Hi all,

I have already developed the Windows Phone enrollment process as my fast track training project, and now I have to implement the phone management client part, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT, and the push notification service. Below I briefly describe the project.
*Description*

Windows Phone's built-in management component can communicate with the Management Server. There are two parts to the Windows Phone 8.1 management component:
- The enrollment client, which enrolls and configures the phone to communicate with the enterprise management server.
- The phone management client, which periodically synchronizes with the management server to check for updates and apply the latest policies set by IT, and the push notification service.

*Enrollment Client*

Overview of the Windows mobile device enrollment process.

*Windows phone* - there is a company app (Workplace).
*Proxy* - Apache2 server configured as a proxy server.
*WAB* - Web Authentication Broker. Windows Phone 8.1 adds support for Federated as a supported AuthPolicy value. When the authentication policy is set to Federated, the Web Authentication Broker (WAB) will be leveraged by the enrollment client to get a security token.
*MDM* - Mobile device management third-party server.

[image: MyWindows Phone.png]

*Requirement Tasks*
1. Configure the device environment so that the device can securely communicate with the mobile management server.
2. Provide configurable service and policy endpoints from the Discovery web service.
3. Generate a binary security token value for the specific user and persist it.
4. Persist device information and enroll the device.

*Sub tasks*
4.1: Handle the WSTEP endpoint's client response message.
4.2: Check the SyncML message that comes from the device as a response.
4.3: Use the SyncML engine to generate SyncML payloads and parse them.
4.4: Authenticate SyncML messages.

*Requirement Task 1:* Configure Apache2 as a proxy server.

*Problem:*
- Proxy configurations change according to the Apache server version and operating system.
- Rewrite engine rules and reverse proxy rules are invoked separately.
- Apache2 SSL configuration is essential for the discovery endpoint.
*Solution:* Detailed description of the configuration: click here <https://docs.google.com/document/d/1es2U5BPjmxWhjYw5ekULpkMCYS_TWf_FIPhyCsDdBJ4/edit>

*Requirement Task 2:*

*Problem* The mobile device client gets the enrollment policy URL and the enrollment service URL from the Discovery service (line no. 4 in the diagram above). The automatic discovery service constructs a URI that uses this host name by appending the subdomain "EnterpriseEnrollment" to the domain of the email address, and by appending the path "/EnrollmentServer/Discovery.svc". For example, if the email address is "ad...@wso2.com", the resulting URI for the first GET request would be: https://EnterpriseEnrollment.wso2.com/EnrollmentServer/Discovery.svc

*Solution* Add a (domain) child element to the Windows plugin properties.xml file. A ServletContextListener initializes the domain value and sets it as a servlet context attribute. The Discovery service gets the domain of the email using the servlet context attribute.

*Requirement Task 3:*

*Problem* The opaque security token that is returned from WAB (Web Authentication Broker) as an end page will be used by the enrollment client as the device security secret during the client certificate enrollment request call. The enrollment policy endpoint needs to provide the policy template after authenticating the user by credentials, and the enrollment service endpoint also needs to authenticate using the same binary security token.

*Solution* The AuthBST service endpoint generates a binary security token for the user using the Java UUID class. The UUID is generated using a cryptographically strong pseudo-random number generator. That 128-bit value is persisted in the cache, as it is a temporary token for enrollment.

Cache entry: binary security token (key) | device identifier, username (cache entry value)

*Enrollment Process Detail*

In XCEP, the security token credential is provided in a SOAP request message header to get the policy template.
Just after coming to XCEP, the CXF validator class extracts the SOAP header values and authenticates the binary security token against the persisted token.

*Requirement Task 4*:

Sub Task 4.1:

*WSTEP Detail*: MS-WSTEP (WS-Trust X.509v3 Token Enrollment Extensions) processes the request security token from the client. The certificate signing request (CSR) is provided according to the XCEP policy template. The service gets the request and updates it if needed, sends the PKCS#10 request to the CA, processes the response from the CA, constructs an OMA Client Provisioning XML format, and returns it in the RequestSecurityTokenResponse (RSTR).

*Authenticate user request* In WSTEP, the SOAP header contains the binary security token, as in the XCEP request above. At that point I used the Apache CXF method to read the SOAP header. The resulting list of Apache CXF Header objects contains the header XML child elements. It is easier to extract the binary security token child element under the parent Security element by using a DOM parser, and then authenticate the user request.

*Create Bootstrap XML file* The OMA DM (Open Mobile Alliance Device Management) specifications define how a management session is established and maintained. However, in order for a device to be able to initiate a management session it must be provisioned with OMA DM settings. Bootstrap is the process of provisioning the DM client to a state where it is able to initiate a management session to a new DM server. Bootstrap can move a device from an un-provisioned, empty state to a state where it is able to initiate a management session to a DM server. DM clients that have already been bootstrapped can be further bootstrapped to enable the device to initiate a management session to new DM servers.
The XML file should contain the root certificate, the user signed certificate, the device management client configuration, and an enterprise application token and an enterprise app download link to allow the enrollment client to download a Company Hub or enterprise app at the end of enrollment. The last item is optional. Both device and server must be authenticated; those credentials are configured in the bootstrap file.

Sub Task 4.2:

*SyncML protocol*: An XML-based representation protocol for data synchronization and device management. This link provides more details about SyncML: click here <http://wacha.ch/wiki/_media/projects:syncml_sync_protocol_v11_20020215.pdf>

After WSTEP has completed, the device sends the initial SyncML message to the SyncML service endpoint which is provided in the bootstrap XML. There are two parts in the SyncML message: SyncHeader and SyncBody. The first initial SyncML message contains the client's credentials in the Cred tag in the SyncHeader.

Example:

  <Cred>
    <Meta>
      <Format xmlns="syncml:metinf">b64</Format>
      <Type xmlns="syncml:metinf">syncml:auth-md5</Type>
    </Meta>
    <Data>Fy80ofqnfKLFLWD+rzm9tQ==</Data>
  </Cred>

Search note: Cred Data tag. According to the OMA DM Security specification, the digest supplied in the Cred element is computed as follows:

  Let H = the MD5 hashing function.
  Let Digest = the output of the MD5 hashing function.
  Let B64 = the base64 encoding function.
  Digest = H(B64(H(username:password)):nonce)

This data is related to the client credentials of the bootstrap XML. Then the MDM server SyncML service endpoint authenticates the device request. Task 3 is also completed by identifying the specific user from the persisted data.

Sub Task 4.3: Re-implement the SyncML engine according to the SyncML message chain.

Sub Task 4.4: Authenticate the device client using the Cred data, which is calculated using the client credentials in the bootstrap XML file. The MDM server responds to the device using the server credentials in the bootstrap XML file.
For more details, click here <https://docs.google.com/document/d/1tyI2K_uzMq8cvrU8OhReRXKYg2fr0hEVqgm437nYt6E/edit>

--
*Hasunie Adikari*
Software Engineer
WSO2 Inc.; http://wso2.com
lean.enterprise.middleware
blog http://hasuniea.blogspot.com
Mobile: +94715139495
_______________________________________________ Architecture mailing list Architecture@wso2.org https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture
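The two derivations the post describes, the Discovery URI built from the e-mail domain (Requirement Task 2) and the syncml:auth-md5 Cred digest with its server-side check (Sub tasks 4.2 and 4.4), worked through as an added Python example. This is not code from the original post or from the WSO2 project. The SyncHdr element layout, the SYNCML:SYNCML1.2 namespace, the user name, password and nonce values are assumptions; the nonce is taken as the raw bytes the server issued (which travel base64-encoded in NextNonce on the wire).

```python
"""Added example (not the author's or WSO2's code): Discovery URI derivation
and the OMA DM syncml:auth-md5 Cred digest, computed and verified.

Assumptions not in the original post: SyncHdr element names, the
SYNCML:SYNCML1.2 namespace, and the constructed credentials and nonce below.
"""
import base64
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET


def discovery_uri(email: str) -> str:
    """Task 2: prepend the EnterpriseEnrollment subdomain to the e-mail domain
    and append the fixed Discovery.svc path."""
    local, at, domain = email.rpartition("@")
    if not (local and at and domain):
        raise ValueError("not an e-mail address: %r" % email)
    return "https://EnterpriseEnrollment.%s/EnrollmentServer/Discovery.svc" % domain


def oma_dm_md5_digest(username: str, password: str, nonce: bytes) -> str:
    """Digest = H(B64(H(username:password)):nonce), as the post quotes from the
    OMA DM Security spec; returned base64-encoded because Format is b64.
    The nonce is assumed to be the raw bytes the server issued."""
    inner = base64.b64encode(
        hashlib.md5(("%s:%s" % (username, password)).encode("utf-8")).digest())
    digest = hashlib.md5(inner + b":" + nonce).digest()
    return base64.b64encode(digest).decode("ascii")


def new_nonce(nbytes: int = 16) -> bytes:
    """Server nonce for the next message (sent back base64 in Chal/NextNonce).
    Fresh per message, so a captured Cred digest cannot be replayed."""
    return os.urandom(nbytes)


def _find(elem, local_name):
    """Namespace-agnostic lookup: SyncML and metinf elements sit in different
    default namespaces, so match on the local part of the tag only."""
    for child in elem.iter():
        if child.tag.rsplit("}", 1)[-1] == local_name:
            return child
    return None


def cred_element(digest_b64: str) -> str:
    """Cred element in the shape shown in the post. The server answers the
    device with the same shape computed from its own credentials (Sub task 4.4)."""
    return ("<Cred><Meta>"
            '<Format xmlns="syncml:metinf">b64</Format>'
            '<Type xmlns="syncml:metinf">syncml:auth-md5</Type>'
            "</Meta><Data>%s</Data></Cred>" % digest_b64)


def verify_cred(synchdr_xml: str, username: str, password: str, nonce: bytes) -> bool:
    """Server side of Sub task 4.4: recompute the digest from the stored
    bootstrap credentials and the nonce we issued; compare in constant time."""
    try:
        root = ET.fromstring(synchdr_xml)
    except ET.ParseError:
        return False
    cred = _find(root, "Cred")
    if cred is None:
        return False
    typ, fmt, data = _find(cred, "Type"), _find(cred, "Format"), _find(cred, "Data")
    if typ is None or (typ.text or "").strip() != "syncml:auth-md5":
        return False                       # only auth-md5 is handled here
    if fmt is not None and (fmt.text or "").strip() != "b64":
        return False
    if data is None or not (data.text or "").strip():
        return False
    expected = oma_dm_md5_digest(username, password, nonce)
    return hmac.compare_digest(expected.encode("utf-8"),
                               data.text.strip().encode("utf-8"))


# Constructed sample (not a real capture): a SyncHdr carrying the client Cred.
CLIENT_USER, CLIENT_PASS = "dm-client-01", "bootstrap-secret"   # from the bootstrap XML
SERVER_NONCE = b"0123456789abcdef"                               # nonce the server issued

SAMPLE_SYNCHDR = (
    '<SyncHdr xmlns="SYNCML:SYNCML1.2">'
    "<VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>"
    "<SessionID>1</SessionID><MsgID>1</MsgID>"
    "<Target><LocURI>https://mdm.example.com/syncml</LocURI></Target>"
    "<Source><LocURI>urn:uuid:device-01</LocURI></Source>"
    + cred_element(oma_dm_md5_digest(CLIENT_USER, CLIENT_PASS, SERVER_NONCE))
    + "</SyncHdr>"
)

if __name__ == "__main__":
    print(discovery_uri("someone@example.com"))
    print("client cred ok:", verify_cred(SAMPLE_SYNCHDR, CLIENT_USER, CLIENT_PASS, SERVER_NONCE))
    print("wrong password:", verify_cred(SAMPLE_SYNCHDR, CLIENT_USER, "guess", SERVER_NONCE))
    print("stale nonce:   ", verify_cred(SAMPLE_SYNCHDR, CLIENT_USER, CLIENT_PASS, new_nonce()))
```

The check binds the digest to the nonce the server handed out, so the same Cred value cannot be replayed into a later session; the server must therefore store the nonce it issued per device and rotate it with every message. MD5 is what the syncml:auth-md5 type prescribes, which is why the bootstrap exchange and the SyncML endpoint itself must run over TLS rather than relying on this digest alone.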