Tip of the Day: Getting Ready for Windows 10 - An MDM Primer

Today’s Tip…

Need to understand the finer points of MDM, but have no more than 10 minutes to spare?  Then let’s get started…..

Mobile Device Management (MDM) Primer

Open Mobile Alliance Device Management (OMA-DM)

Mobile Device Management (MDM) solutions offer an effective way to meet the challenges of managing modern enterprise BYOD scenarios.  ‘MDM’ is an industry term for administering devices through a platform-independent management protocol.  The Windows MDM client implements the Open Mobile Alliance Device Management (OMA-DM) standard; Apple iOS and Android are managed through their own, non-OMA-DM protocols.  An MDM product such as Microsoft Intune speaks each platform's protocol and gives IT administrators a common toolset to apply and enforce policy, including VPN connection policy, across all of them.

Synchronization Markup Language (SyncML)

Synchronization Markup Language (SyncML) is a platform-independent, XML-based message format originally defined for data synchronization and later adopted by OMA-DM as the representation of its management messages.  Its purpose is to offer an open standard in place of vendor-specific device management protocols.

Device policies, including VPN connection profiles, are formatted using the XML-based Synchronization Markup Language (SyncML).

The SyncML Device Management Tree (DM Tree)

Conceptually similar to the methods used by other management protocols, OMA-DM organizes device settings into a tree structure known as the Device Management Tree, or DM Tree.  The root of the tree is the node ‘.’; on Windows the first level beneath it separates device-wide settings (Device) from per-user settings (User), and under that a Vendor node defines a namespace for a given platform vendor, such as Microsoft (MSFT).  That namespace provides the context under which all other vendor-specific configuration settings (or ‘device configuration resources’) are organized.

Immediately underneath the vendor namespace is a top-level node identifying the specific ‘Configuration Service Provider (CSP)’ being targeted.  Typically each feature being configured (wireless, VPN and so on) implements its own CSP.  CSPs map directly to a device's capabilities, so the set of CSPs and the nodes they expose can differ significantly between versions, for example between Windows 8.1 and Windows 10.

Open Mobile Alliance Uniform Resource Identifier (OMA-URI)

The full path to a specific device configuration setting (referred to in some documentation as a ‘resource’) is represented by an Open Mobile Alliance Uniform Resource Identifier (OMA-URI).  The URI is written relative to the device's root node ‘.’, and the full, root-relative URI must always be used when configuring policy; a path that drops the leading ‘./’ or the Device/User scope is not a valid target.

The following example illustrates the full OMA-URI path of the VPN server address setting for a profile that uses the built-in (native) Windows VPN client.  ProfileName stands for the name given to the VPN profile:

./Device/Vendor/MSFT/VPNv2/ProfileName/NativeProfile/Servers

In a tree diagram, this would be represented as follows:

.
└── Device
    └── Vendor
        └── MSFT
            └── VPNv2
                └── ProfileName
                    └── NativeProfile
                        └── Servers

CSPs and the configuration of VPN profile settings using OMA-URIs are covered later in this lesson.
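As an added example (not code from the original tip), the following Python script parses full OMA-URIs into their scope, vendor, CSP and node path, builds the DM Tree that a set of URIs spans, and rejects any URI that is not written relative to the device root, which is the check a practitioner wants before a policy is pushed.  The profile name CorpVPN and the particular VPNv2 nodes listed are assumptions for illustration, and the parser deliberately covers only CSPs under the Vendor node (DevInfo, DevDetail and similar root-level CSPs are out of scope here).

```python
"""Added example: parse OMA-URIs and build the DM Tree they describe (not code from the original tip)."""
import re

# Constructed sample: the OMA-URIs of one VPNv2 profile. The profile name 'CorpVPN'
# and the choice of nodes are assumptions for illustration.
PROFILE_URIS = [
    "./Device/Vendor/MSFT/VPNv2/CorpVPN/NativeProfile/Servers",
    "./Device/Vendor/MSFT/VPNv2/CorpVPN/NativeProfile/NativeProtocolType",
    "./Device/Vendor/MSFT/VPNv2/CorpVPN/NativeProfile/Authentication/UserMethod",
    "./Device/Vendor/MSFT/VPNv2/CorpVPN/AlwaysOn",
]

# A full, root-relative URI of a vendor CSP node:
#   "./" + scope + "/Vendor/" + vendor + "/" + CSP + node path
# CSPs outside the Vendor subtree (DevInfo, DevDetail, ...) are intentionally not matched.
_VENDOR_URI_RE = re.compile(r"^\./(Device|User)/Vendor/([^/]+)/([^/]+)((?:/[^/]+)+)$")


def is_full_oma_uri(uri):
    """True only for a URI written relative to the root node '.', as policy requires."""
    return _VENDOR_URI_RE.match(uri) is not None


def parse_oma_uri(uri):
    """Split a full OMA-URI into (scope, vendor, csp, node_path).

    Raises ValueError for a URI that is not device-rooted, e.g. one that drops the
    leading './' or names the CSP without a Device/User scope.
    """
    m = _VENDOR_URI_RE.match(uri)
    if m is None:
        raise ValueError(f"not a full OMA-URI (expected './Device/...' or './User/...'): {uri}")
    scope, vendor, csp, rest = m.groups()
    return scope, vendor, csp, rest.strip("/").split("/")


def build_dm_tree(uris):
    """Nest a list of OMA-URIs into a dict-of-dicts rooted at '.'; leaves are empty dicts."""
    tree = {}
    for uri in uris:
        scope, vendor, csp, nodes = parse_oma_uri(uri)
        cursor = tree
        for part in (scope, "Vendor", vendor, csp, *nodes):
            cursor = cursor.setdefault(part, {})
    return tree


def render_tree(tree, depth=0):
    """Return the tree as a list of indented lines, one node per line, in insertion order."""
    lines = []
    for name, children in tree.items():
        lines.append("  " * depth + name)
        lines.extend(render_tree(children, depth + 1))
    return lines


if __name__ == "__main__":
    print("\n".join(["."] + render_tree(build_dm_tree(PROFILE_URIS))))
    # A path written without the './' prefix is rejected rather than silently accepted:
    print(is_full_oma_uri(".Device/Vendor/MSFT/VPNv2/ProfileName/NativeProfile/Servers"))
```

Running the script prints the same tree shape as the diagram above, with the four constructed leaves under CorpVPN, and prints False for the malformed path.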

SyncML Data Exchange and Client/Server Interactions

A collection of settings, such as those required to construct a VPN connection profile, is defined as a set of OMA-URI/value pairs, which are delivered to the device in an XML data exchange with the MDM server.  Configuration service providers (CSPs) on the device are responsible for accepting each OMA-URI and mapping it to the appropriate underlying setting (a registry value, a file, a permission, and so on).

Briefly, the process is as follows:

Device Management Session

MDM, based on OMA-DM, is a client/server protocol.  A client must first initiate a device management session with the server using the ‘initialization from client to server’ message that OMA-DM specifies; its body carries an Alert with code 1201 (client-initiated management session) together with basic device information.

After the session has been established, the server may issue SyncML commands (Add, Replace, Get, Delete, Exec) indicating operations to perform against nodes in the client device's DM Tree.

The client always initiates each exchange by transmitting a SyncML message to the server in an HTTP POST.  The server's responses (Status commands) to the client's commands, together with any new commands the server has for the client, are carried in the HTTP response to that POST.  The client reports the outcome of those commands back to the server in its next POST.

An example of a short OMA-DM session is shown in the following figure:

[Figure: a short OMA-DM session, client HTTP POST and server response; image not reproduced]
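The exchange described above, written out as an added example that is not from the original tip: a constructed, client-initiated OMA-DM session in Python.  The client's Package #1 opens the session (Alert 1201 plus a DevInfo item), the server's Package #2 acknowledges the header and each client command with a Status and pushes a Replace for the VPNv2 Servers node, and the client applies the Replace to an in-memory DM Tree, answering with an error status for any target outside its Vendor/MSFT subtree instead of silently accepting it.  The server URL, device ID, profile name and DevInfo item are assumptions; real messages also carry Meta/Format and Type elements, which are omitted here.

```python
"""Added example: one constructed, client-initiated OMA-DM session (not code from the original tip)."""
import xml.etree.ElementTree as ET

SYNCML_NS = "SYNCML:SYNCML1.2"        # namespace of the SyncML root in Windows MDM traffic
NS = {"s": SYNCML_NS}
ET.register_namespace("", SYNCML_NS)   # serialise tags without an ns0: prefix
ALERT_CLIENT_INITIATED = "1201"       # OMA-DM alert code for a client-initiated session
# Hypothetical identifiers for the constructed exchange.
SERVER_URI = "https://mdm.example.com/ManagementServer/MDM.svc"
DEVICE_ID = "B1C2D3E4F5A6"
VPN_SERVERS_URI = "./Device/Vendor/MSFT/VPNv2/CorpVPN/NativeProfile/Servers"

def _sub(parent, tag, text=None):
    """Append a SyncML-namespaced child element, optionally with text."""
    el = ET.SubElement(parent, f"{{{SYNCML_NS}}}{tag}")
    if text is not None:
        el.text = text
    return el

def _envelope(session_id, msg_id, source, target):
    """Build <SyncML> with a filled-in <SyncHdr>; return (root, <SyncBody>)."""
    root = ET.Element(f"{{{SYNCML_NS}}}SyncML")
    hdr = _sub(root, "SyncHdr")
    _sub(hdr, "VerDTD", "1.2")
    _sub(hdr, "VerProto", "DM/1.2")
    _sub(hdr, "SessionID", session_id)
    _sub(hdr, "MsgID", str(msg_id))
    _sub(_sub(hdr, "Target"), "LocURI", target)
    _sub(_sub(hdr, "Source"), "LocURI", source)
    return root, _sub(root, "SyncBody")

def client_package1(session_id="1"):
    """Package #1 (client -> server, sent in an HTTP POST): Alert 1201 plus DevInfo, then Final."""
    root, body = _envelope(session_id, 1, DEVICE_ID, SERVER_URI)
    alert = _sub(body, "Alert")
    _sub(alert, "CmdID", "1")
    _sub(alert, "Data", ALERT_CLIENT_INITIATED)
    rep = _sub(body, "Replace")
    _sub(rep, "CmdID", "2")
    item = _sub(rep, "Item")
    _sub(_sub(item, "Source"), "LocURI", "./DevInfo/DevId")
    _sub(item, "Data", DEVICE_ID)
    _sub(body, "Final")
    return ET.tostring(root, encoding="unicode")

def server_package2(client_xml, settings):
    """Package #2 (server -> client, in the HTTP response to that POST): a Status for the
    SyncHdr and for every client command, then one Replace per (OMA-URI, value) to push."""
    req = ET.fromstring(client_xml)
    session_id = req.findtext("s:SyncHdr/s:SessionID", namespaces=NS)
    msg_ref = req.findtext("s:SyncHdr/s:MsgID", namespaces=NS)
    root, body = _envelope(session_id, 1, SERVER_URI, DEVICE_ID)
    to_ack = [("SyncHdr", "0")] + [(c.tag.split("}")[1], c.findtext("s:CmdID", namespaces=NS))
                                   for c in req.find("s:SyncBody", NS) if c.find("s:CmdID", NS) is not None]
    cmd_id = 0
    for name, cmd_ref in to_ack:
        cmd_id += 1
        st = _sub(body, "Status")
        for tag, text in (("CmdID", str(cmd_id)), ("MsgRef", msg_ref), ("CmdRef", cmd_ref), ("Cmd", name), ("Data", "200")):
            _sub(st, tag, text)
    for uri, value in settings:  # real messages also carry <Meta><Format>/<Type>; omitted here
        cmd_id += 1
        rep = _sub(body, "Replace")
        _sub(rep, "CmdID", str(cmd_id))
        item = _sub(rep, "Item")
        _sub(_sub(item, "Target"), "LocURI", uri)
        _sub(item, "Data", value)
    _sub(body, "Final")
    return ET.tostring(root, encoding="unicode")

def client_apply(server_xml, dm_tree):
    """Client side of Package #2: apply each server command to an in-memory DM tree (dict of
    OMA-URI -> value) and return {CmdID: status} for the client's next message. Only Replace on
    a node under Vendor/MSFT is honoured; anything else gets an error status, never silent success."""
    statuses = {}
    for cmd in ET.fromstring(server_xml).find("s:SyncBody", NS):
        name = cmd.tag.split("}")[1]
        if name in ("Status", "Final"):
            continue
        cmd_id = cmd.findtext("s:CmdID", namespaces=NS)
        if name != "Replace":
            statuses[cmd_id] = "405"      # command not allowed on this client
            continue
        for item in cmd.findall("s:Item", NS):
            uri = item.findtext("s:Target/s:LocURI", namespaces=NS) or ""
            if not uri.startswith(("./Device/Vendor/MSFT/", "./User/Vendor/MSFT/")):
                statuses[cmd_id] = "404"  # no CSP on this device owns that node
                break
            dm_tree[uri] = item.findtext("s:Data", namespaces=NS)
        else:
            statuses[cmd_id] = "200"
    return statuses

def run_session():
    """Drive one session: client Package #1, server Package #2, client-side application."""
    dm_tree = {}
    pkg1 = client_package1()
    pkg2 = server_package2(pkg1, [(VPN_SERVERS_URI, "vpn.contoso.com")])
    return pkg1, pkg2, client_apply(pkg2, dm_tree), dm_tree
```

Calling run_session() returns the two serialized SyncML documents, the client's status map (the server's Replace is CmdID 4 after three Status commands, and succeeds with 200) and the DM tree holding the pushed server address.  Pointing the same Replace at a node outside Vendor/MSFT yields a 404 status for that command instead, which is the behaviour a CSP-less node should produce.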

For more information on the Open Mobile Alliance, visit the OMA website at https://openmobilealliance.org