(./User/Vendor/MSFT/EnterpriseAppVManagement) contains the following sub-nodes.
diff --git a/windows/client-management/mdm/bootstrap-csp.md b/windows/client-management/mdm/bootstrap-csp.md index e07354fa81..de909e2501 100644 --- a/windows/client-management/mdm/bootstrap-csp.md +++ b/windows/client-management/mdm/bootstrap-csp.md @@ -16,18 +16,18 @@ ms.date: 06/26/2017 The BOOTSTRAP configuration service provider sets the Trusted Provisioning Server (TPS) for the device. +>[!Note] +>BOOTSTRAP CSP is only supported in Windows 10 Mobile. +> +> This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. -> **Note** BOOTSTRAP CSP is only supported in Windows 10 Mobile. -> -> -> -> **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. +The following shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - - -The following image shows the BOOTSTRAP configuration service provider in tree format as used by Open Mobile Alliance (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - - +``` +BOOTSTRAP +----CONTEXT-ALLOW +----PROVURL +``` **CONTEXT-ALLOW** Optional. Specifies a context for the TPS. Only one context is supported, so this parameter is ignored and "0" is assumed for its value. diff --git a/windows/client-management/mdm/browserfavorite-csp.md b/windows/client-management/mdm/browserfavorite-csp.md index 15a939f7eb..9fd7e646d0 100644 --- a/windows/client-management/mdm/browserfavorite-csp.md +++ b/windows/client-management/mdm/browserfavorite-csp.md @@ -28,9 +28,13 @@ This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID -The following diagram shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. +The following shows the BrowserFavorite configuration service provider in tree format as used by Open Mobile Alliance Device (OMA) Client Provisioning. The OMA Device Management protocol is not supported with this configuration service provider. - +``` +BrowserFavorite +favorite name +----URL +``` ***favorite name*** Required. Specifies the user-friendly name of the favorite URL that is displayed in the Favorites list of Internet Explorer. @@ -78,19 +82,19 @@ The following table shows the Microsoft custom elements that this configurationparm-query
Parm-query
Yes
noparm
Noparm
Yes
nocharacteristic
Nocharacteristic
Yes
characteristic-query
Characteristic-query
Yes
Recursive query: Yes
Top-level query: Yes
Optional. Integer. Specifies the default roaming value. Valid values are:
diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 44886adee0..208f4e9777 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -18,9 +18,35 @@ The CM\_CellularEntries configuration service provider is used to configure the This configuration service provider requires the ID\_CAP\_NETWORKING\_ADMIN capability to be accessed from a network configuration application. -The following diagram shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. +The following shows the CM\_CellularEntries configuration service provider management object in tree format as used by Open Mobile Alliance Client Provisioning (OMA CP). The OMA DM protocol is not supported with this configuration service provider. - +``` +CM_CellularEntries +----entryname +--------AlwaysOn +--------AuthType +--------ConnectionType +--------Desc.langid +--------Enabled +--------IpHeaderCompression +--------Password +--------SwCompression +--------UserName +--------UseRequiresMappingPolicy +--------Version +--------DevSpecificCellular +-----------GPRSInfoAccessPointName +--------Roaming +--------OEMConnectionID +--------ApnId +--------IPType +--------ExemptFromDisablePolicy +--------ExemptFromRoaming +--------TetheringNAI +--------IdleDisconnectTimeout +--------SimIccId +--------PurposeGroups +``` ***entryname***Defines the name of the connection.
@@ -51,27 +77,27 @@ The following diagram shows the CM\_CellularEntries configuration service providgprs
Gprs
Default. Used for GPRS type connections (GPRS + GSM + EDGE + UMTS + LTE).
cdma
Cdma
Used for CDMA type connections (1XRTT + EVDO).
lte
Lte
Used for LTE type connections (eHRPD + LTE) when the device is registered HOME.
legacy
Legacy
Used for GPRS + GSM + EDGE + UMTS connections.
lte_iwlan
Lte_iwlan
Used for GPRS type connections that may be offloaded over WiFi
iwlan
Iwlan
Used for connections that are implemented over WiFi offload only
nocharacteristic
Nocharacteristic
Yes
characteristic-query
Characteristic-query
Yes
parm-query
Parm-query
Yes
4444666666352222333331222223333322222222223666662222222
+ 33333B3333244444422222222222BBBBBB111111115555444111155551111333355555parm-query
Parm-query
Yes
Note that some GPRS parameters will not necessarily contain the exact same value as was set.
noparm
Noparm
Yes
nocharacteristic
Nocharacteristic
Yes
characteristic-query
Characteristic-query
Yes
4104
-Hex:1008
Hex: 1008
TPS Policy
This setting indicates whether mobile operators can be assigned the Trusted Provisioning Server (TPS) SECROLE_OPERATOR_TPS role.
