[MS-MDE2]: Mobile Device Enrollment Protocol Version 2

[MS-MDE2] - v20171201
Copyright © 2017 Microsoft Corporation
Release: December 1, 2017

Intellectual Property Rights Notice for Open Specifications Documentation

Technical Documentation. Microsoft publishes Open Specifications documentation ("this documentation") for protocols, file formats, data portability, computer languages, and standards support. Additionally, overview documents cover inter-protocol relationships and interactions.

Copyrights. This documentation is covered by Microsoft copyrights. Regardless of any other terms that are contained in the terms of use for the Microsoft website that hosts this documentation, you can make copies of it in order to develop implementations of the technologies that are described in this documentation and can distribute portions of it in your implementations that use these technologies or in your documentation as necessary to properly document the implementation. You can also distribute in your implementation, with or without modification, any schemas, IDLs, or code samples that are included in the documentation. This permission also applies to any documents that are referenced in the Open Specifications documentation.

No Trade Secrets. Microsoft does not claim any trade secret rights in this documentation.

Patents. Microsoft has patents that might cover your implementations of the technologies described in the Open Specifications documentation. Neither this notice nor Microsoft's delivery of this documentation grants any licenses under those patents or any other Microsoft patents. However, a given Open Specifications document might be covered by the Microsoft Open Specifications Promise or the Microsoft Community Promise. If you would prefer a written license, or if the technologies described in this documentation are not covered by the Open Specifications Promise or Community Promise, as applicable, patent licenses are available by contacting [email protected].

License Programs. To see all of the protocols in scope under a specific license program and the associated patents, visit the Patent Map.

Trademarks. The names of companies and products contained in this documentation might be covered by trademarks or similar intellectual property rights. This notice does not grant any licenses under those rights. For a list of Microsoft trademarks, visit www.microsoft.com/trademarks.

Fictitious Names. The example companies, organizations, products, domain names, email addresses, logos, people, places, and events that are depicted in this documentation are fictitious. No association with any real company, organization, product, domain name, email address, logo, person, place, or event is intended or should be inferred.

Reservation of Rights. All other rights are reserved, and this notice does not grant any rights other than as specifically described above, whether by implication, estoppel, or otherwise.

Tools. The Open Specifications documentation does not require the use of Microsoft programming tools or programming environments in order for you to develop an implementation. If you have access to Microsoft programming tools and environments, you are free to take advantage of them. Certain Open Specifications documents are intended for use in conjunction with publicly available standards specifications and network programming art and, as such, assume that the reader either is familiar with the aforementioned material or has immediate access to it.

Support. For questions and support, please contact [email protected].

Revision Summary

Date         Revision History   Revision Class   Comments
6/30/2015    1.0                New              Released new document.
10/16/2015   2.0                Major            Significantly changed the technical content.
7/14/2016    3.0                Major            Significantly changed the technical content.
3/16/2017    4.0                Major            Significantly changed the technical content.
6/1/2017     4.0                None             No changes to the meaning, language, or formatting of the technical content.
9/15/2017    5.0                Major            Significantly changed the technical content.
12/1/2017    6.0                Major            Significantly changed the technical content.

