Regular readers of this blog, (although I don’t rank on the Google 500 index I believe there are at least some people out there feeding off my rss), may be tempted to believe I’m playing my records on repeat when I bring up even more OMA, and yet again mentioning Windows Mobile in the same sentence. But previously I’ve only briefly mentioned some of the challenges involved. This time I thought I’d try and tackle some of these challenges. Maybe even solve a few 
Ok, quick recap. OMA CP can be used to configure devices by sending SMS messages to them. But a lot of people have been struggling getting this to work on Windows Mobile. And since OMA CP is often used for setting up an OMA DM relationship that hasn’t really taken off on WM either. (Which does make it extra interesting that a product like System Center Mobile Device Manager from Microsoft uses OMA DM as it’s MDM engine.)
Read previous posts for more background info:
http://mobilitydojo.net/2008/10/10/whats-this-oma-dm-thingy-all-about/
http://mobilitydojo.net/2009/05/07/oma-dm-one-step-at-a-time/
So, with all the wonderful MDM platforms out there why spend time over this particular feature? Well, while I’ve previously explained why I don’t consider SMS messages a good method for continous MDM I do see how it might help in a couple of very specific scenarios:
- Initial client deployment
- Remote wipe
- Out-of-band communications channel for when you want to send credentials or something in separate channels.
I’d like to get one particular disclaimer out of the way first; I’m testing on Windows Mobile 6.1. I know that things are different of Windows Mobile 5.0, and possibly things described here will not work on those devices. WM 6.0 is similar to 6.1, and identical on many levels, but I’m not making any guarantees. WM 6.5? Haven’t tested it yet. I tested the HTC X7510 and HTC Touch Diamond 2 so it’s not a large sample pool I’ve tested with. (Lesson to take away – don’t trust anything until you have tested it on your particular device.)
This complexity has helped build a common misconception that OMA CP and OMA DM doesn’t work on Windows Mobile at all, and that MSFT are trying hard not to follow standards. And you’ll often observe that when seeing those annoying ring tone commercials they’ll list a plethora of different devices that are supported, but Windows Mobile is usually absent from that list. (OMA CP are often the basis for triggering download of content.) But at the same time you find references to OMA CP all over the MSDN documentation regarding the Configuration Service Providers. What gives?
Since Windows Mobile was designed primarily with the enterprise market in sight security was not an afterthought. Trust is a major concern in different aspects of the OS. You cannot install an unsigned application without being prompted that you acknowledge the installation. With a two-tier lock level on the device you may not even be able to install unsigned apps at all. If you want to synchronize with an Exchange server using SSL you need to trust the issuer of the SSL certificate. It kind of follows that bytes received from the Internet are not necessarily considered trustworthy either. So when receiving binary SMS messages containing configuration the device pays special attention to these (as opposed to a regular text message). If I send off random configuration messages to random devices these should not consider me trusted under most circumstances. In a very sane manner the logic states that to be able to perform configurations you must be trusted by the device. Who gets to define this trust, you say in a paranoid manner?
Nokia devices (and a whole lot of other manufacturers too of course) are simple in the sense that if you buy a Nokia it is a Nokia. With a Windows Mobile device the logo might say HTC, or Samsung, or xyz. And an HTC device might be branded to an operator like Orange, T-Mobile, etc in addition to the “straight” HTC models. Microsoft didn’t want to go into the hardware business with Windows Mobile, and that’s ok, but in the process they left a couple of implementation details to other players, while providing the overall design and guidelines from Redmond. At this point the concept of security roles, and security policies comes into play. Depending on what the policy definitions say on the device, different roles get to perform different things to my device.
