Media Services offline streaming

Note

Google Widevine content protection services are currently unavailable in the Microsoft Azure regions operated by 21Vianet.

Media Services logo v3


Warning

Azure Media Services will be retired June 30th, 2024. For more information, see the AMS Retirement Guide.

  • Your viewers might need to download content onto their phone or tablet for playback when they are disconnected from the Internet.
  • In some regions, Internet availability and/or bandwidth is still limited. Users may choose to download content to watch it in higher resolutions.
  • Some content providers may disallow DRM license delivery beyond a region's border. If a user needs to travel abroad and still wants to watch content, offline download is needed.

Azure Media Services provides a set of well-designed content protection services for Microsoft PlayReady, Apple FairPlay Streaming, and AES-128 encryption.

Note

Offline DRM is only billed for making a single request for a license when you download the content. Any errors are not billed.

Prerequisites

Before you implement offline DRM for FairPlay on an iOS 10+ device:

  • Read Apple FairPlay license requirements and configuration
  • Obtain the FPS SDK from the Apple Developer Network. The FPS SDK contains two components:
    • The FPS Server SDK, which contains the Key Security Module (KSM), client samples, a specification, and a set of test vectors.
    • The FPS Deployment Pack, which contains the D function specification, along with instructions about how to generate the FPS Certificate customer-specific private key, and Application Secret Key. Apple issues the FPS Deployment Pack only to licensed content providers.
  • The .der/.cer certificate files you receive as part of the generation of the FPS certificate contain a public key and can be made available to the client. The private key (.pfx) should be secured in Azure Key Vault or another secure location.

Store a FairPlay Private Key (.pfx) in Azure Key Vault

The private key (.pfx) that you receive from Apple should be treated as a secure certificate and can be stored in the Azure Key Vault.

  • The .pfx certificate file should first be converted to base 64 text file by the admin
  • Once converted, this file can be stored in Azure DevOps Services as a secure text file.
  • The string can then be stored in Azure KeyVault manually as a "secret object", or as part of a deployment/build script for your solution. An example of storing the FairPlay private certificate in Azure KeyVault can be seen in the Gridwich project sample code
  • Optionally, store the password for the .pfx file as a secret in the key vault.

Example CLI script

To copy the base64 encoded private key file to the Azure KeyVault:

set -eu
echo key vault : $SHARED_KV_NAME
echo "Copying FairPlay certificate to key vault as secret"
az keyvault secret set --vault-name $SHARED_KV_NAME -n ams-fairPlay-certificate-b64 -f $(FairPlayCertificate.secureFilePath) --output none

Clone the sample

Clone the Media Services .Net samples.

git clone https://github.com/Azure-Samples/media-services-v3-dotnet-tutorials.git

Modify the code

Modify the code in Encrypt with DRM using .NET to add FairPlay configurations.

More information

For more information, see Content Protection in the FAQ.