Understanding Windows 8.1 MDM

Windows 8.1 has gone gold, or RTM as the more official term is, and while GA is a month away it has at least become available through TechNet and MSDN. The whole Start-button debacle has possibly garnered most of the attention even if Microsoft is trying to focus primarily on other features of the upgrade. A new feature that hasn’t really been talked about a lot is the inclusion of Mobile Device Management (MDM).

Granted, most consumers don’t care about MDM, so I can understand that. But some of us care, and I’m one of them 🙂

About six months ago I covered MDM in Windows Phone 8:
http://mobilitydojo.net/2013/03/31/understanding-windows-phone-8-mdm/

You might want to skim through that article as most of the things there apply to Windows 8.1 as well. The underlying protocol is OMA DM here as well, and the enrollment part of it is basically the same. There are a couple of differences to be aware of though, so I thought I’d walk through a couple of those.

Now some of you might be wondering where MDM fits into the picture, since we’ve had management of Windows clients for a long time, both with System Center Configuration Manager as a first-party product (and SMS before that) and with third-party products like Sybase Afaria and a dozen others. If you have invested in an SCCM infrastructure I don’t suggest you throw that out just because MDM has arrived on the scene; it will still work with Windows 8.1. The purpose of supporting OMA DM is to solve bring-your-own-device scenarios. If the employee owns the device and it’s not joined to your domain, SCCM isn’t necessarily the weapon of choice.

MDM support in Windows 8.1 solves the scenarios where the device needs to be managed, but in a non-intrusive and "scaled-down" version. Sure, that means less support for advanced scenarios, but it wasn’t designed for that either.

As I said there are some differences between the enrollment server for Windows Phone 8 and Windows 8.1, but most of those are details like how the SOAP messages and XML passed back and forth look. Do note that while Windows Phone 8 will let you run through the process with a certificate issued by a non-trusted root CA, that is not the case for the 8.1 agent: the certificate on the enrollment server must chain to a root the device already trusts. (You can of course install the root CA cert quite easily so it’s less of an issue, but the agent will not prompt you during the enrollment process to accept an untrusted root; enrollment just fails.) I’d recommend getting a certificate from a trusted root for both device types, but often when I’m doing development I’m using my own CA or going with self-signed if I can get away with it.

For Windows Phone it is recommended to keep the server at the FQDN specified by autodiscovery, and if you use some other address you will get to enter the correct address manually. For Windows 8.1 you need the specific DNS entry present: it will not prompt you to provide a different address and will simply fail if DNS is not configured to its liking. (You do have the option of editing your hosts file for dev purposes, which isn’t an option on the phone.)

The authentication part is also different as it’s browser-based, and you can do things like passive federation, signing in with Google/Facebook/whatnot whereas the phone enrollment does not allow for such scenarios.

These details are not deal-breakers if you’ve got an enrollment server developed already, but it does mean you can’t use your existing enrollment server without some minor tweaks.

Anyhow, an actual enrollment looks like this:
Locate the "Network"-tab in "PC Settings". (The touch-oriented settings app that sits alongside the classic Control Panel.)
[Screenshot: W8_MDM_01]

Go to the "Workplace"-tab and type in your email address, before hitting "Turn on".
[Screenshot: W8_MDM_02]

The email address will be used to compose the FQDN where an enrollment server is expected to be found. (So "andreas@contoso.com" as the email address means there must be something listening at https://enterpriseenrollment.contoso.com.) The "Join"-button refers to the Workplace Join feature I touched on here:
http://mobilitydojo.net/2013/08/30/windows-server-2012-r2-workplace-join-from-mobile-devices/
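The two things the 8.1 agent is strict about (the derived name must resolve in DNS, and the certificate on port 443 must chain to a root the client already trusts) can be checked from any machine before you touch PC Settings. The following pre-flight check is an added Python example, not code from the original post: the enterpriseenrollment.<domain> derivation and the trusted-root requirement come from the post, while the optional cafile parameter (to emulate having installed your own lab root on the client) and the choice to stop at the TLS handshake, since the post does not spell out the discovery path, are assumptions of the example.

```python
"""Pre-flight check for Windows 8.1 MDM enrollment (added example, not from the post).

Reproduces what the 8.1 agent insists on before it talks to an enrollment server:
enterpriseenrollment.<domain>, derived from the email address typed into PC
Settings, must resolve in DNS, and the certificate served on port 443 must chain
to a trusted root (the agent never prompts to accept an untrusted one).
Standard library only.
"""
import socket
import ssl

DISCOVERY_PREFIX = "enterpriseenrollment"


def discovery_host(email):
    """'andreas@contoso.com' -> 'enterpriseenrollment.contoso.com'."""
    local, sep, domain = email.strip().partition("@")
    if not sep or not local or not domain or "@" in domain or "." not in domain:
        raise ValueError("not a user@domain address: %r" % email)
    return "%s.%s" % (DISCOVERY_PREFIX, domain.lower())


def check_discovery_endpoint(email, port=443, timeout=5.0, cafile=None):
    """Return a dict saying whether the discovery host would satisfy the agent.

    cafile (assumption of this example): extra PEM bundle to trust alongside the
    system store, i.e. the lab CA whose root you installed on the client.
    Nothing here goes on the network until the email has been validated.
    """
    result = {"host": None, "dns": None, "tls": None, "subject": None, "errors": []}
    try:
        host = discovery_host(email)
    except ValueError as exc:
        result["errors"].append(str(exc))
        return result
    result["host"] = host

    # 1. DNS: the 8.1 agent fails outright if this name does not resolve.
    try:
        addrs = sorted({ai[4][0] for ai in socket.getaddrinfo(host, port, proto=socket.IPPROTO_TCP)})
    except socket.gaierror as exc:
        result["dns"] = False
        result["errors"].append("DNS lookup for %s failed: %s" % (host, exc))
        return result
    result["dns"] = addrs

    # 2. TLS: the default context verifies the chain against the trust store and
    #    checks the hostname, which is what the agent does. A self-signed or lab
    #    CA certificate fails here unless its root is supplied through cafile.
    ctx = ssl.create_default_context(cafile=cafile)
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["tls"] = True
                result["subject"] = dict(rdn[0] for rdn in cert.get("subject", ()))
    except ssl.SSLCertVerificationError as exc:
        result["tls"] = False
        result["errors"].append("certificate not trusted for %s: %s" % (host, exc.verify_message))
    except (ssl.SSLError, OSError) as exc:
        result["tls"] = False
        result["errors"].append("TLS connection to %s:%d failed: %s" % (host, port, exc))
    return result


if __name__ == "__main__":
    import json
    import sys
    print(json.dumps(check_discovery_endpoint(sys.argv[1] if len(sys.argv) > 1
                                              else "andreas@contoso.com"), indent=2))
```

If "tls" comes back False with a "certificate not trusted" error, that is the same failure the agent will hit silently; fixing it means either a certificate from a public root or installing your lab root on the client, not a hosts-file trick.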

You will probably be prompted to provide some credentials in a pop-up window, but I skipped the authentication part for this walkthrough 🙂 Which means we go straight to the "Allow"-message.
[Screenshot: W8_MDM_03]

Windows 8.1 does not enforce or provide any means of authentication. This is entirely up to the provider of the MDM solution to determine, which also means that an enrollment server that skips it, as in this walkthrough, will enroll any device that reaches it. Fine for a lab, not for anything you expose to the Internet.

Once you’ve agreed the enrollment will complete. There’s no fanfare or any indicator it was a success, and you’ll just notice the button has switched to saying "Turn off" instead in case you want to unenroll your device.
[Screenshot: W8_MDM_04]

You can check the registry afterwards as well to verify settings were applied.
[Screenshot: W8_MDM_05]

The relevant keys reside in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM. There seems to be a bug in the MSDN documentation as the sample there omits “Microsoft” from the registry path, so be aware that a copy-paste might not work.

So, what can you do with an enrolled device? Well, much like enrolling regular phones you can apply policies, push applications, query inventory, etc. (Funny fact: the "device" reports that the operating system is "Windows NT Workstation 6.3".)

For the reference of all settings available check this MSDN link:
SyncML Request Commands: http://msdn.microsoft.com/en-us/library/dn365313.aspx
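To make the first exchange with an enrolled client concrete, here is an added Python example; it is not code from the post and not Microsoft’s sample. It parses the opening SyncML message an 8.1 client sends and builds the server’s reply: one Status per received command (212 on the SyncHdr, 200 on the Alert and the Replace) followed by a Get. The device message is constructed from the values the comment thread below reports for an 8.1 client (Target LocURI http://localhost:8000/handler.ashx, Source LocURI 0, ./DevInfo/DevId 13036580, the "Windows NT Workstation 6.3" model string); the server URI and the CSP node queried are assumptions.

```python
"""SyncML round trip with an enrolled Windows 8.1 client. Added example, not
code from the post or from Microsoft; standard library only.

The device opens the session by POSTing a SyncHdr (session/message ids), an
Alert, and a Replace carrying ./DevInfo/* items. The server replies in the same
session with one Status per received command (212 on the SyncHdr = auth
accepted, 200 on the rest) and then queues its own commands, here a Get.
"""
import xml.etree.ElementTree as ET

NS = "SYNCML:SYNCML1.2"

# Constructed opening message, assembled from the values the comment thread
# reports for an 8.1 client (Target/Source LocURI, DevInfo nodes). Not a capture.
DEVICE_MESSAGE = """<SyncML xmlns="SYNCML:SYNCML1.2">
  <SyncHdr>
    <VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
    <SessionID>1</SessionID><MsgID>1</MsgID>
    <Target><LocURI>http://localhost:8000/handler.ashx</LocURI></Target>
    <Source><LocURI>0</LocURI></Source>
  </SyncHdr>
  <SyncBody>
    <Alert><CmdID>2</CmdID><Data>0</Data></Alert>
    <Replace><CmdID>3</CmdID>
      <Item><Source><LocURI>./DevInfo/DevId</LocURI></Source><Data>13036580</Data></Item>
      <Item><Source><LocURI>./DevInfo/Man</LocURI></Source><Data>Microsoft Corporation</Data></Item>
      <Item><Source><LocURI>./DevInfo/Mod</LocURI></Source><Data>Microsoft Windows NT Workstation 6.3 (Tablet Edition)</Data></Item>
      <Item><Source><LocURI>./DevInfo/DmV</LocURI></Source><Data>1.2</Data></Item>
      <Item><Source><LocURI>./DevInfo/Lang</LocURI></Source><Data>zh-CN</Data></Item>
    </Replace>
    <Final/>
  </SyncBody>
</SyncML>"""


def _q(path):
    """Qualify a slash-separated tag path with the SyncML namespace."""
    return "/".join("{%s}%s" % (NS, tag) for tag in path.split("/"))


def parse_message(xml_text):
    """Extract header fields, the command list, DevInfo items and Status codes."""
    root = ET.fromstring(xml_text)
    if root.tag != "{%s}SyncML" % NS:
        raise ValueError("expected <SyncML xmlns=%r>, got %s" % (NS, root.tag))
    hdr, body = root.find(_q("SyncHdr")), root.find(_q("SyncBody"))
    if hdr is None or body is None:
        raise ValueError("SyncHdr or SyncBody missing")
    info = {"session_id": hdr.findtext(_q("SessionID")), "msg_id": hdr.findtext(_q("MsgID")),
            "target": hdr.findtext(_q("Target/LocURI")), "source": hdr.findtext(_q("Source/LocURI")),
            "commands": [], "devinfo": {}, "statuses": {}}
    for cmd in body:
        name = cmd.tag.split("}", 1)[-1]
        if name == "Final":
            continue
        info["commands"].append((name, cmd.findtext(_q("CmdID"))))
        if name == "Replace":  # DevInfo arrives as Replace items in the first message
            for item in cmd.findall(_q("Item")):
                info["devinfo"][item.findtext(_q("Source/LocURI"))] = item.findtext(_q("Data"))
        elif name == "Status":  # keyed by CmdRef: "0" is the status for the SyncHdr
            info["statuses"][cmd.findtext(_q("CmdRef"))] = (cmd.findtext(_q("Cmd")),
                                                            int(cmd.findtext(_q("Data"))))
    return info


def device_id(info):
    """The 8.1 client sends 0 in SyncHdr/Source, so prefer ./DevInfo/DevId from the body."""
    dev_id = info["devinfo"].get("./DevInfo/DevId")
    if dev_id:
        return dev_id
    if info["source"] and info["source"] != "0":
        return info["source"]
    raise ValueError("no device id in SyncHdr/Source or ./DevInfo/DevId")


def build_server_response(info, server_uri, get_uris, server_msg_id=1):
    """Acknowledge every command in the device message, then queue Get commands."""
    root = ET.Element("SyncML", xmlns=NS)
    hdr = ET.SubElement(root, "SyncHdr")
    for tag, text in (("VerDTD", "1.2"), ("VerProto", "DM/1.2"),
                      ("SessionID", info["session_id"]), ("MsgID", str(server_msg_id))):
        ET.SubElement(hdr, tag).text = text
    ET.SubElement(ET.SubElement(hdr, "Target"), "LocURI").text = device_id(info)
    ET.SubElement(ET.SubElement(hdr, "Source"), "LocURI").text = server_uri
    body = ET.SubElement(root, "SyncBody")
    next_id = [1]

    def status(cmd_ref, cmd_name, code):
        st = ET.SubElement(body, "Status")
        for tag, text in (("CmdID", str(next_id[0])), ("MsgRef", info["msg_id"]),
                          ("CmdRef", cmd_ref), ("Cmd", cmd_name), ("Data", str(code))):
            ET.SubElement(st, tag).text = text
        next_id[0] += 1

    status("0", "SyncHdr", 212)  # 212 accepts the header without a nonce/auth block
    for name, cmd_ref in info["commands"]:
        status(cmd_ref, name, 200)
    for uri in get_uris:
        get = ET.SubElement(body, "Get")
        ET.SubElement(get, "CmdID").text = str(next_id[0])
        next_id[0] += 1
        ET.SubElement(ET.SubElement(ET.SubElement(get, "Item"), "Target"), "LocURI").text = uri
    ET.SubElement(body, "Final")
    return ET.tostring(root, encoding="unicode")


if __name__ == "__main__":
    first = parse_message(DEVICE_MESSAGE)
    print("device", device_id(first), "reports", first["devinfo"].get("./DevInfo/Mod"))
    # Assumed server URI and CSP node; swap in your own.
    print(build_server_response(first, "https://enterpriseenrollment.contoso.com/mdm",
                                ["./cimv2/MDM_Client/MDM_Client.DeviceClient=0/DeviceName"]))
```

The reply uses the device id as Target and the server URI as Source, mirroring what the client sent; the session id is echoed back, while MsgID is the server’s own counter and MsgRef points at the device message being acknowledged.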

And when you’re tired of being managed you just press the "Turn off"-button.
[Screenshot: W8_MDM_06]

18 thoughts on “Understanding Windows 8.1 MDM”

  1. Thanks Andreas for the link. As per the link we can fetch device name using CSP
    ./cimv2/MDM_Client/MDM_Client.DeviceClient=0/DeviceName. Can I get any other information other than Device Name using ./cimv2/MDM_Client/MDM_Client.DeviceClient=0/ ?

  2. Hi, Andreas
    I completed enrollment for a win8.1 device successfully, and got the first SyncML message from the device, but in the of such message, the of was NOT the url of the mdm server, but “http://localhost:8000/handler.ashx”, while the of was 0, actually it should be the device Id. I responded with a SyncML message to the device, but got no response from the device any more. I’ve checked all registries after enrollment, all registries were well applied like the screenshot you posted. Can you give me some hints for such an issue? Looking forward to your reply. Thanks a lot.

    The first message got from win8.1 device after enrollment is:
    1.2DM/1.211http://localhost:8000/handler.ashx0203./DevInfo/DevId13036580./DevInfo/ManMicrosoft Corporation./DevInfo/ModMicrosoft Windows NT Workstation 6.3 (Tablet Edition)./DevInfo/DmV1.2./DevInfo/Langzh-CN

    The message sent to device which got no reponse from device is:

    1.2
    DM/1.2
    1
    1

    13036580

    https://EnterpriseEnrollment.mdm-server.com:443/mdm

    syncml:auth-md5
    b64

    Bd/LQk7BWrvbmo3E7ihrYg==

    1
    1
    0
    SyncHdr
    212

    2
    1
    2
    Alert
    200

    3
    1
    3
    Replace
    200

    4

    ./cimv2/MDM_Client

    5

    ./cimv2/MDM_SideLoader/MDM_SideLoader

  3. Hi, Andreas
    Tags in the comment I’ve just submitted were omitted. Post my question again:
    I completed enrollment for a win8.1 device successfully, and got the first SyncML message from the device, but in the “SyncHdr” of such message, the “LocURI” of “Target” was NOT the url of the mdm server, but “http://localhost:8000/handler.ashx”, while the “LocURI” of “Source” was 0, actually it should be the device Id. I responded with a SyncML message to the device, but got no response from the device any more. I’ve checked all registries after enrollment, all registries were well applied like the screenshot you posted. Can you give me some hints for such an issue? Looking forward to your reply. Thanks a lot.

  4. WordPress takes some security precautions and automatically strips away most xml and html tags. (Which is a good thing in itself, but makes posting relevant xml snippets a bit harder.)
    So, it’s kinda hard checking the SyncML for correctness – I can only assume you’re using CmdId and CmdRef tags in the right places.
    Windows Phone is fuzzy when it comes to single and double quotes in the xml so check what you’re using. (Had to use single in the header, but double is ok in the body it seems.)
    When you’re ACKing the SyncHdr with a 212 and an Alert 200 you can actually skip the nonce/auth part in your reply which makes troubleshooting easier.

  5. Hi, Andreas
    Thanks for your reply. I’ve checked my SyncML message response to the client many times and it should be ok. What really confused me is that in the initial SyncML message sent by the client to the server after successful enrollment, the LocURI of Target was NOT the url of the mdm server, but http://localhost:8000/handler.ashx, while the LocURI of Source was 0, actually it SHOULD be the device Id, and the Alert code is 0, which should be 1200 (SERVER-INITIATED MGMT) or 1201 (CLIENT-INITIATED MGMT) according to the OMA protocol.
    BTW, could you please leave your email for me so I can discuss with you in more details?
    Thanks again.

  6. My “device” also connects with a LocURI of http://localhost:8000/handler.ashx and 0. The DeviceID should be found in the SyncBody though. I don’t know why these values are provided – haven’t dug into it. (Maybe something I’m not providing during enrollment?)
    I then reply with the sample XML here: http://msdn.microsoft.com/en-us/library/dn392664.aspx
    I assume that’s what you’re using too? (I obviously changed DeviceID and source URI to reflect my actual settings.)
    I didn’t include a syncml-auth tag.
    And then the device posts back some info for me.

    My email is andreas@ the name of this site.

  7. Dear,
    I’d like to register my Surface RT 8.1 with my MDM server, but it failed. Here are my steps: go to PC Settings > Network > "Workplace" tab and type in my email address, then hit “Turn on”, and it shows a failure: “Can’t use your login information….”. Could you please help me with what I can do? Thanks in advance.

  8. Hard to tell; based on the description it could be a number of things like incorrectly configured DNS, SSL, and/or bugs. Do you see the device hitting the server in the IIS logs?

  9. Thanks Andreas,
    About Windows 8.1 registration: my email address isn’t a real address, I only use the server address to register iOS/Android devices, so how can I use my MDM server to register Windows 8.1 devices? Thanks a lot.
    By the way, could you conveniently give me your IM? If not, never mind.

  10. Hi Andreas,
    Really appreciate all your work here. It helps me a lot.
    I have read your coverage on MDM in Windows Phone 8, and glad you continue clarifying on MDM in Windows 8.1. My question is:
    Is it possible to have a third-party DM client on W8.1? Or even more precisely, is it possible to use the browser in W8.1 as a DM client to communicate with my MDM server using the OMA DM protocol? In my situation, my BYOD user MDM process starts with a CWP browser page which requires user authentication itself. The CWP page is hosted by my own Access Point which controls the device’s Internet access. My desired flow is that after the user authenticates in the CWP, the BYOD mobile browser continues the MDM process (enrollment and management) by communicating with the MDM server using the OMA DM protocol directly. I feel I don’t really need the discovery stage in my flow.
    What do you think?
    Thanks a lot.

  11. Microsoft has specifically created a standard user experience for the MDM enrollment process, so I think it’s not going to be easy to create a customized experience.

    Since there is no official way to do it (that I’m aware of) you’d have to “hack” the OS to do it.

    But the authentication process can be customized to work pretty much like you want to in the browser, so as long as you setup the discovery server parts you have options as to what you want it to look like.

  12. Hi Andreas,
    I am able to get the device to communicate with the MDM I am developing internally, and the device is workplace joined. The problem is that after the discovery request I am not sure what I should do. The next request is the one where it processes the STS token. It would be great if you could provide some pointers here. Thanks in advance.

  13. The discovery response should include an address for your STS. The STS is the component you use for authenticating your users, but it’s entirely up to you how you actually authenticate them. The STS will redirect back to the MDM server to complete the enrollment process.

    Not sure what your issue is though – are you trying to code up the STS, or do you have an STS that doesn’t work for some reason?

  14. Hi,
    I am trying to put up a WP8.1 MDM server. This guide was helpful for an initial understanding of the enrollment process, but I am still not sure how the device will poll the server, I mean on which URL it will poll the server to get new policies / MDM commands.
    And I’m still a bit confused about the CA server setup and putting up the web service URL which WP8 is going to hit during enrollment.
    Can anyone help me with this?

  15. I am trying to implement enrollment for Windows 8.1, and have the same issue as William, i.e. SyncHdr->Source->LocURI is 0.
    I’ve tried to use DevId from SyncBody->Item [./DevInfo/DevId] with no luck. The number is something like -1167496992 or similar (i.e. a long int), and in the response I provide my server URI in SyncHdr->Source.

    Did you do the same steps?