For a primer on the security roles you should skim through:
http://msdn.microsoft.com/en-us/library/bb416273.aspx
And the relevant security policies:
http://msdn.microsoft.com/en-us/library/bb737247.aspx
(The interesting policies being: 4104, 4105, 4108, 4109, 4110, 4111, 4113, 4121, 4124, 4132, 4141, 4142 & 4143)
Now, this all makes sense. If I initiate something on the device it’s trusted. If I initiate something on the server side it may or may not be trusted. Orange devices have been “tampered with” so that the software certificate of Orange is preinstalled on the device. The SMSC of Orange is defined as a Trusted Provisioning Server. Pretty much all Qtek devices I saw in the European markets had Brightpoint and Dangaard root certs preinstalled. (Editor’s note: this would be the distributor of the non-operator branded devices.) Which means that whoever made the device available for me as a consumer had all the necessary rights to do whatever they want to my device. Which is nice. For them that is. Different models, and ROM builds, may have different settings. MSFT provides some default values, but the OEM is free to change the defaults. As a reference this is a registry snapshot of the emulator:
HKLM\SECURITY\Policies\Policies
(Values in hex, convert to decimal to line up with the SecurityPolicy DDF on MSDN.)
So how do I get the server initiated config to be trusted when I am not in a position where I get to decide the contens of the OS ROM? (I accept that MobilityDojo.net being a one-man operation does not have that power yet.) Finally we are getting to the point of the matter.
There’s disabling trust checking as much as possible on the device. I don’t know if all the checks can be disabled though. It would require you to touch the devices too, so while you’re at it you would probably be better off just enabling the trust relationship. And if you have access to touch every device before the user gets it there’s really not many limits to what you can do. But we want “zero touch deployments”.
A better solution would probably be to send the trust request in the first OMA CP message, have the user accept it interactively, and then you should be able to do your stuff. Let’s try that approach. A quick copy-paste from MSDN (msdn.microsoft.com/en-us/library/ms889523.aspx), and a minor adaptation, and we end up with the following xml:
<?xml version="1.0"?> <!DOCTYPE wap-provisioningdoc PUBLIC "-//WAPFORUM//DTD PROV 1.0//EN" "http://www.wapforum.org/DTD/prov.dtd"> <wap-provisioningdoc> <characteristic type="BOOTSTRAP"> <parm name="PROVURL" value="http://www.mobilitydojo.net/TPS" /> </characteristic> <characteristic type="PXLOGICAL"> <parm name="NAME" value="WAP Push Gateway"/> <parm name="PROXY-ID" value="10.10.10.10"/> <parm name="TRUST"/> <characteristic type="PXPHYSICAL"> <parm name="PHYSICAL-PROXY-ID" value="Push Gateway 1"/> <!-- The push gateway's SMS address --> <parm name="PXADDR" value="1234"/> <parm name="PXADDRTYPE" value="E164"/> <parm name="PUSHENABLED" value="1"/> <parm name="TO-NAPID" value="SMS NAP"/> </characteristic> </characteristic> <characteristic type="NAPDEF"> <parm name="NAPID" value="SMS NAP"/> <parm name="NAME" value="SMS Connection"/> <parm name="NAP-ADDRESS" value="1234"/> <parm name="BEARER" value="GSM-SMS"/> </characteristic> </wap-provisioningdoc>
A couple of pointers:
Type whatever you like in the dns name. (Apparently this does not matter as long as you’re only doing pushing from the server. If the device is to connect back to fetch data it probably would matter.)
The phone number is whatever you define as the from address in your Kannel. So once you bootstrap a device you should stick to the same phone number. It does not have to be an actual phone number, and the fictitious “1234″ above should work.
To test the procedure I sent out the following xml to disable WLAN (this one also requiring the user to accept it just be sure while testing):
<wap-provisioningdoc> <characteristic type="NetworkPolicy"> <characteristic type="WiFi"> <characteristic type="Settings"> <parm name="Disabled" value="1"/> </characteristic> </characteristic> </characteristic> </wap-provisioningdoc>
Hey, ho, that works!
Here’s a few screenshots showing it device side:
Accepting the message.
You’ll get a message in the SMS inbox saying that the config was applied.
