Credentials for OMA DM

OEMs are required to provision or bootstrap the phone with appropriate credentials to communicate with the mobile operator’s OMA DM server.

The following sample shows how to use the settings for configuring OMA DM credentials. Add appropriate values and any other settings you need.

<Settings Path="DeviceManagement/Accounts/$(AccountId)">
    <Setting Name="ServerId" Value="" />
    <Setting Name="Address" Value="" />
    <Setting Name="AddressType" Value="" />
    <Setting Name="Port" Value="" />
    <Setting Name="Role" Value="" />
</Settings>

Settings

The following settings are used to configure credentials for OMA DM.

  • $(AccountId)
    Replace $(AccountId) with the unique identifier of the OMA DM server account (an account that uses the OMA DM version 1.2 protocol). This is the hexadecimal representation of the 256-bit SHA-2 hash of the server identifier. The OMA DM server can change this node name in subsequent OMA DM sessions.

  • ServerId
    Required. Specifies the OMA DM server's unique identifier for the current OMA DM account. This value is case-sensitive.

  • Name
    Optional. Specifies the displayable name of the management server.

  • PreferredConnectivityReference
    Optional. Specifies the preferred connectivity for the OMA DM account.

    This element contains either a URI to a NAP management object or a connection GUID used by Connection Manager. If this element is missing, the device uses the default connection that is provided by Connection Manager.

  • Address
    Required. Specifies the address of the OMA DM server. The type of address stored is specified by the AddressType element.

  • AddressType
    Required. Specifies the format and interpretation of the Address value. The default is "URI".

    The default value of "URI" specifies that the OMA DM server address in Address is a URI address. A value of "IPv4" specifies that the OMA DM server address in Address is an IP address.

  • Port
    Required. Specifies the port number of the OMA DM server address. This must be a decimal number that fits within the range of a 16-bit unsigned integer.

  • AuthenticationPreference
    Optional. Specifies the SyncML authentication type to use for this OMA DM account.

    A value of "BASIC" specifies that the client attempts BASIC authentication. A value of "DIGEST" specifies that the client attempts MD5 authentication.

    If this value is empty, the client attempts the authentication mechanism negotiated in the previous session, if one exists. If the value is empty, no previous session exists, and MD5 credentials exist, the client tries MD5 authentication first; otherwise, the client tries BASIC authentication first.

  • Authentication/ClientCredentials/Level
    Required (either ClientCredentials or ServerCredentials). This must be set to "CLCRED", which indicates that the client will authenticate itself to the OMA DM server at the OMA DM protocol level.

  • Authentication/ClientCredentials/Type
    Required (either ClientCredentials or ServerCredentials). Specifies the authentication type. Supported values are "BASIC" and "DIGEST".

  • Authentication/ClientCredentials/Name
    Optional. Specifies the authentication name.

  • Authentication/ClientCredentials/Secret
    Optional. Specifies the password or secret used for authentication.

  • Authentication/ClientCredentials/Data
    Optional. Specifies the next nonce used for authentication.

    "Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.

  • Authentication/ServerCredentials/Level
    Required (either ClientCredentials or ServerCredentials). This must be set to "SRVCRED", which indicates that the server will authenticate itself to the OMA DM client at the OMA DM protocol level.

  • Authentication/ServerCredentials/Type
    Required (either ClientCredentials or ServerCredentials). Specifies the authentication type. Supported value is "DIGEST".

  • Authentication/ServerCredentials/Name
    Optional. Specifies the authentication name.

  • Authentication/ServerCredentials/Secret
    Optional. Specifies the password or secret used for authentication.

  • Authentication/ServerCredentials/Data
    Optional. Specifies the next nonce used for authentication.

    "Nonce" refers to a number used once. It is often a random or pseudo-random number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks.

  • Role
    Required. Specifies the role mask that the OMA DM session runs with when it communicates with the server.

    If this parameter is not present, the DM session is given the role mask of the OMA DM session that the server created. The following list shows the valid security role masks and their values.

    • 8 = Mobile Operator

    • 32 = Enterprise

    The acceptable access roles for this node cannot be more than the roles assigned to the DMAcc object.

  • ProtocolVersion
    Optional. Specifies the OMA DM Protocol version that the server supports. There is no default value.

    Valid values are "1.1" and "1.2". The protocol version set by this element will match the protocol version that the DM client reports to the server in SyncHdr in package 1. If this element is not specified when adding a DM server account, the latest DM protocol version that the client supports is used. Windows Phone clients support version 1.2.

  • DefaultEncoding
    Optional. Specifies whether the OMA DM client will use WBXML or XML for the DM package when communicating with the server. The default is "application/vnd.syncml.dm+xml".

    The default value of "application/vnd.syncml.dm+xml" specifies that XML is used. A value of "application/vnd.syncml.dm+wbxml" specifies that WBXML is used.

  • UseHardwareDeviceID
    Optional. Specifies whether to use the hardware ID for the ./DevInfo/DevID element in the DM account to identify the device. The default is 0.

    The default value of 0 specifies that an application-specific GUID is returned for the ./DevInfo/DevID rather than the hardware device ID.

    A value of 1 specifies that the hardware device ID will be provided for the ./DevInfo/DevID element and the Source LocURI for the OMA DM package that is sent to the server. In this case:

    • For GSM phones, the IMEI is returned.

    • For CDMA phones, the MEID is returned.

    • For dual SIM phones, this value is retrieved from the UICC of the primary data line.

    Because the IMEI or MEID is a persistent hardware identifier that the server then receives in every package, set this value to 1 only when the server actually needs it.

  • ConnectionRetries
    Optional. Specifies the number of retries the DM client performs when there are Connection Manager level or wininet level errors. The default is "3".

  • InitialBackOffTime
    Optional. Specifies the initial amount of time (in milliseconds) that the DM client waits before attempting a connection retry. After the initial wait, the wait time grows exponentially. The default is "16000".

  • MaxBackOffTime
    Optional. Specifies the maximum number of milliseconds to wait before attempting a connection retry. The default is "86400000".

  • BackCompatRetryDisabled
    Optional. Specifies whether to retry resending a package with an older protocol version (for example, 1.1) in the SyncHdr on subsequent attempts (not including the first time). The default is 0.

    The default value of 0 indicates that backward-compatible retries are enabled. A value of 1 indicates that backward-compatible retries are disabled.

  • UseNonceResync
    Optional. Specifies whether the OMA DM client should use the nonce resynchronization procedure if the server trigger notification fails authentication. The default is 0.

    If authentication of the notification fails because the nonce the server used does not match the server nonce stored on the device, the device can fall back to the backup nonce as the server nonce. For this procedure to succeed, when the device did not authenticate with the preconfigured nonce value, the server must sign the server notification message with the backup nonce.

    The default value of 0 specifies that the client does not retry authentication of the notification with the backup server nonce when authentication with the stored nonce fails. A value of 1 specifies that the client initiates a DM session when the notification authenticates with the backup server nonce after authentication with the stored nonce failed.

  • CRLCheck
    Optional. Specifies whether a certificate revocation list (CRL) check is performed when the OMA DM server's SSL certificate is validated.

  • DisableOnRoaming
    Optional. Specifies whether the client will connect while cellular roaming. A value of 0 means the client will connect. A value of 1 means it is disabled while roaming.

  • SSLClientCertSearchCriteria
    Optional. The SSLClientCertSearchCriteria parameter specifies the client certificate search criteria. This parameter supports search by subject attribute and by certificate store. If any other criteria are provided, they are ignored.

    The string is a concatenation of name/value pairs, each member of the pair delimited by the "&" character. The name and values are delimited by the "=" character. If there are multiple values, each value is delimited by the Unicode character "U+F000". If the name or value contains characters not in the UNRESERVED set (as specified in RFC2396), then those characters are URI-escaped per the RFC.

    The supported names are Subject and Stores; wildcard certificate search isn’t supported.

    Stores specifies which certificate stores the DM client will search to find the SSL client certificate. The valid store value is My%5CUser. The store name is not case sensitive.

    Note  %EF%80%80 is the UTF-8-encoded form of the character U+F000, which is how the multi-value delimiter appears in the setting value.

    Subject specifies the certificate to search for. For example, to specify that you want a certificate with a particular Subject attribute (“CN=Tester,O=Microsoft”), use the following:

    <Setting Name="SSLClientCertSearchCriteria" Value="Subject=CN%3DTester,O%3DMicrosoft&amp;Stores=My%5CUser" />
    
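Worked example of the DIGEST (MD5) credential exchange described under AuthenticationPreference and Authentication/ClientCredentials above. This is an added example, not code from this page or from the Windows Phone client; it follows the SyncML syncml:auth-md5 construction, B64(MD5(B64(MD5(name:secret)) + ":" + nonce)), and models the account as a Python dict whose Name, Secret and Data keys stand in for the ClientCredentials settings. The account name, secret and nonces are constructed values; the function and class names are the example's own, and the status codes 212 (authentication accepted) and 401 (unauthorized) are the SyncML ones.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional


def b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def decode_nonce(data: str) -> bytes:
    """The nonce travels base64-encoded (the Data value on the device and the
    server's NextNonce); decode it to the raw bytes the digest is computed over."""
    return base64.b64decode(data)


def auth_md5_digest(name: str, secret: str, nonce: bytes) -> str:
    """syncml:auth-md5 credential: B64(MD5(B64(MD5(name:secret)) + ":" + nonce)).
    The inner value depends only on the shared secret; the nonce makes the
    outer digest valid for a single session."""
    inner = b64(hashlib.md5(f"{name}:{secret}".encode("utf-8")).digest())
    return b64(hashlib.md5(inner.encode("ascii") + b":" + nonce).digest())


def client_cred(account: dict) -> dict:
    """The Cred the client puts in the SyncHdr of package 1, computed from the
    account's Name, Secret and the next nonce stored in Data."""
    nonce = decode_nonce(account["Data"])
    return {"Type": "syncml:auth-md5", "Name": account["Name"],
            "Data": auth_md5_digest(account["Name"], account["Secret"], nonce)}


class DmServer:
    """Server side of the exchange (hypothetical): holds the shared secret and
    the nonce it most recently issued for this account."""

    def __init__(self, name: str, secret: str, first_nonce: Optional[bytes] = None):
        self.name = name
        self.secret = secret
        # The nonce the account must be bootstrapped with (its initial Data value).
        self.next_nonce = first_nonce or secrets.token_bytes(16)

    def check_cred(self, cred: dict) -> dict:
        """Status for the SyncHdr Cred: 212 if it verifies, 401 otherwise.
        A fresh NextNonce is issued either way, so a captured Cred cannot be
        replayed and a client whose stored nonce drifted can resynchronise."""
        expected = auth_md5_digest(self.name, self.secret, self.next_nonce)
        got = str(cred.get("Data", "")).encode("utf-8")
        ok = (cred.get("Type") == "syncml:auth-md5"
              and cred.get("Name") == self.name
              and hmac.compare_digest(expected.encode("ascii"), got))
        self.next_nonce = secrets.token_bytes(16)
        return {"Status": 212 if ok else 401, "NextNonce": b64(self.next_nonce)}


def run_session(account: dict, server: DmServer) -> int:
    """One authentication round trip: the client sends its Cred, then stores
    the NextNonce from the server's Status in Data for the next session."""
    status = server.check_cred(client_cred(account))
    account["Data"] = status["NextNonce"]
    return status["Status"]


if __name__ == "__main__":
    # Constructed sample account; both sides start from the same bootstrap nonce.
    bootstrap = secrets.token_bytes(16)
    server = DmServer("dmclient", "s3cret", bootstrap)
    account = {"Name": "dmclient", "Secret": "s3cret", "Data": b64(bootstrap)}
    captured = client_cred(account)
    print("session 1:", run_session(account, server))                    # 212
    print("session 2:", run_session(account, server))                    # 212
    print("replay of session 1 Cred:", server.check_cred(captured)["Status"])  # 401
```

The replay at the end fails even though the secret is right, because the server rotated its nonce after accepting the first Cred. The same rotation is what makes the stored Data go stale when a session is interrupted; the client then gets a 401 carrying a NextNonce, stores it, and succeeds on the next attempt, which is the nonce resynchronisation the UseNonceResync setting refers to for notification authentication.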

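Worked example, in Python, of building and parsing an SSLClientCertSearchCriteria value according to the escaping rules above (name/value pairs joined by "&", "=" between name and value, U+F000 between multiple values, other non-unreserved characters percent-escaped). This is an added example and not code from this page; the function names are its own. The comma is left unescaped, following the page's own sample, and My\User is the only store value accepted, matched case-insensitively as the page describes.

```python
from urllib.parse import quote, unquote
from xml.sax.saxutils import quoteattr

# RFC 2396 "mark" characters (alphanumerics are never escaped by quote()).
# The page's own sample leaves "," unescaped, so it is treated as safe here too.
SAFE = "-_.!~*'(),"
VALUE_SEP = "\uf000"            # delimiter between multiple values of one name
SUPPORTED = ("Subject", "Stores")
VALID_STORE = "My\\User"         # the only store the page lists


def _check_store(store: str) -> str:
    if store.lower() != VALID_STORE.lower():
        raise ValueError(f"unsupported certificate store {store!r}")
    return VALID_STORE


def build_search_criteria(subject: str = None, stores: list = None) -> str:
    """Encode the criteria: each value is percent-escaped, multiple values of
    one name are joined with U+F000 (which quote() emits as %EF%80%80)."""
    pairs = []
    if subject:
        pairs.append(("Subject", [subject]))
    if stores:
        pairs.append(("Stores", [_check_store(s) or s for s in stores]))
    return "&".join(f"{name}={quote(VALUE_SEP.join(values), safe=SAFE)}"
                    for name, values in pairs)


def setting_element(criteria: str) -> str:
    """Wrap the criteria in the <Setting> element; quoteattr turns the "&"
    between pairs into &amp; so the XML attribute stays well-formed."""
    return f'<Setting Name="SSLClientCertSearchCriteria" Value={quoteattr(criteria)} />'


def parse_search_criteria(criteria: str) -> dict:
    """Decode a criteria string to {name: [values]}. Names the page does not
    support are ignored, and store names are canonicalised."""
    out = {}
    for part in criteria.split("&"):
        if not part:
            continue
        name, _, raw = part.partition("=")
        if name not in SUPPORTED:
            continue                     # e.g. Issuer=...: not supported, ignored
        values = [v for v in unquote(raw).split(VALUE_SEP) if v]
        if name == "Stores":
            values = [_check_store(v) for v in values]
        out[name] = values
    return out


if __name__ == "__main__":
    crit = build_search_criteria(subject="CN=Tester,O=Microsoft", stores=["My\\User"])
    print(crit)                          # Subject=CN%3DTester,O%3DMicrosoft&Stores=My%5CUser
    print(setting_element(crit))
    print(parse_search_criteria(crit))
```

Round-tripping the page's own sample through build_search_criteria and setting_element reproduces the Setting line shown above, with the "&" appearing as &amp; inside the attribute; parse_search_criteria drops unsupported names silently, mirroring the behaviour the page describes for the client.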
In addition, the following configuration may be needed:

  • Add any security policy settings that are needed for the network, as described in Security policy.

  • If the OMA DM server's SSL root certificate is not already in the phone's default root certificate store, you must add it as described in Adding certificates to the phone.

Related topics

OMA DM protocol support

Security policy

Adding certificates to the phone
