Jump to content


Unified Device Management with Configuration Manager 2012 R2 - Part 10. Adding Windows Phone 8 devices

Recommended Posts

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added Support for iOS devices (Iphone, iPad). In Part 3 we learned the difference between App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or Ipad operating system version, in addition we also checked device Ownership information and deployed the application based on those requirements.


In Part 4 we learned how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We enforced a Password requirement and enforced a minimum password length as this is a common requirement for organizations. In Part 5 we enabled support for Windows 8.1 devices (both Windows RT 8.1 and Windows 8.1 Enterprise) so that they could be managed via System Center 2012 R2 Configuration Manager integrated with Windows Intune. In Part 6 we deployed Windows 8.1 apps (appx) to Windows 8.1 devices. In Part 7 we looked at how to make Windows 8.1 store apps available in the Company Portal and how to make them featured apps with their own categories.


In Part 8 we added support for Android and learned how to deploy mobile device settings to Android devices. We enforced a Password requirement and saw how to enable File encryption on Android devices and we used resource explorer to browse the phone properties and to see if the device was a Jailbroken or rooted device. In Part 9 we learned how to deploy native APK (Android application package file) apps and how to deploy apps from Google Play. We learned that Available deployments to Users work but Available deployments to devices fail and we saw how to make our deployed app a featured app within the Company Portal and with it's own category.


In this part we will add support for Windows Phone 8 and we will do so using free trial software already signed from Microsoft. Unfortunately I do not have a Windows Phone (if anyone would like to send one to me to review please drop me a line) so I used a Windows Phone 8 emulator instead. This guide assumes you want to test Windows Phone 8 support in Configuration Manager 2012 R2 with Intune Integration using the trial version of the Self Service Portal (SSP) and 3 sample apps, all of these are signed by Microsoft using the same cert (A-Datum), therefore no PFX is provided or needed with this trial. If however you want to manage these in Production then you'll need the proper certificates from Symantec and that process is well documented (see recommended reading at the end of this guide).


windows noob in Windows Phone 8.png


Step 1. Download and install the Support Tool for Windows Intune Trial Management of Window Phone 8

To add Windows Phone 8 platform support, you will need a Symantec Enterprise mobile code signing certificate which is available from Symantec at a cost of 300 USD. You will also need a Windows developers license which costs approx 99 USD) .


However if you simply want to test this functionality in a lab (or pilot), you can use this trial software which contains a sample Self Service Platform (SSP) and three sample Windows Phone 8 applications and these are all signed by the same certificate from Microsoft (A. Datum). The name of the file is WPTrial.MSI. When you run the msi you'll see the Welcome to the support tool for Windows Intune Trial Management of Windows Phone Setup Wizard.


Welcome to the support tool for Windows Intune Trial Management of Windows Phone Setup Wizard.png


Install it to the default folder which is C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\


Installation Complete.png


Browse to the Windows Phone 8 sample apps folder in C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\Sample Apps and copy those sample apps


copy the Windows Phone sample apps.png


Copy those apps to your CM12 source folder for example to \\cm12\sources\apps\xap like in the screenshot below


sample apps in XAP folder.png


Step 2. Copy the Windows Phone 8 Company portal app

The trial version of Windows Intune Company Portal for Windows Phone (SSP.xap) is available in the C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\SSP folder. This version is signed by Microsoft already with the A. Datum certificate so it's perfect for testing in a Lab.


Note: Do not use the trial version of SSP.XAP for Production use as it is signed with a test certificate (A. Datum) from Microsoft. Instead, download the SSP.XAP from Microsoft from here and sign that SSP.XAP file using the XapSignTool and your Symantec Certificate. If you are unsure which SSP.XAP file you have then check the Digital Certificate that it is signed with. The trial version of SSP.XAP is signed with a A. Datum certificate as are the sample apps provided with that download. This is ok for pilot use (lab) but not ok for Production. If you want to support Windows Phone 8 in production then you'll need to use the proper certificate from Symantec and you'll need to sign both your SSP.XAP with that and any apps you make available to your Windows Phone 8 users. If you have your own cert, you can either run the AET generator from the WinPhone SDK on your own and then upload that, or you can just upload the PFX directly and we’ll run the AET generator behind the scenes.