Oh, yeah, maybe I should add a few lines regarding what I’m doing in Kannel as well. OMA CP for Windows Mobile works much the same way as for the Nokia I used for my previous test runs. Do an HTTP GET against http:/kannel:13000/sendota?etc. I use “userpin” for authentication here. You cannot bootstrap without a security mechanism. What’s the difference between userpin and networkpin you say? (If you’ve read some of the MSDN links content that is.) Userpin is a code you define, and the user has knowledge of. For instance the user is provided with the pin 1234 in a separate text message sent first, or provided on a self service portal. The network pin is not readily available as this is the IMSI of the SIM card (on GSM devices, on CDMA it’s the ESN). The IMSI can be acquired programatically, but that’s usually the only way you’re going to get it. Most SIM cards have a long number printed on them, and while that is an identifying number it is usually not the IMSI. If you are the mobile operator you can do a database lookup inputing either the phone number or the IMEI of the device, but for some reason the mobile operators usually don’t expose an API for this to the general public
The bonus of the network PIN is that it will let you do further actions silently, and without user interaction. (I had some problems with this. I managed to get the device to accept the message without prompting the user, but for some reason it wouldn’t accept the settings. Haven’t looked further into why this isn’t working.)
With OMA CP in place you should probably be able to bootstrap the OMA DM server too. Haven’t tested it yet though. Let me know if it’s of interest – I have no idea if these Kannel related articles are playing to an audience of more than a few geeks with similar niche interests
Brilliant! I’m sure there is a lot of people who will find this life-saving at some point.
I really liked your how-to’s to setup kannel! Setting up the Kannel server on WinXP (already done it with debian, but the usb drivers for my gsm modem arent good) was easy and sending sms works flawless!
) but all devices only receive a normal sms with text: “The content of that message cannot be displayed..” – no userpin or anything else is coming up
But now I’m stuck at the OMA CP for Windows Mobile. Ive tested several devices (HTC Diamond 2, Diamond 1, Elf even some chinese fakes
Do you have any advice for me?
I’m using Kannel 1.4.3, no openssl on cygwin installed, no errors in the box logs. Tried to deactivate the security checks for WAP OMA in the registry of the devices – no luck. played around with different xml files (im always sending via HTTP GET, XML String converted to UTF-8 URL)
thanks in advance,
stephan
I saw two problems that might be relevant to your scenario.
1. Kannel 1.4.3 uses UTF-8 instead of ISO-8859. You using UTF-8 is correct, but I had problems getting the encoding right. I ended up using Kannel 1.4.1
2. I could never get things to work without OpenSSL. SSL isn’t used for plain OMA CP, so I don’t know why it’s required, but it did make a difference.
While I can’t guarantee it’s the cause of your issues, it could be worth a try
Thank You! It worked!
Only three more dll files are needed in the sms-gw folder (for the SSL), but everyone should easily manage that when getting the “Missing File” error
Again, Thank You for the very good tutorials, keep up the good work! Now I’m going to enjoy some more of your Articles
Hi, just wanted to give you some Notes to my current Kannel Installation.
After getting Kannel to work under Win XP + cygwin, I ran into some troubles. After ~ 5 Minutes the sms- & wapbox was killed with some strange Error. Ive figured out the Problem comes from cygwin itself (looks like the C Compiler is generating some Bugs).
Now everything works fine with a Debian 5 Installation and Kannel 1.4.3 + OpenSSL. Just use “./configure –enable-ssl” while compiling Kannel and follow the instructions of Andreas’ Tutorial
And now it doesnt matter if you use UTF-8 or ISO-8859-1 Encoding, aslong as you set the charset you want (I use a small HTML-Form to generate the URL)
Now Kannel is running flawless and I’m ready to do some Provisioning with 400 Devices.
Ive been working on a similar solution to OTA provisioning of handsets without any interaction from the end user.
Your guide is invaluable for this – but I have the same problem when signing the XML with the netwpin – the settings are not stored.
Did you find a way around this?
Moz
Great that you are up and running with Kannel, Stephan
I have run into the same issue myself running Kannel on XP. Didn’t see it running Kannel on a Windows Server box as a service though so it could be a combination of Kannel and the OS causing the crash.
