MDM_ClientCertificateInstall_System02_Install05 class

[Some information relates to pre-released product which may be substantially modified before it's commercially released. Microsoft makes no warranties, express or implied, with respect to the information provided here.]

The MDM_ClientCertificateInstall_System02_Install05 class lets the enterprise configure the installation of client certificates. It is required for SCEP certificate enrollment and is the parent node that groups the settings of one SCEP certificate installation request.

Format is node. Supported operations are Add and Delete.

Note   Even though the child nodes under Install support Replace commands, once the Exec command has been accepted the device uses the child node values that were set at that moment. The server should not expect a change to a child node value made after the Exec command was accepted to affect the enrollment already in progress. Before changing child node values, the server should read the Status node and confirm that the device is not in an unknown state.

The following syntax is simplified from Managed Object Format (MOF) code and includes all of the inherited properties.

Syntax

[dynamic, provider("DMWmiBridgeProv"), AMENDMENT]
class MDM_ClientCertificateInstall_System02_Install05
{
  string InstanceID;
  string ParentID;
  string ServerURL;
  string Challenge;
  string EKUMapping;
  sint32 KeyUsage;
  string SubjectName;
  sint32 KeyProtection;
  sint32 RetryDelay;
  sint32 RetryCount;
  string TemplateName;
  sint32 KeyLength;
  string HashAlgorithm;
  string CAThumbprint;
  string SubjectAlternativeNames;
  string ValidPeriod;
  sint32 ValidPeriodUnits;
  string ContainerName;
  string CustomTextToShowInPinPrompt;
};

Members

The MDM_ClientCertificateInstall_System02_Install05 class has these types of members:

  • Methods
  • Properties

Methods

The MDM_ClientCertificateInstall_System02_Install05 class has these methods.

Method Description
EnrollMethod Required. Triggers the device to start the certificate enrollment. This corresponds to the Exec command described in the note above, so the child node values in effect when the device accepts it are the ones used for the enrollment.

Properties

The MDM_ClientCertificateInstall_System02_Install05 class has these properties.

CAThumbprint

Data type: string

Access type: Read-only

Required. Specifies the root CA thumbprint: the 20-byte SHA-1 hash of the CA certificate, written as a string of 40 hexadecimal characters. When the client authenticates the SCEP server, it compares the CA certificate returned by the SCEP server against this thumbprint; if they do not match, authentication fails. This value is the only thing that binds the enrollment to a particular CA, so it should be taken from the CA certificate itself rather than copied from an untrusted source.

Data type format is a string.

Challenge

Data type: string

Access type: Read-only

Required for SCEP certificate enrollment. The Base64-encoded SCEP enrollment challenge.

Data type format is a string.

ContainerName

Data type: string

Access type: Read-only

Optional. Specifies the NGC container name, used when the NGC KSP is chosen for this node. If KeyProtection selects NGC and this node is not specified, the enrollment fails.

The data type format is a string.

CustomTextToShowInPinPrompt

Data type: string

Access type: Read-only

Optional. Specifies custom text to show in the NGC PIN prompt during certificate enrollment. The admin can use this field to tell the user why the PIN is being requested and what the certificate will be used for.

The data type format is a string.

EKUMapping

Data type: string

Access type: Read-only

Required. Specifies the extended key usages, subject to SCEP server configuration. The list of OIDs is separated by a plus sign (+), for example OID1+OID2+OID3.

Data type format is a string.

HashAlgorithm

Data type: string

Access type: Read-only

Required. The hash algorithm family (SHA-1, SHA-2, SHA-3) specified by the MDM server. If multiple hash algorithm families are specified, they must be separated by +.

For NGC, SHA256 is the only supported algorithm.

Data type format is a string.

InstanceID

Data type: string

Access type: Read-only

Qualifiers: key

TBD

KeyLength

Data type: sint32

Access type: Read-only

Required for enrollment. Specifies the RSA private key length in bits.

Data type format is an integer.

Valid values are 1024, 2048, and 4096. A 1024-bit RSA key is below current minimum key-size guidance and should be used only where a legacy CA requires it; prefer 2048 or 4096.

For NGC, 2048 is the only supported key length.

KeyProtection

Data type: sint32

Access type: Read-only

Optional. Specifies where to keep the private key.

Note  Even if the private key is protected by TPM, it is not protected with a TPM PIN.

The data type format is an integer corresponding to one of the following values:

Value Description
1 Private key protected by TPM.
2 Private key protected by phone TPM if the device supports TPM. All Windows Phone 8.1 devices support TPM and treat value 2 as 1.
3 (Default) Private key saved in software KSP.
4 Private key protected by NGC. If this option is specified, ContainerName must also be specified, otherwise enrollment fails.

KeyUsage

Data type: sint32

Access type: Read-only

Required for enrollment. Specifies the X.509 key usage bits for the certificate (for example 0x80, 0x20, 0xA0) as a decimal integer. The value must have bit 0x20 (keyEncipherment), bit 0x80 (digitalSignature), or both set; if neither is set, the configuration fails.

Data type format is an integer.

ParentID

Data type: string

Access type: Read-only

Qualifiers: key

Describes the full path to the parent node. For this class, the string is "./Vendor/MSFT/ClientCertificateInstall/My/System/SCEP/UniqueID", where UniqueID is the identifier chosen for this SCEP request.

RetryCount

Data type: sint32

Access type: Read-only

Optional. Unique to SCEP. Specifies how many times the device retries when the SCEP server returns a pending status.

Data type format is an integer.

Default value is 3.

Maximum value is 30. If the value is larger than 30, the device will use 30.

Minimum value is 0, which indicates no retry.

RetryDelay

Data type: sint32

Access type: Read-only

Optional. When the SCEP server returns a pending status, this value specifies how long, in minutes, the device waits before retrying.

Data type format is an integer.

The default value is 5.

The minimum value is 1.

ServerURL

Data type: string

Access type: Read-only

Required for SCEP certificate enrollment. Specifies the URL of the certificate enrollment server. Multiple server URLs can be listed, separated by semicolons.

Data type format is a string.

SubjectAlternativeNames

Data type: string

Access type: Read-only

Optional. Specifies the subject alternative names (SANs). Multiple alternative names can be specified in this node; each is the combination of a name format and the actual name, written as [name format]+[actual name]. Refer to the name type definitions in MSDN for the name formats.

Pairs are separated by semicolons. For example, multiple SANs are written as [name format1]+[actual name1];[name format2]+[actual name2].

Data type format is a string.

SubjectName

Data type: string

Access type: Read-only

Required. Specifies the subject name.

Data type format is a string.

TemplateName

Data type: string

Access type: Read-only

Optional. OID of the certificate template.

Note  This value is typically ignored by the SCEP server, so the MDM server usually does not need to provide it.

Data type format is a string.

ValidPeriod

Data type: string

Access type: Read-only

Optional. Specifies the unit type (days, months, or years) of the requested certificate validity period; the number of units is given in ValidPeriodUnits.

Valid values are:

  • Days (Default)
  • Months
  • Years

Note  The device only sends the validity period expected by the MDM server (ValidPeriodUnits + ValidPeriod) to the SCEP server as part of the certificate enrollment request. Depending on its configuration, the SCEP server decides how to use this period when it creates the certificate.

ValidPeriodUnits

Data type: sint32

Access type: Read-only

Optional. Specifies the number of units in the requested validity period; the unit type (days, months, or years) is defined in the ValidPeriod node. This is subject to SCEP server configuration. Default value is 0. Note that the validity period specified by the MDM server overrides the validity period specified in the certificate template. For example, if ValidPeriod is Days and ValidPeriodUnits is 30, the requested validity is 30 days.

The data type format is an integer.

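
The value formats described above for EKUMapping, KeyUsage, CAThumbprint, SubjectAlternativeNames, KeyLength with KeyProtection and ContainerName, RetryCount and RetryDelay, and ValidPeriod with ValidPeriodUnits, gathered into one validator. This is an added example written for this page; it is not Microsoft's code and not part of the CSP. It assumes that the SAN name-format codes are the wincrypt.h CERT_ALT_NAME_* values and that the bridge's InstanceID for this node is the leaf name "Install" (the page lists InstanceID as TBD); the sample input is constructed. The returned dictionary is keyed by the property names in the Syntax block, so on Windows it can be passed, together with ParentID and InstanceID, as the -Property hashtable of New-CimInstance in the Root\CIMv2\MDM\DMMap namespace.

```python
import base64
import re

# X.509 KeyUsage bits as laid out in the first byte of the BIT STRING (RFC 5280);
# the masks equal the Windows CERT_*_KEY_USAGE constants. The page requires at
# least one of 0x20 (keyEncipherment) or 0x80 (digitalSignature).
KU_DIGITAL_SIGNATURE, KU_KEY_ENCIPHERMENT = 0x80, 0x20
KP_TPM, KP_PHONE_TPM, KP_SOFTWARE, KP_NGC = 1, 2, 3, 4      # KeyProtection table
# ASSUMPTION: SAN "name format" codes are the wincrypt.h CERT_ALT_NAME_* values
# (2 = RFC822 e-mail, 3 = DNS name, 7 = URL); the page only points to the MSDN
# name type definitions, so confirm this against your SCEP server.
SAN_RFC822_NAME, SAN_DNS_NAME, SAN_URL = 2, 3, 7
SCEP_PARENT = "./Vendor/MSFT/ClientCertificateInstall/My/System/SCEP"
VALID_PERIODS, VALID_KEY_LENGTHS = ("Days", "Months", "Years"), (1024, 2048, 4096)
MAX_RETRY_COUNT = 30
_OID_RE = re.compile(r"^\d+(\.\d+)+$")

def node_keys(unique_id):
    # ParentID/InstanceID for the WMI bridge. ASSUMPTION: InstanceID is the leaf
    # node name "Install"; the page lists it as TBD.
    if not unique_id or "/" in unique_id:
        raise ValueError("UniqueID must be a single non-empty path segment")
    return {"ParentID": f"{SCEP_PARENT}/{unique_id}", "InstanceID": "Install"}

def format_eku(oids):
    # EKUMapping: OIDs joined with '+', e.g. OID1+OID2+OID3.
    if not all(_OID_RE.match(o) for o in oids):
        raise ValueError(f"EKUMapping must be dotted OIDs: {oids}")
    return "+".join(oids)

def format_sans(pairs):
    # SubjectAlternativeNames: '[format]+[name]' entries joined with ';'.
    return ";".join(f"{int(fmt)}+{name}" for fmt, name in pairs)

def parse_sans(value):
    # Inverse of format_sans, for auditing a value read back from the node.
    return [(int(f), n) for f, _, n in (i.partition("+") for i in value.split(";") if i)]

def normalize_thumbprint(value):
    # CAThumbprint: 20-byte SHA-1 hash as 40 hex characters, separators dropped.
    hexstr = re.sub(r"[\s:]", "", value).upper()
    if not re.fullmatch(r"[0-9A-F]{40}", hexstr):
        raise ValueError("CAThumbprint must be 40 hexadecimal characters")
    return hexstr

def build_scep_install(*, ServerURL, Challenge, CAThumbprint, SubjectName, EKUMapping,
                       KeyUsage, KeyLength, HashAlgorithm, KeyProtection=KP_SOFTWARE,
                       ContainerName=None, SubjectAlternativeNames=None, RetryCount=3,
                       RetryDelay=5, ValidPeriod="Days", ValidPeriodUnits=0,
                       TemplateName=None, CustomTextToShowInPinPrompt=None):
    # Apply the rules stated for each node on this page and return the property
    # bag keyed by WMI property name; raises ValueError on the first violation.
    urls = [u for u in ServerURL.split(";") if u]
    if not urls or not SubjectName:
        raise ValueError("ServerURL and SubjectName are required")
    base64.b64decode(Challenge, validate=True)            # Challenge must be Base64
    if KeyUsage < 0 or not KeyUsage & (KU_KEY_ENCIPHERMENT | KU_DIGITAL_SIGNATURE):
        raise ValueError("KeyUsage needs 0x20 (keyEncipherment) and/or 0x80 (digitalSignature)")
    if KeyLength not in VALID_KEY_LENGTHS or KeyProtection not in (1, 2, 3, 4):
        raise ValueError("KeyLength must be 1024/2048/4096 and KeyProtection 1-4")
    if KeyProtection == KP_NGC and not (ContainerName and KeyLength == 2048 and HashAlgorithm == "SHA256"):
        raise ValueError("NGC requires ContainerName, KeyLength 2048 and HashAlgorithm SHA256")
    if RetryCount < 0 or RetryDelay < 1:
        raise ValueError("RetryCount minimum is 0; RetryDelay minimum is 1 minute")
    if ValidPeriod not in VALID_PERIODS or ValidPeriodUnits < 0:
        raise ValueError("ValidPeriod must be Days/Months/Years with ValidPeriodUnits >= 0")
    props = {
        "ServerURL": ";".join(urls), "Challenge": Challenge,
        "CAThumbprint": normalize_thumbprint(CAThumbprint), "SubjectName": SubjectName,
        "EKUMapping": format_eku(EKUMapping), "KeyUsage": int(KeyUsage),   # decimal on the wire
        "KeyLength": KeyLength, "HashAlgorithm": HashAlgorithm, "KeyProtection": KeyProtection,
        "RetryCount": min(RetryCount, MAX_RETRY_COUNT),       # the device caps this at 30
        "RetryDelay": RetryDelay, "ValidPeriod": ValidPeriod, "ValidPeriodUnits": ValidPeriodUnits,
    }
    if SubjectAlternativeNames:                               # optional nodes only when set
        props["SubjectAlternativeNames"] = format_sans(SubjectAlternativeNames)
    for name, value in (("ContainerName", ContainerName), ("TemplateName", TemplateName),
                        ("CustomTextToShowInPinPrompt", CustomTextToShowInPinPrompt)):
        if value:
            props[name] = value
    return props

# Constructed sample input; not taken from any real deployment.
SAMPLE = dict(
    ServerURL="https://scep.contoso.com/certsrv/mscep/mscep.dll",
    Challenge=base64.b64encode(b"constructed-challenge").decode(),
    CAThumbprint="01:23:45:67:89:ab:cd:ef:01:23:45:67:89:ab:cd:ef:01:23:45:67",
    SubjectName="CN=laptop01.contoso.com",
    EKUMapping=["1.3.6.1.5.5.7.3.2"],                       # clientAuth
    KeyUsage=KU_DIGITAL_SIGNATURE | KU_KEY_ENCIPHERMENT,    # 0xA0 -> 160
    KeyLength=2048, HashAlgorithm="SHA256", KeyProtection=KP_TPM,
    SubjectAlternativeNames=[(SAN_RFC822_NAME, "user@contoso.com"),
                             (SAN_DNS_NAME, "laptop01.contoso.com")],
    RetryCount=100,                                         # clamped to 30
)

if __name__ == "__main__":
    for key, value in {**node_keys("ContosoUser"), **build_scep_install(**SAMPLE)}.items():
        print(f"{key} = {value!r}")
```

Running it prints the property bag for the constructed sample. The KeyUsage check implements the rule from the KeyUsage node (0xA0, decimal 160, passes; 0x10 alone fails), RetryCount is clamped to the device's maximum of 30, the NGC branch enforces the ContainerName, 2048-bit and SHA256 constraints the KeyProtection, KeyLength and HashAlgorithm nodes describe, and format_sans/parse_sans round-trip the [format]+[name];... string so a value read back from the node can be audited.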

Requirements

Minimum supported client

Windows 10 Insider Preview

Minimum supported server

None supported

Namespace

Root\CIMv2\MDM\DMMap

MOF

DMWmiBridgeProv.mof

DLL

DMWmiBridgeProv.dll