Monday, 27 January 2014

MDM in SCCM 2012 R2 - Legacy Devices

Back to ConfigMgr main menu         
Back to MDM Menu

We previously discussed the devices that can be enrolled by ConfigMgr 2012 R2

Windows Phone 8
iOS 6.0 or later
Android 4.0 or later
Windows 8 RT, Windows 8.1 RT
Windows 8.1 non-domain joined.

You can use the Exchange Server Connector when you want to manage mobile devices that connect to Exchange Server (on-premises Exchange 2010 SP1 or later, or Exchange Online) using the Microsoft Exchange ActiveSync protocol and that you cannot enrol by using Configuration Manager.

When you manage mobile devices by using the Exchange Server connector, the Configuration Manager client is not installed on the mobile devices. Some management functions are therefore limited, e.g. you cannot install software or use configuration items.

ConfigMgr 2012 R2 also supports legacy management for Windows Mobile and Windows CE when you install the Configuration Manager mobile device legacy client (see the Legacy Client section below).

Exchange Server Connector

Navigate to Administration > Hierarchy Configuration.

See Exchange Server Connectors.

Right click and choose to "Add Exchange Server".

Specify the URL for your Exchange Client Access Server (CAS).

Specify the domain account that the connector uses to connect to Exchange. Note the permissions that are required - quite a few (the ConfigMgr documentation lists the Exchange cmdlets the account must be able to run). It is tempting to sidestep the list by making the account an Exchange organization administrator, but don't: the connector runs those cmdlets under a credential that ConfigMgr stores, and an account that can also export or delete mailboxes is a much bigger prize if that credential leaks. Grant only the listed cmdlets through an Exchange RBAC role group.
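As an added example (my own script, not from the original post or from Microsoft), here is a PowerShell check to run before creating the connector. Exchange remote PowerShell only exposes the cmdlets RBAC allows the connecting user to run, so connecting as the connector account and listing the visible commands shows its effective permission set. The CAS URL, the account name and the "red flag" list are assumptions; the required-cmdlet list is the one given in the ConfigMgr 2012 mobile device prerequisites documentation as I recall it, so check it against the current text. The account must have remote PowerShell enabled for this (and for the connector itself) to work.

```powershell
# Added example (not from the original post): confirm the Exchange Server connector
# account has exactly the cmdlets the connector needs, and nothing broader.
# Assumptions: the CAS URL, the account name and the red-flag list below.

$CasPowerShellUri = 'http://cas01.contoso.com/PowerShell/'   # assumed: your CAS
$ConnectorAccount = 'CONTOSO\svc-cmeas'                      # assumed: connector account

# Cmdlets the ConfigMgr prerequisites documentation lists for the connector account
# (verify against the current document before relying on this list).
$RequiredCmdlets = @(
    'Clear-ActiveSyncDevice', 'Get-ActiveSyncDevice', 'Get-ActiveSyncDeviceAccessRule',
    'Get-ActiveSyncDeviceStatistics', 'Get-ActiveSyncMailboxPolicy',
    'Get-ActiveSyncOrganizationSettings', 'Get-ExchangeServer', 'Get-Recipient',
    'Set-ADServerSettings', 'Set-ActiveSyncDeviceAccessRule', 'Set-ActiveSyncMailboxPolicy',
    'Set-CASMailbox', 'New-ActiveSyncDeviceAccessRule', 'New-ActiveSyncMailboxPolicy',
    'Remove-ActiveSyncDevice', 'Remove-ActiveSyncDeviceAccessRule', 'Remove-ActiveSyncMailboxPolicy'
)

# Cmdlets a mobile-device connector has no business having. If any of these are visible
# the account is over-privileged (e.g. it was dropped into Organization Management).
$RedFlagCmdlets = @('Remove-Mailbox', 'New-MailboxExportRequest', 'Add-MailboxPermission',
                    'Set-Mailbox', 'New-ManagementRoleAssignment', 'Add-RoleGroupMember')

$cred    = Get-Credential -UserName $ConnectorAccount -Message 'Connector account password'
$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri $CasPowerShellUri `
                         -Credential $cred -Authentication Kerberos
try {
    # RBAC filters Get-Command in the remote session to what this user may run,
    # so this list is the account's effective permission set.
    $visible = Invoke-Command -Session $session { Get-Command } |
               Select-Object -ExpandProperty Name

    $missing = @($RequiredCmdlets | Where-Object { $_ -notin $visible })
    $flagged = @($RedFlagCmdlets  | Where-Object { $_ -in    $visible })

    if ($missing.Count) { Write-Warning ('Missing cmdlets (connector will fail): ' + ($missing -join ', ')) }
    if ($flagged.Count) { Write-Warning ('Over-privileged; account can also run: ' + ($flagged -join ', ')) }
    if (-not $missing.Count -and -not $flagged.Count) {
        Write-Host 'Account has the required cmdlets and none of the red-flag cmdlets.'
    }
    'Total cmdlets visible to {0}: {1}' -f $ConnectorAccount, @($visible).Count
}
finally {
    Remove-PSSession $session
}
```

If the red-flag list is empty but the total count runs into the hundreds, the account is still almost certainly in a broader role group than it needs; a correctly scoped role group shows little beyond the required list plus the session's built-in cmdlets.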

Select the options you require.

Click Next. You can configure mobile device settings afterwards. Note that settings configured here will override settings that are configured in the Default Exchange ActiveSync mailbox policy.

Click Next to create the connector.

Close the wizard.

See new Exchange Server Connector.

Right click and "Synchronize Now".

Verify success and check for errors in the EasDisc.log file.

Devices can now be seen in the ConfigMgr console. Note the Exchange symbol confirming that the devices are being managed by the Exchange Connector.

Properties of a device. Note the Agent Name.

Legacy Client

ConfigMgr 2012 R2 supports legacy management for Windows Mobile and Windows CE when you install the Configuration Manager mobile device legacy client. Features for these mobile devices vary by platform and client type.

You must install the mobile device legacy client by using a package and program. This solution also requires PKI certificates, which must be issued and installed independently of ConfigMgr.

This solution supports:

Windows CE 5.0, 6.0 and 7.0
Windows Mobile 6.0 

Wednesday, 15 January 2014

MDM in SCCM 2012 R2 - Windows RT


In this section I will show how to "enable Windows enrollment" in our ConfigMgr 2012 R2/Windows Intune unified solution. Windows 8 RT and Windows 8.1 RT are supported.

(Note that you can now also use ConfigMgr 2012 R2/Windows Intune to manage Windows 8.1 devices that are not joined to the domain and do not have the Configuration Manager client installed).

It's very straightforward. Simply open the properties of the previously created Windows Intune Subscription. 

Check the box "Enable Windows enrollment". That's it. All done.

(Note that this includes Windows RT, Windows RT 8.1 and Windows 8.1 that are not domain-joined).

See the reference to sideloading keys and code-signing certificate. We don't have to worry about this at this time. You can enrol Windows RT devices without any further configuration. You can download the Windows Intune Company Portal App directly from the Windows Store.

Sideloading simply means installing a Windows Store app directly on the device, without publishing it in and downloading it from the Store. You might do this for a private line-of-business app that you don't want to publish through the public Windows Store.

All sideloaded apps must be signed with a code-signing certificate that the device trusts. You can develop your own sideloaded apps for testing purposes.
See here for the process:

OK, let's enrol a device. The section below is an extract from the TechNet Library.

For Windows RT, users start enrollment from the Windows RT device. The users must complete the following tasks:
  1. On the Windows RT device, users select Start, and type “System Configuration”, and click the dialog box to open the Company Apps.
  2. The users enter their company credentials and are authenticated. This establishes a relationship between the user, the Windows RT device, and the Windows Intune service.
  3. Windows Intune collects inventory and applies management settings. Users now have access to line-of-business apps and direct links to the app store through the company portal.
For Windows 8.1 and Windows RT 8.1, the user enrolls through the device.
  1. On the Windows 8.1 device, the user selects Settings, clicks PC Settings, then clicks Network, and finally, clicks Workplace.
  2. The user enters their user ID in the (ID) field.
  3. The user clicks Turn on and provides their password.
  4. The user agrees to the Allow apps and services from IT admin dialog box, and clicks Turn on.

The RT device can be seen in the ConfigMgr console.

Properties of the RT device.

MDM in SCCM 2012 R2 - iOS


Apple devices (iOS 6.0 or later) can also be managed using the ConfigMgr 2012 R2/Windows Intune Unified Mobile Device Management solution (iOS 5.0 can be managed with ConfigMgr 2012 SP1).

Managing iOS devices requires an APNs certificate (an Apple Push Notification service certificate issued to your organisation by Apple). It allows Windows Intune to reach your devices through the Apple Push Notification service; without a valid one, enrolled devices do not receive management commands. The certificate is valid for one year and must be renewed before it expires.

Navigate to Administration > Cloud Services.

Right click Windows Intune Subscriptions and select to "Create APN certificate request". 

Enter a path and appropriate file name for your Certificate Signing Request (CSR). Click Download to contact Windows Intune and retrieve the CSR.

Enter your Windows Intune credentials when requested. 

Download is complete.  Close the Window.

See CSR file.

Now you must log in to the Apple Push Notification Portal

It is recommended NOT to use IE for this part of the process. Use another browser (the opposite of what we found with the Symantec Enterprise Code Signing Certificate for Windows Phone 8) or you may have difficulty downloading the .pem file.

However, I will stick with IE and show you what to do when you encounter the problem.

Enter your Apple ID and password.

 Select "Create a Certificate".

Accept the "Terms of use".

Browse to your CSR and Upload.

You receive a notification that you can now download a file. If you were using an alternative browser you could download and save this file. However we need a .pem file to continue. We are presented with a .json file which is of no use to us. Cancel this download and log out of the Apple Portal.

Now log back in to the Apple Push Notification Portal

See your certificate is now available.  Select to Download the certificate.

Now see that you are prompted to download a .pem file. This is what we want. Save the file.

This is our APNs certificate.
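As an added example (my script, not part of the original post), it is worth inspecting the downloaded file before handing it to the subscription wizard: that it really is a PEM certificate and not the .json document the portal gives IE, who issued it, and when it expires. The file path is an assumption; everything else is plain .NET certificate handling.

```powershell
# Added example (not from the original post): sanity-check the APNs certificate file
# downloaded from the Apple Push Certificates Portal. Assumption: the path below.

function Test-ApnsCertificateFile {
    param([Parameter(Mandatory)][string]$Path)

    $bytes = [System.IO.File]::ReadAllBytes($Path)
    $head  = [System.Text.Encoding]::ASCII.GetString($bytes, 0, [Math]::Min(64, $bytes.Length)).TrimStart()

    # IE is handed a .json document instead of the certificate; catch that here
    # rather than letting the Windows Intune Subscription wizard fail later.
    if ($head.StartsWith('{')) {
        throw "'$Path' is a JSON document, not a certificate. Log back in to the portal and download the .pem."
    }
    if (-not $head.StartsWith('-----BEGIN CERTIFICATE-----')) {
        throw "'$Path' is not a PEM-encoded certificate (no BEGIN CERTIFICATE header)."
    }

    # X509Certificate2 accepts Base64/PEM input as well as DER.
    $cert     = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $Path
    $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays

    [pscustomobject]@{
        Subject    = $cert.Subject
        Issuer     = $cert.Issuer
        NotBefore  = $cert.NotBefore
        NotAfter   = $cert.NotAfter
        DaysLeft   = $daysLeft
        Thumbprint = $cert.Thumbprint
        # Apple MDM push certificates are valid for one year. Renew (from the same
        # Apple ID) before this reaches zero or enrolled iOS devices go quiet.
        RenewSoon  = ($daysLeft -lt 30)
    }
}

Test-ApnsCertificateFile -Path 'C:\Certs\APNs.pem'   # assumed path and file name
```

Record the Thumbprint and NotAfter somewhere your team will see them; the expiry is the single most common reason an iOS MDM integration stops working a year after it was set up.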

Now open the properties of our previously created Windows Intune Subscription. Check the box to enable iOS enrollment. Browse to locate your APN certificate and Apply.

You have now successfully enabled iOS enrollment. The path to your APN cert now disappears.

Now it's time to enrol a device. The Windows Intune Company Portal for iOS was released on Nov 19 2013. It is available for free download from the App Store.

On a device, search for the Windows Intune Company Portal in the App Store.

Open the app to download and install it.

Open the Portal.

Enter your email address (UPN) and domain password (as shown before with Windows Phone 8).

The company portal opens. See "My Devices". Your device will show an "information symbol - i". This means that the device is not enrolled. Click on the device and enrollment commences.

Select "Add Device". You are presented with information about granting administrative rights to your IT dept. Click "Add" to confirm.

You are prompted to install the Management Profile. Select Install.

Select "Install now".

 See progress.

You are prompted with another warning. Click Install to accept it and continue.

Device is now enrolled and will appear in ConfigMgr console.

It will receive its compliance policy shortly and the user will be forced to choose a PIN.

Example of device properties in ConfigMgr console.

Tuesday, 14 January 2014

MDM in SCCM 2012 R2 - Android


Support for Android devices begins with Android 2.3, but functionality is limited on the older versions. The Company Portal app for Android requires Android 4.0 or later, so in practice I always say that ConfigMgr supports Android 4.0 or later (not strictly accurate, but true in reality).
It is very straightforward to configure Android management support in ConfigMgr 2012 R2.

Open the Windows Intune Subscription Properties. Check the box to "Enable Android enrollment". That's it. All done.

Now enrol an Android device.

The Windows Intune Company Portal for Android was released on December 9, 2013. It is available for download from Google Play.

Search for the app.

Download and install the app.

Open the Company Portal.

Click to "Add this device". 

Log into Windows Intune using your email address (UPN) & password. Note your user account must be a member of the "Intune Users" ConfigMgr user collection that we previously created.

Select Activate.

The device is added and will be available in the ConfigMgr console.

MDM in SCCM 2012 R2 - Windows 8 Phone


This is a lengthy process and can be a little tricky. I've tried to be as detailed as possible so this is a long post. Note that it can take several days to get a Symantec Enterprise Code Signing Certificate. Be careful and try to get it right first time - it can be a lot of hassle otherwise.

(If you just want to trial this technology then you shouldn't spend the money required below - download the support tool for Windows Intune trial management of Windows Phone 8 instead.)

Note that management of Windows Phone through SCCM 2012 and Windows Intune is only supported on version 8. Previous versions can be managed by using the Exchange connector.

The basic steps are as follows:

1. Windows Developer Account
2. Symantec Enterprise Code Signing Certificate
3. Sign Company Portal
4. Enable Windows 8 Phone
5. Test Windows 8 Phone device

1. Windows Developer Account

The first step in this process is to sign up for a Windows Developer Account. Note that there is a cost associated with this.

You can sign up here

Scroll down

Select "Accept and Continue"

Sign in with your Microsoft account.

A security code is emailed to you. Enter the code to confirm the account.

Choose your region.

Make sure that you choose a Company account.

Enter your details where required (red asterisk).

Choose a "Publisher Display Name". This should be your company name (that can be verified).

Accept the Microsoft Terms and Conditions.

Review your order.

 Enter your credit card details.

Click Purchase to order the account.

You're told that "You're done!". This is not quite right. Note that you are told that Symantec will contact you on behalf of Microsoft to verify the account information.

Verify your account information. See "Validating your account". Click "Learn more" for details on this process. Also note your Symantec ID. You will require this later to purchase the Enterprise Code Signing Certificate.

 Read and understand the validation process.

Within 15 mins you should receive an email confirming your order. Your account is still not validated. This is a manual process: Symantec (on behalf of Microsoft) must contact you to verify that you actually placed this order.

Several hours later (5 in my case) you will receive this email from Symantec. It tells you that telephone verification is required and urges you to contact them via Live Chat (link is supplied). Surprisingly it is pretty easy to make contact via Live Chat. You will be answered very quickly and the Symantec rep will make arrangements to call you (notify your switchboard operator that you are expecting this call - they may think it's sales related).

Several hours after the call from Symantec (6 in my case) you will receive an email stating that your identity has been verified by Symantec.

Very soon after you get an email from Microsoft confirming that your Windows Developer account has been activated (Phew).

2. Symantec Enterprise Code Signing Certificate

Now we will request a Symantec Enterprise Code Signing Certificate. Note that there is a cost associated with this.

Symantec recommend that you use Internet Explorer to request the Code Signing Certificate - it seems that other browsers can give difficulties with the Private Key (I can verify that I previously had difficulty using Chrome but good success with IE10/Windows 7 combination).

You MUST use the same browser on the same computer to request the certificate and subsequently download it. The private key is generated on that computer when the request is made, and the certificate Symantec issues is only usable where that key exists. If you make a mess of this you will have to purchase a new certificate (although Symantec will refund you for the first one).

Follow this link

Enter your Symantec Publisher ID (from your Windows Developer Account). Also enter your email address.

Enter the required details (marked by red asterisk).

Accept the Symantec terms.

Accept the Microsoft terms  and click to "Submit Order".

Accept the warning.

Your order has been accepted and you are given an order number.

Very quickly you will receive an email from Symantec thanking you for your order.

You will receive another email from Symantec. Read the instructions and follow the link to approve the request.

Finally you receive the mail informing you that your request has been approved. It also gives you instructions on downloading and installing the certificates.

Sent: 13/12/2013 13:22
Subject: Your Enterprise Code Signing Certificate Has Been Approved
Congratulations!  Symantec has approved your request for an Enterprise Code Signing Certificate.
Note:  Your Enterprise certificate is issued by a private Microsoft Root and CA, and is not inherently trusted by your computer.  Please ensure that you install and trust the Root and CA certificates before installing your Enterprise certificate (newer Windows operating systems will not allow you to install your Enterprise certificate properly if the issuing chain is not already trusted).
STEP 1 – Install the Root certificate:
Click on the link below and install the Root certificate.  When prompted for where to install the certificate, select the option to “Place all certificates in the following store” (DO NOT accept the automatic default) and select the “Trusted Root Certification Authorities” store.
STEP 2 – Install the CA certificate:
Click on the link below and install the Intermediate certificate.  When prompted for where to install the certificate, select the option to “Place all certificates in the following store” (DO NOT accept the automatic default) and select the “Intermediate Certification Authorities” store.
STEP 3 – Install your Enterprise certificate:
Please use the pickup link below to install your certificate.  If using Windows 8 / IE 10 to pickup your certificate, please put your browser into "compatibility mode" first -- this is accomplished by clicking on the "ripped page" icon to the right of the URL.  Clicking the icon toggles this mode.
Also visit the Symantec Support Web site, where you will find a wide range of support tools to help you:
Best Regards,
Symantec Customer Support Hours of Operation: Mon - Fri 05:00 - 18:00 (PST) Email: Web: Phone: 1-877-438-8776 or 1-650-426-3400
Please see the following KB article for more information:


Download and install the Root Certificate (using the same browser and computer with which you made the request).

Save and install the certificate.

Choose the correct store - Trusted Root Certification Authorities.

Review the settings and Finish.

Accept the Warning.

Download and install the Intermediate Certificate (using the same browser and computer with which you made the request).

Save and install the cert.

Choose the correct store - Intermediate Certification Authorities.

Click to Finish the wizard.

Download and install the Enterprise Certificate (using the same browser and computer with which you made the request).

Configure browser settings for IE.

Follow the link in the email above (it will be specific to your request). The other links were general.

Accept the warning.

Confirmation that the Enterprise Certificate has been installed on your local PC.

Now we have to export the Enterprise Certificate so that we can use it in our ConfigMgr environment.

Open the Microsoft Management Console on your local PC (mmc). Select File > Add/Remove Snap-in.

Choose Certificates and select Add.

Choose "Computer account".

Choose "Local Computer".

Click OK to load the Certificates Snap-in.

Right click Certificates and choose "Find Certificates".

Type Symantec and click Find Now.

See the three installed certificates. Right click the Enterprise Certificate and choose to Export it.

Make sure that you export the private key.

Choose the .PFX format. Ensure that you "Include all certificates in the path".

You MUST password protect the file. Remember what it now contains: the private key of your enterprise code-signing certificate. Anyone who obtains the .PFX and its password can sign apps that your enrolled phones will trust, so treat it as you would any signing key - a strong password, a restricted location, and as few copies as possible.

Specify a path for the exported .PFX file.

Finish the wizard.

The export has been successful.
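As an added example (my script, not from the original post or from Symantec), check the exported .PFX before copying it anywhere: it should carry exactly one private key, the certificate should be usable for code signing, and the Microsoft root and intermediate from the Symantec mail should be present because we chose "Include all certificates in the certification path". The file path is an assumption, and the password is prompted for rather than typed on the command line.

```powershell
# Added example (not from the original post): verify the exported Enterprise
# Code Signing .PFX. Assumption: the path below; the password is prompted for.

function Test-EnterpriseSigningPfx {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][securestring]$Password
    )
    $plain = (New-Object System.Net.NetworkCredential('', $Password)).Password
    $coll  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection

    # DefaultKeySet: the private key goes into a temporary container and is not persisted
    # on this machine. A wrong password surfaces here as a CryptographicException.
    $coll.Import($Path, $plain,
        [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet)

    # The leaf is the one entry with a private key; the rest are the exported chain.
    $leaf  = @($coll | Where-Object { $_.HasPrivateKey })
    $chain = @($coll | Where-Object { -not $_.HasPrivateKey })

    if ($leaf.Count -eq 0) { throw "No certificate in '$Path' has a private key: re-export with 'Yes, export the private key'." }
    if ($leaf.Count -gt 1) { throw "More than one private key in '$Path': export only the Enterprise certificate." }
    $leaf = $leaf[0]

    # Enhanced Key Usage: Code Signing is OID 1.3.6.1.5.5.7.3.3.
    $ekuOids = @($leaf.Extensions |
        Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    [pscustomobject]@{
        Subject                = $leaf.Subject
        Issuer                 = $leaf.Issuer
        NotAfter               = $leaf.NotAfter
        DaysLeft               = [int]($leaf.NotAfter - (Get-Date)).TotalDays
        CodeSigningEku         = ($ekuOids -contains '1.3.6.1.5.5.7.3.3')   # expect True
        ChainCertsInPfx        = $chain.Count                               # expect 2: root + intermediate
        ChainSubjects          = @($chain | ForEach-Object { $_.Subject })
        SelfSignedRootIncluded = [bool]($chain | Where-Object { $_.Subject -eq $_.Issuer })
    }
}

$pw = Read-Host -Prompt 'PFX password' -AsSecureString
Test-EnterpriseSigningPfx -Path 'C:\Certs\Enterprise.pfx' -Password $pw   # assumed path
```

If ChainCertsInPfx is 0 the export skipped the chain and XapSignTool will still sign, but the phones have no way to build a path to the Microsoft root; re-export with the chain included rather than fixing it later.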

3. Sign Company Portal

Next step - we need to download the Windows Intune Company Portal for Windows Phone and sign it with the Enterprise Certificate that we created in step 2 above. Note that you carry out all these steps on your local PC (I used a Windows 8.1 PC).

Download Company Portal for Windows Phone here


Choose to download and save. Start the setup wizard.

Accept the Microsoft License Agreement.

Installation is complete.

Now download and install Windows Phone 8 SDK (Software Development Kit) and Visual Studio 2012.

Reboot may be required to enable HyperV.

Have a look in the Windows Kits folder. See signtool.exe. This is the tool for signing apps.

Have a look in the Windows Intune Company Portal folder. See SSP.xap. This is your Company Portal app.

Copy signtool.exe, SSP.xap and your .PFX certificate to the XapSignTool folder.

Now open an Administrator Command Prompt and navigate to XapSignTool folder under your Microsoft SDK folder in Program Files (x86).  

Issue the command
XapSignTool.exe Sign /f Nameofyourcertificate.pfx /p YourCertificatePassword SSP.XAP

Note that the certificate password is passed in clear text on the command line, so it is visible on screen and in the process command line while the tool runs. Run it from a console nobody else is watching, and don't reuse that password anywhere else.

Your Company Portal app (SSP.XAP) is now signed with your Enterprise Certificate.

See the properties of SSP.XAP.

4. Enable Windows 8 Phone

We have signed our Company Portal app and now must create a ConfigMgr application using our SSP.XAP file. 

Copy the SSP.XAP file to your ConfigMgr source folder. Keep the .PFX Enterprise Certificate somewhere restricted: it is only needed when you edit the Windows Intune Subscription properties below, not as application content, so it does not belong on a share that distribution points or other administrators can read.

Navigate to Software Library > Application Management. Right click Applications and choose to create one.

Choose "Windows Phone app package *.xap"

Browse to your SSP.XAP file.

The file is interrogated by ConfigMgr and application information is imported.

Change the name if you wish.

Click next to continue.

Click Close to end the wizard.

The "Windows Intune Company Portal for Windows 8 Phone" app has been created. 

Now, open the Windows Intune Subscription and choose to enable Windows Phone 8 enrollment. Select your .PFX Enterprise Certificate and the "Windows Intune Company Portal for Windows 8 Phone" app.

5. Test Windows 8 Phone device

You can now test with a Windows Phone 8 device. However I don't have one. Luckily the Windows Phone SDK (Visual Studio 2012) has an emulator that I can use.

Note that if I were using Windows 8 I could just continue here. However the Visual Studio 2012 emulator does not work with Windows 8.1. I need to install Visual Studio 2012 Update 4 first.

You can download it here

Download and install the VS update.

Launch Visual Studio 2012 (with update 4).

Select "New Project".

Choose Windows Phone.

Choose "Windows Phone OS 8.0".

Click on the green triangle to launch the emulator.

Scroll to the right.

Choose Settings.

Select "Company Apps".

Click "Add account"

Enter your email address (actually UPN - remember our AD configuration) and password. Note that you must be a member of the "Intune Users" ConfigMgr user collection.

Enter the server details

(If I previously created a DNS record for my domain to direct EnterpriseEnrollment to then I would not need this step).

The account is being configured.

The account is verified and successfully added to the device. Make sure that "Install company app or hub" is checked.

The device is enrolled - whew.

See Company Portal. Launch the Portal.

You are asked to sign in to Intune. Use your email address and password again.

See the Apps which have been deployed to this user.

Note that company policies will now apply and the user will be forced to choose a PIN code.

See enrolled device.

Device details.