AE, 0x6B8, 0x6C2, 0x6CC, 0x6D6, 0x6A4, 0x708) could not be aligned with the rows below.

UTC-06:00  Guadalajara, Mexico City, Monterrey
UTC-05:00  Eastern Time (US & Canada); Bogota, Lima, Quito; Indiana (East)
UTC-04:00  Atlantic Time (Canada); Cuiaba; Santiago; Georgetown, La Paz, Manaus, San Juan; Asuncion
UTC-04:30  Caracas
UTC-03:30  Newfoundland
UTC-03:00  Brasilia; Greenland; Montevideo; Cayenne, Fortaleza; Buenos Aires; Salvador
UTC-02:00  Mid-Atlantic; Coordinated Universal Time-02
UTC-01:00  Azores; Cabo Verde Is.
UTC        Dublin, Edinburgh, Lisbon, London; Monrovia, Reykjavik; Casablanca; Coordinated Universal Time
UTC+01:00  Belgrade, Bratislava, Budapest, Ljubljana, Prague; Sarajevo, Skopje, Warsaw, Zagreb; Brussels, Copenhagen, Madrid, Paris; West Central Africa; Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna; Windhoek
UTC+02:00  E. Europe; Cairo; Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius; Athens, Bucharest; Jerusalem; Amman; Beirut; Harare, Pretoria; Damascus; Istanbul; Kaliningrad (RTZ 1)
UTC+03:00  Kuwait, Riyadh; Baghdad; Nairobi
2012-09-27T04:25:03.408Z</u:Expires>
      </u:Timestamp>
    </o:Security>
  </s:Header>
  <s:Body>
    <s:Fault>
      <s:Code>
        <s:Value>s:Receiver</s:Value>
        <s:Subcode>
          <s:Value>s:MessageFormat</s:Value>
        </s:Subcode>
      </s:Code>
      <s:Reason>
        <s:Text xml:lang="en-US">Invalid TokenType in request</s:Text>
      </s:Reason>
    </s:Fault>
  </s:Body>
</s:Envelope>

Fault - Meaning
InternalServerFault - Internal error, such as SQL down.
InvalidRenewalRequesterFault - Request for renewal is different from the initial enrollment requester.
RenewalWindowFault - Certificate is not in the renewal window.
ClientVersionFault - Unsupported version of client.
NotReachedRenewalWindow - Renewal request isn't within the renewal window. Requester user thumbprint: <thumbprint inserted here>.

Best practice tips

General notes
All POSTs should have the HTTP Content-Type application/soap+xml; charset=utf-8 for the discovery and enrollment phases. For SyncML the proper content types are either application/vnd.syncml.dm+xml or application/vnd.syncml.dm+wbxml, depending on the choice made in the provisioning XML.

HTTP 1.1 chunked transfer encoding (Transfer-Encoding: chunked) is not supported. The server should explicitly specify the Content-Length header in all responses, which turns off chunked response generation in most frameworks.

Certificates
Web server SS
3" datatype="integer" />
        <parm name="Aux2NumRetries" value="0" datatype="integer" />
        <parm name="Aux2RetryInterval" value="480" datatype="integer" />
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="DMClient">
    <characteristic type="Provider">
      <characteristic type="SCConfigMgr">
        <parm name="EntDeviceName" value="Bulk Profile WindowsEmbeddedHandheld 1 e7a3c90f c" datatype="string" />
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="EnterpriseAppManagement">
    <characteristic type="4000000001">
      <parm datatype="string" name="EnrollmentToken" value="ENROLLMENT TOKEN GOES HERE" />
      <parm datatype="string" name="StoreProductId" value="00000000-0000-0000-0000-000000000000" />
      <parm datatype="string" name="StoreURI" value="" />
      <parm datatype="string" name="StoreName" value="Contoso App Store" />
      <parm datatype="string" name="CertificateSearchCriteria" value="DC%3dCOM%2cDC%3dCONTOSO%2cDC%3dENROLLTEST%2cCN%3dUsers%2cCN%3duser4@contoso.com" />
      <parm datatype="string" name="CRLCheck" value="0" />
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

Apps Corner (Handheld 8.1)
You can export a WEHLockdown.xml file to an SD card from Apps Corner and then use it to provision devices:
• Pre-installed an assigned
9786-56dd337b9b02&#x22;/&#x3E;&#x3C;/Publisher&#x3E;&#x3C;/Deny&#x3E;&#x3C;/AppPolicy&#x3E;</Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

Deny List: one denied application, one denied publisher with two allowed application exceptions, and one denied publisher with two allowed application exceptions

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Deny&#x3E;&#x3C;!-- Deny App Nokia Trailers --&#x3E;&#x3C;App ProductId=&#x22;b731ce2-cdee-4cad-afe1-a74a0433fcea&#x22;/&#x3E;&#x3C;!-- Deny Publisher Microsoft Corporation --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;&#x3E;&#x3C;!-- Allow app published by denied publisher Microsoft Corporation: Facebook --&#x3E;&#x3C;AllowApp Prod
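The ApplicationRestriction samples above (allow list, deny list, deny list with publisher exceptions) all carry the same AppPolicy document, character-escaped inside the SyncML Data element, and the schema earlier on the page adds two uniqueness constraints (no duplicate ProductId, no duplicate PublisherName). The following is an added example, not code from the Microsoft document: it builds an AppPolicy for either mode, enforces the uniqueness rules before the policy is sent (a duplicate would otherwise only fail on the device), and wraps the result in the Replace command. Product IDs and publisher names are placeholders; the example escapes with &lt; rather than the &#x3C; entities in the samples, which an XML parser treats identically.

```python
# Added example (not from the Microsoft document): build, validate and wrap the
# ApplicationRestrictions AppPolicy. ProductIds and publisher names are placeholders.
import xml.etree.ElementTree as ET
from typing import Dict, List
from xml.sax.saxutils import escape

NS = "http://schemas.microsoft.com/phone/2013/policy"
LOCURI = "./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions"


def build_app_policy(mode: str, publishers: Dict[str, List[str]], apps: List[str],
                     version: str = "1") -> str:
    """mode is 'Deny' or 'Allow'. publishers maps PublisherName -> ProductIds allowed as exceptions
    under a denied publisher (only meaningful in Deny mode). apps are ProductIds listed directly."""
    if mode not in ("Deny", "Allow"):
        raise ValueError(f"mode must be Deny or Allow, got {mode!r}")
    if mode == "Allow" and any(publishers.values()):
        raise ValueError("AllowApp exceptions only make sense under a denied publisher")
    root = ET.Element("AppPolicy", Version=version, xmlns=NS)
    rule_list = ET.SubElement(root, mode)
    for product_id in apps:
        ET.SubElement(rule_list, "App", ProductId=product_id)
    for name, exceptions in publishers.items():
        publisher = ET.SubElement(rule_list, "Publisher", PublisherName=name)
        for product_id in exceptions:
            ET.SubElement(publisher, "AllowApp", ProductId=product_id)
    return ET.tostring(root, encoding="unicode")


def check_uniqueness(policy_xml: str) -> List[str]:
    """The schema's NoDuplicateProductIDs / NoDuplicatePublisherNames rules, applied before sending."""
    root = ET.fromstring(policy_xml)
    product_ids = [e.get("ProductId").lower() for e in root.iter() if e.get("ProductId")]
    names = [e.get("PublisherName") for e in root.iter() if e.get("PublisherName")]
    problems = []
    for values, label in ((product_ids, "ProductId"), (names, "PublisherName")):
        dups = sorted({v for v in values if values.count(v) > 1})
        if dups:
            problems.append(f"duplicate {label}: {dups}")
    return problems


def wrap_in_syncml(policy_xml: str, cmd_id: int = 2) -> str:
    """The policy travels as chr / text/plain, so the XML is escaped inside Data."""
    problems = check_uniqueness(policy_xml)
    if problems:
        raise ValueError("; ".join(problems))
    data = escape(policy_xml, {'"': "&quot;"})
    return (f"<Replace><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{LOCURI}</LocURI></Target>"
            '<Meta><Format xmlns="syncml:metinf">chr</Format><Type xmlns="syncml:metinf">text/plain</Type></Meta>'
            f"<Data>{data}</Data></Item></Replace>")


def unwrap_data(syncml: str) -> str:
    """Recover the AppPolicy text from a Replace, as the device's parser would."""
    return ET.fromstring(syncml).findtext("./Item/Data")


if __name__ == "__main__":
    policy = build_app_policy("Deny", {"Contoso Games": ["cf3f117d-d5a6-4e81-9786-56dd337b9b02"]},
                              ["b731ce2c-dee4-4cad-afe1-a74a0433fcea"])
    print(check_uniqueness(policy))
    print(wrap_in_syncml(policy))
```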
...C03771ED741A
5B04B775-356B-4AA0-AAF8-6491FFEA5631
5B04B775-356B-4AA0-AAF8-6491FFEA568C
5B04B775-356B-4AA0-AAF8-6491FFEA5646
5B04B775-356B-4AA0-AAF8-6491FFEA5614
0C340A67-3288-4C76-9375-0F2FEFBA0412
50A6AEF0-4F35-434B-9308-CB3251303AE4
5B04B775-356B-4AA0-AAF8-6491FFEA5666
5B04B775-356B-4AA0-AAF8-6491FFEA5686
5B04B775-356B-4AA0-AAF8-6491FFEA5610
D2B6A184-DA39-4C9A-9E0A-8B589B03DEC0
5B04B775-356B-4AA0-AAF8-6491FFEA561E
AD543082-80EC-45BB-AA02-FFE7F4182BA8
5B04B775-356B-4AA0-AAF8-6491FFEA561B
5B04B775-356B-4AA0-AAF8-6491FFEA5615
5B04B775-356B-4AA0-AAF8-6491FFEA5611
5B04B775-356B-4AA0-AAF8-6491FFEA5632
C3215724-B279-4206-8C3E-61D1A9D63ED3
5B04B775-356B-4AA0-AAF8-6491FFEA5601
5B04B775-356B-4AA0-AAF8-6491FFEA564D
5B04B775-356B-4AA0-AAF8-6491FFEA5633
6AFFE59E-0467-4701-851F-7AC026E21665
5B04B775-356B-4AA0-AAF8-6491FFEA5683

See the following sample. Note that all top-level fields under <Default> must be included as part of the XML, unlike the following sample excerpt, which does not include other top-level fields.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <Apps>
      <!-- Alarms -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA560A">
        <PinToStart>
          <Size>Medium</Size>
          <Location>
            <LocationX>0</LocationX>
            <LocationY>4</LocationY>
          </Location>
        </CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/Device/Connectivity/CellularAppDownloadMBLimit</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">int</Format>
          </Meta>
          <Data>0</Data>
        </Item>
      </Replace>

Data protection under lock (new for GDR2)

In Windows Phone 8.1 GDR2, for organizations looking to protect themselves from enterprise data leakage when a device is PIN-locked and gets lost or stolen, an additional policy can be applied by MDM that helps protect access to enterprise email and attachments while the device is PIN-locked. Protected email accounts can be provisioned either via EAS or MDM. In addition, the protected data is encrypted using a separate enterprise key at all times. This policy is in addition to the existing device encryption policy, which applies globally to all data (personal and business) on the device.

While the GDR2 policy for data protection under lock applies only to enterprise emails and associated attachments, in future releases this same policy will expand its scope to other types of enterprise content. Future versions of this document will document support for additional applications as they get released.

The DataProtection/RequireProtectionUnderLockConfig policy allows data encryption of email data and associated attachments. The PIN lock key is required to unlock and decode the content. In ad
Configuration service providers supported during MDM enrollment and certificate renewal ........ 27
Disconnecting from the management infrastructure (unenrollment) ........ 30
User unenrollment notification to the MDM server ........ 31
IT admin requested disconnection ........ 32
Enterprise settings, policies and app management ........ 33
DM SyncML functionality support ........ 35
OMA DM protocol common elements ........ 37
Device management session ........ 38
OMA DM provisioning ........ 39
SyncHdr element ........ 40
Code example ........ 41
SyncBody element ........ 41
Code example ........ 41
Update phone settings example ........ 41
Server requirements for OMA DM ........ 42
Enterprise OMA DM supported configuration service providers ........ 43
DM client configuration (Updated in Windows Phone 8.1) ........ 43
Enterprise specific DM client configuration
Area: DataProtection
Policy name: RequireProtectionUnderLockConfig (new for GDR2)
Description: Allows data encryption of email data and associated attachments. The PIN lock key is required to unlock and decode the content.
Supported values: 0 (default): data protection under lock is disabled. 1: data protection under lock is enabled.
Value evaluation rule: Most restricted value is 1.
Supported via: MDM

Area: DataProtection
Policy name: EnterpriseProtectedDomainNames (new for GDR2)
Description: Specifies the enterprise domain names. Multiple domain names may be defined using a separator character. Example: Contoso.com Fabrikam.com. Default value: <empty>.
Supported values: string

Company Owned / Provided / Liable Device Policies

As a Mobile Device Management Solutions Vendor, you must provide the following disclaimer to the IT administrator prior to the use of the feature:

This feature may cause the device to fail or lose connectivity and require that the device be serviced at a Nokia authorized repair center to reset to factory settings. Microsoft is not liable for any damage to the device or any loss of productivity that results from use of this feature. Microsoft requires that software vendors provide disclaimers to users when their products expose this feature and capabilities.

Columns: Area | Policy name | Description | Supported value | Supported via MDM or EAS | EAS policy name | Value evaluation rule

Area: System
Policy name: AllowUserToResetPhone
Description: Specify whether allow
Supported values: 0: not allo
Value evaluation rule: Most
Supported via: MDM
EAS policy name: n/a
...DisableMenuItems to prevent use of the context menu, which is displayed when a user presses and holds an application in the All Programs list. You can include this entry in the default profile and in any additional user role profiles that you create.

Example:
<MenuItems>
  <DisableMenuItems/>
</MenuItems>

Important note: If DisableMenuItems is not included in a profile, users of that profile can uninstall apps.

Turning on tile manipulation

By default, under Assigned Access, tile manipulation is turned off (blocked) and is only available if enabled in the user's profile. If tile manipulation is enabled in the user's profile, they can pin, unpin, move and resize tiles based on their preferences. When multiple people use one device and you want to enable tile manipulation for multiple users, you must enable it for each user in their user profile.

Important note: If a device is turned off then back on, the tiles reset to their predefined layout. If a device has only one profile, the only way to reset the tiles is to turn off then turn on the device. If a device has multiple profiles, the device resets the tiles to the predefined layout based on the logged-in user's profile.

The following sample file contains code for enabling tile manipulation.

Note: Tile manipulation is disabled when you don't have a <Tiles> node in WEHLockdown.xml, or if you have a <Tiles> node but don't have the <EnableTileManipulation> no
...EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/KEEPMAX</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">int</Format>
          </Meta>
          <Data>0</Data>
        </Item>
      </Replace>
      <Replace>
        <CmdID>19</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/RETRIEVE</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
          </Meta>
          <Data>20480</Data>
        </Item>
      </Replace>
      <Replace>
        <CmdID>20</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/ACCOUNTTYPE</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
          </Meta>
          <Data>Email</Data>
        </Item>
      </Replace>
      <Replace>
        <CmdID>23</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/TAGPROPS</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">node</Format>
          </Meta>
        </Item>
      </Replace>
      <Replace>
        <CmdID>24</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/TAGPROPS/8128000B</LocURI>
          </Target>
          <Data>1</Da
Enrollment Protocol Q&A

This section lists the common questions MDM vendors may have and the corresponding answers.

Q: Can enrollment be initiated via SMS?
A: Not supported in Windows Phone 8 and 8.1.

Q: Can the DM client support using a proxy to make connections to the MDM server for authentication and check-in?
A: HTTP proxy over Wi-Fi is supported. Proxy authentication isn't supported in Windows Phone 8 and 8.1.

Q: Do you support SSL offloading?
A: Not supported in Windows Phone 8 and 8.1.

Q: Will the discovery request accept self-signed certs or prompt the user?
A: While the discovery request doesn't reject self-signed certs, the phone prompts the user for permission to continue if the server uses WAB to get a security token. The WAB server certificate must root to a root certificate known to the device. The user could manually install the root certificate before MDM enrollment.

Q: Can a phone be enrolled with multiple companies? Can a user create multiple company apps accounts?
A: In Windows Phone 8 and 8.1 we support one company account for the enterprise device management server. If desired, the user can acquire and install multiple companies' enterprise application tokens. They can then manually install apps that depend on those tokens alongside apps installed via the enrolled company account.

Q: Can a phone be owned by multiple users?
A: One phone could be used by multiple users. However, at any one time there is only one company apps account. The us
...NameSpace001</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
          </Meta>
          <Data></Data>
        </Item>
      </Add>
      <Add>
        <CmdID>8024</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPN/EapTls/DNSSuffix</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
          </Meta>
          <Data>corp.test.com</Data>
        </Item>
      </Add>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

VPN profile using EAP-MSCHAPv2 authentication method

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>8000</CmdID>
      <Add>
        <CmdID>8001</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPN/EapMsChapv2/Server</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
          </Meta>
          <Data>wp.test.com</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>8002</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPN/EapMsChapv2/TunnelType</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
          </Meta>
          <Data>IKEv2</Data>
        </Item>
      </Add>
      <Add>
        <CmdID>8004</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/VPN/EapMsChapv2/Auth
...Phone 8, the device does not notify the server when the user deletes the organization account. In Windows Phone 8.1, after the user confirms the account deletion command and before the account is deleted, the MDM client sends a notification to the MDM server that the account will be removed. This is a best-effort action, as no retry is built in to ensure the notification is successfully sent to the device. This leverages the OMA DM generic alert (1226) function to send an MDM unenrollment user alert to the MDM server after the device accepts the user's unenroll request but before it deletes any enterprise data. The server should set the expectation that unenroll may succeed or fail; the server can check whether the device is unenrolled either by checking whether the device calls back at the scheduled time or by sending a push notification to the device to see whether it responds. If the server plans to send a push notification, it should allow for some delay to give the device time to finish the unenrollment work.

1. User unenroll generic alert definition

The 1226 generic alert is an OMA DM standard. For more information, check the OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the OMA website. The vendor uses the Type attribute to specify what type of generic alert it is. For device-initiated MDM unenroll, the following alert type is used:

com.microsoft.mdm.unenrollment.userrequest
Required. The PORTNBR parameter is used in the PORT characteristic to get or set the number of the port to connect to. This parameter takes a numeric value in string format.

APPAUTH
This characteristic is used in the w7 APPLICATION characteristic to specify authentication information.

APPAUTH/AAUTHDATA
Optional. The AAUTHDATA parameter is used in the APPAUTH characteristic to get or set additional data used in authentication. This parameter is used to convey the nonce for the MD5 digest authentication type. This parameter takes a string value. The value of this parameter is base64-encoded in the form of a series of bytes. Note that if the AAUTHTYPE is DIGEST, this is used as the nonce value in the MD5 hash calculation, and the octal form of the binary data should be used when calculating the hash on the server side and on the device side.

APPAUTH/AAUTHLEVEL
Required. The AAUTHLEVEL parameter is used in the APPAUTH characteristic to indicate whether credentials are for server authentication or client authentication. This parameter takes a string value. You can set this value. The valid values are listed below.
• APPSRV specifies that the client authenticates itself to the OMA DM Server at the DM protocol level.
• CLIENT specifies that the server authenticates itself to the OMA DM Client at the DM protocol level.

APPAUTH/AAUTHNAME
Optional. The AAUTHNAME parameter is used in the APPAUTH characteristic to differentiate OMA DM client names. This parameter tak
Valid value: 1 to 1000. NOTE: when setting the renew schedule over SyncML DM commands to ROBOSupport, RenewalPeriod and RetryInterval, those commands should be wrapped in an Atomic command.

My/WSTEP/Renew/RetryInterval
Optional. This parameter specifies the retry interval, in days, used when the previous renew failed. It applies to both manual cert renewal and ROBO automatic cert renewal. The retry schedule stops at the cert expiration date. For a ROBO renew failure, the client retries the renew periodically until the device reaches the cert expiration date; this parm specifies the ROBO renew failure retry waiting period. For a manual retry failure, there is no built-in renew failure retry; the user, on the other side, could retry later. At the next scheduled cert renew retry time, the device prompts the "credential to be expired soon" dialog again. Supported operations are Add, Get, Delete, Replace. Default value is 7. Datatype of this node value is int. Valid value: 1 to 1000. NOTE: when setting the renew schedule over SyncML DM commands to ROBOSupport, RenewalPeriod and RetryInterval, those commands should be wrapped in an Atomic command.

My/WSTEP/Renew/Status
Required. Shows the latest action status for this certificate. Datatype of this node value is int. Supported operation is Get. Supported values: 0: not started; 1: renewal in progress; 2: renew succeeded; 3: renew failed.

My/WSTEP/Renew/ErrorCode
Optional. If certificate renew fails, this integer value indicates the HRESULT of the last
...WSS section 6.3). The <wsse:BinarySecurityToken> element MUST be included as a child of the <wsse:Security> element in the SOAP header. As was described in the discovery response section, the inclusion of the <wsse:BinarySecurityToken> element is opaque to the enrollment client: the client does not interpret the string, and the inclusion of the element is agreed upon by the security token authentication server (as identified in the <AuthenticationServiceUrl> element of <DiscoveryResponse>) and the enterprise server. The <wsse:BinarySecurityToken> element contains a base64-encoded string. The enrollment client uses the security token received from the authentication server and base64-encodes the token to populate the <wsse:BinarySecurityToken> element.

wsse:BinarySecurityToken attributes: ValueType
The <wsse:BinarySecurityToken> ValueType attribute MUST be http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken.

wsse:BinarySecurityToken attributes: EncodingType
The <wsse:BinarySecurityToken> EncodingType attribute MUST be http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary.

The following is an enrollment policy request example with a received security token as the client credential.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http
...&#x3E;&#x3C;Deny&#x3E;
&#x3C;!-- Deny App: Nokia Trailers --&#x3E;
&#x3C;App ProductId=&#x22;b731ce2-cdee-4cad-afe1-a74a0433fcea&#x22;/&#x3E;
&#x3C;!-- Deny App: MixRadio --&#x3E;
&#x3C;App ProductId=&#x22;f5874252-1f04-4c3f-a335-4fa3b7b85329&#x22;/&#x3E;
&#x3C;!-- Deny Publisher: Microsoft Corporation --&#x3E;
&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Corporation: Facebook --&#x3E;
&#x3C;AllowApp ProductId=&#x22;82a23635-5bd9-df11-a844-00237de2db9e&#x22;/&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Corporation: YouTube --&#x3E;
&#x3C;AllowApp ProductId=&#x22;dcbb1ac6-a89a-df11-a490-00237de2db9e&#x22;/&#x3E;
&#x3C;/Publisher&#x3E;
&#x3C;!-- Deny Publisher: Microsoft Studios™ --&#x3E;
&#x3C;Publisher PublisherName=&#x22;Microsoft Studios™&#x22;&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Studios™: Wordament --&#x3E;
&#x3C;AllowApp ProductId=&#x22;c62201b4-e059-e011-854c-00237de2db9e&#x22;/&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Studios™: Halo SA Lite --&#x3E;
&
...a managed object (MO). The settings supported by the managed object are represented in a conceptual tree structure. This logical view of configurable phone settings simplifies the way the server addresses the phone settings by isolating the implementation details from the conceptual tree structure.

To facilitate security-enhanced communication with the remote server for enterprise management, Windows Phone 8 supports certificate-based mutual authentication over an encrypted SSL HTTP channel between the DM client and the management service. The server and client certificates are provisioned during the enrollment process.

DM client configuration, company policy enforcement, business application management and phone inventory are all exposed or expressed via configuration service providers (CSPs). CSPs are the Windows Phone term for managed objects. The DM client communicates with the server and sends configuration requests to CSPs. The server only needs to know the logical local URIs defined by those CSP nodes in order to use the DM protocol XML to manage the phone.

Windows Phone has a similar level of OMA DM protocol v1.2 support as Windows Mobile 6.5. This document focuses on which Windows Phone managed objects are enabled to be accessible by an enterprise DM server. As a summary, the following are the DM tasks that an organization's management server could support:

• Company policy management. Company policies are supported via the DeviceLock CSP, Sto
........ 71
Global Certificate Revocation support ........ 71
Phone configuration ........ 71
Wi-Fi configuration (Windows Phone 8.1) ........ 71
VPN configuration (Windows Phone 8.1) ........ 71
Exchange Outlook account configuration ........ 72
Internet email account configuration ........ 72
Inventory cache handling ........ 72
Coexistence of Exchange servers and enterprise management server ........ 72
Logging support for Enterprise server creation (New in Windows Phone 8.1) ........ 75
Retrieve MDM logs ........ 75
Steps to use WPA tool to view MDM log file ........ 76
Configuration service provider reference ........ 78
ActiveSync configuration service provider ........ 78
CertificateStore configuration service provider (Updated in Windows Phone 8.1) ........ 84
DevDetail configuration service provider ........ 95
DeviceLock configuration service provider ........ 98
How to implement complex password requirement
...a single technology for a single provider. Once added, the value cannot be changed (e.g., the Replace command isn't supported). Format: node. Supported operations: Add, Get, Delete. Occurrence: OneOrMore.

./Vendor/MSFT/PolicyManager/My/<area name>/<name>
Description: The node specifies a name/value pair used in the policy. Note that for multi-string values, the strings are separated by a specific Unicode character, &#xF000;, in the XML file, and the multi-string is terminated with &#xF000;&#xF000;:

One string&#xF000;two string&#xF000;red string&#xF000;Windows Phone 8.1 string&#xF000;&#xF000;

Note that a query from a different caller could provide a different value, as each caller could have different values for a named policy.
NOTE: Any SyncML used to set policy should be wrapped with the Atomic XML tag, which treats the policy settings as a single transaction.
Format: string. Supported operations: Add, Get, Delete, Replace. Occurrence: OneOrMore.

./Vendor/MSFT/PolicyManager/Device
Description: An interior node grouping all the evaluated policies that can be configured. This node corresponds to the evaluated policies of all the providers. Format: node. Supported operations: Get. Occurrence: One.

./Vendor/MSFT/PolicyManager/Device/<area name>
Description: An interior node grouping all policies that can be configured by a single technology, independent of the providers. Format: node. Supported operations: Get. Occurrence:
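The multi-string encoding described above (strings joined by U+F000 and terminated by a double U+F000) is easy to get wrong in both directions: a server that forgets the terminator, or a client that splits on the separator without checking it, produces a policy with a spurious empty element. The following Python is an added example, not code from the Microsoft document; it encodes a list of policy strings into that wire form, renders it as the &#xF000; character references used inside SyncML, and parses a received value back while rejecting values that lack the terminator. The function names and the validation rules (no empty strings, no embedded U+F000) are assumptions.

```python
"""Encode and decode PolicyManager multi-string values.

Added example, not from the Microsoft document.  The document states that
multi-string policy values are joined with U+F000 and terminated with a
double U+F000; everything else here (function names, validation) is assumed."""
from xml.sax.saxutils import escape

SEP = "\uf000"          # separator character stated by the document
TERMINATOR = SEP * 2    # double separator marks the end of the list


def encode_multistring(values):
    """Return the on-the-wire multi-string for a list of policy strings.

    Rejects elements that contain the separator (they would parse back as
    two elements) and empty elements (indistinguishable from the terminator)."""
    for v in values:
        if SEP in v:
            raise ValueError("policy string must not contain U+F000")
        if v == "":
            raise ValueError("empty strings are ambiguous with the terminator")
    if not values:
        return TERMINATOR
    return SEP.join(values) + TERMINATOR


def decode_multistring(wire):
    """Parse a multi-string value; the terminating double separator is required."""
    if not wire.endswith(TERMINATOR):
        raise ValueError("multi-string is missing the double U+F000 terminator")
    body = wire[: -len(TERMINATOR)]
    if body == "":
        return []
    return body.split(SEP)


def is_well_formed(wire):
    """True when the value decodes cleanly; useful as a receive-side check."""
    try:
        decode_multistring(wire)
        return True
    except ValueError:
        return False


def to_xml_data(values):
    """Render the value as the text content of a SyncML <Data> element: XML
    special characters escaped and the separator written as &#xF000;."""
    return escape(encode_multistring(values)).replace(SEP, "&#xF000;")


if __name__ == "__main__":
    sample = ["One string", "two string", "red string", "Windows Phone 8.1 string"]
    print(to_xml_data(sample))
```

The separator is replaced after XML escaping so that a literal `&` in a policy string is still escaped as `&amp;` while the character references for U+F000 are emitted verbatim.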
...access version
• Export an XML file to an SD card in Apps Corner

Steps for exporting a file in Apps Corner:
1. Manually set up one device. Make sure there is an SD card.
2. Install the desired enterprise app on the device.
3. In the control panel, click Settings > Advanced > Apps Corner > Export the configuration to the SD card. This generates a WEHLockdown XML file that you can install on every device.

Assigned Access (Handheld 8.1)

Enabling the Assigned Access feature requires the addition of special registry keys and placing the WEHLockdown.xml onto the device in a specific folder of the file structure. The XML file must be authored by the enterprise following the guidelines defined in the Administrator Guide for Windows Embedded 8.1 Handheld. The file must be named WEHLockdown.xml and placed into the Data\SharedData\Enterprise\Persistent directory.

The following table shows the relevant registry keys for Assigned Access.

Registry key: HKLM\System\Features\Lockdown
Value data: WindowsEmbeddedDeviceLockdownProfile.dll

Registry key: HKLM\System\Features\ButtonRemapping
Value data: WEHButtonRouter.dll

EnterpriseAssignedAccess configuration service provider (Handheld 8.1)

The EnterpriseAssignedAccess configuration service provider allows Information Technology (IT) administrators to configure settings such as language and themes, lock down a device, and use Windows Embedded 8.1 Handheld features to configure custom l
...&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;
&#x3C;Deny&#x3E;
&#x3C;!-- Deny Publisher: Microsoft Corporation --&#x3E;
&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;/&#x3E;
&#x3C;!-- Deny Publisher: Microsoft Studios™ --&#x3E;
&#x3C;Publisher PublisherName=&#x22;Microsoft Studios™&#x22;&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Studios™: Wordament --&#x3E;
&#x3C;AllowApp ProductId=&#x22;c62201b4-e059-e011-854c-00237de2db9e&#x22;/&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Studios™: Halo SA Lite --&#x3E;
&#x3C;AllowApp ProductId=&#x22;cf3f117d-d5a6-4e81-9786-56dd337b9b02&#x22;/&#x3E;
&#x3C;/Publisher&#x3E;
&#x3C;/Deny&#x3E;
&#x3C;/AppPolicy&#x3E;</Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

Known Issues

Support

If you still have questions after reading through this whitepaper, please use the support forum below, created exclusively for MDM development discussions, to post your questions: Developing MDM Solutions.
• For 1:1 paid development support, please submit a support incident and choose Developing
...&gt;&lt;/OneX&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt;</Data>
        </Item>
      </Add>
    </Atomic>

Adding PEAP-MSCHAPv2 network with SSID MyNetwork and root CA validation for the server certificate

    <Atomic>
      <CmdID>300</CmdID>
      <Add>
        <CmdID>301</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
          </Meta>
          <Data>&lt;?xml version=&quot;1.0&quot;?&gt;
&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;
&lt;name&gt;MyNetwork&lt;/name&gt;
&lt;SSIDConfig&gt;
&lt;SSID&gt;
&lt;name&gt;MyNetwork&lt;/name&gt;
&lt;/SSID&gt;
&lt;nonBroadcast&gt;false&lt;/nonBroadcast&gt;
&lt;/SSIDConfig&gt;
&lt;connectionType&gt;ESS&lt;/connectionType&gt;
&lt;connectionMode&gt;manual&lt;/connectionMode&gt;
&lt;MSM&gt;
&lt;security&gt;
&lt;authEncryption&gt;
&lt;authentication&gt;WPA2&lt;/authentication&gt;
&lt;encryption&gt;AES&lt;/encryption&gt;
&lt;useOneX&gt;true&lt;/useOneX&gt;
&lt;/authEncryption&gt;
&lt;OneX xmlns=&quot;http://www.micros
...&gt;&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;
&lt;name&gt;Wifi Chandler&lt;/name&gt;
&lt;SSIDConfig&gt;
&lt;SSID&gt;
&lt;name&gt;Wifi Chandler&lt;/name&gt;
&lt;/SSID&gt;
&lt;nonBroadcast&gt;true&lt;/nonBroadcast&gt;
&lt;/SSIDConfig&gt;
&lt;connectionType&gt;ESS&lt;/connectionType&gt;
&lt;connectionMode&gt;auto&lt;/connectionMode&gt;
&lt;MSM&gt;
&lt;security&gt;
&lt;authEncryption&gt;
&lt;authentication&gt;WPA2PSK&lt;/authentication&gt;
&lt;encryption&gt;AES&lt;/encryption&gt;
&lt;/authEncryption&gt;
&lt;sharedKey&gt;
&lt;keyType&gt;passPhrase&lt;/keyType&gt;
&lt;protected&gt;false&lt;/protected&gt;
&lt;keyMaterial&gt;Microsoft1234&lt;/keyMaterial&gt;
&lt;/sharedKey&gt;
&lt;/security&gt;
&lt;/MSM&gt;
&lt;/WLANProfile&gt;</WlanXml>
  </Profile>
</WiFi>

The Profile name is the actual profile name. To export an existing Wi-Fi profile:
1. Run cmd as an administrator.
2. Run netsh.
3. Run export profile folder=c:\profiles name="WiFi Profile name".
4. Copy the content of the exported profile, as encoded text, into WlanXml in the customizations.xml.

Set the system time server

Here's an e
...and lowercase letters, numbers and punctuation) required for a strong password.

Policy name: MaxInactivityTimeDevi​ceLock
Supported values: An integer X where 0 <= X <= 999. 0 (default): No timeout is defined. The default of 0 is Mango parity and is interpreted as "No timeout is defined".
Value evaluation rule: Min policy value (except 0) is the most restricted value.
Supported via: MDM, EAS

Policy name: MinDevicePasswordComplexCharacters
Supported values: An integer X where 1 <= X <= 4. Default: 1.
Value evaluation rule: Max policy value is the most restricted value.
Supported via: MDM, EAS

Area: WiFi
Policy name: AllowWiFi
Description: Allow or disallow Wi-Fi connection. Configurable by Exchange as well; the definition will be consistent with the EAS definition.
Supported values: 0: use of Wi-Fi connection is disallowed. 1 (default): use of Wi-Fi connection is allowed.
Value evaluation rule: Most restricted value is 0.
Supported via: MDM, EAS
EAS policy name: AllowWiFi

Area: WiFi
Policy name: AllowInternetSharing
Description: Allow or disallow internet sharing. Configurable by Exchange as well; the definition will be consistent with the EAS definition.
Supported values: 0: Do not allow the use of Internet Sharing. 1 (default): Allow the use of Internet Sharing.
Value evaluation rule: Most restricted value is 0.
Supported via: MDM, EAS
EAS policy name: AllowInternetSharing

Area: WiFi
Policy name: AllowAutoConnectToWiFiSenseHotspots
Description: Allow or disallow the device to automatically connect to Wi-Fi hotspots and friend social network(s).
Supported values: 0: not allowed. 1 (default): allowed.
Value evaluation rule: Most restricted value is 0.
Supported via: MDM

Area: WiFi
Policy name: AllowWiFiHotSpo
Description: Allow or disallow Wi-Fi HotSpot reporting.
Supported values: 0: HotSpot reporting is r
...and the total number of bytes (1 through 131072). The following example shows the format:

Vers 1.0 Len <nnnn>

The target device caches the header information and then waits for the specified amount of data to arrive from the transmitter. The largest block of data that can be transmitted by NFC is 10 KB, so for large files the data must be transferred in separate chunks that are up to 10 KB in size. The receiver tallies the chunks, and the content is reassembled. When all data has been received, the Handheld 8.1 powered device processes the provisioning data.

Although this method of transmitting and receiving protects against loss of data transmission, communication can be lost if the transmitting and receiving devices are out of range during the transmission or if the transmitter stops sending data. Communication between the two devices resynchronizes when a new header is transferred or when proximity is re-established.

The following example shows how to transmit a provisioning XML file to a target device. This example assumes that the devices are already in contact.

private void TransmitProvXMLFile(String provXMLFile)
{
    proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault();
    if (proximityDevice != null)
    {
        // Publish the header
        var dataWriter = new Windows.Storage.Streams.DataWriter();
        dataWriter.UnicodeEncoding = Windows.Storage.Streams.UnicodeEncoding.Utf8;
        dataWriter.WriteString("Vers 1.0 Len " + pro
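The transfer protocol described above (a header announcing the total length, then chunks of at most 10 KB, with a new header resynchronizing the receiver) is the interesting part from a robustness standpoint: the receiver must bound what it accepts by the announced length and must discard a partial transfer when a fresh header arrives. The following Python models both sides of that exchange as an added example; it is not code from the Microsoft document. The exact header spelling "Vers 1.0 Len <nnnn>" with single spaces, the class and function names, and the handling of over-length or header-less data are assumptions; the 10 KB chunk size and the 1 to 131072 byte total are the figures the document gives.

```python
"""Model of the NFC provisioning transfer: header, chunked payload, reassembly.
Added example, not from the Microsoft document.  Header delimiters and all
names are assumed; the 10 KB chunk and 131072-byte limits come from the text."""
import re

MAX_CHUNK = 10 * 1024          # largest block the document says NFC can carry
MAX_TOTAL = 131072             # upper bound on Len stated by the document
HEADER_RE = re.compile(r"^Vers (\d+\.\d+) Len (\d+)$")


def build_header(total_len):
    """Header string announcing the payload length (assumed exact spelling)."""
    if not 1 <= total_len <= MAX_TOTAL:
        raise ValueError("Len must be between 1 and 131072")
    return f"Vers 1.0 Len {total_len}"


def chunk_payload(data):
    """Split the provisioning XML (bytes) into NFC-sized chunks."""
    return [data[i:i + MAX_CHUNK] for i in range(0, len(data), MAX_CHUNK)]


def transmit(data):
    """Messages the transmitter publishes, in order: header, then byte chunks."""
    return [build_header(len(data))] + chunk_payload(data)


class Receiver:
    """Target-device side: caches the header, tallies chunks, reassembles."""

    def __init__(self):
        self.expected = None          # Len from the current header, or None
        self.buffer = bytearray()

    def _reset(self):
        self.expected = None
        self.buffer = bytearray()

    def receive(self, msg):
        """Feed one NFC message.  Returns the complete payload when the last
        chunk arrives, otherwise None.  A header always starts a new transfer,
        which is how the two devices resynchronize after a lost chunk."""
        if isinstance(msg, str):
            m = HEADER_RE.match(msg)
            if not m or m.group(1) != "1.0":
                raise ValueError("malformed or unsupported header")
            length = int(m.group(2))
            if not 1 <= length <= MAX_TOTAL:
                raise ValueError("header Len out of range")
            self.expected = length
            self.buffer = bytearray()     # drop any partial transfer
            return None
        if self.expected is None:
            return None                   # data with no header: ignore it
        if len(msg) > MAX_CHUNK:
            raise ValueError("chunk exceeds the NFC block limit")
        self.buffer.extend(msg)
        if len(self.buffer) > self.expected:
            self._reset()                 # more than announced: treat as corrupt
            raise ValueError("received more bytes than the header announced")
        if len(self.buffer) == self.expected:
            done = bytes(self.buffer)
            self._reset()
            return done
        return None


if __name__ == "__main__":
    # Constructed sample payload (not a real provisioning document).
    payload = b"<wap-provisioningdoc/>" * 1200
    rx = Receiver()
    for message in transmit(payload):
        result = rx.receive(message)
    print(len(payload), "bytes reassembled:", result == payload)
```

Bounding the buffer by the announced Len is what keeps a stalled or malicious transmitter from making the receiver accumulate data without limit; the header-resets-state rule is what the document describes as resynchronization.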
...by disabling policies (PolicyManager). You cannot allow Wi-Fi but prevent the user from changing its state, so you cannot prevent the user from turning off Wi-Fi.
• The Action Center (notification center) is usable; settings and apps may be directly deep-linked from this experience. This can be addressed by blocking access to apps using PolicyManager and Allow/Deny lists.
• Any application that has a web browser control can deep-link into the Microsoft Store and purchase apps against any provisioned Microsoft Account. If a Microsoft Account is not present, one can be added even if the settings page is not visible. This can be addressed by blocking access to the Store and Microsoft Account provisioning using PolicyManager.
• Apps that have web links can launch Internet Explorer, enabling a full browser experience even if Internet Explorer is not visible. This can be addressed by blocking access to Internet Explorer using PolicyManager.
• Any app that is visible in a "user action required" state allows deep-linking into the Store. This can be addressed by blocking access to the Store using PolicyManager.
• Internet Explorer cache and back stack are not cleared when provisioning EnterpriseAssignedAccess.

The following diagram shows the EnterpriseAssignedAccess configuration service provider object in a tree format.

./Vendor/MSFT/EnterpriseAssignedAccess
  AssignedAccess
    AssignedAccessXml

Legend: OMA DM only; OMA DM and OMA Client Provisioning.

AssignedAccess
The
...certificate enrollment web service request. The SOAP request is identical to the Windows Phone 8.1 Enterprise Device Management Protocol v2.0 SOAP request except for the following:
1. ac:AdditionalContext/ac:ContextItem Name="DeviceType": ac:Value is WindowsEmbeddedHandheld.
2. ac:AdditionalContext/ac:ContextItem Name="DeviceId": ac:Value is new and represents a unique Device Identifier that persists across resets.
3. The modified certificate request has a DeviceID value embedded, as described here.

Note: DeviceID is referenced throughout this document. Each device running Handheld 8.1 must have a unique DeviceID that can be used to identify the specific device running Handheld 8.1, and only that device. The DeviceID should remain constant throughout the lifetime of the device running Handheld 8.1 and survive any form of reset.

SOAP Request

The following sample RST message shows a SOAP request.

Header

POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Phone 8 Enrollment Client
Host: enrolltest.contoso.com
Cache-Control: no-cache

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
75. change or delete product IDs after you submit the app for certification.
Product ID | Price tier | Product lifetime | Content type: "Pick a price tier", "Forever", "Inherit from app"; "Add another offer".
This will redirect to the following page:
Push notifications and Live Connect services info: Overview; Identifying your app; Authenticating your service; Representing your app to Live Connect users.
Overview: You can add Microsoft Cloud Services to your app to give it live app tiles and access to the customer's data. Windows Push Notification Service (WNS) provides notifications so your app can display dynamic info on the app tile, and Live Connect provides access to services such as single sign-on (SSO), Outlook.com and Skype. Before you test or upload your app to the Store, review the following sections that apply to the services your app uses. If your app uses WNS for push notifications, review: Identifying your app; Authenticating your service. If your app uses Live Connect services, review: Identifying your app; Authenticating your service; Representing your app to Live Connect users.
Click on "Identifying your application". Record the <Identity> portion. This will be used inside a temporary Windows application. Identifyin
76. describes the entries in Prov.xml.
Important note: The formatting used in the examples in this table cannot be used in your actual provisioning file. The example is provided in this format for readability only. The provisioning file must use escaped characters for EnterpriseAssignedAccess, such as &lt; instead of <, because XML is embedded in XML. Do not replace the escaped characters in the provisioning file. See "The provisioning XML file (Prov.xml)" for the correct formatting.
Entry: ActionCenter. Description: You can enable or disable the Action Center (formerly known as Notification Center) on the device. Set to true to enable the Action Center, or set to false to disable the Action Center. Example: <ActionCenter enabled="true"></ActionCenter>
Entry: StartScreenSize. Description: Specify the size of the Start screen. Large sets the width to be big enough to hold six small tiles or the equivalent. For example, six small tiles are about the same as one large tile and one medium tile. Small sets the width to 4, which is equivalent to the total width of four small tiles. Example: <StartScreenSize>Large</StartScreenSize>
Entry: Application. Description: Provide the product ID for each app that will be available on the device. To obtain the product ID for apps that you install from the Windows Phone Store, open a browser and navigate to the installation page for the app. In the URL you will see the GUID for the app, as shown in the followi
77. device supports the pending function to allow the server side to do additional verification before issuing the cert. In this case a pending status is sent back to the device. The device will periodically contact the SCEP server based on the preconfigured retry count and retry period parameters. Retrying ends when either:
o A certificate is successfully received from the SCEP server
o The SCEP server returns an error
o The number of retries reaches the preconfigured limit
• The cert is installed in the device. Browser, Wi-Fi, VPN, Email and other first-party applications have access to this certificate.
• If MDM requested that the private key be stored in the Trusted Platform Module (TPM), configured during the enrollment request, the private key will be saved in the TPM. Note that a SCEP-enrolled cert protected by the TPM isn't guarded by a PIN.
• If the certificate installed successfully, the device will trigger an OMA DM connection to the server to report the successful installation of the client certificate via a Generic Alert XML tag in the first DM package the device sends to the server. The management server could leverage this information to decide the next step of configuration, such as sending VPN, Wi-Fi or Email configuration to the device. Note that sending the successful SCEP client certificate installation notification to the OMA server is a best-effort action. No additional retry is built in for guaranteed delivery. The server could query the SCEP Status node in the CertificateStore CSP to fi
78. • Management phase: The DM server is in control. It sends management commands to the phone and the phone responds. Phase two ends when the DM server stops sending commands and terminates the session. This phase is represented by steps 3, 4 and 5 in the following table.
The following table shows the sequence of events during a typical DM session.
Note 1: The step numbers in the table do not represent message identification numbers (MsgID). All messages from the server must have a MsgID that is unique within the session, starting at 1 for the first message and increasing by an increment of 1 for each additional message. For more information about MsgID and the OMA SyncML protocol, see OMA Device Management Representation Protocol (OMA-TS-DM_RepPro-V1_2-20070209-A), available from the OMA website.
Note 2: During OMA DM application-level mutual authentication, if the device response code to the Cred element in the server request is 212, no further authentication is needed for the remainder of the DM session. In the case of MD5 authentication, the Chal element can however be returned. Then the next nonce in Chal MUST be used for the MD5 digest when the next DM session is started. If a request includes credentials and the response code to the request is 200, the same credential must be sent within the next request. If the Chal element is included and MD5 authentication is required, a new digest is created by using the next nonce via the Chal ele
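The following Python is an added illustration of Note 2, not code from Microsoft's document: it implements the syncml:auth-md5 credential as the OMA DM 1.2 security specification defines it, B64(MD5(B64(MD5("user:pass")) ":" nonce)), together with the nonce rotation that a Chal/NextNonce forces on the next session. The class and function names are my own, the credentials and initial nonce are constructed sample values, and the 401 result for a failed check is the standard SyncML "invalid credentials" status, which this page does not itself mention.

```python
import base64
import hashlib
import hmac
import os


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def oma_dm_md5_digest(username: str, password: str, nonce: bytes) -> str:
    """syncml:auth-md5 credential as defined in the OMA DM 1.2 security spec:
    B64(MD5(B64(MD5("user:pass")) + ":" + nonce)). The nonce is the raw bytes
    obtained by base64-decoding NextNonce from the peer's Chal element."""
    h1 = hashlib.md5(f"{username}:{password}".encode("utf-8")).digest()
    h2 = hashlib.md5(_b64(h1).encode("ascii") + b":" + nonce).digest()
    return _b64(h2)


class DmAuthVerifier:
    """One peer's view of application-level auth across DM sessions (hypothetical
    helper). It holds the nonce the other side must use next and rotates it
    through Chal."""

    def __init__(self, username: str, password: str, initial_nonce: bytes):
        self._username = username
        self._password = password
        self.current_nonce = initial_nonce

    def verify_cred(self, cred_data: str) -> int:
        """Check a Cred element's Data against the nonce in force. Returns 212
        (authenticated for the rest of the session, as the page describes) on
        success and 401 (SyncML invalid credentials) otherwise; compare_digest
        keeps the comparison constant-time."""
        expected = oma_dm_md5_digest(self._username, self._password, self.current_nonce)
        return 212 if hmac.compare_digest(cred_data, expected) else 401

    def issue_chal(self) -> str:
        """Produce NextNonce for a Chal element: rotate to a fresh random nonce
        and return it base64-encoded, as it appears on the wire."""
        self.current_nonce = os.urandom(16)
        return _b64(self.current_nonce)


def cred_for_next_session(username: str, password: str, next_nonce_b64: str) -> str:
    """Client side of Note 2: decode NextNonce from the last Chal and use it for
    the digest that opens the next DM session."""
    return oma_dm_md5_digest(username, password, base64.b64decode(next_nonce_b64))
```

On the wire the digest string goes into Cred/Data with Meta Type syncml:auth-md5 and Format b64; once the peer has answered 212, the same session needs no further Cred, but any NextNonce it returned must already be in hand for the session after.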
79. enrollment endpoint. This step provides the enrollment endpoint configuration settings.
2. Certificate installation. This step handles user authentication, certificate generation and certificate installation. The installed certificates will be used in the future to manage client/server SSL mutual authentication.
3. Enterprise application token and first app installation (recommended is an app that allows the user to discover more enterprise apps, such as a Company Hub). This step installs the enterprise application token that allows users to download and install enterprise applications. A Company Hub application could be installed at the end of the enrollment process to allow users to easily find out what business applications are available.
4. DM client provisioning. This step configures the DM client to connect to a Mobile Device Management (MDM) server after enrollment via DM SyncML over HTTPS (aka OMA DM XML).
Conceptual flow. The following diagram illustrates the enrollment flow. The following examples refer to the fictional company Contoso, whose website is contoso.com.
[Diagram: User, Windows Phone 8, Discovery service, Management service. 1. Enroll (username@contoso.com, password). 2. Where to enroll a user from contoso.com? 4. Get certificate policy (device details). 5. Certificate policy. 6. Enroll (username, password). 7. Devi]
80. example, the schedule starts on October 27, 2013 (10/27/2013) at 2:00 A.M. and lasts for 4 hours.
<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Add><CmdID>2</CmdID><Item><Target><LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/ScheduleXml</LocURI></Target><Meta><Format xmlns="syncml:metinf">chr</Format></Meta><Data>&lt;MWList&gt;&lt;MW Enabled=&quot;True&quot;&gt;&lt;Schedule StartDate=&quot;2013-10-27T02:00:00&quot; IsUTC=&quot;False&quot;&gt;&lt;Duration Days=&quot;&quot; Hours=&quot;4&quot; Minutes=&quot;0&quot;/&gt;&lt;Recurrence Type=&quot;None&quot; MinuteSpan=&quot;&quot; HourSpan=&quot;&quot; DaySpan=&quot;0&quot;/&gt;&lt;/Schedule&gt;&lt;/MW&gt;&lt;/MWList&gt;</Data></Item></Add></SyncBody></SyncML>
Retrieve the maintenance window schedule:
<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Get><CmdID>3</CmdID><Item><Target><LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/ScheduleXml</LocURI></Target></Item></Get></SyncBody></SyncML>
Retrieve the MaintenanceAllowed value:
<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Get
81. ></HandheldLockdown>
Sample AssignedAccess XML. The following is a sample AssignedAccess XML. Note that this must be escaped prior to being provisioned through SyncML.
NOTE: PolicyManager policy settings should be used together with lockdown XML to block access through deep linking. Lockdown only blocks user-facing pieces of the experience and does not prevent users from deep-linking into applications (both first- and third-party) and settings pages.
NOTE: All top-level fields under <Default> are required to be included, even if no sub-fields are used.
NOTE: Please ensure that the XML is wrapped inside a SyncML body payload when it is provisioned to the device.
NOTE: The XML should be placed in the <Data> field and either fully escaped, or use <Data><![CDATA[<insert_xml_here>]]></Data> for wrapping unescaped data.
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
<Default>
<ActionCenter enabled="true"/>
<Apps>
<!-- Alarms -->
<Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA560A"/>
<!-- Battery Saver -->
<Application productId="C551F76F-3368-42BB-92DF-7BFBB9265636"/>
<!-- Bing Finance -->
<Application productId="1E0440F1-7ABF-4B9A-863D-177970EEFB5E"/>
<!-- Bing Food -->
<Application productId="CC512389-0456-430F-876B-704B17317DE2"/>
<!-- Bing Health -->
<A
82. ></Replace></Atomic><Final/></SyncBody></SyncML>
Allow List: One allowed application and two allowed publishers.
<SyncML xmlns="SYNCML:SYNCML1.2"><SyncBody><Atomic><CmdID>1</CmdID><Replace><CmdID>2</CmdID><Item><Target><LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI></Target><Meta><Format xmlns="syncml:metinf">chr</Format><Type xmlns="syncml:metinf">text/plain</Type></Meta><Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Allow&#x3E;&#x3C;!-- Allow App: Nokia Trailers --&#x3E;&#x3C;App ProductId=&#x22;b0731ce2-cdee-4cad-af01-a74a0433fcea&#x22;/&#x3E;&#x3C;!-- Allow Publisher: Microsoft Corporation --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;/&#x3E;&#x3C;!-- Allow Publisher: Microsoft Studios™ --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Studios™&#x22;/&#x3E;&#x3C;/Allow&#x3E;&#x3C;/AppPolicy&#x3E;</Data></Item></Replace></Atomic><Final/></SyncBody></SyncML>
Allow L
83. ></Target><Data>Exchange</Data></Item></Add>
<Add><CmdID>7</CmdID><Item><Target><LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/Password</LocURI></Target><Data>Password1</Data></Item></Add>
<Add><CmdID>6</CmdID><Item><Target><LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/AccountName</LocURI></Target><Data>TestAccount</Data></Item></Add>
<Add><CmdID>9</CmdID><Item><Target><LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/UserName</LocURI></Target><Data>user</Data></Item></Add>
<Add><CmdID>8</CmdID><Item><Target><LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/ServerName</LocURI></Target><Data>contoso.com</Data></Item></Add>
<Add><CmdID>3</CmdID><Item><Target><LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/EmailAddress</LocURI></Target><Data>user@contoso.com</Data></Item></Ad
84. ></a:ReplyTo><a:To s:mustUnderstand="1">https://enrolltest.contoso.com:443/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</a:To><wsse:Security s:mustUnderstand="1"><wsse:BinarySecurityToken wsse:ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentUserToken" wsse:EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">B64EncodedSampleBinarySecurityToken</wsse:BinarySecurityToken></wsse:Security></s:Header><s:Body><wst:RequestSecurityToken><wst:TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</wst:TokenType><wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:RequestType><wsse:BinarySecurityToken ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">DER format PKCS#10 certificate request in Base64 encoding inserted here</wsse:BinarySecurityToken><ac:AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization"><ac:ContextItem Name="DeviceType"><ac:Value>WindowsPhone</ac:Value>l
85. ><Item><Target><LocURI>./Vendor/MSFT/PolicyManager/My/Connectivity/AllowNFC</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>1</Data></Item></Add>
The following example shows how to disallow an NFC tag:
<Add><CmdID>3</CmdID><Item><Target><LocURI>./Vendor/MSFT/PolicyManager/My/Connectivity/AllowNFC</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Add>
The following example shows how to query the current policy value:
<Get><CmdID>3</CmdID><Item><Target><LocURI>./Vendor/MSFT/PolicyManager/Device/Connectivity/AllowNFC</LocURI></Target></Item></Get>
EnableDeviceEnrollment Request and Response (Handheld 8.1). The differences from Windows Phone when bulk enrollment is enabled by setting EnableDeviceEnrollment to true are as follows:
• The discovery service is skipped.
• The get certificate policy step is skipped.
• There is a modified certificate enrollment web service request for a specific Server URI.
For more information about EnableDeviceEnrollment, see the "The provisioning XML file (Prov.xml)" and "EnterpriseExt configuration service provider" topics for Handheld 8.1. Modified
86. information, see later in this document. Note that in Windows Phone 8 the Storage configuration service provider is used to configure storage card policy. While this is still supported in Windows Phone 8.1, it will be deprecated post Windows Phone 8.1. It is recommended that the MDM server use the PolicyManager CSP to configure company policies, including storage card policy, starting in Windows Phone 8.1. In addition to noting the DM command response from the phone, the server can query the PolicyManager CSP to confirm that the policy has been applied. The following SyncML sample shows how to disable the storage card:
<Replace><CmdID>3</CmdID><Item><Target><LocURI>./Vendor/MSFT/PolicyManager/My/System/AllowStorageCard</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>0</Data></Item></Replace>
Cellular app download limit configuration (new for GDR2). In Windows Phone 8.1 GDR2, the Connectivity/CellularAppDownloadMBLimit policy is added, which blocks cellular application download if the application file size exceeds the specified limit. It prevents excessive cellular data cost for large application downloads when a Wi-Fi connection is not available. The following SyncML sample shows how to set the default cellular download limit to 20 MB for app download:
<Replace><CmdID>3</CmdID><
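The Prov.xml and AssignedAccess notes earlier on this page insist that lockdown XML be escaped because it is XML embedded in XML, and the PolicyManager samples here and in the AllowNFC section show integer policies travelling in the same SyncML envelope. The following Python is an added example, not code from Microsoft's document, that builds such a package with the standard library's escaping, then parses it back the way a DM client would to prove the payload survives the round trip; it does the same for the Prov.xml attribute form. The function names and the lockdown XML are my own constructions, the productId is a placeholder GUID, and the CellularAppDownloadMBLimit path under ./Vendor/MSFT/PolicyManager/My is assumed by analogy with the other policy URIs on the page.

```python
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape, quoteattr

SYNCML_NS = "SYNCML:SYNCML1.2"
METINF_NS = "syncml:metinf"

# CSP node URIs from the samples on this page; the CellularAppDownloadMBLimit
# path is assumed by analogy with the other PolicyManager/My URIs.
LOCKDOWN_URI = "./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml"
STORAGE_CARD_URI = "./Vendor/MSFT/PolicyManager/My/System/AllowStorageCard"
CELLULAR_LIMIT_URI = "./Vendor/MSFT/PolicyManager/My/Connectivity/CellularAppDownloadMBLimit"

# Constructed lockdown XML for this example; the productId is a placeholder,
# not a real application ID.
LOCKDOWN_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<HandheldLockdown version="1.0"><Default>'
    '<ActionCenter enabled="true"/>'
    '<Apps><Application productId="00000000-0000-0000-0000-000000000000" pinToStart="1"/></Apps>'
    "</Default></HandheldLockdown>"
)


def syncml_command(op, cmd_id, loc_uri, fmt=None, data=None):
    """Render one Add/Replace/Get command. The Data text is escaped, so an XML
    payload (lockdown XML, AppPolicy) travels as character data inside SyncML."""
    meta = f'<Meta><Format xmlns="{METINF_NS}">{fmt}</Format></Meta>' if fmt else ""
    body = f"<Data>{escape(data)}</Data>" if data is not None else ""
    return (
        f"<{op}><CmdID>{cmd_id}</CmdID><Item><Target><LocURI>{loc_uri}</LocURI>"
        f"</Target>{meta}{body}</Item></{op}>"
    )


def build_syncml(commands):
    """Wrap the commands in an Atomic block: either every setting applies or none."""
    inner = "".join(syncml_command(*c) for c in commands)
    return (
        f'<SyncML xmlns="{SYNCML_NS}"><SyncBody><Atomic><CmdID>1</CmdID>'
        f"{inner}</Atomic><Final/></SyncBody></SyncML>"
    )


def lockdown_and_policy_package():
    """Lockdown XML plus two PolicyManager integer policies in one package."""
    return build_syncml([
        ("Replace", 2, LOCKDOWN_URI, "chr", LOCKDOWN_XML),
        ("Replace", 3, STORAGE_CARD_URI, "int", "0"),     # disable the storage card
        ("Replace", 4, CELLULAR_LIMIT_URI, "int", "20"),  # 20 MB cellular download cap
    ])


def find_data(syncml_text, loc_uri):
    """Parse the package as the phone's DM client would and return the (already
    unescaped) Data text of the Item targeting loc_uri, or None if absent."""
    root = ET.fromstring(syncml_text)
    ns = {"s": SYNCML_NS}
    for item in root.iter(f"{{{SYNCML_NS}}}Item"):
        if item.findtext("s:Target/s:LocURI", namespaces=ns) == loc_uri:
            return item.findtext("s:Data", namespaces=ns)
    return None


def embedded_lockdown_root(syncml_text):
    """Round trip: the escaped payload parses back into a HandheldLockdown tree."""
    return ET.fromstring(find_data(syncml_text, LOCKDOWN_URI))


def provxml_parm(lockdown_xml):
    """Prov.xml carries the same XML inside a parm value attribute, so it needs
    attribute escaping; quoteattr escapes &, <, > and picks a safe quote char."""
    return (
        '<wap-provisioningdoc><characteristic type="EnterpriseAssignedAccess">'
        '<characteristic type="AssignedAccess">'
        f'<parm name="AssignedAccessXml" datatype="string" value={quoteattr(lockdown_xml)}/>'
        "</characteristic></characteristic></wap-provisioningdoc>"
    )


def provxml_value(provxml_text):
    """Read the attribute back; the XML parser hands over the original string."""
    return ET.fromstring(provxml_text).find(".//parm").get("value")
```

Hand-editing an escaped payload is where these packages usually go wrong; generating the envelope from the unescaped XML and parsing it back before sending catches a stray `<` or `&` on the server rather than as a failed Replace on the phone.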
87. logs for MDM enrollment and the MDM client cert renewal process:
• Microsoft-WindowsPhone-Enrollment-API-Provider
SCEP certificate enrollment:
• Microsoft-WindowsPhone-SCEP-Provider
VPN configuration:
• Microsoft-WindowsPhone-CmCspVpnPlus
Configuration service provider reference. The following terms are used to describe the configuration service provider functionalities.
Required: If a parameter is marked Required, it means the node must exist to ensure that configuration succeeds.
Optional: If a parameter is marked Optional, it means the configuration will succeed with or without that value. In other words, the value may be required to be set at some point for proper operation, but the phone won't throw an error if the value isn't included in the provisioning request payload. Be sure to check the description of each node to understand whether an optional node is required in certain scenarios.
Get: A device management command to query the phone settings.
Add: A device management command to add a new setting to the phone.
Replace: A device management command to update the phone value to a new value.
Delete: A device management command to delete a phone setting.
ActiveSync configuration service provider. The following image shows the ActiveSync configuration service provider management object: ./Vendor/MSFT/ActiveSync, Accounts, GUID, EmailAddress, Domain, AccountIcon, AccountType, AccountN
88. </s:Envelope>
Enrollment response. The enrollment response is base64 encoded in the SOAP message. The following listing shows the decoded enrollment response:
<wap-provisioningdoc version="1.1"><characteristic type="CertificateStore"><characteristic type="Root"><characteristic type="System"><characteristic type="E22790C0148DDF3B699C5706B7881FDED60B51EB"><parm name="EncodedCertificate" value="CERTIFICATE GOES HERE"/></characteristic></characteristic></characteristic><characteristic type="My"><characteristic type="User"><characteristic type="A9D27BAA6DB9EBE54F0750494A1ABD323281A0F6"><parm name="EncodedCertificate" value="CERTIFICATE GOES HERE"/><characteristic type="PrivateKeyContainer"><parm name="KeySpec" value="2"/><parm name="ContainerName" value="ConfigMgrEnrollment"/><parm name="ProviderType" value="1"/></characteristic></characteristic></characteristic></characteristic></characteristic><characteristic type="APPLICATION"><parm name="APPID" value="w7"/><parm name="PROVIDER-ID" value="SCConfigMgr"/><parm name="NAME" value="Microsoft"/><parm name="ADDR" value="https://enrolltest.contoso.com:443/omadm/WindowsPhoneEmbedded.ashx"/><parm name="CRLCheck" value="0"/><parm name="CONNRETRYFREQ" value="6"/><parm
89. multiple devices (bulk enroll), enter the same user credentials for all devices.
MDM/Password: A string that specifies the password for the person to enroll.
MDM/EnableDeviceEnrollment: Set to true to skip the discovery service; otherwise set to false. The default value is true. This value is saved in the HKLM\Software\Microsoft\Enrollment\EnableDeviceEnrollment registry key and is set to a pre-defined value of 0 (zero).
Pfx: The parent node for enterprise certificate validation.
DisableEnterpriseValidation: Set to true to disable validation of certificates installed on the device. If set to false, or if the value is not set, then the validation of certificates is performed by contacting the Microsoft server over the Internet. If the device does not have an Internet connection and the value is set to false, then apps may be disabled or deployments may be blocked. Value type is Boolean. This value is saved in the registry in the HKLM\software\microsoft\enterpriseappmanagement\appmanagementvalidation\config\DisabledByEnterprise key.
The restart process: 1. The restart command is sent as an XML provisioning file to the device. 2. The user is alerted that the company IT requires that the device be restarted, and the device will be restarted after waiting for the number of seconds specified in DeviceReboot/WaitTime.
The enrollment process: 1. When you load the provisioning file to a device during the OOBE by using a Secure Digital
90. name="INITIALBACKOFFTIME" value="30000"/><parm name="MAXBACKOFFTIME" value="120000"/><parm name="BACKCOMPATRETRYDISABLED"/><parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/><parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=DC%3dCOM%2cDC%3dCONTOSO%2cDC%3dENROLLTEST%2cCN%3dUsers%2cCN%3duser%40contoso.com&amp;Stores=MY%5CUser"/><characteristic type="APPAUTH"><parm name="AAUTHLEVEL" value="CLIENT"/><parm name="AAUTHTYPE" value="DIGEST"/><parm name="AAUTHSECRET" value="dummy"/><parm name="AAUTHDATA" value="nonce"/></characteristic><characteristic type="APPAUTH"><parm name="AAUTHLEVEL" value="APPSRV"/><parm name="AAUTHTYPE" value="DIGEST"/><parm name="AAUTHNAME" value="dummy"/><parm name="AAUTHSECRET" value="dummy"/><parm name="AAUTHDATA" value="nonce"/></characteristic></characteristic><characteristic type="Registry"><characteristic type="HKLM\Software\Microsoft\Enrollment"><parm name="RenewalPeriod" value="42" datatype="integer"/></characteristic><characteristic type="HKLM\Software\Microsoft\Enrollment\OmaDmRetry"><parm name="NumRetries" value="8" datatype="integer"/><parm name="RetryInterval" value="15" datatype="integer"/><parm name="AuxNumRetries" value="5" datatype="integer"/><parm name="AuxRetryInterval" value=
91. new policy.
<wap-provisioningdoc><characteristic type="EnterpriseAssignedAccess"><characteristic type="AssignedAccess"><parm name="AssignedAccessXml" datatype="string" value="&lt;?xml version=&quot;1.0&quot; encoding=&quot;utf-8&quot;?&gt;&lt;HandheldLockdown version=&quot;1.0&quot;&gt;&lt;Default&gt;&lt;Apps&gt;&lt;Application productId=&quot;5B04B775-356B-4AA0-AAF8-6491FFEA5615&quot; pinToStart=&quot;1&quot;/&gt;&lt;Application productId=&quot;5B04B775-356B-4AA0-AAF8-6491FFEA5612&quot; pinToStart=&quot;0&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot;/&gt;&lt;System name=&quot;Microsoft.About&quot;/&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot;/&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot;/&gt;&lt;/Button&gt;&lt;Button name=&quot;Search&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&
92. parent node for the AssignedAccess XML.
AssignedAccessXml: The XML code that controls the assigned access settings applied to the device. Supported operations are Add, Get and Replace.
First-party application Product IDs. In order to pin or allow certain first-party applications, application Product IDs are required to configure their placement. Third-party Store application Product IDs can be found on windowsphone.com. The list of <Apps> in the AssignedAccess XML is an allow list of applications. As a result, if no apps are included in the list, no apps will be visible on Start. The following table shows the applications and their product IDs.
Application: productId
Alarms: 5B04B775-356B-4AA0-AAF8-6491FFEA560A
Battery Saver: C551F76F-3368-42BB-92DF-7BFBB9265636
Bing Finance: 1E0440F1-7ABF-4B9A-863D-177970EEFB5E
Bing Food: CC512389-0456-430F-876B-704B17317DE2
Bing Health: CBB8C3BD-99E8-4176-AD8C-95EC6A3641C2
Bing News: 9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1
Bing Sports: 0F4C8C7E-7114-4E1E-A84C-50664DB13B17
Bing Travel: 19CD0687-980B-4838-8880-5F68ABA1671E
Bing Weather: 63C2A117-8604-44E7-8CEF-DF10BE3A57C8
Calculator: 5B04B775-356B-4AA0-AAF8-6491FFEA5603
Calendar: 36F9FA1C-FDAD-4CF0-99EC
Further applications listed in the table: Camera (built-in), Cortana, Data Sense, Email, Facebook, Games, Internet Explorer, Maps, Messaging, Music, Office Hub, OneDrive, OneNote, People, Phone, Photos, Podcasts, Settings, Storage Sense, Store, Video, Wallet.
93. policies, certificates and apps that help you connect to your business. What's a workplace account? Once you add a workplace account, your company will be able to collect personal information, disable apps or features, prevent you from resetting your phone or removing your workplace account, and remotely modify or delete all your content and settings. You can talk with your company's support person to find out what your company's policy allows. [Contoso] Sign in / Cancel
enrolled. If auto-discovery fails, the user is given the option to manually enter the discovery server address:
workplace: We weren't able to find the server with the provided email address. Make sure the email address is correct, or manually enter the server address, then try again. Email address: pguin@contoso.com. Server address: [blank]
Launch workplace control panel from hyperlink. Windows Phone 8.1 supports launching the workplace control panel using a hyperlink, ms-settings-workplace:, formatted as <a href="ms-settings-workplace:">Settings Workplace</a>. The enterprise can leverage this functionality to build a better user experience, for example by instructing the user to create a workplace account using a workplace setup email. The email can include the above hyperlink for the user to click directly to launch the workplace control panel and start enrolling.
Supported protocols summary. The following subsections describe the protoc
94. process via the Registry CSP during the enrollment process. These registry keys are only set and used during the enrollment process. The usage of those registry keys is deprecated post Windows Phone 8; instead, starting with Windows Phone 8.1, the DMClient CSP is used to configure scheduled DM polling events during enrollment. Those DM polling schedules should be updated later by the MDM server via the DMClient CSP. The behavior of those polling parameters is also updated. Please refer to the DMClient configuration service provider section for a detailed description.
• The following example shows how to configure a DM client by using w7 APPLICATION provisioning XML sent during enrollment:
<wap-provisioningdoc version="1.1"><characteristic type="APPLICATION"><parm name="APPID" value="w7"/><parm name="PROVIDER-ID" value="TestMDMServer"/><parm name="NAME" value="Microsoft"/><parm name="ADDR" value="https://DM.contoso.com:443/omadm/WindowsPhone.ashx"/><parm name="CONNRETRYFREQ" value="6"/><parm name="INITIALBACKOFFTIME" value="30000"/><parm name="MAXBACKOFFTIME" value="120000"/><parm name="BACKCOMPATRETRYDISABLED"/><parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/><parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;Stores=My%5CUser"/><characteri
95. &quot;&gt;13&lt;/Type&gt;&lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt;&lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt;&lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt;&lt;/EapMethod&gt;&lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;&lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;13&lt;/Type&gt;&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV1&quot;&gt;&lt;CredentialsSource&gt;&lt;CertificateStore&gt;&lt;SimpleCertSelection&gt;true&lt;/SimpleCertSelection&gt;&lt;/CertificateStore&gt;&lt;/CredentialsSource&gt;&lt;ServerValidation&gt;&lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt;&lt;ServerNames&gt;&lt;/ServerNames&gt;&lt;TrustedRootCA&gt;50 d4 d5 e 9c f5 Oe Ye 17 34 2c 83 79 11 ed 21 39 52 bf f3&lt;/TrustedRootCA&gt;&lt;/ServerValidation&gt;&lt;DifferentUsername&gt;false&lt;/Diff
96. &quot;76C01983-A872-4C4E-B4C6-321EAC709CEA&quot; name=&quot;Associate&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;5B04B775-356B-4AA0-AAF8-6491FFEA5615&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot;/&gt;&lt;System name=&quot;Microsoft.About&quot;/&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot;/&gt;&lt;Button name=&quot;Camera&quot; disableEvents=&quot;All&quot;/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;Role guid=&quot;8ABB8A10-4418-4467-9E18-99D11FA54E30&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;5B04B775-356B-4AA0-AAF8-6491FFEA5612&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot;/&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;Button name=&quot;Start&quot; disableEvents=&quot;PressAndHold&quot;/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;R
97. recommended to use the PolicyManager CSP to configure device-lock-related policies starting from Windows Phone 8.1. The following image shows the DeviceLock configuration service provider in tree format:
./Vendor/MSFT/DeviceLock
Provider/<ProviderID>: DevicePasswordEnabled, AllowSimpleDevicePassword, MinDevicePasswordLength, AlphanumericDevicePasswordRequired, DevicePasswordExpiration, DevicePasswordHistory, MaxDevicePasswordFailedAttempts, MaxInactivityTimeDeviceLock, MinDevicePasswordComplexCharacters
DeviceValue: DevicePasswordEnabled, AllowSimpleDevicePassword, MinDevicePasswordLength, AlphanumericDevicePasswordRequired, DevicePasswordExpiration, DevicePasswordHistory, MaxDevicePasswordFailedAttempts, MaxInactivityTimeDeviceLock, MinDevicePasswordComplexCharacters
Provider: Required. An interior node to group all policy providers. Scope is permanent. Supported operation is Get.
Provider/<ProviderID>: Optional. The node that contains the configured management server's ProviderID. In Windows Phone 8, only one enterprise management server is supported; that is, there should be only one ProviderID node. Exchange ActiveSync policies set by Exchange are saved by the Sync client separately. Scope is dynamic. The following operations are supported: Add: Add the management account to the configuration service provider tree. Delete: Delete all policies set by this account. This command could be
98. request. It is the server's decision how to use this validity period to create the certificate.
My/SCEP/<UniqueID>/Install/EKUMapping: Required. Specify extended key usages. Subject to SCEP server configuration. The list of OIDs is separated by plus (+). Sample format: OID1+OID2+OID3. Format is chr. Supported operations are Get, Add, Delete, Replace.
My/SCEP/<UniqueID>/Install/KeyProtection: Optional. Specify where to keep the private key. Note that even if it is protected by the TPM, it is not guarded with a TPM PIN; a SCEP-enrolled cert doesn't support TPM PIN protection. Supported values: 1: private key protected by phone TPM. 3 (default): private key saved in OS, not protected by TPM. 2: private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and will treat value 2 as 1. Format is int. Supported operations are Get, Add, Delete, Replace.
My/SCEP/<UniqueID>/Install/Enroll: Required. Trigger the device to start the cert enrollment. The MDM server could later query the device to find out whether the new cert is added. Format is null, i.e. this node doesn't contain a value. Supported operation is Exec.
My/SCEP/<UniqueID>/Status: Required. Specify the latest status for the certificate due to the enroll request. Format is chr. Supported operation is Get. Valid values: 1: finished successfully. 2: pending, the device hasn't finished the action but receives the SCEP server pend
steps show how TLS can be enabled:
1. The phone attempts to connect to the mail server using SSL.
2. If the SSL connection fails, the phone attempts to connect using deferred SSL.
3. If the connection fails over both SSL and deferred SSL, and the user selected "Server requires encrypted SSL connection", the phone does not attempt another connection.
4. If the user did not select "Server requires encrypted SSL connection", the phone attempts to establish a non-SSL connection.
5. If the connection succeeds using any of the encryption protocols, the phone requests the server capabilities.
6. If one of the capabilities sent by the mail server is STARTTLS and the connection is deferred SSL, the phone enables TLS. TLS is not enabled on connections using SSL or non-SSL.

When managing over OMA DM, make sure to always use a unique GUID. Provisioning with an account that has the same GUID as an existing one deletes the existing account and does not create the new account.

Examples
IMAP account configuration
The following sample shows how to use SyncML commands to configure an IMAP email account. It must be wrapped in a SyncML package sent from the server. The GUID must be replaced with the appropriate unique GUID.

<Atomic>
  <CmdID>1</CmdID>
  <Add>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D</LocURI>
      </Targe
that the PrivateKeyContainer characteristic is required and must be present in the Enrollment provisioning XML by the enrollment. Other important settings are the PROVIDER-ID, NAME, and ADDR parameter elements, which need to contain the unique ID and NAME of your DM provider and the address where the phone can connect for configuration provisioning. The ID and NAME can be arbitrary values, but they must be unique. Also important is the SSLCLIENTCERTSEARCHCRITERIA, which is used for selecting the certificate to be used for client authentication. The search is based on the subject attribute of the signed user certificate.

Request for certificate renewal
The enrolled client certificate expires after a period of use. The expiration date is specified by the server. To ensure continuous access to enterprise applications, the phone supports a user-triggered certificate renewal process. The user is prompted to provide the current password for the corporate account, and the enrollment client gets a new client certificate from the enrollment server and deletes the old certificate. The client generates a new private/public key pair, generates a PKCS#7 request, and signs the PKCS#7 request with the existing certificate. In Windows Phone 8.1, automatic MDM client certificate renewal is also supported; refer to the following section for more details.

Note: Make sure that the EntDMID in the DMClient configuration service provider is set before the certificate renewal reque
used in enterprise unenrollment for removing policy values set by the enterprise management server.
Get: Return all policies set by the management server.
Note: The value cannot be changed after it is added. The Replace command isn't supported.

<ProviderID>/DevicePasswordEnabled
Optional. An integer value that specifies whether device lock is enabled. Values are 1 (device lock not enabled) and 0 (device lock is enabled). An invalid value is treated as a configuration failure. The default value is 1. The scope is dynamic. Supported operations are Get, Add, and Replace.

<ProviderID>/AllowSimpleDevicePassword
Optional. An integer value that specifies whether simple passwords such as 1111 or 1234 are allowed. Possible values for this node are 0 (not allowed) and 1 (allowed). Invalid values are treated as a configuration failure. The default value is 1. Scope is dynamic. Supported operations are Get, Add, and Replace.

<ProviderID>/MinDevicePasswordLength
Optional. An integer value that specifies the minimum number of characters required in the PIN. Valid values are 4 to 18, inclusive. The default value is 4. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace.

<ProviderID>/AlphanumericDevicePasswordRequired
Optional. An integer value that specifies the complexity of the password or PIN allowed. Valid values are 0 (alphanumeric password required), 1 (n
        <xs:enumeration value="Search"/>
        <xs:enumeration value="Camera"/>
        <xs:enumeration value="Custom1"/>
        <xs:enumeration value="Custom2"/>
        <xs:enumeration value="Custom3"/>
      </xs:restriction>
    </xs:simpleType>

    <!-- SIMPLE TYPE: SUPPORTED BUTTON EVENT TYPE -->
    <xs:simpleType name="supported_button_event_t">
      <xs:restriction base="xs:string">
        <xs:enumeration value="All"/>
        <xs:enumeration value="Press"/>
        <xs:enumeration value="PressAndHold"/>
      </xs:restriction>
    </xs:simpleType>

    <!-- SIMPLE TYPE: GUID -->
    <xs:simpleType name="guid_t">
      <xs:restriction base="xs:string">
        <xs:pattern value="[0-9a-fA-F]{8}-([0-9a-fA-F]{4}-){3}[0-9a-fA-F]{12}"/>
      </xs:restriction>
    </xs:simpleType>

    <!-- SIMPLE TYPE: TILE SIZE -->
    <xs:simpleType name="tile_size_t">
      <xs:restriction base="xs:string">
        <xs:enumeration value="Small"/>
        <xs:enumeration value="Medium"/>
        <xs:enumeration value="Large"/>
      </xs:restriction>
    </xs:simpleType>

    <!-- SCHEMA -->
    <xs:element name="HandheldLockdown">
      <xs:complexType>
        <xs:all minOccurs="1">
          <xs:element name="Default" type="default_role_t"/>
          <xs:element name="RoleList" type="role_list_t" minOccurs="0">
            <xs:unique name="duplicateRolesForbidden">
              <xs:selector xpath="Role"/>
              <xs:field xpath="@guid"/>
            </xs:unique>
          </xs:elemen
will also be deleted. However, if you still have an Exchange email account on your phone, the policies for that account will continue to apply until you delete it.

[Screenshot residue, Settings > workplace: "Some companies offer policies, certificates, and apps that help you connect to your business. What's a workplace account? Once you add a workplace account, your company will be able to collect personal information, disable apps or features, prevent you from resetting your phone or removing your workplace account, and remotely modify or delete all your content and settings. You can talk with your company's support person to find out what your company's policy allows." Steps shown: Contoso enrolled; tap the company name (Contoso); tap the Trash icon; tap the delete button to confirm. Workplace settings screen: Contoso removed. System settings screen (system, applications, airplane mode, Bluetooth, cellular+SIM, NFC, VPN): Contoso removed.]

User unenrollment notification to the MDM server
In Windows
&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;
&#x3C;Deny&#x3E;
  &#x3C;!-- Deny App: Nokia Trailers --&#x3E;
  &#x3C;App ProductId=&#x22;b0731ce2-cdee-4cad-af01-a74a0433fcea&#x22;/&#x3E;
  &#x3C;!-- Deny Publisher: Microsoft Corporation --&#x3E;
  &#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;&#x3E;
    &#x3C;!-- Allow app published by denied publisher Microsoft Corporation: Facebook --&#x3E;
    &#x3C;AllowApp ProductId=&#x22;82a23635-5bd9-df11-a844-00237de2db9e&#x22;/&#x3E;
    &#x3C;!-- Allow app published by denied publisher Microsoft Corporation: YouTube --&#x3E;
    &#x3C;AllowApp ProductId=&#x22;dcbb1ac6-a89a-df11-a490-00237de2db9e&#x22;/&#x3E;
  &#x3C;/Publisher&#x3E;
&#x3C;/Deny&#x3E;
&#x3C;/AppPolicy&#x3E;
          </Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

Deny List: One denied application, one denied publisher with one allowed application exception, and one denied publisher with two allowed application exceptions.

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </
    xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
    xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
    xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
    <a:MessageID>urn:uuid:d7cfb6f6-9bf4-4771-bdc2-d4bf66f8b4f5</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://enrolltest.contoso.com/ENROLLMENTSERVICE/DeviceEnrollmentService.svc</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <o:UsernameToken u:Id="uuid-9c2e505d-1795-46db-a520-7f69fec0aaa3-3">
        <o:Username>user@contoso.com</o:Username>
        <o:Password Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">mypassword</o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <wst:RequestSecurityToken>
      <wst:TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</wst:TokenType>
      <wst:RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Issue</wst:Req
00000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D</LocURI>
    </Source>
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
      <Type xmlns="syncml:metinf"></Type>
    </Meta>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version</LocURI>
    </Source>
    <Data>1.0.0.0</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title</LocURI>
    </Source>
    <Data>Sample1</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher</LocURI>
    </Source>
    <Data>ExamplePublisher</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate</LocURI>
    </Source>
    <Data>2012-10-30T21:09:52Z</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Version</Loc
1/Roaming is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/Roaming.
• Format: bool
• Supported operations: Get
• Occurrence: One
• Supported values:
  o False: device cellular is not in roaming
  o True: device cellular is in roaming

./Vendor/MSFT/DeviceInstanceService/PhoneNumber
• Description: Present device phone number. In case of dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/PhoneNumber is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/PhoneNumber.
• Format: chr
• Supported operations: Get
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/IMSI
• Description: Present the first 6 digits of the device IMSI number (Mobile Country Code + Mobile Network Code). In case of dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMSI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMSI.
• Format: chr
• Supported operations: Get
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/IMEI
• Description: Present device IMEI number. In case of dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identify1/IMEI is functionally equivalent to using ./Vendor/MSFT/DeviceInstanceService/IMEI.
• Forma
policy.

Application Restrictions: Deny List
A deny list contains a set of applications, defined by a set of application GUIDs and application publisher names, that cannot be installed or run on the device (if the application already exists on the device). Here is a sample:

<Data>
&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;
&#x3C;Deny&#x3E;
  &#x3C;!-- Deny App01 with a WindowsPhone.com GUID of f5f53dbf-c7bd-4b26-a1bf-e1cf8d69b9d5 --&#x3E;
  &#x3C;App ProductId=&#x22;f5f53dbf-c7bd-4b26-a1bf-e1cf8d69b9d5&#x22;/&#x3E;
  &#x3C;!-- Deny Publisher: Contoso --&#x3E;
  &#x3C;Publisher PublisherName=&#x22;Contoso&#x22;/&#x3E;
  &#x3C;!-- Deny Publisher: Fabrikam --&#x3E;
  &#x3C;Publisher PublisherName=&#x22;Fabrikam&#x22;&#x3E;
    &#x3C;!-- Allow FabrikamApp01 with a WindowsPhone.com GUID of b79fb25e-ea4a-4dda-bbba-66c282377105 --&#x3E;
    &#x3C;AllowApp ProductId=&#x22;b79fb25e-ea4a-4dda-bbba-66c282377105&#x22;/&#x3E;
  &#x3C;/Publisher&#x3E;
&#x3C;/Deny&#x3E;
&#x3C;/AppPolicy&#x3E;
</Data>

In this sample, application App01 and any applications published by Fabrikam cannot be installed or run on the device. Additionally, any applications published by Fabrikam except for FabrikamApp01 cannot be installed or run on the devi
14</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/SMTPALTAUTHNAME</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data></Data>
  </Item>
</Replace>
<Replace>
  <CmdID>15</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/SMTPALTPASSWORD</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data></Data>
  </Item>
</Replace>
<Replace>
  <CmdID>16</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/LINGER</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>120</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>17</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/DWNDAY</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>7</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>18</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT
&lt;/Button&gt;
    &lt;/ButtonRemapList&gt;
  &lt;/Buttons&gt;
  &lt;MenuItems&gt;
    &lt;DisableMenuItems/&gt;
  &lt;/MenuItems&gt;
  &lt;Settings&gt;
    &lt;System name=&quot;Microsoft.About&quot;/&gt;
    &lt;System name=&quot;Microsoft.NocenterSettings&quot;/&gt;
    &lt;System name=&quot;Microsoft.CompanyAccount&quot;/&gt;
  &lt;/Settings&gt;
  &lt;StartScreenSize&gt;Small&lt;/StartScreenSize&gt;
&lt;/Default&gt;
&lt;RoleList&gt;
  &lt;Role guid=&quot;88501844-3B51-4C9F-9DA7-7CA745E7DA6B&quot; name=&quot;Associate&quot;&gt;
    &lt;ActionCenter enabled=&quot;false&quot;/&gt;
    &lt;Apps&gt;
      &lt;!-- Settings --&gt;
      &lt;Application productId=&quot;5B04B775-356B-4AA0-AAF8-6491FFEA5601&quot;&gt;
        &lt;PinToStart&gt;
          &lt;Size&gt;Medium&lt;/Size&gt;
          &lt;Location&gt;
            &lt;LocationX&gt;0&lt;/LocationX&gt;
            &lt;LocationY&gt;0&lt;/LocationY&gt;
          &lt;/Location&gt;
        &lt;/PinToStart&gt;
      &lt;/Application&gt;
    &lt;/Apps&gt;
    &lt;Buttons&gt;
      &lt;ButtonLockdownList&gt;
      &lt;/ButtonLockdownList&gt;
    &lt;/Buttons&gt;
    &lt;MenuItems&gt;
      &lt;DisableMenuItems/&gt;
2. Example Flow
1. User elects to un-enroll.
2. Any active MDM OMA-DM sessions are terminated.
3. The DM client kicks off a DM session, including a user-unenroll generic alert in the first package it sends to the server. A sample OMA-DM pkg#1 that contains the generic alert message is listed below. For more information on WP OMA-DM support, check the section "DM SyncML functionality support".

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD>
    <VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID>
    <MsgID>1</MsgID>
    <Target>
      <LocURI>{unique device ID}</LocURI>
    </Target>
    <Source>
      <LocURI>https://www.thephone-company.com/mgmt-server</LocURI>
    </Source>
  </SyncHdr>
  <SyncBody>
    <Alert>
      <CmdID>2</CmdID>
      <Data>1226</Data> <!-- generic alert -->
      <Item>
        <Meta>
          <Type xmlns="syncml:metinfo">com.microsoft.mdm.unenrollment.userrequest</Type>
          <Format xmlns="syncml:metinfo">int</Format>
        </Meta>
        <Data>1</Data>
      </Item>
    </Alert>
    <!-- other device information -->
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Source>
          <LocURI>./DevInfo/DevID</LocURI>
        </Source>
        <Data>unique device ID</Data>
      </Item>
      <Item>
      </Item>
    </Replace>
    <Final/>
&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;
&#x3C;Allow&#x3E;
  &#x3C;!-- Allow App: Nokia Trailers --&#x3E;
  &#x3C;App ProductId=&#x22;b0731ce2-cdee-4cad-af01-a74a0433fcea&#x22;/&#x3E;
&#x3C;/Allow&#x3E;
&#x3C;/AppPolicy&#x3E;
          </Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

Allow List: One allowed application and publisher.

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>
&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;
&#x3C;Allow&#x3E;
  &#x3C;!-- Allow App: MixRadio --&#x3E;
  &#x3C;App ProductId=&#x22;f5874252-1f04-4c3f-a335-4fa3b7b85329&#x22;/&#x3E;
  &#x3C;!-- Allow Publisher: Microsoft Corporation --&#x3E;
  &#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;/&#x3E;
&#x3C;/Allow&#x3E;
&#x3C;/AppPolicy&#x3E;
          </Data>
        </Item
26&lt;/baseEap:Type&gt;
      &lt;msChapV2:EapType&gt;
        &lt;msChapV2:UseWinLogonCredentials&gt;false&lt;/msChapV2:UseWinLogonCredentials&gt;
      &lt;/msChapV2:EapType&gt;
    &lt;/baseEap:Eap&gt;
  &lt;/Config&gt;
&lt;/EapHostConfig&gt;
        </Data>
      </Item>
    </Add>
    <Add>
      <!-- Network trigger 1.2.3.4/16 -->
      <CmdID>8008</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPN/EapMsChapv2/SecuredResources/NetworkAllowedList/Networks0800</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>1.2.3.4/16</Data>
      </Item>
    </Add>
    <Add>
      <!-- Host trigger corp.test.com -->
      <CmdID>8022</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPN/EapMsChapv2/SecuredResources/NameSpaceAllowedList/NameSpace000</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>corp.test.com</Data>
      </Item>
    </Add>
    <Add>
      <CmdID>8024</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPN/EapMsChapv2/DNSSuffix</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>corp.test.com</Data>
      </Item>
    </Add>
  </Atomic>
&#x3C;!-- Allow App: MixRadio --&#x3E;
  &#x3C;App ProductId=&#x22;f5874252-1f04-4c3f-a335-4fa3b7b85329&#x22;/&#x3E;
  &#x3C;!-- Allow Publisher: Microsoft Studios&#xE2;&#x201E;&#xA2; --&#x3E;
  &#x3C;Publisher PublisherName=&#x22;Microsoft Studios&#xE2;&#x201E;&#xA2;&#x22;/&#x3E;
&#x3C;/Allow&#x3E;
&#x3C;/AppPolicy&#x3E;
          </Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

Allow List: Two allowed applications and two allowed publishers.

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>
&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;
&#x3C;Allow&#x3E;
  &#x3C;!-- Allow App: Nokia Trailers --&#x3E;
  &#x3C;App ProductId=&#x22;b0731ce2-cdee-4cad-af01-a74a0433fcea&#x22;/&#x3E;
  &#x3C;!-- Allow App: MixRadio --&#x3E;
  &#x3C;App ProductId=&#x22;f5874252-1f04-4c3f-a335-4fa3b7b85329
775-356B-4AA0-AAF8-6491FFEA561E"/>
<!-- OneDrive -->
<Application productId="AD543082-80EC-45BB-AA02-FFE7F4182BA8"/>
<!-- OneNote -->
<Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA561B"/>
<!-- People -->
<Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5615">
  <PinToStart>
    <Size>Medium</Size>
    <Location>
      <LocationX>2</LocationX>
      <LocationY>0</LocationY>
    </Location>
  </PinToStart>
</Application>
<!-- Phone -->
<Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5611">
  <PinToStart>
    <Size>Small</Size>
    <Location>
      <LocationX>0</LocationX>
      <LocationY>0</LocationY>
    </Location>
  </PinToStart>
</Application>
<!-- Photos -->
<Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5632">
  <PinToStart>
    <Size>Large</Size>
    <Location>
      <LocationX>0</LocationX>
      <LocationY>2</LocationY>
    </Location>
  </PinToStart>
</Application>
<!-- Podcast -->
<Application productId="C3215724-B279-4206-8C3E-61D1A9D63ED3"/>
<!-- Settings -->
<Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5601"/>
<!-- Storage Sense -->
<Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA564D"/>
<!-- Store -->
<Application productId=
89a-df11-a490-00237de2db9e&#x22;/&#x3E;
  &#x3C;/Publisher&#x3E;
  &#x3C;!-- Deny Publisher: Microsoft Studios&#xE2;&#x201E;&#xA2; --&#x3E;
  &#x3C;Publisher PublisherName=&#x22;Microsoft Studios&#xE2;&#x201E;&#xA2;&#x22;&#x3E;
    &#x3C;!-- Allow app published by denied publisher Microsoft Studios&#xE2;&#x201E;&#xA2;: Wordament --&#x3E;
    &#x3C;AllowApp ProductId=&#x22;c62201b4-e059-e011-854c-00237de2db9e&#x22;/&#x3E;
  &#x3C;/Publisher&#x3E;
&#x3C;/Deny&#x3E;
&#x3C;/AppPolicy&#x3E;
          </Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>

Deny List: Two denied applications, one denied publisher with two allowed application exceptions, and one denied publisher with two allowed application exceptions.

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>
&#x3C;AppPolicy Version=&#x22;5.1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&
      </AdditionalContext>
    </RequestSecurityToken>
  </s:Body>
</s:Envelope>

Automatic MDM client certificate renew via the Renew On Behalf Of (ROBO) function in WSTEP
In addition to manual certificate renew, Windows Phone 8.1 adds support for automatic certificate renew (ROBO, Renew On Behalf Of) that does not require any user interaction. For auto renew, the enrollment client uses the existing MDM client certificate to perform client Transport Layer Security (TLS). The user security token is not needed in the SOAP header. As a result, the MDM certificate enrollment server is required to support client TLS for certificate-based client authentication for automatic certificate renew.

Note 1: Auto certificate renew is the only supported MDM client certificate renew method for a device that is enrolled via WAB authentication (AuthPolicy = Federated). It also means that if the server supports WAB authentication, the MDM certificate enrollment server MUST also support client TLS in order to renew the MDM client certificate.

Note 2: For a device that is enrolled with the OnPremise authentication method, for backward compatibility the default renew method is user manual certificate renew. However, for a Windows Phone 8.1 device, during the MDM client certificate enrollment phase or during an MDM management session, the enrollment server or MDM server could configure the device to support automatic MDM client certificate renew via Certificat
Application">
    <xs:attribute name="ProductId" type="CT_LowerCaseGuid"/>
  </xs:complexType>
  <xs:complexType name="CT_ApplicationWithPublisher">
    <xs:attribute name="ProductId" type="CT_LowerCaseGuid"/>
    <xs:attribute name="PublisherName" type="ST_Publisher" use="optional"/>
  </xs:complexType>
  <xs:complexType name="CT_AllowedPublisher">
    <xs:sequence>
      <xs:element name="DenyApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="PublisherName" type="ST_Publisher" use="required"/>
  </xs:complexType>
  <xs:complexType name="CT_DeniedPublisher">
    <xs:sequence>
      <xs:element name="AllowApp" type="CT_Application" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
    <xs:attribute name="PublisherName" type="ST_Publisher" use="required"/>
  </xs:complexType>
  <xs:element name="Deny">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="App" type="CT_Application" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element name="Publisher" type="CT_DeniedPublisher" minOccurs="0" maxOccurs="unbounded"/>
      </xs:sequence>
    </xs:complexType>
  </xs:element>
  <xs:element name="Allow">
    <xs:complexType>
      <xs:sequence>
        <xs:element name="App" type="CT_ApplicationWithPublisher" minOccurs="0" maxOccurs="unbounded"/>
        <xs:element name="Publisher
[Time zone table continued (table residue; the numeric index column 1490, 1500, 1510, 1520, 1530, 1540, 1550, 1600, 1610, 1620, 1630, 1640, 1650, 1700, 1710, 1720, 1730, 1740, 1750, 1800, 1810, 1820, 1830, 1900, 2000, 2010, 2020, 2030, 2040, 2050, 2100, 2110, 2120, 2130, 2140, 2200, 2210, 2220, 2230, 2240, 2300, 2310, 2400, 2410, 2420, 2430, 2500 could not be aligned with its rows). Zones listed: (UTC-04:00) Atlantic Time (Canada); (UTC-04:00) Cuiaba; (UTC-04:00) Santiago; (UTC-04:00) Georgetown, La Paz, Manaus, San Juan; (UTC-04:00) Caracas; (UTC-04:00) Asuncion; (UTC-03:30) Newfoundland; (UTC-03:00) Brasilia; (UTC-03:00) Greenland; (UTC-03:00) Montevideo; (UTC-03:00) Cayenne, Fortaleza; (UTC-03:00) Buenos Aires; (UTC-03:00) Salvador; (UTC-02:00) Mid-Atlantic; (UTC-02:00) Coordinated Universal Time-02; (UTC-01:00) Azores; (UTC-01:00) Cape Verde Is.; (UTC) Dublin, Edinburgh, Lisbon, London; (UTC) Monrovia, Reykjavik; (UTC) Casablanca; (UTC) Coordinated Universal Time; (UTC+01:00) Belgrade, Bratislava, Budapest, Ljubljana, Prague; (UTC+01:00) Sarajevo, Skopje, Warsaw, Zagreb; (UTC+01:00) Brussels, Copenhagen, Madrid, Paris; (UTC+01:00) West Central Africa; (UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna; (UTC+01:00) Windhoek; (UTC+01:00) Tripoli; (UTC+02:00) E. Europe; (UTC+02:00) Cairo; (UTC+02:00) Helsinki, Kyiv, Riga, Sofia, Tallinn, Vilnius; (UTC+02:00) Athens, Bucharest; (UTC+02:00) Jerusalem; (UTC+02:00) Amman; (UTC+02:00) Beirut; (UTC+02:00) Harare, Pretoria; (UTC+02:00) Damascus; (UTC+02:00) Istanbul; (UTC+03:00) Kuwait, Riyadh; (UTC+03:00) Baghdad; (UTC+03:00) Nairobi; (UTC+03:00) Kaliningrad, Minsk; (UTC+04:00) Moscow, St. Petersburg, Volgograd; (UTC+03:00) Tehran; (UTC+04:00) Abu Dhabi, Muscat; (UTC+04:00) Baku; (UTC+04:00) Yerevan.]
C tag. The tool must publish a binary message (write a Chunk data type) to your NFC tag. The following table describes the information that is required when writing to an NFC tag.

[Table of contents residue:]
NFC-enabled device tag components ... 209
Enable or disable NFC capabilities ... 210
EnableDeviceEnrollment Request and Response (Handheld 8.1) ... 211
Modified certificate enrollment web service request ... 211
SOAP Request ... 211
[unreadable entry] ... 213
SOAP Response ... 213
Apps (Handheld 8.1) ... 216
Assigned Access (Handheld 8.1) ... 216
EnterpriseAssignedAccess configuration service provider (Handheld 8.1) ... 216
OMA client provisioning examples ... 228
OMA DM examples ... 229
EnterpriseExt configuration service provider (Handheld 8.1) ... 233
[unreadable entry] ... 238
[unreadable entry] ... 238
OMA client provisioning example ...
CA and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains configurations needed to provision the DM client.

Request
The RequestSecurityToken (RST) must have the user credential and a certificate request. The user credential in an RST SOAP envelope is the same as in GetPolicies and could differ depending on whether the authentication policy is OnPremise or Federated. The BinarySecurityToken in an RST SOAP body contains a Base64-encoded PKCS#10 certificate request, which is generated by the client based on the enrollment policy. The client could have requested an enrollment policy by using MS-XCEP before requesting a certificate using MS-WSTEP. If the PKCS#10 certificate request is accepted by the certification authority (CA), i.e. the key length, hashing algorithm, etc. match the certificate template, the client can enroll successfully.

Note that the RequestSecurityToken will use a custom TokenType (http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken), because our enrollment token is more than an X.509 v3 certificate. For more details, see the Response section.

The RST may also specify a number of AdditionalContext items, such as DeviceType and Version. Based on these values, for example, the web service can return phone-specific and version-specific DM configuration. Note that the policy service and the enrollment service
D, the node can persist for up to 1 week (7 days) after an installation has completed; after that, a 418 (already exists) error would be returned on the Add. To get around the 418 error, the server should issue a Replace command for the Name, URL, and Version nodes and then Exec on the DownloadInstall node within an Atomic operation. NOTE 2: the application product ID curly braces need to be escaped, where { is %7B and } is %7D.

<Atomic>
  <CmdID>2</CmdID>
  <!-- The Add command can be used if the download node does not have a matching product ID node in it, or the application was installed 7 or more days ago. Otherwise use the Replace command. -->
  <Add>
    <CmdID>3</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Name</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>ContosoApp1</Data>
    </Item>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/URL</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>http://contoso.com/enterpriseapps/ContosoApp1.xap</Data>
    </Item>
    <Item>
      <Target
HTTP errors. The following list specifies the possible faults:
• Redirection (3xx)
• 404 (no CNAME DNS record was registered)
• Server error (5xx)

User interface
The phone provides the user with the option to enter the discovery URL manually if automatic discovery fails. This could be used to support scenarios such as:
• An enterprise wants to migrate from one management service to another gradually, and as part of the migration it wants to let only selected people enroll with the new service. Those people will have to enter the discovery URL manually in order to enroll with the new service.
• The discovery URL cannot be constructed from the email address of the user. For example, Contoso sets up https://discovery.managementservice.contoso.com, but some employees' email addresses are in a different domain, e.g. user@europe.contoso.com.

Certificate enrollment policy web service
Description
The policy service is optional. By default, if no policies are specified, the minimum key length is 2k and the hash algorithm is SHA-1. This web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification, which allows customizing certificate enrollment to match the different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.

Re
If users want to fully disassociate from the enterprise, they should do both of the following:
- Remove the workplace account, which removes the management server applied company policies, settings, installed enterprise applications and the associated enterprise token.
- Delete the company Outlook (Exchange) account or other corporate email account, in order to delete corporate email and the policies set by Exchange, if the account wasn't created by the MDM server.

In addition to device lock policies, Windows Phone also supports other Exchange ActiveSync policies. The following table summarizes the policies supported via a dedicated management server and via Exchange. Policies listed in the table:
- Minimum password length
- Minimum password complexity
- Device inactivity time out
- Remote wipe (full device)
- Require device encryption (new in Windows Phone 8)
- Disable storage card (new in Windows Phone 8)
- Remote update of LOB apps (new in Windows Phone 8)
- Remote or local delete of MDM association removes all LOB apps, data & MDM server applied enterprise policies and configuration (updated in Windows Phone 8.1)
- Allow developer unlock (new in Windows Phone 8.1)
- Allow using Microsoft account for non-email related connection authentication and services (new in Windows
Install and update Line of Business (LOB) applications

A workplace can automatically install and update Line of Business applications during a management session. Line of Business applications support a variety of file types, including XAP (8.0 and 8.1), AppX and AppXBundles. A workplace can also update applications from the XAP file format to the Appx and AppxBundle formats through the same channel. See the Examples section below for more detailed information.

Uninstall Line of Business (LOB) applications

A workplace can also remotely uninstall Line of Business applications on the device. See the Examples section below for more detailed information. It is not possible to use this mechanism to uninstall Store applications on the device, or Line of Business applications that were not installed by the enrolled workplace (for side-loaded application scenarios).

Query installed Store application

It is possible to query whether a Store application is installed on a system. First, the Store application GUID must be known. This can be discovered by going to windowsphone.com and finding the application GUID in the URL for the Store application. For example, the Microsoft Store application has a WindowsPhone.com URL of http://www.windowsphone.com/en-us/store/app/microsoft-store/d5dc1ebb-a7f1-df11-9264-00237de2db9e, so the Microsoft Store application has a GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e. Use the following SyncML format to query whether the applicat
It is strongly recommended that during every management session the management server queries the ChannelURI value to ensure that it has received the latest value. This ensures that the management server will not attempt to use a ChannelURI that has expired.
- Push is not a replacement for having a polling schedule.
- PFNs can be revoked by WNS if improper use of PFNs and Push is detected. Any devices being managed using this PFN will cease to have Push-initiated device management support.

Please note that Push does not support configuration using WAP Provisioning XML and cannot be configured during an enrollment session. Configuration of Push should occur during a management session.

Getting Push credentials through Windows Store

To utilize Push in production, please follow the steps for creating a raw notification listed at http://msdn.microsoft.com/en-us/library/windows/apps/xaml/jj676791.aspx.

Acquiring application based WNS credentials for MDM Push

Start by visiting https://appdev.microsoft.com/StorePortals/en-us/Home/Index and sign in with your MSDN developer account.

(Screenshot: Windows Dev Center dashboard for Windows Store apps.)
...SSL certificate

The SSL wildcard server certificate is supported for enrollment and the MDM session. The web server certificate must also have certain X.509 v3 extensions before the phone accepts it. The discovery and enrollment phases could have more relaxed criteria for the certificate, but the SyncML POST must have an exact set of extensions present. The following table shows the required extensions.

| Extension | Description | Required value |
| --- | --- | --- |
| Key Usage | Lists the permitted uses of this certificate | Digital Signature, Key Encipherment |
| Extended Key Usage | Extensions for the key usage | TLS Web Server Authentication |
| Subject Alternative Name | Alternative subjects for this certificate. Used for listing the alternate domains for which the certificate can be used | DNS entries for each subdomain you're using this certificate for. For example: DNS:secure.mydmpoc.net, DNS:enterpriseenrollment.mydiscovery.net |

To avoid the need to manually install server certificates, it is best if the certificates for the web server, MDM server and client chain to the same root CA as those installed during enrollment, or to another root CA already trusted by the phone.

Signed client certificate

The client certificate that is provisioned to the client in the provisioning XML should also have certain X.509 v3 extensions. The following extensions are required:

| Extension | Description | Required value |
| --- | --- | --- |
| Key Usage | Lists the permitted uses of this particular certificate | Digital S
...LMENTWEBSERVICE.SVC</a:To>
    <wsse:Security s:mustUnderstand="1">
      <wsse:UsernameToken u:Id="uuid-cc1ccc1f-2fba-4bcf-b063-ffc0cac77917-4">
        <wsse:Username>user@contoso.com</wsse:Username>
        <wsse:Password wsse:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">mypassword</wsse:Password>
      </wsse:UsernameToken>
    </wsse:Security>
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <GetPolicies xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy">
      <client>
        <lastUpdate xsi:nil="true"/>
        <preferredLanguage xsi:nil="true"/>
      </client>
      <requestFilter xsi:nil="true"/>
    </GetPolicies>
  </s:Body>
</s:Envelope>

For the Federated authentication policy, the security token credential is provided in a request message using the <wsse:BinarySecurityToken> element [WSS]. The security token is retrieved as described in the discovery response section. The authentication information is as follows:

wsse:Security
The enrollment client implements the <wsse:Security> element defined in [WSS] section 5. The <wsse:Security> element MUST be a child of the <s:Header> element.

wsse:BinarySecurityToken
The enrollment client implements the <wsse:BinarySecurityToken> element defined in
...MDM enrollment server. The client certificate enrolled during the MDM enrollment process can be used by the native MDM client and the native app download agent to perform certificate-based client authentication to the MDM server and to the corporate servers that host enterprise applications. The MDM server can also query and delete the SCEP-enrolled client certificate, or trigger a new enrollment request before the current certificate expires. Refer to the "Client Certificate Enrollment via SCEP" section for more details. Additionally, an S/MIME signing certificate can also be enrolled via the SCEP protocol. Lastly, for organizations with higher security requirements, Windows Phone's virtual smart card (VSC) APIs allow a third party to build an application that performs VSC certificate provisioning and management.

Note that the CertificateStore CSP also accepts OMA CP (WAP provisioning) XML as used in enrollment provisioning. For a WAP provisioning XML sample, see the Response section of the "Certificate enrollment policy web service" section earlier in this document. For more information about the configuration service provider, see "CertificateStore configuration service provider" later in this document.

Enroll client certificate via Simple Certificate Enrollment Protocol

Windows Phone supports auto-installing client certificates via the Simple Certificate Enrollment Protocol (SCEP) to meet certificate-based authentication needs for Wi-Fi, VPN, email and browser. This method could also be used to enrol
...MS configuration service providers, to ensure the management client has a single place to retrieve the current server address. The initial value for this node is the same server address value as bootstrapped via the w7 APPLICATION configuration service provider. Supported operations are Get and Replace.

<ProviderID>/Poll
Optional. Polling schedules in Windows Phone 8.1 must now utilize the DMClient CSP. The Registry paths previously associated with polling using the Registry CSP are now deprecated. Supported operations are Get and Add.

There are three schedules managed under the Poll node, which enable a rich polling schedule experience and provide greater flexibility in managing the way in which devices poll the management server. There are a variety of ways polling schedules may be set. If an invalid polling configuration is set, the device will correct or remove the schedules in order to restore the polling schedules to a valid configuration.

Valid poll schedule: sigmoid initial polling schedule with infinite schedule (RECOMMENDED)

| Schedule name | Schedule set by server | Actual value queried on device |
| --- | --- | --- |
| IntervalForFirstSetOfRetries | 15 | 15 |
| NumberOfFirstRetries | 5 | 5 |
| IntervalForSecondSetOfRetries | 60 | 60 |
| NumberOfSecondRetries | 10 | 10 |
| IntervalForRemainingScheduledRetries | 1440 | 1440 |
| NumberOfRemainingScheduledRetries | 0 | 0 |

Valid poll schedule: initial enrollment only, no infinite schedule

| Schedule name | Schedule set by server | Actual sc
...MSFT/EMAIL2/%7BC556E16F-56C4-4edb-9C64-D9469EE1FBE0%7D</LocURI>
      </Target>

ACCOUNTICON
Optional. Returns the location of the icon associated with the account. Supported operations are Get, Add, Replace and Delete. The account icon can be used as a tile in the Start list or as an icon in the applications list under Settings > email & accounts. Some icons are already provided on the phone. The suggested icon for POP, IMAP or generic ActiveSync accounts is at res://AccountSettingsSharedRes{ScreenResolution}/genericmail.png. Custom icons can be added if desired. For information about adding icons, see "Additional accounts on the phone".

ACCOUNTTYPE
Required. Specifies the type of account. Supported operations are Get and Add. Valid values are:
- Email: normal email
- VVM: visual voice mail

AUTHNAME
Required. Character string that specifies the name used to authorize the user to a specific email account (also known as the user's logon name). Supported operations are Get, Add and Replace.

AUTHREQUIRED
Optional. Character string that specifies whether the outgoing server requires authentication. Supported operations are Get, Add, Replace and Delete. A value of 0 specifies that server authentication is not required; a value of 1 specifies that server authentication is required.

AUTHSECRET
Optional. Character string that specifies the user's password. The same password is used for SMTP authentication. Supported operations are Get, Add, Repla
...MTP and IPOUSB are disabled when the policy is enforced.

| Area | Policy name | Description | Supported values | Evaluation rule | Supported via |
| --- | --- | --- | --- | --- | --- |
| Connectivity | AllowCellularDataRoaming | Allow or disallow cellular data roaming | 0: not allowed; 1 (default): allowed | Most restricted value is 0 | MDM |
| Camera | AllowCamera | Disable or enable the camera | 0: use of the camera is disallowed; 1 (default): use of the camera is allowed | Most restricted value is 0 | MDM |
| Search | AllowSearchToUseLocation | Specify whether search can leverage location information | 0: not allowed; 1 (default): allowed | Most restricted value is 0 | MDM |
| Search | SafeSearchPermissions | Specify what level of safe search filtering against adult content is required. Note: this is not supported in Windows Phone 8.1 | 0: Strict (highest filtering against adult content); 1 (default): Moderate (moderate filtering against adult content; valid search results will not be filtered) | Most restricted value is 0 (not supported) | MDM |
| Search | AllowStoringImagesFromVisionSearch | Specify whether to allow Bing Vision to store the contents of the images captured when performing a Bing Vision search | 0: not allowed; 1 (default): allowed | Most restricted value is 0 | MDM |
| Experience | AllowVoiceRecording | Specify whether voice recording is allowed | 0: not allowed; 1 (default): allowed | Most restricted value is 0 | MDM |
| Experience | AllowSaveAsOfOfficeFiles | Specify whether the user is allowed to save file in the de | 0: not allowed; 1 (default): allowed | | |
| Security | AllowManualRootCertificateInstallation | Specify whether the user is allowed to manually install root and intermediate CA certificates | 0: not allowed; 1 (default): allowed | Most restricted value is 0 | MDM |
| Security | RequireDeviceEncryption | Allow the enterprise to turn on internal storage encryption. Note that once turned on, it cannot be turned off via policy | 0 (default): encryption is not required; 1: encryption is required | Most restricted value is 1 | MDM, EAS (RequireDeviceEncryption) |
| Security | AllowAntiTheftMode (new for GDR2) | Allows the enterprise to prevent the user from enabling Anti-Theft mode. Note: if the user already enabled Anti-Theft mode for the device before the policy was applied, they will have to manually disable Anti-Theft mode for this policy to take effect | 0: do not allow Anti-Theft mode to be enabled; 1 (default): allow Anti-Theft mode | Most restricted value is 0 | MDM |
| ApplicationManagement | AllowStore | Specify whether the app store is allowed on the device | 0: not allowed; 1 (default): allowed | Most restricted value is 0 | MDM |
| ApplicationManagement | ApplicationRestrictions | An XML blob (chr) specifying the application restrictions the company wants to put on the device; could be an app allow list or app disallow list | The information is opaque to PolicyManager | PolicyManager doesn't do most restricted value evaluation | MDM |
MenuItems
Optional. Disables all menu items on the modern shell, including long press on applications, to prevent menu items from being displayed.

Disable Menu Items sample XML excerpt. Note that all top-level fields under <Default> must be included as part of the XML, unlike the following sample excerpt, which does not include the other top-level fields.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <MenuItems>
      <DisableMenuItems/>
    </MenuItems>
  </Default>
</HandheldLockdown>

Start screen size

Three Start screen configurations are supported: small, medium and large. Medium and large represent 3-column Start views, which enable six small tiles to be pinned in one row. The main difference between medium and large Start screen scaling is resolution and keyboard scaling. Medium is recommended for all 720p and lower screen resolutions; large is recommended for 1080p screen resolutions.

StartScreenSize
Required. Supports values of Small, Medium or Large.

Start Screen Size sample XML excerpt. Note that all top-level fields under <Default> must be included as part of the XML, unlike the following sample excerpt, which does not include the other top-level fields.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <StartScreenSize>Small</StartScreenSize>
  </Default
OneOrMore

./Vendor/MSFT/PolicyManager/Device/<area name>/<name>
Description: The node specifies a name/value pair used in the policy.
Format: string
Supported operations: Get
Occurrence: OneOrMore

Windows Phone 8.1 supported company policies

The following table shows the Windows Phone 8.1 company policies that are configurable by an MDM server and/or Exchange servers.

| Area | Policy name | Description | Supported values | Value evaluation rule | Supported via MDM or EAS | EAS policy name |
| --- | --- | --- | --- | --- | --- | --- |
| DeviceLock | DevicePasswordEnabled | Specifies whether device lock is enabled | 1 (default): Not required; 0: Required | Min policy value is the most restricted value | MDM, EAS | DevicePasswordEnabled |
| DeviceLock | AllowSimpleDevicePassword | Specifies if passwords like 1111 or 1234 are allowed | 0: Not allowed; 1 (default): Allowed | Min policy value is the most restricted value | MDM, EAS | AllowSimpleDevicePassword |
| DeviceLock | MinDevicePasswordLength | Specifies the minimum number of characters required in the PIN | An integer X where 4 <= X <= 16; 0: not enforced. Default: 4 | Max policy value is the most restricted value | MDM, EAS | MinDevicePasswordLength |
| DeviceLock | AlphanumericDevicePasswordRequired | Determines the type of password required. This policy only | 0: Alphanumeric password required; 1: nu | Min policy value is the most restricted value | MDM, EAS | AlphanumericDevicePasswordRequired |
...APPID of w7 is used for bootstrapping a phone with an OMA DM account. Although this configuration service provider is used to set up an OMA DM account, it is managed over OMA Client Provisioning.

NOTE 1: All parm names and characteristic types are case sensitive and must use all uppercase.
NOTE 2: Both APPSRV and CLIENT credentials must be provided in the provisioning XML.

The following image shows the configuration service provider in tree format as used by OMA DM.

APPLICATION
  APPADDR
    ADDR
    ADDRTYPE
    PORT
      PORTNBR
  APPAUTH
    AAUTHDATA
    AAUTHLEVEL
    AAUTHNAME
    AAUTHSECRET
    AAUTHTYPE
  APPID
  BACKCOMPATRETRYDISABLED
  CONNRETRYFREQ
  DEFAULTENCODING
  INIT
  INITIALBACKOFFTIME
  MAXBACKOFFTIME
  NAME
  PROTOVER
  PROVIDER-ID
  ROLE
  SSLCLIENTCERTSEARCHCRITERIA
  TO-NAPID
  USEHWDEVID

APPADDR
This characteristic is used in the w7 APPLICATION characteristic to specify the DM server address.

APPADDR/ADDR
Optional. The ADDR parameter is used in the APPADDR characteristic to get or set the address of the OMA DM server. This parameter takes a string value.

APPADDR/ADDRTYPE
Optional. The ADDRTYPE parameter is used in the APPADDR characteristic to get or set the format of the ADDR parameter. This parameter takes a string value. In OMA DM XML, if there are multiple instances of this parameter, the first valid parameter value is used.

APPADDR/PORT
This characteristic is used in the APPADDR characteristic to specify port information.

APPADDR/PORT/PORTNBR
...PasswordEnabled</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>6</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001/ExpectedValue</LocURI>
      </Target>
      <Data>0</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>8</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">node</Format>
      </Meta>
    </Item>
  </Add>
  <Add>
    <CmdID>9</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/NodeURI</LocURI>
      </Target>
      <Data>./Vendor/MSFT/DeviceLock/Provider/MDMSRV1/AlphanumericDevicePasswordRequired</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>10</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0002/ExpectedValue</LocURI>
      </Target>
      <Data>0</Data>
    </Item>
  </Add>

Getting nodes under Provider ID MDMSRV1 (cache version, changed nodes, node expected value):

<Get>
  <CmdID>18</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1</LocURI>
    </Target>
  </Item>
</Get>
<Get>
  <CmdID>19</CmdID>
  <Item>
    <Target>
...Phone 8.1

Further policies listed in the table (new in Windows Phone 8.1 unless noted):
- Allow adding non-Microsoft accounts manually
- Allow app store
- Enterprise Mgmt Server policy: Specify application restrictions
- Allow NFC
- Allow manual root certificate installation
- Allow Wi-Fi offloading
- Allow Wi-Fi hotspots reporting
- Allow manual Wi-Fi configuration
- Allow Telemetry
- Allow Copy and Paste
- Allow Bluetooth
- Allow Internet sharing
- Allow Camera
- Allow Data Protection under PIN Lock (new in Windows Phone 8.1 GDR2)
- Enable Fully managed VPN settings on devices (new in Windows Phone 8.1 GDR2)
- Allow Enterprise override of Anti-theft Mode
- Allow customization of Cellular App Download Limit
- Allow customization of Wi-Fi Scan Frequency
- Disable Task Switcher control on devices

Logging support for Enterprise server creation (new in Windows Phone 8.1)

MDM logging is enabled in Windows Phone 8.1 in order to help MDM ISVs self-debug issues during the development cycle. The log file f
...SD card or near field communication (NFC) tag, the device connects to the company Wi-Fi that is defined in the provisioning file and then initiates the enrollment to the MDM server.
2. The device sends unique and constant device IDs to the MDM server as part of the enrollment information.
3. The server then authenticates the device.

OMA client provisioning examples

The XML examples in this section show how to perform various tasks by using OMA client provisioning.

MDM enrollment example

The following example shows how to enroll a device:

<characteristic type="EnterpriseExt">
  <characteristic type="MDM">
    <parm value="contoso.com:443" name="Server"/>
    <parm value="username@contoso.com" name="Username"/>
    <parm value="password" name="Password"/>
    <parm value="TRUE" name="EnableDeviceEnrollment"/>
  </characteristic>
</characteristic>

OMA DM examples

These XML examples show how to perform various tasks using OMA DM.

Device restart example

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Exec>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/DeviceReboot/WaitTime</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>0</Data>
      </Item>
    </Exec>
  </SyncBody>
</SyncML>

Maintenance window examples

Set the maintenance window schedule

In this
- Supported values:
  - False: device cellular is not roaming
  - True: device cellular is roaming

./Vendor/MSFT/DeviceInstanceService/Identity/Identity2/PhoneNumber
- Description: Presents the device phone number for SIM2
- Format: chr
- Supported operations: Get
- Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity2/IMSI
- Description: Presents the first 6 digits of the device IMSI number for SIM2
- Format: chr
- Supported operations: Get
- Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity2/IMEI
- Description: Presents the device IMEI number for SIM2
- Format: chr
- Supported operations: Get
- Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity2/Roaming
- Description: Presents the device cellular roaming status. In dual SIM mode, when the device supports two different phone numbers, presents the roaming status for SIM2
- Format: bool
- Supported operations: Get
- Occurrence: One
- Supported values:
  - False: device cellular is not roaming
  - True: device cellular is roaming

Examples

The following sample shows how to query the roaming status and phone number on the device:

<Get>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI>
    </Target>
  </Item>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI>
    </Target>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
        <Type xmlns="syncml:metinf">text/plain</Type>
      </Meta>
      <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;
&#x3C;Deny&#x3E;
&#x3C;!-- Deny App MixRadio --&#x3E;
&#x3C;App ProductId=&#x22;5874252-1f04-4c3f-a335-4fa3b7b85329&#x22;/&#x3E;
&#x3C;!-- Deny Publisher Microsoft Corporation --&#x3E;
&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Corporation: Facebook --&#x3E;
&#x3C;AllowApp ProductId=&#x22;82a23635-5bd9-df11-a844-00237de2db9e&#x22;/&#x3E;
&#x3C;/Publisher&#x3E;
&#x3C;!-- Deny Publisher Microsoft Studios&#x2122; --&#x3E;
&#x3C;Publisher PublisherName=&#x22;Microsoft Studios&#x2122;&#x22;&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Studios&#x2122;: Wordament --&#x3E;
&#x3C;AllowApp ProductId=&#x22;c62201b4-e059-e011-854c-00237de2db9e&#x22;/&#x3E;
&#x3C;!-- Allow app published by denied publisher Microsoft Studios&#x2122;: Halo SA Lite --&#x3E;
&#x3C;AllowApp ProductId=&#x22;cf3f117d-d5a6-4e81
...URI>
    </Source>
    <Data>1.0.0.0</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Title</LocURI>
    </Source>
    <Data>Sample2</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/Publisher</LocURI>
    </Source>
    <Data>Contoso</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB0322158-C3C2-44EB-8A31-D14A9FEC450E%7D/InstallDate</LocURI>
    </Source>
    <Data>2012-10-31T21:23:31Z</Data>
  </Item>
</Results>

Install and update an enterprise application

Install or update the installed app with product ID B316008A-141D-4A79-810F-8B764C4CFDFB. To perform a XAP update, create the Name, URL, Version and DownloadInstall nodes first, then perform an Execute on the DownloadInstall node, all within an Atomic operation. If the application does not exist, it will be silently installed without any user interaction. If the application cannot be installed, the user will be notified with an Alert dialog.

NOTE 1: if a previous app update node existed for this product I
...WLAN profiles to apply and which MDM server to connect with. WLAN profiles may contain credentials for an enterprise Wi-Fi access point. The MDM server information contains the username and password that are used to enroll with the enterprise management server. The data is generated and encrypted by the management server and transferred to the device, for example by using an SD card. After the data is encrypted, it is base64 encoded. Once the data is decrypted during WEH OOBE, it is stored as clear text on the MainOS partition in the enterprise shared data location.

Standards and protocols

The relevant standards used by the feature are AES encryption with a key length of 128 and 256 bit, and SHA hashing.

Crypto related APIs

The following is the sequence of Crypto API calls made on the server to encrypt the provisioning file. The output of this sequence is then copied to the SD card.

Important note: the pbData parameter passed to CryptEncrypt should point to UTF-16 (WCHAR) characters, not UTF-8 ones.

CryptAcquireContext(&hProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, CRYPT_VERIFYCONTEXT);
CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash);
// The data being hashed is a password provided by an IT administrator externally (e.g. when using SCCM).
CryptHashData(hHash, pbKey, nKeySize, 0);
CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey);
CryptDestroyHash(hHash);
CryptGetKeyParam(hKey, KP_BLOCKLEN, (BYTE*)&dwBlockLen, &dwL
When this setting is enabled, any web requests to resources in the intranet zone will not be sent to the proxy. When this is false, the setting is disabled and all requests go to the proxy. When this is true, the setting is enabled and intranet requests will not go to the proxy.
Type: bool
Supported operations: Get, Add, Replace and Delete
Default value: false
Example: true

SECUREDRESOURCES
A collection of configuration objects that define the inclusion and exclusion resource lists for what should be secured over VPN. Allowed lists are applied only when the POLICIES/SPLITTUNNEL node is set to true. VPN exclusions are applied only when the POLICIES/SPLITTUNNEL node is set to false.

SECUREDRESOURCES/APPALLOWEDLIST
Optional node. This will be one or many PackageFamilyNames for Enterprise LoB applications built for Windows Phone. When defined, all traffic sourced from the defined apps will be secured over VPN (assuming the protected networks defined allow access). They will not be able to connect directly, bypassing the VPN connection. When the profile is auto-triggered, VPN will be triggered automatically by these apps.
Type: chr
Supported operations: Get, Add, Replace and Delete
Example: F 5DC613 E223 4 AD ABA9 CCCE 4277CD9
Example: ContosoCorp.ContosoApp_jlsnulm3s397u

SECUREDRESOURCES/NETWORKALLOWEDLIST
Optional node, but required when POLICIES/SPLITTUNNEL is set to true for an IKEv2 profile. This will be one or many IP ranges de
...Wi-Fi connection, MDM enrollment and profile lockdown.

Note: Formatting in this sample file uses escaped characters such as &lt; in place of < as a result of XML embedded in XML. Do not replace the escaped characters.

<wap-provisioningdoc>
  <characteristic type="WiFi">
    <characteristic type="Profile">
      <characteristic type="Open">
        <parm name="WlanXml" datatype="string" value="&lt;?xml version=&quot;1.0&quot;?&gt;&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;&lt;name&gt;WIFI_OPEN&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;WIFI_OPEN&lt;/name&gt;&lt;/SSID&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;auto&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;open&lt;/authentication&gt;&lt;encryption&gt;none&lt;/encryption&gt;&lt;/authEncryption&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt;"/>
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="EnterpriseExt">
    <characteristic type="MDM">
      <parm name="Server" value="https://localhost:443"/>
      <parm name="Username" value="userna
...Window/MWMandatory</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>0</Data>
      </Item>
    </Replace>
  </SyncBody>
</SyncML>

Get the current values of MWNotificationDuration, MWMinimumDuration and MWMandatory from the device:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Get>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/MWNotificationDuration</LocURI>
        </Target>
      </Item>
    </Get>
    <Get>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/MWMinimumDuration</LocURI>
        </Target>
      </Item>
    </Get>
    <Get>
      <CmdID>3</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/MWMandatory</LocURI>
        </Target>
      </Item>
    </Get>
  </SyncBody>
</SyncML>

Schema for the maintenance ScheduleXML parameters

<?xml version="1.0" encoding="utf-16LE"?>
<!-- The in-memory format is little endian, so the encoding of this file has to be little endian to be in the native format.
     Make sure that this file's encoding is Unicode 16 LE (Unicode codepage 1200). -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault
148. Windows Phone 8.1 Enterprise Device Management Protocol

Proprietary Notice
© 2015 Microsoft. All rights reserved. This document is provided "as-is". Information and views expressed in this document, including URL and other Internet website references, may change without notice. You bear the risk of using it. Some examples depicted herein are provided for illustration only and are fictitious. No real association or connection is intended or should be inferred. This document does not provide you with any legal rights to any intellectual property in any Microsoft product. You may copy and use this document for your internal reference purposes. This document is confidential and proprietary to Microsoft. It is disclosed and can be used only pursuant to a non-disclosure agreement.

Contents
Windows Phone 8.1 Enterprise Device Management Protocol ... 1
[title garbled] ... 1
Connecting to the management infrastructure (enrollment) ... 2
Conceptual [garbled] ... 2
[title garbled] ... 4
Launch workplace control panel from hyperlink ... 5
[title garbled] ... 6
Discovery request (Steps 2-3) ... 6
Certificate enrollment policy (Steps 4-5) ... 6
Certificate enrollment (Steps 6-7) ...
149. ...Writer();
dataWriter.UnicodeEncoding = Windows.Storage.Streams.UnicodeEncoding.Utf8;
dataWriter.WriteString(provXMLFile);
var chunkPubId = proximityDevice.PublishBinaryMessage("Windows:WriteTag.WEH.PreStageProv.Chunk", dataWriter.DetachBuffer());

NFC-enabled device tag components
Provisioning from an NFC-enabled source device allows for larger provisioning XML files than can be transferred using an NFC tag. When provisioning from an NFC-enabled device, the total file size must not exceed 128 KB. Be aware that the larger the NFC file is, the longer it will take to transfer the provisioning file. Depending on your NFC hardware, the transfer time for a 128 KB file will vary between 2.5 seconds and 10 seconds.

To provision from an NFC-enabled source device, use the ProximityDevice class API to write your own custom tool that transfers your provisioning XML file in chunks to your target Handheld 8.1-powered device. The tool must publish binary messages: transmit a Header message followed by one or more Chunk messages. The Header specifies the total amount of data that will be transferred to the target device; the Chunks must contain UTF-8 formatted provisioning data with the BOM removed, as shown in the NFC tag components section.

The following table shows the header format.

Required field | Description
Type | Windows:WriteTag.WEH.PreStageProv.Header
Data | A string that is two UTF-8 semicolon-delimited data/value pairs that identify the header version
150. [title garbled] ... 238
[title garbled] ... 238
Schema for the maintenance ScheduleXML parameters ... 241
EnterpriseExtFileSystem configuration service provider (Handheld 8.1) ... 243
OMA DM samples ... 246
[title garbled] ... 247
[title garbled] ... 247
Appendix ... 250
XSD for ApplicationRestriction policy in PolicyManager ... 250
XML samples for ApplicationRestriction policy in PolicyManager ... 252
[title garbled] ... 264

Summary
Windows Phone 8 provides an enterprise management solution to help IT pros manage company security policies and business applications while avoiding compromise of the users' privacy on their personal phones. A built-in management component can communicate with the management server. There are two parts to the Windows Phone 8.1 management component:
• The enrollment client, which enrolls and configures the phone to communicate with the enterprise management server.
• The phone management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT.
A custom Windows Phone app that can be downloaded during enrollment is an optional component to create an end-to-end phone management experience. This custom app can be created s
151. ...ace. Replaces the deprecated HKLM\Software\Microsoft\Enrollment\OmaDmRetry\Aux2NumRetries path that previously utilized the Registry CSP. Note that RemainingScheduledRetries is used for the long-run device polling schedule. IntervalForRemainingScheduledRetries shouldn't be set smaller than 1440 minutes (24 hours) on a Windows Phone 8.1 device. Windows Phone 8.1 supports MDM server push.

<ProviderID>/Push
Optional. Not configurable during wapprovisioning XML. If removed, DM sessions triggered by Push will no longer be supported. Supported operations are Add, Delete.

<ProviderID>/Push/PFN
Required. A string provided by the Windows and Windows Phone ecosystem for a Mobile Device Management solution. Used to register a device for Push Notifications. The server must use the same PFN as the devices it is managing. Supported operations are Add, Get, Replace.

<ProviderID>/Push/ChannelURI
Required. A string that contains the channel that the WNS client has negotiated for the OMA DM client on the device, based on the PFN that was provided. If no valid PFN is currently set, ChannelURI will return null. Supported operation is Get.

<ProviderID>/Push/Status
Required. An integer that maps to a known error state or condition on the system. The status error mapping is listed below. Supported operation is Get.

Status | Description
• Success
• Failure: invalid PFN
• Failure: invalid or expired device authentication with MSA
• F
152. [Screenshot residue: Generic Events View Editor column list (Available Columns, Visible, Name, Aggregation, Sort) with entries such as Provider Name, Task Name, Opcode Name, Id, Thread Name, Keyword, Level, Message, Process, Process Name and Cpu.]

5. In the Generic Events View Editor window, make sure the Message check box is checked. Click the Apply button.
6. The message field in the Analysis window provides MDM-specific log messages under various providers. You can copy and paste the information in the sheet to another file for further analysis.

[Screenshot residue: Analysis window listing Provider Name, Task Name, Opcode Name and Id columns, with rows for the Microsoft WindowsPhone Enrol... provider ("Opening a connection to se...", "Leaving CMachineEnroller...").]
153. ...ailure: WNS client registration failed due to an invalid or revoked PFN
• Failure: no Channel URI assigned
• Failure: Channel URI has expired
• Failure: Channel URI failed to be revoked
• Failure: push notification received but unable to establish an OMA DM session due to power or connectivity limitations
• Unknown error

EMAIL2 configuration service provider
The following diagram shows the EMAIL2 configuration service provider in tree format.

./Vendor/MSFT/EMAIL2 (OMA DM and OMA Client Provisioning)
  {GUID}
    ACCOUNTICON
    ACCOUNTTYPE
    AUTHNAME
    AUTHREQUIRED
    AUTHSECRET
    DOMAIN
    DWNDAY
    INSERVER
    LINGER
    NAME
    OUTSERVER
    REPLYADDR
    SERVICENAME
    SERVICETYPE
    SMTPALTAUTHNAME
    SMTPALTDOMAIN
    SMTPALTENABLED
    SMTPALTPASSWORD
    TAGPROPS
      8128000B
      812C000B

EMAIL2
The configuration service provider root node. Supported operation is Get.

{GUID}
Defines a specific email account. A globally unique identifier (GUID) must be generated for each email account on the phone. Provisioning with an account that has the same GUID as an existing one does not create the new account, and the Add command will fail in this case. Supported operations are Get, Add and Delete.
The braces around the GUID are required in the EMAIL2 configuration service provider. For OMA DM Sync XML, the braces must be sent by using the ASCII values %7B and %7D, respectively. For example: <Target><LocURI>./Vendor
154. ...ame
Password
ServerName
UserName
Options
  UseSSL
  Schedule
  MailAgeFilter
  Logging
  ContentTypes
    Enabled
    Name

./Vendor/MSFT/ActiveSync
The root node for the ActiveSync CSP. Supported operation: Get.

Accounts
The root node for all ActiveSync accounts. Supported operation: Get.

{GUID}
Defines a specific ActiveSync account. A globally unique identifier (GUID) must be generated for each ActiveSync account on the phone. Supported operations: Get, Add and Delete.
When managing over OMA DM, make sure to always use a unique GUID. When an account is deleted, creating a new account with the same email is a different account from the previous one. Different accounts should have different GUIDs.
Braces are required around the GUID in the EMAIL2 configuration service provider. In OMA Client Provisioning you can type the braces. For example: <characteristic type="{C556E16F-56C4-4EDB-9C64-D9469EE1FBE0}"> For OMA DM, you must use the ASCII values %7B and %7D for the opening and closing braces, respectively. For example, if the GUID is C556E16F-56C4-4EDB-9C64-D9469EE1FBE0, you would type: <Target><LocURI>./Vendor/MSFT/EMAIL2/%7BC556E16F-56C4-4EDB-9C64-D9469EE1FBE0%7D</LocURI></Target>

EmailAddress
Required. A character string that specifies the email address associated with the Exchange ActiveSync account. Supported operations: Get, Replace, Add
155. ...ame="Location" type="tile_location_t" minOccurs="1"/>
    </xs:all>
  </xs:complexType>

  <!-- COMPLEX TYPE: SETTING TYPE -->
  <xs:complexType name="setting_t">
    <xs:attribute name="name" type="xs:string" use="required"/>
  </xs:complexType>

  <!-- COMPLEX TYPE: BUTTON TYPE -->
  <xs:complexType name="button_t">
    <xs:sequence minOccurs="0" maxOccurs="1">
      <xs:element name="ButtonEvent" type="button_event_t" minOccurs="0" maxOccurs="2"/>
    </xs:sequence>
    <xs:attribute name="name" type="supported_button_t" use="required"/>
  </xs:complexType>

  <!-- COMPLEX TYPE: BUTTON EVENT TYPE -->
  <xs:complexType name="button_event_t">
    <xs:all minOccurs="0" maxOccurs="1">
      <xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="1"/>
    </xs:all>
    <xs:attribute name="name" type="supported_button_event_t" use="required"/>
  </xs:complexType>

  <!-- COMPLEX TYPE: START TILE TYPE -->
  <xs:complexType name="tile_location_t">
    <xs:sequence minOccurs="0" maxOccurs="1">
      <xs:element name="LocationX" type="xs:unsignedLong"/>
      <xs:element name="LocationY" type="xs:unsignedLong"/>
    </xs:sequence>
  </xs:complexType>

  <!-- SIMPLE TYPE: SUPPORTED BUTTON TYPE -->
  <xs:simpleType name="supported_button_t">
    <xs:restriction base="xs:string">
      <xs:enumeration value="Start"/>
      <xs:enumeration
156. ...™ Wordament --&#x3E;&#x3C;AllowApp ProductId=&#x22;{c62201b4-e059-e011-854c-00237de2db9e}&#x22;/&#x3E;&#x3C;/Publisher&#x3E;&#x3C;/Deny&#x3E;&#x3C;/AppPolicy&#x3E;</Data></Item></Replace></Atomic><Final/></SyncBody></SyncML>

Deny List: one denied publisher with one allowed application exception, and one denied publisher with two allowed application exceptions

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Deny&#x3E;&#x3C;!-- Deny Publisher Microsoft Corporation --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;&#x3E;&#x3C;!-- Allow app published by denied publisher Microsoft Corporation: Facebook --&#x3E;&#x3C;AllowApp ProductId=&#x22;{82a23635-5bd9-df11-a844-00237de2db9e}&#x22;/&#x3E;&#x3C;
157. ...&#x22;/&#x3E;&#x3C;!-- Allow Publisher Microsoft Corporation --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;/&#x3E;&#x3C;!-- Allow Publisher Microsoft Studios™ --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Studios™&#x22;/&#x3E;&#x3C;/Allow&#x3E;&#x3C;/AppPolicy&#x3E;</Data></Item></Replace></Atomic><Final/></SyncBody></SyncML>

Allow List: two allowed applications, one allowed publisher with one denied application exception, and one allowed publisher with two denied application exceptions

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Allow&#x3E;&#x3C;!-- Allow App Nokia Trailers --&#x3E;&#x3C;App ProductId=&#x22;{b0731ce2-cdee-4cad-af01
158. ...&gt;&lt;/Apps&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;!-- Lockdown all buttons except Search --&gt;&lt;Button name=&quot;Search&quot;&gt;&lt;/Button&gt;&lt;Button name=&quot;Camera&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot;/&gt;&lt;/Button&gt;&lt;Button name=&quot;Custom1&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot;/&gt;&lt;/Button&gt;&lt;Button name=&quot;Custom2&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot;/&gt;&lt;/Button&gt;&lt;Button name=&quot;Custom3&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot;/&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList&gt;&lt;Button name=&quot;Search&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;&gt;&lt;!-- TicTapToe --&gt;&lt;Application productId=&quot;{08179793-ED2E-45EA-BA12-BDE3EE9C3CE3}&quot; parameters=&quot;&quot;/&gt;&lt;/ButtonEvent&gt;&
159. ...an">
      <xs:simpleType>
        <xs:restriction base="xs:unsignedInt">
          <xs:minInclusive value="0"/>
          <xs:maxInclusive value="23"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
    <xs:attribute name="DaySpan">
      <xs:simpleType>
        <xs:restriction base="xs:unsignedInt">
          <xs:minInclusive value="0"/>
          <xs:maxInclusive value="31"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
  </xs:complexType>

  <!-- COMPLEX TYPE: Schedule TYPE -->
  <xs:complexType name="schedule_t">
    <xs:sequence>
      <xs:element name="Duration" type="duration_t" minOccurs="1" maxOccurs="1"/>
      <xs:element name="Recurrence" type="recurrence_t" minOccurs maxOccurs="1"/>
    </xs:sequence>
    <xs:attribute name="StartDate" type="xs:dateTime" use="required"/>
    <xs:attribute name="IsUTC" type="xs:boolean" use="required"/>
  </xs:complexType>

  <!-- COMPLEX TYPE: PROP TYPE -->
  <xs:complexType name="prop_t">
    <xs:attribute name="Name" type="xs:string"/>
    <xs:attribute name="Value" type="xs:string"/>
    <xs:attribute name="Datatype">
      <xs:simpleType>
        <xs:restriction base="xs:string">
          <xs:pattern value="integer|string|boolean"/>
        </xs:restriction>
      </xs:simpleType>
    </xs:attribute>
  </xs:complexType>

  <!-- COMPLEX TYPE: PropList TYPE -->
  <xs:complexType name=
160. ...ap-envelope">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover</a:Action>
    <a:MessageID>urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://ENROLLTEST.CONTOSO.COM/EnrollmentServer/Discovery.svc</a:To>
  </s:Header>
  <s:Body>
    <Discover xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
      <request xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
        <EmailAddress>user@contoso.com</EmailAddress>
        <RequestVersion>2.0</RequestVersion> <!-- Updated: Windows Phone 8.1 -->
        <DeviceType>WindowsPhone</DeviceType> <!-- Added in Windows Phone 8.1 -->
      </request>
    </Discover>
  </s:Body>
</s:Envelope>

Response
The discovery response is in XML format and includes the following fields:
• Enrollment service URL (EnrollmentServiceUrl): Specifies the URL of the enrollment endpoint that is exposed by the management service. The phone should call this URL after the user has been authenticated. This field is mandatory.
• Authentication policy (AuthPolicy): Indicates what type of authentication is required. For the MDM server, OnPremise is the supported
161. ...app and upload your rating certificates. Learn more (5 minutes)
Cryptography: Declare whether your app uses cryptography and enable package upload. Learn more (5 minutes)

Click on the Live Services link.

[Screenshot: Windows Store dashboard, Services page, with the steps App name, Selling details, Services, Age rating, Cryptography, Packages, Description and Notes to testers. The page reads:]
Services: Add services to bring connected, integrated experiences to your app and make it more engaging, dynamic and appealing to your customers. You can also provide in-app offers to let customers make additional purchases from within your app.
Windows Azure Mobile Services: You can use Mobile Services to send push notifications, authenticate and manage app users, and store app data in the cloud. Learn more. Sign in to your Windows Azure account, or sign up now to add services to up to ten apps for free.
If you have an existing WNS solution or need to update your current client secret, visit the
In-app offers: You can use in-app offers to sell additional features and products for this app through the Windows Store. Learn more. Enter a unique product ID for each offer. The product ID is the internal reference to the offer that you use in the app's program code. Your customers won't see the product ID, but they will see the offer's description that you enter on the Description page later. You can't
162. ...ation certificates
In Windows Phone 8.1, the user can manually install Root, CA, client authentication certificates and S/MIME encryption certificates. (To be done in M3.)
• The root and CA certificates are installed in such a way that any application can leverage them.
• The client certificate can be used by an application that has the shared certificate name (to be updated) security capability.
• The encryption certificate is used by the S/MIME client to encrypt outgoing messages. Refer to the S/MIME Secure email doc for a detailed description of S/MIME support.

Management of user-installed certificates
The MDM server can inventory and delete user-installed certificates via the CertificateStore CSP, except S/MIME encryption certificates, which aren't visible to the MDM server.
• User-installed root certificates are queriable and deletable via the ./Vendor/MSFT/CertificateStore/Root/System path.
• User-installed CA certificates are queriable and deletable via the ./Vendor/MSFT/CertificateStore/CA/System path.
• User-installed client certificates are queriable and deletable via ./Vendor/MSFT/CertificateStore/User/My.

NOTE 1: There is no device setting control panel to view installed certificates.
NOTE 2: There is no built-in certificate renewal process for user-installed certificates. The user needs to install an updated certificate before the current one expires to enable uninterrupted usage of certificates.

Company policy to disallow users manually installing Root and CA certificates
163. ...ation via WAB

Header:
HTTP/1.1 200 OK
Content-Length: 865
Content-Type: application/soap+xml; charset=utf-8
Server: EnterpriseEnrollment.Contoso.com
Date: Tue, 02 Aug 2012 00:32:56 GMT

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse</a:Action>
    <ActivityId>d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8</ActivityId>
    <a:RelatesTo>urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <DiscoverResponse xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
      <DiscoverResult>
        <AuthPolicy>Federated</AuthPolicy>
        <EnrollmentPolicyServiceUrl>https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</EnrollmentPolicyServiceUrl>
        <EnrollmentServiceUrl>https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</EnrollmentServiceUrl>
        <AuthenticationServiceUrl>https://portal.manage.contoso.com/LoginRedirect.aspx</AuthenticationServiceUrl>
      </DiscoverResult>
    </DiscoverResponse>
  </s:Body>
</s:Envelope>
164. ...ation with a reserved application name.

[Screenshot: Windows Store dashboard (DESIGN / DEVELOP / MARKET), "Apps in progress" showing Release 1 with Delete and Edit links.]

Make sure you never delete this application, or your push notification credentials will be invalidated.

Once the application name is reserved, click on Services.

[Screenshot: "Submit an app" page with the steps App name, Selling details, Services, Age rating, Cryptography, Packages, Description and Notes to testers. The page reads:]
App name: Give your app a unique name. You reserved an app name. You can reserve other names for your app to use in different languages or to change your app's name. Learn more.
Selling details: Pick your app's price, listing categories and where you want to sell it. Learn more (5 minutes)
Services: Add push notifications, authenticate users, enable cloud storage and define in-app offers. Learn more (5 minutes)
Age rating and rating certificates: Describe the audience for your
165. ...authentication with HMAC at the application level, SSL-level certificate-based client/server authentication, encryption and data integrity checking.

In the OMA DM tree, the following rules apply for the node name:
• "." can be part of the node name.
• The node name cannot be empty.
• The node name cannot be only the asterisk (*) character.

Provisioning
Provisioning XML must be well formed and follow the definition in the SyncML Representation Protocol specification. If an XML element that is not a valid OMA DM command is under SyncBody, status code 400 is returned for that element.

Note: To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.

WBXML
Windows Phone supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.

OMA DM protocol common elements
Common elements are used by other OMA DM element types. The following table lists the OMA DM common elements that are used to configure Windows Phones. For more information about OMA DM common elements, see "SyncML Representation Protocol Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A), available from the OMA website.

Element | Description | Specif
166. ...ave been extended for Windows Phone. For more information, see DevDetail configuration service provider and DevInfo configuration service provider later in this document.

Wi-Fi configuration (Windows Phone 8.1)
Wi-Fi configuration is supported in Windows Phone 8.1. The WiFi configuration service provider (CSP) provides functionality to add or delete Wi-Fi networks on a Windows Phone device. The CSP accepts SyncML XML input and converts it to a network profile that is installed on the device. This profile enables the phone to connect to the Wi-Fi network when it is in range, for Open, WEP, WPA2, PEAP-MSCHAPv2 and EAP-TLS/TTLS/SIM/AKA. Some Wi-Fi policies are configurable by MDM using the PolicyManager configuration service provider.

VPN configuration (Windows Phone 8.1)
VPN is supported in Windows Phone 8.1. MDM servers can configure a VPN profile via the VPN configuration service provider. A few VPN policies are configurable by MDM using the PolicyManager configuration service provider. The MDM server can also configure IE intranet zone settings for the VPN single sign-on feature via a registry key.

Email configuration
An Exchange/Outlook account can be configured by using the ActiveSync configuration service provider. Other Internet email accounts can be configured by using the EMAIL2 configuration service provider.

Exchange/Outlook account configuration
Note that when creating an Exchange/Outlook account, the commands for individual nodes should
167. ...ay in how they want to organize certificates issued to devices running Handheld 8.1. If the SUBJECT Name is guaranteed to be unique, the CA administrator may choose to use the SUBJECT Name from the request when issuing the certificate.

Custom Extension
Providing the DeviceID as a custom extension also gives the CA administrator the ability to assign the SUBJECT Name from Active Directory Domain Services (AD DS), essentially using the bulk enrollment account username instead of the SUBJECT Name from the request (which is less secure). By having the DeviceID in a custom extension, the CA administrator can still identify the management certificate for a specific device running Handheld 8.1. The object identifier (also known as OID) used for the custom extension must be 1.3.6.1.4.1.311.66.1.0. The first seven parts are the Microsoft standard object identifier. The 66.1.0 is made up and does not collide with the known object identifiers found at http://support.microsoft.com/kb/287547.

SOAP response
The SOAP response returns the fulfilled X.509 certificate for the client. The following sample shows a complete SOAP response from the service:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft
168. ...ayouts on a device. For example, the administrator can lock down a device so that only applications specified in an Allow list are available. Apps not on the Allow list remain installed on the device but are hidden from view.

Important note: This CSP applies only to Windows Embedded 8.1 Handheld devices.

The following image shows the EnterpriseAssignedAccess configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.

./Vendor/MSFT/EnterpriseAssignedAccess
  AssignedAccess
    AssignedAccessXml
  LockscreenWallpaper
    BGFileName
  Theme
    ThemeBackground
    ThemeAccentColorID
    ThemeAccentColorValue
  PersistProvisionedData
    PersistData
  Clock
    TimeZone
  Locale
    Language
(Legend: OMA DM only / OMA DM and OMA Client Provisioning)

./Vendor/MSFT/EnterpriseAssignedAccess
The root node for the EnterpriseAssignedAccess configuration service provider. Supported operations: Add, Replace and Get.

AssignedAccess
The parent node of the assigned access XML.

AssignedAccess/AssignedAccessXml
The XML code that controls the assigned access settings that will be applied to the device. Supported operations: Add, Replace and Get.
The Apps and Settings sections of Prov.xml constitute an Allow list. Any app or setting that is not specified in AssignedAccessXML will not be available on the device to users. The following table
169. ...be enclosed in an Atomic command. For more information and samples, see ActiveSync configuration service provider later in this document.

Note: In Windows Phone 8.1, the AccountName is not properly set. To set the email account name, use ContentTypes/{GUID}/Name. This issue has been fixed for the Windows Phone 8.1 GDR1 release.

Internet email account configuration
You can use the EMAIL2 configuration service provider to configure Internet POP3 and IMAP4 email accounts. Note that you can also use this configuration service provider to enable Secure Sockets Layer (SSL) for incoming and outgoing email servers. To do so, use an unnamed tag: <parm name="8128000B" value="1"/> for the incoming server and <parm name="812C000B" value="1"/> for the outgoing server.

Inventory cache handling
Some policies, such as device lock, configured by the enterprise management server can be changed by other entities, such as Exchange servers. The enterprise needs a way to ensure that the phone complies with company policies at all times. Instead of frequently querying all enterprise policy values to check for changes (which may cause battery drain and waste cellular bandwidth), Windows Phone 8 provides a tracking mechanism on the phone to allow the server to easily discover what has changed since its last query. The server keeps the client's cache in sync with the server-side cache by using the NodeCache configuration service provider. For mo
170. ...ble for use or install by the user. Here is a sample:

<Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Allow&#x3E;&#x3C;!-- Allow App01 with a WindowsPhone.com GUID of f5f53dbf-c7bd-4b26-a1bf-e1cf8d69b9d5 --&#x3E;&#x3C;App ProductId=&#x22;{f5f53dbf-c7bd-4b26-a1bf-e1cf8d69b9d5}&#x22;/&#x3E;&#x3C;!-- Allow Publisher Contoso --&#x3E;&#x3C;Publisher PublisherName=&#x22;Contoso&#x22;/&#x3E;&#x3C;!-- Allow Publisher Fabrikam --&#x3E;&#x3C;Publisher PublisherName=&#x22;Fabrikam&#x22;&#x3E;&#x3C;!-- Deny FabrikamApp01 with a WindowsPhone.com GUID of b79fb25e-ea4a-4dda-bbba-66c282377105 --&#x3E;&#x3C;DenyApp ProductId=&#x22;{b79fb25e-ea4a-4dda-bbba-66c282377105}&#x22;/&#x3E;&#x3C;/Publisher&#x3E;&#x3C;/Allow&#x3E;&#x9;&#x3C;/AppPolicy&#x3E;</Data>

In this example, application App01 and any applications published by Contoso will be allowed to be installed and run. Additionally, all applications published by Fabrikam, except for FabrikamApp01, can also be installed and run. All other line-of-business applications and Windows Phone Store applications cannot be run. For the latest XML schema definition for Application Restrictions XML, please visit http://schemas.microsoft.com/phone/20
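As an added example (not code from the Microsoft document), the following Python builds an OMA DM Replace package the way the ApplicationRestrictions samples do and then reads it back: it applies the LocURI rules from the protocol section (UTF-8 then URI encoding for Unicode node names, %7B/%7D for the braces around an EMAIL2 account GUID, no empty or asterisk-only node names) and carries an AppPolicy document inside <Data> as hex character references. The policy content and GUIDs are constructed placeholders.

```python
# Added example (not from the Microsoft document): building an OMA DM Replace
# command that carries an ApplicationRestriction AppPolicy, applying the LocURI
# and embedded-XML rules the protocol sections describe. GUIDs are constructed.
import xml.etree.ElementTree as ET
from urllib.parse import quote

SYNCML_NS = "SYNCML:SYNCML1.2"
METINF_NS = "syncml:metinf"
POLICY_NS = "http://schemas.microsoft.com/phone/2013/policy"


def encode_locuri(*segments: str) -> str:
    """Join node names into a ./Vendor/MSFT/... LocURI.

    Rules from the document: a node name cannot be empty or be only '*';
    a Unicode node name is encoded as UTF-8 and then each byte is URI-encoded;
    braces around an account GUID are sent as %7B and %7D.
    """
    encoded = []
    for seg in segments:
        if seg == "":
            raise ValueError("node name cannot be empty")
        if seg == "*":
            raise ValueError("node name cannot be only the asterisk character")
        # quote() does exactly the UTF-8-then-percent-encode step; with an
        # empty safe set, '{' and '}' become %7B and %7D as the CSP requires.
        encoded.append(quote(seg, safe=""))
    return "./" + "/".join(encoded)


def escape_embedded_xml(inner_xml: str) -> str:
    """Escape an XML document for transport as chr data inside <Data>.

    Uses hex character references (&#x3C; for '<' and so on), the style used
    by the ApplicationRestrictions samples, so the inner markup cannot be
    mistaken for SyncML elements by the receiving parser.
    """
    return "".join(f"&#x{ord(c):X};" if c in '<>"&' else c for c in inner_xml)


def syncml_replace(cmd_id: int, loc_uri: str, inner_xml: str) -> str:
    """Wrap an inner XML policy in an Atomic/Replace SyncML package."""
    return (
        f'<SyncML xmlns="{SYNCML_NS}"><SyncBody><Atomic><CmdID>{cmd_id}</CmdID>'
        f'<Replace><CmdID>{cmd_id + 1}</CmdID><Item>'
        f'<Target><LocURI>{loc_uri}</LocURI></Target>'
        f'<Meta><Format xmlns="{METINF_NS}">chr</Format>'
        f'<Type xmlns="{METINF_NS}">text/plain</Type></Meta>'
        f'<Data>{escape_embedded_xml(inner_xml)}</Data>'
        '</Item></Replace></Atomic><Final/></SyncBody></SyncML>'
    )


def extract_policy(syncml: str) -> dict:
    """Parse the package as a consumer would and summarise the AppPolicy.

    The SyncML parser decodes the character references, so Data.text is the
    original policy document again; it is then parsed as XML in its turn.
    """
    ns = {"s": SYNCML_NS}
    root = ET.fromstring(syncml)
    item = root.find("s:SyncBody/s:Atomic/s:Replace/s:Item", ns)
    policy = ET.fromstring(item.find("s:Data", ns).text)
    p = {"p": POLICY_NS}
    summary = {
        "loc_uri": item.find("s:Target/s:LocURI", ns).text,
        "allow_apps": [a.get("ProductId") for a in policy.findall("p:Allow/p:App", p)],
        "allow_publishers": [],
        "deny_apps": [],
    }
    for pub in policy.findall("p:Allow/p:Publisher", p):
        summary["allow_publishers"].append(pub.get("PublisherName"))
        # DenyApp under an allowed publisher is the per-app exception.
        summary["deny_apps"] += [d.get("ProductId") for d in pub.findall("p:DenyApp", p)]
    return summary


APP_RESTRICTIONS_URI = encode_locuri(
    "Vendor", "MSFT", "PolicyManager", "My", "ApplicationManagement", "ApplicationRestrictions"
)

# Constructed sample policy (GUIDs are placeholders, not real Store product IDs):
# one allowed app, publisher Contoso allowed entirely, publisher Fabrikam allowed
# except for one app.
SAMPLE_POLICY = (
    f'<AppPolicy Version="1" xmlns="{POLICY_NS}">'
    '<Allow>'
    '<App ProductId="{11111111-2222-3333-4444-555555555555}"/>'
    '<Publisher PublisherName="Contoso"/>'
    '<Publisher PublisherName="Fabrikam">'
    '<DenyApp ProductId="{66666666-7777-8888-9999-000000000000}"/>'
    '</Publisher>'
    '</Allow>'
    '</AppPolicy>'
)
SAMPLE_SYNCML = syncml_replace(1, APP_RESTRICTIONS_URI, SAMPLE_POLICY)

if __name__ == "__main__":
    print(encode_locuri("Vendor", "MSFT", "EMAIL2", "{C556E16F-56C4-4EDB-9C64-D9469EE1FBE0}"))
    print(extract_policy(SAMPLE_SYNCML))
```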
171. ...bled

CONNRETRYFREQ
Optional. The CONNRETRYFREQ parameter is used in the APPLICATION characteristic to specify how many retries the DM client performs when there are Connection Manager-level or WinInet-level errors. This parameter takes a numeric value in string format. The default value is 3. You can set this parameter.

DEFAULTENCODING
Optional. The DEFAULTENCODING parameter is used in the APPLICATION characteristic to specify whether the DM client should use WBXML or XML for the DM package when communicating with the server. You can get or set this parameter. The valid values are:
• application/vnd.syncml.dm+xml (Default)
• application/vnd.syncml.dm+wbxml

INIT
Optional. The INIT parameter is used in the APPLICATION characteristic to indicate that the management server wants the client to initiate a management session immediately after settings approval.

INITIALBACKOFFTIME
Optional. The INITIALBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the initial wait time in milliseconds when the DM client retries for the first time. The wait time grows exponentially. This parameter takes a numeric value in string format. The default value is 16000. You can set this parameter.

MAXBACKOFFTIME
Optional. The MAXBACKOFFTIME parameter is used in the APPLICATION characteristic to specify the maximum number of milliseconds to sleep after a package sending failure. This parameter takes a numeric value in string format. The d
bnZ33kGhkqev HJH6F0 Mrm7d2 P9LigZ4q8mshX4Df3p rdOMXalTPcKpz3Ge TjBKBbB31rEzw9W5BkkhgWvU deL J zT95x AC104df1f2b rzhlhhE92vVzMUIvA Ymv3YAhAFvHUILDI1Ww6nime
    </EncodedCertificate>
  </System>
</CA>
</CertificateStore>

<!-- Wifi CSP -->
<WiFi>
  <Profile name="Wifi MSFTOPEN">
    <WlanXml>
      (the WLAN profile below is shown unescaped for readability; on the page it appears XML-escaped inside the WlanXml element)
      <?xml version="1.0"?>
      <WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
        <name>MSFTOPEN</name>
        <SSIDConfig>
          <SSID>
            <name>MSFTOPEN</name>
          </SSID>
        </SSIDConfig>
        <connectionType>ESS</connectionType>
        <connectionMode>auto</connectionMode>
        <MSM>
          <security>
            <authEncryption>
              <authentication>open</authentication>
              <encryption>none</encryption>
            </authEncryption>
          </security>
        </MSM>
      </WLANProfile>
    </WlanXml>
  </Profile>
</WiFi>

<!-- OOBE Settings -->
<Oobe>
  <AcceptTermsOfUse>true</AcceptTermsOfUse>
  <SkipSettings>true</SkipSettings>
  <SkipOnlineConsumerRegistration>true</SkipOnlineConsumerRegistration>
</Oobe>

<!-- Time Zone Settings for I
by MinuteSpan.

MinuteSpan
Required if the type is Interval. Specifies the interval recurrence in minutes (0 through 59).

HourSpan
Required if the type is Interval. Specifies the interval recurrence in hours (0 through 23).

DaySpan
Required if the type is Interval. Specifies the interval recurrence in days (0 through 31).

MaintenanceWindow/MWNotificationDuration
Gets the duration of pop-up windows in minutes. Sets the pop-up window duration in minutes. The default duration is 5 minutes.
Supported operations: Get, Set.

MaintenanceWindow/MWminimumDuration
Gets the minimum duration to be considered as a valid MaintenanceWindow. Sets the minimum duration of a maintenance window to be considered a valid window by the device. The default minimum duration is 5 minutes.
Supported operations: Get, Set.

DeviceUpdate
The parent node for device update settings.

DeviceUpdate/DateTimeStamp
Specifies when to start a new device update session. This number can be any integer greater than zero, but to start a new session the value must be greater than the value that is on the device.
Supported operations: Add, Replace.

DeviceUpdate/UpdateResultXml
Specifies the update information that is on the device.
Supported operations: Add, Get.

MDM
The parent node for MDM settings.

MDM/Server
A string that specifies the MDM server to enroll the device to.

MDM/Username
A string that specifies the username of the person to enroll. To enroll
by the server before the client certificate renewal is triggered.

<ProviderID>/ExchangeID
Optional. Character string that contains the unique Exchange device ID used by the Outlook account. This is useful for the enterprise management server to correlate and merge records for a phone that is managed by Exchange and natively managed by a dedicated management server. Supported operation is Get.

The following is a Get command sample. TestMDMServer should be replaced with the actual configured Provider ID.

<Get>
  <CmdID>12</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/DMClient/TestMDMServer/ExchangeID</LocURI>
    </Target>
  </Item>
</Get>

<ProviderID>/PublisherDeviceID
Optional. The PublisherDeviceID is a device-unique ID created based on the enterprise Publisher ID. The Publisher ID is created based on the enterprise application token and enterprise ID via ./Vendor/MSFT/EnterpriseAppManagement/<enterprise id>/EnrollmentToken. It is to ensure that, for one enterprise, each phone has a unique ID associated with it. For the same phone, if it has multiple enterprises' applications, each enterprise is identified differently. Supported operation is Get.

<ProviderID>/SignedEntDMID
Optional. Character string that contains the device ID. This node and the nodes CertRenewTimeStamp and SignedCertRenewTimeStamp can be used by the mobile device management server to verif
cML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/TimeZone</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>500</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

The following example shows how to set the time zone to Pacific Standard Time (UTC 08:00) without observing daylight saving time (UTC 01:00).

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/TimeZone</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>400</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

Language

The following example shows how to set the language.

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Locale/Language</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>1033</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</S
cannot Add after the account is created). This email address is entered by the user during setup and must be in the fully qualified email address format, for example someone@example.com.

Domain
Optional for Exchange. Specifies the domain name of the Exchange server. Supported operations: Get, Replace, Add, and Delete.

AccountIcon
Required. A character string that specifies the location of the icon associated with the account. Supported operations: Get, Replace, Add (cannot Add after the account is created). The account icon can be used as a tile in the Start list or an icon in the applications list under Settings > Email+accounts. Some icons are already provided on the phone. The suggested icon for POP, IMAP, or generic ActiveSync accounts is at res://AccountSettingsSharedRes{ScreenResolution}!s_genericmail.png. The suggested icon for Exchange accounts is at res://AccountSettingsSharedRes{ScreenResolution}!s_office_outlook.png. Custom icons can be added if desired.

AccountTypes
Required. A character string that specifies the account type. Supported operations: Get, Add (cannot Add after the account is created). This value is entered during setup and cannot be modified once entered. An Exchange account is indicated by the string value "Exchange".

AccountName
Required. A character string that specifies the name that refers to the account on the phone. Supported operations: Get, Replace, Add (cannot Add after the account is created).
cations during a management session. This behavior is supported for all application file format types, including XAP, AppX, and AppXBundle. Note that you cannot install company hub apps to an SD card; this is not supported in Windows Phone 8.1.

Enterprise application restrictions (New in Windows Phone 8.1)

As part of the PolicyManager CSP, management servers have the ability to configure a list of applications, or a set of applications from publishers, that can be allowed or denied. This solution provides full flexibility to block both 3rd-party applications from the Windows Phone Store and Line of Business applications on the device. There is no support for blocking native 1st-party applications published by Microsoft through application restrictions. The two exceptions are Internet Explorer and Store, which can be blocked through the PolicyManager CSP directly. There are two pre-defined sets of XML schemas that are utilized for defining application restrictions. Please note that previously running applications in the back stack may not be immediately terminated upon successful setting of the ApplicationRestrictions policy.

Application Restrictions - Allow List

An allow list contains a set of applications, defined by a set of application GUIDs and application publisher names, that are allowed to be installed and run on the device. Any applications that are not explicitly listed, or published underneath an allowed publisher, will not be availa
ccess settings. The following example shows how to lock down a device (the HandheldLockdown payload is shown unescaped for readability; on the page it appears XML-escaped inside the <Data> element):

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Add>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/AssignedAccess/AssignedAccessXml</LocURI>
        </Target>
        <Data>
<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <Apps>
      <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5615}" pinToStart="1"/>
      <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5612}" pinToStart="2"/>
    </Apps>
    <Settings>
      <System name="Microsoft.Themes"/>
      <System name="Microsoft.About"/>
    </Settings>
    <Buttons>
      <Button name="Start" disableEvents="PressAndHold"/>
      <Button name="Camera" disableEvents="All"/>
      <Button name="Search" disableEvents="All"/>
    </Buttons>
    <MenuItems>
      <DisableMenuItems/>
    </MenuItems>
  </Default>
  <RoleList>
    <Role guid=
ce. All other applications can be installed and run on the device. For the latest XML schema definition for Application Restrictions XML, please visit http://schemas.microsoft.com/phone/2013/policy. ApplicationRestrictions.XSD is also provided in the Appendix.

Guide to debugging allow/deny list XMLs

A number of allow and deny list samples are provided in the Appendix for easy reference. When debugging why an allow/deny list is rejected, please ensure the following:
• Remove all line feeds, return characters, and carriage returns in the <Data> payload. Additionally, ensure that the beginning of the <Data> field is always followed by <![CDATA[ without a return or line feed in between; otherwise schema validation may reject the payload.
• Ensure an <Atomic> tag is used to wrap the <Replace>. It isn't strictly required, but it is the recommended and tested approach to successfully configuring Application Restrictions.
• Ensure that <AllowApp> is only used within a <Deny> list, following a <Publisher> tag and preceding a </Publisher> tag.
• ProductId is case sensitive. Ensure that the "d" is lowercase.
• The value of ProductId is case sensitive. Ensure that characters are all in lowercase.
• Always wrap ProductIds in curly braces. For example: ProductId="{<product id>}".
• The PublisherName includes all punctuation. WindowsPhone.com may omit punctuation from being displayed on the website. As a resul
ce, and Delete.

DOMAIN
Optional. Character string that specifies the user's domain name. Supported operations are Get, Add, Replace, and Delete.

DWNDAY
Optional. Character string that specifies how many days' worth of email should be downloaded from the server. Supported operations are Get, Add, Replace, and Delete. The allowed values are:
• -1: specifies that all email currently on the server should be downloaded
• 7: specifies that seven days' worth of email should be downloaded
• 14: specifies fourteen days' worth of email should be downloaded
• 30: specifies thirty days' worth of email should be downloaded

INSERVER
Required. Character string that specifies the name of the messaging service's incoming email server. Supported operations are Get, Add, and Replace.

LINGER
Optional. Character string that specifies the length of time between email send/receive updates, in minutes. The default is 15. Supported operations are Get, Add, Replace, and Delete. Allowed values are:
• 0: email updates must be performed manually
• 15: wait for fifteen minutes
• 30: wait for thirty minutes
• 60: wait for sixty minutes
• 120: wait for one hundred and twenty minutes

NAME
Optional. Character string that specifies the name of the sender displayed on a sent email. It should be set to the user's name. Supported operations are Get, Add, Replace, and Delete.

OUTSERVER
Required. Character string that specifies the name of the messaging service's outgoing emai
[Figure: enrollment flow diagram (device certificates, DM client configuration, "Enrolled"); only the numbered step text below is recoverable from the extraction.]

Enrollment Flow
1. The user clicks on the enrollment application and inserts their credentials.
2. The phone sends a discover request to the discovery service. The request includes the domain part of the email address.
3. The discovery service returns a response that contains the management service URL and, optionally, an authentication policy. The authentication policy includes information on the authentication method and required authentication steps.
4. The phone contacts the management service and asks for a certificate policy. The management service returns a certificate policy.
5. Based on the authentication policy data (step 3) and the certificate policy, the phone creates an enrollment request.
6. The management service generates a phone certificate and provides DM client configuration. The returned certificate issuers provide an X.509 v3 security token by using MS-WSTEP settings.
7. The phone installs the certificate, an enterprise application token (optional), and a link to an enterprise application (optional), and initiates a DM request to the MDM server.
8. The phone notifies the user that enrollment is finished.

Enrollment UI

The following mockup shows the user experience of enrollment. Notice that this user experience is the enrollment client's built-in UI; there is no third-party extensibility unless the server sup
ce downloads it from the shared network and then sets it as the lock screen wallpaper. Supported operations: Add, Replace, and Get.

Theme
The parent node of theme-related parameters.

Theme/ThemeBackground
Indicates whether the background color is light or dark. Set to 0 for light; set to 1 for dark.

Theme/ThemeAccentColorID
The accent color to apply as the foreground color for tiles, controls, and other visual elements on the device. The following table shows the possible values.

Value | Description
0 | Lime
1 | Green
2 | Emerald
3 | Teal (Viridian)
4 | Cyan (Blue)
5 | Cobalt
6 | Indigo
7 | Violet (Purple)
8 | Pink
9 | Magenta
10 | Crimson
11 | Red
12 | Orange (Mango)
13 | Amber
14 | Yellow
15 | Brown
16 | Olive
17 | Steel
18 | Mauve
19 | Sienna
101 through 104 | Optional colors as defined by the OEM
151 | Custom accent color for Enterprise

For more information about accent colors, see Themes for Windows Phone. Supported operations: Add, Replace, and Get.

Theme/ThemeAccentColorValue
A 6-character string for the accent color to apply to controls and other visual elements. To use a custom accent color for Enterprise, enter 151 for ThemeAccentColorID before ThemeAccentColorValue in Prov.xml. ThemeAccentColorValue configures the custom accent color using hex values for red, green, and blue in RRGGBB format. For example, enter FF0000 for red.

PersistData
The parent node of whether to persist data that has been provisioned on th
certificates, it should add multiple <unique id> nodes which have different IDs.

NOTE: The CertThumbPrint should be retrieved only after the status code is success.

3. Update client certificate before the SCEP-enrolled certificate expires

For SCEP-enrolled certificates, before they expire a new certificate with the same cert properties but a new expiration date should be enrolled in the device (renewed). This is achieved by the MDM server sending a new challenge and an Exec command to the to-be-expired cert path. Specifically, the server should send the following commands to the device before the certificate indexed by <provider id 1> expires:
• Send an Add cmd to set a new challenge on the ./Vendor/MSFT/CertificateStore/My/SCEP/<unique id 1>/Install/Challenge node, as the previous challenge is removed shortly after the first Exec command is accepted by the device.
• Send an Exec cmd on the ./Vendor/MSFT/CertificateStore/My/SCEP/<unique id 1>/Install/Enroll node.

The Add and Exec commands should be wrapped in the same DM message. After the new certificate is installed on the device, the old certificate will be deleted by the device, and a query on the ./Vendor/MSFT/CertificateStore/My/SCEP/<unique id 1>/CertThumbPrint node will return the new certificate's thumbprint.

NOTE: To make sure the Exec command is properly accepted and processed at the device side, in this case the MDM server should check ./Vendor/MSFT/CertificateStore/My/SCEP/<un
com/windows/pki/2009/01/enrollment/RSTRC/wstep</a:Action>
    <a:RelatesTo>urn:uuid:66cddf7d-0227-48c7-a270-935fdfd27359</a:RelatesTo>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2013-08-27T15:32:33.256Z</u:Created>
        <u:Expires>2013-08-27T15:37:33.256Z</u:Expires>
      </u:Timestamp>
    </o:Security>
  </s:Header>
  <s:Body>
    <RequestSecurityTokenResponseCollection xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <RequestSecurityTokenResponse>
        <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
        <RequestedSecurityToken>
          <BinarySecurityToken ValueType="http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">Binary Encoded Enrollment Response</BinarySecurityToken>
        </RequestedSecurityToken>
        <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">9</RequestID>
      </RequestSecurityTokenResponse>
    </RequestSecurityTokenResponseCollection>
  </s:Body>
d, Delete, Replace.

NOTE: Windows Phone 8.1 only supports configuring the following AlternativeName types:
• XCN_CERT_ALT_NAME_RFC822_NAME = 2
• XCN_CERT_ALT_NAME_DNS_NAME = 3
• XCN_CERT_ALT_NAME_URL = 7
• XCN_CERT_ALT_NAME_REGISTERED_ID = 9
• XCN_CERT_ALT_NAME_USER_PRINCIPLE_NAME = 11
All other types are unsupported and will result in an error.

My/SCEP/<UniqueID>/Install/ValidPeriod
Optional. Specifies the units for the valid period. Valid values are: Days (Default), Months, Years. Format is chr. Supported operations are Get, Add, Delete, Replace.

NOTE: The device only sends the MDM server's expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment request. It is the server's decision how to use this valid period to create the certificate.

My/SCEP/<UniqueID>/Install/ValidPeriodUnits
Optional. Specifies the desired number of units used in the validity period. Subject to SCEP server configuration. Default is 0. The units are defined in the ValidPeriod node. Note that the valid period specified by MDM will overwrite the valid period specified in the cert template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, it means the total valid duration is 30 days. Format is int. Supported operations are Get, Add, Delete, Replace.

NOTE: The device only sends the MDM server's expected certificate validation period (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment
d operations are Get, Add, Replace, and Delete.

SMTPALTENABLED
Optional. Character string that specifies if the user's alternate SMTP account is enabled. Supported operations are Get, Add, Replace, and Delete. A value of FALSE means SMTP uses the same user name/password for authentication. A value of TRUE means SMTP uses its own user name/password (SMTPALTAUTHNAME and SMTPALTPASSWORD).

SMTPALTPASSWORD
Optional. Character string that specifies the password for the user's alternate SMTP account. Supported operations are Get, Add, Replace, and Delete.

TAGPROPS
Optional. Defines a group of properties with non-standard element names. Supported operation is Get.

8128000B
Optional. Character string that specifies if the incoming email server uses SSL. Supported operations are Get and Replace. A value of 0 specifies that SSL is not enabled; a value of 1 specifies that SSL is enabled.

812C000B
Optional. Character string that specifies if the outgoing email server uses SSL. Supported operations are Get and Replace. A value of 0 specifies that SSL is not enabled; a value of 1 specifies that SSL is enabled.

Remarks

When an application removal or configuration roll-back is provisioned, the EMAIL2 configuration service provider passes the request to Configuration Manager, which handles the transaction externally. When a MAPI application is removed, the accounts that were created with it are deleted, and all messages and other properties that th
d Replace. Examples: 208.23.45.130 or vpn.contoso.com.

TUNNELTYPE
Optional node, but required if deploying an IKEv2 VPN profile. Only a value of IKEv2 or L2TP is supported for this release. Type: chr. Supported operations: Get and Add.

THIRDPARTY
Optional node, but required if deploying a 3rd-party SSL VPN plugin profile. Defines a group of settings applied to SSL VPN profile provisioning. Supported operations are Get and Add.

THIRDPARTY/NAME
Required node if THIRDPARTY is defined for SSL VPN profile provisioning. Supported operations are Get and Add. Valid values are:
• JunOS Pulse
• SonicWall Mobile Connect
• F5 Big-IP Edge Client
• Checkpoint Mobile VPN

THIRDPARTY/APPID
Optional node, but required if the enterprise is pushing a 3rd-party SSL VPN plugin app from the private enterprise storefront. This would be a ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise-approved plugin is initialized. Supported operations are Get, Add, Replace, and Delete. This is a String type node.

THIRDPARTY/CUSTOMCONFIGURATION
Optional node. This is an XML blob for SSL VPN plugin-specific configuration that is pushed to the device to make available for SSL VPN plugins. Supported operations are Get, Add, Replace, and Delete. This is XML format of type CHAR.

THIRDPARTY/CustomStoreURL
Optional node, but required if the enterprise is pushing a 3rd-party SSL VPN plugin app from the private enterpr
d a Handheld 8.1-powered device during the OOBE phase.

Components of an NFC tag and an NFC-enabled device tag

This section describes the components of an NFC tag and an NFC-enabled device tag. Use an NFC tag for minimal provisioning, and use an NFC-enabled device tag for larger provisioning XML files.

NFC tag components

NFC tags are suitable for very light applications where minimal provisioning is required. The size of NFC tags that contain provisioning XML files is typically 4 KB to 10 KB. To write to an NFC tag, you will need to use an NFC Writer tool, or you can use the ProximityDevice class API to write your own custom tool to transfer your provisioning XML file to your NFC tag. The tool must publish a binary message (write a Chunk data type) to your NFC tag. The following table describes the information that is required when writing to an NFC tag.

Required field | Description
Type | Windows:WEH:PreStageProv:Chunk. The receiving device uses this information to understand information in the Data field.
Data | Tag data in UTF-8 format that has the Byte Order Mark (BOM) removed.

The following example shows how to write to an NFC tag. This example assumes that the tag is already in range of the writing device.

private void WriteProvXMLFileToTag(String provXMLFile)
{
    proximityDevice = Windows.Networking.Proximity.ProximityDevice.GetDefault();
    if (proximityDevice != null)
    {
        var dataWriter = new Windows.Storage.Streams.Data
d>
  <CmdID>10</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/Options/UseSSL</LocURI>
    </Target>
    <Data>1</Data>
  </Item>
</Add>
<Replace>
  <CmdID>11</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/Options/Schedule</LocURI>
    </Target>
    <Data>15</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>12</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/Options/MailAgeFilter</LocURI>
    </Target>
    <Data>3</Data>
  </Item>
</Replace>
</Atomic>

CertificateStore configuration service provider (Updated in Windows Phone 8.1)

The following diagram shows the CertificateStore configuration service provider management object in tree format.

[Diagram: CertificateStore configuration service provider tree; not recoverable from the extraction.]

Root/System
Defines the certificate store that contains root or self-signed certificates. Supported operation is Get.

CA/System
Defines the certificate store that contains cryptographic information, including intermediary certification authorities. Supported operation is Get.

My/User
Defines the certif
dded 8.1 Handheld devices. File contents are embedded directly into the SyncML message, so there is a limit to the size of the file that can be retrieved from the device. The default limit is 100000 (1 MB). You can configure this limit by using the following registry key: Software\Microsoft\Provisioning\CSPs\Vendor\MSFT\EnterpriseExtFileSystem\MaxFileReadSize.

The following image shows the EnterpriseExtFileSystem configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM).

[Diagram: ./Vendor/MSFT/EnterpriseExtFileSystem tree (Persistent and Non-persistent folders, each with File/directory nodes and filename children; OMA DM only and OMA DM and OMA Client Provisioning markers; per-file Size, Type, TStamp, Name, Format and MsftSystemAttributes leaves); the layout is not recoverable from the extraction.]

./Vendor/MSFT/EnterpriseExtFileSystem
The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations: Add and Get.

Persistent
The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete, and list files in this folder. Anything stored in the persistent folder can be backed up before a device is wiped. If it is backed up, it will be restored when the device boots again.
de.

Example

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <ActionCenter enabled="false"/>
    <Apps>
      <!-- Settings -->
      <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}">
        <PinToStart>
          <Size>Large</Size>
          <Location>
            <LocationX>0</LocationX>
            <LocationY></LocationY>
          </Location>
        </PinToStart>
      </Application>
      <!-- Phone Apps -->
      <Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5611}">
        <PinToStart>
          <Size>Small</Size>
          <Location>
            <LocationX>2</LocationX>
            <LocationY>2</LocationY>
          </Location>
        </PinToStart>
      </Application>
    </Apps>
    <Buttons>
      <ButtonLockdownList>
        <Button name="Start">
          <ButtonEvent name="Press"/>
        </Button>
        <Button name="Back">
          <ButtonEvent name="Press"/>
          <ButtonEvent name="PressAndHold"/>
        </Button>
        <Button name="Search">
          <ButtonEvent name="All"/>
        </Button>
        <Button name="Camera">
          <ButtonEvent name="Press"/>
          <ButtonEvent name="PressAndHold"/>
        </Button>
        <Button name="Custom1">
          <ButtonEvent name="Press"/>
          <ButtonEvent name="PressAndHold"/>
        </Button>
        <Button name="Custom2">
          <ButtonEvent name="Pres
de characters without the necessary escaping are not supported.

NOTE 8: The <name>name_goes_here</name> inside <SSIDConfig> must match <SSID><name>name_goes_here</name></SSID>.

NOTE 9: Windows Phone does not support EapHostUserCredentials for the Enterprise Wi-Fi WlanXml blob.

The following diagram shows the Wi-Fi configuration service provider in tree format.

[Diagram: ./Vendor/MSFT/WiFi tree with Profile, <SSID>, WlanXml and Proxy nodes; the layout is not recoverable from the extraction.]

Profile
Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the phone to connect to that network, for example the SSID, authentication and encryption methods, and passphrase in case of WEP or WPA2 networks. Supported operation: Get.

<SSID>
The SSID of the Wi-Fi network (maximum length 32 bytes, case sensitive). This can be represented in ASCII. Supported operations: Get. SSID is added when the WlanXml node is added and deleted when WlanXml is deleted.

WlanXml
This is the XML describing the network configuration and follows the Windows WLAN profile schema (MSDN documentation). Supported operations: Get, Add, Delete, Replace.

Proxy
A proxy server host and port can be specified per connection for Windows Phone. The format is host:port, where host can be one of the following:
• a registered host name, such as a server name, FQDN, or Single Label Name (SLN), such as "myweb" instead of "myweb.contoso.com"
• IPv4 address
• IPv6/IPvFuture addr
define the correct identity values in your app's manifest (Representing your app to Live Connect). The Store created these values when you reserved your app's name. Make sure they are set correctly in your app's manifest before you test your app with WNS or Live Connect services or upload it to the Store. If you uploaded your app to the Store already, your app's identity values are already set correctly. After your app's identity values have been set correctly, go to Authenticating your service.

Set your app's identity values by using Visual Studio Express 2013 for Windows

With your project open in Visual Studio, go to Solution Explorer and right-click the project node (the node that has your project's name). Then point to Store, click Associate App with the Store, and finish the wizard.

Set your app's identity values manually

Open your app's AppManifest.xml file in a text editor and set these attributes of the <Identity> element using the values shown here.

[Table: <Identity> attribute values (Name, Publisher); the values are not recoverable from the extraction.]

Authenticating your service

In Visual Studio, select Build > Deploy Solution. If you previously did not get your Developer License, you may be prompted to do so again at this point. In the console output there will be a reference to the Package Full Name. This is the superset of the PFN that you should send to the device.

c:\users\<username>\docu
dition to the policy for RequireProtectionUnderLockConfig, the management server must also define a list of email domains associated with its enterprise email infrastructure. This will ensure that the protection policy only applies to corporate accounts and that private email accounts will not be affected. Note that this policy breaks the conversation view on EAS versions older than 14.0. If you want to use this policy on EAS versions older than 14.0, then you should disable the conversation view.

The following SyncML sample shows how to enable email data protection under lock:

<Replace>
  <CmdID>3</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/My/DataProtection/RequireProtectionUnderLockConfig</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>0</Data>
  </Item>
</Replace>

The following SyncML sample shows how to provision the required protected domains that define the set of accounts on the device that would be protected under lock:

<Replace>
  <CmdID>3</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/My/DataProtection/EnterpriseProtectedDomainNames</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type xmlns="syncml:metinf">text/plain</Type>
    </Meta>
    <Data>email
e. This feature may cause the device to fail or lose connectivity and require that the device be serviced at a Nokia-authorized repair center to reset to factory settings. Microsoft is not liable for any damage to the device or any loss of productivity that results from use of this feature. Microsoft requires that software vendors provide disclaimers to users when their products expose this feature and its capabilities.

PLEASE READ ALL NOTES ASSOCIATED WITH ASSIGNED ACCESS BEFORE PROCEEDING
• Assigned access should be used together with application allow/deny lists and restrictive policy controls. You may be able to deep-link into settings or applications based on file handling. The combination of PolicyManager settings management, application management, and lockdown helps create the most secure locked-down experience.
• Once an EnterpriseAssignedAccess has been provisioned to a device, the only way to remove this functionality is to reset the device to factory settings through Settings > about > reset, or through hardware key combinations.
• It is possible that specific combinations of EnterpriseAssignedAccess and device policies through PolicyManager may render the device unusable. For example, if hardware key reset combinations are disabled, the device must be sent to a factory-authorized repair center for repair to remove EnterpriseAssignedAccess functionality.
• On every reboot, the AssignedAccess XML will be reapplied and any user settings or opt
notification will expire after the time has passed. Please see this MSDN article for more details on Push notification service request and response headers. For more information and sample code to build the server-side components that initiate raw push notifications, please see these MSDN articles on Push notification overview and Sending a push notification.

Please note the following restrictions related to push notifications and WNS:
• All push notifications are delivered by best effort. The notification is not guaranteed to be delivered to the device.
• Push for device management uses raw push notifications. This means that these raw push notifications do not support or utilize push notification payloads.
• Each ChannelURI has a limit of 150 push notifications per hour.
• Receipt of push notifications is sensitive to the Battery Sense and Data Sense settings on the device. For example, if the battery drops below certain thresholds, the device's persistent connection with WNS will be terminated. Additionally, if the user is utilizing Data Sense and has exceeded their monthly allotment of data, the device's persistent connection with WNS will also be terminated.
• A ChannelURI provided to the management server by the device is only valid for 30 days and can be revoked prior to the lapse of the 30 days. The device will automatically renew the ChannelURI after 15 days and trigger a management session on successful renewal of the ChannelURI.
all Windows Phone supported enterprise policies, both new policies added in Windows Phone 8.1 and previous policies supported by Windows Phone 8 and handled by other CSPs. It is recommended that the MDM server use this centralized CSP to configure any company policies. The CSP has two major sub-categories:
• The PolicyManager/My/<Area>/<policy name> path handles the policy configuration request coming from the server.
• The PolicyManager/Device/<Area>/<policy name> path is read-only and reflects the policy values that are enforced on the device.
Please note that configuration of policies for the same <Area> must be wrapped within an Atomic command. Refer to the Examples section for some sample XML.

The following diagram shows the PolicyManager configuration service provider in tree format.

./Vendor/MSFT/PolicyManager
• Description: Policy Manager CSP root node
• Format: node
• Supported operations: Get
• Occurrence: One
• Type: This is a predefined MIME type to identify this managed object in OMA DM syntax: com.microsoft/1.0/WindowsPhone/PolicyManagerMO

./Vendor/MSFT/PolicyManager/My
MICROSOFT
• Description: An interior node that indicates that policies provisioned by a specific provider are to be retrieved, modified, or deleted
• Format: node
• Supported operations: Get
• Occurrence: One

./Vendor/MSFT/PolicyManager/My/<area name>
• Description: An interior node grouping all policies that can be configured by
device.

PersistData/PersistProvisionedData
Indicates whether to retain provisioned data when the user resets a device. Set to 0 if you do not want to persist provisioned data; set to 1 to persist it.
Note: PersistProvisionedData works with the RemoteWipe configuration service provider on Windows Phone OS. When executed, PersistProvisionedData backs up the persistent store folder so that the RemoteWipe configuration service provider can wipe the device. The information that was backed up is restored to the device when it resumes.

Clock/TimeZone
A string that specifies the time zone of the device. The following table shows the possible values.

Value   Time zone
0       (UTC-12:00) International Date Line West
100     (UTC+13:00) Samoa
110     (UTC-11:00) Coordinated Universal Time-11
200     (UTC-10:00) Hawaii
300     (UTC-09:00) Alaska
400     (UTC-08:00) Pacific Time (US & Canada)
410     (UTC-08:00) Baja California
500     (UTC-07:00) Mountain Time (US & Canada)
510     (UTC-07:00) Chihuahua, La Paz, Mazatlan
520     (UTC-07:00) Arizona
600     (UTC-06:00) Saskatchewan
610     (UTC-06:00) Central America
620     (UTC-06:00) Central Time (US & Canada)
630     (UTC-06:00) Guadalajara, Mexico City, Monterrey
700     (UTC-05:00) Eastern Time (US & Canada)
710     (UTC-05:00) Bogota, Lima, Quito
720     (UTC-05:00) Indiana (East)
Further values listed on this page, whose time zone entries are cut off: 800 810 820 830 840 850 900 910 920 930 940 950 960 1000 1010 1100 1110 1200 1210 1220 1230 1300 1310 1320 1330 1340 1350 1360 1400 1410 1420 1430 1440 1450 1460 1470 1480
exists.
Exec: Invokes an executable on the phone.
Get: Retrieves data from the phone. For interior nodes, the child node names in the Data element are returned in URI-encoded format.
Replace: Overwrites data on the phone.
Result: Returns the data results of a Get command to the DM server.
Sequence: Specifies the order in which a group of commands must be processed.
Status: Indicates the completion status (success or failure) of an operation.

If an XML element that is not a valid OMA DM command is under one of the following elements, the status code 400 is returned for that element:
• SyncBody
• Atomic
• Sequence
If no CmdID is provided in the DM command, the client returns blank in the status element and the status code 400. If Atomic elements are nested, the following status codes are returned:
• The nested Atomic command returns 500.
• The parent Atomic command returns 507.
Note: Performing an Add command followed by Replace on the same node within an Atomic element is not supported. LocURI cannot start with "/". The Meta XML tag in SyncHdr is ignored by the phone.

OMA DM standard that is supported
OMA DM standard objects:
• DevInfo
• DevDetail
• OMA DM DMS account objects (OMA DM version 1.2)
Security:
• Authenticate DM server initiation notification SMS message (not used by enterprise management)
• Application layer Basic and MD5 client authentication
• Authenticate server with MD5 credential at application level
• Data integrity and
provided Device ID.
Subject: Subject CN 3DB1C43CD0 1624 5FBB 8E54 34CF17DFD3A1 x00

EnterpriseID/Status
Required. The integer value that indicates the current status of the application enrollment. Valid values are 0 (ENABLED), 1 (INSTALL_DISABLED), 2 (REVOKED), and 3 (INVALID). Scope is dynamic. Supported operation is Get.

EnterpriseID/CRLCheck
Optional. Character value that specifies whether the phone should do a CRL check when using a certificate to authenticate the server. Valid values are 1 (CRL check required) and 0 (CRL check not required). Scope is dynamic. Supported operations are Get, Add, and Replace.

EnterpriseID/EnterpriseApps
Required. The root node for individual enterprise application related settings. Scope is dynamic; this node is automatically created when EnterpriseID is added to the configuration service provider. Supported operation is Get.

EnterpriseApps/Inventory
Required. The root node for individual enterprise application inventory settings. Scope is dynamic; this node is automatically created when EnterpriseID is added to the configuration service provider. Supported operation is Get.

Inventory/ProductID
Optional. A node that contains a single enterprise application product ID in GUID format. Scope is dynamic. Supported operation is Get.

Inventory/ProductID/Version
Required. The character string that contains the current version of the installed enterprise application. Scope is dynamic. Supported
that information to identify whether it is a Windows Phone 8 or Windows Phone 8.1 device.

Appendix: XSD for ApplicationRestriction policy in PolicyManager

<?xml version="1.0" encoding="utf-8"?>
<xs:schema id="AppPolicy_xsd" attributeFormDefault="unqualified" elementFormDefault="qualified"
    xmlns:xs="http://www.w3.org/2001/XMLSchema"
    targetNamespace="http://schemas.microsoft.com/phone/2013/policy"
    xmlns="http://schemas.microsoft.com/phone/2013/policy"
    xmlns:m="http://schemas.microsoft.com/phone/2013/policy">
  <!-- Non-empty string must have a non-whitespace character at the beginning and end -->
  <xs:simpleType name="ST_NonEmptyString">
    <xs:restriction base="xs:string">
      <xs:minLength value="1"/>
      <xs:maxLength value="32767"/>
      <xs:pattern value="NS Ts XS"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="ST_Publisher">
    <xs:restriction base="xs:string">
      <xs:maxLength value="256"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:simpleType name="CT_LowerCaseGuid">
    <xs:annotation>
      <xs:documentation>GUID must use lowercase letters</xs:documentation>
    </xs:annotation>
    <xs:restriction base="ST_NonEmptyString">
      <xs:pattern value="[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}"/>
    </xs:restriction>
  </xs:simpleType>
  <xs:complexType name="CT_
transport (for example, Short Message Service (SMS), Post Office Protocol (POP), or Simple Mail Transfer Protocol (SMTP)) might have stored are lost. If an attempt to create a new email account is unsuccessful, the new account is automatically deleted. If an attempt to edit an existing account is unsuccessful, the original configuration is automatically rolled back (restored).

For OMA DM, the EMAIL2 configuration service provider handles the Replace command differently from most other configuration service providers. Configuration Manager implicitly adds the missing part of the node to be replaced, or any segment in the path of the node, if it is left out in the <LocURI></LocURI> block.

There are separate parameters defined for the outgoing server logon credentials. The following are the usage rules for these credentials:
• The incoming server logon credentials (AUTHNAME, AUTHSECRET, and DOMAIN) are used unless the outgoing server credentials are set.
• If some but not all of the outgoing server credential parameters are present, the EMAIL2 configuration service provider will be considered in error.

The phone supports Transport Layer Security (TLS), but this cannot be explicitly enabled through this configuration service provider, and the user cannot enable TLS through the UI. If the connection to the mail server is initiated with deferred SSL, the mail server can send STARTTLS as a server capability and TLS will be enabled. The following
eStore CSP's ROBOSupport node under CertificateStore/My/WSTEP/Renew URL. For information about Renew related configuration settings, refer to the CertificateStore configuration service provider (Updated in Windows Phone 8.1).
Note 3: Unlike manual certificate renew, where there is an additional b64 encoding of the PKCS#7 message content, with automatic renew the PKCS#7 message content isn't b64 encoded separately.
Note 4: During the automatic cert renew process, if the root certificate isn't trusted by the device, the authentication will fail. Make sure to use one of the device pre-installed root certificates, or provision the root cert over a DM session via the CertificateStore configuration service provider.
Note 5: During the automatic cert renew process, the device will deny an HTTP redirect request from the server unless it is the same redirect URL that the user explicitly accepted during the initial MDM enrollment process.
Note 6: The renewal process follows the same steps as device enrollment, which means that it starts with the Discovery service, followed by the Enrollment policy service, and then the Enrollment web service.

Here is a sample to illustrate the details of an automatic certificate renewal request:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
    xmlns:a="http://www.w3.org/2005/08/addressing"
    xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnd
ed as part of the XML, unlike the following sample excerpt, which does not include other top-level fields.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <Settings>
      <System name="Microsoft.About"/>
      <Application name="Microsoft.Phone"/>
    </Settings>
  </Default>
</HandheldLockdown>

Action Center
Action Center includes both quick settings and notifications that users can quickly access. You can manage this feature.
ActionCenter: Required. Supports enabled="true" or enabled="false".

Action Center Sample XML Excerpt
Note that all top-level fields under <Default> must be included as part of the XML, unlike the following sample excerpt, which does not include other top-level fields.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <ActionCenter enabled="true"/>
  </Default>
</HandheldLockdown>

Menu items
The start screen allows for a menu to be shown to help the user configure and customize their start screen. The menu can be triggered by pressing and holding start screen applications or tiles. This includes resizing tiles, moving their placement, and pinning additional tiles to start. To prevent this experience from being exposed, in order to more fully lock down this experience, Menu Items can be disabled.
MenuItems: Required.
MenuItems Disable
efault value is 86400000. You can set this parameter.

NAME
Optional. The NAME parameter is used in the APPLICATION characteristic to specify a user-readable application identity. This parameter is used to define part of the registry path for the APPLICATION parameters. You can set this parameter. The NAME parameter can be a string or null (no value). If no value is specified, the registry location will default to <unnamed>.

PROTOVER
Optional. The PROTOVER parameter is used in the APPLICATION characteristic to specify the OMA DM protocol version the server supports. No default value is assumed. The protocol version set by this node will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this node is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. In Windows Phone this is 1.2. This is a Microsoft custom parameter. You can set this parameter.

PROVIDER-ID
Optional. The PROVIDER-ID parameter is used in the APPLICATION characteristic to differentiate OMA DM servers. It specifies the server identifier for a management server used in the current management session. This parameter takes a string value. You can set this parameter.

ROLE
Optional. The ROLE parameter is used in the APPLICATION characteristic to specify the security application chamber the DM session should run with when communicating with the DM server. For enterp
em>
</Get>

VPN configuration service provider (New in Windows Phone 8.1)
Windows Phone 8.1 supports both IKEv2 VPN and SSL VPN profiles. Refer to http://technet.microsoft.com/en-us/library/ff687731(v=ws.10).aspx for server IKEv2 IPsec configuration.
Note 1: For a VPN that requires a client certificate, the server MUST enroll the needed client certificate first, before pushing down the VPN profile, to ensure a functional VPN profile on the device. This is particularly critical for Forced channel VPN.
Note 2: VPN configuration commands should be wrapped with an Atomic DM command. Refer to the example in this section.
Note 3: Only one VPN profile provisioning per OMA request is supported. Multiple VPN profiles per OMA message request are not supported.
Note 4: Name-based triggering of VPN connections is not supported.
Note 5: You can only use the Replace command if the setting is already configured. For first-time configurations, use the Add command.

./Vendor/MSFT/VPN
Configuration Service Provider root node.

./Vendor/MSFT/VPN/<profile>
Unique alphanumeric identifier for the profile. Supported operations include Get, Add, Replace, and Delete. Note that the profile name must not include a forward slash.

SERVER
Required node. Public routable IP address or DNS name for the VPN gateway server farm. It can point to the external IP of a gateway or a virtual IP for a server farm. Type: chr. Supported operations: Get, Add, an
en 0
    // Encrypt in place; hHash = 0 and dwFlags = 0, Final = TRUE for the last (only) block
    CryptEncrypt(hKey, 0, TRUE, 0, pData, &nInputSize, nBufferSize);
    CryptDestroyKey(hKey);
    CryptReleaseContext(hProv, 0);
    // Base64-encode the ciphertext for transport in the provisioning file
    Base64Encode(pbEncrypted, nEncryptedSize, (LPSTR)pbOutput, &nEncodedSize);

Similarly, the following sequence of CryptoAPI calls is used on the device to decrypt the provisioning file which was encrypted by the server.

Important note: The pbData parameter passed to CryptEncrypt should point to UTF-16 (WCHAR) characters and not UTF-8 ones.

The data is first base64 decoded; pbInput is a pointer to the raw bytes of the encrypted file:

    Base64Decode((LPCSTR)pbInput, nInputSize, pbDecoded, &nDecodedSize);

Next, a sequence of CryptoAPI calls:

    CryptAcquireContext(&hProv, NULL, MS_ENH_RSA_AES_PROV, PROV_RSA_AES, CRYPT_VERIFYCONTEXT);
    CryptCreateHash(hProv, CALG_SHA_256, 0, 0, &hHash);
    // The data being hashed is a password provided via a Splash password box by the user
    CryptHashData(hHash, pbKey, nKeySize, 0);
    // Derive the AES-128 session key from the password hash
    CryptDeriveKey(hProv, CALG_AES_128, hHash, 0, &hKey);
    CryptDestroyHash(hHash);
    // Decrypt in place; nPlainSize holds the ciphertext length on input and the plaintext length on return
    CryptDecrypt(hKey, 0, TRUE, 0, pData, &nPlainSize);
    CryptDestroyKey(hKey);
    CryptReleaseContext(hProv, 0);

Set time to sync automatically over Wi-Fi (Handheld 8.1)
If you are building a Wi-Fi-only image, or if you plan to provision your devices without SIM cards, you cannot use the Network Identity and Time Zone (NITZ) method for setting and syncing the time. NITZ is a commo
VPN configuration service provider (New in Windows Phone 8.1) ... 158
Examples ... 165
VPN Single sign-on configuration ... 171
WiFi configuration service provider (New in Windows Phone 8.1) ... 172
Best Practices ... 173
Examples ... 174
RemoteLock configuration service provider (New in Windows Phone 8.1) ... 178
Examples ... 180
RemoteRing configuration service provider (New in Windows Phone 8.1) ... 181
Example ... 181
DeviceInstanceService configuration service provider ... 181
Examples ... 185
EnterpriseAssignedAccess configuration service provider (New in Windows Phone 8.1) ... 185
First party application Products ... 187
Button lockdown examples ... 189
Settings/System/Application settings lockdown ... 190
Action Center ... 192
Menu items ... 192
Start screen size ... 193
Sample AssignedAccess XML
enewPeriod</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>60</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>4</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/RetryInterval</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>4</Data>
  </Item>
</Replace>
</Atomic>

DevDetail configuration service provider
This CSP is based on the OMA DM standard management object DevDetail; we extend it to provide more useful phone information for the management server. The following diagram shows the DevDetail configuration service provider management object in tree format. All nodes in this CSP support only the Get command.

DevDetail
  SwV
  Hw
  LrgObj
  Ext/Microsoft
    MobileID
    LocalTime
    OSPlatform
    ProcessorType
    RadioSwV
    Resolution
    CommercializationOperator
    ProcessorArchitecture
    DeviceName
    WLANMACAddress
    VoLTEServiceSetting
    WlanIPv4Address
    WlanIPv6Address
    WlanDnsSuffix
    WlanSubnetMask

DevTyp
Required. Returns the phone model name as a string.

OEM
Required. Returns the name of the Original Equipment Manufacturer (OEM) as a string, as defined in the specification SyncML Device Information, version 1.1.2.

FwV
entication/Method</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>EAP</Data>
  </Item>
</Add>
<Add>
  <CmdID>8005</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPN/EapMsChapv2/Authentication/EAP</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;
        xmlns:eapCommon=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;
        xmlns:baseEap=&quot;http://www.microsoft.com/provisioning/BaseEapMethodConfig&quot;
        xmlns:msChapV2=&quot;http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;
      &lt;EapMethod&gt;
        &lt;eapCommon:Type&gt;26&lt;/eapCommon:Type&gt;
        &lt;eapCommon:AuthorId&gt;0&lt;/eapCommon:AuthorId&gt;
      &lt;/EapMethod&gt;
      &lt;Config xmlns:baseEap=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;
          xmlns:msPeap=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;
          xmlns:msChapV2=&quot;http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;
        &lt;baseEap:Eap&gt;
          &lt;baseEap:Type&gt;
equired. The root node for all settings that belong to a single management server. Scope is permanent. Supported operation is Get.

Provider/<ProviderID>
Required. This node contains the URI-encoded value of the bootstrapped device management account's Provider ID. Scope is dynamic. Supported operations are Get and Add. As a best practice, use text that doesn't require XML/URI escaping.

<ProviderID>/EntDeviceName
Optional. Character string that contains the user-friendly device name used by the IT admin console. The value is set during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session. Supported operations are Get and Add.

<ProviderID>/EntDMID
Optional. Character string that contains the unique enterprise device ID. The value is set by the management server during the enrollment process by way of the DMClient configuration service provider. You can retrieve it later during an OMA DM session. Supported operations are Get and Add.
Note 1: Although hardware device IDs are guaranteed to be unique, there is a concern that this is not ultimately enforceable during a DM session. The device ID could be changed through the w7 APPLICATION configuration service provider's USEHWDEVID parm by another management server. So, during enterprise bootstrap and enrollment, a new device ID is specified by the enterprise server.
Note 2: This node is required and must be set
er needs to delete the old account used by another user and add a new account.

Question: Unenrollment (disassociation) seems to happen during a normal maintenance session. Can an unenrollment command be pushed to the phone?
Answer: Server push is not supported in Windows Phone 8. Server push via WNS is supported in Windows Phone 8.1.

Question: Are the enterprise apps installed through the MDM server removed when the phone is unenrolled?

Question: Can a user be prevented from unenrolling or unregistering?
Answer: Not supported in Windows Phone 8. The user has the final authority to decide whether to disassociate the phone from company use. For Windows Phone 8.1, the MDM server could push down a policy to disallow the user from unenrolling the created workplace account from the UI.

Question: What is the behavior when the phone is locked? Is it going to connect to the MDM server when it is locked at a sync interval? If so, can we push enterprise profiles when the phone is locked?
Answer: The device lock will not prevent the phone from connecting back to the MDM server at the scheduled sync interval. So yes, you can push settings to the phone when the phone is locked.

Question: What kinds of errors are reported by the phone while the MDM server configures the phone?
Answer: During a DM session the phone reports various error codes depending on which DM command is sent by the server. For information about common errors the phone could send, see the OMA DM representation doc. Most are very straightforward.

Question: Is t
erations are Get, Add, and Delete.

Remarks
Typical OMA DM session with the NodeCache CSP:
1. Phone connects to a DM server.
2. Server queries the NodeCache version by issuing a GET operation for the ./Vendor/MSFT/NodeCache/<ProviderID>/CacheVersion LocURI.
3. If the phone's CacheVersion and the server-side cache differ (due to reasons such as a phone crash or server crash), the server can clear the server-side cache and go to step 5.
4. Server updates the server-side cache:
   a. Sends a GET operation for the ./Vendor/MSFT/NodeCache/<ProviderID>/ChangedNodes LocURI.
   b. The response is a list of changed node IDs. Each ID in the list corresponds to a node under the ./Vendor/MSFT/NodeCache/<ProviderID>/Nodes root.
   c. For each node in the invalid nodes list, the server sends a GET command to retrieve the actual value of the node: GET <NodeURI>, where NodeURI is a full device LocURI that corresponds to the invalid cache node.
   d. Nodes in the server-side cache are updated with the actual values received from the phone.
   e. For each updated node, a REPLACE command is sent to the phone to update the phone-side cache: REPLACE ./Vendor/MSFT/NodeCache/<ProviderID>/Nodes/<NodeID>/ExpectedValue -> ActualValue.
   f. A new cache version is created and sent to the phone: REPLACE ./Vendor/MSFT/NodeCache/<ProviderID>/CacheVersion -> new version.
5. Management server retrieves the corresponding value from the server-side cache. T
erentUsername&gt;
      &lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;true&lt;/PerformServerValidation&gt;
      &lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/EapTlsConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt;
      &lt;/EapType&gt;
      &lt;/Eap&gt;
      &lt;/Config&gt;
      &lt;/EapHostConfig&gt;</Data>
  </Item>
</Add>
<Add>
  <CmdID>8006</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPN/EapTls/Policies/ConnectionType</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>Manual</Data>
  </Item>
</Add>
<Add>
  <CmdID>8007</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/VPN/EapTls/SecuredResources/NetworkAllowedList/Networks0080</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>192.168.0.0/16</Data>
  </Item>
</Add>
</Atomic>
<Final/>
</SyncBody>
</SyncML>

VPN profile using EAP-TLS authentication method

<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
<Atomic>
  <CmdID>8000</CmdID>
  <Add>
    <CmdID>8001</CmdID>
    <Item>
      <Target
error code during the renew process. Datatype of this node value is int. Supported operation is Get.

Examples
Adding a root certificate via the MDM server:

<Add>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedHere>/EncodedCertificate</LocURI>
    </Target>
    <Data>B64EncodedCertInsertedHere</Data>
    <Meta>
      <Format xmlns="syncml:metinf">b64</Format>
    </Meta>
  </Item>
</Add>

Iterating all installed client certificates:

<Get>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/CertificateStore/My/User?list=StructData</LocURI>
    </Target>
  </Item>
</Get>

Deleting a root certificate:

<Delete>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/CertificateStore/Root/System/<CertificateHashInsertedHere></LocURI>
    </Target>
  </Item>
</Delete>

Configuring the device to enroll a client certificate via SCEP
Please note: SCEP certificate enrollment configuration request DM commands should be wrapped within an Atomic command to make sure enrollment execution isn't triggered until all settings are configured.

<Atomic>
  <CmdID>100</CmdID>
  <Add>
    <CmdID>1</CmdID>
    <Item>
      <Target>
ers xsi:nil="true"/>
        </privateKeyAttributes>
        <supersededPolicies xsi:nil="true"/>
        <privateKeyFlags xsi:nil="true"/>
        <subjectNameFlags xsi:nil="true"/>
        <enrollmentFlags xsi:nil="true"/>
        <generalFlags xsi:nil="true"/>
        <hashAlgorithmOIDReference>0</hashAlgorithmOIDReference>
        <rARequirements xsi:nil="true"/>
        <keyArchivalAttributes xsi:nil="true"/>
        <extensions xsi:nil="true"/>
      </attributes>
    </policy>
  </policies>
</response>
<cAs xsi:nil="true"/>
<oIDs>
  <oID>
    <value>1.3.14.3.2.29</value>
    <group>1</group>
    <oIDReferenceID>0</oIDReferenceID>
    <defaultName>szOID_OIWSEC_sha1RSASign</defaultName>
  </oID>
</oIDs>
</GetPoliciesResponse>
</s:Body>
</s:Envelope>

SOAP faults
If the web service cannot process the request, a SOAP fault is returned with a specific fault code and reason:
MessageFormatFault: GetPolicies format is invalid
AuthenticationFault: Failed authentication
AuthorizationFault: Failed authorization
InternalServerFault: Internal error, such as SQL down
ClientVersionFault: Unsupported version of client

Certificate enrollment web service
Description: This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client, requests the certificate from the
erstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
    <a:MessageID>urn:uuid:61a17f2c-42e9-4a45-9c85-f15c1c8baee8</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://dm.contoso.com/EnrollmentService/DeviceEnrollmentService.svc</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="0">
        <u:Created>2011-07-11T19:49:08.579Z</u:Created>
        <u:Expires>2011-07-11T19:54:08.579Z</u:Expires>
      </u:Timestamp>
      <o:UsernameToken u:Id="uuid-2a734df6-b227-4e60-82a8-ed53c574b718-5">
        <o:Username>user@contoso.com</o:Username>
        <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText"></o:Password>
      </o:UsernameToken>
    </o:Security>
  </s:Header>
  <s:Body>
    <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
      <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
      <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
      <BinarySecurityToken ValueType="http://docs.oasis-open.org
ervice provider (New in Windows Phone 8.1)
The RemoteLock CSP supports the ability to lock a device that has a PIN set on the device, or to reset the PIN on a device that may or may not have a PIN set. The following diagram shows the RemoteLock configuration service provider in a tree format.

RemoteLock
  Lock
  LockAndResetPIN
  NewPINValue

RemoteLock/Lock
Required. The node accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM 405 Forbidden error is returned over the management channel. All OMA DM errors are listed here in the protocol specification. The supported operation is Exec.

Status   Description                                                              Standard meaning
200      OK. Device was successfully locked.                                      The command and the associated Alert action are completed successfully.
405      Device could not be locked because there is no PIN currently set on the device.   The requested command is not allowed on the target.
500      Command failed. Device was not locked for some unknown reason.           Non-specific errors were created by the recipient while attempting to complete the command.

RemoteLock/LockAndResetPIN
This node can be used to lock and reset the PIN on the device. It is used in conjunction with the NewPINValue node. After <Exec> has been called on this node and succeeds, the previous PIN will no longer work or be recoverable in any way. The supported operatio
es a string value. You can set this value.

APPAUTH/AAUTHSECRET
Required. The AAUTHSECRET parameter is used in the APPAUTH characteristic to get or set the authentication secret used to authenticate the user. This parameter takes a string value.

APPAUTH/AAUTHTYPE
Optional. The AAUTHTYPE parameter of the APPAUTH characteristic is used to set the method of authentication. This parameter takes a string value. The valid values are listed below:
• BASIC specifies the SyncML DM syncml:auth-basic authentication type.
• DIGEST specifies the SyncML DM syncml:auth-md5 authentication type.
• When AAUTHLEVEL is CLIENT, AAUTHTYPE must be DIGEST. When AAUTHLEVEL is APPSRV, AAUTHTYPE can be BASIC or DIGEST.

APPID
Required. The APPID parameter is used in the APPLICATION characteristic to differentiate the types of available application services and protocols. This parameter takes a string value. The only valid value to configure the OMA Client Provisioning bootstrap APPID is w7.

BACKCOMPATRETRYDISABLED
Optional. The BACKCOMPATRETRYDISABLED parameter is used in the APPLICATION characteristic to specify whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr (not including the first time).
NOTE: This parameter doesn't contain a value. The existence of this parameter means backward compatibility retry is disabled. If the parameter is missing, it means backward compatibility retry is ena
...ess. If it is an IPvFuture address, then it must be specified as an IP literal (as an IPv6 address or IPvFuture), such as [2441:4880:28:3:204:76ff:f43f:6eb]:8080.

Supported operations: Get, Add, Delete, Replace.

Best Practices
NOTE: The <name>name goes here</name> element must match the <SSID><name>name goes here</name></SSID> element inside <SSIDConfig>.

Examples
Adding an open network with SSID MyNetwork and no proxy:

<Atomic>
  <CmdID>300</CmdID>
  <Add>
    <CmdID>301</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>&lt;?xml version=&quot;1.0&quot;?&gt;&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;/SSID&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;manual&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;open&lt;/authentication&gt;&lt;encryption&gt;none&lt;/encryption&gt;&lt;au
...estricted value is 0.

WiFi/...tReporting (policy name cut off on the page)
Allow or disallow Hotspot information reporting to Microsoft. Once disallowed, the user cannot turn it on. Values: 0 = Hotspot reporting is not allowed; 1 (default) = reporting is allowed. Most restricted value is 0. Supported by MDM.

WiFi/AllowManualWiFiConfiguration
Allow or disallow connecting to Wi-Fi outside of MDM server-installed networks. Values: 0 = no Wi-Fi connection outside of MDM provisioned networks is allowed; 1 (default) = adding new network SSIDs beyond the already MDM provisioned ones is allowed. Most restricted value is 0. Supported by MDM.

Connectivity/AllowNFC
Allow or disallow NFC. Only the MDM server can set this. Values: 0 = not allowed; 1 (default) = allowed. Most restricted value is 0. Supported by MDM.

Connectivity/AllowBluetooth
Set Bluetooth mode. Could be set by Exchange (EAS) policy as well; the definition is the same as Exchange. Values: 0 = disallow Bluetooth; 1 = not supported in Windows Phone 8.1 (disable Bluetooth but allow the configuration of hands-free profiles; NOTE: value 1 isn't supported in Windows Phone 8.1 for MDM and EAS); 2 (default) = allow Bluetooth.

Connectivity/AllowBluetoothSharing (new for GDR2)
Set to allow Bluetooth sharing. Values: 0 = do not allow Bluetooth sharing; 1 (default) = allow Bluetooth sharing.

Connectivity/AllowVPNRoamingOverCellular
This policy, when enforced, will prevent the device from connecting to VPN when the device roams. Values: 0 = not allowed; 1 (default) = allowed.

Secure o
...ete, the auth server SHOULD return an HTML form document with a POST method action of the appid identified in the query string parameter. For example:

HTTP/1.1 200 OK
Content-Type: text/html; charset=UTF-8
Vary: Accept-Encoding
Content-Length: 556

<!DOCTYPE>
<html>
<head>
<title>Working...</title>
<script>
function formSubmit() {
  document.forms[0].submit();
}
window.onload = formSubmit;
</script>
</head>
<body>
<!-- appid below in post command must be same as appid in previous client https request -->
<form method="post" action="ms-app://appid">
<p><input type="hidden" name="wresult" value="token value"/></p>
<input type="submit"/>
</form>
</body>
</html>

The server has to send a POST to a redirect URL of the form ms-app://string (the URL scheme is ms-app) as indicated in the POST method action. The security token value is the base64-encoded string (http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary) contained in the <wsse:BinarySecurityToken> EncodingType attribute. Windows Phone 8.1 does the binary encode when it sends it back to the enrollment server; in the form it is just HTML encoded. This string is opaque to the enrollment client; the client does not interpret the string.

The following example shows a response received from the discovery web service which requires authentic
...ettings application items can be managed to configure whether those options can be viewed in the settings page. Note that OEMs can configure additional settings CPLs, and these are not included in this list.

NOTE: The list of settings applications is an allow list. This means that if no settings are included in the AssignedAccess XML, then no settings applications will be listed.

Settings page | Settings type | name
about | System | Microsoft.About
ease of access | System | Microsoft.Accessibility
email+accounts | System | Microsoft.Accounts
advertising id | System | Microsoft.AdvertisingId
airplane mode | System | Microsoft.AirplaneMode
battery saver | System | Microsoft.BatterySaver
Bluetooth | System | Microsoft.Bluetooth
brightness | System | Microsoft.Brightness
Cellular+SIM | System | Microsoft.CellularConn
backup | System | Microsoft.CloudStorageCpl
workplace | System | Microsoft.CompanyAccount
date+time | System | Microsoft.DateTime
quiet hours | System | Microsoft.DoNotDisturb
driving mode | System | Microsoft.DrivingMode

The remaining rows of the table survive only as settings page names (their name column is cut off on the page): feedback, find my phone, kids corner, language, location, project my sc
...evel, use client certificate-based authentication.

The server MD5 nonce must be renewed in each DM session for the next DM session. The DM client sends the new server nonce for the next session to the server by using the Status element in every DM session. The MD5 binary nonce is sent over XML in B64-encoded format, but the octal form of the binary data should be used when the server calculates the hash.

For more information about Basic or MD5 client authentication, MD5 hash generation, and the MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A) and the OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the OMA website.

Enterprise OMA DM supported configuration service providers

The following configuration service providers are supported via OMA DM. See Configuration service provider reference for detailed descriptions of each configuration service provider.
- CertificateStore configuration service provider (updated in Windows Phone 8.1)
- DMS configuration service provider
- DMClient configuration service provider (updated in Windows Phone 8.1)
- EnterpriseAppManagement configuration service provider
- DeviceLock configuration service provider (superseded by PolicyManager configuration service provider)
- Storage configuration service provider (superseded by PolicyManager configuration service provider)
- DevInfo configuration se
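The nonce handling described above, as an added example that is not part of the Microsoft document: a server-side helper that issues a fresh binary nonce per session, hands it to the client as base64 text, and verifies the client's syncml:auth-md5 credential against the raw nonce bytes rather than the base64 form. The digest formula is the one I recall from OMA-TS-DM_Security (B64 of MD5 over "B64(MD5(user:password)):nonce"); the page only points at that specification, so treat the exact composition as an assumption to confirm against it. The class name DmServerAuth and the username and password are constructed for the example.

```python
import base64
import hashlib
import hmac
import os

# Added example (not from the Microsoft document): server-side handling of
# syncml:auth-md5 client authentication at the application level.
# Digest formula as recalled from OMA-TS-DM_Security (assumption, not quoted
# on this page):  B64( MD5( B64( MD5("user:pass") ) + ":" + nonce ) )
# where "nonce" is the raw binary nonce, not its base64 text form.


def md5_digest(username: str, password: str, nonce: bytes) -> str:
    """Compute the credential value that goes into Cred/Data."""
    inner = base64.b64encode(hashlib.md5(f"{username}:{password}".encode()).digest())
    outer = hashlib.md5(inner + b":" + nonce).digest()
    return base64.b64encode(outer).decode()


class DmServerAuth:
    """Tracks the per-device nonce the server issued for the *next* session."""

    def __init__(self, username: str, password: str):
        self._username = username
        self._password = password
        self._next_nonce = os.urandom(16)  # binary nonce for the next session

    def nonce_for_client(self) -> str:
        """Value to place in the Status NextNonce: base64 text on the wire."""
        return base64.b64encode(self._next_nonce).decode()

    def verify(self, cred_data: str) -> bool:
        """Check the Cred/Data the client sent, then renew the nonce.

        The nonce is renewed whether or not this session authenticated, so a
        captured credential cannot be replayed in a later session.
        """
        expected = md5_digest(self._username, self._password, self._next_nonce)
        ok = hmac.compare_digest(expected, cred_data)
        self._next_nonce = os.urandom(16)
        return ok


def client_cred(username: str, password: str, nonce_b64: str) -> str:
    """What the phone computes from the base64 nonce text it received last session."""
    return md5_digest(username, password, base64.b64decode(nonce_b64))


if __name__ == "__main__":
    server = DmServerAuth("dmuser", "s3cret")      # constructed credentials
    wire_nonce = server.nonce_for_client()          # sent in the previous session's Status
    print("session 1 auth:", server.verify(client_cred("dmuser", "s3cret", wire_nonce)))
    print("replay in session 2:", server.verify(client_cred("dmuser", "s3cret", wire_nonce)))
```

The second call fails because the server has already rotated to a new nonce; a server that forgets to rotate, or that hashes the base64 text instead of the decoded bytes, will either accept replays or reject every legitimate client.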
...faster/better Wi-Fi discoverability. Default is 0, but 0 is interpreted as the normal interval.

System/AllowStorageCard
Disable or enable SD card use. Values: 0 = SD card use is not allowed; 1 (default) = SD card use is allowed. Most restricted value is 0. Supported by MDM and EAS.

System/AllowTelemetry
Allow the device to send telemetry information such as SQM and Watson. Values: 0 = not allowed; 1 = allowed except for Secondary Data Requests; 2 (default) = allowed. Most restricted value is 0. Supported by MDM.

Experience/AllowCopyPaste
Specify whether copy and paste is allowed. Values: 0 = not allowed; 1 (default) = allowed. Most restricted value is 0. Supported by MDM.

Experience/AllowTaskSwitcher (new for GDR2)
This policy allows the company to disable the task switcher completely. It does not affect the back button action, just the visual switcher triggered by the hold-back-button action. Values: 0 = disable task switcher; 1 (default) = enable task switcher. Most restricted value is 0. Supported by MDM.

Accounts/AllowMicrosoftAccountConnection
Specify whether to allow using an MSA account for non-email-related connection authentication and services. Values: 0 = not allowed; 1 (default) = allowed. Most restricted value is 0. Supported by MDM.

Accounts/AllowAddingNonMicrosoftAccounts
Specify whether the user is allowed to manually add non-MSA email accounts. Values: 0 = not allowed; 1 (default) = allowed. Most restricted value is 0. Supported by MDM.

Security/Allow
...fined such that all traffic to these IP ranges will be secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN; otherwise they'll continue to connect directly. IP ranges are defined in the format 10.0.0.0/8.
Type: chr. Supported Operations: Get, Add, Replace, and Delete. Example: 172.31.0.0/16

SECUREDRESOURCES/NAMESPACEALLOWEDLIST
Optional node. This will be one or many namespaces defined such that all requests to the configured namespaces will be secured over VPN. Applications connecting to namespaces defined will be secured over VPN; otherwise they'll continue to connect directly. Namespaces are defined in the format corp.contoso.com. Restrictions such as wildcard entries or a bare "com" are not allowed. NETWORKALLOWEDLIST is still required for IKEv2 profiles for routing the traffic correctly over split tunnel.
Type: chr. Supported Operations: Get, Add, Replace, and Delete. Example: corp.contoso.com

SECUREDRESOURCES/DNSSUFFIXSEARCHLIST
Optional node. This will be one or many DNS suffixes that will be appended to shortname URLs for DNS resolution and connectivity.
Type: chr. Supported Operations: Get, Add, Replace, and Delete. Example: corp.contoso.com

POLICIES
Optional node. A collection of configuration objects to enforce profile-specific restrictions.

POLICIES/SPLITTUNNEL
Optional node. When this is false, all traffic goes to the VPN gateway in force tunnel mode. When this i
...g your app

To use push notifications from the Windows Push Notification Service (WNS) or to use Live Connect services, you must define the correct identity values in your app's manifest. The Store created these values when you reserved your app's name. Make sure they are set correctly in your app's manifest before you test your app with WNS or Live Connect services or upload it to the Store. If you uploaded your app to the Store already, your app's identity values are already set correctly. After your app's identity values have been set correctly, go to Authenticating your service.

Set your app's identity values by using Visual Studio Express 2013 for Windows
With your project open in Visual Studio, go to Solution Explorer and right-click the project node (the node that has your project's name). Then point to Store, click Associate App with the Store, and finish the wizard.

Set your app's identity values manually
Open your app's AppManifest.xml file in a text editor and set these attributes of the <Identity> element using the values shown here (the values themselves are shown in a screenshot that is not reproduced on this page):

<Identity Name="[Name value from the Store]" Publisher="[Publisher value from the Store]" />

Authenticating your service

The following information will be required in order to authenticate the server sending a raw Push notification request to the device once you <Get> the ChannelURI from the device.
...ger/My/ApplicationManagement/ApplicationRestrictions</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type xmlns="syncml:metinf">text/plain</Type>
        </Meta>
        <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Deny&#x3E;&#x3C;!-- Deny App: Bing News --&#x3E;&#x3C;App ProductId=&#x22;{9c3e8cad-6702-4842-8f61-b8b33cc9caf1}&#x22;/&#x3E;&#x3C;!-- Deny App: Skype --&#x3E;&#x3C;App ProductId=&#x22;{c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51}&#x22;/&#x3E;&#x3C;/Deny&#x3E;&#x3C;/AppPolicy&#x3E;</Data>
      </Item>
    </Replace>
  </Atomic>
  <Final/>
</SyncBody>
</SyncML>

Deny List: One denied application and one denied publisher, with two allowed application exceptions

<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
  <Atomic>
    <CmdID>1</CmdID>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type xmlns="syncml:metinf">text/plain</Type>
        </Meta>
        <Data>&#x3C;AppPolicy Version=&#x22;1&#x22;
...&gt;&lt;/MenuItems&gt;
&lt;Settings&gt;
&lt;System name=&quot;Microsoft.About&quot;/&gt;
&lt;System name=&quot;Microsoft.Accessibility&quot;/&gt;
&lt;System name=&quot;Microsoft.Accounts&quot;/&gt;
&lt;System name=&quot;Microsoft.AdvertisingId&quot;/&gt;
&lt;System name=&quot;Microsoft.AirplaneMode&quot;/&gt;
&lt;System name=&quot;Microsoft.BatterySaver&quot;/&gt;
&lt;System name=&quot;Microsoft.Bluetooth&quot;/&gt;
&lt;System name=&quot;Microsoft.Brightness&quot;/&gt;
&lt;System name=&quot;Microsoft.CellularConn&quot;/&gt;
&lt;System name=&quot;Microsoft.CloudStorageCpl&quot;/&gt;
&lt;System name=&quot;Microsoft.CompanyAccount&quot;/&gt;
&lt;System name=&quot;Microsoft.DateTime&quot;/&gt;
&lt;System name=&quot;Microsoft.DoNotDisturb&quot;/&gt;
&lt;System name=&quot;Microsoft.DrivingMode&quot;/&gt;
&lt;System name=&quot;Microsoft.Feedback&quot;/&gt;
&lt;System name=&quot;Microsoft.FindMyPhone&quot;/&gt;
&lt;System name=&quot;Microsoft.FlashAppSetting&quot;/&gt;
&lt;System name=&quot;Microsoft.KidZone&quot;/&gt;
...>
    <Button name="Search">
      <ButtonEvent name="All"/>
    </Button>
    <Button name="Camera">
      <ButtonEvent name="Press"/>
      <ButtonEvent name="PressAndHold"/>
    </Button>
    <Button name="Custom1">
      <ButtonEvent name="Press"/>
      <ButtonEvent name="PressAndHold"/>
    </Button>
    <Button name="Custom2">
      <ButtonEvent name="Press"/>
      <ButtonEvent name="PressAndHold"/>
    </Button>
    <Button name="Custom3">
      <ButtonEvent name="Press"/>
      <ButtonEvent name="PressAndHold"/>
    </Button>
  </ButtonLockdownList>
  <ButtonRemapList/>
</Buttons>
<MenuItems>
  <DisableMenuItems/>
</MenuItems>
<Settings>
  <System name="Microsoft.About"/>
  <System name="Microsoft.FlashAppSetting"/>
  <System name="Microsoft.CompanyAccount"/>
  <System name="Microsoft.WiFi"/>
  <Application name="Microsoft.Search"/>
  <Application name="Microsoft.IE"/>
  <Application name="Microsoft.Maps"/>
  <Application name="Microsoft.Messaging"/>
  <Application name="Microsoft.OfficeMobile"/>
  <Application name="Microsoft.Contacts"/>
  <Application name="Microsoft.Phone"/>
</Settings>
<Tiles>
  <EnableTileManipulation/>
</Tiles>
<StartScreenSize>Small</StartScreenSize>
</Default>
</HandheldLockdown>

Use
...>
    <Data>Contoso IMAP</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>6</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/INSERVER</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>imap.contoso.com</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>7</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/DOMAIN</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data></Data>
  </Item>
</Replace>
<Replace>
  <CmdID>8</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/AUTHNAME</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>user</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>9</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/AUTHSECRET</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>ThisIsAPassword</Data>
  </Item>
...>
      <LocURI>./Vendor/MSFT/PolicyManager/Device/Security/RequireDeviceEncryption</LocURI>
    </Target>
  </Item>
</Get>

Enabling internal storage encryption

To enable internal storage encryption, the enterprise management server can set the following PolicyManager My/Security/RequireDeviceEncryption value. Note: the emulator does not support encryption.

- The following sample shows how to enable internal storage encryption via a SyncML XML command:

<Replace>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/My/Security/RequireDeviceEncryption</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>

Remote wipe

The RemoteWipe configuration service provider is used by the server to remotely wipe the phone. The phone's internal user storage is wiped, including all the user's personal content such as apps, emails, contacts, and media files (if any). Consequently, the phone also loses the information about connecting to the enterprise. For more information, see RemoteWipe configuration service provider later in this document.

Storage card policy configuration

In Windows Phone 8.1, the PolicyManager configuration service provider's My/Security/AllowStorageCard policy allows the management server to remotely disable or enable the storage card itself. For more
...>
<SyncBody>
  <!-- query a device OS system version -->
  <Get>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./DevDetail/SwV</LocURI>
      </Target>
    </Item>
  </Get>
  <!-- Update device policy -->
  <Final/>
</SyncBody>
</SyncML>

For more information about the header and body, see SyncHdr and SyncBody on MSDN.

SyncHdr element

SyncHdr includes the following information:
- Document Type Definition (DTD) and protocol version numbers
- Session and message identifiers. Note that each message in the same DM session must have a different MsgID.
- Message source and destination Uniform Resource Identifiers (URIs)
- Credentials for authentication

This information is used by the phone to properly manage the DM session.

Code example

The following example shows the header component of a DM message. In this case, OMA DM version 1.2 is used as an example only.

Note: The <LocURI> node value for the <Source> element in the SyncHdr of the phone-generated DM package should be the same as the value of ./DevInfo/DevID. For more information about DevID, see DevInfo configuration service provider.

<SyncHdr>
  <VerDTD>1.2</VerDTD>
  <VerProto>DM/1.2</VerProto>
  <SessionID>1</SessionID>
  <MsgID>1</MsgID>
  <Target>
    <LocURI>{unique device ID}</LocURI>
  </Target>
  <
...&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Allow&#x3E;&#x3C;!-- Allow App: Nokia Trailers --&#x3E;&#x3C;App ProductId=&#x22;{b0731ce2-cdee-4cad-af01-a74a0433fcea}&#x22;/&#x3E;&#x3C;!-- Allow App: MixRadio --&#x3E;&#x3C;App ProductId=&#x22;{f5874252-1f04-4c3f-a335-4fa3b7b85329}&#x22;/&#x3E;&#x3C;/Allow&#x3E;&#x3C;/AppPolicy&#x3E;</Data>
      </Item>
    </Replace>
  </Atomic>
  <Final/>
</SyncBody>
</SyncML>

Allow List: Two allowed applications and one allowed publisher

<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
  <Atomic>
    <CmdID>1</CmdID>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
          <Type xmlns="syncml:metinf">text/plain</Type>
        </Meta>
        <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Allow&#x3E;&#x3C;!-- Allow App: Nokia Trailers --&#x3E;&#x3C;App ProductId=&#x22;{b0731ce2-cdee-4cad-af01-a74a0433fcea}&#x22;/&#x3E;&#x3C;
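The ApplicationRestrictions samples above (the Deny list and the Allow list) all carry a second XML document, the AppPolicy, as escaped text inside the SyncML <Data> element. As an added example that is not part of the Microsoft document, the following Python builds that nested payload with the standard library so the escaping is done by the serializer rather than by hand, and parses a received command back out, rejecting ProductId values that are not braced GUIDs. The LocURI and element names follow the samples on this page; the function names and the GUIDs used in the usage block are constructed for the example, and the standard XML entities (&lt; &gt;) are used instead of the hex character references the page uses, which is an equivalent encoding.

```python
import re
import xml.etree.ElementTree as ET

# Added example (not from the Microsoft document). Namespaces and LocURI are
# taken from the samples on this page; everything else is illustrative.
SYNCML_NS = "SYNCML:SYNCML1.2"
METINF_NS = "syncml:metinf"
POLICY_NS = "http://schemas.microsoft.com/phone/2013/policy"
LOCURI = "./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions"
GUID_RE = re.compile(r"^\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}$", re.IGNORECASE)


def build_app_policy(lists: dict) -> str:
    """lists maps 'Allow'/'Deny' to ProductId GUIDs; returns the AppPolicy XML text."""
    root = ET.Element("AppPolicy", {"Version": "1", "xmlns": POLICY_NS})
    for mode, product_ids in lists.items():
        if mode not in ("Allow", "Deny"):
            raise ValueError(f"unknown list type {mode!r}")
        lst = ET.SubElement(root, mode)
        for pid in product_ids:
            if not GUID_RE.match(pid):
                raise ValueError(f"ProductId is not a braced GUID: {pid!r}")
            ET.SubElement(lst, "App", {"ProductId": pid})
    return ET.tostring(root, encoding="unicode")


def build_replace_command(cmd_id: int, policy_xml: str) -> str:
    """Wrap the policy in the SyncML Atomic/Replace; the serializer escapes the nested XML."""
    syncml = ET.Element("SyncML", {"xmlns": SYNCML_NS})
    body = ET.SubElement(syncml, "SyncBody")
    atomic = ET.SubElement(body, "Atomic")
    ET.SubElement(atomic, "CmdID").text = str(cmd_id)
    replace = ET.SubElement(atomic, "Replace")
    ET.SubElement(replace, "CmdID").text = str(cmd_id + 1)
    item = ET.SubElement(replace, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = LOCURI
    meta = ET.SubElement(item, "Meta")
    ET.SubElement(meta, "Format", {"xmlns": METINF_NS}).text = "chr"
    ET.SubElement(meta, "Type", {"xmlns": METINF_NS}).text = "text/plain"
    ET.SubElement(item, "Data").text = policy_xml   # '<' becomes '&lt;' on output
    ET.SubElement(body, "Final")
    return ET.tostring(syncml, encoding="unicode")


def parse_replace_command(syncml_text: str) -> dict:
    """Reverse direction: unescape Data and return {'Allow': [...], 'Deny': [...]}."""
    root = ET.fromstring(syncml_text)
    loc = root.findtext(f".//{{{SYNCML_NS}}}LocURI")
    if loc != LOCURI:
        raise ValueError(f"unexpected LocURI {loc!r}")
    data = root.findtext(f".//{{{SYNCML_NS}}}Data")
    policy = ET.fromstring(data)            # the parser already decoded the entities
    if policy.tag != f"{{{POLICY_NS}}}AppPolicy":
        raise ValueError("Data is not an AppPolicy document")
    result = {}
    for lst in policy:
        mode = lst.tag.split("}", 1)[1]
        ids = [app.get("ProductId") for app in lst.findall(f"{{{POLICY_NS}}}App")]
        bad = [pid for pid in ids if not pid or not GUID_RE.match(pid)]
        if bad:
            raise ValueError(f"malformed ProductId values: {bad}")
        result[mode] = ids
    return result


if __name__ == "__main__":
    # Constructed ProductIds, matching the two Deny entries shown on this page.
    deny = ["{9c3e8cad-6702-4842-8f61-b8b33cc9caf1}", "{c3f8e570-68b3-4d6a-bdbb-c0a3f4360a51}"]
    message = build_replace_command(1, build_app_policy({"Deny": deny}))
    print(message)
    print(parse_replace_command(message))
```

Because the inner document is parsed separately, a mistake in the escaping shows up as a parse error rather than as a silently empty policy, which is the failure a management server most wants to catch before it pushes a restriction to a fleet.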
...>DM/1.2</VerProto>
  <SessionID>1</SessionID>
  <MsgID>1</MsgID>
  <Target>
    <LocURI>{unique device ID}</LocURI>
  </Target>
  <Source>
    <LocURI>https://www.thephone-company.com/mgmt-server</LocURI>
  </Source>
</SyncHdr>
<SyncBody>
  <!-- update device setting -->
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/PolicyManager/My/DeviceLock/MinDevicePasswordLength</LocURI>
      </Target>
      <Meta>
        <Type xmlns="syncml:metinf">text/plain</Type>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>6</Data>
    </Item>
  </Replace>
  <Final/>
</SyncBody>

Server requirements for OMA DM

The following are the general server requirements for using OMA DM to manage Windows Phones:
- The OMA DM server must support the OMA DM v1.1.2 or later protocol.
- Secure Sockets Layer (SSL) must be on the OMA DM server, and it must provide server certificate-based authentication, data integrity checking, and data encryption. If the certificate is not issued by a commercial certification authority whose root certificate is preinstalled in the phone, you must provision the company's root certificate in the phone's ROOT store.
- To authenticate the client, you must use either Basic or MD5 client authentication at the application level. At the SSL l
...hPolicy>
      <EnrollmentPolicyServiceUrl>https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</EnrollmentPolicyServiceUrl>
      <EnrollmentServiceUrl>https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC</EnrollmentServiceUrl>
    </DiscoverResult>
  </DiscoverResponse>
</s:Body>
</s:Envelope>

Web Authentication Broker support in the enrollment process (New in Windows Phone 8.1)

Windows Phone 8.1 adds support for Federated as a supported AuthPolicy value. When the authentication policy is set to Federated, the Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token. The WAB start page URL is provided by the discovery service in the response message. The enrollment client will call the WAB API with the URL from the response message to start the WAB process.

WAB pages are server-hosted web pages. The server should build those pages to fit the phone screen nicely and be as consistent as possible with the other pages in the MDM enrollment UI. The opaque security token that is returned from WAB as an end page will be used by the enrollment client as the device security secret during the client certificate enrollment request call.

A new XML tag, AuthenticationServiceUrl, is introduced in the DiscoveryResponse XML to allow the server to specify the WAB page start URL. For Federated authentication, this XML tag must exist. For OnP
...he new_version value is stored by the server.
  a. If a value already exists in the server-side cache, retrieve the value from the server-side cache instead of going to the phone.
  b. If a value does not exist in the server-side cache, then:
     i. Create a new entry with a unique <NodeID> in the server-side cache.
     ii. Query the phone to retrieve the actual value of the URI.
     iii. Create a new node under ./Vendor/MSFT/NodeCache/<ProviderID>/Nodes with the <NodeID> value.
     iv. Set up NodeURI and ExpectedValue for the ./Vendor/MSFT/NodeCache/<ProviderID>/Nodes/<NodeID> node.
     v. Update the CachedNodes version.

Examples

Creating settings for node caching:

<Add>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
    </Meta>
  </Item>
</Add>
<Add>
  <CmdID>4</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
    </Meta>
  </Item>
</Add>
<Add>
  <CmdID>5</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/NodeCache/MDMSRV1/Nodes/Node_0001/NodeURI</LocURI>
    </Target>
    <Data>./Vendor/MSFT/DeviceLock/Provider/MDMSRV1/Device
...he time until the next sync is performed, in minutes. Supported operations: Get, Replace. The default value of -1 specifies that a sync will occur as items are received. Other valid values are:
- 0 specifies that all syncs must be performed manually
- 15: sync every 15 minutes
- 30: sync every 30 minutes
- 60: sync every 60 minutes

MailAgeFilter
Required. A character string that specifies the time window used for syncing email items to the phone. The default is 3. Supported operations: Get, Replace. The valid values are:
- 0: No age filter is used, and all email items are synced to the phone
- 2: Only email up to three days old is synced to the phone
- 3: The default value. Email up to a week old is synced to the phone
- 4: Email up to two weeks old is synced to the phone
- 5: Email up to a month old is synced to the phone

Logging
A character string that specifies whether diagnostic logging is enabled, and at what level. The default is 0 (disabled). Supported operations: Get, Replace, Add (cannot Add after the account is created). The default value of 0 specifies that logging is disabled (off). A value of 2 enables advanced logging. The only supported values are 0 and 2. Logging is set to off by default. The user might be asked to set this to Advanced when having a sync issue that customer support is investigating.

ContentTypes/<GUID>
Defines the type of content to be individually enabled or disabled for sync. Suppo
...hedule set on Server | Actual schedule set on Device
IntervalForFirstSetOfRetries | 15 | 15
NumberOfFirstRetries | 5 | 5
IntervalForSecondSetOfRetries | 60 | 60
NumberOfSecondRetries | 10 | 10
IntervalForRemainingScheduledRetries | 0 | 0
NumberOfRemainingScheduledRetries | 0 | 0

Invalid poll schedule: disable all poll schedules

NOTE: Disabling poll schedules results in UNDEFINED behavior, and enrollment may fail if poll schedules are all set to zero.

Schedule Name | Schedule set by Server | Actual value queried on Device
IntervalForFirstSetOfRetries | 0 | 0
NumberOfFirstRetries | 0 | 0
IntervalForSecondSetOfRetries | 0 | 0
NumberOfSecondRetries | 0 | 0
IntervalForRemainingScheduledRetries | 0 | 0
NumberOfRemainingScheduledRetries | 0 | 0

Invalid poll schedule: two infinite schedules

Schedule Name | Schedule set by Server | Actual schedule set on Device | Actual Experience
IntervalForFirstSetOfRetries | 15 | 15 | Device polls
NumberOfFirstRetries | 5 | 5 |
IntervalForSecondSetOfRetries | 1440 | 1440 | Device polls server once every 24 hrs
NumberOfSecondRetries | 0 | 0 |
IntervalForRemainingScheduledRetries | 1440 | 0 | Third schedule is disabled
NumberOfRemainingScheduledRetries | 0 | 0 |

NOTE 1: If the device was previously MDM enrolled with a polling schedule configured via registry key values directly (for example, an MDM-enrolled Windows Phone 8 device upgraded to Windows Phone 8.1), an MDM server that supports using the DMClient CSP to update the polling schedule MUST first send an Add command to add ./Vendor/MSFT/DMClient/Provider/<ProviderID>/Poll n
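The three tables above describe one valid schedule and two invalid ones. As an added example that is not part of the Microsoft document, the Python below validates a proposed schedule before the server pushes it (flagging the all-zero case and the two-infinite-schedules case), works out the schedule the device will actually run, and lists the resulting poll times. The six node names come from the tables; the interpretation of 0 as "disabled" for an interval and "infinite" for a retry count follows the tables, and the function names and the sample schedules are constructed for the example.

```python
# Added example (not from the Microsoft document). Assumes the six DMClient
# poll nodes named in the tables on this page, intervals in minutes, 0 meaning
# "disabled" for an interval and "infinite" for a retry count.
SCHEDULE_SETS = (
    ("IntervalForFirstSetOfRetries", "NumberOfFirstRetries"),
    ("IntervalForSecondSetOfRetries", "NumberOfSecondRetries"),
    ("IntervalForRemainingScheduledRetries", "NumberOfRemainingScheduledRetries"),
)


def _sets(schedule: dict) -> list:
    """Normalise the six nodes into [(interval, count), ...] in order."""
    return [(int(schedule.get(i, 0)), int(schedule.get(n, 0))) for i, n in SCHEDULE_SETS]


def validate_poll_schedule(schedule: dict) -> list:
    """Return a list of problems; an empty list means the schedule is acceptable."""
    sets = _sets(schedule)
    problems = []
    if all(interval == 0 for interval, _ in sets):
        problems.append("all poll schedules disabled: behaviour is undefined and enrollment may fail")
    infinite = [k for k, (interval, count) in enumerate(sets) if interval > 0 and count == 0]
    if len(infinite) > 1:
        problems.append("more than one infinite schedule: only the first takes effect, later sets are disabled")
    for k, (interval, count) in enumerate(sets):
        if interval < 0 or count < 0:
            problems.append(f"set {k + 1}: negative value")
    return problems


def effective_schedule(schedule: dict) -> list:
    """What the device ends up with: every set after an infinite one becomes (0, 0)."""
    result, reached_infinite = [], False
    for interval, count in _sets(schedule):
        if reached_infinite or interval == 0:
            result.append((0, 0))
            continue
        result.append((interval, count))
        if count == 0:
            reached_infinite = True
    return result


def poll_times(schedule: dict, horizon_minutes: int) -> list:
    """Minutes after enrollment at which the device polls, up to the horizon."""
    times, now = [], 0
    for interval, count in effective_schedule(schedule):
        if interval == 0:
            continue
        done = 0
        while now + interval <= horizon_minutes and (count == 0 or done < count):
            now += interval
            times.append(now)
            done += 1
        if count != 0 and done < count:
            break  # horizon reached inside a finite set; later sets never start
    return times


if __name__ == "__main__":
    # Constructed inputs mirroring the valid schedule and the two-infinite case above.
    valid = {"IntervalForFirstSetOfRetries": 15, "NumberOfFirstRetries": 5,
             "IntervalForSecondSetOfRetries": 60, "NumberOfSecondRetries": 10,
             "IntervalForRemainingScheduledRetries": 0, "NumberOfRemainingScheduledRetries": 0}
    print(validate_poll_schedule(valid), poll_times(valid, 24 * 60))
    two_infinite = {**valid, "IntervalForSecondSetOfRetries": 1440, "NumberOfSecondRetries": 0,
                    "IntervalForRemainingScheduledRetries": 1440}
    print(validate_poll_schedule(two_infinite), effective_schedule(two_infinite))
```

Running the validator before the Replace is sent is cheaper than discovering after the fact that a fleet of devices has silently stopped polling, which is the practical consequence of the all-zero case.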
...henticating your service

To protect your app's security, Windows Push Notification Services (WNS) and Live Connect services use client secrets to authenticate the communications from your server.

Package Security Identifier (SID): [value shown on the Store page]
Client secret: [value shown on the Store page]

If your client secret has been compromised, or your organization requires that you periodically change client secrets, create a new client secret here. After you create a new client secret, both the old and the new client secrets will be accepted until you activate the new secret. (Create a new client secret)

If your app uses Live Connect services, go to Representing your app to Live Connect users; otherwise you can return to the Advanced features page.

For more information on sending Push notifications, please visit this site.

Generate your PFN

1. Open Visual Studio and create a new solution for a Windows Store application. You may be prompted to sign in to your MSDN developer account.
2. In the Package.appmanifest file, modify the <Identity> field to include the Name and Publisher from above (from Set your app's identity values manually).

Identifying your app

To use push notifications from the Windows Push Notification Service (WNS) or to use Live Connect services, you must
...here any way we can send user-facing messages to the user? | Not supported in Windows Phone 8 and 8.1.
Can the MDM server get the location of the phone from the MDM client? | Not supported in Windows Phone 8.1.
When a certificate expires (the client can be offline or the phone can be turned off), does letting the certificate expire require the user to wipe the MDM relationship along with all the apps and settings? | When the certificate expires, the relationship is not wiped. But the user cannot launch the installed enterprise app, and the client cannot communicate with the server (client authentication will fail) until the certificate is renewed (if manual renew is supported by the server), or the user needs to unenroll and re-enroll to be MDM managed again (if a

The following questions appear in the same table, but their answers are cut off on the page:
- Is it possible to get an application inventory of the entire phone, or just enterprise-deployed apps?
- Is it possible to get logs for enrollment or an MDM session, through either tethering or over the air?
- Can the DM interval sync policy (certificate renewal period) be changed after enrollment?
- Is there an alert outside company apps/settings to warn the user about required renewal?
- What happens to the settings or apps installed through the DM client after the certificate is expired?
- Other than one mandatory app pushed at the end of enrollment, is there a way to push certain applications on the phone? Automatically push certain apps from the Company Hub?
...icate store that contains the public key for the client certificate. This is only used by the enterprise server to push down the public key of the client cert. The client cert is used by the phone to authenticate itself to the enterprise server for device management and enterprise app downloading. Supported operation is Get.

<CertHash>
Defines the SHA1 hash for the certificate. The 20-byte value of the SHA1 certificate hash is specified as a hexadecimal string value. Supported operations are Add, Delete, and Get.

<CertHash>/EncodedCertificate
Required. Specifies the X.509 certificate as a Base64-encoded string. Supported operations are Add, Get. The Base64 string value cannot include extra formatting characters such as embedded linefeeds, etc.

<CertHash>/IssuedBy
Required. Returns the name of the certificate issuer. Supported operation is Get. This is equivalent to the Issuer member in the CERT_INFO data structure.

<CertHash>/IssuedTo
Required. Returns the name of the certificate subject. Supported operation is Get. This is equivalent to the Subject member in the CERT_INFO data structure.

<CertHash>/ValidFrom
Required. Returns the starting date of the certificate's validity. Supported operation is Get. This is equivalent to the NotBefore member in the CERT_INFO structure.

<CertHash>/ValidTo
Required. Returns the expiration date of the certificate. Supported operation is Get. This is equivalent to the NotAfter member in
...id=&quot;8ABB8A10-4418-4467-9E18-99D11FA54E30&quot; name=&quot;Manager&quot;&gt;&lt;Apps&gt;&lt;Application productId=&quot;5B04B775-356B-4AA0-AAF8-6491FFEA5612&quot; pinToStart=&quot;1&quot;/&gt;&lt;/Apps&gt;&lt;Settings&gt;&lt;System name=&quot;Microsoft.Themes&quot;/&gt;&lt;/Settings&gt;&lt;Buttons&gt;&lt;ButtonLockdownList&gt;&lt;Button name=&quot;Start&quot;&gt;&lt;ButtonEvent name=&quot;Press&quot;/&gt;&lt;ButtonEvent name=&quot;PressAndHold&quot;/&gt;&lt;/Button&gt;&lt;/ButtonLockdownList&gt;&lt;ButtonRemapList/&gt;&lt;/Buttons&gt;&lt;MenuItems&gt;&lt;DisableMenuItems/&gt;&lt;/MenuItems&gt;&lt;/Role&gt;&lt;/RoleList&gt;&lt;/HandheldLockdown&gt;"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

Language

The following example shows how to specify the language to display on the device:

<wap-provisioningdoc>
  <characteristic type="EnterpriseAssignedAccess">
    <characteristic type="Language">
      <parm name="Language" datatype="string" value="1033"/>
    </characteristic>
  </characteristic>
</wap-provisioningdoc>

OMA DM examples

These XML examples show how to perform various tasks using OMA DM.

Assigned a
244. ider. Supported operations: Add, Replace and Get.
DeviceReboot: The root node for the device reboot command. Supported operation: Exec.
DeviceReboot/WaitTime: The number of seconds (from 0 to 86400) to wait before restarting the device after the Exec command is received for DeviceReboot. The following table shows the possible values and actions:
  Value         Action
  0             Restart immediately.
  1 to 300      The device will be restarted silently after the specified amount of time elapses.
  300 to 86400  The user will be prompted 5 minutes (300 seconds) prior to restart with an option to restart now.
                - If the user chooses Cancel, the device will restart after waiting for 5 minutes.
                - If the user chooses OK, the device restarts immediately.
MaintenanceWindow: The root node for the maintenance window. The MDM server queries the device to see if it is in a maintenance window so that it can be updated. If the device is not in a maintenance window, the server blocks maintenance actions that might shut down or restart the device. If the device is in a maintenance window, the server does not block the actions. Before a maintenance window begins on the device, the user is notified that it will soon begin. Because the scheduler manages the notification window and only one instance of the scheduler can run, a command that an IT administrator pushes to the device will be run after the notification window is closed. To change the duration of a maintenance window whi
245. ider in tree format.
RemoteRing
  Ring
RemoteRing/Ring: Required. The node accepts requests to ring the device. The supported operation is Exec.
Examples. The following sample shows how to initiate a remote ring on the device:
<Exec>
  <CmdID>5</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/RemoteRing/Ring</LocURI>
    </Target>
  </Item>
</Exec>
DeviceInstanceService configuration service provider. The DeviceInstanceService CSP provides some device inventory information that could be useful for the enterprise. Additionally, this CSP supports querying two different phone numbers in the case of dual SIM. The URIs for SIM 1 and SIM 2 are ./Vendor/MSFT/DeviceInstanceService/Identity/Identity1 and ./Vendor/MSFT/DeviceInstanceService/Identity/Identity2 respectively. The following diagram shows the DeviceInstanceService configuration service provider in tree format:
(tree diagram; node names recovered from it: DeviceInstanceService root with Roaming, PhoneNumber, IMSI, IMEI, and Identity/Identity1 and Identity/Identity2, each again with Roaming and PhoneNumber)
./Vendor/MSFT/DeviceInstanceService
  - Description: DeviceInstanceService CSP root node
  - Format: node
  - Occurrence: One
./Vendor/MSFT/DeviceInstanceService/Roaming
  - Description: Presents the device cellular roaming status. In the case of dual SIM mode, when the device supports two different phone numbers, querying SIM 1 explicitly with ./Vendor/MSFT/DeviceInstanceService/Identity
246. ies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
Cmd: Specifies the name of an OMA DM command referenced in a Status element.
CmdID: Specifies the unique identifier for an OMA DM command.
CmdRef: Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
Cred: Specifies the authentication credential for the originator of the message.
Final: Indicates that the current message is the last message in the package.
LocName: Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
LocURI: Specifies the address of the target or source location.
MsgID: Specifies a unique identifier for an OMA DM session message.
MsgRef: Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
RespURI: Specifies the URI that the recipient must use when sending a response to this message.
SessionID: Specifies the identifier of the OMA DM session associated with the containing message.
Source: Specifies the message source address.
SourceRef: Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results eleme
247. ies path that previously utilized the Registry CSP. Note that the second set of retries is also optional and is for temporary retries; the total duration should last for more than a day, and the IntervalForSecondSetOfRetries should be longer than IntervalForFirstSetOfRetries. RemainingScheduledRetries is used for the long-running device polling schedule.
<ProviderID>/Poll/IntervalForRemainingScheduledRetries: Optional. The waiting time (in minutes) for the initial set of retries as specified by the number of retries in <ProviderID>/Poll/NumberOfRemainingScheduledRetries. Default value is 0. If IntervalForRemainingScheduledRetries is set to 0, then this schedule is disabled. Supported operations are Get and Replace. Replaces the deprecated HKLM\Software\Microsoft\Enrollment\OmaDmRetry\Aux2RetryInterval path that previously utilized the Registry CSP.
<ProviderID>/Poll/NumberOfRemainingScheduledRetries: Optional. The number of times the DM client should retry connecting to the server when the client is initially configured (enrolled) to communicate with the server. Default value is 0. If the value is set to 0, and IntervalForRemainingScheduledRetries AND the first and second set of retries aren't set as infinite retries, then the schedule will be set to repeat an infinite number of times. However, if either or both of the first and second set of retries are set as infinite, then this schedule will be disabled. Supported operations are Get and Repl
248. ignature
Extended Key Usage: Extensions for the key usage: TLS Web Client Authentication
Subject Key Identifier: Provides a means for identifying certificates that contain a particular public key.
Note that you should also specify the subject of the certificate in such a way that you can reference the certificate in the provisioning XML's SSLCLIENTCERTSEARCHCRITERIA parameter. Note that when creating a certificate, the server should set a meaningful distinguished common name instead of some well-known GUIDs. For more information about how to embed the certificate in the provisioning XML, see the Response section of the Certificate enrollment web service section earlier in this document.
Disconnecting from the management infrastructure (unenrollment). Disconnecting may be initiated either locally by the user from the phone, or remotely by the IT admin via the management server. User-initiated disconnection is performed much like the initial connection, and it is initiated from the same location in the Settings Control Panel as creating the workplace account. Users may choose to disconnect for any number of reasons, including leaving the company or getting a new phone and no longer needing access to their LOB apps on the old phone. When an admin initiates a disconnection, the enrollment client performs the disconnection during its next regular maintenance session.
249. ime: Returns the client local time in ISO 8601 format.
OSPlatform: Returns the OS platform of the phone.
ProcessorType: Returns the processor type of the phone.
RadioSwV: Returns the radio stack software version number.
Resolution: Returns the UI screen resolution of the phone (example: 480x800).
CommercializationOperator: Returns the name of the mobile operator.
ProcessorArchitecture: Returns the processor architecture of the phone as arm or x86.
DeviceName: Returns the user-specified phone name.
WLANMACAddress: The MAC address of the active WLAN connection as a 12-digit hexadecimal number.
VoLTEServiceSetting: This is only exposed to Mobile Operator based OMA DM servers. Supported operation is Get.
WlanIPv4Address: The IPv4 address of the active Wi-Fi connection. This is only exposed to Mobile Operator based OMA DM servers. Supported operation is Get.
WlanIPv6Address: The IPv6 address of the active Wi-Fi connection. This is only exposed to Mobile Operator based OMA DM servers. Supported operation is Get.
WlanDnsSuffix: The DNS suffix of the active Wi-Fi connection. This is only exposed to Mobile Operator based OMA DM servers. Supported operation is Get.
WlanSubnetMask: The subnet mask for the active Wi-Fi connection. This is only exposed to Mobile Operator based OMA DM servers. Supported operation is Get.
DeviceLock configuration service provider. This CSP will be deprecated post Windows Phone 8.1. It is
250. ing response; 32: unknown; 16: action failed.
My/SCEP/<UniqueID>/ErrorCode: Optional. The integer value that indicates the HRESULT of the last enrollment error code. Supported operation is Get.
My/SCEP/<UniqueID>/CertThumbprint: Optional. Specifies the current cert's thumbprint if certificate enrollment succeeds. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. Format is chr. Supported operation is Get.
My/WSTEP: Required for MDM-enrolled devices. The parent node that hosts the settings related to the MDM enrollment client certificate, which is enrolled via WSTEP. The nodes under WSTEP are mostly for the MDM client certificate renew request. Format is node. Supported operation is Get.
My/WSTEP/CertThumbprint: Optional. Returns the current MDM client certificate's thumbprint. If renewal succeeds, it shows the renewed cert's thumbprint. If renewal doesn't succeed or is in progress, it shows the thumbprint of the cert that needs to be renewed. Format is chr. Supported operation is Get.
My/WSTEP/Renew: Optional. Parent node to group renewal-related settings. Supported operation is Get.
My/WSTEP/Renew/ServerURL: Optional. Specifies the cert renewal server URL. If this node doesn't exist, the client will use the initial certificate enrollment URL. Supported operations are Add, Get, Delete and Replace. Note: The renewal process follows the same steps as device enrollment, which means that it starts with the Discovery service, foll
251. ion is installed on a managed device:
<Get>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BD5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
    </Target>
  </Item>
</Get>
Response from the phone (it contains the list of subnodes if this app is installed on the device):
<Results>
  <CmdID>3</CmdID>
  <MsgRef>1</MsgRef>
  <CmdRef>2</CmdRef>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BD5DC1EBB-A7F1-DF11-9264-00237DE2DB9E%7D</LocURI>
    </Source>
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
      <Type xmlns="syncml:metinf"></Type>
    </Meta>
    <Data>Version/Title/Publisher/InstallDate</Data>
  </Item>
</Results>
Node Values. All node values under the ProviderID interior node represent the policy values that the management server wants to set.
- An Add or Replace command on those nodes returns success in both of the following cases:
  - The value is actually applied to the phone.
  - The value isn't applied to the phone because the phone already has a more secure value set. From a security perspective, the phone complies with the policy request because its setting is at least as secure as the one requested.
- A Get command on those nodes re
252. ions will be overridden. This includes Start screen size: if the user selected more tiles (a 6-column Start) and the EnterpriseAssignedAccess feature requires a 4-column Start, then on reboot the user's Start screen will be forced back to a 4-column Start and their Start screen arrangement will be converted back down to a 4-column layout.
- Email accounts cannot be managed, and those will always be displayed on the All Apps page when EnterpriseAssignedAccess is configured. This can be addressed by blocking provisioning of email accounts using PolicyManager.
- Family Rooms cannot be blocked from view if they were previously pinned to the Start screen. This can be addressed by blocking provisioning of a Microsoft Account connection using PolicyManager.
- It is only possible to block the Store through the tile. If a user searches their apps list, an item is shown that lets the user Search Store, which enables the user to deep link into the Store directly even though the application does not exist. Additionally, this allows users to purchase against any provisioned Microsoft Account. This can be addressed by blocking access to the Store and blocking provisioning of a Microsoft Account using PolicyManager.
- All settings can be accessed through deep links. This includes apps that deep link into settings pages, and QR codes or NFC tags that can deep link into apps or settings pages. Users can be blocked from changing deep-linked settings
253. iption on intranet settings configuration.
NOTE 2: Using a registry key to configure the intranet zone is a temporary solution and is subject to be replaced with a new structured OMA URI path in a future release.
The following example configures any URLs under internal.contoso.com to be intranet URLs that IE could leverage via the VPN channel:
<Atomic>
  <CmdID>8</CmdID>
  <Add>
    <CmdID>8001</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/Registry/HKCU/Software/Microsoft/Windows/CurrentVersion/Internet%20Settings/ZoneMap/Domains/contoso.com/internal</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1</Data>
    </Item>
  </Add>
</Atomic>
WiFi configuration service provider (New in Windows Phone 8.1). The Wi-Fi configuration service provider (CSP) provides functionality to add or delete Wi-Fi networks on a Windows Phone device. The CSP accepts a SyncML input and converts it to a network profile that is installed on the device. This profile enables the phone to connect to the Wi-Fi network when it is in range. If the authentication method needs a certificate (e.g., EAP-TLS requires client certificates), this must be configured through the certificate store CSP first. The WiFi CSP does not provide that functionality; instead, the Wi-Fi profile can specify characteristics of the certificate t
254. ique_id_1>/Status node value, which indicates whether the previous enrollment finished (succeeded or failed), before sending the Exec command again; e.g., the updating of a certificate should start only after the previous certificate enrollment is done.
Inventory and Delete SCEP enrolled certificates. The MDM server could query and delete SCEP-enrolled certificates via the CertificateStore CSP:
- Send a Get command to the ./Vendor/MSFT/CertificateStore/My/User node. The device will return the list of SCEP and/or user-installed client certificate thumbprint hashes. Sending a Get command to the ./Vendor/MSFT/CertificateStore/My/User/<CertHash> node will return more detailed information for that certificate. For more details, refer to CertificateStore configuration service provider.
- Send a Delete command to the ./Vendor/MSFT/CertificateStore/My/SCEP/<unique_id> node. The device will delete the certificate that has thumbprint <unique_id>.
Enroll and manage the MDM (DM client) certificate. As described in the Connecting to the management infrastructure (enrollment) section, an MDM client certificate is enrolled via the WSTEP protocol during MDM enrollment. The WSTEP-enrolled certificate could be used by the device as a client certificate when doing client-cert-based authentication to the MDM server and to the enterprise app content server for downloading LOB applications. The certificate needs to be renewed before it expires. In Windows Phone 8, the renewal was done manually by the user entering a valid corporate password at set
255. ired to 0, the user can still use simple passwords. The workaround is to also set MinDevicePasswordComplexCharacters to a value greater than 1. The combination of these three settings can prevent the user from using simple passwords such as 5555.
Example. The following sample shows how to set some device lock policies:
<Atomic>
  <CmdID>13</CmdID>
  <Add>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxDevicePasswordFailedAttempts</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>4</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>3</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordEnabled</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>0</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>4</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AllowSimpleDevicePassword</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>5</CmdID>
    <Item>
      <Target>
        <L
256. ise storefront. This node specifies the 3rd-party SSL VPN plugin app's store URL link. Supported operations are Get, Add, Replace and Delete. This is a String type node.
AUTHENTICATION: Optional node for ThirdParty VPN profiles, but required for IKEv2. A collection of configuration objects to ensure that the correct authentication policy is used on the device based on the chosen TunnelType. Supported operations are Get and Add.
AUTHENTICATION/CERTIFICATE: Optional node. A collection of nodes that enables simpler authentication experiences for end users when using VPN. Supported operations are Get and Add. This node and its subnodes should not be used for IKEv2 profiles.
AUTHENTICATION/CERTIFICATE/ISSUER: Optional node. This will be of type String and will be used to filter the installed certificates with private keys stored in the registry or TPM. This can be used in conjunction with EKU for more granular filtering. Supported operations are Get, Add, Delete and Replace.
AUTHENTICATION/CERTIFICATE/EKU: Optional node. This Extended Key Usage node is of type String and will be used to filter the installed certificates with private keys stored in the registry or TPM. This can be used in conjunction with ISSUER for more granular filtering. Supported operations are Get, Add, Delete and Replace.
AUTHENTICATION/EAP: Required node if IKEv2 is selected. This will define the EAP blob to be used for IKEv2 authentication. It could be either EAP-MSCHAPv2 o
257. ist. One allowed publisher:
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data>&#x3C;AppPolicy Version=&#x22;1&#x22; xmlns=&#x22;http://schemas.microsoft.com/phone/2013/policy&#x22;&#x3E;&#x3C;Allow&#x3E;&#x3C;!-- Allow Publisher Microsoft Corporation --&#x3E;&#x3C;Publisher PublisherName=&#x22;Microsoft Corporation&#x22;/&#x3E;&#x3C;/Allow&#x3E;&#x3C;/AppPolicy&#x3E;</Data>
        </Item>
      </Replace>
    </Atomic>
    <Final/>
  </SyncBody>
</SyncML>
Allow list. Two allowed applications:
<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Atomic>
      <CmdID>1</CmdID>
      <Replace>
        <CmdID>2</CmdID>
        <Item>
          <Target>
            <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
          </Target>
          <Meta>
            <Format xmlns="syncml:metinf">chr</Format>
            <Type xmlns="syncml:metinf">text/plain</Type>
          </Meta>
          <Data
258. l S/MIME signing certificate.
NOTE 1: The SCEP-enrolled certificate isn't protected by a PIN. If you need a PIN-protected certificate, use virtual smart card certificate provisioning.
NOTE 2: The MDM server could configure the device to store the certificate private key in the Trusted Platform Module (TPM) to further protect the private key.
NOTE 3: The SCEP-enrolled client certificate cannot be used to access the secure website for application downloads. Instead, the MDM-enrolled client certificate could be used to access the secure website for application downloads.
NOTE 4: The server should enroll the SCEP client certificate first, before sending other configuration, to prevent configuring the device with no working profiles. E.g., only after certificate enrollment succeeds (for example, by polling the enrollment status value from ./Vendor/MSFT/CertificateStore/My/SCEP/<unique_id>/Status via a DM session) should the server push down the Wi-Fi, VPN and Email settings that require a client certificate.
NOTE 5: SCEP certificates with key lengths of 4096 are not supported.
To start with, the MDM server will configure the device to enroll a specific certificate with the SCEP server via the CertificateStore CSP. The device will then initiate the certificate enrollment request. The following steps show the high-level workflow of enrolling a certificate via SCEP.
Certificate enrollment precondition. Before the MDM server sends the cert enroll request to the device, the following tasks should be done: IT admin has MDM server a
259. l server. Supported operations are Get, Add and Replace.
REPLYADDR: Optional. Character string that specifies the user's reply email address, usually the same as the user's email. Sending email will fail without it. Supported operations are Get, Add, Delete and Replace.
SERVICENAME: Required. Character string that specifies the name of the email service to create or edit (32 characters maximum). The EMAIL2 configuration service provider does not support the OMA DM Replace command on the parameters SERVICENAME and SERVICETYPE. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. Supported operations are Get, Add, Replace and Delete.
SERVICETYPE: Required. Character string that specifies the type of email service to create or edit, for example IMAP4 or POP3. The EMAIL2 configuration service provider does not support the OMA DM Replace command on the parameters SERVICENAME and SERVICETYPE. To replace either the email account name or the account service type, the existing email account must be deleted and then a new one must be created. Supported operations are Get and Add.
SMTPALTAUTHNAME: Optional. Character string that specifies the display name associated with the user's alternative SMTP email account. Supported operations are Get, Add, Replace and Delete.
SMTPALTDOMAIN: Optional. Character string that specifies the domain name for the user's alternative SMTP account. Supporte
260. le a device is in the maintenance window, the IT administrator must delete the existing maintenance window configuration and then apply the new maintenance window configuration to the device. The new configuration can change the duration of the current maintenance window, but the device will remain in a maintenance window even if the new configuration includes a later start time. The state of being in a maintenance window cannot be cancelled while it is in progress.
MaintenanceWindow/MaintenanceAllowed: Specifies whether maintenance is allowed on the device. A value of 1 indicates that maintenance is allowed because the device is either in a maintenance window or no maintenance window is scheduled. A value of 0 indicates that no maintenance is allowed because the device is outside of the scheduled maintenance window. Supported operation: Get.
MaintenanceWindow/MWMandatory: Returns 1 if a maintenance window is mandatory, or 0 if a maintenance window is optional from an end user perspective. This is a global setting that affects all the scheduled maintenance windows on the device. Sets the value for the Boolean flag that indicates whether a maintenance window is mandatory and whether a user should be able to cancel the maintenance window. The default value is 1, which indicates that the maintenance window cannot be cancelled by the user. This is a global setting that affects all the scheduled maintenance windows on the device. Supported
261. leMenuItems" minOccurs="0" maxOccurs="1"/>
    </xs:sequence>
  </xs:complexType>
  <!-- COMPLEX TYPE: DEFAULT TYPE -->
  <xs:complexType name="default_basic_t">
    <xs:sequence minOccurs="1">
      <xs:element name="ActionCenter" type="actioncenter_t" minOccurs="1"/>
      <xs:element name="Apps" type="application_list_t" minOccurs="1">
        <xs:unique name="duplicateAppsForbidden">
          <xs:selector xpath="Application"/>
          <xs:field xpath="@productId"/>
        </xs:unique>
      </xs:element>
      <xs:element name="Buttons" minOccurs="1">
        <xs:complexType>
          <xs:all>
            <xs:element name="ButtonLockdownList" type="button_list_t" minOccurs="0"/>
            <xs:element name="ButtonRemapList" type="button_list_t" minOccurs="0"/>
          </xs:all>
        </xs:complexType>
      </xs:element>
      <xs:element name="CSPRunner" minOccurs="0"/>
      <xs:element name="MenuItems" type="menu_item_list_t" minOccurs="1"/>
      <xs:element name="Settings" minOccurs="1">
        <xs:complexType>
          <xs:sequence>
            <xs:element name="System" type="setting_t" minOccurs="0" maxOccurs="unbounded"/>
            <xs:element name="Application" type="setting_t" minOccurs="0" maxOccurs="unbounded"/>
          </xs:sequence>
        </xs:complexType>
      </xs:element>
    </xs:sequence>
  </xs:complexType>
  <!-- COMPLEX TYPE: ROLE TYPE -->
  <xs:complexType name="role_t">
    <xs:complexContent>
262. lete>
    <Final/>
  </SyncBody>
</SyncML>
NodeCache configuration service provider. The following diagram shows the NodeCache configuration service provider in tree format. The management server could leverage this CSP to ask the device to track CSP node value changes by setting the NodeURI to be monitored. By checking the ChangedNodes node, the server will know which nodes' values have changed.
Note 1: Using the NodeCache CSP to track Wi-Fi profile updates isn't supported.
Note 2: Node cache information is deleted when the device is upgraded from one version to another. The MDM server should re-establish the nodes to be tracked, including adding all nodes under the NodeCache CSP root node, including the ProviderID node.
(tree diagram; node names recovered from it: ./Vendor/MSFT/NodeCache/<ProviderID> with CacheVersion, ChangedNodes, and <NodeID> carrying NodeURI and ExpectedValue)
NodeCache: Required. The root node for the NodeCache object. In Windows Phone 8.1, this configuration service provider is used for enterprise device management only. Supported operation is Get. This is a predefined MIME type to identify this managed object in OMA DM syntax. The value in Windows Phone 8.1 is com.microsoft/1.0/WindowsPhone/NodeCache.
<ProviderID>: Optional. Group settings per DM server. Each group of settings is distinguished by the server's Provider ID. It should be the same DM server ProviderID value that was supplied through the w7 APPLICATION configuration service provider XML duri
263. lment, which means that it starts with the Discovery service, followed by the Enrollment policy service and then the Enrollment web service. For more information about the parameters, see CertificateStore configuration service provider (Updated in Windows Phone 8.1).
Note: Unlike manual cert renewal, the device will not perform an automatic MDM client cert renewal if the cert is already expired. To make sure that the device has enough time to perform an automatic renewal, we recommend that you set a renewal period a couple of months (40 to 60 days) before the certificate expires, and set the renewal retry interval to every few days (such as every 4 to 5 days instead of every 7 days, i.e. weekly) to increase the chance that the device will have connectivity on different days of the week.
Updateability consideration. When the user updates their MDM-enrolled Windows Phone 8 device to Windows Phone 8.1, for backward compatibility, devices enrolled with OnPremise authentication will continue to use the user-driven manual certificate renewal method unless the MDM server later configures the updated device to support automatic cert renewal. The only difference is that instead of prompting the user only one time for account updating, the device will use the default renewal retry interval (once a week) to remind the user multiple times until the cert is renewed. If the certificate is already expired when the user updates the Windows Phone 8 device to Windows Phone 8.1, unlike in Windows Phone 8, there is no mo
264. </Item>
</Get>
Response from the phone:
<Results>
  <CmdID>3</CmdID>
  <MsgRef>1</MsgRef>
  <CmdRef>2</CmdRef>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/DeviceInstanceService/Roaming</LocURI>
    </Source>
    <Meta>
      <Format xmlns="syncml:metinf">bool</Format>
    </Meta>
    <Data>false</Data>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/DeviceInstanceService/PhoneNumber</LocURI>
    </Source>
    <Data>14254458055</Data>
  </Item>
</Results>
EnterpriseAssignedAccess configuration service provider (New in Windows Phone 8.1). The EnterpriseAssignedAccess configuration service provider enables the IT administrator to provision the device into a state with a locked-down user experience. You can customize the Start screen with a variety of pinned applications, disable system buttons, configure buttons to have custom launch actions, and customize the settings panel to have only specific settings options available to the user.
WARNING: This feature should only be used on devices that are owned or provided by the enterprise (company or organization), or on a user-owned device where the user allowed the device to be fully managed by the enterprise (company). As a Mobile Device Management Solutions Vendor, you must provide the following disclaimer to the IT administrator prior to the use of the featur
265. </LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>InsertUpdatedTokenHere</Data>
  </Item>
</Replace>
Query installed applications. Query all installed applications that belong to enterprise ID 4000000001:
<Get>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory?list=StructData</LocURI>
    </Target>
  </Item>
</Get>
Response from the phone (it contains two installed applications):
<Results>
  <CmdID>3</CmdID>
  <MsgRef>1</MsgRef>
  <CmdRef>2</CmdRef>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory</LocURI>
    </Source>
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
      <Type xmlns="syncml:metinf"></Type>
    </Meta>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D</LocURI>
    </Source>
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
      <Type xmlns="syncml:metinf"></Type>
    </Meta>
  </Item>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/40
266. </Replace>
  <Replace>
    <CmdID>26</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/TAGPROPS/812C000B</LocURI>
      </Target>
      <Data>0</Data>
    </Item>
  </Replace>
</Atomic>
EnterpriseAppManagement configuration service provider (added functionality for Windows Phone 8.1). The following diagram shows the EnterpriseAppManagement configuration service provider in tree format.
(tree diagram; node names recovered from it: ./Vendor/MSFT/EnterpriseAppManagement/<EnterpriseID> with EnrollmentToken, StoreProductID, StoreUri, CertificateSearchCriteria, Status, CALCheck and EnterpriseApps with Inventory (Version, Title, Publisher, InstallDate) and Download (Version, Name, URL, Status, LastError, LastErrorDesc, DownloadInstall))
<EnterpriseID>: Optional. A dynamic node that represents the EnterpriseID as a GUID. It is used to enroll or unenroll enterprise applications. Supported operations are Add, Delete and Get.
<EnterpriseID>/EnrollmentToken: Required. Used to install or update the binary representation of the application enrollment token (AET) and initiate phone-home token validation. Scope is dynamic. Supported operations are Get, Add and Replace.
<EnterpriseID>/StoreProductID: Required. The string that contains the ID of the first enterprise application (usually a Company Hub
267. lt ButtonEvent name amp quot PressAndHold amp quot amp gt amp 1lt Button amp gt amp lt ButtonLockdownList amp gt amp lt ButtonRemapList amp gt amp 1t Buttons gt 81t Men uItems amp gt amp lt DisableMenuItems amp gt amp lt MenuItems amp gt amp l1t Default amp gt amp lt RoleList amp gt amp lt Role guid amp quot 76C01983 A872 4C4E B4C6 321EAC709CEA amp quot name amp quot Associate amp quot amp gt amp lt Apps amp gt amp lt Application productId amp quot 5B04B775 356B 4AA0 AAF8 6491FFEA5615 amp quot pinToStart amp quot 1 amp quot amp gt amp lt Apps amp gt amp lt Settings amp gt amp lt System name amp quot Microsoft Themes amp quot amp gt amp lt System name amp quot Microsoft About amp quot amp gt amp 1lt Settings amp gt amp lt Buttons amp gt amp lt ButtonLockdownList amp gt amp lt Button name amp quot Start amp quot amp gt amp lt ButtonEvent name amp quot Press amp quot amp gt amp lt ButtonEvent name amp quot PressAndHold amp quot amp gt amp lt Button amp gt amp lt Button name amp quot Camera amp quot amp gt amp lt ButtonEvent name amp quot Press amp quot amp gt amp lt ButtonEvent name amp quot PressAndHold amp quot amp gt amp l1t Button amp gt amp lt ButtonLockdownList amp gt amp lt ButtonRemapList amp gt amp 1lt Buttons amp gt amp lt Men uItems amp gt amp lt DisableMenuItems amp gt amp lt MenuItems amp gt amp lt Role amp gt amp lt Role gu
268. lt Item gt lt Target gt lt LocURI gt Vendor MSFT CertificateStore My SCEP CertSCEP 1 Install ValidPeriodUnits lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt int lt Format gt lt Meta gt lt Data gt 1 lt Data gt lt Item gt lt Add gt lt Add gt lt CmdID gt 11 lt CmdID gt lt Item gt lt Target gt lt LocURI gt Vendor MSFT CertificateStore My SCEP CertSCEP MICROSOFT 1 Install EKUMapping lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt chr lt Format gt lt Meta gt lt Data gt 1 3 6 1 4 1 311 10 3 12 1 3 6 1 4 1 311 10 3 4 1 3 6 1 4 1 311 20 2 2 lt Data gt lt Item gt lt Add gt lt Add gt lt CmdID gt 12 lt CmdID gt lt Item gt lt Target gt lt LocURI gt Vendor MSFT CertificateStore My SCEP CertSCEP 1 Install KeyProtection lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt int lt Format gt lt Meta gt lt Data gt 3 lt Data gt lt Item gt lt Add gt lt Add gt lt CmdID gt 13 lt CmdID gt lt Item gt lt Target gt lt LocURI gt Vendor MSFT CertificateStore My SCEP CertSCEP 1 Install ServerURL lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt chr lt Format gt lt Meta gt lt Data gt https contoso com certsrv ctcep dll lt Data gt lt Item gt lt Add gt lt Add gt lt CmdID gt 14 lt CmdID gt lt Item gt lt Target gt lt LocURI gt Vend
269. lt Target gt lt LOCURI gt Vendor MSFT EMAIL2 7B4ebb5cb3 e382 4104 a04e 048b25e87216 7D AUTHREQUIRED lt LOCURI gt lt Target gt lt Data gt 0 lt Data gt lt Item gt MICROSOFT lt Replace gt lt Replace gt lt CmdID gt 15 lt CmdID gt lt Item gt lt Target gt lt LOCURI gt Vendor MSFT EMAIL2 7B4ebb5cb3 e382 4104 a04e 048b25e87216 7D SMTPALTENABLED lt LOCURI gt lt Target gt lt Data gt 0 lt Data gt lt Item gt lt Replace gt lt Replace gt lt CmdID gt 21 lt CmdID gt lt Item gt lt Target gt lt LOCURI gt Vendor MSFT EMAIL2 7B4ebb5cb3 e382 4104 a04e 048b25e87216 7D RETRIEVE lt LOCURI gt lt Target gt lt Data gt 2048 lt Data gt lt Item gt lt Replace gt lt Replace gt lt CmdID gt 22 lt CmdID gt lt Item gt lt Target gt lt LocURI gt Vendor MSFT EMAIL2 7B4ebb5cb3 e382 4104 a04e 048b25e87216 7D KEEPMAX lt LOCURI gt lt Target gt lt Data gt 0 lt Data gt lt Item gt lt Replace gt lt Add gt lt CmdID gt 24 lt CmdID gt lt Item gt lt Target gt lt LOCURI gt Vendor MSFT EMAIL2 7B4ebb5cb3 e382 4104 a04e 048b25e87216 7D TAGPROPS lt LOCURI gt lt Target gt lt Item gt lt Add gt lt Replace gt lt CmdID gt 25 lt CmdID gt lt Item gt lt Target gt lt LOCURI gt Vendor MSFT EMAIL2 7B4ebb5cb3 e382 4104 a04e 048b25e87216 7D TAGPROPS 8128000B lt LocURI gt lt Target gt lt Data gt 1 lt Data gt lt Item gt
270. lue</LocURI></Target><Data>2</Data></Item></Replace>

RemoteWipe configuration service provider

The following diagram shows the RemoteWipe configuration service provider management object in tree format as used by the DM client.

[Tree diagram: Vendor/RemoteWipe/doWipe; legend: OMA DM only; OMA DM and OMA Client Provisioning]

doWipe: Specifies that a remote wipe of the phone should be performed. When used with OMA Client Provisioning, a dummy value of 1 should be included for this element. Supported operation is Exec.

Storage configuration service provider

The following diagram shows the Storage configuration service provider in tree format. This CSP will be deprecated post Windows Phone 8.1. It is recommended to use the PolicyManager CSP to configure storage card policy starting from Windows Phone 8.1.

[Tree diagram: Vendor/Storage/Disable; legend: OMA DM only; OMA DM and OMA Client Provisioning]

Disable: Required. Specifies whether to enable or disable a storage card. A Boolean value of true disables the storage card. The default value is False. The value is case sensitive. The supported operations are Get and Replace. Note that if the phone returns a 404 error code when the server applies the Get command to ./Vendor/MSFT/Storage/Disable, it means that the phone doesn't have an SD card.

APPLICATION configuration service provider

The APPLICATION configuration service provider that has an A
271. ly needs to have the new certificate issued by the CA. Note that the HTTP server response must not be chunked; it must be sent as one message.

<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <!-- Root certificate provision is only needed here if it is not in the device already -->
    <characteristic type="Root">
      <characteristic type="System">
        <characteristic type="EncodedRootCertHashInsertedHere">
          <parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
        </characteristic>
      </characteristic>
    </characteristic>
    <characteristic type="My">
      <characteristic type="User">
        <characteristic type="EncodedClientCertHashInsertedHere">
          <parm name="EncodedCertificate" value="EncodedCertInsertedHere" />
          <characteristic type="PrivateKeyContainer" />
        </characteristic>
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="PROVIDER-ID" value="TestMDMServer" />
  </characteristic>
</wap-provisioningdoc>

Note that the client receives a new certificate instead of renewing the initial certificate. The administrator controls which certificate template the client should use. The templates may be different at renewal time than at the initial enrollment time. Issuing a new certificate using the template at renewal time honors the administrator's latest in
272. m gt lt Replace gt lt Atomic gt lt Final gt lt SyncBody gt lt SyncML gt Deny List Two denied applications one denied publisher with one allowed application exception and one denied publisher with one allowed application exception lt SyncML xmlns SYNCML SYNCML1 2 gt lt SyncBody gt lt Atomic gt lt CmdID gt 1 lt CmdID gt lt Replace gt lt CmdID gt 2 lt CmdID gt lt Item gt lt Target gt lt LocURI gt Vendor MSFT PolicyManager My ApplicationManagement ApplicationRestrictions lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt chr lt Format gt lt Type xmlns syncml metinf gt text plain lt Type gt lt Meta gt lt Data gt amp x3C AppPolicy Version amp x22 1 amp Xx22 xmlns amp x22 http schemas microsoft com phone 2013 policy amp x22 amp X3E amp x3C Deny amp X3E amp x3C Deny App Nokia Trailers amp x3E amp x3C App ProductId amp x22 b 731ce2 cdee 4cad afe1 a74a0433fcea amp amp x22 8 amp x3E amp Xx3C Deny App MixRadio amp x3E amp x3C App ProductId amp x22 f5874252 1f04 4c3f a335 4fa3b7b85329 amp x22 amp x3E amp x3C Deny Publisher Microsoft Corporation amp x3E amp x3C Publisher PublisherName amp x22 Microsoft Corporation amp x22 amp x3E 5 amp x3C Allow app published by denied publisher Microsoft Corporation YouTube amp x3E amp x3C AllowApp ProductId amp x22 dcbb1lac6 a
273. me contoso com gt lt parm name Password value password gt lt parm name EnableDeviceEnrollment value false datatype boolean gt lt characteristic gt lt characteristic gt lt characteristic type EnterpriseAssignedAccess gt lt characteristic type AssignedAccess gt lt parm name AssignedAccessXml datatype string value amp 1t xml version amp quot 1 0 amp quot encoding amp quot utf 8 amp quot amp gt amp 1t HandheldLockdown version amp quot 1 0 amp quot amp gt amp lt Default amp gt amp lt ActionCenter enabled amp quot true amp quot amp gt amp 1t Apps amp gt amp 1t Phone App amp gt amp lt Application productId amp quot 5B04B775 356B 4AA0 AAF8 6491FFEA5611 amp quot amp gt amp lt PinToStart amp gt amp 1t Size amp gt Medium amp lt Size amp gt amp lt Location amp gt amp lt LocationX amp gt 0 amp lt LocationX amp gt amp lt LocationY amp gt 0 amp lt LocationY amp gt amp 1t Location amp gt amp 1t PinToStart amp gt amp 1t Application amp gt amp lt Settings amp gt amp lt Application productId amp quot 5B04B775 356B 4AA0 AAF8 6491FFEA5601 amp quot amp gt amp lt PinToStart amp gt amp 1t Size amp gt Medium amp lt Size amp gt amp 1t Location amp gt amp lt LocationX amp gt 2 amp lt LocationX amp gt amp lt LocationY amp gt 0 amp lt LocationY amp gt amp lt Location amp gt amp lt PinToStart amp gt amp 1t Application
274. ment. The structure and content of the document is defined in the OMA DM Representation Protocol (OMA-SyncML-DM_RepPro-V1_2_1-20080617-A.pdf), available from the OMA website. Each message is composed of a header, specified by the SyncHdr element, and a message body, specified by the SyncBody element.

The following table shows the OMA DM versions that are supported in Windows Phone 8.

Version | Format
OMA DM version 1.1.2 | <SyncML xmlns="SYNCML:SYNCML1.1"></SyncML>
OMA DM version 1.2 | <SyncML xmlns="SYNCML:SYNCML1.2"></SyncML>

File format

The following example shows the general structure of the XML document sent by the server using OMA DM version 1.2.1, for demonstration purposes only. The initial XML packages exchanged between client and server could contain additional XML tags. For a detailed description and samples for those packages, see the OMA Device Management Protocol 1.2.1 specification.

NOTE: The XML encoding tag <?xml version="1.0" encoding="UTF-8"?> should not be included in the XML message.

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD>
    <VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID>
    <MsgID>1</MsgID>
    <Target>
      <LocURI>unique device ID</LocURI>
    </Target>
    <Source>
      <LocURI>https://www.thephone-company.com/mgmt-server</LocURI>
    </Source>
  </SyncHdr
275. ment RST wstep lt a Action gt lt a MessageID gt urn uuid 0d5a1441 5891 453b becf a2e5f6ea3749 lt a MessageID gt lt a ReplyTo gt lt a Address gt http www w3 org 2005 08 addressing anonymous lt a Address gt MICROSOFT lt a ReplyTo gt lt a To s mustUnderstand 1 gt https enrolltest contoso com 443 ENROLLMENTSERVER DEVICEENROLLMENTWEBSERVICE SVC lt a To gt lt wsse Security s mustUnderstand 1 gt lt wsse UsernameToken u Id uuid cc1ccc1f 2fba 4bcf b063 ffc0cac77917 4 gt lt wsse Username gt user contoso com lt wsse Username gt lt wsse Password wsse Type http docs oasis open org wss 2004 01 oasis 200401 wss username token profile 1 0 PasswordText gt mypassword lt wsse Password gt lt wsse UsernameToken gt lt wsse Security gt lt s Header gt lt s Body gt lt wst ReguestSecurityToken gt lt wst TokenType gt http schemas microsoft com 5 0 0 0 ConfigurationManager Enrollment DeviceEnrollmentToken lt wst TokenType gt lt wst RequestType gt http docs oasis open org ws sx ws trust 200512 Issue lt wst ReguestType gt lt wsse BinarySecurityToken ValueType http schemas microsoft com windows pki 2009 01 enrollment PKCS10 EncodingType http docs oasis open org wss 2004 01 0asis 200401 wss wssecurity secext 1 0 xsd base64binary gt DER format PKCS 10 certificate request in Base64 encoding Insterted Here lt wsse BinarySecurityToken gt lt ac AdditionalContext xmlns http schemas x
276. ment.domain.com

Description: The discovery web service provides the configuration information necessary for a user to enroll a phone with a management service. The service is a RESTful web service over HTTPS (server authentication only).

Request: The phone's automatic discovery flow uses the domain name of the email address that was submitted to the Workplace settings screen during sign in. The automatic discovery system constructs a URI that uses this hostname by appending the subdomain "enterpriseenrollment" to the domain of the email address, and by appending the path "EnrollmentServer/Discovery.svc". For example, if the email address is sample@contoso.com, the resulting URI for the first GET request would be http://enterpriseenrollment.contoso.com/EnrollmentServer/Discovery.svc. The first request is a standard HTTP GET request.

The following example shows a request via HTTP GET to the discovery server, given user@contoso.com as the email address.

Request:
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: unknown
Header Byte Count: 153
Body Byte Count: 0
Header:
GET /EnrollmentServer/Discovery.svc HTTP/1.1
User-Agent: Windows Phone 8 Enrollment Client
Host: EnterpriseEnrollment.contoso.com
Pragma: no-cache

Response:
Request Full Url: http://EnterpriseEnrollment.contoso.com/EnrollmentServer/Discovery.svc
Content Type: text/html
Header Byte Cou
277. ment for the next request. For more information about Basic or MD5 client authentication, MD5 server authentication, MD5 hash and MD5 nonce, see the OMA Device Management Security specification (OMA-TS-DM_Security-V1_2_1-20080617-A); for authentication response code handling and step-by-step samples, see the OMA Device Management Protocol specification (OMA-TS-DM_Protocol-V1_2_1-20080617-A), available from the OMA website.

Step | Action | Description
1 | The phone task schedule invokes the DM client periodically to call back to the enterprise management server over HTTPS. | At the scheduled time, the DM client is invoked.
2 | The phone sends a message over an IP connection to initiate the session. | This message includes phone information and credentials. The client and server do certificate-based authentication over an SSL channel.
3 | The DM server responds over an IP connection (HTTPS). | The server sends initial device management commands, if any.
4 | The phone responds to server management commands. | This message includes the results of performing the specified device management operations.
5 | The DM server terminates the session or sends another command. | The DM session ends, or step 4 is repeated.

OMA DM provisioning files

OMA DM commands are transmitted between the server and the phone in messages. A message can contain one or more commands. For a list of commands supported in Windows Phone, see the table in OMA DM standards. A DM message is an XML docu
278. ments\visual studio 2013\Projects\App1\App1\bin\Debug\App1.exe
Deploy started: Project App1, Configuration Debug Any CPU
Creating a new clean layout
Copying files: Total <1 mb to layout
Registering the application to run from layout
Deployment complete. Full package name: "THIS IS YOUR PFN"

The PFN should come in some format like XXXXXXXXXXXXX.NameOfApp_1.1.1.1_neutral__XXXXXXXXXXXX. Please remove the section with the app version and instead just use this portion, in this format: XXXXXXXXXXXXX.NameOfApp_XXXXXXXXXXXX. Please see the section below on the DMClient configuration provider for setting the PFN on the device.

Enterprise app management over DM server

The EnterpriseAppManagement configuration service provider is used to handle enterprise application management tasks such as installing an enterprise application token, the first auto-downloadable app link, querying installed enterprise applications (name and version), auto-updating already installed enterprise applications, and removing all installed enterprise apps (including the enterprise app token) during unenrollment. For more information and sample commands, see EnterpriseAppManagement configuration service provider later in this document.

Enterprise application install, update, uninstall (Update in Windows Phone 8.1)

As part of the EnterpriseAppManagement CSP, management servers have the ability to install, update and uninstall Line of Business appli
279. meric value applies if password DevicedPassw reguired ordEnabled 2 default policy is set to users can 0 reguired choose Numeric Password or Alphanumer ic Password DeviceLock Specifies when An integer X If all policy MDM EAS DevicePasswor DevicePasswordE the password where values 0 dExpiration xpiration expires in WML 2 then 0 else days 720 Min policy 0 default values is Passwords most secure do not value expire DeviceLock Specifies how An integer X Max policy MDM EAS DevicePasswor DevicePasswordH many where values is dHistory MICROSOFT istory DeviceLock MaxDevicePassw ordFailedAttempts passwords can be stored in the history that can t be used The number of authentication failures before the device will be wiped A value of 0 disables device wipe functionality 0 lt X lt 50 Default 0 An integer X where Or X 999 Default 0 device will not get wiped after enter any times of wrong password most restricted value If all policy values 0 then 0 else Min policy values is most restricted value MaxDevicePass wordFailedAtte mpts DeviceLock Max InactivityTim eDeviceLock DeviceLock MinDevicePasswo rdComplexCharact ers Specifies the amount of time in minutes after the device is idle that will cause the device to become password locked The number of complex element types uppercase
280. mlsoap 0rg ws 2006 12 authorization gt lt ac ContextItem Name DeviceType gt lt ac Value gt WindowsPhone lt ac Value gt lt ac ContextItem gt lt ac ContextItem Name ApplicationVersion gt lt ac Value gt 8 0 9846 0 lt ac Value gt lt ac ContextItem gt lt ac AdditionalContext gt lt wst RequestSecurityToken gt lt s Body gt lt s Envelope gt Here is a sample RST message for Federated auth policy to illustrate the details Header POST EnrollmentServer DeviceEnrollmentWebService svc HTTP 1 1 Content Type application soap xml charset utf 8 User Agent Windows Phone 8 Enrollment Client Host enrolltest contoso com Content Length 3242 Cache Control no cache lt s Envelope xmlns s http www w3 0rg 2003 05 soap envelope xmlns a http www w3 0rg 2005 08 addressing xmlns u http docs oasis open org wss 2004 01 oasis 200401 wss wssecurity utility TO XS xmlns wsse http docs oasis open org wss 2004 01 oasis 200401 wss wssecurity secext 1 0 xsd xmlns wst http docs oasis open org ws sx ws trust 200512 xmlns ac http schemas xmlsoap 0rg ws 2006 12 authorization gt lt s Header gt lt a Action s mustUnderstand 1 gt http schemas microsoft com windows pki 2009 01 enrollment RST wstep MICROSOFT lt a Action gt lt a MessageID gt urn uuid 0d5a1441 5891 453b becf a2e5f6ea3749 lt a MessageID gt lt a ReplyTo gt lt a Address gt http www w3 org 2005 08 addressing anonymous lt a Address
281. must be on the same server; that is, they must have the same host name.

NOTE: In the Windows Phone 8 and Windows Phone 8.1 enrollment client's PKCS#10 cert request, the CN value has a zero terminator, e.g. "B1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00". The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID.

Subject: CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00

Here is a sample RST message for OnPremise auth policy to illustrate the details.

Header:
POST /EnrollmentServer/DeviceEnrollmentWebService.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Phone 8 Enrollment Client
Host: enrolltest.contoso.com
Content-Length: 3242
Cache-Control: no-cache

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope"
            xmlns:a="http://www.w3.org/2005/08/addressing"
            xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd"
            xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd"
            xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512"
            xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enroll
282. n. Scope is dynamic. Supported operation is Get.

Download/<ProductID>/URL: Optional. The character string that contains the URL for the updated version of the installed application. The phone will download application updates from this link. Scope is dynamic. Supported operations are Get, Add and Replace.

Download/<ProductID>/Status: Required. The integer value that indicates the status of the current download process. The following table shows the possible values.

4 | INSTALLING | Handed off for installation
5 | INSTALLED | Successfully installed
6 | FAILED | Application was rejected (not signed properly, bad XAP format, not enrolled properly, etc.)
7 | DOWNLOAD_FAILED | Unable to connect to server, file doesn't exist, etc.

Scope is dynamic. Supported operation is Get.

Download/<ProductID>/LastError: Required. The integer value that indicates the HRESULT of the last error code. If there are no errors, the value is 0 (S_OK). Scope is dynamic. Supported operation is Get.

Download/<ProductID>/LastErrorDesc: Required. The character string that contains the human-readable description of the last error code.

Download/<ProductID>/DownloadInstall: Required. The character string that contains the command to the phone to trigger the download and installation. The server must query the phone later to determine the status. For each product ID, the status field is retained for up to one week. Scope is dynamic. Supported operation is Exec.

Remarks
283. n is Exec.

This node will return the following status. All OMA DM errors are listed in the protocol specification.

Status | Description | Meaning
200 | OK: Device has been locked with a new password, which has been reset successfully. | The command and the associated Alert action are completed successfully.
500 | Command failed: N/A | Non-specific errors created by the recipient while attempting to complete the command.

RemoteLock/NewPINValue: This node contains the PIN after Exec has been called on RemoteLock/NewPINValue. If LockAndResetPIN has never been called, the value will be null. If Get is called on this node after a successful Exec call on RemoteLock/NewPINValue, then the new PIN will be provided. If another Get command is called on this node, the value will be null. If the IT admin needs to reset the PIN again, then another LockAndResetPIN <Exec> can be communicated to the device to generate a new PIN. The PIN value will conform to the minimum PIN complexity requirements of the merged policies that are set on the device. If no PIN policy has been set on the device, the device will generate an 8-digit numeric PIN and set the device to have this PIN. The data type returned is a string. The supported operation is Get. A Get operation on this node must follow an Exec on the RemoteLock/LockAndResetPIN node, in the proper order and in the same SyncML message. The Sequence tag can be used to guarantee the order in which commands are p
284. n</LocURI></Target><Meta><Format xmlns="syncml:metinf">int</Format></Meta><Data>1</Data></Item></Replace>

Task switcher control (new for GDR2)

In Windows Phone 8.1 GDR2, the Experience/AllowTaskSwitcher policy is added to allow an enterprise that is concerned about data leaks to prevent the user from using the task switcher. Note that it does not affect the normal back button function, because only the visual switcher is disabled. The following SyncML sample shows how to disable the task switcher:

<Replace>
  <CmdID>3</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/My/Experience/AllowTaskSwitcher</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">int</Format>
    </Meta>
    <Data>1</Data>
  </Item>
</Replace>

WLAN scan frequency customization (new for GDR2)

In Windows Phone 8.1 GDR2, the Connectivity/WLANScanMode policy is added to allow an enterprise to control the WLAN scanning behavior and how aggressively devices should be actively scanning for Wi-Fi networks to get devices connected. The following SyncML sample shows how to customize the WLAN scan frequency:

<Replace>
  <CmdID>3</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/My/Wifi/WLANScanMode</LocURI>
    </Target>
    <Meta>
285. n mechanism for setting time via a cellular network and is the standard way to set time on a Windows Phone, but it does not work without a cellular network. To set and sync the time on a device without a cellular network (Wi-Fi only image or Wi-Fi only profile), you can use the built-in support for Network Time Protocol (NTP), which can be set by an NTP server as long as the device has a data (IP) connection. This connection can be either cellular or Wi-Fi data.

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. NTP is intended to synchronize all participating computers to within a few milliseconds of Coordinated Universal Time (UTC). NTP can usually maintain time to within tens of milliseconds over the public Internet, and can achieve better than one millisecond of accuracy in local area networks under ideal conditions.

Note: NTP doesn't support time zone and daylight savings information. Users will have to manually update the time zone.

To configure NTP in OOBE

To use NTP to automatically update the time on your device, you configure the NTP server and the time sync interval. To do this, you add an MCSF characteristic to the prov.xml file:

<characteristic type="MCSF">
  <characteristic type="AutomaticTime">
    <parm name="NTPRegularSyncInterval" value="1" datatype="integer" />
    <parm name="NTPServers" value="time.cont
286. nXml lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt chr lt Format gt lt Meta gt lt Data gt amp lt xml version amp quot 1 0 amp quot amp gt amp 1t WLANProfile xmlns amp quot http www microsoft com networking WLAN profile vi amp quot amp gt amp lt name amp gt MyNetwork amp 1t name amp gt amp 1t SSTDConfig amp gt amp 1lt SSTID amp gt 81t name amp gt MyNetwork amp lt name amp gt 81t SSID amp gt amp 1t SSIDConfig amp gt amp lt connectionType amp gt ESS amp 1t connectionType amp gt amp lt connectionMode amp gt manual amp lt s connectionMode amp gt amp lt MsM amp gt amp lt security amp gt amp lt authEncryption amp gt amp lt authentication amp gt ope n amp lt authentication amp gt amp lt encryption amp gt none amp lt encryption amp gt amp lt authEncryption amp gt amp 1t s ecurity amp gt amp lt MsM amp gt amp lt WLANProfile amp gt lt Data gt lt Item gt lt Add gt lt Add gt lt CmdID gt 302 lt CmdID gt lt Item gt lt Target gt lt LocURI gt Vendor MSFT WiFi Profile MyNetwork Proxy lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt chr lt Format gt lt Meta gt lt Data gt test 80 lt Data gt lt Item gt lt Add gt lt Atomic gt Note Addition of proxy to networks with any other authentication type also works in the same way as this example Adding a WPA2 PSK network with SSID My Net
287. nd CA Services setup. The IT admin has hooked up the enterprise CA with the SCEP server. MDM is configured to connect to the SCEP server. Certificate templates are already stored in the CA. The SCEP server is configured with certificate templates for each key usage (Decipherment, Signature, Both). The end user's phone is enrolled to be managed by the MDM server. The SCEP server must use the same CA cert for signing the SCEP client cert and the SCEP RA cert, and the CA cert thumbprint should be provisioned as part of the SCEP parameter configuration during the MDM session.

Certificate Enrollment Steps

1. The MDM server generates the initial cert enroll DM request, including the challenge password, SCEP server URL and other enrollment-related parameters.
2. The policy is converted to the OMA DM request and sent to the device via the exposed CertificateStore CSP interface through the DM session. The trusted CA certificate should be installed directly during the MDM request via the CertificateStore CSP.
3. At the device side, the CertificateStore CSP accepts the cert enroll request and invokes the SCEP cert enroll client with the parameters it received from the server. Note: the actual enroll process is an asynchronous process from the MDM enroll request.
4. The device generates the private/public key pair and the SCEP request payload.
5. The device connects to the Internet-facing point exposed by the SCEP server.
6. The SCEP server creates the certificate, signed with the proper CA certificate, and returns it to the device.
7. The
288. nd no proxy lt Atomic gt lt CmdID gt 300 lt CmdID gt lt Add gt lt CmdID gt 301 lt CmdID gt lt Item gt lt Target gt lt LOCURI gt Vendor MSFT WiFi Profile MyNetwork WlanXml lt LocURI gt lt Target gt lt Meta gt lt Format xmlns syncml metinf gt chr lt Format gt lt Meta gt lt Data gt amp lt xml version amp quot 1 0 amp quot amp gt amp 1t WLANProfile xmlns amp quot http www microsoft com networking WLAN profile v1 amp quot amp gt amp lt name amp gt MyNetwork amp lt name amp gt amp l1t SSIDConfig amp gt amp lt SSID amp gt amp 1t name amp gt MyNetwork amp 1t name amp gt amp 1lt SSID amp gt amp 1t SSIDConfig amp gt amp lt connectionType amp gt ESS amp 1lt connectionType amp gt amp lt connectionMode amp gt manual amp lt s connectionMode amp gt amp lt MsM amp gt amp lt security amp gt amp lt authEncryption amp gt amp lt authentication amp gt WPA PSK amp lt authentication amp gt amp lt encryption amp gt TKIP amp lt encryption amp gt amp lt authEncryption amp gt amp lt sharedKey amp gt amp 1lt keyType amp gt passPhrase amp lt keyType amp gt amp lt protected amp gt false amp lt protected amp gt amp lt keyMaterial amp gt 123456789 amp lt keyMaterial amp gt amp lt sharedKey amp gt amp lt security amp gt amp 1lt MSM amp gt 3 amp 1t WLANProfile amp gt lt Data gt lt Item gt lt Add gt lt Atomic gt Adding PEAP MSCHAPv2 network with SSID MyNetwork and no proxy Default i
289. nd out installation result as well The following SyncML sample shows the message the device will send to the DM server when SCEP cert is installed successfully lt SyncML xmlns SYNCML SYNCML1 2 gt lt SyncHdr gt lt VerDTD gt 1 2 lt VerDTD gt lt VerProto gt DM 1 2 lt VerProto gt lt SessionID gt 1 lt SessionID gt lt MsgID gt 1 lt MsgID gt lt Target gt lt LocURI gt unique device ID lt LocURI gt lt Target gt lt Source gt lt LocURI gt https www thephone company com mgmt server lt LocURI gt lt Source gt lt SyncHdr gt lt SyncBody gt lt Alert gt lt CmdID gt 1 lt CmdID gt lt Data gt 1201 lt Data gt lt client initiated session gt lt Alert gt lt Genric Alert for SCEP cert install result gt lt Alert gt lt CmdID gt 1 lt CmdID gt MICROSOFT Ei lt Data gt 1226 lt Data gt lt generic alert gt lt Item gt lt Source gt lt LocURI gt Vendor MSFT CertificateStore My SCEP lt unique id gt Install Enroll lt LocURI gt lt Source gt lt Meta gt lt Type xmlns syncml metinfo gt com microsoft mdm SCEPCertinstall result lt Type gt lt Format xmlns syncml metinfo gt int lt Format gt lt Meta gt lt Data gt 1 lt Data gt lt Alert gt lt Basic DevInfo CSP information truncated for simplicity gt lt Replace gt lt CmdID gt 2 lt CmdID gt lt Item gt lt Source gt lt LocURI gt Devinfo Man lt LocURI gt lt Source gt
290. ndia gt lt AutomaticTime gt lt TimeZonePriority1 gt 0x6B8 lt TimeZonePriority1 gt lt AutomaticTime gt lt System Time CSP gt lt MCSF gt lt AutomaticTime gt lt NTPRegularSyncInterval gt 1 lt NTPRegularSyncInterval gt lt NTPServers gt time windows com amp xF000 time nist gov amp xF000 amp xF000 lt NTPServers gt lt AutomaticTime gt lt MCSF gt lt Language Settings gt lt BootUILanguage gt en us lt BootUILanguage gt lt MDM Settings lt EnterpriseExt gt lt MDM gt lt Server gt p manage beta microsoft com lt Server gt lt MDM gt lt EnterpriseExt gt gt lt Common gt lt Settings gt lt Customization gt Certificate contiguration Updated in Windows Phone 8 1 Windows Phone supports root CA and client certificate to be configured via MDM CertificateStore configuration service provider is used to directly add delete query root and CA certificates configure the device to enroll client certificate with certificate enrollment server that supports Simple Certificate Enrollment Protocol SCEP SCEP enrolled client certificates are used by Wi Fi VPN email and browser for certificate based client authentication Each application has its own cert search criteria to allocate proper client cert for application usage Additionally the MDM enrollment client support enrolling the enterprise client certificate that contains the public key via the CertificateStore CSP with MD
291. ng illustration: http://www.windowsphone.com/en-us/store/app/facebook

You can find the product ID for a locally developed app in the AppManifest.xml file of the app.

Include PinToStart to display an app on the Start screen. For apps pinned to the Start screen, identify a tile size (small, medium or large) and a location. The size of a small tile is 1 column x 1 row, a medium tile is 2 x 2, and a large tile is 4 x 2. For the tile location, the first value indicates the column and the second value indicates the row. A value of 0 indicates the first column, a value of 1 indicates the second column, and so on.

Include autoRun as an attribute to configure the application to run automatically.

Example:

<Application productId="{5B04B775-356B-4AA0-AAF8-6491FFEA5601}" autoRun="true">
  <PinToStart>
    <Size>Large</Size>
    <Location>
      <LocationX>0</LocationX>
      <LocationY>2</LocationY>
    </Location>
  </PinToStart>
</Application>

Provide the installation type (SDCard or Network), product ID, application file path and license file path to install an application during the OOBE provisioning. Applications can be installed during OOBE from an SD card or from a shared network location.

Example:

<characteristic type="Ap
292. ng the enrollment process. In Windows Phone 8 only one enterprise management server is supported; that is, there should be only one ProviderID node under NodeCache. Scope is dynamic. Supported operations are Get, Add and Delete.

<ProviderID>/CacheVersion
Optional. Character string value that is set by the server when the set of nodes or their expected values changes. Scope is dynamic. Supported operations are Get, Add and Replace.

<ProviderID>/ChangedNodes
Optional. List of nodes whose values do not match their expected values as specified in <NodeID>/ExpectedValue. Scope is dynamic. Supported operation is Get.

<ProviderID>/Nodes
Required. Root node for cached nodes. Scope is dynamic. Supported operation is Get.

Nodes/<NodeID>
Optional. Information about each cached node is stored under <NodeID> as specified by the server. This value must not contain a comma. Scope is dynamic. Supported operations are Get, Add and Delete.

<NodeID>/NodeURI
Required. This node's value is a complete OMA DM node URI. It can specify either an interior or a leaf node in the device management tree. Scope is dynamic. Supported operations are Get, Add and Delete.

<NodeID>/ExpectedValue
Required. This is the value that the server expects to be on the phone. When the configuration service provider initiates a session, it checks the expected value against the node's actual value. Scope is dynamic. Supported op
293. ngth
Required for enrollment. Specify the private key length (RSA). Format is int. Valid values: 1024, 2048, 4096. Supported operations are Get, Add, Delete, Replace.

My/SCEP/<UniqueID>/Install/HashAlgorithm
Required for enrollment. Hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated via the documented separator. Format is chr. Supported operations are Get, Add, Delete, Replace.

My/SCEP/<UniqueID>/Install/CAThumbprint
Required. Specify the root CA thumbprint. It is a 20-byte value of the SHA1 certificate hash specified as a hexadecimal string value. When the client authenticates the SCEP server, it checks whether the CA cert from the SCEP server matches this cert. If it does not match, the authentication fails. Format is chr. Supported operations are Get, Add, Delete, Replace.

My/SCEP/<UniqueID>/Install/SubjectName
Required. Specify the subject name. Format is chr. Supported operations are Get, Add, Delete, Replace.

My/SCEP/<UniqueID>/Install/SubjectAlternativeNames
Optional. Specify the subject alternative name. Multiple alternative names can be specified by this node. Each name is the combination of name format + actual name; refer to the name type definition in MSDN. Each pair is separated by a semicolon. E.g. multiple SANs are presented in the format <nameformat1>+<actual name1>;<name format 2>+<actual name2>. Format is chr. Supported operations are Get, Ad
294. ns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;
&lt;Type&gt;26&lt;/Type&gt;
&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;
&lt;UseWinLogonCredentials&gt;false&lt;/UseWinLogonCredentials&gt;
&lt;/EapType&gt;
&lt;/Eap&gt;
&lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt;
&lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt;
&lt;PeapExtensions&gt;
&lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;true&lt;/PerformServerValidation&gt;
&lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;False&lt;/AcceptServerName&gt;
&lt;PeapExtensionsV2 xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;
&lt;AllowPromptingWhenServerCANotFound xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV3&quot;&gt;true&lt;/AllowPromptingWhenServerCANotFound&gt;
&lt;/PeapExtensionsV2&gt;
&lt;/PeapExtensions&gt;
&lt;/EapType&gt;
&lt;/Eap&gt;
&lt;/Config&gt;
&lt;/EapHostConfig&gt;
&lt;/EAPConfig
295. nt
Specifies the address of the node in the DM tree that is the target of the OMA DM command.

TargetRef
Specifies the target address in the corresponding request message. This element takes the value of the request message's Target element and is returned in the Status or Results element.

VerDTD
Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.

VerProto
Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.

Device management session
A device management (DM) session consists of a series of commands exchanged between a DM server and a phone. The server sends commands indicating operations that must be performed on the phone's management tree. The phone responds by sending commands that contain the results and any requested status information.

An example of a short DM session would be the following: a server sends a Get command to a phone to retrieve the contents of one of the nodes of the management tree. The phone performs the operation and responds with a Result command that contains the requested contents.

A DM session can be divided into two phases:
• Setup phase: In response to a trigger event, a phone sends an initiating message to a DM server. The phone and server exchange the needed authentication and phone information. This phase is represented by steps 1, 2 and 3 in the following table.
296. nt: 248
Body Byte Count: 0
Header:
HTTP/1.1 200 OK
Connection: Keep-Alive
Pragma: no-cache
Cache-Control: no-cache
Content-Type: text/html
Content-Length: 0

After the phone gets a response from the server, the phone sends a POST request to enterpriseenrollment.<domain name>/EnrollmentServer/Discovery.svc. After it gets another response from the server (which should tell the phone where the enrollment server is), the next message sent from the phone is to enterpriseenrollment.<domain name>, the enrollment server. The following logic is applied:
1. The phone first tries HTTPS. If the server cert is not trusted by the phone, the HTTPS attempt fails.
2. If that fails, the phone tries HTTP to see whether it is redirected.
   • If the phone is not redirected, it prompts the user for the server address.
   • If the phone is redirected, it prompts the user to allow the redirect.

The following example shows a request via an HTTP POST command to the discovery web service, given user@contoso.com as the email address:
https://EnterpriseEnrollment.Contoso.com/EnrollmentServer/Discovery.svc

Header:
POST /EnrollmentServer/Discovery.svc HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Phone 8 Enrollment Client
Host: EnterpriseEnrollment.Contoso.com
Content-Length: xxx
Cache-Control: no-cache

<?xml version="1.0"?>
<s:Envelope xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/so
297. nt of time, in minutes, that the phone can remain idle before it is password locked. Valid values are 0 to 999. A value of 0 indicates that no time-out is specified; in this case, the maximum screen time-out allowed by the UI applies. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add and Replace.

<ProviderID>/MinDevicePasswordComplexCharacters
Optional. An integer value that specifies the number of complex element types (uppercase and lowercase letters, numbers and punctuation) required for a strong password. Valid values are 1 to 4. The default value is 1. Invalid values are treated as a configuration failure. Scope is dynamic. Supported operations are Get, Add and Replace.

DeviceValue
Required. A permanent node that groups the policy values applied to the phone. The server can query this node to discover which policy values are actually applied to the phone. Scope is permanent. Supported operation is Get.

DeviceValue/DevicePasswordEnable through DeviceValue/MinDevicePasswordComplexCharacters
Required. This node has the same set of policy nodes as the <ProviderID> node. All nodes under DeviceValue are read-only permanent nodes. Each node represents the current device lock policy. For detailed descriptions of each policy, see the <ProviderID> subnode descriptions.

How to implement the complex password requirement
When you set AllowSimpleDevicePassword to 0 (not allowed) and AlphanumericDevicePasswordRequ
298. o be used for choosing the right certificate for that network, and the server should successfully enroll the needed client certificate first, before pushing down the Wi-Fi network configuration.

Note 1: Since Windows Phone emulators do not have Wi-Fi radio support, Wi-Fi network configuration cannot be tested end to end with an emulator. A Wi-Fi network can still be provisioned using the WiFi CSP, and the network should be visible in the Wi-Fi Settings page, but connectivity to that network cannot be tested.

Note 2: For WEP, WPA and WPA2 based networks, the passkey must be included in the network configuration in plaintext. It will be encrypted automatically while being stored on the device.

Note 3: The WlanXml blob is sent in the OMA SyncML XML message as chr. The profile XML content needs to be XML-escaped in the OMA message.

Note 4: keyMaterial, if it exists in the WlanXml blob, needs to come after the keyType and protected elements, as documented in MSDN: http://msdn.microsoft.com/en-us/library/windows/desktop/aa370032(v=vs.85).aspx

Note 5: For an EAP-TLS profile, the server must successfully configure and enroll the required client certificate first, before pushing down the Wi-Fi profile.

Note 6: A self-signed server certificate works for EAP-TLS and PEAP-MSCHAPv2, but it isn't supported in EAP-TTLS.

Note 7: The SSID of the Wi-Fi network is part of the LocURI node, which must be a valid URI based on RFC 2396. This requires that all non-ASCII characters be escaped using a % character. Unico
299. o detect the corporate wireless network. Type: bool. Supported operations: Get, Add, Replace and Delete. Default value: false. Example: true.

POLICIES/CONNECTIONTYPE
Optional node. Valid values are:
• Triggering: the VPN automatically connects as applications require connectivity to a protected resource. The life cycle of the VPN is based on the applications using the VPN. This is the recommended setting for optimizing usage of power resources.
• Manual: the user must manually connect/disconnect the VPN.
• (new for GDR2) AlwaysOn: the VPN is always connected when there is a network connection.
Type: chr. Supported operations: Get, Add, Replace. Default value: Triggering. Example: Manual.

POLICIES/APPIDLETIMEOUT (new for GDR2)
Optional node. For use in VPN with the triggering connection type. The connection manager automatically disconnects the VPN if the application is idle with no connectivity request. The idle time-out setting ranges from 30 seconds to 86400 seconds (24 hours), with a default value of 600 seconds (10 minutes). Type: int. Supported operations: Get, Add, Replace. Default value: 600 (10 min). Example: 30.

DNSSUFFIX
Optional node. Required setting to push down the primary connection-specific DNS suffix. Type: chr. Supported operations: Get, Add, Replace and Delete. Example: corp.contoso.com.

Examples
IKEv2 VPN profile using EAP-TLS as the authentication method, with server certificate validation turned on:

<SyncML xmlns="SYNCML:SYNCML1.2">
300. ocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordLength</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>5</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>6</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/AlphanumericDevicePasswordRequired</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>1</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>7</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordExpiration</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>2</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>8</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/DevicePasswordHistory</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>50</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>9</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MaxInactivityTimeDeviceLock</LocURI>
      </Ta
301. ocuses on logging transaction errors during MDM enrollment, the DM session and SCEP certificate enrollment. The corresponding ETW logs are exposed via Windows Phone Developer Power Tools 8.1 in the Windows Phone 8.1 SDK.

Retrieve MDM logs
The following steps describe how to use the Windows Phone 8.1 SDK Power Tools to get MDM logs:
1. Install the Windows Phone 8.1 SDK and launch Power Tools.
2. Under Performance Recorder, check Enterprise Management under the Extras category.
3. Select a device (an emulator image or a dev-unlocked retail device connected to the PC).
4. Tap the Start button to start logging.
5. Run the enterprise scenarios.
6. Tap the Stop button to save the ETW log to a local location.

[Screenshot: Windows Phone Developer Power Tools, Performance Recorder tab ("Record system information"), with the Extras category and its Enterprise Management profile]

View ETW logs
Use Windows Performance Analyzer to view the l
302. ode before it sends a Get/Replace command to query or update polling parameters via the DMClient CSP.

NOTE 2: When using the DMClient CSP to configure polling schedule parameters, the server must not set all 6 polling parameters to 0, or set all 3 number-of-retries nodes to 0; doing so will cause a configuration failure.

<ProviderID>/Poll/IntervalForFirstSetOfRetries
Optional. The waiting time (in minutes) for the initial set of retries, as specified by the number of retries in <ProviderID>/Poll/NumberOfFirstRetries. If IntervalForFirstSetOfRetries is not set, then the default value is used. The default value is 15. If the value is set to 0, this schedule is disabled. Supported operations are Get, Replace. Replaces the deprecated HKLM\Software\Microsoft\Enrollment\OmaDmRetry\AuxRetryInterval path that previously utilized the Registry CSP.

<ProviderID>/Poll/NumberOfFirstRetries
Optional. The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server. If the value is set to 0 and the IntervalForFirstSetOfRetries value isn't 0, then the schedule will be set to repeat an infinite number of times, and the second set of retries will not be set in this case. The default value is 10. Supported operations are Get, Replace. Replaces the deprecated HKLM\Software\Microsoft\Enrollment\OmaDmRetry\AuxNumRetries path that previously utilized the Registry CSP.
303. odingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">B64EncodedSampleBinarySecurityToken</BinarySecurityToken>
      </RequestedSecurityToken>
      <RequestID xmlns="http://schemas.microsoft.com/windows/pki/2009/01/enrollment">0</RequestID>
    </RequestSecurityTokenResponse>
  </RequestSecurityTokenResponseCollection>
</s:Body>
</s:Envelope>

Sample provisioning XML (presented in the preceding package as a security token):

<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <characteristic type="Root">
      <characteristic type="System">
        <characteristic type="031336C933CC7E228B88880D78824FB2909A0A2F">
          <parm name="EncodedCertificate" value="B64 encoded cert insert here" />
        </characteristic>
      </characteristic>
    </characteristic>
    <characteristic type="My">
      <characteristic type="User">
        <characteristic type="F9A4F20FC50D990FDD0E3DB9AFCBF401818D5462">
          <parm name="EncodedCertificate" value="B64EncodedCertInsertedHere" />
        </characteristic>
        <characteristic type="PrivateKeyContainer">
          <!-- This tag must be present for XML syntax correctness. -->
        </characteristic>
      </characteristic>
    </characteristic>
    <characteristic type="WSTEP">
      <characteristic type="Renew">
        <
304. oft.com/ConfigurationManager/Enrollment/DeviceEnrollmentProvisionDoc, because the token is more than an X.509 v3 certificate. The provisioning XML contains:
• (mandatory) The requested certificates
• (mandatory) The DM client configuration
• (optional) An enterprise application token and an enterprise app download link, to allow the enrollment client to download a Company Hub or enterprise app at the end of enrollment

The client will install the client certificate, the enterprise root certificate and the intermediate CA certificate (if there is one). The DM configuration includes the name and address of the DM server, which client certificate to use, and the schedules for when the DM client calls back to the server.

NOTE 1: The enrollment provisioning XML should contain at most one root certificate and one intermediate CA certificate, those needed to chain up the MDM client certificate. Additional root and intermediate CA certificates can be provisioned during an OMA DM session.

NOTE 2: When provisioning root and intermediate CA certificates, the supported CSP node paths are CertificateStore/Root/System for root certificate provisioning and CertificateStore/CA/System for intermediate CA certificate provisioning.

Here is a sample RSTR message and a sample of the OMA client provisioning XML within the RSTR. For more information about the configuration service providers (CSPs) used in provisioning XML, see the Enterprise settings, policies and app management section.
305. oft.com/networking/OneX/v1&quot;&gt;
&lt;authMode&gt;user&lt;/authMode&gt;
&lt;EAPConfig&gt;
&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;
&lt;EapMethod&gt;
&lt;Type xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt;
&lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt;
&lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt;
&lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt;
&lt;/EapMethod&gt;
&lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;
&lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;
&lt;Type&gt;25&lt;/Type&gt;
&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt;
&lt;ServerValidation&gt;
&lt;DisableUserPromptForServerValidation&gt;true&lt;/DisableUserPromptForServerValidation&gt;
&lt;ServerNames&gt;&lt;/ServerNames&gt;
&lt;TrustedRootCA&gt;InsertCertThumbPrintHere&lt;/TrustedRo
306. og. The logging information is saved in an ETL file. The MDM developer should use the Windows 8.1 version of Windows Performance Analyzer (WPA) to view the log. A Windows 7 or 8 machine is required to use this tool. WPA is part of the Windows Performance Toolkit, included in the Windows Assessment and Deployment Kit (Windows ADK) and the Windows Software Development Kit (SDK).

Windows Performance Analyzer
WPA is a tool that creates graphs and data tables of Event Tracing for Windows (ETW) events that are recorded by Windows Performance Recorder (WPR), Xperf, or an assessment that is run in the Assessment Platform. MSDN reference link for WPA: http://msdn.microsoft.com/en-us/library/windows/desktop/hh448170.aspx

The 8.1 version of the WPA tool supports all the fields that ISVs need in order to view MDM logs. It can be downloaded here: http://www.microsoft.com/en-us/download/details.aspx?id=39982

Steps to use the WPA tool to view an MDM log file:
1. Use Windows Performance Analyzer to open the .etl file.
2. In WPA's Graph Explorer window, expand System Activity. A Generic Events sub-window will be displayed.
[Screenshot: WPA Graph Explorer with System Activity expanded]
3. Double-click the graphic bars in the Generic Events window. An Analysis window will show up at the right side.
[Screenshot: WPA Analysis window]
4. In the Analysis window, click the Open View Editor icon. A Generic Events View Editor window will pop up.
307. oleList&gt;&lt;/HandheldLockdown&gt;</Data>
      </Item>
    </Add>
    <Final/>
  </SyncBody>
</SyncML>

Theme
The following example shows how to change the accent color to one of the standard colors:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <!-- zero-based index of available theme colors -->
        <Data>7</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

The following example shows how to change the theme:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeBackground</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <!-- 0 for light, 1 for dark -->
        <Data>1</Data>
      </Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>

The following example shows how to set a custom theme accent color for the enterprise environment:

  <SyncBody>
    <Replace>
      <CmdID>1</CmdID>
      <Item>
308. ols that are used in the enrollment flow.

Discovery request (Steps 2-3): The discovery request is a simple HTTP POST call that returns XML over HTTP. The returned XML includes the authentication URL, the management service URL and the user credential type.

Certificate enrollment policy (Steps 4-5): The certificate enrollment policy configuration is an implementation of the MS-XCEP protocol, which is described in [MS-XCEP]: X.509 Certificate Enrollment Policy Protocol Specification. Section 4 of the specification provides an example of the policy request and response. The X.509 Certificate Enrollment Policy Protocol is a minimal messaging protocol that includes a single client request message (GetPolicies) with a matching server response message (GetPoliciesResponse).

Certificate enrollment (Steps 6-7): The certificate enrollment is an implementation of the MS-WSTEP protocol.

Management configuration (Step 8): The server sends provisioning XML that contains a server certificate (for SSL server authentication), a client certificate issued by the enterprise CA, DM client bootstrap information for the client to communicate with the management server, an enterprise application token for the user to install enterprise applications, and the link to download the Company Hub application.

Discovery web service (Updated in Windows Phone 8.1)
Prerequisite: The administrator of the discovery service must create a host with the address enterpriseenroll
309. on management for Custom1, Custom2, Custom3 -->
<xs:schema xmlns:xs="http://www.w3.org/2001/XMLSchema" elementFormDefault="qualified">
  <!-- COMPLEX TYPE: ROLE LIST TYPE -->
  <xs:complexType name="role_list_t">
    <xs:sequence minOccurs="1" maxOccurs="1">
      <xs:element name="Role" type="role_t" minOccurs="1" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- COMPLEX TYPE: START SCREEN SIZE TYPE -->
  <xs:simpleType name="startscreen_size_t">
    <xs:restriction base="xs:string">
      <!-- Small: 4 columns -->
      <xs:enumeration value="Small"/>
      <!-- Large: 6 columns -->
      <xs:enumeration value="Large"/>
    </xs:restriction>
  </xs:simpleType>
  <!-- COMPLEX TYPE: APPLICATION LIST TYPE -->
  <xs:complexType name="application_list_t">
    <xs:sequence minOccurs="0" maxOccurs="1">
      <xs:element name="Application" type="application_t" minOccurs="0" maxOccurs="unbounded"/>
    </xs:sequence>
  </xs:complexType>
  <!-- COMPLEX TYPE: BUTTON LIST TYPE -->
  <xs:complexType name="button_list_t">
    <xs:sequence minOccurs="0" maxOccurs="1">
      <xs:element name="Button" minOccurs="0" maxOccurs="6" type="button_t"/>
    </xs:sequence>
  </xs:complexType>
  <!-- COMPLEX TYPE: MENU ITEM LIST TYPE -->
  <xs:complexType name="menu_item_list_t">
    <xs:sequence minOccurs="0" maxOccurs="1">
      <xs:element name="Disab
310. on page. Click Done. After the customization is applied to the phone, you can remove the SD card.

Add a certificate file
Here's an example:

<!-- Certificate Store CSP -->
<CertificateStore>
  <CA>
    <System ThumbPrint="92F6A5FF349A519F26C8D863758904380FB97F97">
      <EncodedCertificate>EncodedCertificate</EncodedCertificate>
    </System>
  </CA>
</CertificateStore>

The System ThumbPrint is the actual thumbprint for the certificate. The EncodedCertificate contains the Base-64 encoded X.509 certificate. You can export the certificate through the certmgr app from the Windows Control Panel using one of the following methods.

Certificate export method 1:
1. Select a certificate and then right-click.
2. Select All Tasks > Export.
3. Select the export file format Base-64 encoded X.509.
4. Copy the encoded certificate to the customizations.xml file.

Certificate export method 2:
1. Select a certificate and then right-click.
2. Select All Tasks > Export.
3. Select the export file format DER encoded binary.
4. Use the WEH 8.1 Prov Encryption BASE64 Tool from CodePlex to convert it to Base-64.
5. Copy the encoded certificate to the customizations.xml file.

For additional information, see CryptHashCertificate and X509Certificate2.Thumbprint.

Add a Wi-Fi profile
Here's an example:

<!-- Wifi CSP -->
<WiFi>
  <Profile name="Wifi_Contoso">
    <WlanXml>&lt;?xml version=&quot;1.0&quot;
311. ons on the device that you can lock down in ButtonLockdownList. When a user taps a button that is in the lockdown list, nothing will happen.
• Start. Note: Lock down of the Start button only prevents the press-and-hold event.
• Back
• Search
• Camera
• Custom1
• Custom2
• Custom3
Note: Custom buttons are hardware buttons that can be added to devices by OEMs.

Example:

<Buttons>
  <ButtonLockdownList>
    <!-- Lockdown all buttons -->
    <Button name="Search"></Button>
    <Button name="Camera"></Button>
    <Button name="Custom1"></Button>
    <Button name="Custom2"></Button>
    <Button name="Custom3"></Button>
  </ButtonLockdownList>

The Search and custom buttons can be remapped or configured to open a specific application. Button remapping takes effect for the device and applies to all users.

Note: The lockdown settings for a button per user role will apply regardless of the button mapping.

Caution: Button remapping can enable a user to open an application that is not in the Allow list. Use button lockdown to prevent application access for a user role.

To remap a button in Prov.xml, you supply the button name, the button event (typically "press") and the product ID for the application the button will open.

Example:

<ButtonRemapList>
  <Button name="Search">
    <ButtonEvent name="Press">
      <!-- Alarms -->
      <A
312. operation is Get.

Inventory/<ProductID>/Title
Required. The character string that contains the name of the installed enterprise application. Scope is dynamic. Supported operation is Get.

Inventory/<ProductID>/Publisher
Required. The character string that contains the name of the publisher of the installed enterprise application. Scope is dynamic. Supported operation is Get.

Inventory/<ProductID>/InstallDate
Required. The time, in the character format YYYY-MM-DD-HH:MM:SS, that the application was installed or updated. Scope is dynamic. Supported operation is Get.

EnterpriseApps/Download
Required. This node groups application download related parameters. Note that for Windows Phone 8 the enterprise server can only automatically update currently installed enterprise applications; the end user controls which enterprise applications to download and install. Scope is dynamic. Supported operation is Get.

Download/<ProductID>
Optional. This node contains the GUID for the installed enterprise application. Each installed application has a unique ID. Scope is dynamic. Supported operations are Get, Add and Replace.

Download/<ProductID>/Version
Optional. The character string that contains version information set by the caller for the application currently being downloaded. Scope is dynamic. Supported operations are Get, Add and Replace.

Download/<ProductID>/Name
Required. The character string that contains the name of the installed applicatio
313. operations: Get, Set.

MaintenanceWindow/ScheduleXML
Gets the list of maintenance window schedules as XML. Replaces the current schedule with a new set of schedules, or adds new schedules if there are no existing schedules. Replace is destructive and will erase the old schedule. Supported operations: Add, Replace and Get.

Use the parameters in the following table to specify the schedule for the maintenance window.

Parameter: Enabled
Description: Specify true to enable the maintenance window; otherwise specify false.

Parameter: Schedule
Description: Groups the following parameters.
  StartDate: Specifies the date to start the scheduled maintenance window, including the year, month, day, "T" as a separator, hour, minute and second (YYYY-MM-DDTHH:mm:ss format). For example, 2013-10-27T02:00:00.
  IsUTC: Specify true if the time should be interpreted as UTC time; otherwise specify false.
  Duration: Required. Specifies the duration of the scheduled maintenance window.
    Days: An integer that specifies the number of days (01 through 31).
    Hours: An integer that specifies the number of hours for the maintenance window (0 through 23).
    Minutes: An integer that specifies the number of minutes, in addition to the hours, for the maintenance window (0 through 59).
  Recurrence: Required. Specifies the recurrence schedule for the maintenance window.
    Type: Required. A string that specifies the recurrence schedule:
      • None: one-time instance only
      • Interval: occurs at a specified interval as defined
314. or/MSFT/CertificateStore/My/SCEP/CertSCEP-1/Install/Challenge</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>ChallengeInsertedHere</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>15</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP-1/Install/CAThumbprint</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>CAThumbprintInsertedHere</Data>
    </Item>
  </Add>
  <Exec>
    <CmdID>16</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/SCEP/CertSCEP-1/Install/Enroll</LocURI>
      </Target>
    </Item>
  </Exec>
</Atomic>

Configuring the device to automatically renew the MDM client certificate with the specified renew period and retry interval:

<Atomic>
  <CmdID>1</CmdID>
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/ROBOSupport</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">bool</Format>
      </Meta>
      <Data>true</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>3</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/CertificateStore/My/WSTEP/Renew/R
osso.com&#xF000;time.windows.com&#xF000;&#xF000;" datatype="multiplestring" />
  </characteristic>
</characteristic>

NTPRegularSyncInterval: The value is in terms of hours and ranges from 1 to 168. The default value is 24.

NTPServers: The value is a multistring. The example shows &#xF000; being used as a delimiter. NTPServer values should always end in &#xF000;&#xF000; (double NULL).

Note: If no value is specified, the default value is time.windows.com. The strings shown here are examples only.

Enable near field communication (Handheld 8.1)

Near field communication (NFC) enables a Windows Embedded 8.1 Handheld-powered device to communicate with an NFC tag or another NFC-enabled transmitting device. This section describes the components of an NFC tag that you should follow so that the tag works with your devices.

The NFC plug-in enables the administrator to provide a provisioning XML file during the out-of-box experience (OOBE) phase. The NFC plug-in allows an administrator to transfer provisioning information to persistent storage by tapping an unprovisioned Handheld 8.1-powered device to an NFC tag or NFC-enabled device.

To use NFC for pre-provisioning a device, you must either prepare your own NFC tags by writing your provisioning XML file to a tag in the manner described in this section, or build the infrastructure needed to transmit a provisioning XML file between an NFC-enabled device an
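The multistring rules above (U+F000 between entries, a double U+F000 terminator, time.windows.com as the fallback) are easy to get wrong when a management server generates the NTPServers parm. The following is an added example, not code from the document or from Microsoft: it encodes a server list into that form, decodes and validates one, and renders the parm element in the &#xF000; entity form the page uses. The server names in the sample are constructed.

```python
"""Build and check an NTPServers multistring value (added example; not Microsoft's code)."""
from xml.sax.saxutils import quoteattr

# The multiplestring datatype separates entries with U+F000 and terminates the
# whole value with a double U+F000 ("double NULL"); in XML it is written &#xF000;.
SEP = "\uf000"
TERMINATOR = SEP + SEP
DEFAULT_SERVER = "time.windows.com"  # default the page gives when no value is specified


def encode_ntp_servers(servers):
    """Join server names into a multistring that ends in the double terminator."""
    names = [s.strip() for s in servers if s and s.strip()]
    if not names:
        names = [DEFAULT_SERVER]  # nothing specified: same server the device falls back to
    for name in names:
        if SEP in name:
            raise ValueError("a server name must not contain the U+F000 delimiter")
    return SEP.join(names) + TERMINATOR


def decode_ntp_servers(value):
    """Split a multistring into names; reject values without the double terminator."""
    parts = value.split(SEP)
    # "a<SEP>b<SEP><SEP>" splits into ["a", "b", "", ""]; the last two must be empty.
    if len(parts) < 3 or parts[-1] != "" or parts[-2] != "":
        raise ValueError("multistring must end in a double U+F000 terminator")
    names = parts[:-2]
    if names == [""]:
        return []  # an empty multistring: only the terminator is present
    if any(n == "" for n in names):
        raise ValueError("empty entry before the terminator (premature double U+F000)")
    return names


def is_valid_multistring(value):
    """True when decode_ntp_servers accepts the value."""
    try:
        decode_ntp_servers(value)
        return True
    except ValueError:
        return False


def ntp_servers_parm(servers):
    """Render the <parm> element using the &#xF000; entity form shown on the page."""
    value = quoteattr(encode_ntp_servers(servers)).replace(SEP, "&#xF000;")
    return f'<parm name="NTPServers" value={value} datatype="multiplestring" />'


if __name__ == "__main__":
    # Constructed sample: a corporate NTP server followed by the Microsoft default.
    print(ntp_servers_parm(["ntp.example.test", "time.windows.com"]))
    print(decode_ntp_servers(encode_ntp_servers(["ntp.example.test"])))
```

The decoder treats a double U+F000 anywhere but the end as an error rather than silently dropping the entries after it, which is what a device parser reading up to the first terminator would do.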
otCA&gt;&lt;/ServerValidation&gt;&lt;FastReconnect&gt;true&lt;/FastReconnect&gt;&lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt;&lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;&lt;Type&gt;26&lt;/Type&gt;&lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsChapV2ConnectionPropertiesV1&quot;&gt;&lt;UseWinLogonCredentials&gt;false&lt;/UseWinLogonCredentials&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;EnableQuarantineChecks&gt;false&lt;/EnableQuarantineChecks&gt;&lt;RequireCryptoBinding&gt;false&lt;/RequireCryptoBinding&gt;&lt;PeapExtensions&gt;&lt;PerformServerValidation xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;true&lt;/PerformServerValidation&gt;&lt;AcceptServerName xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV2&quot;&gt;false&lt;/AcceptServerName&gt;&lt;/PeapExtensions&gt;&lt;/EapType&gt;&lt;/Eap&gt;&lt;/Config&gt;&lt;/EapHostConfig&gt;&lt;/EAPConfig&gt;&lt;/OneX&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt;</Data>
    </Item>
  </Add>
</Atomic>

RemoteLock configuration s
owed by the Enrollment policy service and then the Enrollment web service.

My/WSTEP/Renew/ROBOSupport
Optional. Notifies the client whether the MDM enrollment server supports ROBO auto certificate renew. The datatype for this node is bool. For MDM enrolled with the On-premise authentication method, by default the device will use manual certificate renew. If the server sets this value to true, the device will use ROBO as the renew method in the background; no user action is needed. For MDM enrolled with federated authentication, ROBO is the only supported renewal method. If the server sets this node value to false, or deletes this node, for a federated enrolled device, the configuration will fail. Supported operations are Add, Get, Delete, Replace.
NOTE: When setting the renew schedule over SyncML DM commands to ROBOSupport, RenewalPeriod, and RetryInterval, those commands should be wrapped in an Atomic command.

My/WSTEP/Renew/RenewalPeriod
Optional. The time, in days, before the MDM certificate expires at which the client is triggered to initiate the MDM client certificate renew process. The MDM server could set and update the renew period. This parameter applies to both manual cert renewal and ROBO cert renewal. It is recommended that the renew period be set a couple of months before the cert expires, to ensure the cert gets successfully renewed while the device has data connectivity. Supported operations are Add, Get, Delete, Replace. Default value is 42. Datatype of this node value is int.
[Screenshot: cert expiring warning dialog ("Attention required": enter password, tap Done).]

In detail, the client creates a GetPolicies request and processes the GetPoliciesResponse as before. Then the client creates an RST renewal request to retrieve a new certificate from the enrollment web service. The renewal request specifies a different RequestType from the initial enrollment request (Renew instead of Issue). It also uses a different BinarySecurityToken ValueType (PKCS#7 instead of PKCS#10). Here is a sample to illustrate the details of a manual renewal request:

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep</a:Action>
    <a:MessageID>urn:uuid:61a17f2c-42e9-4a45-9c85-f15c1c8baee8</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://dm.contoso.com/EnrollmentService/DeviceEnrollmentService.svc</a:To>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2011-07-11T19:49:08.579Z</u:Created
pInstall">
  <characteristic type="SDCard">
    <parm name="ProductID" value="912627c8-174c-4a49-ac53-a2b8e4a5be37" />
    <parm name="AppXPath" value="Appx\ReliabilityAppxV1.appx" />
    <parm name="LicensePath" value="Appx\ReliabilityAppxV1_license.xml" />
  </characteristic>
  <characteristic type="Network">
    <parm name="ProductID" value="912627c8-174c-4a49-ac53-a2b8e4a5be37" />
    <parm name="AppXPath" value="SharedFolder\ReliabilityAppxV1.appx" />
    <parm name="LicensePath" value="SharedFolder\ReliabilityAppxV1_license.xml" />
  </characteristic>
</characteristic>

The following example shows how to use an XAP package:

<characteristic type="AppInstall">
  <characteristic type="SDCard">
    <parm name="ProductID" value="F8240AA8-B1C7-4a9c-8914-79BA6A466475" />
    <parm name="XAPPath" value="MEGSLTestGame.xap" />
    <parm name="LicensePath" value="MEGSLTestGame_License.xml" />
  </characteristic>
</characteristic>

Provide the setting name that will be available on the device. Example:

<Settings>
  <System name="Microsoft.Themes" />
  <Application name="Microsoft.Search" />
</Settings>

Important note: If the Microsoft.DateTime setting is not locked down, users can change the time on the device. This can cause scheduled maintenance and communication with the MDM server to occur at the wrong time.

The following list identifies the hardware butt
pany's AET token.

Q: Is there a unique identifier that could be retrieved by both company applications and the MDM server?
A: Yes. During enrollment, the server sends down an AET (application enrollment token) to the phone for application distribution from that enterprise. The AET contains the Enterprise ID, also known as the Publisher ID. This publisher ID is used to form a publisher-specific phone ID. The MDM server can retrieve the publisher-specific phone ID by querying the following property URI: ./vendor/MSFT/DMClient/Provider/<provider id>/PublisherDeviceID. Applications can use a publisher-specific API to retrieve the same value that the MDM server retrieved right after enrollment: DeviceExtendedProperties.DeviceUniqueId.

Q: To support push notification for Windows Phone, do MDM ISVs need to get separate credentials for Windows and Windows Phone push notification?
A: No. MDM ISVs get one set of credentials from Microsoft for MDM Push for Windows and Windows Phone, by going and getting one from Windows.

Q: How to differentiate an MDM enrollment request between Windows Phone 8.1 and Windows Phone 8?
A: The <RequestVersion> tag in the MDM discovery request message contains version information. For Windows Phone 8.1 the value is 2.0. For Windows Phone 8 the value is 1.0.

Q: How could the MDM management server know whether the device is Windows
A: The MDM management server could query the DevDetail/SwV node to find the device OS version and us
[Screenshots: phone update ("no updates found"); workplace ("add a company account"); tap close to acknowledge; system settings screen; workplace settings screen ("Contoso removed").]

Enterprise settings, policies, and app management

The actual management interaction between the phone and the server is done via the DM client. The DM client communicates with the enterprise management server via DM v1.2 SyncML syntax. The OMA website provides the protocol details. Windows Phone 8.1 currently supports one MDM server. The DM client that is configured via the enrollment process is granted access to enterprise-related settings. Enterprise MDM settings are exposed via various configuration service providers to the DM client, and are described in this section.

The DM client is also configured during the enrollment process to be invoked by the task scheduler to periodically poll the MDM server. Additionally, the end user can use the Sync button in Windows Phone settings, under the company app detail page, to force the DM client to connect to the server immediately.

The following diagram shows the work flow between server and client.

[Diagram: Management Work Flow between Web service, Enrollment Server, Enterprise Mgmt Server, and App Content.]

This protocol defines an HTTPS-based client/server communication with DM SyncML XML as the package payload that carries management requests and execution results. The configuration request is addressed via
ports the web authentication broker for authentication during enrollment. The user enters a corporate email address. The phone tries to auto-discover the server and start the enrollment process. If no discovery enrollment server is found, the phone presents a screen to allow the user to enter the server address. Depending on which authentication is supported by the server, the user will be prompted to enter the requested credential. Once enrollment is complete, a workplace account will be added to the workplace setting control panel.

[Screenshots: SETTINGS (system / applications) listing Airplane mode (turned off), Bluetooth (turned off), Cellular+SIM (CarrierA), NFC (turned off), VPN (set up), workplace (add a workplace account). The workplace screen reads: "Some companies offer policies, certificates and apps that help you connect to your business. What's a workplace account? Your email address will be saved. Once you add a workplace account, your company will be able to collect personal information, disable apps or features, prevent you from resetting your phone or removing your workplace account, and remotely modify or delete all your content and settings. You can talk with your company's support person to find out what your company's policy allows."]

If federated WAB-based authentication is used, a server authentication page is displayed.

[Screenshot: WAB-hosted web page; SETTINGS > workplace > Contoso: "Some companies offer
pplication productId="08179793-ED2E-45EA-BA12-BDE3EE9C3CE3" parameters="" />
      </ButtonEvent>
    </Button>
  </ButtonRemapList>

Disabling navigation buttons

To disable navigation buttons (such as Home or Back) in prov.xml, you supply the name (for example, Start) and the button event (typically, press).

The following section contains a sample WEHLockdown.xml file that shows how to disable navigation buttons.

Example:

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <ActionCenter enabled="false" />
    <Apps>
      <!-- Settings -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5601">
        <PinToStart>
          <Size>Large</Size>
          <Location>
            <LocationX>0</LocationX>
            <LocationY></LocationY>
          </Location>
        </PinToStart>
      </Application>
      <!-- Phone Apps -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5611">
        <PinToStart>
          <Size>Small</Size>
          <Location>
            <LocationX>2</LocationX>
            <LocationY>2</LocationY>
          </Location>
        </PinToStart>
      </Application>
    </Apps>
    <Buttons>
      <ButtonLockdownList>
        <Button name="Start">
          <ButtonEvent name="Press" />
        </Button>
        <Button name="Back">
          <ButtonEvent name="Press" />
          <ButtonEvent name="PressAndHold" />
        </Button>
        <Button
pplication productId="CBB8C3BD-99E8-4176-AD8C-95EC6A3641C2" /> <!-- Bing News -->
      <Application productId="9C3E8CAD-6702-4842-8F61-B8B33CC9CAF1" /> <!-- Bing Sports -->
      <Application productId="0F4C8C7E-7114-4E1E-A84C-50664DB13B17" /> <!-- Bing Travel -->
      <Application productId="19CD0687-980B-4838-8880-5F68ABA1671E" /> <!-- Bing Weather -->
      <Application productId="63C2A117-8604-44E7-8CEF-DF10BE3A57C8" /> <!-- Calculator -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5603" /> <!-- Calendar -->
      <Application productId="36F9FA1C-FDAD-4CF0-99EC-C03771ED741A">
        <PinToStart>
          <Size>Medium</Size>
          <Location>
            <LocationX>0</LocationX>
            <LocationY>4</LocationY>
          </Location>
        </PinToStart>
      </Application> <!-- Camera -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5631" /> <!-- Cortana -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA568C">
        <PinToStart>
          <Size>Medium</Size>
          <Location>
            <LocationX>0</LocationX>
            <LocationY>2</LocationY>
          </Location>
        </PinToStart>
      </Application> <!-- Data Sense -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5646" /> <!-- Email -->
      <Application productId="5B04B775-356B-4AA0-AAF8-6491FFEA5614" />
proplist_t">
  <xs:sequence>
    <xs:element name="Prop" type="prop_t" minOccurs="0" maxOccurs="unbounded" />
  </xs:sequence>
</xs:complexType>

<!-- COMPLEX TYPE: MW_TYPE -->
<xs:complexType name="mw_t">
  <xs:sequence>
    <xs:element name="Schedule" type="schedule_t" minOccurs="1" />
  </xs:sequence>
  <xs:attribute name="Enabled" type="xs:boolean" use="required" />
</xs:complexType>

<!-- SCHEMA -->
<xs:element name="MWList">
  <xs:complexType>
    <xs:sequence>
      <xs:element name="PropList" type="proplist_t" minOccurs="0" maxOccurs="unbounded" />
      <xs:element name="MW" type="mw_t" minOccurs="0" maxOccurs="unbounded" />
    </xs:sequence>
    <xs:attribute name="version" use="required" type="xs:decimal" />
  </xs:complexType>
</xs:element>
</xs:schema>

EnterpriseExtFileSystem configuration service provider (Handheld 8.1)

The EnterpriseExtFileSystem configuration service provider (CSP) allows Information Technology (IT) administrators to add, retrieve, or change files in the file system through the Mobile Device Management (MDM) service. For example, you can use this configuration service provider to push a provisioning XML file or a new lock screen background image file to a device through the MDM service, and also to retrieve logs from the device in the enterprise environment.

Important note: This CSP applies only to Windows Embe
qualified">

<!-- COMPLEX TYPE: Duration -->
<xs:complexType name="duration_t">
  <xs:attribute name="Days">
    <xs:simpleType>
      <xs:restriction base="xs:unsignedInt">
        <xs:minInclusive value="0" />
        <xs:maxInclusive value="31" />
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
  <xs:attribute name="Hours">
    <xs:simpleType>
      <xs:restriction base="xs:unsignedInt">
        <xs:minInclusive value="0" />
        <xs:maxInclusive value="23" />
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
  <xs:attribute name="Minutes">
    <xs:simpleType>
      <xs:restriction base="xs:unsignedInt">
        <xs:minInclusive value="0" />
        <xs:maxInclusive value="59" />
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
</xs:complexType>

<!-- COMPLEX TYPE: Recurrence -->
<xs:complexType name="recurrence_t">
  <xs:attribute name="Type" use="required">
    <xs:simpleType>
      <xs:restriction base="xs:string">
        <xs:pattern value="None|Interval" />
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
  <xs:attribute name="MinuteSpan">
    <xs:simpleType>
      <xs:restriction base="xs:unsignedInt">
        <xs:minInclusive value="0" />
        <xs:maxInclusive value="59" />
      </xs:restriction>
    </xs:simpleType>
  </xs:attribute>
  <xs:attribute name="HourSp
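A server that writes MaintenanceWindow/ScheduleXML with Replace erases the existing schedule, so it is worth checking the document against the duration_t and recurrence_t ranges and the parameter table before sending it. The following is an added example, not code from the document or from Microsoft. It assumes that StartDate and IsUTC are attributes of the Schedule element and that Duration and Recurrence are its child elements; the schema fragments on the page show only the MWList/MW/Schedule nesting and the attribute ranges, and HourSpan's upper bound is cut off, so it is not enforced.

```python
"""Build and validate MaintenanceWindow ScheduleXML (added example; not Microsoft's code).

Assumed layout: <MWList version><MW Enabled><Schedule StartDate IsUTC>
  <Duration Days Hours Minutes/><Recurrence Type .../></Schedule></MW></MWList>
"""
import xml.etree.ElementTree as ET
from datetime import datetime

# Ranges from the duration_t / recurrence_t schema fragments on the page.
DURATION_LIMITS = {"Days": (0, 31), "Hours": (0, 23), "Minutes": (0, 59)}
SPAN_LIMITS = {"MinuteSpan": (0, 59)}     # HourSpan's range is cut off on the page
RECURRENCE_TYPES = ("None", "Interval")
BOOLS = ("true", "false")


def build_schedule_xml(start_date, is_utc, days, hours, minutes, recurrence="None", enabled=True, **spans):
    """Serialise one maintenance window in the assumed layout."""
    root = ET.Element("MWList", version="1.0")
    mw = ET.SubElement(root, "MW", Enabled=str(enabled).lower())
    sched = ET.SubElement(mw, "Schedule", StartDate=start_date, IsUTC=str(is_utc).lower())
    ET.SubElement(sched, "Duration", Days=str(days), Hours=str(hours), Minutes=str(minutes))
    rec = ET.SubElement(sched, "Recurrence", Type=recurrence)
    for name, value in spans.items():          # e.g. HourSpan=24 for an Interval recurrence
        rec.set(name, str(value))
    return ET.tostring(root, encoding="unicode")


def _check_ranges(elem, limits, where, errors):
    """Report any present attribute that is not an integer inside its documented range."""
    for name, (lo, hi) in limits.items():
        raw = elem.get(name)
        if raw is None:
            continue
        if not raw.isdigit() or not lo <= int(raw) <= hi:
            errors.append(f"{where}/@{name}={raw!r} outside {lo}..{hi}")


def validate_schedule_xml(text):
    """Return a list of problems; an empty list means every check here passed."""
    errors = []
    try:
        root = ET.fromstring(text)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    if root.tag != "MWList":
        return [f"root must be MWList, got {root.tag}"]
    if root.get("version") is None:
        errors.append("MWList/@version is required")
    for i, mw in enumerate(root.findall("MW")):
        where = f"MW[{i}]"
        if mw.get("Enabled") not in BOOLS:
            errors.append(f"{where}/@Enabled must be true or false")
        scheds = mw.findall("Schedule")
        if len(scheds) != 1:
            errors.append(f"{where} needs exactly one Schedule")
        for sched in scheds:
            try:  # YYYY-MM-DDTHH:mm:ss, as the parameter table requires
                datetime.strptime(sched.get("StartDate", ""), "%Y-%m-%dT%H:%M:%S")
            except ValueError:
                errors.append(f"{where}/Schedule/@StartDate must be YYYY-MM-DDTHH:mm:ss")
            if sched.get("IsUTC") not in BOOLS:
                errors.append(f"{where}/Schedule/@IsUTC must be true or false")
            dur = sched.find("Duration")
            if dur is None:
                errors.append(f"{where}/Schedule/Duration is required")
            else:
                _check_ranges(dur, DURATION_LIMITS, f"{where}/Schedule/Duration", errors)
            rec = sched.find("Recurrence")
            if rec is None:
                errors.append(f"{where}/Schedule/Recurrence is required")
            else:
                if rec.get("Type") not in RECURRENCE_TYPES:
                    errors.append(f"{where}/Schedule/Recurrence/@Type must be None or Interval")
                _check_ranges(rec, SPAN_LIMITS, f"{where}/Schedule/Recurrence", errors)
    return errors


# Constructed samples: a daily 3-hour window starting at the page's example time, and a bad one.
GOOD = build_schedule_xml("2013-10-27T02:00:00", True, 0, 3, 0, recurrence="Interval", HourSpan=24)
BAD = build_schedule_xml("2013-10-27T02:00", False, 0, 24, 0, recurrence="Weekly")

if __name__ == "__main__":
    print(GOOD)
    print(validate_schedule_xml(GOOD), validate_schedule_xml(BAD))
```

Run the validator on the XML before the Replace command is issued; since Replace is destructive, a schedule that the device rejects leaves it with no maintenance window at all.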
quest. For the OnPremise authentication policy, the UsernameToken in GetPolicies contains the user credential, whose value is based on the authentication policy in discovery. A sample of the request can be found on the MSDN website; the following is another sample, with user@contoso.com as the user name and mypassword as the password.

Header:

POST /ENROLLMENTSERVER/DEVICEENROLLMENTWEBSERVICE.SVC HTTP/1.1
Content-Type: application/soap+xml; charset=utf-8
User-Agent: Windows Phone 8 Enrollment Client
Host: enrolltest.contoso.com
Content-Length: xxxx
Cache-Control: no-cache

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd" xmlns:wsse="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd" xmlns:wst="http://docs.oasis-open.org/ws-sx/ws-trust/200512" xmlns:ac="http://schemas.xmlsoap.org/ws/2006/12/authorization">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/pki/2009/01/enrollmentpolicy/IPolicy/GetPolicies</a:Action>
    <a:MessageID>urn:uuid:72048B64-0F19-448F-8C2E-B4C661860AA0</a:MessageID>
    <a:ReplyTo>
      <a:Address>http://www.w3.org/2005/08/addressing/anonymous</a:Address>
    </a:ReplyTo>
    <a:To s:mustUnderstand="1">https://enrolltest.contoso.com/ENROLLMENTSERVER/DEVICEENROL
[Diagram: DMClient configuration service provider tree (continued): ...r, ExchangeID; DMClient/Provider/<ProviderID> with nodes EntDeviceName, Unenroll, EntDMID, SignedEntDMID, CertRenewTimeStamp, SignedCertRenewTimeStamp, PublisherDeviceID, ManagementServiceAddress, IntervalForFirstSetOfRetries, NumberOfFirstRetries, IntervalForSecondSetOfRetries, NumberOfSecondRetries, IntervalForRemainingScheduledRetries, NumberOfRemainingScheduledRetries, and Push with ChannelURI and Status.]

Unenroll
Required. The node accepts unenrollment requests by way of the OMA DM Exec command and calls the enrollment client to unenroll the phone from the management server whose provider ID is specified in the <Data> tag under the <Item> element. Scope is permanent. Supported operations are Get and Exec.

The following sample SyncML shows how to remotely unenroll the phone. Note that this command should be inserted in the general DM packages sent from the server to the phone.

<Exec>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/DMClient/Unenroll</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>TestMDMServer</Data>
    <!-- Replace TestMDMServer with the real MDM provider ID value. The value must be the same as the one specified in the DMClient/Provider/<ProviderID> node. -->
  </Item>
</Exec>

Provider R
r EAP-TLS. The EAP blob is HTML-encoded XML as defined in the EAP Host Config schemas. You can find the schemas on MSDN at http://msdn.microsoft.com/en-us/library/cc233018.aspx and http://msdn.microsoft.com/en-us/library/cc233016.aspx. Type: chr. Supported operations: Get, Add, and Replace.

AUTHENTICATION/METHOD
Required node for IKEv2 profiles. Not used for ThirdParty profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. Note that for EAP, use AUTHENTICATION/EAP instead. Type: chr. Supported operations: Get and Add.

PROXY
Optional node. A collection of configuration objects to enable post-connect proxy support for VPN. The proxy defined for this profile will be applied when this profile is active and connected.

PROXY/MANUAL
Optional node. A collection of configuration objects to enable a manual proxy with the required server and port details.

PROXY/MANUAL/SERVER
Optional node. This should be set together with PORT. Its value is the proxy server address as a fully qualified hostname or an IP address. Type: chr. Supported operations: Get, Add, Replace, and Delete. Example: proxy.contoso.com

PROXY/MANUAL/PORT
Optional node. This should be set together with SERVER. Its value is the proxy server port number, in the range 1-65535. Type: int. Supported operations: Get, Add, Replace, and Delete. Example: 8080

PROXY/BYPASSPROXYFORLOCAL
Optional node.
rageCard CSP, and the Registry CSP for phone encryption status. It enables the management service to configure device lock-related policies, disable or enable the storage card, and query phone encryption status. The RemoteWipe CSP allows IT pros to remotely and fully wipe the internal user data storage. The DeviceLock and StorageCard CSPs are only accessible by the enterprise service.
• Enterprise application management: This is addressed via the EnterpriseAppManagement CSP. It is used to install the enterprise token, query installed business application names and versions, etc. This CSP is only accessible by the enterprise service.
• Certificate management: This is supported via the CertificateStore CSP, to install new ROOT and CA certificates.
• Basic phone inventory and asset management: Some basic phone information can be retrieved via the DevInfo and DevDetail CSPs. These provide basic phone information such as OEM name, phone model, hardware version, OS version, processor type, etc. This is for asset management and phone targeting. The NodeCache CSP enables the phone to send only delta inventory settings to the server, to reduce over-the-air data usage. The NodeCache CSP is only accessible by the enterprise service.

DM SyncML functionality support

This section describes the OMA DM functionalities that the Windows Phone DM client supports in general. Note that for enterprise device management, not all OMA DM client functions are needed. For e
rder. Most restricted value is 0.
AllowBluetooth: values 0, 2. Most restricted value is 0.

Policy: Connectivity/AllowVPNOverCellular
Source: MDM
Description: This policy specifies what type of connections VPN could use.
Values: 0 = VPN is not allowed over cellular networks; 1 (default) = VPN is allowed to use any connection, including cellular.
Most restricted value is 0.

Policy: Connectivity/AllowManualVPNConfiguration (new for GDR2)
Source: MDM
Description: This policy allows the enterprise to enforce VPN protection by disabling all VPN settings from the device side. It prevents the user from manually configuring VPN settings that do not comply with company security policy.
Values: 0 = all VPN settings are disabled for the end user from the device side; 1 (default) = all VPN settings are enabled for the user from the device side.
Most restricted value is 0.

Policy: Connectivity/CellularAppDownloadMBLimit (new for GDR2)
Description: This policy specifies the maximum app file size, in MB, allowed for downloading through a cellular connection.
Values: Boolean. 0 is interpreted as 20 MB; 1 is interpreted as the mobile operator imposed limit. Default value is 0.

Policy: Wifi/WLANScanMode (new for GDR2)
Description: This policy defines the frequency mode for the active Wi-Fi scanning trigger when the screen is off and on. A low setting would result in
Values: Integer. 0 = Default; 100 = normal interval; 500 = high interval.
re information and examples, see NodeCache configuration service provider later in this document.

Coexistence of Exchange servers and the enterprise management server

Windows Phone can be configured with one or more Exchange servers and one enterprise management server. The Exchange server(s) and the enterprise management server could push down device lock policies and send remote wipe commands to the phone. To make sure the phone is maintained as secured via those policies, the phone applies "most secure wins" logic: if different policy values are set by various servers, the phone ensures that the most secure value is applied. This design prevents a server from loosening the secure policies set by another server. It also prevents a malicious server from altering legitimate company server policies. The client also ensures that if one server account is removed from the phone, the next most secure policy value that is set by the other servers is applied.

All this logic is built in at the client side. The server only needs to push down whatever policy values are set by IT administration. The phone will ensure that either the exact value or a more secure value is enforced on the phone. The enterprise management server can also use the PolicyManager CSP to query either the actual policy values applied to the phone or the policy values pushed down by the server. Notice that this query function is only available to the enterprise management server, not via Exchange
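The "most secure wins" rule and the re-evaluation after an account is removed are simple to state but easy to get wrong for policies where "more secure" means a smaller number. The following is an added example that models the client-side behaviour described above; it is not code from the document or from Micros
oft. MinDevicePasswordComplexCharacters appears in this document's DeviceLock sample; the other policy names, the server identifiers, the pushed values, and the direction table that says which way "more secure" lies are all assumptions for the example.

```python
"""Client-side "most secure wins" policy merge (added example; not Microsoft's code).

Several servers (Exchange accounts and one enterprise management server) each push
their own device-lock values; the phone enforces the strictest one per policy, and
removing a server account re-evaluates to the next most secure value.
"""

# Which direction is "more secure" for each policy (assumption for illustration):
#   "max"  - a larger value is stricter (longer password, more complex characters)
#   "min"  - a smaller value is stricter (shorter idle timeout, fewer failed attempts)
#   "true" - a true value is stricter (password required)
POLICY_DIRECTION = {
    "MinDevicePasswordLength": "max",
    "MinDevicePasswordComplexCharacters": "max",
    "MaxInactivityTimeDeviceLock": "min",
    "MaxDevicePasswordFailedAttempts": "min",
    "DevicePasswordEnabled": "true",
}


def most_secure(policy, values):
    """Pick the strictest of the candidate values for one policy."""
    values = list(values)
    direction = POLICY_DIRECTION[policy]
    if direction == "max":
        return max(values)
    if direction == "min":
        return min(values)
    return any(values)  # "true" direction: one server requiring it is enough


def effective_policies(pushed):
    """pushed: {server_id: {policy: value}} -> {policy: (enforced_value, [servers that set it])}."""
    result = {}
    for policy in sorted({p for settings in pushed.values() for p in settings}):
        candidates = {srv: s[policy] for srv, s in pushed.items() if policy in s}
        winner = most_secure(policy, candidates.values())
        result[policy] = (winner, sorted(srv for srv, v in candidates.items() if v == winner))
    return result


def remove_server(pushed, server_id):
    """Drop one account's policies and recompute, as the phone does when an account is removed."""
    return effective_policies({srv: s for srv, s in pushed.items() if srv != server_id})


def complies(policy, pushed, enforced):
    """True when the phone enforces the pushed value or a more secure one (what a querying server should expect)."""
    return most_secure(policy, [pushed, enforced]) == enforced


# Constructed sample: two Exchange accounts and one enterprise management server.
SAMPLE = {
    "Exchange-Contoso": {"MinDevicePasswordLength": 6, "MaxInactivityTimeDeviceLock": 15, "DevicePasswordEnabled": True},
    "Exchange-Partner": {"MinDevicePasswordLength": 4, "MaxInactivityTimeDeviceLock": 5},
    "MDM-Enterprise": {"MinDevicePasswordLength": 8, "MinDevicePasswordComplexCharacters": 2, "MaxDevicePasswordFailedAttempts": 10},
}

if __name__ == "__main__":
    for policy, (value, servers) in effective_policies(SAMPLE).items():
        print(f"{policy}: {value} (from {', '.join(servers)})")
    print("after removing MDM-Enterprise:", remove_server(SAMPLE, "MDM-Enterprise"))
```

The complies check is the server-side counterpart: when the enterprise management server queries actual values through the PolicyManager CSP, a value that is equal to or stricter than what it pushed is expected, and anything looser indicates the device is not honouring the policy.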
re warning dialog. However, the user may still go to company apps to provide an updated password and try to renew again. Windows Phone 8.1 will prompt a dialog warning the user that the certificate is expiring and that the user should provide an updated password to try to renew again. The enrollment server can make a decision on whether to accept a manual renew request.

For Windows Intune managed devices, if the certificate is already expired when the user updates the Windows Phone 8 device to Windows Phone 8.1, automatic cert renew would kick in and send a renew request to the server on behalf of the user. If the server accepts the request, the certificate will be installed. Note this is only for the updating case and is different from normal Windows Phone 8.1 automatic certificate renew, which stops sending renew requests if the certificate is expired.

Response for certificate renewal

When RequestType is Renew, the web service verifies the following in addition to initial enrollment:
• The signature of the PKCS#7 BinarySecurityToken is correct.
• The client's certificate is in the renewal period.
• The certificate was issued by the enrollment service.
• The requester is the same as the requester for initial enrollment.
• For a standard client's request, the client hasn't been blocked.

After validations, the web service retrieves the PKCS#10 content from the PKCS#7 BinarySecurityToken. The rest is the same as initial enrollment, except that the Provisioning XML on
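The renewal timing on the client (the My/WSTEP/Renew RenewalPeriod and RetryInterval nodes described earlier, with automatic renewal stopping once the certificate has expired) and the five extra checks the web service applies to a Renew request fit together in one small model. The following is an added example, not code from the document or from Microsoft. It takes the documented RenewalPeriod default of 42 days; the RetryInterval default is not on this page, so 7 days is assumed. The PKCS#7 signature result is passed in as a flag, since verifying it is outside this example, and the certificate, enrollment record, and dates are constructed.

```python
"""Client renewal timing and the server's checks for RequestType=Renew
(added example; not Microsoft's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta

DEFAULT_RENEWAL_PERIOD_DAYS = 42   # documented default for RenewalPeriod
DEFAULT_RETRY_INTERVAL_DAYS = 7    # assumed default for RetryInterval (not on this page)


@dataclass(frozen=True)
class ClientCert:
    subject: str
    issuer: str
    not_after: datetime


@dataclass(frozen=True)
class EnrollmentRecord:
    """What the enrollment service remembers from initial enrollment."""
    subject: str
    issuer: str
    blocked: bool = False


def renewal_window(cert, renewal_period_days=DEFAULT_RENEWAL_PERIOD_DAYS):
    """[start, end): renewal may begin RenewalPeriod days before NotAfter and ends at expiry."""
    return cert.not_after - timedelta(days=renewal_period_days), cert.not_after


def client_action(cert, now, last_attempt=None,
                  renewal_period_days=DEFAULT_RENEWAL_PERIOD_DAYS,
                  retry_interval_days=DEFAULT_RETRY_INTERVAL_DAYS):
    """Return 'wait', 'renew', 'backoff' or 'stop' for the automatic renewal scheduler."""
    start, end = renewal_window(cert, renewal_period_days)
    if now >= end:
        return "stop"      # expired: normal automatic renewal sends no further requests
    if now < start:
        return "wait"      # not yet inside the renewal period
    if last_attempt is not None and now - last_attempt < timedelta(days=retry_interval_days):
        return "backoff"   # a request went out recently; honour RetryInterval
    return "renew"


def server_checks(cert, record, now, signature_ok,
                  renewal_period_days=DEFAULT_RENEWAL_PERIOD_DAYS):
    """Names of the renewal checks that failed; an empty list means the request may proceed."""
    failed = []
    if not signature_ok:
        failed.append("pkcs7-signature")   # signature of the PKCS#7 BinarySecurityToken
    start, end = renewal_window(cert, renewal_period_days)
    if not start <= now < end:
        failed.append("renewal-period")    # client's certificate is in the renewal period
    if cert.issuer != record.issuer:
        failed.append("issuer")            # certificate was issued by the enrollment service
    if cert.subject != record.subject:
        failed.append("requester")         # same requester as at initial enrollment
    if record.blocked:
        failed.append("blocked")           # standard client's request: client not blocked
    return failed


# Constructed sample certificate and the matching enrollment record.
SAMPLE_CERT = ClientCert("CN=device-0001", "CN=Contoso Enrollment CA", datetime(2014, 1, 1))
SAMPLE_RECORD = EnrollmentRecord("CN=device-0001", "CN=Contoso Enrollment CA")


def at(cert, days_before_expiry):
    """A point in time the given number of days before the certificate expires."""
    return cert.not_after - timedelta(days=days_before_expiry)


if __name__ == "__main__":
    for days in (60, 30, -1):
        print(days, client_action(SAMPLE_CERT, at(SAMPLE_CERT, days)))
    print(server_checks(SAMPLE_CERT, SAMPLE_RECORD, at(SAMPLE_CERT, 10), signature_ok=True))
```

Note that server_checks treats an expired certificate as outside the renewal period; the Intune upgrade case described above, where the server chooses to accept such a request, is a server policy decision layered on top of these checks rather than part of them.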
Display name: Setting name
…: Microsoft.Feedback
…: Microsoft.FindMyPhone
…: Microsoft.KidZone
…: Microsoft.Language
…: Microsoft.Location
…reen: Microsoft.MirrorUX
notifications+actions: Microsoft.NocenterSettings
lock screen: Microsoft.PhoneLock
region: Microsoft.Regional
sync my settings: Microsoft.RoamingCpl
screen rotation: Microsoft.RotationLock
internet sharing: Microsoft.SoftAP
ringtones+sounds: Microsoft.Sounds
speech: Microsoft.Speech
storage sense: Microsoft.StorageSettings
start+theme: Microsoft.Themes
keyboard: Microsoft.TouchKeyboard
phone update: Microsoft.Updates
VPN: Microsoft.VPN
Wi-Fi: Microsoft.WiFi
NFC: Microsoft.NFC
USB: Microsoft.USB
data sense: Microsoft.DataSmart
internet explorer: Microsoft.IE
maps: Microsoft.Maps
messaging: Microsoft.Messaging
Office: Microsoft.OfficeMobile
people: Microsoft.Contacts
phone: Microsoft.Phone
photos+camera: Microsoft.Photos
search: Microsoft.Search
store: Microsoft.Marketplace
wallet: Microsoft.Wallet
cortana: Microsoft.AssistUX

System: Optional field. Used as an allow list of allowed settings that are displayed under System Settings.
Application: Optional. An allow list of allowed settings that show up under Application. See the previous table.

Settings Sample XML Excerpt

The following sample AssignedAccess XML locks down the settings page to show only two settings items in the Settings application: system/about and application/phone. Note that all top-level fields under <Default> must be includ
remise authentication, this XML tag must not exist. Note that the enrollment client is agnostic with regards to the protocol flows for authenticating and returning the security token. While the server might prompt for user credentials directly or enter into a federation protocol with another server and directory service, the enrollment client is agnostic to all of this. To remain agnostic, all protocol flows pertaining to authentication that involve the enrollment client are passive, that is, browser implemented.

The following are the explicit requirements for the server:
• The <DiscoveryResponse>/<AuthenticationServiceUrl> element MUST support HTTPS.
• The auth server must use a device-trusted root certificate. Otherwise, the WAP call will fail.
• WP doesn't support Windows Integrated Authentication (WIA) for ADFS during WAB authentication. ADFS 2012 R2, if used, needs to be configured not to attempt WIA for Windows Phone 8.1 devices.

The enrollment client issues an HTTPS request as follows:

AuthenticationServiceUrl?appru=<appid>&login_hint=<User Principal Name>

• <appid> is of the form ms-app://string.
• <User Principal Name> is the name of the enrolling user, for example user@contoso.com, as input by the user in an enrollment sign-in page. The value of this attribute serves as a hint that can be used by the authentication server as part of the authentication.

After authentication is compl
rget>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>2</Data>
    </Item>
  </Add>
  <Add>
    <CmdID>10</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/DeviceLock/Provider/TestMDMServer/MinDevicePasswordComplexCharacters</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>2</Data>
    </Item>
  </Add>
</Atomic>

DevInfo configuration service provider

This CSP is based on the OMA DM standard management object DevInfo. It provides some basic phone information to the OMA DM server.

The following diagram shows the DevInfo configuration service provider management object in tree format. All nodes in this CSP support only the Get command.

[Diagram: DevInfo tree with nodes DevId, Man, Mod, DmV, Lang.]

DevId: Required. Returns an application-specific globally unique phone identifier.
Man: Required. Returns the name of the OEM.
Mod: Required. Returns the name of the hardware phone model, as specified by the mobile operator.
DmV: Required. Returns the current management client revision of the phone.
Lang: Required. Returns the current user interface (UI) language setting of the phone, as defined by RFC 1766.

DMClient configuration service provider (Updated in Windows Phone 8.1)

The following diagram shows the DMClient configuration service provider in tree format.

[Diagram: DMClient configuration service provider tree.]
rise management role value (32, Enterprise) is supported. This is a Microsoft custom parameter. This parameter takes a numeric value in string format.

TO-NAPID
Optional. The TO-NAPID parameter is used in the APPLICATION characteristic to specify the Network Access Point the client will use to connect to the OMA DM server. If multiple TO-NAPID parameters are specified, only the first TO-NAPID value will be stored. This parameter takes a string value. You can set this parameter.

USEHWDEVID
Optional. The USEHWDEVID parameter is used in the APPLICATION characteristic to specify use of phone hardware identification. It does not have a value.
• If the parameter is not present, the default behavior is to use an application-specific GUID rather than the hardware device ID.
• If the parameter is present, the hardware device ID will be provided at the ./DevInfo/DevID node and in the Source LocURI for the DM package sent to the server. The International Mobile Station Equipment Identity (IMEI) is returned for a GSM phone.

SSLCLIENTCERTSEARCHCRITERIA
Optional. The SSLCLIENTCERTSEARCHCRITERIA parameter is used in the APPLICATION characteristic to specify the client certificate search criteria. This parameter supports search by subject attribute and certificate stores. If any other criteria are provided, they are ignored. The string is a concatenation of name/value pairs, each member of the pair delimited by the & character. The name and values are delimi
rocessed.

NOTE: It is possible, though highly improbable, that alphanumeric PINs may contain offensive words. It is at the discretion of the IT administrator to execute another LockAndPinReset if the alphanumeric PIN does not conform to the IT administrator's company policies.

Examples

Initiate a remote lock of the device:

<Exec>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/RemoteLock/Lock</LocURI>
    </Target>
  </Item>
</Exec>

Initiate a remote lock and PIN reset of the device. Please note that in order to retrieve the new device-generated PIN successfully, the commands must be executed together and in the proper sequence, as listed below.

<Sequence>
  <CmdID>1</CmdID>
  <Exec>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/RemoteLock/LockAndResetPIN</LocURI>
      </Target>
    </Item>
  </Exec>
  <Get>
    <CmdID>3</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/RemoteLock/NewPINValue</LocURI>
      </Target>
    </Item>
  </Get>
</Sequence>

RemoteRing configuration service provider (New in Windows Phone 8.1)

The RemoteRing CSP can be used to remotely trigger a device to produce an audible ringing sound, regardless of the volume that is set on the device.

The following diagram shows the RemoteRing configuration service prov
rted operations: Get, Replace, Delete, Add.

The GUID values allowed are as follows:
• Email: c6d47067-6e92-480e-b0fc-4ba82182fac7
• Contacts: 0dd8685c-e272-4fcb-9ecf-2ead7ea2497b
• Calendar: 4a5d9fe0-f139-4a63-a5a4-4f31ceea02ad
• Task: 783ae4f6-4c12-4423-8270-66361260d4f1

ContentTypes/<GUID>/Enabled
Required. A character string that specifies whether sync is enabled or disabled for the selected content type. The default value of 1 specifies that sync is enabled; a value of 0 specifies that sync for email, contacts, calendar or tasks is disabled.
Supported operations: Get, Replace, Add (cannot Add after the account is created).

ContentTypes/<GUID>/Name
Required. Specifies the name of the content type as a string.
Supported operations: Get, Replace, Add (cannot Add after the account is created).

Example

The following sample shows how to configure Outlook ActiveSync account settings:

  <Atomic>
    <CmdID>13</CmdID>
    <Add>
      <CmdID>4</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/Domain</LocURI>
        </Target>
        <Data>contoso</Data>
      </Item>
    </Add>
    <Add>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/ActiveSync/Accounts/%7Bac63781d-9bf2-4442-a7f2-77fb2b96c42d%7D/AccountType</LocURI>
rvice provider
• DevDetail configuration service provider
• RemoteWipe configuration service provider
• Email2 configuration service provider
• ActiveSync configuration service provider
• NodeCache configuration service provider
• Phone encryption via the PolicyManager CSP
• PolicyManager configuration service provider (new in Windows Phone 8.1)
• RemoteLock configuration service provider (new in Windows Phone 8.1)
• Wi-Fi configuration service provider (new in Windows Phone 8.1)
• VPN configuration service provider (new in Windows Phone 8.1)
• RemoteRing configuration service provider (new in Windows Phone 8.1)

DM client configuration (Updated in Windows Phone 8.1)

The w7 APPLICATION CSP is built on the standard OMA Client Provisioning w7 APPLICATION characteristic definition. This CSP allows the enrollment server to configure the DM client to communicate with the server. Windows Phone has extended it with a few more parameters to provide richer configuration capability. For more information, see "w7 APPLICATION configuration service provider" later in this document.

Windows Phone 8.1 allows the enrollment server to specify how frequently the DM client should call back to the management server. This is configured by the server sending OMA Client Provisioning XML via the DMClient CSP. Note that in Windows Phone 8 the enrollment server configures the scheduled DM events (polling the MDM server, starting the MDM client, certificate manual renew
s MDM server could send policy via the OMA node ./Vendor/MSFT/PolicyManager/My/Security/AllowManualRootCertificateInstallation to prevent the user from installing root or CA certificates. Refer to "PolicyManager configuration service provider" for a detailed description of each policy. If this policy is applied to the device, a user-downloaded certificate file that contains a root or CA certificate will not be installed on the device, even if the file also contains certificates that are not root or CA certificates.

Virtual Smart Card certificate provisioning

For an organization that has stricter security requirements, such as two-factor authentication with a PIN-protected, TPM-backed certificate, Windows Phone provides a set of virtual smart card (vSC) certificate APIs that allow a third-party application to build a vSC certificate provisioning and management solution directly. Such a certificate can be used by the browser and by S/MIME for client authentication and/or securing email. Note: vSC certificates are not managed by the MDM server but by the third-party vSC application and the vSC certificate provisioning server.

Global certificate revocation support

Windows Phone 8.1 has the same certificate revocation support as Windows Phone 8. It supports both certificate revocation list (CRL) checking and the Online Certificate Status Protocol (OCSP).

Phone configuration

To get basic information about the configuration settings of the phone, the enterprise management server can use two configuration service providers, which h
s true, only specific traffic to defined secured resources goes to the VPN gateway.
Type: bool. Supported operations: Get, Add, Replace and Delete. Default value: true. Example: true

POLICIES/REMEMBERCREDENTIALS
Optional node. When this is true, the VPN remembers the user credentials and provides a single sign-on experience.
Type: bool. Supported operations: Get, Add, Replace and Delete. Default value: true. Example: true

POLICIES/BYPASSFORLOCAL
Optional node. When this setting is true, requests to local resources that are available on the same Wi-Fi network as the VPN client bypass the VPN. For example, if enterprise policy for the VPN requires force tunnel but the enterprise intends to allow the remote user to connect locally to a media center in their home, this option should be set to true; the user will then be able to bypass the VPN for local-subnet traffic. When this is set to false, the setting is disabled and no subnet exceptions are allowed.
Type: bool. Supported operations: Get, Add, Replace and Delete. Default value: false. Example: true

POLICIES/TRUSTEDNETWORKDETECTION
Optional node. When this setting is true, the VPN does not connect while the user is on their corporate wireless network, where protected resources are directly accessible to the device. When this is set to false, the VPN connects even over the corporate wireless network. Because the trusted-network decision is keyed on the DNS suffix the network hands out, treat it as a convenience that avoids a redundant tunnel, not as proof that the network is the corporate one. This node depends on the DNSSuffix node being set in order t
s to prompt the user for server certificate validation:

  <Atomic>
    <CmdID>300</CmdID>
    <Add>
      <CmdID>301</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>&lt;?xml version=&quot;1.0&quot;?&gt;
&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;
&lt;name&gt;MyNetwork&lt;/name&gt;
&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;/SSID&gt;&lt;nonBroadcast&gt;false&lt;/nonBroadcast&gt;&lt;/SSIDConfig&gt;
&lt;connectionType&gt;ESS&lt;/connectionType&gt;
&lt;connectionMode&gt;manual&lt;/connectionMode&gt;
&lt;MSM&gt;&lt;security&gt;
&lt;authEncryption&gt;&lt;authentication&gt;WPA2&lt;/authentication&gt;&lt;encryption&gt;AES&lt;/encryption&gt;&lt;useOneX&gt;true&lt;/useOneX&gt;&lt;/authEncryption&gt;
&lt;OneX xmlns=&quot;http://www.microsoft.com/networking/OneX/v1&quot;&gt;&lt;authMode&gt;user&lt;/authMode&gt;
&lt;EAPConfig&gt;&lt;EapHostConfig xmlns=&quot;http://www.microsof
sAndHold"/>
        </Button>
        <Button name="Custom3">
          <ButtonEvent name="Press"/>
          <ButtonEvent name="PressAndHold"/>
        </Button>
      </ButtonLockdownList>
      <ButtonRemapList/>
    </Buttons>
    <MenuItems>
      <DisableMenuItems/>
    </MenuItems>
    <Settings>
      <System name="Microsoft.About"/>
      <System name="Microsoft.FlashAppSetting"/>
      <System name="Microsoft.CompanyAccount"/>
      <System name="Microsoft.WiFi"/>
      <Application name="Microsoft.Search"/>
      <Application name="Microsoft.IE"/>
      <Application name="Microsoft.Maps"/>
      <Application name="Microsoft.Messaging"/>
      <Application name="Microsoft.OfficeMobile"/>
      <Application name="Microsoft.Contacts"/>
      <Application name="Microsoft.Phone"/>
    </Settings>
    <Tiles>
      <EnableTileManipulation/>
    </Tiles>
    <StartScreenSize>Small</StartScreenSize>
  </Default>
</HandheldLockdown>

LockscreenWallpaper
The parent node of the lock screen related parameters that let administrators query and manage the lock screen image on devices. Supported operations: Add, Replace and Get.

LockscreenWallpaper/BGFileName
The file name of the lock screen image. The image file can be in .jpg or .png format and must not exceed 2 MB. The file name can also be in Universal Naming Convention (UNC) format, in which case the devi
soft.AssistUX&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Contacts&quot; /&gt;
  &lt;Application name=&quot;Microsoft.IE&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Maps&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Marketplace&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Messaging&quot; /&gt;
  &lt;Application name=&quot;Microsoft.OfficeMobile&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Phone&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Photos&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Search&quot; /&gt;
  &lt;Application name=&quot;Microsoft.Wallet&quot; /&gt;
  &lt;/Settings&gt;
  &lt;/Role&gt;
  &lt;/RoleList&gt;
  &lt;/HandheldLockdown&gt;"/>
      </characteristic>
    </characteristic>
  </wap-provisioningdoc>

Troubleshooting

A setting didn't provision properly during OOBE
Make sure that you followed the format guidelines for each characteristic node in the Prov.xml file. An incorrect format can cause a step to be skipped during the provisioning process with no error being reported. For information about correct formatting, see the specific configuration service provider topic.

Cryptography for Prov.xml
The enterprise IT administrator will provide the encryption password when encrypting
Management configuration ... 6
Discovery web service (Updated in Windows Phone 8.1) ... 6
Web Authentication Broker support in enrollment process (New in Windows Phone 8.1) ... 9
Certificate enrollment policy web service ... 11
Certificate enrollment web service ... 15
Request for certificate renewal ... 22
Automatic MDM client certificate renewal via Renew On Behalf Of (ROBO) function in WSTEP ... 24
Certificate renewal schedule configuration ... 26
Updateability consideration ... 26
Response for certificate renewal ... 26
Example ... 101
DevInfo configuration service provider ... 103
DMClient configuration service provider (Updated in Windows Phone 8.1) ... 104
EMAIL2 configuration service provider ... 110
EnterpriseAppManagement configuration service provider (added functionality for Windows Phone 8.1) ... 123
NodeCache configuration service provider ... 133
RemoteWipe configuration service provider ... 138
Storage configuration service provider ... 138
w7 APPLICATION configuration service provider ... 139
PolicyManager configuration service provider (New in Windows Phone 8.1) ... 143
Windows Phone 8.1 supported company policies ... 145
Company Owned/Provided/Liable Device Policies
st is triggered.

Certificate manual renewal UI

The user experience is the enrollment client's built-in UI; there is no third-party extensibility. Before the client certificate expires, the phone notifies the user to go to the workplace settings page to renew the account. When the user navigates to the workplace settings page and taps the account name, the account detail screen appears. When the user provides the updated corporate password, the enrollment client communicates with the enrollment server to get the updated certificate.

[Screenshots: the Settings > workplace page with the CONTOSO account flagged "Action required"; the prompt "Re-enter password. Contoso requires you to re-enter your password. If you have company apps, they'll stop working soon unless you do this."; the notification "Your <account name> account is expiring soon. To keep it active and continue using company apps, go to Settings > workplace and re-enter your password."; and the "What's a workplace account?" help text: "Some companies offer policies, certificates and apps that help you connect to your business. Once you add a workplace account, your company will be able to collect personal information, disable apps or features, prevent you from resetting your phone or removing your workplace account, and remotely modify or delete all your content and settings. You can talk with your company's support person to find out what your company's policy allows."]
      <characteristic type="APPAUTH">
        <parm name="AAUTHLEVEL" value="CLIENT"/>
        <parm name="AAUTHTYPE" value="DIGEST"/>
        <parm name="AAUTHSECRET" value="password1"/>
        <parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
      </characteristic>
      <characteristic type="APPAUTH">
        <parm name="AAUTHLEVEL" value="APPSRV"/>
        <parm name="AAUTHTYPE" value="BASIC"/>
        <parm name="AAUTHNAME" value="testclient"/>
        <parm name="AAUTHSECRET" value="password2"/>
      </characteristic>
    </characteristic>
  </wap-provisioningdoc>

NOTE 1: parm name and characteristic type values in w7 APPLICATION CSP XML are case sensitive and must be all uppercase.

NOTE 2: In the w7 APPLICATION characteristic, both CLIENT and APPSRV credentials should be provided in the XML. For a detailed description, refer to "w7 APPLICATION configuration service provider".

Enterprise-specific DM client configuration

The DMClient configuration service provider is used to specify additional enterprise-specific configuration settings: identifying the phone in the enterprise domain, security mitigation for certificate renewal, and server-triggered enterprise unenrollment. For more information, see "DMClient configuration service provider" later in this document.

DM client push support in Windows Phone 8.1

DMClient supports the ability to configure push-initiated device management sessions. Utilizing Windows Push Notification Services (WNS), a management server can
        </PinToStart>
      </Application>
    </Apps>
  </Default>
</HandheldLockdown>

Button lockdown and remap

Buttons can be locked down to prevent the button from executing or starting its normal functionality. Additionally, button functionality can be remapped to do something specific, such as launching an application.

Button on device    | Button XML name | Press / PressAndHold | Can be remapped
--------------------|-----------------|----------------------|----------------
Camera              | Camera          | Block and Override   | No
Back                | Back            | Not supported        | No
Start (Windows key) | Start           | Block and Override   | No
Search              | Search          | Block and Override   | Yes (app launch)
Volume Up           |                 | Not supported        | No
Volume Down         |                 | Not supported        | No
Power               |                 | Not supported        | No

In order to lock down all button presses, all buttons must be added to <ButtonLockdownList> with both ButtonEvent types, Press and PressAndHold. See the following sample.

Button sample XML excerpt (lockdown and remapping)

Note that all top-level fields under <Default> must be included as part of the XML, unlike the following sample excerpt, which does not include the other top-level fields.

<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <Buttons>
      <ButtonLockdownList>
        <!-- Lockdown all buttons -->
        <Button name="Search">
        </Button>
        <Button name="Camera">
          <ButtonEvent name="Press"/>
          <ButtonEvent name="PressAndHold"/>
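A lockdown profile that silently leaves one button or one event type unlisted is not locked down, and nothing in the provisioning flow reports it. The following checker is an added example, not code from this document or from Windows Embedded 8.1 Handheld; it reads a HandheldLockdown XML and applies the rule stated above literally: every button the table marks "Block and Override" (Camera, Start, Search) must appear under <ButtonLockdownList> with both Press and PressAndHold, so a <Button> with no ButtonEvent children is reported as a gap. The sample profile is constructed for the example; Back, Volume and Power are left out because the table says the lockdown list does not support them.

```python
import xml.etree.ElementTree as ET

# Buttons the table marks as lockable ("Block and Override"), by XML name.
LOCKABLE_BUTTONS = ("Camera", "Start", "Search")
EVENTS = ("Press", "PressAndHold")

# Constructed excerpt modelled on the document's sample: Search is listed with
# no events, Camera has both, Start is missing entirely.
SAMPLE_LOCKDOWN = """<?xml version="1.0" encoding="utf-8"?>
<HandheldLockdown version="1.0">
  <Default>
    <Buttons>
      <ButtonLockdownList>
        <!-- Lockdown all buttons -->
        <Button name="Search">
        </Button>
        <Button name="Camera">
          <ButtonEvent name="Press"/>
          <ButtonEvent name="PressAndHold"/>
        </Button>
      </ButtonLockdownList>
      <ButtonRemapList/>
    </Buttons>
  </Default>
</HandheldLockdown>
"""


def locked_events(xml_text: str) -> dict:
    """Map each button named under ButtonLockdownList to the set of
    ButtonEvent names listed for it (empty set if none are listed)."""
    root = ET.fromstring(xml_text)
    result = {}
    for button in root.iterfind("./Default/Buttons/ButtonLockdownList/Button"):
        result[button.get("name")] = {ev.get("name") for ev in button.iterfind("ButtonEvent")}
    return result


def missing_lockdowns(xml_text: str) -> list:
    """Return (button, event) pairs that a fully locked-down profile needs but
    this profile lacks, in table order. An empty list means every lockable
    button has both events listed."""
    present = locked_events(xml_text)
    gaps = []
    for button in LOCKABLE_BUTTONS:
        for event in EVENTS:
            if event not in present.get(button, set()):
                gaps.append((button, event))
    return gaps
```

Run missing_lockdowns over the profile before it is pushed or sideloaded; for the constructed sample it reports both Start events and both Search events, which is exactly what a device would leave usable.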
      <CmdID>3</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/MaintenanceAllowed</LocURI>
        </Target>
      </Item>
    </Get>
  </SyncBody>
</SyncML>

Set the MWNotificationDuration value to 3 minutes:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/MWNotificationDuration</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>3</Data>
      </Item>
    </Replace>
  </SyncBody>
</SyncML>

Set the MWMinimumDuration to 2 hours (the value is given in minutes):

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/MaintenanceWindow/MWMinimumDuration</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>120</Data>
      </Item>
    </Replace>
  </SyncBody>
</SyncML>

Set MWMandatory to 0, which means that the window can be cancelled by the device user:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Replace>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseExt/Maintenance
          <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/Version</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>2.0.0.0</Data>
      </Item>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall</LocURI>
        </Target>
        <Data>1</Data>
      </Item>
    </Add>
    <Exec>
      <CmdID>4</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Download/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D/DownloadInstall</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">int</Format>
        </Meta>
        <Data>0</Data>
      </Item>
    </Exec>
  </Atomic>

Uninstall enterprise application

Uninstall an installed enterprise application with product ID {B316008A-141D-4A79-810F-8B764C4CFDFB}:

<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncBody>
    <Delete>
      <CmdID>2</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnterpriseApps/Inventory/%7BB316008A-141D-4A79-810F-8B764C4CFDFB%7D</LocURI>
        </Target>
      </Item>
    </De
          <LocURI>./Vendor/MSFT/VPN/EapTls/Server</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>wp.test.com</Data>
      </Item>
    </Add>
    <Add>
      <CmdID>8002</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPN/EapTls/TunnelType</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>IKEv2</Data>
      </Item>
    </Add>
    <Add>
      <CmdID>8004</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPN/EapTls/Authentication/Method</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>EAP</Data>
      </Item>
    </Add>
    <Add>
      <CmdID>8005</CmdID>
      <Item>
        <Target>
          <LocURI>./Vendor/MSFT/VPN/EapTls/Authentication/EAP</LocURI>
        </Target>
        <Meta>
          <Format xmlns="syncml:metinf">chr</Format>
        </Meta>
        <Data>&lt;EapHostConfig xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;
xmlns:eapCommon=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;
xmlns:baseEap=&quot;http://www.microsoft.com/provisioning/BaseEapMethodConfig&quot;&gt;
&lt;EapMethod&gt;&lt;eapCommon:Type&gt;13&lt;

(EAP method type 13 is EAP-TLS, which is why the profile is named EapTls.)
      <Target>
        <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorID</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <!-- set to Enterprise custom -->
      <Data>151</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/Theme/ThemeAccentColorValue</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <!-- sets custom accent color of red -->
      <Data>FF0000</Data>
    </Item>
  </Replace>
  <Final/>
</SyncBody>

Lock screen

Use the examples in this section to set a new lock screen and manage the lock screen features. If using a UNC path, format the BGFileName value as \\host\share\image.jpg.

<Add>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAssignedAccess/LockScreenWallpaper/BGFileName</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
      <Type xmlns="syncml:metinf">text/plain</Type>
    </Meta>
    <Data>C:\windows\system32\lockscreen\480x800\Wallpaper_015.jpg</Data>
  </Item>
</Add>

The following example shows how to query the device for the file being used as the lock screen:

<Get>
      <u:Expires>2011-07-11T19:54:08.579Z</u:Expires>
    </u:Timestamp>
    <o:UsernameToken u:Id="uuid-2a734df6-b227-4e60-82a8-ed53c574b718-5">
      <o:Username>user@contoso.com</o:Username>
      <o:Password o:Type="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-username-token-profile-1.0#PasswordText">7Apples</o:Password>
    </o:UsernameToken>
  </o:Security>
</s:Header>
<s:Body>
  <RequestSecurityToken xmlns="http://docs.oasis-open.org/ws-sx/ws-trust/200512">
    <TokenType>http://schemas.microsoft.com/5.0.0.0/ConfigurationManager/Enrollment/DeviceEnrollmentToken</TokenType>
    <RequestType>http://docs.oasis-open.org/ws-sx/ws-trust/200512/Renew</RequestType>
    <BinarySecurityToken
        ValueType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7"
        EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary"
        xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">BinarySecurityTokenInsertedHere</BinarySecurityToken>
    <AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
      <ContextItem Name="DeviceType">
        <Value>WindowsPhone</Value>
      </ContextItem>
      <ContextItem Name="ApplicationVersion">
        <Value>5.0.7616.0</Value>
      </ContextItem>
t. If the datatype for the ROBOSupport, RenewPeriod and RetryInterval tags exists, it must be set explicitly -->
          <parm name="ROBOSupport" value="true" datatype="boolean"/>
          <parm name="RenewPeriod" value="60" datatype="integer"/>
          <parm name="RetryInterval" value="4" datatype="integer"/>
        </characteristic>
      </characteristic>
    </characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <parm name="PROVIDER-ID" value="TestMDMServer"/>
    <parm name="NAME" value="Microsoft"/>
    <parm name="ADDR" value="https://DM.contoso.com:443/omadm/WindowsPhone.ashx"/>
    <parm name="CONNRETRYFREQ" value="6"/>
    <parm name="INITIALBACKOFFTIME" value="30000"/>
    <parm name="MAXBACKOFFTIME" value="120000"/>
    <parm name="BACKCOMPATRETRYDISABLED"/>
    <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml"/>
    <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=DC%3dcom%2cDC%3dmicrosoft%2cCN%3dUsers%2cCN%3dAdministrator&amp;Stores=My%5CUser"/>
    <characteristic type="APPAUTH">
      <parm name="AAUTHLEVEL" value="CLIENT"/>
      <parm name="AAUTHTYPE" value="DIGEST"/>
      <parm name="AAUTHSECRET" value="password1"/>
      <parm name="AAUTHDATA" value="B64encodedBinaryNonceInsertedHere"/>
    </characteristic>
    <characteristic type="APPAUTH">
      <parm name="AAUTHLEVEL" value="APPSRV"
      </ac:ContextItem>
      <ac:ContextItem Name="ApplicationVersion">
        <ac:Value>8.0.9846.0</ac:Value>
      </ac:ContextItem>
    </ac:AdditionalContext>
  </wst:RequestSecurityToken>
</s:Body>
</s:Envelope>

Response

After validating the request, the web service looks up the certificate template assigned to the client, updates it if needed, sends the PKCS#10 request to the CA, processes the response from the CA, constructs OMA Client Provisioning XML, and returns it in the RequestSecurityTokenResponse (RSTR).

Note 1: The HTTP server response must not be chunked; it must be sent as one message.

Note 2: Do NOT use the device-provided default Subject, Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00, in the issued client certificate. The server must replace this value: if the server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject rather than use the default device-provided Device ID Subject, both in the supplied client certificate and in the certificate search criteria provisioning nodes (SSLCLIENTCERTSEARCHCRITERIA in the w7 APPLICATION configuration service provider, and the CertificateSearchCriteria node in the EnterpriseAppManagement configuration service provider).

Similar to the TokenType in the RST, the RSTR uses a custom ValueType in the BinarySecurityToken, http://schemas.micros
• Format: chr
• Supported operations: Get
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity
• Description: Parent node grouping the per-SIM information in dual SIM mode.
• Format: node
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity1
• Description: Parent node grouping SIM 1 specific information in dual SIM mode.
• Format: node
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity2
• Description: Parent node grouping SIM 2 specific information in dual SIM mode.
• Format: node
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity1/PhoneNumber
• Description: Presents the device phone number for SIM 1.
• Format: chr
• Supported operations: Get
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity1/IMSI
• Description: Presents the first 6 digits of the device IMSI number for SIM 1 (the network-identifying MCC/MNC prefix).
• Format: chr
• Supported operations: Get
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity1/IMEI
• Description: Presents the device IMEI number for SIM 1.
• Format: chr
• Supported operations: Get
• Occurrence: One

./Vendor/MSFT/DeviceInstanceService/Identity/Identity1/Roaming
• Description: Presents the device cellular roaming status. In dual SIM mode, when the device supports two different phone numbers, presents the roaming status for SIM 1.
• Format: bool
• Supported operations: Get
• Occurrence: One
t some publishers will have multiple PublisherNames that should be blocked.

Finding application GUIDs or application publisher names

The primary way to find an application GUID or application publisher name is through www.windowsphone.com. In this example, the Microsoft Store application stands in for an application that the admin would like to restrict. The application GUID is listed as part of the URL when an IT administrator finds an application they would like to include in their application restrictions list. In this case the Microsoft Store application has an application GUID of d5dc1ebb-a7f1-df11-9264-00237de2db9e. The main window also shows the publisher for this application as Microsoft Corporation.

[Screenshot: the www.windowsphone.com listing for "Microsoft Store" (Free), with the application GUID visible in the page URL.]

For more information on how to send down Application Restrictions XML, see the samples in the PolicyManager CSP later in this document. Additional samples are provided in the Appendix.

Device lock policy configuration

The DeviceLock configuration service provider allows the management server to configure device lock related policies. The policies configured via this CSP are superseded by the new Windows Phone 8.1 PolicyManager CSP, which configures not only device lock related policies but also the other Windows Phone 8 and Windows Phone 8.1 enterprise policies.

Note: The DeviceLock CSP will be deprecated after Windows Phone 8.1. It is recommended that the MDM server should
        <Format xmlns="syncml:metinf">int</Format>
      </Meta>
      <Data>0</Data>
    </Item>
  </Replace>

Bulk enrollment (new for GDR2)

The IT administrator can provision Windows Phone devices using an SD card or a USB tether (MTP file transfer). First you create a customization file, and then load it onto the phone using an SD card or copy it to the phone through a USB connection. Windows Phone detects the customization file at OOBE start-up. Here is the list of customizations you can configure:
• Add a certificate file
• Add a Wi-Fi profile
• Set the system time server
• Set the system time zone
• Set the language and locale
• Set the OOBE configuration
• Set the MDM server setting

Apply the customization using a USB connection to the phone
1. Boot the Windows Phone into the first screen of the OOBE.
2. Connect the phone to the PC using USB. The PC should automatically detect the Windows Phone and show it in File Explorer.
3. Copy the customizations.xml file to the root folder of the phone.
4. The phone automatically detects the customization file and shows a confirmation page. Click Done.
5. Remove the USB connection.

Apply the customization using an SD card
1. Copy the customizations.xml file to the root folder of the SD card.
2. Insert the SD card into the Windows Phone.
3. Boot the Windows Phone into the OOBE start screen.
4. The phone automatically detects the customization file and shows a confirmati
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/PolicyManager/My/ApplicationManagement/ApplicationRestrictions</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
        <Type xmlns="syncml:metinf">text/plain</Type>
      </Meta>
      <Data>&lt;AppPolicy Version=&quot;1&quot; xmlns=&quot;http://schemas.microsoft.com/phone/2013/policy&quot;&gt;
  &lt;Deny&gt;
    &lt;!-- Deny App Nokia Trailers --&gt;
    &lt;App ProductId=&quot;{b731ce2-cdee-4cad-afe1-a74a0433fcea}&quot;/&gt;
    &lt;!-- Deny App MixRadio --&gt;
    &lt;App ProductId=&quot;{f5874252-1f04-4c3f-a335-4fa3b7b85329}&quot;/&gt;
    &lt;!-- Deny Publisher Microsoft Corporation --&gt;
    &lt;Publisher PublisherName=&quot;Microsoft Corporation&quot;/&gt;
    &lt;!-- Deny Publisher Microsoft Studios™ --&gt;
    &lt;Publisher PublisherName=&quot;Microsoft Studios™&quot;&gt;
      &lt;!-- Allow app published by denied publisher Microsoft Studios™: Wordament --&gt;
      &lt;AllowApp ProductId=&quot;{c62201b4-e059-e011-854c-00237de2db9e}&quot;/&gt;
    &lt;/Publisher&gt;
  &lt;/Deny&gt;
&lt;/AppPolicy&gt;</Data>
    </Ite
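The sample above shows the two constructs an AppPolicy uses (a per-app deny and a per-publisher deny with an AllowApp exception) and shows the policy travelling XML-escaped inside a SyncML <Data> element. The following is an added example, not code from this document or from the PolicyManager CSP: it parses such a policy, decides whether a given (ProductId, publisher) pair is allowed, and shows the escaping round trip with a proper XML library rather than by hand. The semantics (deny by ProductId; deny by publisher unless the ProductId is listed under that publisher's AllowApp) follow the comments in the document's own sample; comparing ProductIds case-insensitively and with or without braces is an assumption. The policy below is constructed for the example, with the publisher name written without the trademark sign.

```python
import xml.etree.ElementTree as ET

POLICY_NS = "http://schemas.microsoft.com/phone/2013/policy"

# Constructed policy modelled on the document's sample.
SAMPLE_POLICY = f"""<AppPolicy Version="1" xmlns="{POLICY_NS}">
  <Deny>
    <App ProductId="{{f5874252-1f04-4c3f-a335-4fa3b7b85329}}"/>
    <Publisher PublisherName="Microsoft Corporation"/>
    <Publisher PublisherName="Microsoft Studios">
      <AllowApp ProductId="{{c62201b4-e059-e011-854c-00237de2db9e}}"/>
    </Publisher>
  </Deny>
</AppPolicy>
"""


def _norm_id(product_id: str) -> str:
    # Assumption: ProductId comparison ignores case and surrounding braces.
    return product_id.strip().strip("{}").lower()


def load_policy(xml_text: str) -> dict:
    """Parse an AppPolicy into
    {'apps': {denied ids}, 'publishers': {publisher name: {allowed ids}}}."""
    root = ET.fromstring(xml_text)
    ns = {"p": POLICY_NS}
    denied_apps = {_norm_id(a.get("ProductId")) for a in root.iterfind("p:Deny/p:App", ns)}
    publishers = {}
    for pub in root.iterfind("p:Deny/p:Publisher", ns):
        publishers[pub.get("PublisherName")] = {
            _norm_id(a.get("ProductId")) for a in pub.iterfind("p:AllowApp", ns)
        }
    return {"apps": denied_apps, "publishers": publishers}


def is_allowed(policy: dict, product_id: str, publisher: str) -> bool:
    """Deny wins by ProductId; a denied publisher blocks everything except the
    ProductIds listed as AllowApp exceptions under it."""
    pid = _norm_id(product_id)
    if pid in policy["apps"]:
        return False
    if publisher in policy["publishers"]:
        return pid in policy["publishers"][publisher]
    return True


def embed_policy(policy_xml: str) -> str:
    """Return the SyncML <Data> element carrying the policy. ElementTree
    escapes <, > and & in text automatically, which is what the CSP expects."""
    data = ET.Element("Data")
    data.text = policy_xml
    return ET.tostring(data, encoding="unicode")


def extract_policy(data_element_xml: str) -> str:
    """Inverse of embed_policy: the unescaped AppPolicy XML inside <Data>."""
    return ET.fromstring(data_element_xml).text
```

The exception case is the one to test on a real policy: an app from a denied publisher is allowed only if its ProductId sits under that publisher's element, not if it is listed under a different publisher or at the top level.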
    <Source>
      <LocURI>https://www.thephone-company.com/mgmt-server</LocURI>
    </Source>
  </SyncHdr>

SyncBody element

SyncBody contains one or more DM commands. Note that SyncBody can contain multiple DM commands; each command must have a different CmdID value.

Code example

The following example shows the body component of a DM message. In this example SyncBody contains only one command, Get. This is indicated by the <Final> tag that occurs immediately after the closing tag of the Get command.

<SyncBody>
  <!-- query device OS software version -->
  <Get>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./DevDetail/SwV</LocURI>
      </Target>
    </Item>
  </Get>
  <Final/>
</SyncBody>

Note: When using SyncML for OMA DM provisioning, a LocURI in SyncBody can have a "." as a valid segment name only in the first segment. A "." is not a valid segment name for any other segment. For example, the following LocURI is not valid because the name of its seventh segment is ".":

<LocURI>./Vendor/MSFT/Registry/HKLM/System/./Test</LocURI>

Update phone settings example

The Replace command is used to update a phone setting.

Code example

The following example illustrates how to use the Replace command to update a phone setting:

<SyncHdr>
  <VerDTD>1.2</VerDTD>
  <VerProto
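The two rules in this section, distinct CmdID values and "." only as the first LocURI segment, are easy to violate when a server assembles SyncML from templates. The following builder and checker are an added example, not code from this document or from any MDM product: build_syncbody assigns sequential CmdIDs and refuses an invalid LocURI, and check_syncbody audits a received body for duplicate CmdIDs, invalid LocURIs and commands placed after <Final/>. The bad body at the bottom is constructed for the example.

```python
import xml.etree.ElementTree as ET

METINF_NS = "syncml:metinf"


def locuri_is_valid(locuri: str) -> bool:
    """'.' is allowed only as the first segment ('./Vendor/...'); any later
    segment named '.' makes the URI invalid, per the note above."""
    segments = locuri.split("/")
    return all(seg != "." for seg in segments[1:])


def build_syncbody(commands) -> str:
    """commands: list of (verb, locuri, data, format) tuples, e.g.
    ("Get", "./DevDetail/SwV", None, None) or
    ("Replace", "./Vendor/MSFT/.../MWNotificationDuration", "3", "int").
    Returns a SyncBody with sequential CmdIDs and a trailing <Final/>."""
    body = ET.Element("SyncBody")
    for cmd_id, (verb, locuri, data, fmt) in enumerate(commands, start=1):
        if not locuri_is_valid(locuri):
            raise ValueError(f"invalid LocURI: {locuri}")
        cmd = ET.SubElement(body, verb)
        ET.SubElement(cmd, "CmdID").text = str(cmd_id)
        item = ET.SubElement(cmd, "Item")
        ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = locuri
        if data is not None:
            meta = ET.SubElement(item, "Meta")
            ET.SubElement(meta, "Format", {"xmlns": METINF_NS}).text = fmt
            ET.SubElement(item, "Data").text = data
    ET.SubElement(body, "Final")
    return ET.tostring(body, encoding="unicode")


def check_syncbody(xml_text: str) -> list:
    """Return a list of problems found in a SyncBody: duplicate CmdIDs,
    invalid LocURIs, and commands that appear after <Final/>."""
    root = ET.fromstring(xml_text)
    problems, seen, final_seen = [], set(), False
    for child in root:
        if child.tag == "Final":
            final_seen = True
            continue
        if final_seen:
            problems.append(f"{child.tag} after Final")
        cmd_id = child.findtext("CmdID")
        if cmd_id in seen:
            problems.append(f"duplicate CmdID {cmd_id}")
        seen.add(cmd_id)
        for loc in child.iter("LocURI"):
            if not locuri_is_valid(loc.text or ""):
                problems.append(f"invalid LocURI {loc.text}")
    return problems


# Constructed body that breaks all three rules at once.
SAMPLE_BAD_BODY = (
    "<SyncBody>"
    "<Get><CmdID>2</CmdID><Item><Target><LocURI>./Vendor/MSFT/Registry/HKLM/System/./Test</LocURI></Target></Item></Get>"
    "<Get><CmdID>2</CmdID><Item><Target><LocURI>./DevDetail/SwV</LocURI></Target></Item></Get>"
    "<Final/>"
    "<Get><CmdID>3</CmdID><Item><Target><LocURI>./DevInfo/DevId</LocURI></Target></Item></Get>"
    "</SyncBody>"
)
```

Running check_syncbody on an inbound body before dispatching it is cheap and catches the class of malformed message a client would otherwise reject with a status rather than a useful error.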
t.com/provisioning/EapHostConfig&quot;&gt;
&lt;EapMethod&gt;
  &lt;Type xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;25&lt;/Type&gt;
  &lt;VendorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorId&gt;
  &lt;VendorType xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/VendorType&gt;
  &lt;AuthorId xmlns=&quot;http://www.microsoft.com/provisioning/EapCommon&quot;&gt;0&lt;/AuthorId&gt;
&lt;/EapMethod&gt;
&lt;Config xmlns=&quot;http://www.microsoft.com/provisioning/EapHostConfig&quot;&gt;
  &lt;Eap xmlns=&quot;http://www.microsoft.com/provisioning/BaseEapConnectionPropertiesV1&quot;&gt;
    &lt;Type&gt;25&lt;/Type&gt;
    &lt;EapType xmlns=&quot;http://www.microsoft.com/provisioning/MsPeapConnectionPropertiesV1&quot;&gt;
      &lt;ServerValidation&gt;
        &lt;DisableUserPromptForServerValidation&gt;false&lt;/DisableUserPromptForServerValidation&gt;
        &lt;ServerNames&gt;&lt;/ServerNames&gt;
        &lt;TrustedRootCA&gt;InsertCertThumbPrintHere&lt;/TrustedRootCA&gt;
      &lt;/ServerValidation&gt;
      &lt;FastReconnect&gt;true&lt;/FastReconnect&gt;
      &lt;InnerEapOptional&gt;false&lt;/InnerEapOptional&gt;
      &lt;Eap xml
    </xs:all>
    <xs:attribute name="version" use="required" type="xs:decimal"/>
  </xs:complexType>
</xs:element>
</xs:schema>

Windows Embedded 8.1 Handheld device management

Windows Embedded 8.1 Handheld uses the same provisioning and device management model as Windows Phone, so your knowledge of Windows Phone transfers directly to Handheld 8.1. In addition, Handheld 8.1 introduces assigned access, which is a suite of features that allows an enterprise to lock down the user experience of the device platform. For more information about assigned access, see the Administrator Guide for Windows Embedded 8.1 Handheld.

The provisioning XML file (Handheld 8.1)

The provisioning XML file (Prov.xml) for Windows Embedded 8.1 Handheld contains the configuration settings and lockdown information for the enterprise devices. It can be pushed to a device by using the mobile device management (MDM) service and then restarting the device. It can also be sideloaded by using a near field communication (NFC) tag, SD card, or other data source such as a bar code scanner, and then applied during the out-of-box experience (OOBE).

The Prov.xml contains the following:
• Required: The requested certificates
• Required: DM client configuration
• Required: Wireless (must be provisioned)
• Optional: An enterprise application token and an enterprise app download link to allow the enrollment client
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
    </Meta>
  </Item>
</Add>
<Replace>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/SERVICENAME</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>ExampleIMAP</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>3</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/SERVICETYPE</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>IMAP4</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>4</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/REPLYADDR</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>user@contoso.com</Data>
  </Item>
</Replace>
<Replace>
  <CmdID>5</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/NAME</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta
ta>
  </Item>
</Replace>
<Replace>
  <CmdID>25</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EMAIL2/%7B1BC45B68-A51F-4AF1-B6C1-BC22746DAE82%7D/TAGPROPS/812C000B</LocURI>
    </Target>
    <Data>1</Data>
  </Item>
</Replace>
</Atomic>

POP3 account configuration

The following sample shows how to use SyncML commands to configure a POP3 email account. It must be wrapped in a SyncML package sent from the server. The GUID must be replaced with an appropriate unique GUID.

<Atomic>
  <CmdID>3</CmdID>
  <Add>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">node</Format>
        <Type xmlns="syncml:metinf">text/plain</Type>
      </Meta>
    </Item>
  </Add>
  <Replace>
    <CmdID>5</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/SERVICENAME</LocURI>
      </Target>
      <Data>Service1</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>6</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/EMAIL2/%7B4ebb5cb3-e382-4104-a04e-048b25e87216%7D/SERVICETYPE</LocURI>
      </Target>
      <Data>POP3<
ted by the "&" character. If there are multiple values, each value is delimited by the Unicode character U+F000. If the name or value contains characters not in the UNRESERVED set (as specified in RFC 2396), those characters are URI-escaped per the RFC.

The supported names are Subject and Stores; wildcard certificate search isn't supported.

Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive.

Note: EF 80 80 is the UTF-8 encoded form of the character U+F000.

Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (CN=Tester, O=Microsoft), use the following:

<parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DTester,O%3DMicrosoft&amp;Stores=My%5CUser"/>

NOTE: Do NOT use Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00. The server must replace this value in the supplied client certificate. If your server returns a client certificate containing the same Subject value, this can cause unexpected behavior. The server should always override the subject value and not use the default device-provided Device ID Subject: Subject=CN%3DB1C43CD0-1624-5FBB-8E54-34CF17DFD3A1\x00.

PolicyManager configuration service provider (New in Windows Phone 8.1)

In Windows Phone 8.1, PolicyManager is the centralized component to handl
tention

Configuration service providers supported during MDM enrollment and certificate renewal

The following configuration service providers are supported during the MDM enrollment and certificate renewal process. See Configuration service provider reference for detailed descriptions of each configuration service provider.
• CertificateStore configuration service provider
• w7 APPLICATION configuration service provider
• DMClient configuration service provider
• EnterpriseAppManagement configuration service provider

SOAP faults

If the web service cannot process the request, a SOAP fault is returned with a specific fault code and reason.

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:u="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-utility-1.0.xsd">
  <s:Header>
    <a:Action s:mustUnderstand="1" xmlns:a="http://www.w3.org/2005/08/addressing" xmlns:s="http://www.w3.org/2003/05/soap-envelope">http://www.w3.org/2005/08/addressing/soap/fault</a:Action>
    <a:RelatesTo xmlns:a="http://www.w3.org/2005/08/addressing">urn:uuid:2d37bdb7-e4ac-4bb8-bca3-29cc9f5cf6b4</a:RelatesTo>
    <o:Security s:mustUnderstand="1" xmlns:o="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">
      <u:Timestamp u:Id="_0">
        <u:Created>2012-9-27T04:20:03.408Z</u:Created>
        <u:Expires>
thEncryption&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt;</Data>
    </Item>
  </Add>
</Atomic>

Removing a network with SSID MyNetwork and no proxy:

<Atomic>
  <CmdID>300</CmdID>
  <Delete>
    <CmdID>301</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml</LocURI>
      </Target>
    </Item>
  </Delete>
</Atomic>

Note: Deletion is the same for all authentication types of networks.

Querying WiFi profiles (SSID) installed (MDM server):

<Get>
  <CmdID>301</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/WiFi/Profile</LocURI>
    </Target>
  </Item>
</Get>

Response from the phone (two SSIDs returned):

<Results>
  <CmdID>3</CmdID>
  <MsgRef>1</MsgRef>
  <CmdRef>301</CmdRef>
  <Item>
    <Source>
      <LocURI>./Vendor/MSFT/WiFi/Profile</LocURI>
    </Source>
    <Meta>
      <Format xmlns="syncml:metinf">node</Format>
    </Meta>
    <Data>TestWLAN1/TestWLAN2</Data>
  </Item>
</Results>

Adding an open network with SSID MyNetwork and a proxy with URL "test" and port 80:

<Atomic>
  <CmdID>300</CmdID>
  <Add>
    <CmdID>301</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/Wla
the CERT_INFO structure.

<CertHash>/TemplateName
Required. Returns the certificate template name. Supported operation is Get.

My/SCEP
Required for SCEP certificate enrollment. The parent node grouping the SCEP certificate related settings. Supported operation is Get.

My/SCEP/<UniqueID>
Required for SCEP certificate enrollment. A unique ID to differentiate different certificate enrollment requests. Format is node. Supported operations are Get, Add, Delete.

My/SCEP/<UniqueID>/Install
Required for SCEP certificate enrollment. Parent node to group SCEP certificate install related requests. Format is node. Supported operations are Add, Delete.
NOTE: Although the child nodes under Install support Replace commands, once the Exec command is sent to the device, the device takes the values that are set at the time the Exec command is accepted. The server should not expect a node value change after the Exec command is accepted to affect the enrollment currently under way. The server should check the Status node value and make sure the device is not at an unknown stage before changing child node values.

My/SCEP/<UniqueID>/Install/ServerURL
Required for SCEP certificate enrollment. Specifies the certificate enrollment server. The server could specify multiple server URLs separated by semicolons. Format is chr. Supported operations are Get, Add, Delete, Replace.

My/SCEP/<UniqueID>/Install/Challenge
Required for SCEP certificate enrollment.
the provisioning file on the server side, and the device user will enter the same password when prompted. The password can be of any length (no minimum length is enforced on the device side) and is entered in a standard Windows Phone Splash password box. The password that is entered is used to generate a hash using the standard Crypto APIs. The internal algorithms are not exposed to the user and cannot be changed by the user.

Cryptographic algorithms and key lengths

Crypto APIs are used to encrypt and decrypt the provisioning file. After the key is taken as input from the user (length 1-255), the hash key (CryptCreateHash) is generated using the SHA-256 algorithm and the key (CryptDeriveKey) is derived using the AES-128 algorithm.

Algorithm      Key lengths
CALG_AES_128   Range 1-255
CALG_SHA_256   Range 1-255

Key management

The key is derived using the existing Crypto APIs. The CSP is MS_ENH_RSA_AES_PROV and no container is needed; dwFlags is CRYPT_VERIFYCONTEXT. The key is derived using CryptDeriveKey, where the algorithm is CALG_AES_128, and the hash is generated using CryptHashData, where the algorithm is CALG_SHA_256 and the data being hashed is a password that is provided by the user. This password is not stored anywhere on the device.

Data on which crypto is applied

The data being encrypted is an XML file that is used to provision a WEH device. It contains information such as additional certificates to provision, what
ther file directory nodes. For files, the get command specifies application/octet-stream as the MIME type of the file. The configuration service provider treats all files as a binary data block.

TStamp
Supported operations: get. The get command returns data about the last time the directory or file was changed. The value is represented by a string that contains a UTC-based ISO 8601 basic format complete representation of a date and time value. For example, 20120711T163817Z means July 11, 2012 at 16 hours, 38 minutes, and 17 seconds.

Size
Supported operations: get. This parameter is not supported in a file directory. For files, the get command returns the file content size in bytes. For a binary file, the size is for the unencoded file.

msft:SystemAttributes
Supported operations: get and replace. A custom property created by Microsoft that contains directory attributes. The get command returns the file or file directory attributes. The replace command changes the file attributes.

msft:AccessRoles
Not supported.

OMA DM examples

The following example shows how to retrieve a file from the device.

<Get>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseExtFileSystem/C%3A/data/test/bin/file.txt</LocURI>
    </Target>
  </Item>
</Get>

The following example shows the file name that is returned in the body of the response SyncML code. In this example
ting control panel's company account detail page.

In Windows Phone 8.1, an automatic certificate renewal based on an existing, not expired client certificate is supported. To support such automatic certificate renewal, the enrollment server needs to be updated to support ROBO (renew on behalf of), part of the WSTEP protocol. The MDM server needs to be updated to be able to send a ROBOSupport flag to the device during the DM session, to notify the device to use automatic certificate renewal instead of manual renewal via the CertificateStore CSP.

NOTE: This ROBO-based renewal is only for the certificate that is enrolled during the MDM enrollment phase. For user manually installed certificates, no renewal is built in. For SCEP enrolled certificates, refer to the Client Certificate Enrollment via Simple Certificate Enrollment Protocol (SCEP) section on how to provide an updated certificate before the current one expires. More detail on ROBO renewal will be provided later.

User manually installed certificates

The end user could install a certificate via a certificate file, received as an email attachment or downloaded from the browser. Refer to http://www.microsoft.com/en-us/download/details.aspx?id=39262 to find out details on how the user could manually install a certificate. The certificate installer in the device handles the actual installation. It supports .cer, .p7b, .pem, and .pfx files.

Usage of user installed certificates

In Windows Phone 8, the user could install Root CA and client authentic
to download a Company Hub app or enterprise app at the end of enrollment
• Optional: Assigned access XML

The following table shows how you can use configuration service providers to configure devices.

Configuration service provider: EnterpriseExt configuration service provider
Description: Allows the enterprise to use the MDM service to enroll devices to the MDM server in an enterprise environment, restart a device, and manage the maintenance window schedule for devices so that they can perform device updates and other management tasks.

Configuration service provider: EnterpriseAssignedAccess configuration service provider
Description: Allows the enterprise to use Windows Embedded 8.1 Handheld features to configure custom layouts on a device. For example, the administrator can lock down a device so that only apps specified in an Allow list are available. Apps not on the Allow list remain installed on the device but are hidden from view.

Configuration service provider: EnterpriseExtFileSystem configuration service provider
Description: Allows IT administrators to add, retrieve, or change files in the file system through the MDM service. For example, you can use this configuration service provider to push a provisioning

To create a Prov.xml file to configure devices

1. Using a text or XML editor, copy the sample OMA Client Provisioning XML from this topic and save it to a new XML file.
2. Using the examples in the Configuration service provider reference topics, change the values to the appropriate values for yo
turns the value the server pushes down to the phone.
• If a Replace command fails, the node value is set to the previous value before the Replace command was applied.
• If an Add command fails, the node is not created.

The value actually applied to the phone can be queried via the nodes under the DeviceValue interior node.

Examples

The following samples show how the EnterpriseAppManagement CSP is used for various scenarios.

Enroll an Enterprise Enrollment Token

Enroll enterprise ID 4000000001 for the first time, in SyncML format:

<Add>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>InsertTokenHere</Data>
  </Item>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/CertificateSearchCriteria</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">chr</Format>
    </Meta>
    <Data>SearchCriteriaInsertedHere</Data>
  </Item>
</Add>

Update enrollment token

Update the enrollment token, for example to update an expired application enrollment token:

<Replace>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/EnterpriseAppManagement/4000000001/EnrollmentToken
uch that the user can discover and install available LOB apps from an enterprise app catalog. This app can be created by an enterprise as a custom Company Hub, or by the Mobile Device Management (MDM) vendor. For more information about Company Hub apps, see Developing a Company Hub app on MSDN.

Third-party MDM servers can manage Windows Phone 8.1 by using the Enterprise Device Management protocol. The built-in management client is able to communicate with a third-party server proxy that supports the protocols outlined in this document to perform enterprise management tasks. The third-party server will have the same consistent first-party user experience for enrollment, which also provides simplicity for Windows Phone users. MDM servers do not need to create or download a client to manage Windows Phone.

The following diagram shows the overall Enterprise Device Management architecture.

[Figure: Enterprise Device Management Architecture (Enrollment Server, Management Point, App Content)]

Connecting to the management infrastructure (enrollment)

The first thing to enable enterprise management is to configure the phone to communicate with the MDM server using security precautions. This is done via the enrollment process described in this section. The enrollment service verifies that only authenticated and authorized phones can be configured to be managed by their enterprise.

The enrollment process includes four steps:
1. Discovery of the
uctId=&#x22;82a23635-5bd9-d11-a844-00237de2db9e&#x22;/&#x3E;
        &#x3C;!-- Allow app published by denied publisher Microsoft Corporation: YouTube --&#x3E;
        &#x3C;AllowApp ProductId=&#x22;dcbb1ac6-a89a-df11-a490-00237de2db9e&#x22;/&#x3E;
      &#x3C;/Publisher&#x3E;
      &#x3C;!-- Deny Publisher: Microsoft Studios™ --&#x3E;
      &#x3C;Publisher PublisherName=&#x22;Microsoft Studios™&#x22;&#x3E;
        &#x3C;!-- Allow app published by denied publisher Microsoft Studios™: Wordament --&#x3E;
        &#x3C;AllowApp ProductId=&#x22;c62201b4-e059-e011-854c-00237de2db9e&#x22;/&#x3E;
        &#x3C;!-- Allow app published by denied publisher Microsoft Studios™: Halo SA Lite --&#x3E;
        &#x3C;AllowApp ProductId=&#x22;cf3f117d-d5a6-4e81-9786-56dd337b9b02&#x22;/&#x3E;
      &#x3C;/Publisher&#x3E;
    &#x3C;/Deny&#x3E;
  &#x3C;/AppPolicy&#x3E;</Data>
      </Item>
    </Replace>
  </Atomic>
  <Final/>
</SyncBody>
</SyncML>

Deny List: Two denied applications, one denied publisher, and one denied publisher with one allowed application exception

<SyncML xmlns="SYNCML:SYNCML1.2">
<SyncBody>
  <Atomic>
    <CmdID>1</CmdID>
    <Replace>
      <CmdID>2</CmdID>
      <
uestType>
<wsse:BinarySecurityToken ValueType="http://schemas.microsoft.com/windows/pki/2009/01/enrollment#PKCS10" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary">DER format PKCS#10 modified certificate request in Base64 encoding, inserted here</wsse:BinarySecurityToken>
<ac:AdditionalContext>
  <ac:ContextItem Name="DeviceType">
    <ac:Value>WindowsEmbeddedHandheld</ac:Value>
  </ac:ContextItem>
  <ac:ContextItem Name="ApplicationVersion">
    <ac:Value>8.1.0.0</ac:Value>
  </ac:ContextItem>
  <ac:ContextItem Name="DeviceId">
    <ac:Value>bdd19ca0-dfce-497a-bea1-fda234e52b36</ac:Value>
  </ac:ContextItem>
</ac:AdditionalContext>
</wst:RequestSecurityToken>
</s:Body>
</s:Envelope>

X.509 certificate request

The primary function of enrollment is for the enrollment service to fulfill an X.509 certificate request on behalf of the client. The X.509 certificate request is the same format as Windows Mobile 6.5, with two exceptions. Handheld 8.1 device certificate requests must provide the following:
• The unique DeviceID as the SUBJECT Name in the request (this is a fixed value in Windows Phone 8.1)
• The unique DeviceID as a custom extension in the request

SUBJECT Name

Providing the DeviceID in the subject name gives a certification authority (CA) administrator leew
umeric password required, and 2: users can choose a numeric password or alphanumeric password. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace.

<ProviderID>/DevicePasswordExpiration
Optional. An integer value that specifies the number of days before password expiration. Valid values are 1 to 730. The default value is 0, which indicates that the password does not expire. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace.

<ProviderID>/DevicePasswordHistory
Optional. An integer value that specifies the number of passwords that can be stored in the history (and can't be reused). Valid values are 0 to 50. The default value is 0. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace.

<ProviderID>/MaxDevicePasswordFailedAttempts
Optional. An integer value that specifies the number of authentication failures allowed before the phone will be wiped. Valid values are 0 to 999. The default value is 0, which indicates the phone will not be wiped regardless of the number of authentication failures. Invalid values are treated as a configuration failure. The scope is dynamic. Supported operations are Get, Add, and Replace.

<ProviderID>/MaxInactivityTimeDeviceLock
Optional. An integer value that specifies the amou
ur organization.
3. Make sure that the provisioning file is encoded as UTF-8 or UTF-16LE, including the byte order mark (BOM).
4. (optional) Using MDM, encrypt Prov.xml. The encryption password will need to be provided during OOBE configuration. The encryption password can use only the following characters:
   • Uppercase letters of European languages (A through Z, with diacritic marks, Greek and Cyrillic characters)
   • Lowercase letters of European languages (a through z, sharp-s, with diacritic marks, Greek and Cyrillic characters)
   • Base 10 digits (0 through 9)
   • Nonalphanumeric characters such as &, _, <, and >
5. Do one of the following:
   • If you will push the Prov.xml to devices by using the MDM service, save the file to your development computer and then push it to a device.
   • If you will use an SD card or other data source such as a bar code scanner, save the Prov.xml file to the root directory of the data source so that the IT administrator can sideload it and then apply it during OOBE.
   • If you will use an NFC tag or device, make sure that you followed the components of an NFC tag as described in Enable near field communication. Save the Prov.xml file to the NFC tag or device so that the IT administrator can sideload it and then apply it during OOBE.

Sample OMA Client Provisioning

The following example shows a provisioning XML file (Prov.xml) that is applied to a device during OOBE and that contains settings for a
use the PolicyManager CSP to configure device lock policies for Windows Phone 8.1 devices.

In Windows Phone, to help safeguard device policies from being compromised by an untrusted authority, the phone builds in the most secure logic for device lock policies. For example, if both Exchange and the management server push device lock policies to the phone, the phone applies the most secure policy value. If an account is removed from the phone, the next most secure policy value set by the remaining accounts is applied. For more information and sample commands, see PolicyManager configuration service provider.

Encryption

Windows Phone supports internal storage encryption. The enterprise management server can enable the encryption. The removable storage card is not encrypted. Note that after encryption is enabled, it cannot be disabled. The Storage UI is the visual indicator of the encryption state. Only those phones that have UEFI Secure Boot enabled support device encryption. The emulator doesn't support device encryption.

• Note that in Windows Phone 8.1, the PolicyManager CSP is used to set and query device encryption status.

Querying device encryption status

The server can query the PolicyManager/Device/Security/RequireDeviceEncryption node value to find out whether the phone is encrypted. The following XML sample shows how to query encryption state via a SyncML command.

<Get>
  <CmdID>2</CmdID>
  <Item>
    <Target
utomatic renewal is supported by the server.

The MDM server can only inventory enterprise-deployed apps. However, if the server knows the product ID of the app, it could query to find out whether that app is installed on the device in Windows Phone 8.1.

In Windows Phone 8.1, for developer-unlocked phones, there is a tool for ISVs to get some enrollment and MDM session related logs.

These are only set during enrollment in Windows Phone 8.0. In Windows Phone 8.1, the MDM client renewal retry interval and the regular DM client polling schedule are configurable via the DM session.

Yes, two types of alerts are provided to the user. Before the certificate expires, the phone will prompt the user to go to the settings page to provide an updated password when the company apps account is about to expire. If the user tries to launch an app installed via the Company Hub after the certificate has expired, the app cannot be launched and the user will get a notification to go to the settings page to update the company apps account. Apps will remain on the phone but fail to launch. Policies specified by the MDM server will remain valid. Reinstalling a valid certificate will re-enable the apps.

In Windows Phone 8.0, only a single app can be pushed, which is at the end of enrollment. The MDM server can push updates for LOB apps that have been installed by the user. In Windows Phone 8.1, the MDM server could install, update, delete, and query enterprise applications that are signed with com
vXMLFile.Length.ToString());
proximityDevice.PublishBinaryMessage("Windows.WEH.PreStageProv.Header", dataWriter.DetachBuffer());

// Publish the data in chunks
int maxMsgBytes = (int)proximityDevice.MaxMessageBytes;
while (provXMLFile.Length > 0)
{
    // Determine the maximum amount of data to send
    int transmitSize = Math.Min(provXMLFile.Length, maxMsgBytes);

    // Prepare the chunk for transmission to the peer device
    String fileChunk = provXMLFile.Substring(0, transmitSize);
    dataWriter = new Windows.Storage.Streams.DataWriter();
    dataWriter.UnicodeEncoding = Windows.Storage.Streams.UnicodeEncoding.Utf8;
    dataWriter.WriteString(fileChunk);

    // Publish chunk to peer
    proximityDevice.PublishBinaryMessage("Windows.WEH.PreStageProv.Chunk", dataWriter.DetachBuffer());

    // Reduce the source data: drop the chunk just sent from the front of the string
    // (Remove(transmitSize) would instead keep the sent chunk and drop the remainder)
    provXMLFile = provXMLFile.Remove(0, transmitSize);
}

For more information about the ProximityDevice class API, see ProximityDevice class on the Developer Center.

Enable or disable NFC capabilities

The administrator can control whether to enable NFC capabilities on the device. When NFC is allowed, the user can change several settings by using Settings > NFC. When disabled, a message appears on the Settings page that NFC is disabled by company policy, and the user cannot change the settings.

To disable NFC, set AllowNFC to 0; otherwise set it to 1. The following example shows how to allow an NFC tag.

<Add>
  <CmdID>3</CmdID
value, which means that the user will be authenticated when calling the management service URL. This field is mandatory.
• In Windows Phone 8.1, Federated is added as another supported value. This allows the server to leverage the Web Authentication Broker to perform customized user authentication and terms-of-usage acceptance.

Note that the HTTP server response must not be chunked; it must be sent as one message.

The following example shows a response received from the discovery web service for OnPremise authentication.

Header:
HTTP/1.1 200 OK
Content-Length: 865
Content-Type: application/soap+xml; charset=utf-8
Server: EnterpriseEnrollment.Contoso.com
Date: Tue, 02 Aug 2012 00:32:56 GMT

<s:Envelope xmlns:s="http://www.w3.org/2003/05/soap-envelope" xmlns:a="http://www.w3.org/2005/08/addressing">
  <s:Header>
    <a:Action s:mustUnderstand="1">http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/DiscoverResponse</a:Action>
    <ActivityId>d9eb2fdd-e38a-46ee-bd93-aea9dc86a3b8</ActivityId>
    <a:RelatesTo>urn:uuid:748132ec-a575-4329-b01b-6171a9cf8478</a:RelatesTo>
  </s:Header>
  <s:Body xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:xsd="http://www.w3.org/2001/XMLSchema">
    <DiscoverResponse xmlns="http://schemas.microsoft.com/windows/management/2012/01/enrollment">
      <DiscoverResult>
        <AuthPolicy>OnPremise</Aut
vice as office file. Most restricted value is 0. MDM.

Policy: Experience/AllowSharingOfOfficeFiles
Description: Specify whether the user is allowed to share office files. Note that this policy is for the Office Hub only.
Values: 0 = not allowed; 1 (default) = allowed
Most restricted value: 0
Configurable by: MDM

Policy: AboveLock/AllowActionCenterNotifications
Description: Specify whether to allow action center notifications above the device lock screen.
Values: 0 = not allowed; 1 (default) = allowed
Most restricted value: 0
Configurable by: MDM

Policy: DeviceLock/AllowIdleReturnWithoutPassword
Description: Force the user to input the password every time the device is returning from the idle state.
Values: 0 = user is not able to set the password grace period timer and the value is set as "each time"; 1 (default) = user is able to set the password grace period timer
Most restricted value: 0
Configurable by: MDM

Policy: Experience/AllowCortana
Description: Specify whether Cortana is allowed on the device.
Values: 0 = not allowed; 1 (default) = allowed
Most restricted value: 0
Configurable by: MDM

Policy: Experience/AllowSyncMySettings
Description: Allow the enterprise to disallow roaming settings among devices from a WP device. If not enforced, whether roaming is allowed or not could depend on other factors.
Values: 0 = roaming is disallowed; 1 (default) = enterprise doesn't enforce disallowing roaming (depends on other factors)
Most restricted value: 0
Configurable by: MDM
wed the user to factory reset the phone from the settings control panel and the hardware key combination.
Values: 1 (default) = allowed
Most restricted value: 0
Supported by: MDM

Area/Policy: Experience/AllowManualMDMUnenrollment
Description: Specify whether to allow the user to delete the workplace account via the workplace control panel. The MDM server can always delete the account remotely.
Values: 0 = not allowed; 1 (default) = allowed
Most restricted value: 0
Supported by: MDM

Examples

Disable Internet sharing and manual Wi-Fi configuration:

<Atomic>
  <CmdID>1</CmdID>
  <Replace>
    <CmdID>2</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/PolicyManager/My/WiFi/AllowInternetSharing</LocURI>
      </Target>
      <Data>0</Data>
    </Item>
  </Replace>
  <Replace>
    <CmdID>3</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/PolicyManager/My/WiFi/AllowManualWiFiConfiguration</LocURI>
      </Target>
      <Data>0</Data>
    </Item>
  </Replace>
</Atomic>

Query to find out what Camera policy value is applied to the device. This is important because multiple sources, such as Exchange servers and the MDM server, could configure this policy:

<Get>
  <CmdID>2</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/PolicyManager/Device/Camera/AllowCamera</LocURI>
    </Target>
  </It
work and no proxy:

<Atomic>
  <CmdID>300</CmdID>
  <Add>
    <CmdID>301</CmdID>
    <Item>
      <Target>
        <LocURI>./Vendor/MSFT/WiFi/Profile/MyNetwork/WlanXml</LocURI>
      </Target>
      <Meta>
        <Format xmlns="syncml:metinf">chr</Format>
      </Meta>
      <Data>&lt;?xml version=&quot;1.0&quot;?&gt;&lt;WLANProfile xmlns=&quot;http://www.microsoft.com/networking/WLAN/profile/v1&quot;&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;MyNetwork&lt;/name&gt;&lt;/SSID&gt;&lt;/SSIDConfig&gt;&lt;connectionType&gt;ESS&lt;/connectionType&gt;&lt;connectionMode&gt;manual&lt;/connectionMode&gt;&lt;MSM&gt;&lt;security&gt;&lt;authEncryption&gt;&lt;authentication&gt;WPA2PSK&lt;/authentication&gt;&lt;encryption&gt;AES&lt;/encryption&gt;&lt;/authEncryption&gt;&lt;sharedKey&gt;&lt;keyType&gt;passPhrase&lt;/keyType&gt;&lt;protected&gt;false&lt;/protected&gt;&lt;keyMaterial&gt;123456789&lt;/keyMaterial&gt;&lt;/sharedKey&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt;</Data>
    </Item>
  </Add>
</Atomic>

Note that the WLAN profile XML is carried inside the <Data> element as a character string, so its markup is entity-escaped (&lt;, &gt;, &quot;) rather than nested as XML.

Adding WPA-PSK network with SSID MyNetwork a
wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#PKCS7" EncodingType="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd#base64binary" xmlns="http://docs.oasis-open.org/wss/2004/01/oasis-200401-wss-wssecurity-secext-1.0.xsd">BinarySecurityTokenInsertedHere</BinarySecurityToken>
      <AdditionalContext xmlns="http://schemas.xmlsoap.org/ws/2006/12/authorization">
        <ContextItem Name="DeviceType">
          <Value>WindowsPhone</Value>
        </ContextItem>
        <ContextItem Name="ApplicationVersion">
          <Value>5.0.7616.0</Value>
        </ContextItem>
      </AdditionalContext>
    </RequestSecurityToken>
  </s:Body>
</s:Envelope>

Certificate renew schedule configuration

In Windows Phone 8, the renew period can only be set during the MDM enrollment phase. Windows Phone 8.1 allows the certificate renew period and the renew failure retry to be configured both by the MDM enrollment server and later by the MDM management server, via the CertificateStore CSP's RenewPeriod and RenewInterval nodes. The device can retry automatic certificate renewal multiple times until the certificate expires. For manual certificate renewal, instead of reminding the user only once as in Windows Phone 8, the Windows Phone 8.1 device reminds the user with a prompt dialog at every renew retry time until the certificate expires. The renewal process follows the same steps as device enrol
xample:

<!-- System Time CSP -->
<MCSF>
  <AutomaticTime>
    <NTPRegularSyncInterval>1</NTPRegularSyncInterval>
    <NTPServers>time.windows.com&#xF000;time.nist.gov&#xF000;&#xF000;</NTPServers>
  </AutomaticTime>
</MCSF>

To set the regular sync interval in hours, set NTPRegularSyncInterval to a value between 1 and 168 hours inclusive. The default sync interval is 12 hours.

Set the system time zone

Here is an example for setting the time zone for India:

<!-- Time Zone Settings for India -->
<AutomaticTime>
  <TimeZonePriority1>0x6B8</TimeZonePriority1>
</AutomaticTime>

Time zone priority list

ID: Time zone
0x0: (UTC-12:00) International Date Line West
0x6E: (UTC-11:00) Coordinated Universal Time-11
0xC8: (UTC-10:00) Hawaii
0x12C: (UTC-09:00) Alaska
0x190: (UTC-08:00) Pacific Time (US & Canada)
0x19A: (UTC-08:00) Baja California
0x1F4: (UTC-07:00) Mountain Time (US & Canada)
0x1FE: (UTC-07:00) Chihuahua, La Paz, Mazatlan
0x208: (UTC-07:00) Arizona
0x258: (UTC-06:00) Saskatchewan
0x262: (UTC-06:00) Central America
0x26C: (UTC-06:00) Central Time (US & Canada)
Further IDs in the list (time zone column not recovered): 0x276 0x2BC 0x2C6 0x2D0 0x320 0x32A 0x334 0x33E 0x348 0x352 0x384 0x38E 0x398 0x3A2 0x3AC 0x3B6 0x3C0 0x3E8 0x3F2 0x44C 0x456 0x4B0 0x4BA 0x4C4 0x4CE 0x514 0x51E 0x528 0x532 0x53C 0x546 0x578 0x582 0x58C 0x596 0x5A0 0x5AA 0x5B4 0x5BE 0x5C8 0x5D2 0x5DC 0x5E6 0x5F0 0x5FA 0x60E 0x604 0x640
xample, server notification over WAP Push via binary SMS is used by the mobile operator but is not used by the enterprise server. The full description of the OMA DM protocol v1.2 can be found at the OMA website.

OMA DM standards

The following table shows the OMA DM standards that Windows Phone uses.

General area: Data transport and session
OMA DM standard that is supported: Client-initiated remote HTTPS DM session over SSL

General area: Bootstrap XML
OMA DM standard that is supported: OMA Client Provisioning profile

General area: DM protocol commands
OMA DM standard that is supported: The following list shows the commands that are used by the phone. For further information about the OMA DM command elements, see "SyncML Representation Protocol, Device Management Usage" (OMA-SyncML-DMRepPro-V1_1_2-20030613-A), available from the OMA website.
• Add (Implicit Add supported)
• Alert (DM alert): server-initiated management alert (1200) is not used by enterprise management; session abort (1223); UI alerts (1100, 1101, 1102, 1103, 1104) are not used by enterprise management; generic alert (1226) is only used by the enterprise management client when the user triggers an MDM unenrollment action from the device.
• Atomic: Note that performing an Add command followed by Replace on the same node within an Atomic element is not supported. Nested Atomic and Get commands are not allowed and will generate error code 500.
• Delete: Removes a node from the DM tree, and the entire subtree beneath that node if on
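The alert codes listed above are what a management server would want to recognise when a phone opens a session; this added example (not code from the Microsoft document) triages the <Alert> commands in a SyncML message using only those codes, flagging any code the list marks as not used by enterprise management. The sample message is constructed for the example and its SyncHdr contents are omitted.

```python
# Added example (not from the Microsoft document): triage the <Alert> commands
# found in a SyncML message using the alert codes listed above, flagging any
# code the list marks as not used by enterprise management.
import xml.etree.ElementTree as ET

# Alert codes as described in the OMA DM command list above.
ALERT_CODES = {
    1100: "UI alert, not used by enterprise management",
    1101: "UI alert, not used by enterprise management",
    1102: "UI alert, not used by enterprise management",
    1103: "UI alert, not used by enterprise management",
    1104: "UI alert, not used by enterprise management",
    1200: "server-initiated management alert, not used by enterprise management",
    1223: "session abort",
    1226: "generic alert: user triggered MDM unenrollment from the device",
}
NOT_USED_BY_ENTERPRISE = {1100, 1101, 1102, 1103, 1104, 1200}

def _local(tag):
    """Strip any XML namespace so SYNCML:SYNCML1.2 and unqualified input both work."""
    return tag.rsplit("}", 1)[-1]

def triage_alerts(syncml_text):
    """Return one dict per <Alert>: CmdID, numeric code, meaning, and whether
    the code is one the enterprise management channel should not carry."""
    root = ET.fromstring(syncml_text)
    alerts = []
    for el in root.iter():
        if _local(el.tag) != "Alert":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        code = int(fields["Data"]) if fields.get("Data", "").isdigit() else None
        alerts.append({
            "cmd_id": fields.get("CmdID"),
            "code": code,
            "meaning": ALERT_CODES.get(code, "unknown alert code"),
            "unexpected": code is None or code in NOT_USED_BY_ENTERPRISE,
        })
    return alerts

def unenrollment_requested(alerts):
    """True when the client signalled a user-triggered MDM unenrollment (1226)."""
    return any(a["code"] == 1226 for a in alerts)

# Constructed sample: a client message carrying generic alert 1226 (SyncHdr omitted).
SAMPLE_CLIENT_MESSAGE = """<SyncML xmlns="SYNCML:SYNCML1.2"><SyncHdr/><SyncBody>
<Alert><CmdID>2</CmdID><Data>1226</Data></Alert><Final/></SyncBody></SyncML>"""

if __name__ == "__main__":
    for alert in triage_alerts(SAMPLE_CLIENT_MESSAGE):
        print(alert)
```

A 1226 alert is the signal to retire the device record and revoke its client certificate on the server side, since the page notes that the user can trigger unenrollment from the device.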
y client identity in order to update the registration record after the phone certificate is renewed. The phone signs the EntDMID with the old client certificate during the certificate renewal process and saves the signature locally. Supported operations are Get and Replace.

<ProviderID>/CertRenewTimeStamp
Optional. The time, in OMA DM standard time format. This node and the SignedCertRenewTimeStamp node are designed to reduce the risk of the certificate being used by another phone. The phone records the time that the new certificate was created. Supported operation is Get.

<ProviderID>/SignedCertRenewTimeStamp
Optional. The character string that contains the certificate creation time stamp. The phone signs the certificate creation time stamp with the old certificate immediately after the certificate is renewed. The signature can be retrieved by the server through this configuration service provider. This helps to prevent a man-in-the-middle attack. The signature is valid for approximately 30 minutes. Supported operation is Get.

<ProviderID>/ManagementServiceAddress
Required. The character string that contains the device management server address. It can be updated during an OMA DM session by the management server to allow the server to load-balance to another server in situations where too many devices are connected to the server. The DMClient configuration service provider will save the address to the same location as the w7 and D
yncBody>
</SyncML>

EnterpriseExt configuration service provider (Handheld 8.1)

The EnterpriseExt configuration service provider allows Information Technology (IT) administrators to use the Mobile Device Management (MDM) service to set up a device to enroll automatically to the MDM server in an enterprise environment, restart a device, and manage the maintenance window schedule for a device so that it can perform device updates and other management tasks. IT administrators can also test updates with a small number of devices in their environment before deploying the same update to all devices.

Important note: This CSP applies only to Windows Embedded 8.1 Handheld devices.

The following image shows the EnterpriseExt configuration service provider in tree format as used by both the Open Mobile Alliance (OMA) Device Management (DM) and OMA Client Provisioning.

[Image: EnterpriseExt configuration service provider tree, rooted at ./Vendor/MSFT/EnterpriseExt]

./Vendor/MSFT/EnterpriseExt
The root node for the EnterpriseExt configuration service prov