Saturday, 16 February 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows Phone 8 Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post was slightly delayed due to an issue with the app display name.  More info can be found here and worth checking if your Windows Phone 8 is running English[UK] or European Portuguese.

Preparing the Windows Intune – Windows Phone 8 Company Portal

Step 1 – Obtain the code signing certificate


Go to the Windows Phone Dev Center (https://dev.windowsphone.com/en-us), sign-in using a Windows Live ID and register for an account.
The process will then begin with Symantec and Microsoft to verify your company details.  This may take between 2 – 10 days.



Once approved, and only once approved, make a note of your Symantec Id on the Account summary of the Dev Center and then go to this site to request and pay for your certificate: https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do

Symantec will send an e-mail with a URL to retrieve your new certificate and 2 URLs to install the root certificates in the chain.

Open a new MMC window (Windows Key + Run -> mmc), from the file menu choose Add/Remove Snapin, select Certificates and then choose Computer account.  Click Next, Finish and then OK.


Use this URL to download and save the Symantec Root CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_Root_for_Microsoft.cer

Use the open MMC console to import this certificate into the Trusted Root Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Use this URL to download and save the Symantec Intermediate CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_CA_for_Microsoft_Cert.cer

Use the open MMC console to import this certificate into the Intermediate Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Once this has been completed, use the Symantec supplied URL to retrieve your code signing certificate.  This should install the certificate into the Personal store of the currently logged on user.

Close the mmc window if still open and then reopen a new mmc console, use the Add/Remove snapins option and select Certificates, but this time choose “My user account”.


Navigate to the Personal > Certificates node, select the newly imported code signing certificate, right click on it, and choose All Tasks then Export.


Step through the wizard choosing to export the Private Key and to include all certificates in the chain and save the certificate to C:\Intune.

N.B. It is important that you select the option to include all certificates in the chain otherwise later the Company Portal app will fail to download to your device.

Step 2 – Signing the Portal App


To sign Windows Phone 8 applications you will need the Windows Phone 8 SDK installing.
This SDK also requires Windows 8 as the Operating System.

Download the SDK from here:
https://dev.windowsphone.com/en-us/downloadsdk

Once the SDK is installed, navigate to C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool and copy the contents to the C:\Intune folder created earlier

Navigate to C:\Program Files (x86)\Windows Kits\8.0\bin\x86 and copy signtool.exe to the C:\Intune folder

At the Start Screen (Windows 8) search for VS2012 x86 to find the Native Tools command prompt and run it As an Administrator


In the command prompt type:
  • CD\
  • CD Intune
  • XapSignTool.exe sign /f C:\Intune\Certificate.pfx /p xXxXxXxXx C:\Intune\SSP.xap
    (xXxXxXxXx is the password you used for the exported certificate)

This will sign the Company Portal App with your code signing certificate ready for import into Intune/ConfigMgr.

If you want to double check the app has been signed, rename the extension to .zip again and extract one of the .dll files to the C:\Intune folder.  Open the properties of the file by right clicking it and choosing properties, then Digital Signatures.  You can keep checking deeper by choosing the relevant details options for the certificate.


Uploading the Windows Phone 8 Company Portal


At this point I've split the instructions into the steps for both direct management from Intune (Step 3a) and management from ConfigMgr SP1 with Intune (Step 3b).  Choose the relevant step for your management method.

Step 3a – Uploading the signed Company Portal to Windows Intune


Login to the Admin Console here: https://admin.manage.microsoft.com

Navigate in the console to Administration > Mobile Device Management > Windows Phone 8

Click the Upload Signed App File button


Follow the wizard through, specifying the signed xap file and certificate used from the previous steps.


At this point it’s worth waiting about 15 minutes before attempting to enrol a Windows Phone 8 device.

Step 3b – Uploading the signed Company Portal to Configuration Manager

  1. Navigate in the ConfigMgr console to Software Library>Overview>Application Management>Applications
  2. Click on the Create Application button on the ribbon
  3. Drop the selection list down and choose Windows Phone app package (*.xap file)
  4. Click Browse and navigate to the company portal xap file you signed earlier
  5. Step through the wizard to complete creating the application
  6. Deploy the application to the collection of users you are allowing to enrol mobile devices but ensure you choose the Intune cloud distribution point (manage.microsoft.com) during the wizard
  7. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  8. Click on the Windows Intune Subscription that you setup previously
  9. Click on Properties on the ribbon bar
  10. On the Windows Intune Subscription Properties screen that opens Click the Windows Phone 8 tab
  11. Tick the check box next to Enable Windows Phone 8 platform
  12. Click Browse next to the Code signing certificate box, navigate to your code-signing certificate and Click OK
  13. Enter the password for the certificate
  14. Click Browse next to the Company portal app box, select your company app from the list and Click OK


3 comments:

Anonymous said...

Hi Steve, where did you get the SSP.xap? When I follow your instructions at the command line for signing, its not finding the SSP.xap - I have searched my machine after installing the SDK and cannot locate it. Cheers

Steve Beaumont said...

I can't believe I missed a crucial step!!

The portal is a separate download and install/extract from here: http://www.microsoft.com/en-us/download/details.aspx?id=36060

Regards,
Steve

Sami Dorro said...

The zoom issue appears to have vanished, maybe with the update to 7.5 (?) But now I'm having an issue with FR abruptly stopping. It off and on again happens when I am utilizing the back shaft to return to the sustains record, additionally now and then happens when simply perusing a post. This may happen a couple times throughout, say, a half hour of reading.aside from the general vexation, I can't return to the post I was perusing since FR marks it as of recently read. Has any other individual experienced this, or is just me having bizarre issues once more?