Creating a Wi-Fi Profile with WPA-PSK and WPA2-PSK for Windows Phone 8.1 via Windows Intune and Configuration Manager 2012 R2

Scenario

You have Windows Intune integrated with System Center Configuration Manager 2012 R2. As part of this integration you have the capability to deploy Wi-Fi profiles to Windows Phone 8.1 devices.

You use WPA-PSK or WPA2-PSK (a pre-shared key) and want your Windows Phone 8.1 devices to connect automatically to the Wi-Fi access points in your environment using the existing infrastructure.

Theory

Within the Windows Phone 8.1 MDM Protocol guide (see References) there is a section called “WiFi configuration service provider (New in Windows Phone 8.1)”. It details how the Wi-Fi configuration service provider (CSP) adds or deletes Wi-Fi networks on a Windows Phone device. The CSP accepts SyncML input and converts it to a network profile that is installed on the device; this profile enables the phone to connect to the Wi-Fi network when it is in range.

Note 1: Since Windows Phone Emulators do not have Wi-Fi radio support, Wi-Fi network configuration cannot be tested end-to-end with an emulator. A Wi-Fi network can still be provisioned using the WiFi CSP and the network should be visible in the Wi-Fi Settings page, but connectivity to that network cannot be tested.

Note 2: For WEP, WPA, and WPA2-based networks, the passkey must be included in the network configuration in plaintext. It will be encrypted automatically while storing on the device.

Note 3: The WlanXml blob is sent in the OMA SyncML message as chr (character data), so the profile XML content must be XML-escaped inside the OMA message.

Note 4: If keyMaterial is present in the WlanXml blob it must come after the keyType and protected elements, as documented on MSDN – http://msdn.microsoft.com/en-us/library/windows/desktop/aa370032(v=vs.85).aspx

Note 5: The SSID of the Wi-Fi network is part of the LocURI node, which must be a valid URI per RFC 2396. All non-ASCII characters must therefore be escaped with a %-character; Unicode characters without that escaping are not supported.

The following diagram shows the Wi-Fi configuration service provider in tree format.

./Vendor/MSFT/WiFi
    Profile
        <SSID>
            WlanXml
            Proxy

Profile

Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the phone to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. Supported operation: Get.

<SSID>

The SSID of the Wi-Fi network (maximum length 32 bytes, case-sensitive). This can be represented in ASCII. Supported operations: Get. SSID is added when WlanXML node is added, and deleted when WlanXml is deleted.

WlanXml

This is the XML describing the network configuration and follows the Windows WLAN_profile Schema (MSDN documentation). Supported operations: Get, Add, Delete, Replace

Proxy

This is an optional node, and includes the configuration of the network proxy (if any). The format is url:port. Supported operations: Get, Add, Delete, Replace

Best Practices

NOTE: The profile name in <WLANProfile><name>name_goes_here</name> must match the SSID name in <SSIDConfig><SSID><name>name_goes_here</name></SSID></SSIDConfig>, and the same SSID is used as the <SSID> segment of the OMA-URI ./Vendor/MSFT/WiFi/Profile/<SSID>/WlanXml.
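The following PowerShell is an added example (not part of the original post, nor of the generator script further down) that shows what Notes 3, 4 and 5 and the name-match rule look like in the actual OMA-DM message: it validates a WLAN profile and then builds the SyncML Add command the WiFi CSP receives for it. The envelope shape (CmdID, Meta/Format chr) is illustrative, the RFC 2396 escaping is approximated with [System.Uri]::EscapeDataString, and the sample profile with a space in its SSID is constructed for the demonstration.

```powershell
# Added example: validate a WLAN_profile document against the CSP rules in the
# post (name match, 32-byte SSID, keyMaterial ordering) and wrap it in the SyncML
# <Add> the WiFi CSP consumes. Envelope shape is illustrative.

function Test-WlanProfileXml {
    param([Parameter(Mandatory)][string]$ProfileXml)

    $doc = [xml]$ProfileXml
    $ns  = New-Object System.Xml.XmlNamespaceManager $doc.NameTable
    $ns.AddNamespace('w', 'http://www.microsoft.com/networking/WLAN/profile/v1')

    $profileName = $doc.SelectSingleNode('/w:WLANProfile/w:name', $ns).InnerText
    $ssidName    = $doc.SelectSingleNode('/w:WLANProfile/w:SSIDConfig/w:SSID/w:name', $ns).InnerText

    # Best-practice rule from the post: the two <name> elements must match
    if ($profileName -ne $ssidName) {
        throw "Profile name '$profileName' does not match SSID name '$ssidName'"
    }
    # CSP limit: an SSID is at most 32 bytes
    if ([Text.Encoding]::UTF8.GetByteCount($ssidName) -gt 32) {
        throw "SSID '$ssidName' exceeds 32 bytes"
    }
    # Note 4: keyMaterial must follow keyType and protected inside <sharedKey>
    $shared = $doc.SelectSingleNode('/w:WLANProfile/w:MSM/w:security/w:sharedKey', $ns)
    if ($shared) {
        $order    = @($shared.ChildNodes | Where-Object { $_.NodeType -eq 'Element' } | ForEach-Object LocalName)
        $expected = @('keyType', 'protected', 'keyMaterial')
        if (($order -join ',') -ne ($expected -join ',')) {
            throw "sharedKey children are ordered '$($order -join ',')'; expected '$($expected -join ',')'"
        }
    }
    return $ssidName
}

function New-WifiCspAddCommand {
    param(
        [Parameter(Mandatory)][string]$ProfileXml,
        [int]$CmdId = 2
    )
    $ssid = Test-WlanProfileXml -ProfileXml $ProfileXml

    # Note 5: the SSID segment of the LocURI must be a valid RFC 2396 URI segment,
    # so spaces and non-ASCII characters are %-escaped (EscapeDataString approximates this)
    $locUri = './Vendor/MSFT/WiFi/Profile/{0}/WlanXml' -f [System.Uri]::EscapeDataString($ssid)

    # Note 3: the profile travels as chr and must be XML-escaped because it is
    # embedded inside the SyncML document
    $escaped = [System.Security.SecurityElement]::Escape($ProfileXml)

@"
<Add>
  <CmdID>$CmdId</CmdID>
  <Item>
    <Target><LocURI>$locUri</LocURI></Target>
    <Meta><Format xmlns="syncml:metinf">chr</Format></Meta>
    <Data>$escaped</Data>
  </Item>
</Add>
"@
}

# Constructed sample input; the space in the SSID exercises the Note 5 escaping
$sample = @'
<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Corp Guest</name><SSIDConfig><SSID><name>Corp Guest</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>
'@

New-WifiCspAddCommand -ProfileXml $sample
```

The LocURI for the sample comes out as ./Vendor/MSFT/WiFi/Profile/Corp%20Guest/WlanXml while the <name> elements inside the escaped <Data> keep the literal SSID; swapping the order of <protected> and <keyMaterial> in the sample makes Test-WlanProfileXml throw, which is the failure Note 4 warns about.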

Solution

There are two methods to deploy a Wi-Fi profile to a Windows Phone 8.1 device.

  1. Deploying a Wi-Fi Profile from within Configuration Manager integrated with Windows Intune
  2. Deploying a configuration item using a custom OMA-URI from within Configuration Manager integrated with Windows Intune

With either method we must first build the XML for the Wi-Fi profile.

You can construct the XML by hand or use the script below to generate it.

Pre-Requisite (Creation of XML for Wi-Fi Profiles)

You must first generate a Wi-Fi profile XML. The same XML is used either as the OMA-URI string value or as the Wi-Fi profile file that you import into Configuration Manager 2012 R2.

To output this XML, one of my friends in Microsoft Services (Saud Al-Mishari) wrote a PowerShell script that constructs the XML output that you need.

The script will be posted to the TechNet gallery here.

The following script creates a character-escaped XML document that can be configured in a custom OMA-URI compliance setting in System Center 2012 R2 Configuration Manager. It is designed to allow the configuration of WPA-PSK and WPA2-PSK Wi-Fi profiles in a hybrid MDM scenario (where Windows Intune and System Center 2012 R2 Configuration Manager are integrated together). The script takes simple input and outputs the XML in the format expected by Windows Phone 8.1.

NOTE: The resulting XML file contains the passphrase in unencrypted format. This is required as per the Windows Phone 8.1 MDM Protocol. This also means that the passphrase will be visible in the Configuration Manager console unencrypted and stored in the Configuration Manager and Windows Intune databases unencrypted. If this is a concern, please evaluate using certificate based authentication on your wireless networks. The Windows Phone 8.1 MDM protocol documentation defines that the passphrase will be stored securely on the device itself.

##------------------ START
# DISCLAIMER:
#-------------------------------------------------------------------
#
# This sample is provided as is and is not meant for use on a
# production environment. It is provided only for illustrative
# purposes. The end user must test and modify the sample to suit
# their target environment.
#
# Microsoft can make no representation concerning the content of
# this sample. Microsoft is providing this information only as a
# convenience to you. This is to inform you that Microsoft has not
# tested the sample and therefore cannot make any representations
# regarding the quality, safety, or suitability of any code or
# information found here.

Param(
    [Parameter(Mandatory=$true)]
    [string]$SSIDName,           # Your SSID name (max 32 bytes, case-sensitive)

    [Parameter(Mandatory=$true)]
    [string]$Passphrase,         # NOTE: stored in ConfigMgr and Intune unencrypted. If this is a
                                 # concern, consider certificate-based authentication. It is stored
                                 # securely on the device as per the MDM Protocol documentation.

    [Parameter(Mandatory=$true)]
    [ValidateSet('WPAPSK','WPA2PSK')]
    [string]$AuthenticationType, # WPAPSK or WPA2PSK (WEP not supported by script)

    [Parameter(Mandatory=$true)]
    [ValidateSet('TKIP','AES')]
    [string]$EncryptionType      # TKIP or AES
)

# Prototype profile following the WLAN_profile schema. The element order inside
# <sharedKey> (keyType, protected, keyMaterial) is what the CSP requires (Note 4).
$defaultStringXML = @'
<?xml version="1.0" encoding="US-ASCII"?>
<WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1">
<name>SampleWPAPSK</name>
<SSIDConfig>
<SSID>
<name>SampleWPAPSK</name>
</SSID>
</SSIDConfig>
<connectionType>ESS</connectionType>
<connectionMode>auto</connectionMode>
<autoSwitch>false</autoSwitch>
<MSM>
<security>
<authEncryption>
<authentication>WPAPSK</authentication>
<encryption>TKIP</encryption>
<useOneX>false</useOneX>
</authEncryption>
<sharedKey>
<keyType>passPhrase</keyType>
<protected>false</protected>
<keyMaterial>password</keyMaterial>
</sharedKey>
</security>
</MSM>
</WLANProfile>
'@

# Cast our prototype XML document into a .NET XML document object
$customXML = [xml]$defaultStringXML

# Set XML values. Assigning to the adapted properties sets the element text, so
# characters such as & or < in the passphrase are escaped correctly in the output.
$customXML.WLANProfile.name = $SSIDName
$customXML.WLANProfile.SSIDConfig.SSID.name = $SSIDName
$customXML.WLANProfile.MSM.security.authEncryption.authentication = $AuthenticationType
$customXML.WLANProfile.MSM.security.authEncryption.encryption = $EncryptionType
$customXML.WLANProfile.MSM.security.sharedKey.keyMaterial = $Passphrase

###DEBUG### (uncomment to print the profile indented for inspection)
#$StringWriter = New-Object System.IO.StringWriter
#$XmlWriter = New-Object System.Xml.XmlTextWriter $StringWriter
#$XmlWriter.Formatting = "Indented"
#$customXML.WriteContentTo($XmlWriter)
#$XmlWriter.Flush()
#$StringWriter.Flush()
#Write-Output $StringWriter.ToString()
###DEBUG###

# Output 1: the customised XML with XML character escaping applied, because the
# profile is embedded in another (SyncML) document when it is sent to the device
[System.Security.SecurityElement]::Escape($customXML.InnerXml)

# Output 2: the unescaped single-line XML used in both methods below
$customXML.InnerXml
##----------- END -----

Copy the code and save it to a .ps1 file. From PowerShell run it with the four positional parameters (if script execution is blocked by policy, run it as powershell -ExecutionPolicy Bypass -File .\Script.ps1 …):

.\Script.ps1 SSIDNAME PassKey Authentication Encryption

For example, if my WPA2 network needs the following

Wi-Fi SSID – Zarb_5

Passkey – Welcome1234

Authentication – WPA2PSK

Encryption – AES

the command would be

.\Script.ps1 Zarb_5 Welcome1234 WPA2PSK AES


You get two outputs. The first is the XML-escaped form of the profile (the form the CSP expects inside a SyncML message, per Note 3); the second is the plain, unescaped single-line XML.

In both the OMA-URI and Wi-Fi profile scenarios we use the second, unescaped string. You can also redirect the output to a file, for example .\Script.ps1 Zarb_5 Welcome1234 WPA2PSK AES | Out-File -Encoding ascii wifi.txt, and copy the second line into an .xml file. Save that file as ASCII (or ANSI) so its encoding matches the encoding="US-ASCII" declaration; note that plain > redirection in Windows PowerShell writes Unicode (UTF-16) by default.

i.e.

<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>

Once you have this output in xml then we are good to go to either method 1 (Wi-Fi Profile) or 2 (OMA-URI) .
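The note above points out that the passphrase ends up unencrypted in the Configuration Manager console and databases. The following PowerShell is an added example (not from the original post) that inventories which Configuration Items carry an embedded WLAN profile with a plaintext keyMaterial, so you know where the secret is exposed and can decide whether to move that network to certificate-based authentication. It assumes the site code and SMS Provider host are passed as parameters, that the CI definition lives in the lazy SDMPackageXML property of SMS_ConfigurationItem (so each instance is re-read by its WMI path), and the offline sample CI fragment at the bottom is constructed, not the real SDM schema; the Method 1 Wi-Fi profile objects are stored elsewhere and are not covered.

```powershell
# Added example: find Configuration Items whose stored definition embeds a WLAN
# profile with a plaintext <keyMaterial>. Reports key length, never the key itself.
param(
    [string]$SiteCode,                    # omit to run the offline demonstration
    [string]$ProviderServer = 'localhost' # SMS Provider host (assumption)
)

function Find-PlaintextWifiKey {
    param(
        [Parameter(Mandatory)][string]$SdmPackageXml,
        [string]$CiName = '<unknown>',
        $CiId = 0
    )
    # The WLAN profile is pasted into the setting value as raw XML, so inside the CI
    # definition it is XML-escaped at least once (twice if the escaped script output
    # was pasted). Decode until no entities remain, then look for the key element.
    $plain = $SdmPackageXml
    for ($i = 0; $i -lt 3 -and $plain -match '&(lt|gt|amp|quot);'; $i++) {
        $plain = [System.Net.WebUtility]::HtmlDecode($plain)
    }
    $key = [regex]::Match($plain, '<keyMaterial>([^<]*)</keyMaterial>')
    if (-not $key.Success) { return }
    $ssid = [regex]::Match($plain, '<SSID>\s*<name>([^<]*)</name>', 'IgnoreCase')
    [pscustomobject]@{
        CI_ID     = $CiId
        Name      = $CiName
        SSID      = $ssid.Groups[1].Value
        Protected = [regex]::Match($plain, '<protected>([^<]*)</protected>').Groups[1].Value
        KeyLength = $key.Groups[1].Value.Length   # length only, not the secret
    }
}

if ($SiteCode) {
    # Live scan: SDMPackageXML is a lazy WMI property (assumption), so each CI is
    # re-fetched by its __PATH before the property is read
    Get-WmiObject -Namespace "root\SMS\site_$SiteCode" -ComputerName $ProviderServer -Class SMS_ConfigurationItem |
        ForEach-Object {
            $full = [wmi]$_.__PATH
            if ($full.SDMPackageXML) {
                Find-PlaintextWifiKey -SdmPackageXml ([string]$full.SDMPackageXML) `
                                      -CiName $full.LocalizedDisplayName -CiId $full.CI_ID
            }
        } | Format-Table -AutoSize
} else {
    # Offline demonstration on a constructed CI fragment (element names are illustrative,
    # only the escaped WLAN profile inside it matters to the scan)
    $sample = @'
<ConfigurationItem><Settings><Setting Name="Custom Wi-Fi Settings"><DefaultValue>&lt;?xml version="1.0" encoding="US-ASCII"?&gt;&lt;WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"&gt;&lt;name&gt;Zarb_5&lt;/name&gt;&lt;SSIDConfig&gt;&lt;SSID&gt;&lt;name&gt;Zarb_5&lt;/name&gt;&lt;/SSID&gt;&lt;/SSIDConfig&gt;&lt;MSM&gt;&lt;security&gt;&lt;sharedKey&gt;&lt;keyType&gt;passPhrase&lt;/keyType&gt;&lt;protected&gt;false&lt;/protected&gt;&lt;keyMaterial&gt;Welcome1234&lt;/keyMaterial&gt;&lt;/sharedKey&gt;&lt;/security&gt;&lt;/MSM&gt;&lt;/WLANProfile&gt;</DefaultValue></Setting></Settings></ConfigurationItem>
'@
    Find-PlaintextWifiKey -SdmPackageXml $sample -CiName 'Custom Wi-Fi Settings' -CiId 0
}
```

Run it with -SiteCode against a site to list every CI that embeds a PSK; anyone with console rights to view those CIs, or read access to the site database, can recover the passphrase, which is the exposure the note describes.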

Method 1 – Importing Wi-Fi Profile into Configuration Manager and Windows Intune

Place the XML file you generated in a location that the Configuration Manager console can read from for the import (a UNC share that Configuration Manager 2012 R2 has access to).

Go to the Assets and Compliance node in the console, expand Compliance Settings > Company Resource Access, right click Wi-Fi Profiles and click Create Wi-Fi Profile.


Type a Name and Description, check “Import an existing Wi-Fi profile item from a file”, and click Next.


Click the Add button and locate the Wi-Fi XML file that you created in the first stage. Select it, click OK and then Next.

In “Select the platforms that this Wi-Fi profile will be provisioned to” select Windows Phone 8.1 and click Next.


Confirm the setting and click next


Now click close


Now that your Wi-Fi profile is created, we can deploy it to a collection. In this example I will deploy it to my Windows Intune users collection.

Right click the newly created Wi-Fi profile and select Deploy. In the Deploy Wi-Fi Profile dialogue select the collection that you want to distribute the Wi-Fi profile to and click OK.


Now wait for the policy to arrive on your device. Next time the policy sync takes place the Wi-Fi profile will get delivered and the device will have a company delivered Wi-Fi WPA2PSK profile.

Once the policy is deployed and the device has synced go to the settings control panel and select WiFi > Scroll to the bottom of the WiFi settings and select manage > Select the WiFi profile SSID that was deployed > You will now see that the WiFi profile has been “added by company policy”

In this scenario the WiFi profile will automatically connect to the SSID that has been deployed.


Method 2 – Creating the XML and deploying it via OMA-URI

With our xml string created in the pre-requisite

<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>

We can deliver this via OMA-URI. To do this we need to create a Configuration Item. Under Assets and Compliance expand Compliance Settings, then right click Configuration Items and select Create Configuration Item.


When the wizard starts specify a name for the Custom configuration item and also select Mobile Device for the configuration that you want to create.


Under “select the mobile device setting groups to configure” click the check box for “configure additional settings that are not in the default settings group”


In the “configure additional mobile device settings” click Add


In the “Browse Settings” dialogue click Create Setting


As highlighted at the beginning of this document, the OMA-URI path is

./Vendor/MSFT/WiFi/Profile/<SSID>/WlanXml, where <SSID> is the SSID of the Wi-Fi network. In my scenario this is

./Vendor/MSFT/WiFi/Profile/Zarb_5/WlanXml. Each different SSID needs its own setting with its own URI. Remember Note 5: the SSID segment must be a valid RFC 2396 URI, so an SSID containing spaces or non-ASCII characters must be %-escaped in the URI (a space becomes %20), while the <name> elements inside the XML keep the literal SSID.

Specify the following attributes in the create settings page

Name – Custom Wi-Fi Settings

Setting type – OMA URI

Data type – String

OMA-URI (case sensitive) – ./Vendor/MSFT/WiFi/Profile/Zarb_5/WlanXml

Once specified select ok


You will now see the “Custom Wi-Fi Settings” previously created under the “Browse Settings” dialogue page. Select this and click select


Important note for this section

NOTE: The <WLANProfile><name> element must match the <SSIDConfig><SSID><name> element. The script you ran earlier to generate the XML output has done this for you.

Specify a name and specify your xml for the following values:

<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns="http://www.microsoft.com/networking/WLAN/profile/v1"><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>

Also confirm that the “Remediate noncompliant rules when supported” check box is checked, then click OK.


Click Close in the “Browse Settings” . You will now see your rule that you have created. Now select Next.

Under specify the supported platforms select Windows Phone 8.1 and click Next


Click Next, Next and Next again to complete the wizard. This creates the custom Configuration Item that we will add to a configuration baseline.


You will now see the Custom Wi-Fi setting in your configuration items


Now we have the configuration item, we need to create or add this to a configuration baseline that will be deployed to a client. In this scenario we will create a new configuration baseline and deploy this to a collection.

Right click Configuration Baselines and select Create Configuration Baseline.


In the Create Configuration Baseline Dialogue specify a Name and then under configuration data click Add and select Configuration Items


In the Add Configuration Items dialogue select the custom Wi-Fi configuration item and click Add. This moves it from the available configuration items to the configuration items that will be added to this baseline. Click OK.


You will now see the configuration item in the configuration data. Now Click OK


Once the configuration baseline is set we can look to deploy this. Right click on the Configuration baseline you have just created and select Deploy


In the Deploy Configuration Baselines validate that your configuration baseline is under the selected configuration baselines.

Validate and make sure the check box is selected for “Remediate noncompliant rules when supported”.

Lastly specify the collection that you are looking to target and click OK


Now wait for the policy to arrive on your device. Next time the policy sync takes place the Wi-Fi configuration baseline will get delivered and the device will have a company delivered OMA-URI Wi-Fi profile.

Once the policy is deployed and the device has synced go to the settings control panel and select WiFi > Scroll to the bottom of the WiFi settings and select manage > Select the WiFi profile SSID that was deployed > You will now see that the WiFi profile has been “added by company policy”

In this scenario the WiFi profile will automatically connect to the SSID that has been deployed.


References :

Windows Phone 8.1 MDM Protocol guide (Page 163) – http://msdn.microsoft.com/en-us/library/dn499787.aspx

WLAN_profile Schema – http://msdn.microsoft.com/en-us/library/windows/desktop/ms707341(v=vs.85).aspx

Project My Screen App for Windows Phone – http://www.microsoft.com/en-us/download/details.aspx?id=42536