Scenario
You have Windows Intune integrated with System Center Configuration Manager 2012 R2. As part of this integration you have the capability to deploy Wi-Fi profiles to Windows Phone 8.1 devices.
You use WPA/WPA2 with a pre-shared key and want your Windows Phone 8.1 devices to automatically connect to the Wi-Fi access points in your environment using the existing infrastructure.
Theory
Within the Windows Phone 8.1 Mobile Device Protocol Guide (see References below) there is a section called "WiFi configuration service provider (New in Windows Phone 8.1)". This section details how the Wi-Fi configuration service provider (CSP) provides functionality to add or delete Wi-Fi networks on a Windows Phone device. The CSP accepts SyncML input and converts it to a network profile that is installed on the device. This profile enables the phone to connect to the Wi-Fi network when it is in range.
Note 1: Since Windows Phone Emulators do not have Wi-Fi radio support, Wi-Fi network configuration cannot be tested end-to-end with an emulator. A Wi-Fi network can still be provisioned using the WiFi CSP and the network should be visible in the Wi-Fi Settings page, but connectivity to that network cannot be tested.
Note 2: For WEP, WPA, and WPA2-based networks, the passkey must be included in the network configuration in plaintext. It is encrypted automatically when it is stored on the device.
Note 3: The WlanXml blob is sent in the OMA SyncML XML message as type chr. The profile XML content therefore needs to be XML-escaped inside the OMA message.
Note 4: If keyMaterial exists in the WlanXml blob it must come after the keyType and protected elements, as documented in MSDN – http://msdn.microsoft.com/en-us/library/windows/desktop/aa370032(v=vs.85).aspx
Note 5: The SSID of the Wi-Fi network forms part of the LocURI node, which must be a valid URI based on RFC 2396. This requires that all non-ASCII characters are escaped using a %-character. Unicode characters without the necessary escaping are not supported.
The following diagram shows the Wi-Fi configuration service provider in tree format.
Profile
Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the phone to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. Supported operation: Get.
<SSID>
The SSID of the Wi-Fi network (maximum length 32 bytes, case-sensitive). This can be represented in ASCII. Supported operations: Get. The SSID node is added when the WlanXml node is added, and deleted when WlanXml is deleted.
WlanXml
This is the XML describing the network configuration and follows the Windows WLAN_profile Schema (MSDN documentation). Supported operations: Get, Add, Delete, Replace
Proxy
This is an optional node, and includes the configuration of the network proxy (if any). The format is url:port. Supported operations: Get, Add, Delete, Replace
Best Practices
NOTE: The profile-level <name> element of the WLANProfile must match the <name> element inside <SSIDConfig><SSID>.
Solution
There are two methods to deploy a Wi-Fi profile to a Windows Phone 8.1 device.
- Deploying a Wi-Fi Profile from within Configuration Manager integrated with Windows Intune
- Deploying a configuration item using a custom OMA-URI from within Configuration Manager integrated with Windows Intune
With either method we must first build an XML representation of the Wi-Fi profile.
To generate the XML you can either construct it yourself or use a script to generate the output for you.
Pre-Requisite (Creation of XML for Wi-Fi Profiles)
You must first generate a Wi-Fi profile XML for consumption as either the OMA-URI string or the Wi-Fi profile that you will import into Configuration Manager 2012 R2.
To output this XML, one of my friends in Microsoft Services (Saud Al-Mishari) wrote a PowerShell script that constructs the XML output that you need.
The script will be posted to the TechNet gallery here.
The following script creates a character-escaped XML document that can be configured in a custom OMA-URI compliance setting in System Center 2012 R2 Configuration Manager. It is designed to allow the configuration of WPA-PSK and WPA2-PSK Wi-Fi profiles in a hybrid MDM scenario (where Windows Intune and System Center 2012 R2 Configuration Manager are integrated together). The script takes simple input and outputs the XML in the format expected by Windows Phone 8.1.
NOTE: The resulting XML file contains the passphrase in unencrypted format. This is required as per the Windows Phone 8.1 MDM Protocol. This also means that the passphrase will be visible in the Configuration Manager console unencrypted and stored in the Configuration Manager and Windows Intune databases unencrypted. If this is a concern, please evaluate using certificate based authentication on your wireless networks. The Windows Phone 8.1 MDM protocol documentation defines that the passphrase will be stored securely on the device itself.
#----- START -----
# DISCLAIMER:
#---------------------------------------------------------------
#
# This sample is provided as is and is not meant for use on a
# production environment. It is provided only for illustrative
# purposes. The end user must test and modify the sample to suit
# their target environment.
#
# Microsoft can make no representation concerning the content of
# this sample. Microsoft is providing this information only as a
# convenience to you. This is to inform you that Microsoft has not
# tested the sample and therefore cannot make any representations
# regarding the quality, safety, or suitability of any code or
# information found here.
Param(
    [Parameter(Mandatory=$true)]
    [string]$SSIDName, # Your SSID name
    [Parameter(Mandatory=$true)]
    [string]$Passphrase, # NOTE: this is stored in ConfigMgr and Intune unencrypted. If this is a concern, consider using a certificate-based authentication mechanism. This is stored on the device securely as per the MDM Protocol documentation.
    [Parameter(Mandatory=$true)]
    [ValidateSet('WPAPSK','WPA2PSK')]
    [string]$AuthenticationType, # WPAPSK or WPA2PSK (WEP not supported by script)
    [Parameter(Mandatory=$true)]
    [ValidateSet('TKIP','AES')]
    [string]$EncryptionType # TKIP or AES
)
# Prototype WLAN_profile document; the placeholder values are replaced below
$defaultStringXML = '<?xml version="1.0" encoding="US-ASCII"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>SampleWPAPSK</name>
<SSIDConfig>
<SSID>
<name>SampleWPAPSK</name>
</SSID>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication>WPAPSK</authentication>
<encryption>TKIP</encryption>
<useOneX>false</useOneX>
</authEncryption>
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>password</keyMaterial>
</sharedKey>
</security>
</MSM>
</WLANProfile>'
# Cast our prototype XML document into a .NET XML document object
$customXML = [xml]$defaultStringXML
# Set XML values (profile name and SSID name are kept identical, as the CSP requires)
$customXML.WLANProfile.name = $SSIDName
$customXML.WLANProfile.SSIDConfig.SSID.name = $SSIDName
$customXML.WLANProfile.MSM.security.authEncryption.authentication = $AuthenticationType
$customXML.WLANProfile.MSM.security.authEncryption.encryption = $EncryptionType
$customXML.WLANProfile.MSM.security.sharedKey.keyMaterial = $Passphrase
###DEBUG###
#$StringWriter = New-Object System.IO.StringWriter
#$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter
#$XmlWriter.Formatting = 'Indented'
#$customXML.WriteContentTo($XmlWriter)
#$XmlWriter.Flush()
#$StringWriter.Flush()
#Write-Output $StringWriter.ToString()
###DEBUG###
# Write out our customised XML using XML character escaping.
# This is done because this XML document is going to be
# embedded in another document (the OMA SyncML message).
[System.Security.SecurityElement]::Escape($customXML.InnerXml)
# Second output: the unescaped XML, for import as a Wi-Fi profile file
$customXML.InnerXml
#----- END -----
Copy the code and save it to a .ps1 file. From PowerShell, then run the following:
.\Script.ps1 SSIDNAME PassKey Authentication Encryption
For example, if my WPA2 network needs the following:
Wi-Fi SSID – Zarb_5
Passkey – Welcome123
Authentication – WPA2PSK
Encryption – AES
The command would be:
.\Script.ps1 Zarb_5 Welcome123 WPA2PSK AES
The script prints two outputs. The first (highlighted in yellow in the screenshot) is the character-escaped XML, and the second is the unescaped XML.
In both the OMA-URI and Wi-Fi profile scenarios we will use the single long string of unescaped XML (you can also redirect the output to a file to capture the complete string, e.g. .\Script.ps1 Zarb Welcome1234 WPA2PSK AES > wifi.txt, and then copy and paste the second line into an XML file).
i.e.
<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>
Once you have this output in xml then we are good to go to either method 1 (Wi-Fi Profile) or 2 (OMA-URI) .
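Before pasting the XML into either method, it is worth checking it against Notes 3 to 5 and the name-matching best practice above. The following function is an added example (not part of the original post or the TechNet script): it validates the unescaped profile XML, builds the OMA-URI path used in Method 2 with the SSID percent-escaped, and produces the XML-escaped blob. The function name Test-WlanProfileXml and the inline sample are my own.

```powershell
# Added example, not part of the original post or the TechNet script.
function Test-WlanProfileXml {
    param([Parameter(Mandatory=$true)][string]$ProfileXml)
    # A cast failure here usually means curly quotes survived a copy-and-paste
    $doc = [xml]$ProfileXml
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')
    $problems = @()
    $profileName = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $ssid = $doc.SelectSingleNode('/w:WLANProfile/w:SSIDConfig/w:SSID/w:name', $ns).InnerText
    # Best practice: profile <name> must match the SSID <name> (SSIDs are case-sensitive, hence -cne)
    if ($profileName -cne $ssid) { $problems += "profile name '$profileName' does not match SSID '$ssid'" }
    # CSP limit: SSID is at most 32 bytes
    if ([System.Text.Encoding]::UTF8.GetByteCount($ssid) -gt 32) { $problems += 'SSID exceeds 32 bytes' }
    # Note 4: keyMaterial must follow keyType and protected inside sharedKey
    $shared = $doc.SelectSingleNode('/w:WLANProfile/w:MSM/w:security/w:sharedKey', $ns)
    if ($shared) {
        $order = @($shared.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object { $_.LocalName })
        if (($order -join ',') -ne 'keyType,protected,keyMaterial') {
            $problems += "sharedKey element order is '$($order -join ',')', expected keyType,protected,keyMaterial"
        }
    }
    # Note 5: the SSID inside the LocURI must be a valid URI, so %-escape non-ASCII and reserved characters
    $locUri = "./Vendor/MSFT/WiFi/Profile/$([System.Uri]::EscapeDataString($ssid))/WlanXml"
    # Note 3: the WlanXml blob travels as chr inside SyncML, so it is XML-escaped when embedded
    $escapedBlob = [System.Security.SecurityElement]::Escape($doc.InnerXml)
    [pscustomobject]@{
        IsValid     = ($problems.Count -eq 0)
        Problems    = $problems
        OmaUri      = $locUri
        EscapedBlob = $escapedBlob
    }
}

# Constructed sample: the unescaped output shown above, with straight quotes
$sampleProfile = '<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>'
Test-WlanProfileXml -ProfileXml $sampleProfile | Format-List
```

For a file produced by the script, pass `(Get-Content .\wifi.xml -Raw)` as the ProfileXml argument; the OmaUri value is what goes into the custom setting in Method 2.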
Method 1 – Importing Wi-Fi Profile into Configuration Manager and Windows Intune
Now place the XML file you generated in a location that Configuration Manager can access to import it (a UNC share that Configuration Manager 2012 R2 has access to).
Go to the Assets and Compliance node in the Configuration Manager console, expand Compliance Settings > Company Resource Access, right click Wi-Fi Profiles and click Create Wi-Fi Profile.
Type a Name and Description, check the "Import an existing Wi-Fi profile item from a file" option and click Next.
Click the Add button and locate the Wi-Fi XML file that you created in the first stage. Once you have selected it, click OK and then Next.
In the "select platforms that this Wi-Fi profile will be provisioned to" page, select Windows Phone 8.1 and click Next.
Confirm the settings and click Next.
Now click Close.
Now your Wi-Fi Profile is created we can look to deploy this profile to a collection. In this example I will deploy this to my Windows Intune Users.
On your newly created Wi-Fi Profile right click and select Deploy. In the Deploy Wi-Fi Profile dialogue select your collection that you want to distribute the Wi-Fi Profile to and click Ok.
Now wait for the policy to arrive on your device. Next time the policy sync takes place the Wi-Fi profile will get delivered and the device will have a company delivered Wi-Fi WPA2PSK profile.
Once the policy is deployed and the device has synced go to the settings control panel and select WiFi > Scroll to the bottom of the WiFi settings and select manage > Select the WiFi profile SSID that was deployed > You will now see that the WiFi profile has been “added by company policy”
In this scenario the WiFi profile will automatically connect to the SSID that has been deployed.
Method 2 – Creating the XML and deploying it via OMA-URI
With our XML string created in the prerequisite:
<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>
We can deliver this via OMA-URI. To do this we need to create a Configuration Item. Under Assets and Compliance expand Compliance Settings, then right click on Configuration Items and select Create Configuration Item.
When the wizard starts specify a name for the Custom configuration item and also select Mobile Device for the configuration that you want to create.
Under “select the mobile device setting groups to configure” click the check box for “configure additional settings that are not in the default settings group”
In the “configure additional mobile device settings” click Add
In the “Browse Settings” dialogue click Create Setting
As highlighted at the beginning of this document, the OMA-URI path is
./Vendor/MSFT/WiFi/Profile/SSID/WlanXml, where SSID is the SSID of the Wi-Fi network. In my scenario this is
./Vendor/MSFT/WiFi/Profile/Zarb_5/WlanXml. For each different SSID you will need a new setting with its own OMA-URI string to target it correctly.
Specify the following attributes in the create settings page
Name – Custom Wi-Fi Settings
Setting type – OMA URI
Data type – String
OMA-URI (case sensitive) – ./Vendor/MSFT/WiFi/Profile/Zarb_5/WlanXml
Once specified select ok
You will now see the “Custom Wi-Fi Settings” previously created under the “Browse Settings” dialogue page. Select this and click select
Important fact for this section
Best Practices
NOTE: The profile-level <name> element of the WLANProfile must match the <name> element inside <SSIDConfig><SSID>.
The script you ran earlier to generate the XML output has done this for you.
Specify a name and specify your xml for the following values:
<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>
Also confirm that the "Remediate noncompliant rules when supported" check box is checked, and then click OK.
Click Close in the “Browse Settings” . You will now see your rule that you have created. Now select Next.
Under specify the supported platforms select Windows Phone 8.1 and click Next
Now click Next, Next and Next again to complete the wizard. This has now created us the custom Configuration Item that will be used with our configuration baseline.
You will now see the Custom Wi-Fi setting in your configuration items
Now we have the configuration item, we need to create or add this to a configuration baseline that will be deployed to a client. In this scenario we will create a new configuration baseline and deploy this to a collection.
Right click on the Configuration Baselines node and select Create Configuration Baseline.
In the Create Configuration Baseline dialogue specify a Name, then under Configuration data click Add and select Configuration Items.
In the Add Configuration Items dialogue select the Custom Wi-Fi configuration item and click Add. This moves the setting from the available configuration items to the configuration items that will be added to this configuration baseline. Then click OK.
You will now see the configuration item in the configuration data. Now Click OK
Once the configuration baseline is set we can look to deploy this. Right click on the Configuration baseline you have just created and select Deploy
In the Deploy Configuration Baselines validate that your configuration baseline is under the selected configuration baselines.
Validate and make sure the check box is selected for “Remediate noncompliant rules when supported”.
Lastly specify the collection that you are looking to target and click OK
Now wait for the policy to arrive on your device. Next time the policy sync takes place the Wi-Fi configuration baseline will get delivered and the device will have a company delivered OMA-URI Wi-Fi profile.
Once the policy is deployed and the device has synced go to the settings control panel and select WiFi > Scroll to the bottom of the WiFi settings and select manage > Select the WiFi profile SSID that was deployed > You will now see that the WiFi profile has been “added by company policy”
In this scenario the WiFi profile will automatically connect to the SSID that has been deployed.
References:
Windows Phone 8.1 MDM Protocol guide (page 163) – http://msdn.microsoft.com/en-us/library/dn499787.aspx
WLAN_profile Schema – http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx
Project My Screen App for Windows Phone – http://www.microsoft.com/en-us/download/details.aspx?id=42536