Default value: 1
@@ -58,7 +61,7 @@ The following security policies are supported.4105
-Hex:1009
Hex: 1009
Message Authentication Retry Policy
This setting specifies the maximum number of times the user is allowed to try authenticating a Wireless Application Protocol (WAP) PIN-signed message.
Default value: 3
@@ -66,7 +69,7 @@ The following security policies are supported.4108
-Hex:100c
Hex: 100c
Service Loading Policy
This setting indicates whether SL messages are accepted, by specifying the security roles that can accept SL messages. An SL message downloads new services or provisioning XML to the device.
Default value: 256 (SECROLE_KNOWN_PPG)
diff --git a/windows/client-management/mdm/vpn-csp.md b/windows/client-management/mdm/vpn-csp.md index 42a6882673..ef99c4aa65 100644 --- a/windows/client-management/mdm/vpn-csp.md +++ b/windows/client-management/mdm/vpn-csp.md @@ -23,7 +23,7 @@ The VPN configuration service provider allows the MDM server to configure the VP Important considerations: -- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is particularly critical for forced tunnel VPN. +- For a VPN that requires a client certificate, the server must first enroll the needed client certificate before deploying a VPN profile to ensure that there is a functional VPN profile at the device. This is critical for forced tunnel VPN. - VPN configuration commands must be wrapped with an Atomic command as shown in the example below. @@ -31,9 +31,61 @@ Important considerations: - For the VPN CSP, you cannot use the Replace command unless the node already exists. -The following diagram shows the VPN configuration service provider in tree format. +The following shows the VPN configuration service provider in tree format. - +``` +./Vendor/MSFT +VPN +-----ProfileName +---------Server +---------TunnelType +---------ThirdParty +-------------Name +-------------AppID +-------------CustomStoreURL +-------------CustomConfiguration +---------RoleGroup +---------Authentication +-------------Method +-------------Certificate +---------------Issuer +---------------EKU +---------------CacheLifeTimeProtectedCert +-------------MultiAuth +---------------StartURL +---------------EndURL +-------------EAP +---------Proxy +-------------Automatic +-------------Manual +---------------Server +---------------Port +-------------BypassProxyforLocal +---------SecuredResources +-------------AppPublisherNameList +---------------AppPublisherName +-------------AppAllowedList +---------------AppAllowedList +-------------NetworkAllowedList +---------------NetworkAllowedList +-------------NameSapceAllowedList +---------------NameSapceAllowedList +-------------ExcudedAppList +---------------ExcudedAppList +-------------ExcludedNetworkList +---------------ExcludedNetworkList +-------------ExcludedNameSpaceList +---------------ExcludedNameSpaceList +-------------DNSSuffixSearchList +---------------DNSSuffixSearchList +---------Policies +-------------RememberCredentials +-------------SplitTunnel +-------------BypassforLocal +-------------TrustedNetworkDetection +-------------ConnectionType +---------DNSSuffix +``` ***ProfileName*** Unique alpha numeric Identifier for the profile. The profile name must not include a forward slash (/). @@ -48,12 +100,12 @@ Supported operations are Get, Add, and Replace. Value type is chr. Some examples are 208.23.45.130 or vpn.contoso.com. **TunnelType** -Optional, but required when deploying a 3rd party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. +Optional, but required when deploying a third-party IKEv2 VPN profile. Only a value of IKEv2 is supported for this release. Value type is chr. Supported operations are Get and Add. **ThirdParty** -Optional, but required if deploying 3rd party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. +Optional, but required if deploying third-party SSL-VPN plugin profile. Defines a group of setting applied to SSL-VPN profile provisioning. Supported operations are Get and Add. @@ -73,17 +125,17 @@ Valid values: - Checkpoint Mobile VPN **ThirdParty/AppID** -Optional, but required when deploying a 3rd party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. +Optional, but required when deploying a third-party SSL-VPN plugin app from a private enterprise storefront. This is the ProductID associated with the store application. The client will use this ProductID to ensure that only the enterprise approved plugin is initialized. