It’s only been a year since Windows Server 2012 was released, but we already have a new version of the operating system incoming in the form of Windows Server 2012 R2.
While R2 releases usually don’t change things dramatically, there are still some new features and general polish to make it worthwhile. If you’ve got a few hundred hours to spare I can recommend streaming through both Build and TechEd sessions over on Channel9 to learn more 🙂
As per the usual marketing speak there’s no end to what the new release can do to empower businesses, enable visions, etc.
That’s all nice and dandy, but how about seeing if there’s something we can use?
Clearly there’s no need for me to cover everything, but I thought I’d look into the Workplace Join feature today, as it is clearly a feature intended for the mobile crowd. It currently supports iOS in addition to Windows 8.1. Windows 7 has been confirmed as a candidate for support after RTM. Android has an unknown status.
I spun up a couple of servers and configured them according to this guide: Workplace Join – Setting up the lab environment.
It takes some time to go through all the steps, but the explanations are clear enough that I’m not going to repeat them here. In short – after you have gone through the guide you will have a domain controller, an ADFS server, and a web app using claims. You can co-locate the DC and the ADFS server if you like, but it’s easier having the web app on a separate server. You don’t need to set up a client computer unless you’re doing everything on a closed network.
If you’ve ever played around with ADFS in Windows Server before you’ll probably have the feeling it hasn’t been updated for some time. It isn’t responsively designed in HTML5, so it doesn’t look good on mobile devices, and customizing it can be painful too. In R2 it has received some updates on the UI end (both web UI and server config), and some completely new settings.
What caught my eye was the way the Workplace Join feature works on the iPad. In Windows 8.1 there’s a setting in the control panel for doing a Workplace Join, but this isn’t available on iOS. To get going on an iPad (or iPhone if you like) you go to https://contoso.com/enrollmentserver/otaprofile and follow the steps:
What happens is that the ADFS server provides a profile for SCEP enrollment, and the iOS device will end up with a client certificate afterwards. If you’re familiar with using iOS devices with MDM platforms SCEP enrollments will be something you’ve encountered before. It’s important to note though that this enrollment does not provide MDM. It’s just for installing a client certificate. (Which is good because that means you can still use your MDM solution of choice without breaking anything.)
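Since the enrollment is supposed to deliver only a SCEP payload and no MDM payload, it is worth checking what the downloaded profile actually contains before trusting it on a device. Here is an added example (not from the post or from Microsoft) that parses an iOS configuration profile with Python’s plistlib and reports the payload types, the SCEP URL and the certificate subject; the profile below is a constructed sample with placeholder values, not one captured from ADFS.

```python
import plistlib

# Constructed sample of an iOS configuration profile that carries a single
# SCEP payload. All identifiers, the URL and the subject are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>example.workplacejoin.profile</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.scep</string>
      <key>PayloadIdentifier</key><string>example.workplacejoin.scep</string>
      <key>PayloadContent</key>
      <dict>
        <key>URL</key><string>https://scep.example.invalid/scep</string>
        <key>Subject</key>
        <array><array><array><string>CN</string><string>placeholder-device-id</string></array></array></array>
        <key>Keysize</key><integer>2048</integer>
      </dict>
    </dict>
  </array>
</dict>
</plist>
"""

MDM_PAYLOAD = "com.apple.mdm"            # presence would mean the device is being enrolled in MDM
SCEP_PAYLOAD = "com.apple.security.scep"  # certificate enrollment only


def inspect_profile(data):
    """Summarise a profile: payload types, whether an MDM payload is present,
    and for each SCEP payload the enrollment URL, subject and key size."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    scep = []
    for p in payloads:
        if p.get("PayloadType") != SCEP_PAYLOAD:
            continue
        content = p.get("PayloadContent", {})
        # Subject is a list of RDN sets, each a list of [type, value] pairs,
        # e.g. [[["CN", "placeholder-device-id"]]]
        rdn = ["=".join(pair) for rdn_set in content.get("Subject", []) for pair in rdn_set]
        scep.append({"url": content.get("URL"), "subject": ",".join(rdn),
                     "keysize": content.get("Keysize")})
    return {"payload_types": types, "has_mdm": MDM_PAYLOAD in types, "scep": scep}
```

On a real profile downloaded from the enrollment URL, `has_mdm` should be False and the subject is where the odd common name mentioned below shows up.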
The purpose of this exercise is to be able to do what plenty of companies want when users work on mobile devices – enable stronger and/or multi-factor authentication. If you’ve got an internal web app it’s now quite easy to configure it to require client certificates for access. (There are options for multiple configs depending on whether the app is accessed internally or externally, etc.)
I ran into what I can only assume are preview bugs, so it doesn’t actually work entirely like it should on the iPad, but I assume this will be fixed with RTM. I also ran into a snag when selecting client certs on the device, as evidenced in one of the screenshots above.
The common name of the certificate makes no sense at all, so I hope that can be changed to something like my username/email address.
I am aware that R2 has technically RTMed by the time you read this, but I built this lab before RTM, and it’s not like I have my hands on the RTM build yet either. But I think you’ll be able to piece it together once everything is finalized. (I used the iOS 7 beta as well, so I’m waiting for a final build there too.)