Geek Gift – Mobility Style

Now I’m not a big fan of Christmas. Well, sure, I get time off work, get to eat good food, etc. But a lot of it is more of a kid’s thing in my opinion. That does not mean that I’m off the hook when it comes around to gifts however. I had the opportunity to be creative though, and do it in a proper Mobile Geek fashion :)

My girlfriend wants a new laptop. The one she’s using now is an HP Pavilion I used before. A few years old, but ok specs for her needs – the only problem is that the flex cable (connecting the LCD to the graphics card) is almost worn out (flickering display), and there are some other sporadic hardware issues as well. Time for a replacement. Now I’m not giving her a laptop, but I can help her along the way. She actually said to me that she wanted a gift certificate at our preferred online retailer. (How great is that – no chasing through stores looking for stuff I have no interest in :) )

So I could have just purchased a gift certificate, and printed it out on a piece of paper. Let’s make it more sexy :) I have an HTC Diamond I’m not using at the moment, so I decided to turn it into a delivery tool. No, she doesn’t get to keep it. She gets to boot it up and learn what her gift is. First thing I did was create a png file with the logo of the retailer, the words “Gift Certificate” in a fancy font, and some Christmassy looking trees. You’ll either want to make it 640×640 or 480×640. Save it as “welcomehead.96.png”.

I made a second png with a picture of a laptop I recommend as good value for money (Lenovo N500), and the amount/value of the certificate written below. Save it with whatever name you like and transfer to the Diamond. I disabled the TouchFlo plugin from the today screen, but kept the HTC Black theme. Chose the png I just created as the background image, and I’m done with part one.

Now on to part two which is transferring the first png to the \Windows folder on the device (replacing the file currently there). HTC has been clever on the Diamond, so all the files in this folder are write-protected system files. Which means you can’t just overwrite/delete files. This means it’s workaround time. I created a cab with WinCE Cab Manager, (you can download a trial, it’s a great utility), and added the png file to this cab. By setting the system and read-only properties you can install this on your device even though you can’t do it through file explorer. You’ll need to soft-reset, but that’s hardly a problem.

What you get now is a device that displays a custom boot splash screen, (resembling a gift certificate), instead of the green Windows Mobile logo, followed by a background image displaying the gift the certificate helps acquire. Since there was a test SIM-card in the device that I didn’t bother to remove, I rounded it out with setting the PIN to 2412 :)

I don’t think she reads this blog, so hopefully she will be impressed tomorrow night :) Maybe you guys out there are already finished with your shopping – then you can keep this trick, and use it on another occasion instead. Oh, and I’ll be bubble wrapping the device along with some nice Valrhona chocolate which probably won’t hurt either.

SCMDM 2008 – Web Services - MobileDeviceManagerAdmin

For new attendees to the class, this is a walkthrough of the Web Services in SCMDM (you may start with the introduction first: http://mobilitydojo.net/2008/12/02/scmdm-2008-web-services-introduction/). For regulars: in this part we get to the meatier part when we go through the MobileDeviceManagerAdmin service.

I don’t know what the correct technical term is, but when looking at the virtual directory you’ll see there are a number of “sub services”:
image

Probably the more correct term is that there are actually several distinct web services grouped under a common virtual directory.

They are available at https://FQDN:8446/MDM/x/Admin.asmx where FQDN is your Device Management Server, and x is the service you want. (Replace x with a value from the list in the screenshot above.)

I’ve listed them all below here for your convenience, but as you can see from the available options not all of them are relevant for your “average” usage scenario.

AdgpService
image

AdminService
image

GatewayService
image

InventoryService
image

SoftwareDistributionService
image

TaskExecutionEngine
image

WipeService
image

We will not go into all of these operations. The functionality we are interested in right now (relating back to our sample application) is Wipe.

We want something like this in our utility:
image

Looking into the Wipe operation in our web browser we find the following:
image

This deviceID is the SID (Security Identifier) that can be found as a property of the device object in Active Directory. Given the device name we should be able to look up the SID so for the sake of our user interface this does not matter.

WipeOut
So we just pass the SID on to the Wipe operation, and we’re done right? Ah, if it only were that easy. If you have been following my trail of screenshots you’ll have noticed other operations that might seem to be related to the wipe operation namely the following:
- UnEnroll (EnrollmentAdmin – shown in previous web service article)
- RemoveDevice (AdminService)
- AddBlockedDevice (GatewayService)

You see, there are different kinds of wipes depending on what you are trying to achieve. A wipe deletes the contents of a device, a block prevents the device from establishing the VPN tunnel (thus only reaching as far as the Gateway server), remove device will remove it from the managed devices list, and unenroll presumably removes the Active Directory object. But I’ll admit that I am not entirely sure of the details these operations perform, in which sequence you should execute them, etc. “Wipe” and “Block Device” are both available as options in the MDM console, and have different purposes (a blocked device can be unlocked and allowed to connect again). Let’s just leave it there for now :)

In the spirit of keeping things simple I’ll only use the “simple” wipe operation here since this will get rid of everything on the device. The code used to wipe looks like this:
image

Few things to keep in mind here. Since the SID of the device can only be found through Active Directory I perform an LDAP lookup that should return the SID given the device name as input. Make sure the ldapPath is searching the right OU for devices. Make sure you use the correct objectCategory and objectClass in the LDAP filter. (The values I use should work for you as well if you haven’t modified anything regarding device objects.)
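Because the lookup above takes a typed device name and ends in a wipe, the filter should match exactly one device. The following is an added Python example, not the author's code (which the page showed only as an image): it escapes the name per RFC 4515, decodes the binary `objectSid` attribute, and refuses ambiguous results. The `cn` attribute, the `computer` category/class values and the string SID form are assumptions, and the sample SID is constructed.

```python
import struct

# RFC 4515: characters that must be escaped inside an LDAP filter value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

def escape_filter_value(value):
    """Escape helpdesk input so it cannot alter the filter's structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)

def device_filter(device_name, object_category, object_class):
    """Exact-match filter for one device; 'cn' as name attribute is an assumption."""
    if not device_name.strip():
        raise ValueError("device name is empty")
    return "(&(objectCategory={})(objectClass={})(cn={}))".format(
        escape_filter_value(object_category),
        escape_filter_value(object_class),
        escape_filter_value(device_name))

def sid_to_string(raw):
    """Decode the binary objectSid attribute into its S-1-... string form."""
    if len(raw) < 8 or len(raw) != 8 + 4 * raw[1]:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")           # 48-bit, big-endian
    subs = struct.unpack("<{}I".format(raw[1]), raw[8:])  # 32-bit, little-endian
    return "-".join(["S", str(raw[0]), str(authority)] + [str(s) for s in subs])

def single_device_sid(entries):
    """Return a SID only if the search matched exactly one device object."""
    if len(entries) != 1:
        raise LookupError("expected 1 device, got {}".format(len(entries)))
    return sid_to_string(entries[0]["objectSid"])

# Constructed sample: binary form of S-1-5-21-1-2-3-1105 (not a real device).
SAMPLE_SID = bytes([1, 5, 0, 0, 0, 0, 0, 5]) + struct.pack("<5I", 21, 1, 2, 3, 1105)

if __name__ == "__main__":
    # "computer" is an assumed value; use the category/class from your directory.
    print(device_filter("PDA*)(cn=*", "computer", "computer"))
    print(single_device_sid([{"objectSid": SAMPLE_SID}]))
```

Which encoding the Wipe operation's deviceID parameter expects is not shown on the page, so check the SOAP definition before passing the decoded string.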

I have also hard-coded username/password for authentication, and included the FQDN of the web service which means you can run it from other computers in the LAN than the server, and without using the credentials of the logged-on user. This is purely for the purpose of illustration! Do not actually take this approach for a solution you will be using. (I like to show different techniques which is why I do it here, but I will change it later when tidying up the internals of my application.)

I guess we can check off another item on my “feature list” for the simple helpdesk utility. There are still a few steps that remain before we have a working application, but most of those aren’t relevant for you to go through. So I’ll perform those by myself, and present you with the result instead :)

We have scratched the surface of the web services interface in SCMDM, and showed some very simple things you can do with it. There are obviously some limitations to this interface to the servers, but you can probably still come up with other use cases than the ones I have. I might revisit the web service topic at a later time though. I’ll post a wrap-up of the helpdesk utility as soon as I have it compiled and performed an initial beta test.

SCMDM 2008 – Web Services - EnrollmentAdmin

Following my previous introduction to web services in SCMDM; to start off with the walkthroughs I’ll attack the EnrollmentAdminService first. Provided you have not altered the default port settings it can be located at
https://FQDN:8445/MDM/EnrollmentAdminService/Admin.asmx
where FQDN is your enrollment server.

The following operations are available:
image

We’ll have a closer look at the following operations:
- GetConfiguration
- SetConfiguration
- NewEnrollmentRequest
- RemoveEnrollmentRequest

The other operations also serve a purpose, but not necessarily in this context. (Do you perform traces daily?) GetEnrollmentServiceLog is useful, but is also easy to do in Powershell.

GetConfiguration
Testing this in the browser we see that no parameters are required.
image

Resulting XML (excerpt):
image

It’s basically a more verbose version of the cmdlet Get-EnrollmentConfig:
image

SetConfiguration
Browsing to this operation we see another scenario:
image

This basically means – you cannot test this in your browser.

NewEnrollmentRequest
This operation cannot be tested in the browser either, but we can learn something from the SOAP definitions:
image

These are the fields we need to provide to create an enrollment, and yes, they are the same fields needed for running the Powershell cmdlet New-EnrollmentRequest:
image

RemoveEnrollmentRequest
Just as easily as we can create enrollments, we can remove them. This only applies to enrollment requests (not enrolled devices), and is another name for canceling an enrollment. (Maybe you made a typo or something when creating the original request.)

You may invoke this operation from the web browser provided you have all the necessary details available (I don’t perform base64-encoding as a mental exercise):
image

Monkey see, monkey code
Ok. Let’s have a look at how this will work out in our own program. I adjusted some design elements from the mock-up, and I have also filled in sample values:
image

I have not implemented the two “Browse”-buttons yet, so no screenshots, but the first one should let you browse for users, and the second for OUs/CNs. The Device OU field should ideally be populated with the default OU for devices. Enrollment Password and Enrollment Expires could actually be labels as they are read-only.

Here’s the code snippet for the “Create Pre-Enrollment Request”-button:
image

Hard-coding the URL to the enrollment server is not very flexible, but it makes the sample shorter (as does the omission of a try-catch block). If you are wondering where the AdminEnrollService class came from, I added the web service as a web reference. (I haven’t shown any details regarding creating the Visual Studio project, but I don’t know if there’s a demand for it, or if people will figure it out themselves.)

I did an additional “cheat” as well here. I am not authenticating in any way. But I am running on the server, as administrator, and therefore it will work anyway.

So, does this work? Well, here’s what it looks like after clicking the “Create…”-button:
image

Guess it worked then! (Will get around to using the status bar later to output “OK” or something.)

Let’s try removing the request as well. First through the web browser:
image

Resulting XML:
image

It does seem easy, doesn’t it? But where did that base64 string come from? Well, when creating the pre-enrollment request a property called requestId is returned, so I caught this value in debug mode when creating the pre-enrollment and I pasted it into the web page.

Doing it in code would look like this:
image

GetConfiguration and SetConfiguration that I showed above aren’t really relevant to implement in coding. It’s easy to work it through Powershell, and I’ll leave it at that.

No, I didn’t include the code as images instead of providing text you can copy-paste just to be cruel. It looks better, and is easier for me, since I have some problems with the plug-in for syntax highlighting. It’s not large amounts of code to type though, and I might attach some source files later.

I hope you’re still following me (and enjoying the ride) – there’s still more web services to come :)