Hi all,
I have already developed the Windows Phone enrollment process as my fast-track
training project. Now I have to implement the phone management client part,
which periodically synchronizes with the management server to check for
updates and apply the latest policies set by IT, and the push notification
service. Below I briefly describe the project.

*Description*

Windows Phone's built-in management component can communicate with the
Management Server. There are two parts to the Windows Phone 8.1 management
component:

   - The enrollment client, which enrolls and configures the phone to
   communicate with the enterprise management server.
   - The phone management client, which periodically synchronizes with the
   management server to check for updates and apply the latest policies set by
   IT, and the push notification service.


*Enrollment Client*
Overview of the Windows mobile device enrollment process.
*Windows phone* - the company app (Workplace)
*Proxy*         - an Apache2 server configured as a proxy server
*WAB*           - Web Authentication Broker. Windows Phone 8.1 adds support
for Federated as an AuthPolicy value. When the authentication policy is set to
Federated, the Web Authentication Broker (WAB) is leveraged by the enrollment
client to get a security token.
*MDM*           - the third-party mobile device management server.


[image: MyWindows Phone.png]
      *Requirement Tasks*
      1. Configure the device environment so that the device can securely
communicate with the mobile management server.
      2. Provide configurable service and policy endpoints from the
Discovery web service.
      3. Generate a binary security token value for the specific user and
persist it.
      4. Persist device information and enroll the device.
            *Sub tasks*
            4.1: Handle the WSTEP endpoint's client response message.
            4.2: Check the SyncML message that comes from the device as a
response.
            4.3: Use the SyncML engine to generate SyncML payloads and parse
them.
            4.4: Authenticate SyncML messages.


      *Requirement Task 1:*
      Configure Apache2 as a proxy server.
      *Problem:*

   - Proxy configurations change according to the Apache server version and
   operating system.
   - Rewrite engine rules and reverse proxy rules are invoked separately.
   - Apache2 SSL configuration is essential for the discovery endpoint.

      *Solution:*
      A detailed description of the configuration is here:
<https://docs.google.com/document/d/1es2U5BPjmxWhjYw5ekULpkMCYS_TWf_FIPhyCsDdBJ4/edit>

      *Requirement Task 2:*
       *Problem*
       The mobile device client gets the Enrollment Policy URL and the
Enrollment Service URL from the Discovery service (line no. 4 in the diagram
above). The automatic discovery service constructs a URI that uses the host
name by prepending the sub-domain "EnterpriseEnrollment" to the domain of the
email address and appending the path "/EnrollmentServer/Discovery.svc". For
example, if the email address is "ad...@wso2.com", the resulting URI for the
first GET request would be:
       https://EnterpriseEnrollment.wso2.com/EnrollmentServer/Discovery.svc

      *Solution*
      Add a (domain) child element to the Windows plugin's properties.xml
file. A ServletContextListener initializes the domain value and sets it as a
servlet context attribute. The Discovery service reads the domain of the email
from that servlet context attribute.

      *Requirement Task 3:*
      *Problem*
      The opaque security token that is returned from the WAB (Web
Authentication Broker) as an end page is used by the enrollment client as the
device security secret during the client certificate enrollment request call.
The enrollment policy endpoint needs to provide the policy template after
authenticating the user by credentials, and the enrollment service endpoint
also needs to authenticate using the same binary security token.

      *Solution*
      The AuthBST service endpoint generates a binary security token for the
user using the Java UUID class. The UUID is generated using a
cryptographically strong pseudo-random number generator. That 128-bit value
is persisted in a cache, as it is a temporary token for enrollment.
      Cache entry: binary security token (key) | device identifier, user name
(cache entry value)

      *Enrollment Process Detail* in XCEP
      The security token credential is provided in a SOAP request message
header in XCEP to get the policy template.
      As soon as the request reaches XCEP, a CXF validator class extracts the
SOAP header values and authenticates the binary security token against the
persisted token.

      *Requirement Task 4*:
      Sub Task 4.1:
      *WSTEP Detail*: MS-WSTEP (WS-Trust X.509v3 Token Enrollment
Extensions) processes the request security token from the client. A
certificate signing request (CSR) is provided according to the XCEP policy
template. The service gets the request, updates it if needed, sends the
PKCS#10 request to the CA, processes the response from the CA, constructs an
OMA Client Provisioning XML document, and returns it in the
RequestSecurityTokenResponse (RSTR).

      *Authenticate user request*
     In WSTEP, the SOAP header contains the binary security token, as in the
XCEP request above. At that point I used the Apache CXF method to read the
SOAP header. The resulting list of Apache CXF Header objects contains the
Header XML child elements. It is easier to extract the BinarySecurityToken
child element under the Security parent element by using a DOM parser, and
then authenticate the user request.
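The token issue-and-check cycle described under Task 3 (AuthBST issues a UUID token and caches it against the device identifier and user name) and reused by the XCEP and WSTEP header validation above, as an added example that is not the project's own code. The SOAP 1.2 and WS-Security namespaces, the base64 EncodingType on the BinarySecurityToken, the time-to-live, and the sample envelope are all assumptions made for this illustration.

```python
"""Added example (not the project's code): issue a temporary binary security
token, persist it with the device identifier and user name, and validate the
token carried in the <wsse:Security> SOAP header of an XCEP/WSTEP request."""
import base64
import hmac
import time
import uuid
import xml.etree.ElementTree as ET

# Assumed namespaces: SOAP 1.2 envelope and the standard WS-Security 1.0 extension.
SOAP_NS = "http://www.w3.org/2003/05/soap-envelope"
WSSE_NS = ("http://docs.oasis-open.org/wss/2004/01/"
           "oasis-200401-wss-wssecurity-secext-1.0.xsd")
BASE64_ENCODING = WSSE_NS + "#base64binary"

TOKEN_TTL_SECONDS = 600  # assumed lifetime: the token is only a temporary enrollment secret


class TokenCache:
    """Cache entry: binary security token (key) -> (device identifier, user name)."""

    def __init__(self, ttl=TOKEN_TTL_SECONDS, clock=time.time):
        self._entries = {}
        self._ttl = ttl
        self._clock = clock

    def issue(self, device_id, username):
        # uuid4() draws from os.urandom, the same "cryptographically strong"
        # property the page relies on for java.util.UUID.randomUUID().
        token = str(uuid.uuid4())
        self._entries[token] = (device_id, username, self._clock() + self._ttl)
        return token

    def authenticate(self, presented):
        """Return (device_id, username) if the presented token is valid, else None."""
        if not presented:
            return None
        now = self._clock()
        for token, (device_id, username, expires) in list(self._entries.items()):
            if now >= expires:
                del self._entries[token]  # expired entries never authenticate
                continue
            # constant-time comparison so the lookup does not leak token bytes
            if hmac.compare_digest(token.encode(), presented.encode()):
                return device_id, username
        return None


def extract_binary_security_token(envelope_xml):
    """Read <wsse:BinarySecurityToken> under <wsse:Security> in the SOAP header.
    Returns the token text (base64-decoded when EncodingType says so) or None."""
    root = ET.fromstring(envelope_xml)
    header = root.find(f"{{{SOAP_NS}}}Header")
    if header is None:
        return None
    bst = header.find(f"{{{WSSE_NS}}}Security/{{{WSSE_NS}}}BinarySecurityToken")
    if bst is None or not bst.text or not bst.text.strip():
        return None
    text = bst.text.strip()
    if bst.get("EncodingType") == BASE64_ENCODING:
        return base64.b64decode(text).decode()
    return text


def authenticate_request(cache, envelope_xml):
    """Server side: pull the token out of the header and look it up in the cache."""
    return cache.authenticate(extract_binary_security_token(envelope_xml))


def build_sample_envelope(token_text):
    """Constructed sample request: the token travels base64-encoded in the header."""
    encoded = base64.b64encode(token_text.encode()).decode()
    return (f'<s:Envelope xmlns:s="{SOAP_NS}" xmlns:wsse="{WSSE_NS}">'
            "<s:Header><wsse:Security>"
            f'<wsse:BinarySecurityToken EncodingType="{BASE64_ENCODING}">'
            f"{encoded}</wsse:BinarySecurityToken>"
            "</wsse:Security></s:Header><s:Body/></s:Envelope>")


if __name__ == "__main__":
    cache = TokenCache()
    token = cache.issue("device-0001", "alice")          # AuthBST step
    request = build_sample_envelope(token)               # what the phone sends next
    print(authenticate_request(cache, request))          # ('device-0001', 'alice')
    print(authenticate_request(cache, build_sample_envelope("stale")))  # None
```

The cache is keyed by the token exactly as the page's cache entry describes; the lookup rejects unknown and expired tokens and uses a constant-time compare, which is the behaviour the XCEP validator and the WSTEP header check both need.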

      *Create Bootstrap XML file*
     The OMA DM (Open Mobile Alliance Device Management) specifications define
how a management session is established and maintained. However, in order for
a device to be able to initiate a management session, it must be provisioned
with OMA DM settings. Bootstrap is the process of provisioning the DM client
to a state where it is able to initiate a management session to a new DM
server. Bootstrap can move a device from an un-provisioned, empty state to a
state where it is able to initiate a management session to a DM server. DM
clients that have already been bootstrapped can be further bootstrapped to
enable the device to initiate a management session to new DM servers.

     The XML file should contain the root certificate, the user's signed
certificate, the device management client configuration, and an enterprise
application token together with an enterprise app download link to allow the
enrollment client to download a Company Hub or enterprise app at the end of
enrollment. The last item is optional. Both device and server must be
authenticated; those credentials are configured in the bootstrap file.

     Sub Task 4.2:
     *SyncML protocol*: An XML-based representation protocol for data
synchronization and device management. This link provides more details about
SyncML:
<http://wacha.ch/wiki/_media/projects:syncml_sync_protocol_v11_20020215.pdf>

    After WSTEP completes, the device sends the initial SyncML message to the
SyncML service endpoint provided in the bootstrap XML. There are two parts in
a SyncML message: SyncHdr and SyncBody. The first initial SyncML message
carries the client's credentials in the Cred tag of the SyncHdr.
    Example:
      <Cred>
        <Meta>
          <Format xmlns="syncml:metinf">b64</Format>
          <Type xmlns="syncml:metinf">syncml:auth-md5</Type>
        </Meta>
        <Data>Fy80ofqnfKLFLWD+rzm9tQ==</Data>
      </Cred>


    Note: Cred Data tag
    According to the OMA DM Security specification, the digest supplied in
the Cred element is computed as follows:
    Let H = the MD5 hashing function.
    Let Digest = the output of the MD5 hashing function.
    Let B64 = the base64 encoding function.
    Digest = H(B64(H(username:password)):nonce)
    These values are derived from the client credentials in the bootstrap
XML. The MDM server's SyncML service endpoint then authenticates the device
request. Task 3 is also completed at this point by identifying the specific
user from the persisted data.


    Sub Task 4.3:
    Re-implement the SyncML engine according to the SyncML message chain.



    Sub Task 4.4: Authenticate the device client using the Cred data, which is
calculated from the client credentials in the bootstrap XML file. The MDM
server responds to the device using the server credentials from the bootstrap
XML file.
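The syncml:auth-md5 computation from Sub Task 4.2 (Digest = H(B64(H(username:password)):nonce), sent base64-encoded in the Cred Data tag) and its use for mutual authentication in Sub Task 4.4, as an added example that is not the project's SyncML engine. The user name, password and nonce values are constructed sample data; the Cred element from the mail above is embedded only to show the parser handling it. The example treats the nonce as raw bytes, which is an assumption about how the engine decodes the NextNonce it issued.

```python
"""Added example (not the project's code): compute, emit, parse and verify the
OMA DM syncml:auth-md5 credential carried in the SyncML <Cred> element.
MD5 is used because that is the algorithm the OMA DM security spec names."""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

METINF_NS = "syncml:metinf"

# The Cred element quoted in the mail, kept here so the parser can be exercised on it.
CRED_FROM_MAIL = (
    '<Cred><Meta><Format xmlns="syncml:metinf">b64</Format>'
    '<Type xmlns="syncml:metinf">syncml:auth-md5</Type></Meta>'
    "<Data>Fy80ofqnfKLFLWD+rzm9tQ==</Data></Cred>"
)


def auth_md5_digest(username, password, nonce):
    """Digest = H(B64(H(username:password)):nonce), returned base64-encoded for <Data>.

    nonce is the raw nonce bytes (assumption: the engine base64-decodes the
    NextNonce it sent before feeding it to the hash)."""
    inner = hashlib.md5(f"{username}:{password}".encode()).digest()
    b64_inner = base64.b64encode(inner)
    digest = hashlib.md5(b64_inner + b":" + nonce).digest()
    return base64.b64encode(digest).decode()


def new_nonce(length=16):
    """Fresh server-chosen nonce for the next message (NextNonce carries it base64)."""
    return os.urandom(length)


def build_cred(username, password, nonce):
    """Emit the <Cred> element as the client places it in SyncHdr."""
    cred = ET.Element("Cred")
    meta = ET.SubElement(cred, "Meta")
    ET.SubElement(meta, f"{{{METINF_NS}}}Format").text = "b64"
    ET.SubElement(meta, f"{{{METINF_NS}}}Type").text = "syncml:auth-md5"
    ET.SubElement(cred, "Data").text = auth_md5_digest(username, password, nonce)
    return ET.tostring(cred, encoding="unicode")


def parse_cred(cred_xml):
    """Return (format, type, data) from a <Cred> element; missing parts come back as None."""
    cred = ET.fromstring(cred_xml)
    fmt = cred.findtext(f"Meta/{{{METINF_NS}}}Format")
    typ = cred.findtext(f"Meta/{{{METINF_NS}}}Type")
    data = cred.findtext("Data")
    return fmt, typ, data


def verify_cred(cred_xml, username, password, nonce):
    """Receiver side: recompute the digest from the bootstrap credentials and
    compare in constant time.  Any Format/Type other than b64 + auth-md5 is rejected."""
    fmt, typ, data = parse_cred(cred_xml)
    if fmt != "b64" or typ != "syncml:auth-md5" or not data:
        return False
    expected = auth_md5_digest(username, password, nonce)
    return hmac.compare_digest(expected.encode(), data.strip().encode())


if __name__ == "__main__":
    # Constructed bootstrap credentials: one pair for the client, one for the server.
    client_user, client_pass = "device-0001", "client-secret-from-bootstrap"
    server_user, server_pass = "mdm-server", "server-secret-from-bootstrap"

    # 4.2 / 4.4 client side: the phone proves itself against the server's nonce.
    server_nonce = new_nonce()
    client_cred = build_cred(client_user, client_pass, server_nonce)
    print("client accepted:", verify_cred(client_cred, client_user, client_pass, server_nonce))

    # 4.4 server side: the server answers with its own credential against the client's nonce.
    client_nonce = new_nonce()
    server_cred = build_cred(server_user, server_pass, client_nonce)
    print("server accepted:", verify_cred(server_cred, server_user, server_pass, client_nonce))
    print("mail sample parses as:", parse_cred(CRED_FROM_MAIL))
```

Both directions of Sub Task 4.4 use the same function with the roles swapped: each side verifies against the credentials it holds for the other side from the bootstrap XML and the nonce it issued itself, so a replayed Cred fails as soon as the nonce changes.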


    For more details see
<https://docs.google.com/document/d/1tyI2K_uzMq8cvrU8OhReRXKYg2fr0hEVqgm437nYt6E/edit>

-- 
*Hasunie Adikari*
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
blog http://hasuniea.blogspot.com
Mobile:+94715139495
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture