MS-WSTEP certificate enrollment OMA-DM sync

Andrea A 96 Reputation points
2021-06-22T15:43:34.167+00:00

Hi everyone,

I'm implementing server-side support for Windows MDM.

Following Microsoft guides and protocols, I was able to perform the Discovery, GetPolicies and Enrollment phases; however, right after the enrollment success (confirmed by the UI and the admin Event Viewer) the device sends an "empty" OMA-DM request to the endpoint I provided with the wap provisioning (in node <characteristic type="APPLICATION"><parm name="ADDR" ..... ).

When I say "empty" I mean that in the request headers I have the MS-SIGNATURE I requested in the provisioning, the GET parameters are "mode" and "Platform", but the request doesn't have a payload.

Here is the log of the message creation:

<EventData>
<Data Name="Message1">B42A7BD0-3935-4A2A-AD2E-78BC15622925</Data>
<Data Name="Message2">MyMDMserver</Data>
<Data Name="Message3">NULL</Data>
<Data Name="Message4">1.2</Data>
<Data Name="HexInt1">0x23</Data>
<Data Name="HexInt2">0x5</Data>
<Data Name="HexInt3">0x0</Data>
<Data Name="HexInt4">0x2</Data>
<Data Name="UInt1">1</Data>
<Data Name="UInt2">3</Data>
</EventData>

The endpoint I provided is, temporarily, a simple script that logs the request and its payload.

Now, I'm sorry for the newbie questions, but:

  1. Is it correct that the first request I receive from the device has no payload? (According to the OMA-DM protocol, section 8.3, the client MUST send device info in the first message.) If not, could you suggest where the problem could be?
  2. What operations should the endpoint perform?

P.S. I obtained the application identity, SID and secret from a Windows Developer Account and I am able to get a WNS token, but I think I'm missing something.

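As an added illustration of what the endpoint has to do with the client's first OMA-DM package (question 2 above), here is example code written for this page; it is not code from the original poster or from Microsoft. The server parses the SyncML package #1, rejects an empty or malformed body up front, answers with a Status for the SyncHdr and for each client command, then issues its own commands, and refuses to send anything that does not parse back as well-formed XML. The client message is constructed; the device ID, the server URI (the ADDR value from the thread) and the DevDetail URIs the server queries are assumptions.

```python
"""Server side of the first OMA-DM (SyncML DM 1.2) exchange after enrollment.
Added example for this page, not code from the original poster or Microsoft.
SERVER_URI, DEVICE_ID and the queried DevDetail URIs are assumptions."""
import itertools
import xml.etree.ElementTree as ET

SYNCML_NS = "SYNCML:SYNCML1.2"
ET.register_namespace("", SYNCML_NS)        # serialise with a default xmlns
NS = {"s": SYNCML_NS}
SERVER_URI = "https://my.endpoint.com/wns"  # ADDR from the provisioning doc in the thread
DEVICE_ID = "00000000-1111-2222-3333-444444444444"  # constructed, not a real device

# Constructed package #1: SyncHdr, Alert 1201 (client-initiated session) and the
# Replace carrying ./DevInfo/* that OMA-DM requires in the first client message.
CLIENT_PACKAGE_1 = f"""<?xml version="1.0" encoding="UTF-8"?>
<SyncML xmlns="{SYNCML_NS}">
 <SyncHdr>
  <VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
  <SessionID>1</SessionID><MsgID>1</MsgID>
  <Target><LocURI>{SERVER_URI}</LocURI></Target>
  <Source><LocURI>{DEVICE_ID}</LocURI></Source>
 </SyncHdr>
 <SyncBody>
  <Alert><CmdID>2</CmdID><Data>1201</Data></Alert>
  <Replace><CmdID>3</CmdID>
   <Item><Source><LocURI>./DevInfo/DevId</LocURI></Source><Data>{DEVICE_ID}</Data></Item>
   <Item><Source><LocURI>./DevInfo/Man</LocURI></Source><Data>Contoso</Data></Item>
   <Item><Source><LocURI>./DevInfo/Mod</LocURI></Source><Data>Laptop</Data></Item>
   <Item><Source><LocURI>./DevInfo/DmV</LocURI></Source><Data>1.3</Data></Item>
   <Item><Source><LocURI>./DevInfo/Lang</LocURI></Source><Data>en-US</Data></Item>
  </Replace>
  <Final/>
 </SyncBody>
</SyncML>"""


def _q(tag):
    """Qualified tag name in the SyncML namespace."""
    return f"{{{SYNCML_NS}}}{tag}"


def _sub(parent, tag, text=None):
    el = ET.SubElement(parent, _q(tag))
    if text is not None:
        el.text = str(text)
    return el


def parse_client_package(raw: bytes) -> dict:
    """Validate package #1 and pull out what the server needs to answer it.
    An empty body is rejected explicitly: the first client message must carry
    the SyncHdr and the DevInfo Replace, so there is nothing to answer."""
    if not raw or not raw.strip():
        raise ValueError("empty OMA-DM request body: client sent no SyncML")
    try:
        root = ET.fromstring(raw)
    except ET.ParseError as exc:
        raise ValueError(f"request is not well-formed XML: {exc}") from exc
    if root.tag != _q("SyncML"):
        raise ValueError(f"unexpected root element {root.tag!r}")
    hdr, body = root.find("s:SyncHdr", NS), root.find("s:SyncBody", NS)
    if hdr is None or body is None:
        raise ValueError("SyncHdr or SyncBody missing")
    info = {
        "session_id": hdr.findtext("s:SessionID", namespaces=NS),
        "msg_id": hdr.findtext("s:MsgID", namespaces=NS),
        "client_uri": hdr.findtext("s:Source/s:LocURI", namespaces=NS),
        "target_uri": hdr.findtext("s:Target/s:LocURI", namespaces=NS),
        "commands": [],   # (command, CmdID) in body order, each needs a Status
        "devinfo": {},    # ./DevInfo/* reported by the device
        "final": body.find("s:Final", NS) is not None,
    }
    if not info["session_id"] or not info["client_uri"]:
        raise ValueError("SyncHdr lacks SessionID or Source/LocURI")
    for cmd in body:
        name = cmd.tag.split("}")[-1]
        if name == "Final":
            continue
        info["commands"].append((name, cmd.findtext("s:CmdID", namespaces=NS)))
        if name == "Replace":
            for item in cmd.findall("s:Item", NS):
                uri = item.findtext("s:Source/s:LocURI", namespaces=NS) or ""
                if uri.startswith("./DevInfo/"):
                    info["devinfo"][uri] = item.findtext("s:Data", namespaces=NS)
    return info


def build_server_package(info: dict, get_uris=("./DevDetail/SwV",
                                               "./DevDetail/Ext/Microsoft/DeviceName")) -> bytes:
    """Package #2: Status 200 for the SyncHdr and every client command, then
    the server's own Get commands, then Final. Round-trips the result through
    the parser so a stray control character never reaches the device."""
    ids = itertools.count(1)
    root = ET.Element(_q("SyncML"))
    hdr = _sub(root, "SyncHdr")
    _sub(hdr, "VerDTD", "1.2")
    _sub(hdr, "VerProto", "DM/1.2")
    _sub(hdr, "SessionID", info["session_id"])
    _sub(hdr, "MsgID", info["msg_id"])
    _sub(_sub(hdr, "Target"), "LocURI", info["client_uri"])
    _sub(_sub(hdr, "Source"), "LocURI", SERVER_URI)
    body = _sub(root, "SyncBody")
    for name, ref in [("SyncHdr", "0")] + info["commands"]:
        st = _sub(body, "Status")
        _sub(st, "CmdID", next(ids))
        _sub(st, "MsgRef", info["msg_id"])
        _sub(st, "CmdRef", ref)
        _sub(st, "Cmd", name)
        _sub(st, "Data", "200")
    for uri in get_uris:
        get = _sub(body, "Get")
        _sub(get, "CmdID", next(ids))
        _sub(_sub(_sub(get, "Item"), "Target"), "LocURI", uri)
    _sub(body, "Final")
    out = ET.tostring(root, encoding="utf-8", xml_declaration=True)
    try:
        ET.fromstring(out)
    except ET.ParseError as exc:
        raise ValueError(f"refusing to send malformed response: {exc}") from exc
    return out


def list_commands(raw: bytes) -> list:
    """(command, Data) for each SyncBody child, handy for inspecting a package."""
    body = ET.fromstring(raw).find("s:SyncBody", NS)
    return [(c.tag.split("}")[-1], c.findtext("s:Data", namespaces=NS)) for c in body]
```

Two caveats for real traffic: the provisioning document in this thread sets DEFAULTENCODING to application/vnd.syncml.dm+wbxml, so the body on the wire is WBXML and must be decoded before this step (and the reply sent with the same Content-Type); and with RequireMessageSigning enabled the MS-Signature header should be verified before anything in the body is trusted, which the example does not show.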

Accepted answer
  1. Andrea A 96 Reputation points
    2021-06-25T09:06:14.777+00:00

    Hi guys,

    thanks for the support you provided.

    I was able to solve the issue I was facing; it turned out there was an invalid character in the response I was sending from the server. The process I followed is correct and the wap provisioning I posted works.

    Thanks again


3 additional answers

  1. Vicky Wang 2,646 Reputation points
    2021-06-23T09:50:31.477+00:00

    Hi,
    Thank you for posting in our forum.
    Can you give me some time to study this issue?
    We will update you as soon as we have the results.
    Hope this information can help you
    Best wishes
    Vicky


  2. Vicky Wang 2,646 Reputation points
    2021-06-24T07:39:47.963+00:00

    How are you signing the request? I have found with both Active Directory Certificate Services and OpenSSL that simply enrolling the request and returning the resulting certificate chain is enough.

    The Auth Secret is what the client will later use during OMA DM sessions to authenticate the server.

    For Auth name, simply place there the identifying credential you wish to use to identify requests from the client. In our case we use the email address or username so that we can identify who the request is from.

    I don't think you need UPN, but I would suggest at that point instead setting the EntDMID, as that is required before ROBO or manual renewal of the enrollment will be triggered later on.


  3. Andrea A 96 Reputation points
    2021-06-24T08:43:59.407+00:00

    @Vicky Wang

    The request I receive from the device is signed with OpenSSL; the only changes I make to it are:

    • Change the subject CN to a custom string that I later insert in SSLCLIENTCERTSEARCHCRITERIA
    • Add some alternative names to the subject

    I verified through an online tool that the CSR and the signed certificate have the same public key; I sign the CSR with a CA that I later include in the wap provisioning in the Root/System node.

    Here is my wap provisioning (I changed the certificates parameters)

    <wap-provisioningdoc version="1.1">  
           <characteristic type="CertificateStore">  
              <characteristic type="Root">  
                 <characteristic type="System">  
                    <characteristic type="sha1Fingerprint">  
                       <parm name="EncodedCertificate" value="xxx" />  
                    </characteristic>  
                 </characteristic>  
              </characteristic>  
           </characteristic>  
           <characteristic type="CertificateStore">  
              <characteristic type="My">  
                 <characteristic type="User">  
                    <characteristic type="sha1FingeprintClient">  
                       <parm name="EncodedCertificate" value="xxx" />  
                    </characteristic>  
                    <characteristic type="PrivateKeyContainer" />  
                 </characteristic>  
                 <characteristic type="WSTEP">  
                    <characteristic type="Renew">  
                       <parm datatype="boolean" name="ROBOSupport" value="true" />  
                       <parm datatype="integer" name="RenewPeriod" value="60" />  
                       <parm datatype="integer" name="RetryInterval" value="4" />  
                    </characteristic>  
                 </characteristic>  
              </characteristic>  
           </characteristic>  
           <characteristic type="APPLICATION">  
              <parm name="APPID" value="w7" />  
              <parm name="PROVIDER-ID" value="MyMDMServer" />  
              <parm name="NAME" value="My MDM" />  
              <parm name="ADDR" value="https://my.endpoint.com/wns"/>  
              <parm name="CONNRETRYFREQ" value="6" />  
              <parm name="INITIALBACKOFFTIME" value="30000" />  
              <parm name="MAXBACKOFFTIME" value="120000" />  
              <parm name="BACKCOMPATRETRYDISABLED" />  
              <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />  
              <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3DMyCustomCN&amp;Stores=My%5CUser" />  
              <characteristic type="APPAUTH">  
                 <parm name="AAUTHLEVEL" value="CLIENT" />  
                 <parm name="AAUTHTYPE" value="DIGEST" />  
                 <parm name="AAUTHSECRET" value="clientsecret" />  
                 <parm name="AAUTHDATA" value="MTY5MzIzNA==" />  
              </characteristic>  
              <characteristic type="APPAUTH">  
                 <parm name="AAUTHLEVEL" value="APPSRV" />  
                 <parm name="AAUTHTYPE" value="BASIC" />  
                 <parm name="AAUTHNAME" value="srvname" />  
                 <parm name="AAUTHSECRET" value="srvsecret" />  
                 <parm name="AAUTHDATA" value="MzQ4NTA3NA==" />  
              </characteristic>  
           </characteristic>  
           <characteristic type="DMClient">  
              <characteristic type="Provider">  
                 <characteristic type="MyMDMServer">  
                    <parm name="UPN" value="test@my.domain.com" datatype="string" />   
                    <characteristic type="Poll">  
                       <parm datatype="integer" name="NumberOfFirstRetries" value="8" />  
                       <parm datatype="integer" name="IntervalForFirstSetOfRetries" value="15" />  
                       <parm datatype="integer" name="NumberOfSecondRetries" value="5" />  
                       <parm datatype="integer" name="IntervalForSecondSetOfRetries" value="3" />  
                       <parm datatype="integer" name="NumberOfRemainingScheduledRetries" value="0" />  
                       <parm datatype="integer" name="IntervalForRemainingScheduledRetries" value="1560" />  
                       <parm datatype="boolean" name="PollOnLogin" value="true" />  
                    </characteristic>  
                    <parm datatype="string" name="EntDeviceName" value="DESKTOP-9KGB1SC" />  
                    <parm datatype="string" name="EntDMID" value="1501" />  
                    <parm datatype="boolean" name="RequireMessageSigning" value="true" />  
                    <parm datatype="string" name="HelpEmailAddress" value="support@my.domain" />  
                    <parm datatype="string" name="HelpWebsite" value="https://my.domain.com/support" />  
                 </characteristic>  
              </characteristic>  
           </characteristic>  
        </wap-provisioningdoc>  
    

    As I mentioned in my question the enrollment is successful; in the admin event viewer of Windows I have messages confirming the enrollment success.
    The device shows as managed by my MDM server; however, right after enrollment the device tries to contact the server with an OMA-DM message that has no device data in it. It is just a request with MS-SIGNATURE in the headers and "mode" - "Platform" as GET parameters; I receive the request at https://my.endpoint.com/wns but don't know how to answer because I have no data in it.

    https://my.endpoint.com/wns is protected by an SSL certificate, should I include the relative chain in wap provisioning?
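The accepted answer traces the failure to an invalid character in a response sent by the server. The checker below is an added example for this page (not the poster's code) that runs the checks I would want on a wap-provisioningdoc like the one above before it goes into the enrollment response: no code points that XML 1.0 forbids, well-formedness, every EncodedCertificate is base64 DER whose SHA-1 thumbprint equals the characteristic name it sits under (the placeholder "sha1Fingerprint" in the posted document would be flagged, which is the intent), APPID is w7, ADDR is an https URL, each APPAUTH AAUTHDATA is base64, and DMClient/Provider/<PROVIDER-ID> exists. The sample document, its five-byte DER stand-in and the provider/URL values are constructed for the example.

```python
"""Sanity checks for a Windows MDM wap-provisioningdoc before it is embedded in
the enrollment response. Added example for this page, not the poster's code.
The sample document, SAMPLE_DER and the provider/ADDR values are constructed."""
import base64
import hashlib
import re
import xml.etree.ElementTree as ET

# Code points XML 1.0 forbids anywhere in a document (NUL, most C0 controls, ...).
_ILLEGAL = re.compile("[\x00-\x08\x0b\x0c\x0e-\x1f\ufffe\uffff]")

# Stand-in DER blob (SEQUENCE { INTEGER 1 }) so the example runs offline;
# a real document carries the CA / client certificate DER here.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"


def thumbprint(der: bytes) -> str:
    """SHA-1 thumbprint, which is the characteristic name CertificateStore expects."""
    return hashlib.sha1(der).hexdigest().upper()


def build_sample_doc(der: bytes = SAMPLE_DER, provider_id: str = "MyMDMServer",
                     addr: str = "https://my.endpoint.com/wns", cert_node: str = "") -> str:
    """Constructed provisioning document in the shape of the one in the thread.
    cert_node overrides the certificate characteristic name (to show a mismatch)."""
    node = cert_node or thumbprint(der)
    b64 = base64.b64encode(der).decode()
    return f"""<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <characteristic type="Root"><characteristic type="System">
      <characteristic type="{node}"><parm name="EncodedCertificate" value="{b64}"/></characteristic>
    </characteristic></characteristic>
  </characteristic>
  <characteristic type="APPLICATION">
    <parm name="APPID" value="w7"/>
    <parm name="PROVIDER-ID" value="{provider_id}"/>
    <parm name="ADDR" value="{addr}"/>
    <characteristic type="APPAUTH">
      <parm name="AAUTHLEVEL" value="CLIENT"/>
      <parm name="AAUTHTYPE" value="DIGEST"/>
      <parm name="AAUTHSECRET" value="clientsecret"/>
      <parm name="AAUTHDATA" value="MTY5MzIzNA=="/>
    </characteristic>
  </characteristic>
  <characteristic type="DMClient"><characteristic type="Provider">
    <characteristic type="MyMDMServer"><parm name="EntDMID" value="1501" datatype="string"/></characteristic>
  </characteristic></characteristic>
</wap-provisioningdoc>"""


def check_wap_provisioning(doc: str) -> list:
    """Return the problems found; an empty list means the document passed."""
    bad = [f"illegal XML character {m.group()!r} at offset {m.start()}"
           for m in _ILLEGAL.finditer(doc)]
    if bad:
        return bad                       # the client's parser would stop here too
    try:
        root = ET.fromstring(doc)
    except ET.ParseError as exc:
        return [f"not well-formed XML: {exc}"]
    problems = []
    if root.tag != "wap-provisioningdoc":
        problems.append(f"root element is {root.tag}, expected wap-provisioningdoc")

    # Every EncodedCertificate must be base64 DER whose SHA-1 equals the node name.
    for node in root.iter("characteristic"):
        parm = node.find("parm[@name='EncodedCertificate']")
        if parm is None:
            continue
        name = node.get("type", "")
        try:
            der = base64.b64decode(parm.get("value", ""), validate=True)
        except ValueError:
            problems.append(f"{name}: EncodedCertificate is not valid base64")
            continue
        if not der or der[0] != 0x30:
            problems.append(f"{name}: EncodedCertificate does not start with a DER SEQUENCE")
        elif thumbprint(der) != name.upper():
            problems.append(f"{name}: node name is not the SHA-1 thumbprint "
                            f"of the certificate ({thumbprint(der)})")

    app = root.find("characteristic[@type='APPLICATION']")
    if app is None:
        problems.append("APPLICATION characteristic missing")
        return problems
    parms = {p.get("name"): p.get("value") for p in app.findall("parm")}
    if parms.get("APPID") != "w7":
        problems.append("APPLICATION/APPID must be w7 for the MDM client")
    addr = parms.get("ADDR") or ""
    if not addr.startswith("https://"):
        problems.append(f"ADDR {addr!r} is not an https URL")
    provider = parms.get("PROVIDER-ID")
    if not provider:
        problems.append("PROVIDER-ID missing")
    elif root.find("characteristic[@type='DMClient']/characteristic[@type='Provider']"
                   f"/characteristic[@type='{provider}']") is None:
        problems.append(f"DMClient/Provider/{provider} missing: must match PROVIDER-ID")
    for auth in app.findall("characteristic[@type='APPAUTH']"):
        a = {p.get("name"): p.get("value") for p in auth.findall("parm")}
        try:
            base64.b64decode(a.get("AAUTHDATA") or "", validate=True)
        except ValueError:
            problems.append(f"APPAUTH {a.get('AAUTHLEVEL')}: AAUTHDATA is not base64")
    return problems
```

Run the checker over the exact bytes the server is about to base64-encode into the RequestSecurityTokenResponse; a document that passes here can still be rejected by the client for policy reasons, but it will not fail on parsing.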