Windows 8.1 has gone gold, or RTM as the more official term is, and while GA is a month away it has at least become available through TechNet and MSDN. The whole Start-button debacle has possibly garnered most of the attention even if Microsoft is trying to focus primarily on other features of the upgrade. A new feature that hasn’t really been talked about a lot is the inclusion of Mobile Device Management (MDM).
Granted, most consumers don’t care about MDM, so I can understand that. But some of us care, and I’m one of them 🙂
About six months ago I covered MDM in Windows Phone 8:
You might want to skim through that article as most of the things there apply to Windows 8.1 as well. The underlying protocol is OMA DM here as well, and the enrollment part of it is basically the same. There are a couple of differences to be aware of though, so I thought I’d walk through a couple of those.
Now some of you might be wondering where MDM fits into the picture, since we’ve had management of Windows clients for a long time, both with System Center Configuration Manager (and SMS before that) as a first-party product, and with third-party products like Sybase Afaria and a dozen others. If you have invested in an SCCM infrastructure I don’t suggest you throw that out just because MDM has arrived on the scene. It will still work with Windows 8.1. The purpose of supporting OMA DM is to solve bring-your-own-device scenarios. If the employee owns the device, and it’s not joined to your domain, SCCM isn’t necessarily the weapon of choice.
MDM support in Windows 8.1 solves the scenarios where the device needs to be managed, but in a non-intrusive and "scaled-down" version. Sure, that means less support for advanced scenarios, but it wasn’t designed for that either.
As I said, there are some differences between the enrollment server for Windows Phone 8 and Windows 8.1, but most of those are details like what the SOAP messages and XML passed back and forth look like. Do note that while Windows Phone 8 will let you run through the process with a certificate issued by a non-trusted root CA, that is not the case for the 8.1 agent. (You can of course install the root CA cert quite easily so it’s less of an issue, but the agent will not prompt you during the enrollment process to accept the untrusted root.) I’d recommend getting a certificate from a trusted root for both device types, but often when I’m doing development I’m using my own CA or going with self-signed if I can get away with it.
For Windows Phone it is recommended to keep the server at the FQDN specified by autodiscovery, and if you use some other address you will get to enter the correct address manually. For Windows 8.1 you need the specific DNS entry present – it will not prompt you to provide a different address and will simply fail if DNS is not configured to its liking. (You have the option of editing your hosts file for dev purposes, which isn’t an option on the phone bits.)
The authentication part is also different as it’s browser-based, and you can do things like passive federation, signing in with Google/Facebook/whatnot, whereas the phone enrollment does not allow for such scenarios.
These details are not deal-breakers if you’ve got an enrollment server developed already, but it does mean you can’t use your existing enrollment server without some minor tweaks.
The email address will be used to compose the FQDN where an enrollment server is expected to be found. (So "user@contoso.com" as the email address means there must be something listening at https://enterpriseenrollment.contoso.com.) The "Join" button refers to the Workplace Join feature I touched on here:
Windows 8.1 does not enforce or provide any means of authentication. This is entirely up to the provider of the MDM solution to determine.
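Since the 8.1 agent gives you no second chance on either the DNS name or the certificate chain, it is worth checking both before handing a device to a user. The script below is an added example, not code from the original post or from Microsoft: it derives the enterpriseenrollment hostname from the domain part of the e-mail address as described above, checks that the name resolves (and flags a hosts-file override, which is fine on a dev box but should not be how a pilot runs), then opens a TLS connection and validates the server certificate against the machine's root store the way the agent would. The function names and the sample address `user@contoso.com` are my own and not part of the page.

```powershell
# Added example (not from the original post). Pre-flight check for a Windows 8.1 MDM
# enrollment endpoint. Assumes the autodiscovery convention in the post: the agent
# takes the domain part of the e-mail address and expects HTTPS on
# enterpriseenrollment.<domain>. Function names and sample values are constructed.

function Get-EnrollmentHost {
    param([Parameter(Mandatory)][string]$EmailAddress)
    # Only the domain part matters; reject anything that is not user@domain
    $parts = $EmailAddress.Split('@')
    if ($parts.Count -ne 2 -or [string]::IsNullOrWhiteSpace($parts[1])) {
        throw "Not a valid e-mail address: $EmailAddress"
    }
    return "enterpriseenrollment.$($parts[1].Trim().ToLowerInvariant())"
}

function Test-EnrollmentEndpoint {
    param([Parameter(Mandatory)][string]$EmailAddress, [int]$Port = 443)
    $hostName = Get-EnrollmentHost -EmailAddress $EmailAddress
    $result = [ordered]@{
        Host = $hostName; DnsResolves = $false; HostsFileOverride = $false
        TlsConnected = $false; ChainTrusted = $false; Subject = $null; Detail = $null
    }

    # 1. DNS: the 8.1 agent never prompts for an alternative address, so the name must resolve.
    try {
        $result.DnsResolves = ([System.Net.Dns]::GetHostAddresses($hostName)).Count -gt 0
    } catch {
        $result.Detail = "DNS: $($_.Exception.Message)"
        return [pscustomobject]$result
    }

    # A hosts-file entry satisfies the check on a dev machine; flag it so it is not mistaken for working DNS.
    $hostsFile = Join-Path $env:SystemRoot 'System32\drivers\etc\hosts'
    if (Test-Path $hostsFile) {
        $pattern = '^\s*[0-9a-fA-F.:]+\s+.*\b' + [regex]::Escape($hostName) + '\b'
        $result.HostsFileOverride = [bool](Select-String -Path $hostsFile -Pattern $pattern -Quiet)
    }

    # 2. TLS: the 8.1 agent will not accept an untrusted root. Complete the handshake with an
    #    accept-all callback so we can inspect the certificate, then build the chain ourselves
    #    against the machine's trusted roots and report the verdict instead of swallowing it.
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($hostName, $Port)
        $acceptAll = { param($s, $c, $ch, $e) $true } -as [System.Net.Security.RemoteCertificateValidationCallback]
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($hostName)
        $result.TlsConnected = $true

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $result.Subject = $cert.Subject
        $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
        # Revocation is skipped so the check also works on an isolated lab network; the trust
        # decision (untrusted root, expired, name mismatch in the chain) is what we care about here.
        $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
        $result.ChainTrusted = $chain.Build($cert)
        if (-not $result.ChainTrusted) {
            $result.Detail = 'Chain: ' + (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', ')
        }
        $ssl.Dispose()
    } catch {
        $result.Detail = "TLS: $($_.Exception.Message)"
    } finally {
        $client.Close()
    }
    return [pscustomobject]$result
}

# Usage (constructed sample address; substitute a user on your own domain):
# Test-EnrollmentEndpoint -EmailAddress 'user@contoso.com' | Format-List
```

A result with `DnsResolves` true but `HostsFileOverride` true tells you the name only works on this machine; a result with `TlsConnected` true but `ChainTrusted` false is the case the post warns about, where Windows Phone 8 would have enrolled but the 8.1 agent will fail without telling you why. Note that `X509Chain.Build` checks the chain, not that the certificate's name matches the host; the agent checks that as well, so `Subject` is reported for a manual look.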
Once you’ve agreed, the enrollment will complete. There’s no fanfare or any indicator it was a success, and you’ll just notice the button has switched to saying "Turn off" instead, in case you want to unenroll your device.
The relevant keys reside in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM. There seems to be a bug in the MSDN documentation as the sample there omits “Microsoft” from the registry hive, so be aware that a copy-paste might not work.
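Because the UI gives no confirmation, the registry key is the quickest place to verify that enrollment actually happened. The function below is an added example, not code from the post: it reads the MDM key at the path given above (with the "Microsoft" element the MSDN sample leaves out), strips the bookkeeping properties PowerShell adds, and returns the values and subkeys it finds. The post does not document the value names under that key, so the function deliberately dumps whatever is present rather than assuming names; treating a non-empty key as evidence of enrollment is my heuristic, not something the page states.

```powershell
# Added example (not from the original post). Reads the Windows 8.1 MDM enrollment key
# named in the post. Value names under it are not documented here, so nothing is assumed
# about them; "Enrolled" is a heuristic (non-empty key) chosen for this example.

function Get-MdmEnrollmentState {
    param([string]$KeyPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\MDM')

    if (-not (Test-Path -Path $KeyPath)) {
        # Key absent: the agent has never written enrollment state on this machine
        return [pscustomobject]@{ Enrolled = $false; KeyPath = $KeyPath; Values = @{}; SubKeys = @() }
    }

    # Get-ItemProperty mixes PS* provider properties in with the registry values; keep only the latter
    $values = @{}
    foreach ($p in (Get-ItemProperty -Path $KeyPath).PSObject.Properties) {
        if ($p.Name -notmatch '^PS(Path|ParentPath|ChildName|Drive|Provider)$') {
            $values[$p.Name] = $p.Value
        }
    }

    # Subkeys (if any) are listed by name only; their contents are left for manual inspection
    $subKeys = @(Get-ChildItem -Path $KeyPath -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty PSChildName)

    [pscustomobject]@{
        Enrolled = ($values.Count -gt 0 -or $subKeys.Count -gt 0)   # heuristic, see comment above
        KeyPath  = $KeyPath
        Values   = $values
        SubKeys  = $subKeys
    }
}

# Usage: reading HKLM does not require elevation, so this works from a normal user session.
# Get-MdmEnrollmentState | Format-List
```

Running it before and after pressing "Join" shows the difference the UI does not, and running it after "Turn off" is a cheap way to confirm that unenrollment cleaned up after itself.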
So, what can you do with an enrolled device? Well, much like enrolling regular phones you can apply policies, push applications, query inventory, etc. (Funny fact: the "device" reports that the operating system is "Windows NT Workstation 6.3".)
For the reference of all settings available check this MSDN link:
SyncML Request Commands: http://msdn.microsoft.com/en-us/library/dn365313.aspx