diff --git a/changes/15408-fix-windows-mdm-poll-interval b/changes/15408-fix-windows-mdm-poll-interval
new file mode 100644
index 0000000000..7f4fae6470
--- /dev/null
+++ b/changes/15408-fix-windows-mdm-poll-interval
@@ -0,0 +1 @@
+* Fixed the Windows MDM polling interval so that enrolled devices check-in regularly with Fleet to look for pending MDM-related actions.
diff --git a/server/mdm/microsoft/syncml/syncml.go b/server/mdm/microsoft/syncml/syncml.go
index fe0211fb50..c2e7f222cf 100644
--- a/server/mdm/microsoft/syncml/syncml.go
+++ b/server/mdm/microsoft/syncml/syncml.go
@@ -248,27 +248,6 @@ const (
 // The DocProvisioningVersion attributes defines the version of the provisioning document format
 DocProvisioningVersion = "1.1"
 
- // The number of times the DM client should retry to connect to the server when the client is initially configured or enrolled to communicate with the server.
- DmClientCSPNumberOfFirstRetries = "8"
-
- // The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfFirstRetries
- DmClientCSPIntervalForFirstSetOfRetries = "15"
-
- // The number of times the DM client should retry a second round of connecting to the server when the client is initially configured/enrolled to communicate with the server
- DmClientCSPNumberOfSecondRetries = "5"
-
- // The waiting time (in minutes) for the second set of retries as specified by the number of retries in NumberOfSecondRetries
- DmClientCSPIntervalForSecondSetOfRetries = "3"
-
- // The number of times the DM client should retry connecting to the server when the client is initially configured/enrolled to communicate with the server
- DmClientCSPNumberOfRemainingScheduledRetries = "0"
-
- // The waiting time (in minutes) for the initial set of retries as specified by the number of retries in NumberOfRemainingScheduledRetries
- DmClientCSPIntervalForRemainingScheduledRetries = "1560"
-
- // It allows the IT admin to require the device to start a management session on any user login, regardless of if the user has preciously logged in
- DmClientCSPPollOnLogin = "true"
-
 // It specifies whether the DM client should send out a request pending alert in case the device response to a DM request is too slow.
 DmClientCSPEnableOmaDmKeepAliveMessage = "true"
 
diff --git a/server/service/microsoft_mdm.go b/server/service/microsoft_mdm.go
index 37292cb50d..971de43f76 100644
--- a/server/service/microsoft_mdm.go
+++ b/server/service/microsoft_mdm.go
@@ -680,14 +680,37 @@ func NewDMClientProvisioningData() mdm_types.Characteristic {
 newCharacteristic(syncml.DocProvisioningAppProviderID, []mdm_types.Param{}, []mdm_types.Characteristic{
 newCharacteristic("Poll", []mdm_types.Param{
- newParm("NumberOfFirstRetries", syncml.DmClientCSPNumberOfFirstRetries, syncml.DmClientIntType),
- newParm("IntervalForFirstSetOfRetries", syncml.DmClientCSPIntervalForFirstSetOfRetries, syncml.DmClientIntType),
- newParm("NumberOfSecondRetries", syncml.DmClientCSPNumberOfSecondRetries, syncml.DmClientIntType),
- newParm("IntervalForSecondSetOfRetries", syncml.DmClientCSPIntervalForSecondSetOfRetries, syncml.DmClientIntType),
- newParm("NumberOfRemainingScheduledRetries", syncml.DmClientCSPNumberOfRemainingScheduledRetries, syncml.DmClientIntType),
- newParm("IntervalForRemainingScheduledRetries", syncml.DmClientCSPIntervalForRemainingScheduledRetries, syncml.DmClientIntType),
- newParm("PollOnLogin", syncml.DmClientCSPPollOnLogin, syncml.DmClientBoolType),
- newParm("AllUsersPollOnFirstLogin", syncml.DmClientCSPPollOnLogin, syncml.DmClientBoolType),
+ // AllUsersPollOnFirstLogin - enabled
+ // https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollalluserspollonfirstlogin
+ newParm("AllUsersPollOnFirstLogin", "true", syncml.DmClientBoolType),
+
+ // PollOnLogin - enabled
+ // https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollpollonlogin
+ newParm("PollOnLogin", "true", syncml.DmClientBoolType),
+
+ // NumberOfFirstRetries - 0 (meaning repeat infinitely, Second and Remaining retries will not be used)
+ // https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollnumberoffirstretries
+ //
+ // Note that the docs do mention:
+ //
+ // The total time for first set of retries shouldn't be more than
+ // a few hours. The server shouldn't set NumberOfFirstRetries to
+ // be 0. 
RemainingScheduledRetries is used for the long run
+ // device polling schedule.
+ //
+ // but we really want to keep polling regularly at short intervals
+ // and it seems like the way to do it (and they do support infinite
+ // retries, so...).
+ newParm("NumberOfFirstRetries", "0", syncml.DmClientIntType),
+ // IntervalForFirstSetOfRetries - 1 minute (we can't go lower than that)
+ // https://learn.microsoft.com/en-us/windows/client-management/mdm/dmclient-csp#deviceproviderprovideridpollintervalforfirstsetofretries
+ newParm("IntervalForFirstSetOfRetries", "1", syncml.DmClientIntType),
+
+ // Second and Remaining retries are disabled (0).
+ newParm("NumberOfSecondRetries", "0", syncml.DmClientIntType),
+ newParm("IntervalForSecondSetOfRetries", "0", syncml.DmClientIntType),
+ newParm("NumberOfRemainingScheduledRetries", "0", syncml.DmClientIntType),
+ newParm("IntervalForRemainingScheduledRetries", "0", syncml.DmClientIntType),
 }, nil),
 }),
 }),
diff --git a/tools/mdm/windows/poc-mdm-server/README.md b/tools/mdm/windows/poc-mdm-server/README.md
index 9ac47cba06..74760b2de2 100644
--- a/tools/mdm/windows/poc-mdm-server/README.md
+++ b/tools/mdm/windows/poc-mdm-server/README.md
@@ -7,7 +7,7 @@ This project uses the protocols:
 - [MS-MDE](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-mde/d9e18701-cd4c-4fdb-8a3e-c1ddd33b1307)
 - [MS-MDM](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-mdm/33769a92-ac31-47ef-ae7b-dc8501f7104f)
-- [MS-WSTEP](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea)
+- [MS-WSTEP](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wstep/4766a85d-0d18-4fa1-a51f-e5cb98b752ea)
 - [MS-XCEP](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-xcep/08ec4475-32c2-457d-8c27-5a176660a210)
 - [OMA Device Management Protocol](https://www.openmobilealliance.org/release/DM/V1_2_1-20080617-A/OMA-TS-DM_Protocol-V1_2_1-20080617-A.pdf)
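Review bot: The Poll parameters are now inline literals ("true", "0", "1") inside NewDMClientProvisioningData while the commit deletes the named syncml.DmClientCSP* constants that carried them (the syncml.go hunk), yet the remaining DmClientCSP* values in that package keep the named-constant pattern; consider keeping these as named constants too, e.g. `DmClientCSPIntervalForFirstSetOfRetries = "1"`, so the polling policy lives in one place and tests can reference it instead of repeating literals. The NumberOfFirstRetries comment already acknowledges that Microsoft's documentation says the server shouldn't set it to 0, so the fix relies on behavior the vendor advises against; record in that comment which Windows builds the infinite-retry behavior was verified on (`// Verified on: <Windows versions tested>`) so that a future DM client that starts honoring the guidance — which would silently stop devices polling, the very symptom this change fixes — can be recognized quickly. A 1-minute interval with unlimited first retries and the second/remaining schedules zeroed also means every enrolled device contacts Fleet roughly once a minute with no backoff, which is worth stating in the comment as a load consideration for large deployments. NewDMClientProvisioningData begins and ends outside the hunk.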
@@ -22,7 +22,9 @@ This code is MIT licensed and it was forked from [here](https://github.com/oscar ## Usage -On the server side, you just need to run the project using the already provided cert and keys. So go to the project folder and run. +On the server side, you just need to run the project using the already provided cert and keys. The certificate is in `.pfx` file format, so you need to extract the certificate and key first, see https://stackoverflow.com/a/59120388/1094941. + +Next go to the project folder and run. ```bash go run . @@ -31,11 +33,11 @@ go run . On the Windows client side, you need to import a custom CA certificate to the certificate store, and populate the `hosts` file before running the Windows Enrollment. The certificate to import is on the certs directory and it is called `dev_cert_mdmwindows_com.pfx`. You need to copy this certificate to the client machine and run the powershell command below. This is required because the project uses a local dev https endpoint. 1) Import certificate to Trusted CAs repository (be sure to update the path to the pfx certificate) - + powershell -ep bypass "$mypwd = ConvertTo-SecureString -String 'testpassword' -Force -AsPlainText ; Import-PfxCertificate -FilePath c:\path\to\dev_cert_mdmwindows_com.pfx -CertStoreLocation Cert:\LocalMachine\Root -Password $mypwd" - + 2) Add mdmwindows.com to the list of static DNS - + echo mdmwindows.com >> %SystemRoot%\System32\drivers\etc\hosts echo autodiscovery.mdmwindows.com >> %SystemRoot%\System32\drivers\etc\hosts echo enterpriseenrollment.mdmwindows.com >> %SystemRoot%\System32\drivers\etc\hosts 
@@ -55,19 +57,19 @@ Below is the raw https exchange of the MS-MDE and MS-MDM protocols when run usin Cache-Control: no-cache Pragma: no-cache User-Agent: ENROLLClient - - + + ----------- Empty Input Body ----------- ========================================================================= - - - + + + ============================= Output Response ============================= ----------- Response Header ----------- HTTP/1.1 200 OK Connection: close - - + + ----------- Empty Response Body ----------- ========================================================================= @@ -78,10 +80,10 @@ Below is the raw https exchange of the MS-MDE and MS-MDM protocols when run usin Content-Length: 1042 Content-Type: application/soap+xml; charset=utf-8 User-Agent: ENROLLClient - - + + ----------- Input Body ----------- - + http://schemas.microsoft.com/windows/management/2012/01/enrollment/IDiscoveryService/Discover @@ -108,20 +110,20 @@ Below is the raw https exchange of the MS-MDE and MS-MDM protocols when run usin ========================================================================= - - - - + + + + ============================= Output Response ============================= ----------- Response Header ----------- HTTP/1.1 200 OK Content-Length: 1107 Content-Type: application/soap+xml; charset=utf-8 - - + + ----------- Response Body ----------- - - + + @@ -239,7 +241,7 @@ Content-Type: application/soap+xml; charset=utf-8 -### MDM Certificate Enrollment Extensions Flow (MS-WSTEP) +### MDM Certificate Enrollment Extensions Flow (MS-WSTEP) ============================= Input Request ============================= @@ -249,10 +251,10 @@ Content-Type: application/soap+xml; charset=utf-8 Content-Length: 4295 Content-Type: application/soap+xml; charset=utf-8 User-Agent: ENROLLClient - - + + ----------- Input Body ----------- - + http://schemas.microsoft.com/windows/pki/2009/01/enrollment/RST/wstep 
@@ -333,20 +335,20 @@ Content-Type: application/soap+xml; charset=utf-8 ========================================================================= - - - - + + + + ============================= Output Response ============================= ----------- Response Header ----------- HTTP/1.1 200 OK Content-Length: 8598 Content-Type: application/soap+xml; charset=utf-8 - - + + ----------- Response Body ----------- - - + + 1.2 @@ -468,19 +470,19 @@ Content-Type: application/soap+xml; charset=utf-8 ========================================================================= - - - - + + + + ============================= Output Response ============================= ----------- Response Header ----------- HTTP/1.1 200 OK Content-Length: 1736 Content-Type: application/vnd.syncml.dm+xml - - + + ----------- Response Body ----------- - + @@ -554,11 +556,11 @@ Content-Type: application/soap+xml; charset=utf-8 ========================================================================= - - + + 192.168.8.10 - - [30/Dec/2022:16:59:44 -0300] "POST /ManagementServer/MDM.svc?mode=Maintenance&Platform=WoA HTTP/2.0" 200 1400 - - + + ============================= Input Request ============================= ----------- Input Header ----------- POST /ManagementServer/MDM.svc?mode=Maintenance&Platform=WoA HTTP/2.0 @@ -570,10 +572,10 @@ Content-Type: application/soap+xml; charset=utf-8 Content-Type: application/vnd.syncml.dm+xml Ms-Cv: a/tCeBgffEqA5408.0.0.0 User-Agent: MSFT OMA DM Client/1.2.0.1 - - + + ----------- Input Body ----------- - + 1.2 
@@ -613,19 +615,19 @@ Content-Type: application/soap+xml; charset=utf-8 ========================================================================= - - - - + + + + ============================= Output Response ============================= ----------- Response Header ----------- HTTP/1.1 200 OK Content-Type: application/vnd.syncml.dm+xml Content-Length: 0 - - + + ----------- Response Body ----------- - + =========================================================================