The SSP app is included in the support tool for windows Intune Trial Management.png


Copy the file named SSP.XAP to our sample XAP apps folder.


SSP copied.png


Step 3. Add the Windows Phone Company Portal

In the Configuration Manager console, browse to Applications, then Modern applications, Windows Phone 8, choose Create Application


Create Application.png


When the Create Application wizard appears select Windows Phone xap package from the drop down menu and select the SSP.xap file which you have copied to your application source folder (eg: \\cm12\sources\apps\xap\SSP.xap)


automatically detect information about this application from installation files.png


Continue through the wizard (and change the Name of the app to Windows Phone 8 Company Portal) until completion


the create application wizard completed successfully.png


Step 4. Deploy the Company Portal to the Windows Intune Users collection

Right Click our newly created application and choose Deploy.


Deploy Windows Phone 8 Company Portal.png


select the Windows Intune Users collection


Windows Intune Users collection.png


On the Content Distribution screen click on Add and select Distribution Point from the drop down, then select Manage.Microsoft.com from the list of available distribution points


add the cloud dp.png


Tip: Choose an Available deployment purpose as Windows Phone 8 does not support Apps being deployed with a Required Purpose.


Continue through that wizard until completion.


deploy wizard completed succesfully.png


Step 5. Enable support for Windows Phone 8

Note: In this guide we are using the trial certificate from Microsoft and we'll allow that tool to Enable Windows Phone 8 support in our Windows Intune Integrated subscription within Configuration Manager 2012 R2. If you are enabling support for Windows Phone 8 in production, do not use the trial certificate or tools mentioned here, and instead add your certificate from Symantec in the options provided.


Using a command prompt browse to the support tools folder located here C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\Support Tools.


In the command prompt, run the script ConfigureWP8Settings_Field.vbs in query mode to get the Windows Phone 8 Company Portal associated ScopeID.


To run the script in query mode do as follows:

cscript.exe ConfigureWP8Settings_Field.vbs CM12 QuerySSPModelName

as in the screenshot below




Now we have the ScopeID and it's value is listed below, your ScopeID will of course be different.




Tip: If you add and remove the app for whatever reason you must run this process again as the ScopeID will change.


Next, we need to save our settings, to do this we run the Script in Save mode.


To run the script in save mode do as follows:

cscript.exe ConfigureWP8Settings_Field.vbs CM12 SaveSettings ScopeId_6181AC54-9218-4D8D-B5F4-306DCF019A19/Application_6f47e5b9-dfcf-42d7-b1fa-552ff9a0b855

If everything was entered correctly and you encountered no issues you'll see output similar to the below screenshot, note that the command prompt text scrolled off screen so I've stitched the output together and omitted some of the spurious output.


SaveSettings new.png


Step 6. Verify that Windows Phone 8 support is enabled


After completion of the steps above, you can verify that Windows Phone 8 device management has been automatically enabled by the process we just followed. In the Configuration Manager console, browse to Administration and expand Cloud Services, then right click on Windows Intune Subscriptions, choose Properties and select the Windows Phone 8 tab, you should see that it is now enabled, and that the PFX certificate is present, and the company portal app should be populated with the SSP app we selected above in Step 5.


Windows Phone 8 enabled.png


Step 7. Start your Windows Phone 8 emulator

If you have a Windows Phone 8 phone then you can skip this step.


