

anyweb

Unified Device Management with Configuration Manager 2012 R2 - Part 5. Enabling support for Windows 8.1 devices


Introduction

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added support for iOS devices (iPhone, iPad). In Part 3 we learned the difference between an App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or iPad operating system version. In addition, we checked device ownership information and deployed the application based on those requirements.

 

In Part 4 we learned how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We enforced a password requirement and a minimum password length, as this is a common requirement for organizations. Now we will enable support for Windows 8.1 devices (both Windows RT 8.1 and Windows 8.1 Enterprise) to be managed via System Center 2012 R2 Configuration Manager integrated with Windows Intune. Configuration Manager adds to the application experience with Windows 8.1 modern UI apps through the new features listed below:

  • Windows 8.1 introduces the app bundle (or .appxbundle package) to help optimize the packaging and distribution of Windows Store apps and resource packages. Configuration Manager extends the existing Windows app package deployment type to recognize .appxbundle package files.
  • The create application wizard includes a new option that allows you to configure featured applications. These applications are displayed prominently in the company portal.
  • You can specify a privacy link for each application that users can review before they install the application.
  • You can configure an application to automatically open a VPN connection if a VPN profile has been configured. For more information, see VPN Profiles in Configuration Manager.

Step 1. Verify your CNAME DNS settings are working

In Step 3 of Part 1 you should have created a CNAME DNS entry for your public domain name that redirects EnterpriseEnrollment.yourpublicdomainname.com to manage.microsoft.com. The CNAME record is used as part of the enrollment process.

 

We will now do a couple of quick tests to verify that the redirection is working.

 

In a web browser, type in the following URL.

  • http://EnterpriseEnrollment.yourpublicdomainname.com

Replace yourpublicdomainname.com with your own public domain name. For example, if your public domain name is windowsintunenoob.com, then for the URL above use http://EnterpriseEnrollment.windowsintunenoob.com


If your CNAME DNS entry is working then the redirection will show something like the following:

 

enterpriseenrollment working cname in place.png

 

If the CNAME DNS entry hasn't taken effect yet, hasn't been created at all, or was created incorrectly, you'll see something like the below:

 

enterpriseenrollment not working no cname yet.png

 

If you don't have access to a web browser you can open a command prompt and ping EnterpriseEnrollment.yourpublicdomainname.com. It should return a result like the one below. Note the redirection to manage.microsoft.com. It is OK that the ping gets no reply, and the address may have nsatc.net attached to the end; that's a load balancing server.

 

ping test.png
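
The same check can be scripted. The PowerShell below is an added example, not part of the original guide: it queries the CNAME record directly and also reports the DiscoveryService registry override described at the end of this step, since a client carrying that override can enroll even when the CNAME is wrong. The function names are hypothetical and the default domain is the guide's placeholder.

```powershell
# Added example (not from the original guide).
# 'yourpublicdomainname.com' is the guide's placeholder; pass your own domain.
param(
    [string]$Domain         = 'yourpublicdomainname.com',
    [string]$ExpectedTarget = 'manage.microsoft.com'
)

function Test-EnrollmentCname {
    param([string]$Domain, [string]$ExpectedTarget)

    $name = "EnterpriseEnrollment.$Domain"
    try {
        # Ask for the CNAME record itself rather than following it to an address.
        $cname = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
            Where-Object { $_.Type -eq 'CNAME' } |
            Select-Object -First 1
    } catch {
        $cname = $null   # name does not resolve at all
    }

    # Normalise: DNS names are case-insensitive and may carry a trailing dot.
    $target = if ($cname) { $cname.NameHost.TrimEnd('.') } else { $null }

    [pscustomobject]@{
        Name    = $name
        Target  = $target
        Matches = ($null -ne $target) -and ($target -ieq $ExpectedTarget)
    }
}

function Get-MdmDiscoveryOverride {
    # Registry value from this guide; returns $null when it is not set.
    $key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $prop = Get-ItemProperty -Path $key -Name 'DiscoveryService' -ErrorAction SilentlyContinue
    if ($prop) { $prop.DiscoveryService } else { $null }
}

Test-EnrollmentCname -Domain $Domain -ExpectedTarget $ExpectedTarget | Format-List

$override = Get-MdmDiscoveryOverride
if ($override) {
    Write-Warning "DiscoveryService override is '$override'; enrollment on this client does not prove the CNAME works."
    if ($override -ine $ExpectedTarget) {
        Write-Warning "Override does not point to $ExpectedTarget."
    }
}
```
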

 

If you are testing and cannot change the CNAME settings, you can install a registry key on your Windows 8.1 client to help with the above redirection. The registry key is shown below:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"DiscoveryService"="manage.microsoft.com"

Step 2. Enable Windows RT, Windows RT 8.1, and Windows 8.1 Enrollment

In the Configuration Manager console browse to Cloud Services, select Windows Intune Subscriptions and right click on the previously created subscription, choose Properties.

 

windows intune subscription properties.png

 

Select the Windows tab and place a check mark in the box provided to Enable Windows Enrollment.

 

Enable Windows Enrollment.png

At this point, if you wish, you can click on Apply and OK; you'll then be able to enroll Windows 8.1 devices and can move to the next step. If, however, you want to deploy Windows Modern UI type applications (appx Metro apps...), you'll need to install an appropriate code-signing certificate by clicking on the browse button and selecting your code-signing certificate.

 

Note: To distribute line-of-business apps to Windows RT users, you must also ensure that the apps are signed with a certification authority that is trusted by the users’ devices. You can either obtain a non-Microsoft public certificate, or use a code-signing certificate from your organization’s certification authority. For information, see Acquire a Code Signing Certificate.

 

For Windows RT or Windows 8.1 devices, you can deploy line-of-business apps using a process known as sideloading, or you can deploy links to apps in the Windows Store (deeplinking).

 

Note: Although sideloaded applications do not have to be certified by the Windows Store or installed through the Windows Store, they can only be installed on sideloading-enabled devices. To enable a Windows RT device for sideloading, you must first obtain sideloading product activation keys. For information about how to obtain sideloading product activation keys, see Microsoft Volume Licensing.

 

Step 3. Enroll the device

 

Check the prerequisites of your Windows 8.x device here before continuing. In this step we will actually enroll the device with Windows Intune, which involves turning on the mobile device management capability in Windows 8.1.

 

Tip: To enable management, you do need to be a local administrator. Log on as a user that is a local administrator of the Windows 8.1 device (do not use the built-in Administrator account).

 

The method used to enroll the devices depends on which version of Windows you are using. If you are using:

  • Windows RT 8

Select Start, and type “System Configuration”, and click the dialog box to open the Company Apps. Enter your company credentials and the device will be enrolled.

 

Note: I don't have a Windows 8 RT device so cannot show that process, I hope everyone has upgraded to Windows RT 8.1 at this point and that process is shown below.

  • Windows RT 8.1, Windows 8.1 (workgroup joined, no Configuration Manager client installed)

Note: If you are trying to enroll a Windows 8.1 device, make sure it is workgroup joined (not joined to a domain, otherwise you won't see the MDM Turn On button) and that there is no Configuration Manager client installed.

 

Swipe in from the right and choose Settings

 

Settings.png

 

Click on Change PC Settings

 

Change PC Settings.png

 

Select Network

 

Network.png

 

Select Workplace and enter your company credentials, then click on Turn On (do not select Join.)

 

Turn on.png

 

It should say "Connecting to workplace...".

 

connecting to workplace.png

 

If it doesn't, and you get an error such as

 

Confirm that you are using the correct sign-in information and that your workplace uses this feature. Also the connection to your workplace might not be working at the moment. Please wait and try again.

 

then review the following and, more importantly, Step 1 above. Also verify that you are not logged on as the local administrator but as another account that has administrative permissions on this device. And in case you have not checked, double check that you have actually enabled Windows Enrollment in the Windows Intune Subscription in the Configuration Manager console.

 

Assuming all went OK, a Connecting to a service screen appears. Enter your password when prompted to do so and click on Sign In.

 

Connecting to a Service.png

 

You'll be prompted to accept an agreement. Place a checkmark in the I agree box and click on Turn On.

 

I agree.png

 

At this point your device is enrolled and the only option shown should be Turn Off (don't select that).

 

Tip: You can confirm a successful enrollment by checking Event Viewer and looking at the SystemSettings log (event ID 510 should say "Attempted to turn on workplace device management. Result is 0x0 ending at phase 3."). You can also check which certificates are installed: look at Trusted Root Certification Authorities, and if all went well you should see an SC_Online_Issuing certificate with an Intended Purpose of <All> in your certificate store, such as the one in the screenshot below:

 

 

SC_Online_Issuing.png
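
Both checks from the tip above can be collected in one pass, which also records the thumbprint of the root certificate that enrollment added to the device's trust store. This PowerShell is an added example, not part of the original guide. The function name is hypothetical, and two things are assumptions: the log is matched by wildcard because the guide gives only the name "SystemSettings", and both the machine and user root stores are searched because the guide does not say which one is used.

```powershell
# Added example (not from the original guide): collect enrollment evidence.
function Get-WorkplaceEnrollmentEvidence {
    # The guide names the log only as "SystemSettings", so match any channel
    # whose name contains that string instead of assuming a full channel path.
    $logs = Get-WinEvent -ListLog '*SystemSettings*' -ErrorAction SilentlyContinue

    $events = foreach ($log in $logs) {
        Get-WinEvent -FilterHashtable @{ LogName = $log.LogName; Id = 510 } `
            -MaxEvents 10 -ErrorAction SilentlyContinue
    }

    # Newest event 510, and whether it carries the success text quoted in the guide.
    $latest   = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1
    $turnedOn = ($null -ne $latest) -and ($latest.Message -match 'Result is 0x0')

    # Assumption: store location is not stated in the guide, so search both
    # root stores and de-duplicate by thumbprint.
    $certs = Get-ChildItem -Path 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root' |
        Where-Object { $_.Subject -like '*SC_Online_Issuing*' } |
        Sort-Object Thumbprint -Unique

    [pscustomobject]@{
        EnrollmentOk  = $turnedOn
        Event510Time  = if ($latest) { $latest.TimeCreated } else { $null }
        Event510Text  = if ($latest) { $latest.Message } else { $null }
        RootCertFound = (@($certs).Count -gt 0)
        # One line per certificate: subject, thumbprint, expiry.
        RootCerts     = @($certs | ForEach-Object {
            '{0} [{1}] expires {2:yyyy-MM-dd}' -f $_.Subject, $_.Thumbprint, $_.NotAfter
        })
    }
}

Get-WorkplaceEnrollmentEvidence | Format-List
```
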

 

 

Step 4. Install the Company Portal

Start the Windows Store and search for Company Portal

 

search for Company Portal in the Windows Store.png

 

Choose Install

 

The company portal was Installed.png

 

Once installed, start the application. You'll be prompted for your password; enter it and click on Sign In.

 

enter your credentials.png

 

The Company Portal should appear and any devices you have previously enrolled should be listed. In the screenshot below you can see both a Windows 8.1 device (workgroup joined, no Configuration Manager Client installed) called Hyperv-5 and a Windows RT 8.1 device.

 

company portal is loaded.png

 

Job done!

 

Until next time, adios.

 

Recommended Reading

Summary

In this post we've enabled support for Windows 8 RT, Windows RT 8.1 and Windows 8.1 devices by enabling the option in our Windows Intune Subscription within Configuration Manager 2012 R2. We've learned how to easily check if our CNAME DNS entry is working and seen the enrollment process in detail. In our next post we'll look at deploying applications to the company portal for users of Windows 8.x devices.

 

Continue on to Part 6.

 

Downloads

You can download a Microsoft Word copy of this guide here:

 

How can I manage modern devices in System Center 2012 R2 Configuration Manager Part 5 enabling support for Windows 8.1.zip
