Posts Tagged ‘Windows Mobile’

Needed: OMA DM API on Windows Mobile

Tuesday, April 8th, 2008

The Windows Mobile device management platform supports two different Open Mobile Alliance (OMA) standards:  OMA Client Provisioning (OMA CP) and OMA Device Management (OMA DM).  By the way, OMA CP is the new name for WAP Provisioning.  So, when you see Windows Mobile configuration XML with the root node of <wap-provisioningdoc>, you know you are using OMA CP.

Because Windows Mobile supports both OMA CP and OMA DM, you’ll find that MSDN documentation for most Windows Mobile Configuration Service Providers will include information on configuration XML for both standards.  OMA DM is supposed to be the new, improved standard (and it is in many ways).  So, you may wonder why OMA CP support is still included.

As with most wireless-related standards and protocols, ubiquitous deployment and use of OMA DM has been slow.  OMA CP is still widely used.  Of course, the improvements inherent to OMA DM will drive eventual OMA DM ubiquity, but for now, OMA CP still rules the roost.

But, from a Windows Mobile developer point of view, there is another reason why OMA DM is slow to take hold.  The Windows Mobile device management platform does not come with an OMA DM API.  The only way to take advantage of Windows Mobile OMA DM functionality is to bootstrap an OMA DM server to the device and interact with the platform through a client/server connection.

In comparison, the Windows Mobile device management platform provides much richer interfaces to configure the device using OMA CP.  There is a nice API, DMProcessConfigXML (this is the native API; the managed .NET CF API is called ProcessConfigXML in Microsoft.WindowsMobile.Configuration).  You can also configure the device via the Remote API (RAPI) that is exposed on desktop PCs running ActiveSync or the Vista Windows Mobile Device Center (WMDC).  Of course, OMA CP can also be configured via a WAP provisioning server for the client/server connection functionality.  But, for device developers, we need a client-side API, which does not exist for OMA DM on Windows Mobile.

Why do we need a client-side API for OMA DM?  The main reason is to build a value-added device management solution for customers that want more than what you can get out-of-the-box with the Windows Mobile device management platform.

For instance, a client application can save bandwidth and improve performance by adding smart query logic to device management transactions.  Otherwise, you’d need to offload all the logic to the server.  An example might be that a client can detect a new Bluetooth profile registration and allow or disallow its use based on a pre-configured policy.  Without this, the information must be uploaded to the server, processed by an admin or some server-side application, and a new policy provisioned to the device’s networkpolicy CSP.  That’s just one example though.

Another reason to build a client application for device management is to add new device management features to those provided out-of-the-box.  If you use a device with a built-in GPS, RFID reader, etc., you may want to manage these devices and their requisite applications as well.  And, if you want to support device management across multiple hardware and operating system platforms, you’ll probably end up opting to build a device management client.

You may be thinking that this is all a lot of whining though, because the Windows Mobile device management platform still makes OMA CP configuration accessible to applications.  But, consider that in Windows Mobile 6.1, almost all of the new software management Configuration Service Providers are OMA DM only, with no ability to manage them via OMA CP.  This means that a Windows Mobile device management developer will need to use an OMA DM server or a proprietary client application to leverage the new, cool, built-in Configuration Service Providers that manage software and ROM update installations.

In conclusion, the call to action is for Microsoft to provide a public, documented API for applications to interface with Windows Mobile OMA DM components, just like OMA CP.  Perhaps DMProcessConfigXML() can be extended to support both OMA DM and OMA CP XML input.

Dave Field, CISSP, MCP

Device Management and Security Architect

Enterprise Mobile, Inc.

The “Save Password” checkbox does not work in Mobile IE

Wednesday, April 2nd, 2008

Hello,

Here is a little issue that I researched this week and I thought I’d share it on the blog.

PROBLEM:  When accessing a website that is secured to use an NTLM authenticated password, the “Save Password” option does not work on Windows Mobile Pocket PCs and Smartphones.

Here are detailed steps that outline how to reproduce this problem using a Motorola/Symbol MC70 Pocket PC.  Note that the test device was running Windows Mobile 5.0 AKU3.

1.       Perform a “clean” reboot of the device, which is a cold boot that resets all storage volumes on the device to factory defaults.

2.       Configure a website connected to an Active Directory domain to use password authentication.  During testing, you’ll need access to IIS Admin.

a.       Start out using basic authentication.  In properties for the website, open the “Directory Security” tab, click the “Edit” button for “Authentication and access control” and check the box for “Basic authentication”.

b.      Use of HTTPS/SSL is irrelevant to the test.  However, basic authentication should not be used without SSL because the basic password is sent in clear text.

3.       From the device, open the website in the Mobile IE browser.  You will be prompted for the password.  Note:  “Realm” is included in the Basic authentication dialog box.  For NTLM authentication, “domain” input is required.

4.       Enter your domain\username and your password.  Make sure to check the “Save Password” box.  Then tap “OK”.

5.       Confirm that your password-secured site renders in the Mobile IE browser.

6.       At this point, if you were to refresh the page or even browse to a couple of sites before revisiting the site, you would not be asked for the password again.  This is because the website page that was opened after authentication is cached.  By exiting the browser session and re-opening the page, authentication occurs again.  You can exit the browser session by warm resetting.  But, it is easier to stop and restart the “internet explorer” process as follows:

a.       On the device, go to Settings/System tab/Memory/Running Programs tab.

b.      Select “Internet Explorer” from the “Running Programs List:”

c.       Tap the “Stop” button.  This stops the browser process.

7.       Re-open the Mobile IE browser on the device and browse to the website again.  You should find that you do not need to enter the credentials this time for the web site because they are cached.

CONCLUSION:  Save Password works with “Basic Auth”

8.       Close the browser session again as described above in step #6.

9.       In IIS admin, change the authentication for your website from basic to NTLM:

a.       Uncheck basic and check the box for “Integrated Windows Authentication” which is NTLM.

b.      Stop and restart the website to ensure the authentication change is implemented.

10.   On the device, confirm that the “internet explorer” process is not running.  If it is, stop the process.

11.   Open Mobile IE and browse the website again.  This time, you’ll see the authentication dialog for NTLM (Windows Integrated) authentication.  You’ll see that username and domain are cached from the previous use of your credentials for basic authentication.  However, the previously cached password is not re-used.

12.   Enter your password and be sure to check the “save password” box prior to tapping the “OK” button.

13.   Confirm that your password-secured site renders in the Mobile IE browser.

14.   Close the browser session again as described above in step #6.

15.   Now re-open the website.

16.   You will see the same authentication dialog that you saw in step #11 above.

CONCLUSION:  By default, the “Save Password” option exposed in the Mobile IE authentication dialog does not save the password for NTLM authentication cases.

WHY DOES THIS HAPPEN?:  Underlying Mobile IE is the Windows Internet API (wininet), a set of core code inherited from desktop Windows.  You may have noticed that in order to cache NTLM credentials with desktop IE, you need to configure the website as an “intranet” zone website.  Furthermore, you have to set the user authentication logon security setting to “automatic logon only for intranet zone” or “Automatic Logon for user name and password”.  Once the user of desktop IE has entered and saved their password for the “intranet” website one time, they no longer need to enter it on subsequent use.  Mobile IE encounters the same problem as desktop IE, but in Windows Mobile IE there is no configuration UI to allow the user to make these changes.

SOLUTION:  You can add the website to the list of intranet sites by hacking the registry on the device.  To configure http://www.yoursite.com/ and https://www.yoursite.com/ as “intranet” websites and therefore eligible for NTLM password caching:

  1. Add the registry key:  HKLM\Software\Microsoft\Windows\CurrentVersion\Internet settings\ZoneMap\domains\yoursite.com\www
  2. Under this new key add 2 values: “http” and “https”
  3. Set each of the 2 values to “1”

NOTES:

  • The website domain name prefix (eg, “www”) is configured as a sub-key of the domain name (eg, “yoursite.com”).
  • You need to configure each URI scheme (http, https, ftp, etc.) that may be used for the website.  Each different URI scheme will require a separate instance of the cached password.
  • By setting value=“1” for the URI scheme, you are configuring that full URI as a site in the “intranet” zone.  Here are the values associated with all zones: 0 My Computer, 1 Local Intranet Zone, 2 Trusted Sites Zone, 3 Internet Zone, 4 Restricted Sites Zone.
  • For a full discussion of all security zone registry settings see: http://support.microsoft.com/kb/182569

  • There are a number of registry editors for Windows Mobile devices that you can download and use.  Alternatively, you can use WAP Provisioning XML to query and write to the registry via the registry configuration service provider.  You can use a tool such as rapiconfig to apply WAP provisioning XML to Windows Mobile devices.  The rapiconfig tool is available in the Windows Mobile Software Development Kits.
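As an added example (not code from the original post), the script below builds the WAP Provisioning XML that would put the ZoneMap key and scheme values above in place via the Registry CSP, ready to be fed to rapiconfig or DMProcessConfigXML.  The `characteristic`/`parm` layout used for the Registry CSP and the two-label split of the host into “yoursite.com” plus a “www” prefix are my assumptions, not something the post spells out.

```python
from urllib.parse import urlsplit
import xml.etree.ElementTree as ET

# Zone numbers from the ZoneMap registry settings (KB182569):
# 0 My Computer, 1 Local Intranet, 2 Trusted Sites, 3 Internet, 4 Restricted Sites
LOCAL_INTRANET_ZONE = 1
ZONEMAP_ROOT = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Internet settings\ZoneMap\domains"
SCHEMES = ("http", "https", "ftp")


def zonemap_key(url):
    """Return (registry key, value name) for one URL.

    Assumption: the last two host labels are the registered domain (yoursite.com)
    and everything before them is the prefix sub-key (www), as in the post.
    """
    parts = urlsplit(url)
    if parts.scheme not in SCHEMES or not parts.hostname:
        raise ValueError(f"unsupported URL: {url!r}")
    labels = parts.hostname.lower().split(".")
    if len(labels) < 2:
        raise ValueError(f"need a dotted host name: {parts.hostname!r}")
    domain = ".".join(labels[-2:])           # yoursite.com
    prefix = ".".join(labels[:-2])           # www (empty for a bare domain)
    key = ZONEMAP_ROOT + "\\" + domain + ("\\" + prefix if prefix else "")
    return key, parts.scheme


def build_provisioning_xml(urls, zone=LOCAL_INTRANET_ZONE):
    """Build OMA CP (wap-provisioningdoc) XML for the Registry CSP.

    Each URL becomes a DWORD value named after its scheme under its ZoneMap key;
    duplicate (key, scheme) pairs collapse into a single value. Assumed CSP format:
    <characteristic type="Registry"><characteristic type="HKLM\\..."><parm .../>.
    """
    if zone not in range(0, 5):
        raise ValueError(f"zone must be 0..4, got {zone}")
    doc = ET.Element("wap-provisioningdoc")
    registry = ET.SubElement(doc, "characteristic", type="Registry")
    nodes, seen = {}, set()
    for url in urls:
        key, scheme = zonemap_key(url)
        if (key, scheme) in seen:
            continue
        seen.add((key, scheme))
        if key not in nodes:
            nodes[key] = ET.SubElement(registry, "characteristic", type=key)
        ET.SubElement(nodes[key], "parm", name=scheme, value=str(zone), datatype="integer")
    return ET.tostring(doc, encoding="unicode")


if __name__ == "__main__":
    print(build_provisioning_xml(["http://www.yoursite.com/", "https://www.yoursite.com/"]))
```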

Dave Field, CISSP, MCP

Device Management and Security Architect

Enterprise Mobile, Inc.