Windows Phone 8.1 – MDM & Enterprise

The cat is finally out of the bag. Even though the rumors have been making the rounds on the interwebs for some time now, Microsoft has just officially confirmed details for the update to Windows Phone codenamed Blue, which brings the version number to 8.1.

Lots of new stuff of course, and you can expect to see MSDN articles, sessions on Channel 9, and a bunch of blog posts covering the OS from A to Z. I’m not going to duplicate all those efforts; as per usual I’ll rather try to cover some of the enterprisy stuff, like Mobile Device Management (MDM), since that’s kinda my cup of tea.

I’m not going to run through the entire history of the Windows Mobile/Phone operating system line, but Windows Phone is finally starting to look like it did in the good old days before the switch to the Metro era. (Behind the covers, that is, not the parts you see up front in the UI.)

I have previously looked at Windows Phone 8.0, and if you need to catch up on that you can find that here:
http://mobilitydojo.net/2013/03/31/understanding-windows-phone-8-mdm/

Let’s take a look at some of the additions and changes coming with WP 8.1 in this department.

MDM settings/policies/restrictions
These are the “classic” MDM settings, which fit into two categories (at least in my book):
– Policies
– Restrictions

The available policies are Lock, Exchange ActiveSync configuration, WiFi Settings, VPN configuration.

The settings for Lock/Power-on-Password and Exchange ActiveSync are the same as they were in Windows Phone 8.0 so there’s nothing new there.

WiFi settings were introduced in Windows Phone 8.0 GDR3 – see previous article for more details:
http://mobilitydojo.net/2013/11/28/windows-phone-8-gdr3-adds-mdm-wifi/

VPN settings are a new feature. With a native VPN client now included in the operating system, it is a natural extension that an MDM server is able to configure it. I’ll go into further details a couple of paragraphs down the page.

As for restrictions (allow/disallow type settings), there were some in Windows Phone 8.0, but the list of available settings has been extended in Windows Phone 8.1. I’m guessing a lot of companies will not bother to actually use all of the settings available, but there is at least an option for locking down plenty of things now 🙂

(Screenshot: Blue_01)

Application Restrictions is what we usually call whitelisting/blacklisting, and it can be applied per app or per publisher. Of the two, the whitelist (only the listed apps or publishers may be installed) is the stronger posture; a blacklist only keeps out what you already know about.

MDM / Server Push
There was a glaring omission from MDM in WP 8.0 in that all MDM actions were pull only. The device would connect to the server at scheduled intervals to ask if there were any new policies to apply, and if there were they would be applied accordingly. This is OK for things like minor policy changes, but it feels kind of silly for remote wipes. That’s right, in WP 8.0 there was no way to have a remote wipe apply immediately. (You could of course say that if the device hasn’t checked in to get wiped in a couple of days it has possibly already been wiped, but there could be plenty of scenarios where this isn’t the case.) Anyway, we now get server-initiated MDM push.

The push mechanism works similarly to Apple and Google in that the server pings Microsoft (the Windows Notification Service, WNS), and Microsoft’s servers in turn ping the device and instruct it to connect to the MDM server. The actual command is not in the push; it is a wake-up only, and the management session that follows is still an incoming pull request on the server side, over the same authenticated channel as a scheduled check-in. That also means WNS never sees the command, and a push that somehow reached the device from elsewhere could at worst make it check in early. The one caveat is that push only helps for a device that is online and has a valid channel; an offline device still picks the command up at its next scheduled check-in. I don’t see any major drawbacks to this approach.
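The server-side half of that exchange, as an added example (not code from this post or from Microsoft). What it assumes, none of which is stated on the page: the MDM server holds a Store-style registration (a Package SID plus client secret), obtains an OAuth2 access token from https://login.live.com/accesstoken.srf with the client-credentials grant, and then POSTs a raw notification (X-WNS-Type: wns/raw) to the channel URI the device reported during a management session. The payload is a placeholder because, as described above, the command itself is not in the push. No network call is made; the HTTP transport is injected as a callable so the status-code handling can be run offline, and the channel URI and token in the demo are constructed values.

```python
"""WNS raw push as an MDM wake-up: build the requests and map WNS answers.

Added example, not the post author's MDM server. Assumptions: Package SID
+ secret credentials, the client-credentials token endpoint, and the
wns/raw notification type. The payload is ignored by the DM client
(assumption; the post says the command is not in the push).
"""
from urllib.parse import urlencode, urlparse

TOKEN_URL = "https://login.live.com/accesstoken.srf"
WNS_SUFFIX = ".notify.windows.com"


def build_token_request(package_sid: str, client_secret: str):
    """OAuth2 client-credentials request for a WNS access token."""
    body = urlencode({
        "grant_type": "client_credentials",
        "client_id": package_sid,
        "client_secret": client_secret,
        "scope": "notify.windows.com",
    })
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    return TOKEN_URL, headers, body


def validate_channel_uri(channel_uri: str) -> str:
    """The channel URI is reported by the device, so treat it as input.
    Only ever send the bearer token to WNS itself: https, and a host
    under notify.windows.com. Anything else is refused outright."""
    u = urlparse(channel_uri)
    host = (u.hostname or "").lower()
    if u.scheme != "https" or not host.endswith(WNS_SUFFIX):
        raise ValueError("refusing to post WNS token to non-WNS URI: %r" % channel_uri)
    return channel_uri


def build_raw_push(channel_uri: str, access_token: str, payload: bytes = b"mdm-wakeup"):
    """Raw notification to one device channel. Returns (url, headers, body)."""
    url = validate_channel_uri(channel_uri)
    headers = {
        "Authorization": "Bearer " + access_token,
        "Content-Type": "application/octet-stream",
        "X-WNS-Type": "wns/raw",
        "X-WNS-RequestForStatus": "true",
    }
    return url, headers, payload


def send_push(transport, channel_uri: str, access_token: str) -> str:
    """transport(url, headers, body) -> HTTP status code.
    Maps the WNS answer to what the MDM server has to do next."""
    url, headers, body = build_raw_push(channel_uri, access_token)
    status = transport(url, headers, body)
    if status == 200:
        return "sent"             # device will now check in on its own
    if status == 401:
        return "refresh-token"    # access token expired; fetch a new one and retry
    if status in (404, 410):
        return "channel-expired"  # ask the device for a fresh ChannelURI in the next DM session
    if status == 406:
        return "throttled"        # WNS throttling; back off before retrying
    return "error-%d" % status


if __name__ == "__main__":
    # Constructed channel URI and token, not real values.
    demo_uri = "https://db3.notify.windows.com/?token=AwYAAABconstructed"
    fake_transport = lambda url, headers, body: 200
    print(send_push(fake_transport, demo_uri, "demo-access-token"))
```

The channel check matters more than it looks: the channel URI is the one piece of this flow that originates on the device, and whatever you POST to it carries your WNS bearer token in the Authorization header. A server that blindly posts to whatever URI the device reported will hand that token to any host the device (or whoever controls the reply) names.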

With server push now being an option, remote wipe feels a bit more immediate. Being able to trigger connections also enables another couple of “remote actions” you can perform.

There’s remote lock and/or reset lock. You can choose whether you just want the device lock to kick in right away, or whether you want to reset the lock code of the device (in case the user forgot their code). If you choose to reset the code the device generates a new code, and the server has to retrieve this code for you. You cannot choose your own code for this.

Remote ring will have the device ring as if a phone call came in. This is audible even if the volume is set to low/muted. So if you’ve lost the device between the couch cushions you can have it scream out to you.

Certificate support
The support for certificates gets updated a bit as well. Client certificates are now a part of the OS in a more sensible way. You could/can install client certs in WP 8.0 if you like, but using them afterwards may or may not work. I’ve managed to use them for Exchange ActiveSync and web sites, but that was more luck than a result of the interfaces for managing the functionality. It is important to note that this is not meant for distributing pfx-files, i.e. the entire certificate including the public and private keys. The intent is that you have a Certificate Authority available which exposes a SCEP interface, so the device enrolls for its certificate directly: it generates the key pair itself, sends the certificate request to the SCEP server and gets the signed certificate back, and the private key never leaves the device. The MDM server will send down settings like which server address to talk to, which challenge password to present and such, but will not provide the actual cert.

If you’re already supporting iOS devices it’s not unlikely you have SCEP already, since it’s a component often used for iOS MDM. It should be possible to re-use this for Windows Phone 8.1. If you’re using a “bundled” CA, as in part of the MDM solution and not a stand-alone box, you will of course need to wait for the vendor to support it. But then again you would need to wait for them to support WP 8.1 anyway 🙂

VPN support
The lack of VPN support in WP 8.0 was a show-stopper for enterprise customers running web and enterprise apps that were never meant to send their data over the public internet. Some things you usually don’t expose outside of the firewall, and sometimes it requires a lot of re-working to publish the resource externally in a secure way. Say hello to VPN support:

(Screenshot: Blue_02)

Changes from previous implementations you should be aware of: no PPTP support. You get IPsec this time around, which is no loss given how thoroughly PPTP’s MS-CHAPv2 authentication has been broken. This is the same IPsec supported by the VPN provider in Windows Server 2012/R2, so you don’t need to buy a third-party solution to get it working if you’re committed to the Microsoft stack. If however you have an aging Forefront TMG setup you’re not good to go. TMG does support IPsec, but not IKEv2, which is what the Windows Phone 8.1 client uses.

There is also support for third-party SSL VPNs, but this requires downloading plug-ins from the app store and configuration as instructed by the vendor. The MDM server might be able to assist, but this depends on how the plugin is implemented by said third party.

There is also a bunch of settings related to the VPN setup like split tunneling, auto-VPN, etc. Decide on split tunneling deliberately: with it enabled only corporate destinations go through the tunnel and everything else hits the internet directly from the device, with it disabled all traffic rides the VPN and your gateway sees (and has to carry) the lot.
(Screenshot: Blue_03)

The question marks are just me not having done all my data annotations properly yet; it’s not a bug 🙂

Web Authentication Broker
I’ve seen the MDM enrollment process on the device in WP 8.0 implemented in a couple of different variants, and not all of them are as smooth as I would prefer. The autodiscover process has some challenges, but a thing like discovering a server without the user typing in a server address will always have its limitations. That’s workable though: as long as you provide a DNS name that isn’t too cryptic or long, people will be able to type it in as a fallback. The authentication part of it though? Did you see a lot of MDM solutions properly integrated with Active Directory, and possibly running in the cloud too? Yes, I have seen “proper” AD auth in MDM, but doing it in a clean manner server side wasn’t without its challenges. (If you’re a user this might be something you haven’t given much thought to, of course. If you’re a developer you have possibly been slightly annoyed when implementing this.)

You were locked into the enrollment client experience very tightly, and there weren’t many options to customize the behavior. So it’s nice to see that Windows Phone now comes with support for the Web Authentication Broker (WAB).

WAB what, you say? This component provides the same behavior as seen in Windows 8.1 (non-phone) when enrolling for MDM:
http://mobilitydojo.net/2013/09/23/understanding-windows-8-1-mdm/

This means you can get creative and support AD accounts, Microsoft accounts, and Google and Facebook if you so like. The login experience is browser-based, and you can “outsource” the authentication bits from the MDM server component to other modules. As seen below I get redirected to a web view after typing in my email address and completing a successful autodiscover:

(Screenshot: Blue_04)

This particular authentication screen doesn’t actually work, as I’ve only printed out the parameters passed by the device for debug purposes; you would want to create some more meaningful HTML behind the scenes than I’ve done here. Keep in mind that the user sees this page inside a web view with no address bar, so serve it over HTTPS with a certificate chain the device trusts; there is nothing for the user to check.
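What that page has to do once it is more than a debug dump, as an added example (not the post author’s server code). The assumptions, which the page does not state, come from the federated enrollment flow shared by Windows 8.1 and Windows Phone 8.1: the device opens the authentication URL with two query parameters, appru (the ms-app:// URI the result must be POSTed back to) and login_hint (the address the user typed), and when the page is done it POSTs a form field named wresult holding a security token back to appru. The token value is whatever your MDM server will later accept during enrollment; its format is up to you and is not defined here. The appru value in the demo is constructed.

```python
"""Web Authentication Broker page for MDM enrollment: parse what the device
sent, show a login form, and hand the token back to the enrollment client.

Added example, not the post's code. Parameter names appru, login_hint and
wresult are assumptions taken from the federated enrollment flow.
"""
import html
from urllib.parse import parse_qs, urlparse

# The enrollment client identifies itself with an ms-app:// return URI
# (assumption). Posting the token anywhere else is how it leaks: if the same
# login URL is opened in a normal browser from a phishing link, appru is
# whatever the attacker put in the link.
ALLOWED_APPRU_SCHEME = "ms-app"


def _check_appru(appru: str) -> str:
    if urlparse(appru).scheme != ALLOWED_APPRU_SCHEME:
        raise ValueError("unexpected return URI: %r" % appru)
    return appru


def parse_wab_request(query_string: str):
    """Pull appru and login_hint out of the query the device sent."""
    q = parse_qs(query_string, keep_blank_values=True)
    appru = _check_appru(q.get("appru", [""])[0])
    login_hint = q.get("login_hint", [""])[0]
    return appru, login_hint


def render_login_page(appru: str, login_hint: str) -> str:
    """First stage: the form the user sees inside the web view. Everything
    that came from the query is escaped before it goes into the HTML."""
    _check_appru(appru)
    return (
        "<html><body><form method=\"post\" action=\"/mdm/login\">"
        "<input type=\"hidden\" name=\"appru\" value=\"%s\"/>"
        "<input name=\"user\" value=\"%s\"/>"
        "<input type=\"password\" name=\"pw\"/>"
        "<input type=\"submit\" value=\"Sign in\"/></form></body></html>"
        % (html.escape(appru, quote=True), html.escape(login_hint, quote=True))
    )


def render_token_postback(appru: str, token: str) -> str:
    """Last stage, after your own auth module accepted the credentials:
    auto-submit the token to the enrollment client. The user sees at most a
    brief flash; the enrollment client takes it from here."""
    _check_appru(appru)
    return (
        "<html><body><form method=\"post\" action=\"%s\">"
        "<input type=\"hidden\" name=\"wresult\" value=\"%s\"/></form>"
        "<script>document.forms[0].submit();</script></body></html>"
        % (html.escape(appru, quote=True), html.escape(token, quote=True))
    )


if __name__ == "__main__":
    # Constructed query string, as the device would send it (appru value made up).
    appru, hint = parse_wab_request(
        "appru=ms-app%3A%2F%2Fenrollment-client&login_hint=andreas%40example.com")
    print(render_login_page(appru, hint))
    print(render_token_postback(appru, "opaque-token-from-your-auth-module"))
```

Where the token comes from is deliberately left open: that is the “outsourcing” the section describes. The page only has to collect credentials (or bounce through AD FS, a Microsoft account, Google, whatever), obtain something the MDM server recognizes, and post it back; the check on appru and the escaping are the two parts that must not be skipped whichever identity provider sits behind it.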

I’d say those are the high-level enterprise features in Windows Phone 8.1 that I can think of for now. Compressed like this it doesn’t sound like much, but I’ve tried to be short and to the point. I don’t know yet if I will be digging into any of these features in greater detail; we’ll see how that plays out.

There is a session at Build 2014 you might want to check out if this is your area of interest:
Windows Phone Enterprise Management
http://channel9.msdn.com/Events/Build/2014/2-513

For lack of a time machine I don’t know, as I’m typing this article, whether this is an interesting session, but from the description it sounds like it’s spot on for this subject.

As always you can provide your feedback in the comments below, or by pinging me directly.

11 thoughts on “Windows Phone 8.1 – MDM & Enterprise”

  1. Just a note that SCEP isn’t a requirement for MDM on iOS 😉

    Love the article! Push! Yes!

  2. Nitpicking 🙂
    You are right though; technically it’s not required to use SCEP, so my wording wasn’t correct. I reformulated the sentence to be more in line with this, and to reflect the fact that it is often included when you do MDM for iOS 🙂

  3. Pingback: Philip Büchler
  4. Andreas, it’s a nice article, thanks. I have one question around the MDM push notification service. I don’t get when the “notification channel uri” would be generated during the enrollment process. I guess there would be two: one for my “company hub” app and one for my MDM server policy management. The Windows documentation isn’t clear about the required WNS auth token and “notification channel uri” for MDM push; the app push notification makes perfect sense on http://msdn.microsoft.com/en-in/library/windows/apps/hh913756.aspx

    Let me know your comments.

    -Bipin

  5. When I wrote this article originally not all details on the MDM push was clear from MSFT’s side so it was vague on my part too.

    The way it works is that the MDM server needs an “app” registration in the store similar to as if you were publishing an app – you just leave out the part of uploading any files. So if you already have a company app I don’t see any reason you couldn’t reuse the credentials you already have.

    You cannot configure push during the enrollment process. You can only configure the pull config during bootstrap, and then you need to set the push config during a normal management session. You do an Add/Replace of the PFN to the device, and then you do a Get for ./Vendor/MSFT/DMClient/Provider/ProviderID/Push/ChannelURI (where ProviderID is a value you bootstrapped) to get the uri you need for sending push to that specific device.
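
The two management-session steps described in that reply, as an added example that is not the post author’s server code. Assumptions beyond what the reply states: the message format is OMA DM SyncML 1.2 as spoken by the WP 8.1 DM client; the provider ID (ExampleMDM), the PFN value, the device and server identifiers and the session/message numbers are constructed; and the device reply parsed at the end is a constructed SyncML fragment, not a captured one. The node paths follow the reply: Provider/<ProviderID>/Push/PFN and Provider/<ProviderID>/Push/ChannelURI.

```python
"""Push configuration over OMA DM: Replace Push/PFN, Get Push/ChannelURI,
then pull the channel URI out of the device's reply.

Added example, not the post author's MDM server. SyncML structure, provider
ID, PFN, identifiers and the device reply are constructed/assumed.
"""
import xml.etree.ElementTree as ET
from xml.sax.saxutils import escape

NS = "SYNCML:SYNCML1.2"
PUSH_BASE = "./Vendor/MSFT/DMClient/Provider/%s/Push/"


def push_node(provider_id: str, leaf: str) -> str:
    """Full LocURI of a node under the provider's Push subtree."""
    return PUSH_BASE % provider_id + leaf


def build_push_config_message(provider_id, pfn, session_id, msg_id, device_id, server_id):
    """Server -> device: set the PFN and ask for the channel URI in one message.
    Use Add instead of Replace the first time if the node does not exist yet."""
    return f"""<SyncML xmlns="{NS}">
<SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto>
<SessionID>{session_id}</SessionID><MsgID>{msg_id}</MsgID>
<Target><LocURI>{escape(device_id)}</LocURI></Target>
<Source><LocURI>{escape(server_id)}</LocURI></Source></SyncHdr>
<SyncBody>
<Replace><CmdID>2</CmdID><Item><Target><LocURI>{escape(push_node(provider_id, 'PFN'))}</LocURI></Target>
<Meta><Format xmlns="syncml:metinf">chr</Format></Meta><Data>{escape(pfn)}</Data></Item></Replace>
<Get><CmdID>3</CmdID><Item><Target><LocURI>{escape(push_node(provider_id, 'ChannelURI'))}</LocURI></Target></Item></Get>
<Final/></SyncBody></SyncML>"""


def extract_results(syncml_text: str):
    """Device -> server: map LocURI -> Data for every Results item, and
    CmdRef -> status code for every Status. The device is only semi-trusted;
    parse real device traffic with defusedxml rather than plain ElementTree."""
    root = ET.fromstring(syncml_text)
    ns = {"s": NS}
    results = {}
    for item in root.findall("./s:SyncBody/s:Results/s:Item", ns):
        uri = item.findtext("s:Source/s:LocURI", default="", namespaces=ns)
        results[uri] = item.findtext("s:Data", default="", namespaces=ns)
    statuses = {}
    for st in root.findall("./s:SyncBody/s:Status", ns):
        cmd_ref = st.findtext("s:CmdRef", default="", namespaces=ns)
        statuses[cmd_ref] = st.findtext("s:Data", default="", namespaces=ns)
    return results, statuses


def channel_uri_from_reply(provider_id: str, syncml_text: str) -> str:
    """Check both commands (CmdID 2 and 3 above) succeeded, then return the
    channel URI the MDM server must use for this device's push."""
    results, statuses = extract_results(syncml_text)
    for cmd in ("2", "3"):
        if statuses.get(cmd) != "200":
            raise RuntimeError("command %s failed with status %s" % (cmd, statuses.get(cmd)))
    return results[push_node(provider_id, "ChannelURI")]


# Constructed device reply to message 2 of the session; not a real capture.
DEVICE_REPLY = f"""<SyncML xmlns="{NS}">
<SyncHdr><VerDTD>1.2</VerDTD><VerProto>DM/1.2</VerProto><SessionID>7</SessionID><MsgID>2</MsgID>
<Target><LocURI>https://mdm.example.com/dm</LocURI></Target><Source><LocURI>urn:uuid:constructed-device</LocURI></Source></SyncHdr>
<SyncBody>
<Status><CmdID>1</CmdID><MsgRef>2</MsgRef><CmdRef>0</CmdRef><Cmd>SyncHdr</Cmd><Data>200</Data></Status>
<Status><CmdID>2</CmdID><MsgRef>2</MsgRef><CmdRef>2</CmdRef><Cmd>Replace</Cmd><Data>200</Data></Status>
<Status><CmdID>3</CmdID><MsgRef>2</MsgRef><CmdRef>3</CmdRef><Cmd>Get</Cmd><Data>200</Data></Status>
<Results><CmdID>4</CmdID><MsgRef>2</MsgRef><CmdRef>3</CmdRef>
<Item><Source><LocURI>./Vendor/MSFT/DMClient/Provider/ExampleMDM/Push/ChannelURI</LocURI></Source>
<Data>https://db3.notify.windows.com/?token=AwYAAABconstructed</Data></Item></Results>
<Final/></SyncBody></SyncML>"""

if __name__ == "__main__":
    print(build_push_config_message("ExampleMDM", "ExampleCorp.MDMHub_abcd1234efgh", 7, 2,
                                    "urn:uuid:constructed-device", "https://mdm.example.com/dm"))
    print(channel_uri_from_reply("ExampleMDM", DEVICE_REPLY))
```

The channel URI you get back is per device and per PFN, and it expires; when WNS later answers a push with 404 or 410 the fix is another Get on the same node in the next management session, not a re-enrollment.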

  6. I just found this post.

    I am looking for a simple way to disable the store and/or blacklist/whitelist apps from the app store.

    I saw your screenshots. What kind of MDM is that?

    Regards Andy

  7. The screenshots are from my own Windows Phone MDM Server which is a working prototype I use for testing and developing. So, outside my lab it’s not an actual product.

  8. I have a few queries which I am a little confused about:

    1) Do we require an MDM client to send push notifications on Windows 8 and Windows 8.1 devices (phones)?

    2) If yes, what are the requirements?

    3) How to configure WNS and MPNS on Afaria MDM, any idea?

  9. The Push notification is entirely handled server side. The MDM server keeps track of the clients and sends the push through Microsoft’s servers. The MDM server queries the client for client unique ids, but that happens as part of the MDM process and isn’t visible.

    The settings for the push services are handled by the MDM provider, and unless Afaria has chosen unique keys per customer there shouldn’t be anything to configure. (I haven’t played with Afaria for months so I haven’t tested out their 8.1 support.)