I'll assume you've installed the Windows 8 SDK which includes the emulator if not you can download it from here. I had Visual Studio 2013 installed and I opted to include the SDK when installing it. To start the Windows Phone 8 emulator, start the Default Windows Phone Emulator Virtual Machine in HyperV and then open a Command Prompt in Administrator mode and issue the following commands:

cd "C:\Program Files (x86)\Microsoft XDE\8.0”. 


xde -vhd "C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Emulation\Images\Flash.vhd"

This should start your Windows Phone 8 emulator


Windows Phone 8.png


Step 8. Enroll Windows Phone 8


Move the start screen to the left and then scroll down to Settings




and scroll the screen up until you see Company Apps


Note: For Windows Phone 8.1 it's called Workplace instead of Company Apps.


Company Apps.png


Select that and click on Add Account


Add Account.png


Enter your credentials and click on Sign In


Sign In.png


if you enter your credentials correctly, it will tell you that your account was added


Account Added.png


and click on Install and it will install the Company Portal (do not deselect the installation of the comany portal).


Step 9. Verify enrollment in the Console

In the Configuration Manager console, browse to Device Collections, and check the All Mobile Devices collection, after updating membership you should see your Windows Phone 8 device appear


Windows Phone 8 enrolled and in console.png


and you should check the status of your Company Portal deployment, if it failed, then the first thing to check is what certificate the SSP.XAP tool was signed with (in this guide we are using the trial certificate called A. Datum). A successful deployment is shown below.


successful deployment.png


Step 10. Use the Company Portal on a Windows Phone

On your Windows Phone go to apps and you should see the Company Portal listed.


Company Portal installed.png


Click on it and you'll be prompted to login


Company Portal login.png


and then you'll see the company portal showing whatever apps you've deployed to the Windows Phone 8.


company portal showing apps.png


and you can browse the other devices and functionality of the Company Portal on the Windows phone.


windowsintunenoob on windows phone 8.png


Success !



Recommended Reading


Adding support for Windows Phone 8 is a breeze but you need to be aware of the Certificate requirements when using the Configuration Manager 2012 R2 with Windows Intune Integration. You have two choices, use the trial software from Microsoft for your Lab (small pilot), or use the Enterprise certificate from Symantec for your production deployments and sign any of your Windows Phone 8 apps (.xap) and the SSP with the correct certificate from Symantec for production deployments. Thanks to Cathy Moya for clarifying points with me in this guide.



You can download a Microsoft Word copy of this guide here. How can I manage modern devices using System Center 2012 R2 Configuration Manager Part 10.zip

Share this post

Link to post
Share on other sites

Thank you so much for the series, I'm considering implementing it in our company, but would appreciate a clarification. If I only want to deploy our own certificates, Wifi and VPN profiles to Windows Phones, do I still need a Symantec certificate? What if I want to deploy only Windows Phone Store apps or perhaps only links to store apps (not sure that is possible), with no internal LOB apps which need to be sideloaded? In short when do I need a Symantec certificate when dealing with Windows Phone?

Share this post

Link to post
Share on other sites

hi there and thanks, good question I checked with Microsoft and they stated that the Windows Phone Software Development Kit mandates that the SSP (Self Service Portal) itself needs to be side loaded, and you can’t sideload it without the Symantec certificate. So even if you don't intend deploying sideloading apps you need the SSP to manage the phone, so yes you need the Symantec Certificate, this is the current situation, it may change in the future and if it does i'll update you




Share this post

Link to post
Share on other sites

Hi, Thanks for Sharing! I have an question in "Step 8. Enroll Windows Phone 8,Enter your credentials and click on Sign In" , I don't know what kind of e-mail address I can type.

Windows Intune:Tony@Huangjh.onmicrosoft.com

Share this post

Link to post
Share on other sites

the username is as I've shown above, it's not an onmicrosoft.com account as you've setup dirsync as described in Part 1 here

Share this post

Link to post
Share on other sites

i mean use your own domain name, so for example @windowsintunenoob.com is a domain name i own, so if your domain name is @something.com then use a user for that domain (assuming you've carried out the steps I highlighted in Part 1 of this series)

Share this post

Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.


  • Create New...