Table of Contents

1 Introduction  6
  1.1 Glossary  6
  1.2 References  9
    1.2.1 Normative References  9
    1.2.2 Informative References  10
  1.3 Overview  10
  1.4 Relationship to Other Protocols  13
  1.5 Prerequisites/Preconditions  13
  1.6 Applicability Statement  13
  1.7 Versioning and Capability Negotiation  13
  1.8 Vendor-Extensible Fields  13
  1.9 Standards Assignments  14
2 Messages  15
  2.1 Transport  15
  2.2 Common Message Syntax  15
    2.2.1 Namespaces  15
    2.2.2 Messages  15
    2.2.3 Elements  16
    2.2.4 Complex Types  16
    2.2.5 Simple Types  16
    2.2.6 Attributes  16
    2.2.7 Groups  16
    2.2.8 Attribute Groups  16
    2.2.9 Common Data Structures  16
      2.2.9.1 XML Provisioning Schema  16
      2.2.9.2 CertificateStore Configuration Service Provider  18
      2.2.9.3 DMClient Configuration Service Provider  25
      2.2.9.4 RootCATrustedCertificates Configuration Service Provider  35
      2.2.9.5 w7 APPLICATION Configuration Service Provider  38
      2.2.9.6 OSEdition Enumeration  42
    2.2.10 Faults  44
3 Protocol Details  47
  3.1 IDiscoveryService Server Details  47
    3.1.1 Abstract Data Model  49
    3.1.2 Timers  49
    3.1.3 Initialization  49
    3.1.4 Message Processing Events and Sequencing Rules  49
      3.1.4.1 Discover  49
        3.1.4.1.1 Messages  50
          3.1.4.1.1.1 IDiscoveryService_Discover_InputMessage Message  50
          3.1.4.1.1.2 IDiscoveryService_Discover_OutputMessage Message  50
        3.1.4.1.2 Elements  51
          3.1.4.1.2.1 Discover  51
          3.1.4.1.2.2 DiscoverResponse  51
        3.1.4.1.3 Complex Types  51
          3.1.4.1.3.1 DiscoveryRequest  52
          3.1.4.1.3.2 DiscoveryResponse  53
    3.1.5 Timer Events  53
    3.1.6 Other Local Events  53
  3.2 Interaction with Security Token Service (STS)  54
  3.3 Interaction with X.509 Certificate Enrollment Policy  55
    3.3.1 Abstract Data Model  57
    3.3.2 Timers  57
    3.3.3 Initialization  57
    3.3.4 Message Processing Events and Sequencing Rules  57
      3.3.4.1 GetPolicies Operation  58
        3.3.4.1.1 Messages  58
          3.3.4.1.1.1 GetPolicies  58
            3.3.4.1.1.1.1 Get Policies using Federated Authentication  58
            3.3.4.1.1.1.2 GetPolicies using Certificate Authentication  59
            3.3.4.1.1.1.3 GetPolicies using On-Premise Authentication  61
          3.3.4.1.1.2 GetPoliciesResponse  62
    3.3.5 Timer Events  63
    3.3.6 Other Local Events  63
  3.4 Interaction with WS-Trust X.509v3 Token Enrollment  64
    3.4.1 Abstract Data Model  65
    3.4.2 Timers  65
    3.4.3 Initialization  65
    3.4.4 Message Processing Events and Sequencing Rules  65
      3.4.4.1 RequestSecurityToken Operation  66
        3.4.4.1.1 Messages  66
          3.4.4.1.1.1 RequestSecurityToken  66
            3.4.4.1.1.1.1 RequestSecurityToken using Federated Authentication  66
            3.4.4.1.1.1.2 RequestSecurityToken using Certificate Authentication  70
            3.4.4.1.1.1.3 RequestSecurityToken using On-Premise Authentication  73
          3.4.4.1.1.2 RequestSecurityTokenResponseCollection  76
    3.4.5 Timer Events  77
    3.4.6 Other Local Events  77
  3.5 Certificate Renewal  77
    3.5.1 Abstract Data Model  78
    3.5.2 Timers  78
    3.5.3 Initialization  78
    3.5.4 Message Processing Events and Sequencing Rules  78
      3.5.4.1 RequestSecurityToken Operation  78
        3.5.4.1.1 Messages  78
          3.5.4.1.1.1 RequestSecurityToken  78
          3.5.4.1.1.2 RequestSecurityTokenCollectionResponse  80
    3.5.5 Timer Events  81
    3.5.6 Other Local Events  81
4 Protocol Examples  82
  4.1 Discovery Example  82
    4.1.1 Discovery Example: Request  82
      4.1.1.1 Discovery Example Request Using Federated Authentication  82
      4.1.1.2 Discovery Example Request Using Certificate Authentication  82
      4.1.1.3 Discovery Example Request Using On-Premise Authentication  83
    4.1.2 Discovery Example: Response  84
      4.1.2.1 Discovery Example Response using Federated Authentication  84
      4.1.2.2 Discovery Example Response using Certificate Authentication  84
      4.1.2.3 Discovery Example Response using On-Premise Authentication  85
  4.2 GetPolicies Example  85
    4.2.1 GetPolicies Example: Request  86
      4.2.1.1 GetPolicies Example Request using Federated Authentication  86
      4.2.1.2 GetPolicies Example Request using Certificate Authentication  86
      4.2.1.3 GetPolicies Example Request using On-Premise Authentication  88
    4.2.2 GetPolicies Example: Response  88
  4.3 RequestSecurityToken Example  89
    4.3.1 RequestSecurityToken Example: Request  90
      4.3.1.1 RequestSecurityToken Example: Request using Federated Authentication  90
      4.3.1.2 RequestSecurityToken Example: Request using Certificate Authentication  91
      4.3.1.3 RequestSecurityToken Example: Request using On-Premise Authentication  94
    4.3.2 RequestSecurityToken Example: Response  95
5 Security  97
  5.1 Security Considerations for Implementers  97
  5.2 Index of Security Parameters  97
6 Appendix A: XSD Schema  98
7 Appendix B: Product Behavior  100
8 Change Tracking  102
9 Index  103

Introduction

An industry trend has been developing in which employees connect their personal mobile computing devices to the corporate network and resources (either on premise or through the cloud) to perform workplace tasks. This trend requires support for easy configuration of the network and resources, such that employees can register personal devices with the company for work-related purposes. Appl