anyweb Posted May 15, 2014

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager.

In Part 2 we added Support for iOS devices (iPhone, iPad).

In Part 3 we learned the difference between App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or iPad operating system version. In addition we also checked device Ownership information and deployed the application based on those requirements.

In Part 4 we learned how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We enforced a Password requirement and enforced a minimum password length as this is a common requirement for organizations.

In Part 5 we enabled support for Windows 8.1 devices (both Windows RT 8.1 and Windows 8.1 Enterprise) so that they could be managed via System Center 2012 R2 Configuration Manager integrated with Windows Intune.

In Part 6 we deployed Windows 8.1 apps (appx) to Windows 8.1 devices.

In Part 7 we looked at how to make Windows 8.1 store apps available in the Company Portal and how to make them featured apps with their own categories.

In Part 8 we added support for Android and learned how to deploy mobile device settings to Android devices. We enforced a Password requirement and saw how to enable File encryption on Android devices and we used resource explorer to browse the phone properties and to see if the device was a Jailbroken or rooted device.

In Part 9 we learned how to deploy native APK (Android application package file) apps and how to deploy apps from Google Play.
We learned that Available deployments to Users work but Available deployments to devices fail and we saw how to make our deployed app a featured app within the Company Portal and with its own category.

In this part we will add support for Windows Phone 8 and we will do so using free trial software already signed from Microsoft. Unfortunately I do not have a Windows Phone (if anyone would like to send one to me to review please drop me a line) so I used a Windows Phone 8 emulator instead.

This guide assumes you want to test Windows Phone 8 support in Configuration Manager 2012 R2 with Intune Integration using the trial version of the Self Service Portal (SSP) and 3 sample apps. All of these are signed by Microsoft using the same cert (A-Datum), therefore no PFX is provided or needed with this trial. If however you want to manage these in Production then you'll need the proper certificates from Symantec and that process is well documented (see recommended reading at the end of this guide).

Step 1. Download and install the Support Tool for Windows Intune Trial Management of Window Phone 8

To add Windows Phone 8 platform support, you will need a Symantec Enterprise mobile code signing certificate which is available from Symantec at a cost of 300 USD. You will also need a Windows developers license (which costs approx 99 USD). However if you simply want to test this functionality in a lab (or pilot), you can use this trial software which contains a sample Self Service Platform (SSP) and three sample Windows Phone 8 applications and these are all signed by the same certificate from Microsoft (A. Datum).

The name of the file is WPTrial.MSI. When you run the msi you'll see the Welcome to the support tool for Windows Intune Trial Management of Windows Phone Setup Wizard.
Install it to the default folder which is

C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\

Browse to the Windows Phone 8 sample apps folder in

C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\Sample Apps

and copy those sample apps.

Copy those apps to your CM12 source folder, for example to \\cm12\sources\apps\xap like in the screenshot below.

Step 2. Copy the Windows Phone 8 Company portal app

The trial version of Windows Intune Company Portal for Windows Phone (SSP.xap) is available in the C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\SSP folder. This version is signed by Microsoft already with the A. Datum certificate so it's perfect for testing in a Lab.

Note: Do not use the trial version of SSP.XAP for Production use as it is signed with a test certificate (A. Datum) from Microsoft. Instead, download the SSP.XAP from Microsoft from here and sign that SSP.XAP file using the XapSignTool and your Symantec Certificate. If you are unsure which SSP.XAP file you have then check the Digital Certificate that it is signed with. The trial version of SSP.XAP is signed with an A. Datum certificate as are the sample apps provided with that download. This is ok for pilot use (lab) but not ok for Production. If you want to support Windows Phone 8 in production then you'll need to use the proper certificate from Symantec and you'll need to sign both your SSP.XAP with that and any apps you make available to your Windows Phone 8 users.

If you have your own cert, you can either run the AET generator from the WinPhone SDK on your own and then upload that, or you can just upload the PFX directly and we'll run the AET generator behind the scenes.

Copy the file named SSP.XAP to our sample XAP apps folder.

Step 3. Add the Windows Phone Company Portal

In the Configuration Manager console, browse to Applications, then Modern applications, Windows Phone 8, choose Create Application.

When the Create Application wizard appears select Windows Phone xap package from the drop down menu and select the SSP.xap file which you have copied to your application source folder (eg: \\cm12\sources\apps\xap\SSP.xap).

Continue through the wizard (and change the Name of the app to Windows Phone 8 Company Portal) until completion.

Step 4. Deploy the Company Portal to the Windows Intune Users collection

Right Click our newly created application and choose Deploy.

Select the Windows Intune Users collection.

On the Content Distribution screen click on Add and select Distribution Point from the drop down, then select Manage.Microsoft.com from the list of available distribution points.

Tip: Choose an Available deployment purpose as Windows Phone 8 does not support Apps being deployed with a Required Purpose.

Continue through that wizard until completion.

Step 5. Enable support for Windows Phone 8

Note: In this guide we are using the trial certificate from Microsoft and we'll allow that tool to Enable Windows Phone 8 support in our Windows Intune Integrated subscription within Configuration Manager 2012 R2. If you are enabling support for Windows Phone 8 in production, do not use the trial certificate or tools mentioned here, and instead add your certificate from Symantec in the options provided.

Using a command prompt browse to the support tools folder located here:

C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\Support Tools

In the command prompt, run the script ConfigureWP8Settings_Field.vbs in query mode to get the Windows Phone 8 Company Portal associated ScopeID.
To run the script in query mode do as follows:

cscript.exe ConfigureWP8Settings_Field.vbs CM12 QuerySSPModelName

as in the screenshot below.

Now we have the ScopeID and its value is listed below, your ScopeID will of course be different.

ScopeId_6181AC54-9218-4D8D-B5F4-306DCF019A19/Application_6f47e5b9-dfcf-42d7-b1fa-552ff9a0b855

Tip: If you add and remove the app for whatever reason you must run this process again as the ScopeID will change.

Next, we need to save our settings, to do this we run the Script in Save mode. To run the script in save mode do as follows:

cscript.exe ConfigureWP8Settings_Field.vbs CM12 SaveSettings ScopeId_6181AC54-9218-4D8D-B5F4-306DCF019A19/Application_6f47e5b9-dfcf-42d7-b1fa-552ff9a0b855

If everything was entered correctly and you encountered no issues you'll see output similar to the below screenshot. Note that the command prompt text scrolled off screen so I've stitched the output together and omitted some of the spurious output.

Step 6. Verify that Windows Phone 8 support is enabled

After completion of the steps above, you can verify that Windows Phone 8 device management has been automatically enabled by the process we just followed. In the Configuration Manager console, browse to Administration and expand Cloud Services, then right click on Windows Intune Subscriptions, choose Properties and select the Windows Phone 8 tab. You should see that it is now enabled, and that the PFX certificate is present, and the company portal app should be populated with the SSP app we selected above in Step 5.

Step 7. Start your Windows Phone 8 emulator

If you have a Windows Phone 8 phone then you can skip this step. I'll assume you've installed the Windows 8 SDK which includes the emulator, if not you can download it from here. I had Visual Studio 2013 installed and I opted to include the SDK when installing it.
To start the Windows Phone 8 emulator, start the Default Windows Phone Emulator Virtual Machine in Hyper-V and then open a Command Prompt in Administrator mode and issue the following commands:

cd "C:\Program Files (x86)\Microsoft XDE\8.0"

then

xde -vhd "C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Emulation\Images\Flash.vhd"

This should start your Windows Phone 8 emulator.

Step 8. Enroll Windows Phone 8

Move the start screen to the left and then scroll down to Settings and scroll the screen up until you see Company Apps.

Note: For Windows Phone 8.1 it's called Workplace instead of Company Apps.

Select that and click on Add Account.

Enter your credentials and click on Sign In.

If you enter your credentials correctly, it will tell you that your account was added. Click on Install and it will install the Company Portal (do not deselect the installation of the company portal).

Step 9. Verify enrollment in the Console

In the Configuration Manager console, browse to Device Collections, and check the All Mobile Devices collection. After updating membership you should see your Windows Phone 8 device appear and you should check the status of your Company Portal deployment. If it failed, then the first thing to check is what certificate the SSP.XAP tool was signed with (in this guide we are using the trial certificate called A. Datum).

A successful deployment is shown below.

Step 10. Use the Company Portal on a Windows Phone

On your Windows Phone go to apps and you should see the Company Portal listed. Click on it and you'll be prompted to log in and then you'll see the company portal showing whatever apps you've deployed to the Windows Phone 8, and you can browse the other devices and functionality of the Company Portal on the Windows phone.

Success!
Recommended Reading

Symantec Enterprise mobile code signing certificate - http://www.symantec.com/code-signing/windows-private-enterprise
Support Tool for Windows Intune Trial Management of Window Phone - http://www.microsoft.com/en-us/download/details.aspx?id=39079
Windows Intune Company Portal for Windows Phone - http://www.microsoft.com/en-ie/download/details.aspx?id=36060
Windows Phone Emulator for Windows Phone 8 - http://msdn.microsoft.com/en-us/library/windowsphone/develop/ff402563%28v=vs.105%29.aspx#BKMK_Installation
Managing Windows Phone 8 with Windows Intune includes handling of the Symantec Certificate - http://www.microsoft.com/en-us/download/details.aspx?id=36174
Technical Reference for Log Files in Configuration Manager - http://technet.micro...y/hh427342.aspx
How to Create and Deploy Applications for Mobile Devices in Configuration Manager - http://technet.micro...y/dn469410.aspx
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 1
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 2
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 3
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 4
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 5
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 6
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 7
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 8
CM12 in a Lab - How can I manage modern devices using System Center 2012 R2 Configuration Manager ? - Part 9

Summary

Adding support for Windows Phone 8 is a breeze but you need to be aware of the Certificate requirements when using the Configuration Manager 2012 R2 with Windows Intune Integration. You have two choices, use the trial software from Microsoft for your Lab (small pilot), or use the Enterprise certificate from Symantec for your production deployments and sign any of your Windows Phone 8 apps (.xap) and the SSP with the correct certificate from Symantec for production deployments.

Thanks to Cathy Moya for clarifying points with me in this guide.

Downloads

You can download a Microsoft Word copy of this guide here.

How can I manage modern devices using System Center 2012 R2 Configuration Manager Part 10.zip
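The two commands in Step 5 can be chained so that save mode always receives a freshly queried value, which matters because the ScopeID changes whenever the Company Portal app is removed and re-added. The script below is an added example, not part of the original post or of the Microsoft support tool; it assumes query mode prints the model name in the ScopeId_<GUID>/Application_<GUID> form shown in Step 5, and the parameter names `$SiteServer` and `$ToolDir` are illustrative.

```powershell
# Added example, not part of the original guide or the Microsoft support tool.
# Assumption: query mode prints the model name in the
# ScopeId_<GUID>/Application_<GUID> form shown in Step 5.
param(
    [string]$SiteServer = 'CM12',  # site server name used in the guide
    [string]$ToolDir = 'C:\Program Files (x86)\Microsoft\Support Tool for Windows Intune Trial management of Windows Phone\Support Tools'
)

$vbs = Join-Path $ToolDir 'ConfigureWP8Settings_Field.vbs'
if (-not (Test-Path -LiteralPath $vbs)) {
    throw "Support tool script not found: $vbs"
}

# Step 5, query mode: capture everything the script prints.
$queryOutput = & cscript.exe //NoLogo $vbs $SiteServer QuerySSPModelName 2>&1 | Out-String

# A GUID is 8-4-4-4-12 hex digits.
$guid    = '[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}'
$pattern = "ScopeId_$guid/Application_$guid"

$modelNames = @([regex]::Matches($queryOutput, $pattern) |
    ForEach-Object { $_.Value } |
    Sort-Object -Unique)

# Refuse to guess: zero matches means nothing usable was printed,
# more than one distinct match is ambiguous. Show the raw output and stop.
if ($modelNames.Count -ne 1) {
    Write-Host $queryOutput
    throw "Expected exactly one SSP model name, found $($modelNames.Count)."
}

$modelName = $modelNames[0]
Write-Host "Saving Windows Phone 8 settings for $modelName"

# Step 5, save mode: pass the freshly queried value instead of a pasted one.
& cscript.exe //NoLogo $vbs $SiteServer SaveSettings $modelName
if ($LASTEXITCODE -ne 0) {
    throw "cscript.exe exited with code $LASTEXITCODE"
}
```

Run it from an elevated PowerShell prompt on a machine with the support tool installed, then confirm the result on the Windows Phone 8 tab as described in Step 6.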
CypherBit Posted May 25, 2014

Thank you so much for the series, I'm considering implementing it in our company, but would appreciate a clarification.

If I only want to deploy our own certificates, Wifi and VPN profiles to Windows Phones, do I still need a Symantec certificate? What if I want to deploy only Windows Phone Store apps or perhaps only links to store apps (not sure that is possible), with no internal LOB apps which need to be sideloaded?

In short when do I need a Symantec certificate when dealing with Windows Phone?
anyweb Posted May 25, 2014

Hi there and thanks, good question.

I checked with Microsoft and they stated that the Windows Phone Software Development Kit mandates that the SSP (Self Service Portal) itself needs to be side loaded, and you can't sideload it without the Symantec certificate. So even if you don't intend deploying sideloading apps you need the SSP to manage the phone, so yes you need the Symantec Certificate. This is the current situation, it may change in the future and if it does I'll update you.

cheers
niall
CypherBit Posted May 26, 2014

Thanks, it doesn't make much sense esp. since it's the only platform that requires an additional investment, but what can we do.
Tony Huang Posted August 5, 2014

Hi, Thanks for Sharing!

I have a question in "Step 8. Enroll Windows Phone 8, Enter your credentials and click on Sign In", I don't know what kind of e-mail address I can type.

Windows Intune: Tony@Huangjh.onmicrosoft.com
anyweb Posted August 5, 2014

The username is as I've shown above, it's not an onmicrosoft.com account as you've set up dirsync as described in Part 1 here.
Tony Huang Posted August 6, 2014

The username that you have shown above (@windowsintunenoob.com), how can I get this e-mail address and sign in for Windows Phone?
anyweb Posted August 6, 2014

I mean use your own domain name, so for example @windowsintunenoob.com is a domain name I own, so if your domain name is @something.com then use a user for that domain (assuming you've carried out the steps I highlighted in Part 1 of this series).