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomStoreURL** -Optional, but required if an enterprise is deploying a 3rd party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the 3rd party SSL-VPN plugin app. +Optional, but required if an enterprise is deploying a third-party SSL-VPN plugin app from the private enterprise storefront. This node specifies the URL of the third-party SSL-VPN plugin app. Value type is chr. Supported operations are Get, Add, Replace, and Delete. **ThirdParty/CustomConfiguration** -Optional. This is an HTML encoded XML blob for SSL-VPN plugin specific configuration that is deployed to the device to make it available for SSL-VPN plugins. +Optional. This is an HTML encoded XML blob for SSL-VPN plugin-specific configuration that is deployed to the device to make it available for SSL-VPN plugins. Value type is char. Supported operations are Get, Add, Replace, and Delete. @@ -98,7 +150,7 @@ Optional node for ThirdParty VPN profiles, but required for IKEv2. This is a col Supported operations are Get and Add. **Authentication/Method** -Required for IKEv2 profiles and optional for third party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. +Required for IKEv2 profiles and optional for third-party profiles. This specifies the authentication provider to use for VPN client authentication. Only the EAP method is supported for IKEv2 profiles. Supported operations are Get and Add. @@ -114,7 +166,7 @@ Optional node. A collection of nodes that enables simpler authentication experie Supported operations are Get and Add. **Authentication/Certificate/Issuer** -Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used in conjunction with EKU for more granular filtering. +Optional. Filters out the installed certificates with private keys stored in registry or TPM. This can be used with EKU for more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -123,7 +175,7 @@ Value type is chr. Supported operations are Get, Add, Delete, and Replace. **Authentication/Certificate/EKU** -Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this in conjunction with ISSUER for a more granular filtering. +Optional. This Extended Key Usage (EKU) element is used to filter out the installed certificates with private keys stored in the registry or TPM. You can use this with ISSUER for a more granular filtering. Value type is chr. Supported operations are Get, Add, Delete, and Replace. @@ -175,16 +227,16 @@ Default is False. Optional node. A collection of configuration objects that define the inclusion resource lists for what can be secured over VPN. Allowed lists are applied only when Policies/SplitTunnel element is set to True. VPN exclusions are not supported.. **SecuredResources/AppAllowedList/AppAllowedList** -Optional. Specifies one or more ProductIDs for the enterprise line of business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is auto-triggered, VPN is triggered automatically by these apps. +Optional. Specifies one or more ProductIDs for the enterprise line-of-business applications built for Windows. When this element is defined, then all traffic sourced from specified apps will be secured over VPN (assuming protected networks defined allows access). They will not be able to connect directly bypassing the VPN connection. When the profile is autotriggered, VPN is triggered automatically by these apps. -Supported operations are Get, Add, Replace and Delete. +Supported operations are Get, Add, Replace, and Delete. Value type is chr. Examples are {F05DC613-E223-40AD-ABA9-CCCE04277CD9} and ContosoApp.ContosoCorp\_jlsnulm3s397u. **SecuredResources/NetworkAllowedList/NetworkAllowedList** -Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is auto-triggered, the VPN is triggered automatically by these protected networks. +Optional, but required when Policies/SplitTunnel is set to true for IKEv2 profile. Specifies one or more IP ranges that you want secured over VPN. Applications connecting to protected resources that match this list will be secured over VPN. Otherwise, they’ll continue to connect directly. The IP ranges are defined in the format 10.0.0.0/8. When the profile is autotriggered, the VPN is triggered automatically by these protected networks. Supported operations are Get, Add, Replace, and Delete. @@ -202,7 +254,7 @@ Value type is chr. An example is \*.corp.contoso.com. **SecuredResources/ExcluddedAppList/ExcludedAppList** -Optional. Specifies one or more ProductIDs for enterprise line of business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. +Optional. Specifies one or more ProductIDs for enterprise line-of-business applications built for Windows. When the element is defined, these apps will never use VPN. They will connect directly and bypass the VPN connection. Supported operations are Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/w4-application-csp.md b/windows/client-management/mdm/w4-application-csp.md index e7321b1888..4c31e6b3d2 100644 --- a/windows/client-management/mdm/w4-application-csp.md +++ b/windows/client-management/mdm/w4-application-csp.md @@ -21,11 +21,17 @@ The default security roles are defined in the root characteristic, and map to ea > **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_CSP\_W4\_APPLICATION capabilities to be accessed from a network configuration application. - +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. -The following diagram shows the configuration service provider in tree format as used by OMA Client Provisioning. - - +``` +APPLICATION +----APPID +----NAME +----TO-PROXY +----TO-NAPID +----ADDR +----MS +``` **APPID** Required. This parameter takes a string value. The only supported value for configuring MMS is "w4". diff --git a/windows/client-management/mdm/w7-application-csp.md b/windows/client-management/mdm/w7-application-csp.md index 7aaa801796..b8113fb873 100644 --- a/windows/client-management/mdm/w7-application-csp.md +++ b/windows/client-management/mdm/w7-application-csp.md @@ -19,11 +19,37 @@ The APPLICATION configuration service provider that has an APPID of w7 is used f > **Note** This configuration service provider requires the ID\_CAP\_CSP\_FOUNDATION and ID\_CAP\_DEVICE\_MANAGEMENT\_ADMIN capabilities to be accessed from a network configuration application. - -The following image shows the configuration service provider in tree format as used by OMA Client Provisioning. +The following shows the configuration service provider in tree format as used by OMA Client Provisioning. - +``` +APPLICATION +---APPADDR +------ADDR +------ADDRTYPE +------PORT +---------PORTNBR +---APPAUTH +------AAUTHDATA +------AAUTHLEVEL +------AAUTHNAME +------AAUTHSECRET +------AAUTHTYPE +---AppID +---BACKCOMPATRETRYDISABLED +---CONNRETRYFREQ +---DEFAULTENCODING +---INIT +---INITIALBACKOFTIME +---MAXBACKOFTIME +---NAME +---PROTOVER +---PROVIDER-ID +---ROLE +---TO-NAPID +---USEHWDEVID +---SSLCLIENTCERTSEARCHCRITERIA +``` > **Note** All parm names and characteristic types are case sensitive and must use all uppercase. Both APPSRV and CLIENT credentials must be provided in provisioning XML. diff --git a/windows/client-management/mdm/wifi-csp.md b/windows/client-management/mdm/wifi-csp.md index e867ae66ef..dfeb5d926f 100644 --- a/windows/client-management/mdm/wifi-csp.md +++ b/windows/client-management/mdm/wifi-csp.md @@ -29,9 +29,22 @@ Programming considerations: - For the WiFi CSP, you cannot use the Replace command unless the node already exists. - Using Proxyis only supported in Windows 10 Mobile. Using this configuration in Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) will result in failure. -The following image shows the WiFi configuration service provider in tree format. +The following shows the WiFi configuration service provider in tree format. + +``` +./Device/Vendor/MSFT +or +./User/Vendor/MSFT +WiFi +---Profile +------SSID +---------WlanXML +---------Proxy +---------ProxyPacUrl +---------ProxyWPAD +---------WiFiCost +``` - The following list shows the characteristics and parameters. diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index 4f22b0b48c..2bfea76614 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -17,9 +17,25 @@ ms.date: 11/01/2017 The Windows Defender Advanced Threat Protection (WDATP) configuration service provider (CSP) allows IT Admins to onboard, determine configuration and health status, and offboard endpoints for WDATP. -The following diagram shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). +The following shows the WDATP configuration service provider in tree format as used by the Open Mobile Alliance (OMA) Device Management (DM). - +``` +./Device/Vendor/MSFT +WindowsAdvancedThreatProtection +----Onboarding +----HealthState +--------LastConnected +--------SenseIsRunning +--------OnboardingState +--------OrgId +----Configuration +--------SampleSharing +--------TelemetryReportingFrequency +----Offboarding +----DeviceTagging +--------Group +--------Criticality +``` The following list describes the characteristics and parameters. diff --git a/windows/client-management/mdm/wmi-providers-supported-in-windows.md b/windows/client-management/mdm/wmi-providers-supported-in-windows.md index 2fe71b5e76..7dfbe89239 100644 --- a/windows/client-management/mdm/wmi-providers-supported-in-windows.md +++ b/windows/client-management/mdm/wmi-providers-supported-in-windows.md @@ -86,19 +86,19 @@ For links to these classes, see [**MDM Bridge WMI Provider**](/windows/win32/dmw