Sunday 27 January 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows RT Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

System Center 2012 SP1 Configuration Manager, when linked with an Intune subscription, can manage Windows RT devices such as the Microsoft Surface or Asus Vivo Tab RT.

First, Windows RT management/enrolment must be enabled within ConfigMgr.

  1. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  2. Click on the Windows Intune Subscription that you set up previously
  3. Click on Properties on the ribbon bar
  4. On the Windows Intune Subscription Properties screen that opens, click the Windows RT tab
  5. Tick the check box next to Enable Windows RT platform
  6. Leave the Code signing certificate setting for now and click OK

N.B. These next steps assume you've followed the previous guides, have set up the required accounts in Intune using DirSync, and have the Intune Subscription in ConfigMgr pointed at a collection containing the users that are allowed to enrol devices.

Next we need to enrol the Windows RT device and download the "Company Portal".

  • On your Windows RT device (Surface RT in my case) navigate back to the Start Screen
  • On the Start Screen start typing Company App and then click on Settings

  • Click/Tap on Company Applications and accept the UAC elevation box that pops up
  • Enter your e-mail address and password for the account you synchronised to Intune
    (N.B. If you haven't set up ADFS then remember this will be a unique password for the Intune service. You may need to go into the Intune account management portal and reset the password if you haven't already.)
  • Click OK
  • If you haven't set up a DNS CNAME on your domain for enterpriseenrollment with the alias pointing to you will be presented with a screen asking you to Try Again or Enter more information.

  •  You could either:
  • I had to do the second option in my lab as my hosting provider for my domain moaned that the DNS alias was too long...
  • Click OK and wait while the device is registered with Intune/ConfigMgr
  • Once that's complete you'll be shown a screen informing you that before you can access company applications and resources you will need to install a management application, a.k.a. the Company Portal
  • Click the link shown on the screen to open Internet Explorer to show the Company Portal App Store information
  • Click the View in Windows Store button and when the Windows Store opens, Click Install
  • Once the app downloads and installs it should appear on the very right-hand side of the Start Screen; move the Company Portal to whichever position best suits you
  • Click/Tap the Company Portal app to open it
  • You'll then be asked to Sign in again.  Use the credentials you used to enrol the Windows RT device

  • Once signed into the application you should then see your company name that you specified in the properties of the Intune Subscription in the ConfigMgr console, any devices you have enrolled and any applications that have recently been made available to you.
  • Click/Tap on New Apps to see which applications have been recently made available to you, or All Apps to just show everything.
  • Click/Tap on the app you would like to install
  • In my example, the application is a link to an application within the Windows store rather than a LoB app that I have the .appx file for so I have a link to View in the Windows Store

  • Click/Tap on the View in Windows Store link and then click/tap Buy or Try 

 Following this guide will allow you to register a device with Intune/ConfigMgr, ready for deploying applications to it and setting policies, which will be explained in more detail in another blog post.

Two more settings can be set up for the management of Windows RT devices if you need to push out Line of Business apps that don't exist in the Windows Store.

To do this you must supply an Enterprise Sideloading key, which can be obtained from your Microsoft Volume Licensing Service Center portal or if you require another key, from your Licensing LAR.
  • Once you have your key, navigate in the ConfigMgr console to Software Library>Windows RT Sideloading Keys
  • Click on Create Sideloading Key
  • Fill out the information in the Specify Sideloading Key window

If your applications are only signed with an internal PKI certificate and not one that is publicly trusted, then you will also need to add your certificate to Intune/ConfigMgr so that devices trust the certificate you sign apps with.
  • Navigate in the ConfigMgr console to Administration>Windows Intune Subscriptions
  • Click on the Windows Intune Subscription that you set up previously
  • Click on Properties on the ribbon bar
  • On the Windows Intune Subscription Properties screen that opens, click the Windows RT tab
  • Click Browse and navigate to your certificate, select it and Click OK
  • Click OK
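
Before browsing to the certificate on the Windows RT tab, it is worth confirming that the .cer you are about to upload is the one your LoB package was actually signed with, that it carries the Code Signing usage and that it has not expired. The PowerShell below is an added example, not part of the original post; the function name and both file paths are hypothetical.

```powershell
# Added example: confirm a LoB .appx was signed with the certificate you plan
# to upload on the Windows RT tab. Function name and paths are hypothetical.
function Test-AppxSignerMatchesCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$AppxPath,
        [Parameter(Mandatory = $true)][string]$CerPath
    )

    $codeSigningOid = '1.3.6.1.5.5.7.3.3'   # Enhanced Key Usage: Code Signing
    $ekuExtensionOid = '2.5.29.37'          # X.509 Enhanced Key Usage extension

    # Load the public certificate (.cer) that would be imported into ConfigMgr.
    $cerFullPath = (Resolve-Path -Path $CerPath).ProviderPath
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $cerFullPath

    # Read the signature embedded in the package and the certificate that made it.
    $appxFullPath = (Resolve-Path -Path $AppxPath).ProviderPath
    $sig = Get-AuthenticodeSignature -FilePath $appxFullPath
    $signer = $sig.SignerCertificate

    # Does the certificate allow code signing at all?
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq $ekuExtensionOid }
    $hasCodeSigning = $false
    if ($eku) {
        $usages = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value })
        $hasCodeSigning = $usages -contains $codeSigningOid
    }

    $now = Get-Date
    [pscustomobject]@{
        PackageSigned      = ($null -ne $signer)
        ThumbprintMatches  = ($null -ne $signer -and $signer.Thumbprint -eq $cert.Thumbprint)
        HasCodeSigningEku  = $hasCodeSigning
        WithinValidity     = ($now -ge $cert.NotBefore -and $now -le $cert.NotAfter)
        CertificateSubject = $cert.Subject
        CertificateExpires = $cert.NotAfter
        SignatureStatus    = $sig.Status
    }
}

# Hypothetical paths: substitute your own package and exported certificate.
# Test-AppxSignerMatchesCertificate -AppxPath 'C:\Packages\ContosoLoB.appx' `
#                                   -CerPath  'C:\Certs\ContosoCodeSigning.cer'
```

On an admin workstation that does not itself trust the internal PKI root, SignatureStatus may report something other than Valid even though the thumbprints match; ThumbprintMatches, HasCodeSigningEku and WithinValidity are the values to check before uploading.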