If you’ve had a hankering for some MDM love on the Windows 8 platform, (Windows RT and Windows Phone 8 specifically), Christmas comes early from Microsoft who has upgraded their Windows Intune platform to support the aforementioned devices. (I realize that there might be a limited audience of people desperate to manage these devices as I don’t think there’s been any large scale deployments yet, but people are starting to ask about what’s happening in the MDM space for MSFT operating systems so it’s worth looking into nonetheless.)
Not much has been released publicly regarding the MDM capabilities of Windows RT & Windows Phone 8 so far other than some vague statements about an MDM API, and support in Windows Intune and System Center Configuration Manager 2012 SP1. (SP1 has RTMed and should go GA in a matter of a few weeks.) A couple of third-party MDM vendors have also announced support, but they haven’t shared all that many details either. So let’s do a quick tour of what we can do now that we have a tool available.
If you log in to Windows Intune (https://manage.microsoft.com) you’ll notice a couple of relevant menu items under "Administration"->"Mobile Device Management":
Notice that "Windows RT" and "Windows Phone 8" are two separate items although the code base is similar (we’ll delve further into this).
Step 1 is just a test to verify whether you have set up DNS correctly (the DNS work itself is not done in Windows Intune). For autodiscover purposes you will need to create a CNAME record for "enterpriseenrollment.yourdomain.com" which points to
Alternatively you can have your users enter the address manually if you don’t want the automated setup.
Step 2 is not required for MDM as such, but it is required if you want to install enterprise apps on your RT tablets. MSFT aren’t really all that happy to inform you where you can obtain these keys other than stating that you need one and redirecting you to some other page at TechNet/MSDN which brings you no further… I tried entering a Windows 8 volume license key and got no complaints doing so, but it might not be the correct approach. Who knows…
Step 3 is relevant if you’re doing your own apps and you might want to sign them with a certificate issued by your own organization. Export the certificate from your developer machine without the private key, and upload the .cer file.
The DNS name is the same test/setting as Windows RT. If you’ve got a CNAME setup for RT enrollment, this will be the same for Windows Phone 8.
There is no sideloading key needed as this license restriction is not present in Windows Phone. The technical requirement to sign the files is still present though. However, this is not the same certificate that you use for your "regular" Metro style apps. You need to have an enterprise developer account, and apply for a code signing certificate issued by Symantec to sign Windows Phone apps.
Another interesting detail regarding MDM and app distribution (on Windows RT) is that while they work nicely in tandem you don’t need to do both. You can deploy apps without MDM, and you can do MDM without deploying apps. Of course it seems logical that you don’t have to deploy apps, but it also means that you don’t have to bother with signing certificates if you know you’re not going to be using it.
For Windows Phone you don’t need to deploy a bunch of apps either, but you cannot enroll without the signing cert (more on that further down the page).
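Two small helper checks for the DNS step and the certificate step above, written as an added example for this post (not Microsoft's tooling or anything from the Intune console). It assumes POSIX sh with dig and openssl available; "yourdomain.com" and "devcert.pfx" are placeholders.

```shell
# Added example: sanity checks for the Intune MDM setup steps described above.
# Assumes POSIX sh, dig and openssl; domain and file names are placeholders.

# Normalise a CNAME target as dig prints it (trailing dot, mixed case) and
# compare it with the two enrollment hosts named in the post.
# Returns 0 on a match, 1 otherwise.
check_enrollment_target() {
    target=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    case "$target" in
        enterpriseenrollment.manage.microsoft.com) return 0 ;;
        enterpriseenrollment-s.manage.microsoft.com) return 0 ;;
        *) return 1 ;;
    esac
}

# Resolve the autodiscover alias for a domain and validate its target.
# Needs network access; e.g. check_enrollment_cname yourdomain.com
check_enrollment_cname() {
    domain=$1
    cname=$(dig +short CNAME "enterpriseenrollment.$domain" | head -n 1)
    [ -n "$cname" ] || { echo "no CNAME for enterpriseenrollment.$domain"; return 1; }
    check_enrollment_target "$cname" || { echo "unexpected target: $cname"; return 1; }
    echo "ok: enterpriseenrollment.$domain -> $cname"
}

# Turn a developer PFX into a DER .cer with the private key left out, which is
# the form the console asks for when uploading the signing certificate.
# e.g. export_public_cer devcert.pfx signing.cer
export_public_cer() {
    pfx=$1
    out=$2
    openssl pkcs12 -in "$pfx" -clcerts -nokeys \
        | openssl x509 -outform DER -out "$out" || return 1
    # Print the subject so you can confirm the right certificate was exported.
    openssl x509 -inform DER -in "$out" -noout -subject
}
```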
So, let’s try to enroll an RT device.
Settings for this policy are documented here:
And you’re done 🙂
There aren’t all that many settings to configure, but I suppose the basics are covered. Oh, and in case you’re wondering, the tool tip for the encryption setting states that Windows RT does not support encryption… (RT supports BitLocker so maybe it’ll be supported at a later time?)
And now we need to tap our fingers on our tablet to proceed.
For some reason I am prompted to provide the server address manually even though I know my autodiscover should be ok. (The admin console says to direct the alias to enterpriseenrollment.manage.microsoft.com, but the wizard points to enterpriseenrollment-s.manage.microsoft.com. I don’t know if this is a snafu on MSFT’s side or if it’s because I’m using an Office 365 account which is only partially redelegated.)
(It lists the "Unique Device ID" and "WiFi MAC" as well – I just removed those from the screenshot.)
But wipe isn’t supported for Windows RT yet…
While you might be left with the impression that you need to enroll before installing the portal app, this isn’t actually a requirement. You can easily install the app and sign in without the enrollment. Since I don’t have any apps uploaded I don’t know if there are any differences in behavior between a managed and an unmanaged device.
I tried to run through the same steps on the Windows Phone 8 emulator, (not having a real device in my hands right now), but as expected it doesn’t work. You need to acquire the code signing cert, and create a company portal that you upload to Intune to be able to complete the enrollment. MSFT has provided a sample portal you can use, but it’s unsigned so you still need that cert.
Download link: http://www.microsoft.com/en-us/download/details.aspx?id=36060
The whole company portal thing is a separate topic really, so I think I’ll leave that out of this article. It also ties in with other app-related features in the platforms which I also need to sort out.
I don’t know yet how this is actually implemented at the lower levels, but I expect other MDM platforms to announce their service packs and updates enabling this support in the near future. The RT bit seems pretty painless to me, but the Windows Phone part does require some extra effort because of the certificate and the need to sign the portal. Whether this means the Phone portal is more customizable than the RT one I don’t know. (Read: I don’t know which parts of the Metro app are hard-coded and which parts are just a customizable web view.)
It’s a start though, isn’t it? 🙂