3.6 XML Provisioning Document Schema

As described in section 3.4.4.1.1.3, the <RequestSecurityTokenResponseCollection><wsse:BinarySecurityToken> element contains an XML provisioning document. The entire XML provisioning document is base64-encoded in the RequestSecurityTokenResponseCollection message (section 3.4.4.1.1.3). The document contains:

  • The requested client certificate, the trusted root certificate, and intermediate certificates.

  • The provisioning information for the device management client. 

The enrollment client installs the client certificate, as well as the trusted root certificate and intermediate certificates. The provisioning information includes content such as the location of the DMS and various properties that the device management client uses to communicate with the DMS.

The following schema is an example of the XML required for the provisioning document<4>. The explanation for each field in the document appears inline in the example as XML comments.

 <wap-provisioningdoc version="1.1">
   <!-- This contains information about issued and trusted certificates. -->
   <characteristic type="CertificateStore">
     <!-- This contains trust certificates. -->
     <characteristic type="Root">
       <characteristic type="System">
         <!--The thumbprint of the certificate to be added to the trusted root store -->
         <characteristic type="5BE128213D05DC6CB87A059469130FC6686992EF">
           <!-- Base64 encoding of the trust root certificate -->
           <parm name="EncodedCertificate" value="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" />
         </characteristic>
       </characteristic>
     </characteristic>
     <!-- This contains intermediate certificates. -->
     <characteristic type="CA">
       <characteristic type="System">
         <!-- The thumbprint of the intermediate certificate to be added to the CA store -->
         <characteristic type="5DF7DE78255449CFEBD82CD626011982378F40F1">
           <!-- Base64 encoding of the intermediate certificate -->
           <parm name="EncodedCertificate" value="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" />
         </characteristic>
       </characteristic>
     </characteristic>
     <characteristic type="My">
       <characteristic type="User">
         <!-- Client certificate thumbprint. -->
         <characteristic type="B692158116B7B82EDA4600FF4145414933B0D5AB">
           <!-- Base64 encoding of the client certificate -->
           <parm name="EncodedCertificate" value="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" />
           <characteristic type="PrivateKeyContainer">
             <parm name="KeySpec" value="2"/>
             <parm name="ContainerName" value="ConfigMgrEnrollment"/>
             <parm name="ProviderType" value="1"/>
           </characteristic>
         </characteristic>
       </characteristic>
     </characteristic>
   </characteristic>
   
   <!-- Contains information about the management service and configuration for the management agent -->
   <characteristic type="APPLICATION">
     <parm name="APPID" value="w7"/>
     <!-- Management Service Name. -->
     <parm name="PROVIDER-ID" value="Contoso Management Service"/>
     <parm name="NAME" value="BecMobile"/>
       <!-- Link to an application that the management service may provide, e.g. a Windows Store application link. The Enrollment Client may show this link in its UX. -->
     <parm name="SSPHyperlink" value="http://go.microsoft.com/fwlink/?LinkId=255310" />
     <!-- Management Service URL. -->
     <parm name="ADDR" value="https://ContosoManagementService.com/MDMHandler"/>
     <parm name="ServerList" value="https://ContosoManagementService.com/MDMHandler" />
     <parm name="ROLE" value="4294967295"/>
     <!-- Discriminator to set whether the client should do Certificate Revocation List checking. -->
     <parm name="CRLCheck" value="0"/>
     <parm name="CONNRETRYFREQ" value="6" />
     <parm name="INITIALBACKOFFTIME" value="30000" />
     <parm name="MAXBACKOFFTIME" value="120000" />
     <parm name="BACKCOMPATRETRYDISABLED" />
     <parm name="DEFAULTENCODING" value="application/vnd.syncml.dm+wbxml" />
     <!-- Search criteria for client to find the client certificate using subject name of the certificate -->
     <parm name="SSLCLIENTCERTSEARCHCRITERIA" value="Subject=CN%3de4c6b893-07a7-4b24-878e-9d8602c3d289&amp;Stores=MY%5CUser"/>
     <characteristic type="APPAUTH">
       <parm name="AAUTHLEVEL" value="CLIENT"/>
       <parm name="AAUTHTYPE" value="DIGEST"/>
       <parm name="AAUTHSECRET" value="dummy"/>
       <parm name="AAUTHDATA" value="nonce"/>
     </characteristic>
     <characteristic type="APPAUTH">
       <parm name="AAUTHLEVEL" value="APPSRV"/>
       <parm name="AAUTHTYPE" value="DIGEST"/>
       <parm name="AAUTHNAME" value="dummy"/>
       <parm name="AAUTHSECRET" value="dummy"/>
       <parm name="AAUTHDATA" value="nonce"/>
     </characteristic>
   </characteristic>
     <!-- Extra information to seed the management agent's behavior. -->
   <characteristic type="Registry">
     <characteristic type="HKLM\Security\MachineEnrollment">
       <parm name="RenewalPeriod" value="363" datatype="integer" />
     </characteristic>
     <characteristic type="HKLM\Security\MachineEnrollment\OmaDmRetry">
       <!-- Number of retries if client fails to connect to the management service. -->
       <parm name="NumRetries" value="8" datatype="integer" />
       <!--Interval in minutes between retries. -->
       <parm name="RetryInterval" value="15" datatype="integer" />
       <parm name="AuxNumRetries" value="5" datatype="integer" />
       <parm name="AuxRetryInterval" value="3" datatype="integer" />
       <parm name="Aux2NumRetries" value="0" datatype="integer" />
       <parm name="Aux2RetryInterval" value="480" datatype="integer" />
     </characteristic>
   </characteristic>
     <!-- Extra information about where to find device identity information. This duplicates information given above, but it is required in the current version of the protocol. -->
   <characteristic type="Registry">
     <characteristic type="HKLM\Software\Windows\CurrentVersion\MDM\MachineEnrollment">
       <parm name="DeviceName" value="" datatype="string" />
     </characteristic>
   </characteristic>
   <characteristic type="Registry">
     <characteristic type="HKLM\SOFTWARE\Windows\CurrentVersion\MDM\MachineEnrollment">
       <!--Thumbprint of root certificate. -->
       <parm name="SslServerRootCertHash" value="5BE128213D05DC6CB87A059469130FC6686992EF" datatype="string" />
       <!-- Store for device certificate. -->
       <parm name="SslClientCertStore" value="MY%5CSystem" datatype="string" />
       <!--  Common name of issued certificate. -->
       <parm name="SslClientCertSubjectName" value="CN%3de4c6b893-07a7-4b24-878e-9d8602c3d289" datatype="string" />
       <!--Thumbprint of issued certificate. -->
       <parm name="SslClientCertHash" value="B692158116B7B82EDA4600FF4145414933B0D5AB" datatype="string" />
     </characteristic>
     <characteristic type="HKLM\Security\Provisioning\OMADM\Accounts\037B1F0D3842015588E753CDE76EC724">
       <parm name="SslClientCertReference" value="My;System;B692158116B7B82EDA4600FF4145414933B0D5AB" datatype="string" />
     </characteristic>
   </characteristic>
 </wap-provisioningdoc>
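The document above ties the same certificate together in three places: the thumbprint used as the characteristic type, the base64 DER under EncodedCertificate, and the registry hashes (SslServerRootCertHash, SslClientCertHash). An enrollment client that installs certificates into the root and CA stores should verify those references agree before it trusts them. The following is an added example, not code from the specification or from any Microsoft implementation: it parses a wap-provisioningdoc with xml.etree, recomputes each SHA-1 thumbprint from the decoded certificate bytes and cross-checks the registry references. The sample document and the "certificate" byte strings are constructed stand-ins, not real certificates.

```python
import base64
import hashlib
import xml.etree.ElementTree as ET

# Constructed stand-ins for DER-encoded certificates (not real certificates).
ROOT_DER = b"constructed root certificate DER bytes"
CLIENT_DER = b"constructed client certificate DER bytes"
# A certificate thumbprint is the SHA-1 of its DER encoding, upper-case hex.
ROOT_THUMB, CLIENT_THUMB = (hashlib.sha1(d).hexdigest().upper() for d in (ROOT_DER, CLIENT_DER))


def sample_doc(claimed_root=ROOT_THUMB, reg_client_hash=CLIENT_THUMB):
    """Constructed wap-provisioningdoc carrying a Root/System and a My/User certificate."""
    b64 = lambda der: base64.b64encode(der).decode()
    return f"""<wap-provisioningdoc version="1.1">
  <characteristic type="CertificateStore">
    <characteristic type="Root"><characteristic type="System">
      <characteristic type="{claimed_root}">
        <parm name="EncodedCertificate" value="{b64(ROOT_DER)}"/>
      </characteristic></characteristic></characteristic>
    <characteristic type="My"><characteristic type="User">
      <characteristic type="{CLIENT_THUMB}">
        <parm name="EncodedCertificate" value="{b64(CLIENT_DER)}"/>
      </characteristic></characteristic></characteristic>
  </characteristic>
  <characteristic type="Registry">
    <characteristic type="HKLM\\SOFTWARE\\Windows\\CurrentVersion\\MDM\\MachineEnrollment">
      <parm name="SslServerRootCertHash" value="{ROOT_THUMB}" datatype="string"/>
      <parm name="SslClientCertHash" value="{reg_client_hash}" datatype="string"/>
    </characteristic></characteristic>
</wap-provisioningdoc>"""


def check_provisioning_doc(xml_text):
    """Return a list of inconsistencies; an empty list means the document is self-consistent."""
    root = ET.fromstring(xml_text)
    findings, actual = [], {}
    for store, container in (("Root", "System"), ("CA", "System"), ("My", "User")):
        # Select the thumbprint-level characteristics that carry an EncodedCertificate parm.
        path = (f"./characteristic[@type='CertificateStore']/characteristic[@type='{store}']"
                f"/characteristic[@type='{container}']/characteristic/parm[@name='EncodedCertificate']/..")
        for entry in root.findall(path):
            claimed = entry.get("type", "").upper()  # thumbprint claimed by the type attribute
            der = base64.b64decode(entry.find("parm[@name='EncodedCertificate']").get("value"))
            thumb = hashlib.sha1(der).hexdigest().upper()
            if thumb != claimed:
                findings.append(f"{store}/{container}: type={claimed} but certificate SHA-1 is {thumb}")
            actual.setdefault(store, set()).add(thumb)
    # Registry values must point at certificates the document actually carries.
    reg = {p.get("name"): p.get("value", "") for p in root.iter("parm")}
    for name, store in (("SslServerRootCertHash", "Root"), ("SslClientCertHash", "My")):
        if reg.get(name, "").upper() not in actual.get(store, set()):
            findings.append(f"{name}={reg.get(name)!r} matches no {store} certificate in the document")
    return findings
```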