Overview
Windows devices are enrolled through the inbuilt application of the respective device, i.e Company app on Windows 8.0 and Workplace on Windows 8.1. The endpoints it triggers cannot be altered as required by the service developer. Therefore additional server configurations are required to manage Windows devices using WSO2 EMM.
...
The high level message flow of a Windows device is shown in the below diagram. The Windows device sends requests to a Proxy server that then directs the requests to the WSO2 EMM server.
How it works
Table of Contents | ||||
---|---|---|---|---|
|
Anchor | ||||
---|---|---|---|---|
|
When a user signs in through the Workplace application using a Windows device, the user's email address needs to be provided as shown below:
Info The email address is provided in the following format:
<user>@<EMAIL_DOMAIN>
.- The automatic discovery service of the device uses the following fields and constructs a unique URI:
- Append the subdomain
enterpriseenrollment
. - Extracts and append the domain from the username, i.e
<EMAIL_DOMAIN>
, that was submitted when signing in. - Append the path
/EnrollmentServer/Discovery.svc
.
Info The constructed URI will take the following format:
enterpriseenrollment.<EMAIL_DOMAIN>/EnrollmentServer/Discovery.svc
Example: If the given user name is
admin@wso2.com
the resulting URI would beenterpriseenrollment.wso2.com/EnrollmentServer/Discovery.svc
. - Append the subdomain
- The constructed URI will then be used to initiate the enrollment process of the mobile device.
Step 2: Proxy endpoint 01
Code Block | ||
---|---|---|
| ||
http://enterpriseenrollment.<EMAIL_DOMAIN>/enrollmentserver/discovery.svc |
The first Proxy endpoint known as the
Discovery Service Endpoint
receives the initial request from the device.Info The initial request from the device is a standard
HTTP GET
request.The received request is redirected by the Proxy Server to MDM endpoint 01 at the server end.
Info The
GET
request helps the device to check if the server is up and running.- Once a success message is returned to the device by MDM endpoint 01, It will move to the next step.
Step 3: MDM endpoint 01
Code Block | ||
---|---|---|
| ||
http://<server-ip>:<server-port>/mdm-windows-agent/discovery/ |
- This endpoint receives the initial
GET
request that was redirected by the Proxy Server. It then returns a success response to the device. - When the endpoint receives the success message from the server, the device triggers a
HTTPS POST
request to the same proxy endpoint (Proxy endpoint 01) .
The Proxy Server redirects the request to MDM endpoint 02, which is at the server side.
Step 4: MDM endpoint 02
Code Block | ||
---|---|---|
| ||
http://<server-ip>:<server-port>/mdm-windows-agent/discovery/ |
- Once the
POST
request from the device is received at this endpoint, the MDM server will include the following details within a response body and send to the device.- Authentication Policy.
- Proxy endpoint 02.
- Proxy endpoint 03.
Proxy endpoint for the Windows login page.
Code Block https://enterpriseenrollment.<EMAIL_DOMAIN>/emm/enrollments/windows/login-agent
- After receiving the above responses, the device requests are made in the following order:
The device requests for the login page using the proxy endpoint URL. The proxy server will then route the request to the following EMM endpoint.
Code Block http://<server-ip>:<server-port>/emm
- Next the device sends a request to Proxy endpoint 2 and 3 respectively.
Step 5: Proxy endpoint 02
Code Block | ||
---|---|---|
| ||
https://enterpriseenrollment.<EMAIL_DOMAIN>/enrollmentserver/policyenrollmentwebservice.svc |
Step 6: MDM endpoint 03
Code Block | ||
---|---|---|
| ||
http://<server-ip>:<server-port>/mdm-windows-agent/certificatepolicy/xcep |
MDM Endpoint 3 responds back to the device with the Certificate Enrollment Policy.
Info The Certificate Enrollment Policy is an implementation of the MS-XCEP 509 protocol.
- Once the certificate enrollment policy is received, the device sends the Certificate Signing Request (CSR) to Proxy endpoint 03.
Step 7: Proxy endpoint 03
Code Block | ||
---|---|---|
| ||
https://enterpriseenrollment.<EMAIL_DOMAIN>/enrollmentserver/deviceenrollmentwebservice.svc |
Step 8: MDM Endpoint 04
Code Block | ||
---|---|---|
| ||
http://<server-ip>:<server-port>/mdm-windows-agent/deviceenrolment/wstep |
- The service corresponding to this endpoint generates the signed certificate for the Certificate Signing Request and Root certificate.
It then responds to the device with an encoded
wap-provisioning.xml
file, which includes necessary certificates and other Device Management information.Info The certificate enrollment is an implementation of the
MS-WSTEP
protocol.The initial details provided through the
POST
request are used to persist the device details in the database.
At the end of this flow the device is successfully enrolled.
Step 9: Proxy Endpoint 04
Code Block | ||
---|---|---|
| ||
https://enterpriseenrollment.<EMAIL_DOMAIN>/syncml/initialquery |
This Proxy Server routes the message received to MDM endpoint 05.
Step 10: MDM Endpoint 05
Code Block | ||
---|---|---|
| ||
http://<server-ip>:<server-port>/mdm-windows-agent/services/Syncml/devicemanagement/request |
This endpoint will handle all the device management requests and responses.
Info |
---|
The protocol that is being used is SyncML v1.2. |