But apparently there is a fix/workaround. (I got the solution from my friend David Creedy – I didn’t figure it out myself.)
You need to edit a file – gateway-1.4.1\gwlib\thread.c
Comment out the following lines:
if (mutex->owner == gwthread_self())
panic(0, “%s:%ld: %s: Managed to lock the mutex twice! (Called from %s:%ld:%s.)”, \
__FILE__, (long) __LINE__, __func__, file, (long) line, func);
Moz, I didn’t pursue the matter further regarding use of the network PIN.
Mostly due to the fact that the IMSI has limited value for most people – you either need access to the data from an operator, or some other means of acquiring the number. For instance through an MDM solution, but if you’ve got MDM in place you’ve sort of provisioned them already.
That being said, if I were to investigate further I would take a closer look at the security policies referenced above. Even if the device accepts OTA it might have restrictions regarding network pin messages. Go over all the security settings in the registry on your test device, and see what you can find
Hi there Andreas,
First, thanks for all your posts, they are really helpful as there are not too much sources on Device Management.
I wanted to ask you, Do you know of any way to provisioning a DM Server that will be reachable trough Wifi ? (I know, sounds strange, no matter why I want it, just want to know if you came up with sth).
Right now I had no luck, in fact I think its not possible (at least on WM devices), I read on http://msdn.microsoft.com/en-us/library/aa455984.aspx that only GSM-CSD and GSM-GPRS (apart from GSM-SMS, on my understanding) are supported bearers.
What I tried till now is to deploy a CPF file with a WAP provisioning XML with some tests, but of course none work.
*****
On the other hand, could you please point me to an SMS service I could use for sending WBXML and WAP Push msgs ? I mean, I can run up a Kannel, but I need someone to provide me with the real SMS sending thing (no gsm-router wanted..).
I´ll appreciate any light you could bring over these subjects, thanks in advance man!
jrub
You’re right – it is a strange scenario to want to be able to do OMA DM via WLAN
I haven’t tested this, so I can’t say for sure, but I think I would have to agree with MSDN as far as the initial bootstrapping goes. The bootstrapping is intended to be done via SMS if it is initiated server side, and this has to do with security and authentication purposes.
You can do a bootstrap from the client side over a generic data connection because this means you are running in a different security context. Similarly when the device has been bootstrapped the actual OMA DM traffic can be run over a generic data connection. (It will be bound to one data connection though probably, so you’ll have to define this in the bootstrap.)
I don’t know if there is a specific reason you want to use OMA DM in your scenario, but as far as Windows Mobile goes maybe some other solution is more suited for your use. (Depending on budget and needs of course.)
While I am happy with the SMS provider I use, (a Norwegian one), I have not done any “benchmarks” comparing providers. NowSMS is a fairly known international provider, and Sybase365 claims to be the world leader. Both should be able to provide what you need. Your local mobile operator may also have a service offering.
Hi there, Firstly thanks for this post! It has proven very usefull. One question thou… is it possible to completely disable OMA CP on a WinMo 6.1 Pro device? I ask because I have manage to get OMA CP working just fine on any WinMo 6.1 Pro device, however, when specifically trying on a Motorola MC75 it simply doesn’t work. The device simply does nothing, no notification, no PIN verification, nothing.
I am not aware of a method for completely disabling OMA CP as it is a part of the OS. (Devices running WinCE are different – it is more modular so you can leave out specific features.) It is however possible to lock down OMA CP so tight it will feel like it’s disabled
On WM 5 the devices were often locked down so they would only accept OMA CP from trusted sources, meaning the mobile operator on a branded device. On unbranded devices you would often not have a way to do it out-of-the-box. If you can modify the security settings on the device, either by cradling them to pcs, or building custom extended ROMs you can open up OMA CP – either for a specific trust relationship you define or “open for all”. (You should of course still implement a PIN for accepting the message, or network PIN if you have the necessary infrastructure for silent provisioning.) This has the obvious drawback of having to touch all the devices before giving them to the users, and if you don’t burn it into ROM it will be gone if the user hard resets the devices.