Windows RT – MDM First Impressions

If you’ve had a hankering for some MDM love on the Windows 8 platform (Windows RT and Windows Phone 8 specifically), Christmas comes early from Microsoft, which has upgraded its Windows Intune platform to support the aforementioned devices. (I realize that there might be a limited audience of people desperate to manage these devices as I don’t think there’s been any large scale deployments yet, but people are starting to ask about what’s happening in the MDM space for MSFT operating systems so it’s worth looking into nonetheless.)

Not much has been released publicly regarding the MDM capabilities of Windows RT & Windows Phone 8 so far other than some vague statements about an MDM API, and support in Windows Intune and System Center Configuration Manager 2012 SP1. (SP1 has RTMed and should go GA in a matter of a few weeks.) A couple of third-party MDM vendors have also announced support, but they haven’t shared all that many details either. So let’s do a quick tour of what we can do now that we have a tool available.

If you log in to Windows Intune you’ll notice a couple of relevant menu items under "Administration"->"Mobile Device Management":

Notice that "Windows RT" and "Windows Phone 8" are two separate items although the code base is similar (we’ll delve further into this).

In addition there’s support for iOS and Exchange (in the form of an ActiveSync filter), and from what I can gather they’re working on Android support.

Opening up the Windows RT item we see the following options present themselves:

Step 1 is just a test to verify that you have set up DNS correctly (the record itself is created at your DNS provider, not in Windows Intune). For autodiscover purposes you will need to create a CNAME record for
"" which points to
Alternatively you can have your users enter the address manually if you don’t want the automated setup.

Step 2 is not required for MDM as such, but it is required if you want to sideload enterprise apps onto your RT tablets. MSFT aren’t really all that happy to inform you where you can obtain these sideloading keys other than stating that you need one and redirecting you to some other page at TechNet/MSDN which brings you no further… I tried entering a Windows 8 volume license key and got no complaints doing so, but it might not be the correct approach. Who knows…

Step 3 is relevant if you’re building your own apps and want to sign them with a certificate issued by your own organization. Export the certificate from your developer machine without the private key, and upload the .cer file. Only the public certificate needs to leave the developer machine; the private key should stay wherever the actual signing happens.
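As an added example (this is not code from the original post, nor anything Microsoft ships), the PowerShell below covers the two prerequisite checks a practitioner would want before enrolling anyone: for Step 1, confirming that the enrollment CNAME actually exists and points at the target the console asked for (and reporting a wrong target separately from a missing record); for Step 3, exporting only the public half of the code-signing certificate as a DER .cer and reading the file back to prove no private key went along. It uses the Windows 8 / Server 2012 cmdlets Resolve-DnsName and Export-Certificate. The host names, certificate subject and output path are placeholders, not the real Intune values.

```powershell
# Added example, not from the original post. Host names, subject and path are
# placeholders; substitute the values the Intune console shows you.
# Requires Windows 8 / Server 2012 PowerShell (Resolve-DnsName, Export-Certificate).

# Step 1: does the enrollment alias exist, and does it point where the console said?
function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)] [string] $Alias,          # enrollment host under your own domain
        [Parameter(Mandatory)] [string] $ExpectedTarget  # target the admin console told you to use
    )
    try {
        $records = Resolve-DnsName -Name $Alias -Type CNAME -DnsOnly -ErrorAction Stop
    } catch {
        return [pscustomobject]@{ Alias = $Alias; Status = 'Missing'; Target = $null }
    }
    # The query may also return A records for the target; keep only the CNAME itself.
    $cname = $records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        return [pscustomobject]@{ Alias = $Alias; Status = 'NotACname'; Target = $null }
    }
    # Trailing dots and letter case are not significant in DNS names.
    $actual = $cname.NameHost.TrimEnd('.')
    $status = if ($actual -ieq $ExpectedTarget.TrimEnd('.')) { 'OK' } else { 'WrongTarget' }
    [pscustomobject]@{ Alias = $Alias; Status = $status; Target = $actual }
}

# Step 3: export only the public part of the signing certificate as a DER .cer.
function Export-SigningCertPublicPart {
    param(
        [Parameter(Mandatory)] [string] $SubjectName,  # full subject, e.g. 'CN=Example LOB Signing'
        [Parameter(Mandatory)] [string] $OutFile       # .cer to upload to the Intune console
    )
    # -CodeSigningCert limits the search to certs with the code-signing EKU.
    $cert = Get-ChildItem Cert:\CurrentUser\My -CodeSigningCert |
            Where-Object { $_.Subject -eq $SubjectName } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    if (-not $cert) { throw "No code-signing certificate with subject '$SubjectName' in CurrentUser\My" }
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate '$SubjectName' expired on $($cert.NotAfter)" }

    # -Type CERT writes DER; this cmdlet never includes the private key.
    Export-Certificate -Cert $cert -FilePath $OutFile -Type CERT | Out-Null

    # Read the file back and check that nothing private left the machine
    # and that it really is the certificate we picked from the store.
    $exported = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $OutFile
    if ($exported.HasPrivateKey) { throw "Exported file unexpectedly contains a private key" }
    if ($exported.Thumbprint -ne $cert.Thumbprint) { throw "Exported file does not match the store certificate" }
    [pscustomobject]@{
        Thumbprint = $exported.Thumbprint
        Issuer     = $exported.Issuer
        NotAfter   = $exported.NotAfter
        File       = $OutFile
    }
}

# Usage with placeholder values:
Test-EnrollmentCname -Alias 'enroll.example.com' -ExpectedTarget 'mdm.example-service.net'
Export-SigningCertPublicPart -SubjectName 'CN=Example LOB Signing' -OutFile "$env:USERPROFILE\Desktop\lob-signing.cer"
```

A `WrongTarget` result from the first function is exactly the situation where the console and the enrollment wizard disagree about the alias target, so it is worth running from a client that uses the same resolvers your tablets will. The second function deliberately picks the newest unexpired certificate matching the subject, so a stale certificate left in the store does not get uploaded by accident.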

If we switch to taking a look at the Windows Phone 8 settings you’ll find there are some similarities, and some differences…

The DNS name is the same test/setting as Windows RT. If you’ve got a CNAME setup for RT enrollment, this will be the same for Windows Phone 8.

There is no sideloading key needed as this license restriction is not present in Windows Phone. The technical requirement to sign the files is still present though. However, this is not the same certificate that you use for your "regular" Metro style apps. You need to have an enterprise developer account, and apply for a code signing certificate issued by Symantec to sign Windows Phone apps.

Another interesting detail regarding MDM and app distribution (on Windows RT) is that while they work nicely in tandem you don’t need to do both. You can deploy apps without MDM, and you can do MDM without deploying apps. Of course it seems logical that you don’t have to deploy apps, but it also means that you don’t have to bother with signing certificates if you know you’re not going to be using them.

For Windows Phone you don’t need to deploy a bunch of apps either, but you cannot enroll without the signing cert (more on that further down the page).

So, let’s try to enroll an RT device.

You’ll need to create a policy first by switching to a different place in the UI:

Click on "Add Policy", and create a mobile device security policy (I’ll go with the recommended settings for the sake of the example):

Settings for this policy are documented here:

Assign it to a user group:

And you’re done 🙂

Note that you don’t select which type of device this policy applies to – it will apply to all mobile devices. But there are some settings in the policy that are unique to the individual platforms:

There aren’t all that many settings to configure, but I suppose the basics are covered. Oh, and in case you’re wondering, the tool tip for the encryption setting states that Windows RT does not support encryption… (RT supports BitLocker so maybe it’ll be supported at a later time?)

And now we need to tap our fingers on our tablet to proceed.

Open up the Control Panel and locate "System". Clicking "Company applications" should trigger the enrollment process.

For some reason I am prompted to provide the server address manually even though I know my autodiscover should be ok. (The admin console says to direct the alias to, but the wizard points to . I don’t know if this is a snafu on MSFT’s side or if it’s because I’m using an Office 365 account which is only partially redelegated.)

When I verify the details it goes through and I’m prompted to "Install the management application".

The link sends me to the Windows Store to download the "Company Portal".

Install, open it up, and you’ll need to sign in:

Supply your credentials:

And you’re in:

Once your device has been talking to the server it should list your device(s) in the portal too:

Returning to the Intune admin console you should be able to find your RT device under the "Groups" menu where you’ll be able to list inventory details.

(It lists the "Unique Device ID" and "WiFi MAC" as well – I just removed those from the screenshot.)


There’s a remove/wipe button in the UI as well which brings up a new dialog box:

But wipe isn’t supported for Windows RT yet…

In case you want to "pimp" the portal you can do that as well quite easily in the admin UI:

While you might be left with the impression that you need to enroll before installing the portal app, this isn’t actually a requirement. You can easily install the app and sign in without the enrollment. Since I don’t have any apps uploaded I don’t know whether there are any differences in behavior between a managed and an unmanaged device.

I tried to run through the same steps on the Windows Phone 8 emulator, (not having a real device in my hands right now), but as expected it doesn’t work. You need to acquire the code signing cert, and create a company portal that you upload to Intune to be able to complete the enrollment. MSFT has provided a sample portal you can use, but it’s unsigned so you still need that cert.
Download link:

The whole company portal thing is a separate topic really, so I think I’ll leave that out of this article. It also ties in with other app-related features in the platforms which I also need to sort out.

I don’t yet know the lower-level details of how this is actually implemented, but I expect other MDM platforms to announce their service packs and updates for enablement of this support in the near future. The RT bit seems pretty painless to me, but the Windows Phone part does require some extra effort because of the certificate and the need to sign the portal. Whether this means the Phone portal is more customizable than the RT one I don’t know. (Read: I don’t know which parts of the Metro app are hard-coded and which parts are just a customizable web view.)

It’s a start though, isn’t it? 🙂
