Windows Server 2012 R2 – Workplace Join from Mobile Devices

It’s only been a year since Windows Server 2012 was released, but we already have a new version of the operating system incoming in the form of Windows Server 2012 R2.

While R2 releases usually don’t change things dramatically, there are still some new features and general polish to make it worthwhile. If you’ve got a few hundred hours to spare I can recommend streaming through both the Build and TechEd sessions over on Channel9 to learn more 🙂

As per the usual marketing speak there’s no end to what the new release can do to empower businesses, enable visions, etc.

That’s all nice and dandy, but how about seeing if there’s something we can use?

Clearly there’s no need for me to cover everything, but I thought I’d look into the Workplace Join feature today, as it is clearly a feature intended for the mobile crowd. It currently supports iOS in addition to Windows 8.1. Windows 7 has been confirmed as a candidate for support after RTM. Android has an unknown status.

I spun up a couple of servers and configured them according to this guide:
Workplace Join – Setting up the lab environment:
http://technet.microsoft.com/en-us/library/dn280939.aspx

It takes some time to go through all the steps, but the explanations are clear enough that I’m not going to repeat them here. In short – after you have gone through the guide you will have a domain controller, an ADFS server, and a web app using claims. You can co-locate the DC and the ADFS server if you like, but it’s easier having the web app on a separate server. You don’t need to set up a client computer unless you’re doing everything on a closed network.

If you’ve ever played around with ADFS in Windows Server before you’ll probably have the feeling it hasn’t been updated for some time. It isn’t built as responsive HTML5, so it doesn’t look good on mobile devices, and customizing it can be painful too. In R2 it has received some updates on the UI end (both web UI and server config), and some completely new settings.

What caught my eye was the way the "Workplace Join" feature worked on the iPad. In Windows 8.1 there’s a setting in the control panel for doing a Workplace Join, but this isn’t available on iOS. To get going on an iPad (or iPhone if you like) you go to https://contoso.com/enrollmentserver/otaprofile and follow the steps:
[Screenshots WJ_iOS_01 to WJ_iOS_05: the Workplace Join enrollment steps on iOS]

What happens is that the ADFS server provides a profile for SCEP enrollment, and the iOS device will end up with a client certificate afterwards. If you’re familiar with using iOS devices with MDM platforms SCEP enrollments will be something you’ve encountered before. It’s important to note though that this enrollment does not provide MDM. It’s just for installing a client certificate. (Which is good because that means you can still use your MDM solution of choice without breaking anything.)

The purpose of this exercise is to be able to do what plenty of companies want when users work on mobile devices – enable stronger and/or multi-factor authentication. If you’ve got an internal web app it’s now quite easy to configure it to require client certificates for access. (There are options for multiple configs depending on whether the app is accessed internally or externally, etc.)

So, if we configure the settings like this on the ADFS server:
(Authentication Policies->Primary Authentication->Global Settings->Edit)
[Screenshots ADFS_MFA_01 and ADFS_MFA_02: the ADFS global primary authentication settings]
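The same global authentication policy can be set from PowerShell instead of the dialog. The script below is an added example and is not from the original post or the TechNet guide; it assumes the ADFS PowerShell module that ships with Windows Server 2012 R2, an elevated session on the ADFS server, and that the screenshots above show certificate authentication selected for extranet access with device authentication enabled (the exact checkboxes in the screenshots are not visible here, so that mapping is an assumption). It records the weak default beside the hardened policy so the change can be reviewed or reverted.

```powershell
# Added example (not from the post): the ADFS global authentication policy that the
# "Authentication Policies -> Primary Authentication -> Global Settings -> Edit"
# dialog writes, expressed with the ADFS cmdlets in Windows Server 2012 R2.
Import-Module ADFS

# Capture the policy before changing it so the change can be reviewed or reverted.
$before = Get-AdfsGlobalAuthenticationPolicy
$before | Format-List PrimaryIntranetAuthenticationProvider, `
                      PrimaryExtranetAuthenticationProvider, `
                      DeviceAuthenticationEnabled, `
                      AdditionalAuthenticationProvider

# Weak baseline, what a fresh install typically shows:
#   PrimaryExtranetAuthenticationProvider : {FormsAuthentication}
#   DeviceAuthenticationEnabled           : False
# i.e. a username/password form is enough from anywhere on the Internet.

# Option A: require the client certificate as the *primary* method from outside.
#  - inside the network, integrated Windows auth or forms remain available;
#  - from the extranet, only the certificate that the Workplace Join (SCEP)
#    enrollment installed on the device is accepted;
#  - device authentication is enabled so device-registration claims are issued.
Set-AdfsGlobalAuthenticationPolicy `
    -PrimaryIntranetAuthenticationProvider @('WindowsAuthentication', 'FormsAuthentication') `
    -PrimaryExtranetAuthenticationProvider @('CertificateAuthentication') `
    -DeviceAuthenticationEnabled $true

# Option B (run instead of A if users must keep forms sign-in): keep forms as
# the primary method and add the certificate as a second factor for every
# request that does not carry the insidecorporatenetwork=true claim.
$useSecondFactorInstead = $false   # assumption: pick one option for the lab
if ($useSecondFactorInstead) {
    Set-AdfsGlobalAuthenticationPolicy `
        -PrimaryExtranetAuthenticationProvider @('FormsAuthentication') `
        -DeviceAuthenticationEnabled $true `
        -AdditionalAuthenticationProvider 'CertificateAuthentication'
    Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules @'
c:[type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", value == "false"]
 => issue(type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod",
          value = "http://schemas.microsoft.com/claims/multipleauthn");
'@
}

# Verify the resulting policy. Expected behaviour afterwards: a desktop browser
# without an enrolled certificate is refused from the extranet (option A) or
# asked for a second factor it cannot supply (option B), while an enrolled iPad
# is prompted to present its client certificate.
Get-AdfsGlobalAuthenticationPolicy |
    Format-List *AuthenticationProvider*, DeviceAuthenticationEnabled
```

Per-relying-party overrides (the "internal vs. external" configs the post mentions) live on the relying party trust rather than in the global policy, so a single intranet-only app can keep forms authentication while the global default demands the certificate from outside.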

And try to access the web app from a desktop browser (which has not enrolled for a client certificate), it looks like this:
[Screenshots IE_with_MFA_01 and IE_with_MFA_02: the sign-in attempt from a desktop browser without a client certificate]

Whereas accessing it from an iPad should look similar to this:
[Screenshots iOS_ClientCert_01 to iOS_ClientCert_05: accessing the web app from the iPad and selecting the client certificate]

I ran into what I can only assume are preview bugs, so it doesn’t actually work entirely like it should on the iPad, but I assume this will be fixed with RTM. I also ran into a snag when selecting client certs on the device, as evidenced in one of the screenshots above.

The common name of the certificate makes no sense at all, so I hope that can be changed to something like my username/email address.

I am aware that R2 has technically RTMed when you read this, but I built this lab before RTM, and it’s not like I have my hands on the RTM build yet either. But I think you’ll be able to piece it together once everything is finalized. (I used iOS 7 beta as well so I’m waiting for a final build there as well.)

7 thoughts on “Windows Server 2012 R2 – Workplace Join from Mobile Devices”

  1. The Workplace Join feature is part of the 8.1/R2 wave so it’s not available in the current version of Windows Phone 8. MSFT are gearing up for new releases of Windows Phone of course, so they might include it in a similar fashion at a later point in time.

    The feature is also related to the device enrollment feature in Windows 8.1 which brings the same kind of device management as Windows Phone. (Think OMA DM and SyncML.) So, when RTM becomes available I’ll be exploring it closer. (The preview bits haven’t worked out for me for MDM.)

    In the meantime one might be able to enroll for certificates through MDM. It is not covered by the CSPs for the OMA DM part, but maybe it works by using the “old school” approach from the Windows Mobile days that I used in my DojoCert utility. I haven’t tested it though.

  2. Hi,
    I cannot join my workgroup.
    I set up 3 VMs: DC, ADFS, web server.
    It doesn’t work successfully….
    Do you have the SOP for workgroup join?
    Thanks for your help.
    :DD

  3. Workplace Join is successfully configured and it is working, but I am not able to enable the MDM… there are not even any entries in the event logs regarding turning on MDM…

  4. Workplace join and MDM are separate features although Microsoft hasn’t really made that clear in the interface of Windows 8.1.

    Workplace Join can be enabled just by “tweaking” Windows Server 2012 R2, but MDM requires a separate server/component not included in Windows Server to handle enrollment.

  5. If we are just fine with forms based authentication, do we still need certificates to be installed on the devices? (assuming we have other mechanisms to authenticate the devices.)

    Is it possible to just connect with a mobile browser and access intranet applications by providing forms based authentication without workplace join?

  6. The certificates are an additional factor, but if you don’t need that forms based is ok.

    You will need network level access to an intranet like VPN if you’re not publishing it through a reverse proxy.

    Currently Workplace Join isn’t necessarily an optimal experience. There is, however, a lot happening in Azure, both with a cloud-based join and the ability to proxy through Azure AD with pre-auth, so if you’re into testing that might be something you could look into.
