Saturday 16 February 2013

System Center 2012 Configuration Manager SP1 and Windows Intune - Configuring Windows Phone 8 Management

This is a post in a series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager.  The other posts can be found here.

This post was slightly delayed due to an issue with the app display name.  More info can be found here, and it is worth checking if your Windows Phone 8 is running English[UK] or European Portuguese.

Preparing the Windows Intune – Windows Phone 8 Company Portal

Step 1 – Obtain the code signing certificate


Go to the Windows Phone Dev Center (https://dev.windowsphone.com/en-us), sign in using a Windows Live ID and register for an account.
The process will then begin with Symantec and Microsoft to verify your company details.  This may take between 2 – 10 days.



Once approved, and only once approved, make a note of your Symantec Id on the Account summary of the Dev Center and then go to this site to request and pay for your certificate: https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do

Symantec will send an e-mail with a URL to retrieve your new certificate and 2 URLs to install the root certificates in the chain.

Open a new MMC window (Windows Key + Run -> mmc), from the file menu choose Add/Remove Snapin, select Certificates and then choose Computer account.  Click Next, Finish and then OK.


Use this URL to download and save the Symantec Root CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_Root_for_Microsoft.cer

Use the open MMC console to import this certificate into the Trusted Root Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Use this URL to download and save the Symantec Intermediate CA Cert: https://knowledge.verisign.com/library/VERISIGN/ALL_OTHER/Symantec_Enterprise_Mobile_CA_for_Microsoft_Cert.cer

Use the open MMC console to import this certificate into the Intermediate Certification Authorities store by expanding the nodes then right clicking, choosing All Tasks then Import.


Once this has been completed, use the Symantec supplied URL to retrieve your code signing certificate.  This should install the certificate into the Personal store of the currently logged on user.

Close the mmc window if still open and then reopen a new mmc console, use the Add/Remove snapins option and select Certificates, but this time choose “My user account”.


Navigate to the Personal > Certificates node, select the newly imported code signing certificate, right click on it, and choose All Tasks then Export.


Step through the wizard choosing to export the Private Key and to include all certificates in the chain and save the certificate to C:\Intune.

N.B. It is important that you select the option to include all certificates in the chain otherwise later the Company Portal app will fail to download to your device.
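
The check below is an added example, not part of the original post: it opens the exported PFX and confirms that it holds the private key and every certificate in the chain. The file name C:\Intune\Certificate.pfx is taken from the signing command in Step 2; adjust it to your export.

```powershell
# Added example: confirm the exported PFX holds the private key and the full chain.
$pfxPath = 'C:\Intune\Certificate.pfx'   # file name from the signing command on this page
$secure  = Read-Host 'PFX password' -AsSecureString
$plain   = (New-Object System.Net.NetworkCredential('', $secure)).Password

$flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::DefaultKeySet
$certs = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$certs.Import($pfxPath, $plain, $flags)

# Exactly one entry should carry a private key: the code signing certificate.
$signer = @($certs | Where-Object { $_.HasPrivateKey })
if ($signer.Count -ne 1) {
    throw "Expected 1 certificate with a private key, found $($signer.Count)."
}

# Build the chain, offering the other PFX entries as candidate issuers.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = 'NoCheck'
foreach ($c in $certs) {
    if (-not $c.HasPrivateKey) { [void]$chain.ChainPolicy.ExtraStore.Add($c) }
}
$built = $chain.Build($signer[0])

# The machine stores already hold the root and intermediate from the earlier steps,
# so Build() can succeed even when the PFX lacks them. Compare thumbprints instead.
$inPfx  = @($certs | ForEach-Object { $_.Thumbprint })
$report = foreach ($el in $chain.ChainElements) {
    New-Object psobject -Property @{
        Subject = $el.Certificate.Subject
        InPfx   = $inPfx -contains $el.Certificate.Thumbprint
    }
}
$report | Format-Table InPfx, Subject -AutoSize

$missing = @($report | Where-Object { -not $_.InPfx })
if (-not $built) { Write-Warning 'Chain did not build to a trusted root.' }
if ($missing.Count) {
    Write-Warning "$($missing.Count) chain certificate(s) are not in the PFX; re-export with the full chain."
} else {
    'PFX contains the signing certificate, its private key and the full chain.'
}
```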

Step 2 – Signing the Portal App


To sign Windows Phone 8 applications you will need the Windows Phone 8 SDK installed.
This SDK also requires Windows 8 as the operating system.

Download the SDK from here:
https://dev.windowsphone.com/en-us/downloadsdk

Once the SDK is installed, navigate to C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool and copy the contents to the C:\Intune folder created earlier.

Navigate to C:\Program Files (x86)\Windows Kits\8.0\bin\x86 and copy signtool.exe to the C:\Intune folder.

At the Start Screen (Windows 8) search for VS2012 x86 to find the Native Tools command prompt and run it as an Administrator.


In the command prompt type:
  • CD\
  • CD Intune
  • XapSignTool.exe sign /f C:\Intune\Certificate.pfx /p xXxXxXxXx C:\Intune\SSP.xap
    (xXxXxXxXx is the password you used for the exported certificate)

This will sign the Company Portal App with your code signing certificate ready for import into Intune/ConfigMgr.

If you want to double check the app has been signed, rename the extension to .zip again and extract one of the .dll files to the C:\Intune folder.  Open the properties of the file by right clicking it and choosing properties, then Digital Signatures.  You can keep checking deeper by choosing the relevant details options for the certificate.
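
The same check can be scripted for every binary in the package. This is an added example, not part of the original post; it assumes the signed package is C:\Intune\SSP.xap and that it runs on the signing machine, where the Symantec root and intermediate from Step 1 are already trusted.

```powershell
# Added example: list the Authenticode signature of every binary inside the signed XAP.
Add-Type -AssemblyName System.IO.Compression.FileSystem

$xap = 'C:\Intune\SSP.xap'
$tmp = Join-Path $env:TEMP ('xapcheck_' + [guid]::NewGuid().ToString('N'))

# A XAP is a zip archive, so it can be extracted without renaming it first.
[System.IO.Compression.ZipFile]::ExtractToDirectory($xap, $tmp)
try {
    $results = Get-ChildItem -Path $tmp -Recurse -Include *.dll, *.exe |
        Get-AuthenticodeSignature |
        Select-Object @{ n = 'File';       e = { Split-Path $_.Path -Leaf } },
                      Status,
                      @{ n = 'Signer';     e = { $_.SignerCertificate.Subject } },
                      @{ n = 'Thumbprint'; e = { $_.SignerCertificate.Thumbprint } }

    $results | Format-Table -AutoSize

    # Distinct signer thumbprints: compare these with your code signing certificate.
    $signers = @($results | Where-Object { $_.Thumbprint } |
                 Select-Object -ExpandProperty Thumbprint -Unique)
    "Distinct signing certificates found: $($signers.Count)"
    $signers

    # Anything other than Valid (NotSigned, HashMismatch, UnknownError, ...) needs a look.
    $notValid = @($results | Where-Object { $_.Status -ne 'Valid' })
    if ($notValid.Count) {
        Write-Warning "$($notValid.Count) file(s) do not have a valid signature:"
        $notValid | ForEach-Object { "  $($_.File): $($_.Status)" }
    } else {
        "All $(@($results).Count) binaries carry a valid signature."
    }
}
finally {
    # Remove the temporary extraction folder whether or not the check succeeded.
    Remove-Item $tmp -Recurse -Force
}
```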


Uploading the Windows Phone 8 Company Portal


At this point I've split the instructions into the steps for both direct management from Intune (Step 3a) and management from ConfigMgr SP1 with Intune (Step 3b).  Choose the relevant step for your management method.

Step 3a – Uploading the signed Company Portal to Windows Intune


Login to the Admin Console here: https://admin.manage.microsoft.com

Navigate in the console to Administration > Mobile Device Management > Windows Phone 8

Click the Upload Signed App File button


Follow the wizard through, specifying the signed xap file and certificate used from the previous steps.


At this point it’s worth waiting about 15 minutes before attempting to enrol a Windows Phone 8 device.

Step 3b – Uploading the signed Company Portal to Configuration Manager

  1. Navigate in the ConfigMgr console to Software Library>Overview>Application Management>Applications
  2. Click on the Create Application button on the ribbon
  3. Drop the selection list down and choose Windows Phone app package (*.xap file)
  4. Click Browse and navigate to the company portal xap file you signed earlier
  5. Step through the wizard to complete creating the application
  6. Deploy the application to the collection of users you are allowing to enrol mobile devices but ensure you choose the Intune cloud distribution point (manage.microsoft.com) during the wizard
  7. Navigate in the ConfigMgr console to Administration>Hierarchy Configuration>Windows Intune Subscriptions
  8. Click on the Windows Intune Subscription that you setup previously
  9. Click on Properties on the ribbon bar
  10. On the Windows Intune Subscription Properties screen that opens Click the Windows Phone 8 tab
  11. Tick the check box next to Enable Windows Phone 8 platform
  12. Click Browse next to the Code signing certificate box, navigate to your code-signing certificate and Click OK
  13. Enter the password for the certificate
  14. Click Browse next to the Company portal app box, select your company app from the list and Click OK


Windows Intune Company Portal Strange Display Name

I've been holding off posting the next part in my series of posts on Windows Intune and the new integration capabilities found in System Center 2012 SP1 Configuration Manager, specifically the Windows Phone 8 management setup due to a small problem I encountered.

While I was at a customer running an Intune PoC, we deployed the Company App to a Windows Phone 8 device and while it installed we were greeted with the app being called C:\Data\Programs\{o...


I tried re-signing, re-uploading and other things, all to no avail.

I finally caved in and rang Intune Support.

After stepping through all the procedures again with the same results, the Intune support team went away to investigate further with the product team.

They came back to me asking what language my phone was running (English[UK]) and if I could try changing it to English[US] which I did.

This immediately changed the name of the app to its correct name of Company Portal.

It transpires there is a problem with the company portal app not falling back to English[US] for the app title as there is no direct support for the English[UK] language.  Other parts of the app work fine and fall back to English[US], just not the app title.

I've been discussing this on the TechNet Forums as others were having a similar issue:
http://social.technet.microsoft.com/Forums/en-US/windowsintuneprod/thread/b83bf0da-3daf-4296-9ca2-31ba5966481a/

There is a reply on there from Cathy Moya explaining that they're aware and looking into the issue.

 
It's nice to see Microsoft take such a quick action (Only a couple of days after logging the issue) to acknowledge there's a problem and to start looking to resolve it.
 
I would also like to say a special thanks to Jon Lynn who picked up this call and is constantly trawling the forums to give people advice and help.
 
 
If for some reason you really can't wait for MS to release an updated/fixed Company Portal app, I do have a workaround hack however.
 
Just please note that this is not supported, disables all Multi-Language capabilities for the title display of the app and could have other impacts that I don't know about.  So on your own head be it.
 

Modifying the Self Service Company Portal to display a friendly name

The following steps are to prevent the Company Portal from being installed and displaying a name of @C:\Data\Programs\{0……

This is unsupported by myself and probably Microsoft, do your own testing and accept the risks or don't use.

  • Download the Windows Phone 8 Company Portal App from here: http://www.microsoft.com/en-us/download/details.aspx?id=36060
  • Run the MSI installer, accepting the defaults.
  • Create a new folder in the root of C:\ called Intune
  • Navigate in Windows Explorer to C:\Program Files (x86)\Microsoft Corporation\Windows Intune Company Portal for Windows Phone 8
  • Copy the SSP.xap file to the C:\Intune folder you created earlier
  • Rename the SSP.xap file to SSP.zip and extract the contents to C:\Intune\SSP
  • Open the new SSP folder, find the WMAppManifest.xml file and open it in Notepad
  • Find this following section in the file:
<App ProductID="{01914a77-09e7-4f01-88d1-099162777f9b}" Title="@AppResLib.dll,-100" RuntimeType="Silverlight" Version="4.0.10731.0" Genre="apps.normal" Author="Microsoft" Description="Company Portal" Publisher="Microsoft" PublisherID="{EE6B2801-0000-0000-0000-000000000000}" xmlns=">
  • Locate the text that reads Title="@AppResLib.dll,-100" and change it to reflect the friendly name you want your customers to see for the Company Portal app on their Windows Phone 8 devices.
  • E.g. If I would like my users to see “Company Portal” as my app name I would change the text from:
    Title="@AppResLib.dll,-100" to Title="Company Portal"
<App ProductID="{01914a77-09e7-4f01-88d1-099162777f9b}" Title="Company Portal" RuntimeType="Silverlight" Version="4.0.10731.0" Genre="apps.normal" Author="Microsoft" Description="Company Portal" Publisher="Microsoft" PublisherID="{EE6B2801-0000-0000-0000-000000000000}" xmlns=">
  • There is also a section under <Tokens> that also has a Title block that is worth changing to the same text as was used above.
    <Tokens>
…..
          <Title>@AppResLib.dll,-200</Title>
…..
    </Tokens>
 
  • Recompress the files into a zip folder, being careful to ensure the files are in the root of the zip, not in a sub folder.


  • Rename this zip file extension back to a xap file extension
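
The extract, edit and repack steps above can be scripted. This is an added example, not part of the original post, and it carries the same unsupported status as the manual steps. The output name SSP-renamed.xap is a hypothetical choice; entries are written with names relative to the extracted folder so the files land in the root of the archive.

```powershell
# Added example: automates the unsupported manifest edit described above.
Add-Type -AssemblyName System.IO.Compression, System.IO.Compression.FileSystem

$source   = 'C:\Intune\SSP.xap'
$workDir  = 'C:\Intune\SSP'
$output   = 'C:\Intune\SSP-renamed.xap'   # hypothetical output name
$newTitle = 'Company Portal'

# A XAP is a zip archive, so it can be extracted directly.
if (Test-Path $workDir) { Remove-Item $workDir -Recurse -Force }
[System.IO.Compression.ZipFile]::ExtractToDirectory($source, $workDir)

# Replace the resource reference in <App Title="..."> and in each <Title> under <Tokens>.
$manifestPath = Join-Path $workDir 'WMAppManifest.xml'
$xml = New-Object System.Xml.XmlDocument
$xml.PreserveWhitespace = $true
$xml.Load($manifestPath)
$app = $xml.SelectSingleNode("//*[local-name()='App']")
if (-not $app) { throw "No <App> element found in $manifestPath" }
$app.SetAttribute('Title', $newTitle)
foreach ($t in $xml.SelectNodes("//*[local-name()='Tokens']//*[local-name()='Title']")) {
    $t.InnerText = $newTitle
}
$xml.Save($manifestPath)

# Repack: entry names are relative to $workDir, so nothing ends up in a sub folder.
if (Test-Path $output) { Remove-Item $output -Force }
$root = (Resolve-Path $workDir).Path.TrimEnd('\') + '\'
$zip  = [System.IO.Compression.ZipFile]::Open($output, 'Create')
try {
    Get-ChildItem $workDir -Recurse -File | ForEach-Object {
        $name = $_.FullName.Substring($root.Length).Replace('\', '/')
        [void][System.IO.Compression.ZipFileExtensions]::CreateEntryFromFile($zip, $_.FullName, $name)
    }
}
finally { $zip.Dispose() }

# Check the result: the manifest must be a root-level entry of the new package.
$check = [System.IO.Compression.ZipFile]::OpenRead($output)
try {
    if (-not $check.GetEntry('WMAppManifest.xml')) {
        throw 'WMAppManifest.xml is not in the root of the repacked archive.'
    }
    "Repacked $($check.Entries.Count) entries into $output"
}
finally { $check.Dispose() }
```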