Thursday, April 21, 2016

Windows Device Support in WSO2 EMM 2.0.0

WSO2 Enterprise Mobility Manager (EMM) is a unique solution designed specifically to address mobile enterprise needs. EMM consists of two key aspects: Mobile Device Management (MDM) and Mobile Application Management (MAM). WSO2 EMM also supports single sign-on (SSO) and multi-tenancy.
EMM enables organizations to secure, manage and monitor Android, iOS and Windows powered devices (e.g., smartphones, iPod touch devices and tablet PCs), irrespective of the mobile operator, service provider or organization.
The administrator creates policies in EMM that define the device management rules to be applied to devices. When employees register their devices with EMM, the applicable policy rules (e.g., enabling the phone lock, disabling the camera) are enforced on their devices.

Windows device management has been supported since WSO2 EMM 2.0.0. Below we walk through the entire message flow of the Windows device registration process.


Proxy redirection configurations:

RewriteCond %{REQUEST_METHOD} ^(GET)$
RewriteRule ^/EnrollmentServer/Discovery.svc http://[serverIP]:port/mdm-windows-agent/services/discovery/get [P,L]
RewriteCond %{REQUEST_METHOD} ^(POST)$
RewriteRule ^/EnrollmentServer/Discovery.svc http://[serverIP]:port/mdm-windows-agent/services/discovery/post [P,L]

ProxyPass /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc http://[serverIP]:port/mdm-windows-agent/services/certificatepolicy/xcep
ProxyPassReverse /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc http://[serverIP]:port/mdm-windows-agent/services/certificatepolicy/xcep

ProxyPass /ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc http://[serverIP]:port/mdm-windows-agent/services/deviceenrolment/wstep
ProxyPassReverse /ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc http://[serverIP]:port/mdm-windows-agent/services/deviceenrolment/wstep

ProxyPass /Syncml/initialquery http://[serverIP]:port/mdm-windows-agent/services/syncml/devicemanagement/request
ProxyPassReverse /Syncml/initialquery http://[serverIP]:port/mdm-windows-agent/services/syncml/devicemanagement/request

ProxyPass /emm-web-agent http://[serverIP]:port/emm-web-agent
ProxyPassReverse /emm-web-agent http://[serverIP]:port/emm-web-agent

Windows devices are enrolled through the built-in system application (the Workplace app). On Windows 8.1/8 the user can reach the Workplace app through Settings > Workplace.
An existing user signs in with their email address, as in the example above. The device discovery service then takes the email address and creates the discovery request according to the message flow diagram above. The email address is provided in the following format: <user>@<EMAIL_DOMAIN>.
Device: Discovery Service
The device's automatic discovery service constructs a unique URI from the following fields:
  • Appends the subdomain enterpriseenrollment.
  • Extracts and appends the domain from the username, i.e. <EMAIL_DOMAIN>, that was submitted when signing in.
  • Appends the path /EnrollmentServer/Discovery.svc
Example request URI for the mail address admin@wso2.com:
https://enterpriseenrollment.wso2.com/EnrollmentServer/Discovery.svc

Since the EMM server does not provide endpoints of that form (/EnrollmentServer/Discovery.svc), a proxy server (Apache2) is used to redirect the service calls. The following proxy pass configuration redirects the discovery endpoint:

RewriteRule ^/EnrollmentServer/Discovery.svc http://10.10.10.70:9763/mdm-windows-agent/services/discovery/post [P,L]

These proxy configuration mappings are described in detail here.

The first GET request (.../mdm-windows-agent/services/discovery/get) checks server availability and returns a success (200) response; the proxy then directs a POST request (.../mdm-windows-agent/services/discovery/post) to the server-side discovery endpoint.
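To make the discovery step concrete, here is an added Python example (not code from the original post or from WSO2 EMM) that derives the discovery URI from a user principal name exactly as the three steps above describe, and then reproduces the post's RewriteRule/ProxyPass mappings as a small routing function so you can see which backend URL each public request ends up at. The backend address 10.10.10.70:9763 is the one used in the post's mappings; the domain validation and the segment-wise prefix match are my assumptions about what a careful proxy should do, not documented WSO2 behaviour.

```python
import re
from urllib.parse import urlsplit

# Backend address taken from the post's own proxy mappings.
BACKEND = "http://10.10.10.70:9763"

# Conservative hostname syntax (assumption): labels of letters, digits and
# hyphens, at least one dot, so a malformed UPN cannot yield an odd host name.
DOMAIN_RE = re.compile(
    r"^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?(\.[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?)+$"
)


def discovery_uri(upn):
    """Derive the Windows enrollment discovery URI from a user principal name.

    Mirrors the post's three steps: prepend the enterpriseenrollment subdomain,
    append the domain part of the UPN, append /EnrollmentServer/Discovery.svc.
    """
    local, sep, domain = upn.strip().rpartition("@")
    domain = domain.lower()
    if not sep or not local or not DOMAIN_RE.match(domain):
        raise ValueError("UPN must be <user>@<EMAIL_DOMAIN>: %r" % upn)
    return "https://enterpriseenrollment.%s/EnrollmentServer/Discovery.svc" % domain


# Routing table reproduced from the post: (kind, method, public path, backend path).
# "rewrite" rows stand for the RewriteCond/RewriteRule pairs, which are keyed by
# HTTP method; "prefix" rows stand for ProxyPass, which matches a path prefix and
# carries the remainder of the path (and the query string) over to the backend.
ROUTES = [
    ("rewrite", "GET", "/EnrollmentServer/Discovery.svc",
     "/mdm-windows-agent/services/discovery/get"),
    ("rewrite", "POST", "/EnrollmentServer/Discovery.svc",
     "/mdm-windows-agent/services/discovery/post"),
    ("prefix", None, "/ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc",
     "/mdm-windows-agent/services/certificatepolicy/xcep"),
    ("prefix", None, "/ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc",
     "/mdm-windows-agent/services/deviceenrolment/wstep"),
    ("prefix", None, "/Syncml/initialquery",
     "/mdm-windows-agent/services/syncml/devicemanagement/request"),
    ("prefix", None, "/emm-web-agent", "/emm-web-agent"),
]


def route(method, url):
    """Return the backend URL the proxy would forward `url` to, or None.

    Only the path and query of the public URL matter, as for the proxy itself;
    a request matched by no rule is not forwarded at all.
    """
    parts = urlsplit(url)
    path, query = parts.path, parts.query
    for kind, m, public, backend in ROUTES:
        if kind == "rewrite":
            # RewriteRule regex anchored at the start of the path, as in the post.
            if method.upper() == m and re.match("^" + re.escape(public), path):
                target = backend
                break
        elif path == public or path.startswith(public.rstrip("/") + "/"):
            # ProxyPass: prefix match on a segment boundary, remainder appended.
            target = backend + path[len(public):]
            break
    else:
        return None
    return BACKEND + target + ("?" + query if query else "")
```

The two rewrite rows are tried first, matching the order in which mod_rewrite runs before ProxyPass is consulted; a request that matches neither returns None, which is the behaviour you want from a gateway that should expose only the enrollment endpoints.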

Server: Discovery Server endpoint

Once the POST request is received at the discovery endpoint, the following (proxy) endpoints are attached to the response body and sent to the device:
1. Authentication policy (Federated)
2. Proxy endpoint for the enrollment policy (/ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc)
3. Proxy endpoint for the enrollment service (/ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc)
4. Proxy endpoint for the Windows login page (/emm-web-agent)
  
The device requests the login page through the received proxy endpoint URL. The proxy server then redirects this request according to the following mapping:


ProxyPass  /emm-web-agent   http://10.10.10.70:9763/emm-web-agent 

The EMM broker page is rendered by the server.

Server: Web Authentication Broker
Windows Phone 8.1 adds support for Federated as a supported AuthPolicy value. When the authentication policy is set to Federated, the enrollment client leverages the Web Authentication Broker (WAB) to obtain a security token. The WAB start page URL is provided by the discovery service in the response message (the proxy endpoint for the Windows login page). The enrollment client calls the WAB API with the URL from the response message to start the WAB process. WAB pages are server-hosted web pages; the server should build them to fit the phone screen and to be as consistent as possible with the rest of the MDM enrollment UI. The opaque security token returned from WAB as the end page is used by the enrollment client as the device security secret during the client certificate enrollment request calls (the XCEP and WSTEP calls, described later).
The enrollment client (Windows device) issues an HTTPS request as follows:
AuthenticationServiceUrl?appru=<appid>&login_hint=<User Principal Name> 


<appid> is of the form ms-app://string.
<User Principal Name> is the name of the enrolling user, for example admin@wso2.com, as entered by the user on the enrollment sign-in page. The value of this attribute serves as a hint that the authentication server can use as part of authentication.

After authentication is complete, the web authentication broker must take the binary security token (BST) for the specific user from the BST endpoint and send it back to the device.
The auth server SHOULD return an HTML form document whose POST method action is the appid identified in the query string parameter. For example:


<html>
<head>
<title>Working...</title>
<script>
function formSubmit() {
  document.forms[0].submit();
}
window.onload = formSubmit;
</script>
</head>
<body>
<!-- The appid in the post action below must be the same as the appid in the previous client HTTPS request. -->
<form method="post" action="ms-app://appid">
<p><input type="hidden" name="wresult" value="token value"/></p>
<input type="submit"/>
</form>
</body>
</html>
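As an added example (not the post's or WSO2's own code), the following Python renders that end page from the appru and login_hint parameters of the WAB request shown earlier. It goes slightly beyond the snippet above: appru is accepted only when it is a well-formed ms-app:// identifier, and both the appid and the token are HTML-escaped before being placed in the form, since a token containing quotes or angle brackets would otherwise break out of the value attribute. The allowed character set for the appid and the sample values used in the test are assumptions.

```python
import re
from html import escape
from urllib.parse import parse_qs, urlsplit

# Assumed shape of a WAB app identifier: ms-app:// followed by a restricted
# character set (Windows app identities are SID-like strings of this form).
APPID_RE = re.compile(r"^ms-app://[A-Za-z0-9._~-]+$")


def parse_wab_request(url):
    """Extract appru and login_hint from the enrollment client's WAB request.

    Both parameters are untrusted input to the auth server. appru ends up in the
    action attribute of the form the server returns, so it is accepted only when
    it is a well-formed ms-app:// identifier; any other scheme is refused.
    """
    qs = parse_qs(urlsplit(url).query)
    appru = qs.get("appru", [""])[0]
    login_hint = qs.get("login_hint", [""])[0]
    if not APPID_RE.match(appru):
        raise ValueError("appru is not a well-formed ms-app:// identifier: %r" % appru)
    return appru, login_hint


def wab_end_page(appid, token):
    """Render the WAB end page that posts the binary security token back to appid.

    The markup follows the post's example. appid and token are HTML-escaped so
    that a value containing quotes or angle brackets stays inside its attribute
    instead of becoming markup.
    """
    return (
        "<html><head><title>Working...</title>"
        "<script>function formSubmit(){document.forms[0].submit();}"
        "window.onload=formSubmit;</script></head><body>"
        '<form method="post" action="%s">'
        '<p><input type="hidden" name="wresult" value="%s"/></p>'
        '<input type="submit"/></form></body></html>'
    ) % (escape(appid, quote=True), escape(token, quote=True))
```

The token itself is opaque to this code, which is the point: the auth server only has to carry it to the device intact, and escaping is what guarantees the device receives the exact bytes it was given.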



Server: License agent
Loads the license according to the device type.
Device: Certificate Client
The certificate client then sends its request with the BST (binary security token).
The client needs to get the certificate policy from the server endpoint; the server provided the proxy endpoint for the EnrollmentPolicy URL earlier.

Example Proxy mapping:

ProxyPass /ENROLLMENTSERVER/PolicyEnrollmentWebservice.svc http://10.10.10.70:9763/mdm-windows-agent/services/certificatepolicy/xcep



Server: XCEP Server Endpoint
This XCEP web service implements the X.509 Certificate Enrollment Policy Protocol (MS-XCEP) specification that allows customizing certificate enrollment to match different security needs of enterprises at different times (cryptographic agility). The service processes the GetPolicies message from the client, authenticates the client, and returns matching enrollment policies in the GetPoliciesResponse message.

After the user is authenticated, the web service retrieves the certificate template that the user should enroll with and creates enrollment policies based on the certificate template properties.

The client sends the certificate signing request according to the policy template given by the XCEP endpoint.
The discovery endpoint provided the related proxy endpoint, and the proxy server redirects the request to the WSTEP endpoint.

Proxy mapping:
ProxyPass /ENROLLMENTSERVER/DeviceEnrollmentWebservice.svc http://10.10.10.70:9763/mdm-windows-agent/services/deviceenrolment/wstep 

Server: WSTEP Server Endpoint
This web service implements the MS-WSTEP protocol. It processes the RequestSecurityToken (RST) message from the client, authenticates the client using the binary security token provided earlier, requests the certificate from the CA, and returns it in the RequestSecurityTokenResponse (RSTR) to the client. Besides the issued certificate, the response also contains the configuration needed to provision the DM client.

Other configurations for the device management client:
  • Server certificate
  • Signed certificate
  • Server credentials
  • Client credentials
  • Next server endpoint for initiating the DM client provisioning session (/Syncml/initialquery)
Proxy mapping:
ProxyPass /Syncml/initialquery http://10.10.10.70:9763/mdm-windows-agent/services/syncml/devicemanagement/request

Device: Device Management Client
The DM client sends the initial SyncML (XML) request, which contains the initial device details to be persisted on the server side.

Server: Syncml Server Endpoint
Takes the SyncML request, parses it, persists the initial details and handles the device management scenarios.



Sunday, April 10, 2016

Apache proxy configurations for windows



The Apache HTTP server (apache2) can be configured as a forward proxy or as a reverse proxy, also known as gateway mode. A proxy is an intermediary between client and server: the client sends a request to the server, but that request is actually received by the proxy server, which forwards it to the original server, obtains the content from that server and returns the response to the client while behaving as the original target endpoint.



Here the client only knows the area indicated by number 1, and the server only knows the area indicated by number 2.

First of all we need to configure the apache2 server to behave as a proxy (gateway mode).
These configurations depend on the OS platform. Earlier I described how to configure the Apache proxy in a Linux environment; now we can see how to configure it in a Windows environment.

1. Download the Apache server from http://www.apachelounge.com/download/
2. Open httpd.conf in "Apache_home\conf"
3. Uncomment the lines below in 'httpd.conf' (search for mod_proxy)

LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_ajp_module modules/mod_proxy_ajp.so
LoadModule proxy_http_module modules/mod_proxy_http.so


4. Add the lines below at the end of 'httpd.conf' for proxy passing

ProxyPass <proxyname> <endpointURL>
e.g.:

ProxyPass "/foo" "http://foo.example.com/bar"  
ProxyPassReverse "/foo" "http://foo.example.com/bar"
 

5. Restart the Server.
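An added Python check (not part of the post or of Apache) for the kind of httpd.conf fragment produced by steps 3 and 4: it parses the ProxyPass, ProxyPassReverse and ProxyRequests directives and flags the mistakes that are easy to make when turning on mod_proxy, namely leaving ProxyRequests On (which enables forward proxying, and therefore an open proxy unless access is restricted), a ProxyPass without its ProxyPassReverse, and a backend reached over plaintext http. The sample configuration is constructed for this example; only the backend address is taken from the post's own mappings.

```python
import re
from urllib.parse import urlsplit

# Constructed httpd.conf fragment (not from the post). The backend address is
# the one the post's own mappings use; "ProxyRequests On" and the missing
# ProxyPassReverse are deliberate mistakes for the linter to find.
SAMPLE_CONF = """
LoadModule proxy_module modules/mod_proxy.so
LoadModule proxy_http_module modules/mod_proxy_http.so
ProxyRequests On
ProxyPass "/emm-web-agent" "http://10.10.10.70:9763/emm-web-agent"
ProxyPassReverse "/emm-web-agent" "http://10.10.10.70:9763/emm-web-agent"
ProxyPass /Syncml/initialquery http://10.10.10.70:9763/mdm-windows-agent/services/syncml/devicemanagement/request
"""

# Apache directive names are case-insensitive; longest alternative first.
DIRECTIVE_RE = re.compile(r"^\s*(ProxyPassReverse|ProxyPass|ProxyRequests)\s+(.*)$", re.I)


def _args(rest):
    """Split directive arguments, honouring the optional double quotes."""
    return [a.strip('"') for a in re.findall(r'"[^"]*"|\S+', rest)]


def lint_proxy_conf(text):
    """Return a list of human-readable findings for the proxy directives in text."""
    findings = []
    passes, reverses = {}, {}
    proxy_requests = "off"  # Apache's default when the directive is absent
    for lineno, line in enumerate(text.splitlines(), 1):
        m = DIRECTIVE_RE.match(line)
        if not m:
            continue
        name, args = m.group(1).lower(), _args(m.group(2))
        if name == "proxyrequests" and args:
            proxy_requests = args[0].lower()
        elif name == "proxypass" and len(args) >= 2:
            passes[args[0]] = (lineno, args[1])
        elif name == "proxypassreverse" and len(args) >= 2:
            reverses[args[0]] = (lineno, args[1])

    if proxy_requests == "on":
        findings.append("ProxyRequests On enables forward proxying (an open forward proxy "
                        "unless access is restricted); reverse proxying with ProxyPass does not need it")
    for path, (lineno, target) in passes.items():
        if urlsplit(target).scheme == "http":
            findings.append("line %d: ProxyPass %s forwards to %s over plaintext http"
                            % (lineno, path, target))
        if path not in reverses:
            findings.append("line %d: ProxyPass %s has no matching ProxyPassReverse, "
                            "so Location headers from the backend will expose the backend address"
                            % (lineno, path))
        elif reverses[path][1] != target:
            findings.append("line %d: ProxyPassReverse %s points at %s, not %s"
                            % (reverses[path][0], path, reverses[path][1], target))
    return findings


if __name__ == "__main__":
    for finding in lint_proxy_conf(SAMPLE_CONF):
        print(finding)
```

Run it against the real httpd.conf after step 4 and before the restart in step 5; a clean file produces no findings. The plaintext-http finding is a judgement call on an isolated internal network, but worth an explicit decision given that the device side of this flow is strictly HTTPS.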