How can I manage modern devices using System Center 2012 R2 Configuration Manager ? – Part 6

In Part 1 of this mini series we integrated Windows Intune with System Center 2012 R2 Configuration Manager. In Part 2 we added Support for iOS devices (Iphone, iPad). In Part 3 we learned the difference between App Package for iOS (*.ipa file) and applications from the Apple App Store. We learned how to deploy them to iOS devices and configured the deployment type so that the applications were made available to the user based on the iPhone or Ipad operating system version, in addition we also checked device Ownership information and deployed the application based on those requirements.

In Part 4 we learned how to use and configure compliance settings in order to enable or disable certain configurable features on iOS devices. We enforced a Password requirement and enforced a minimum password length as this is a common requirement for organizations. In Part 5 we enabled support for Windows 8.1 devices (both Windows RT 8.1 and Windows 8.1 Enterprise) so that they could be managed via System Center 2012 R2 Configuration Manager integrated with Windows Intune. Now we will look at deploying Windows 8.1 apps (appx) to Windows 8.1 devices.

 

Mobile apps that are deployed using Configuration Manager appear in the company portal on mobile devices. You can deploy sideloaded apps or links to application stores to enrolled devices. Client computers that run different versions of Windows 8 have different requirements for enabling the sideloading of apps. For example, you must configure the sideloading key on a computer that runs Windows 8 Enterprise if the computer is not joined to a domain. For more information about these requirements, see the following section in Technet:- Windows 8 Sideloading Requirements.

 

Note: In case it’s not clear in the table below, if you want to sideload apps you need a sideloading key. To create a sideloading key expand Software Library, Application Management, Windows Sideloading Keys and right click, choose Create SideLoading key and enter the details. For the purposes of this guide I will assume that you have entered your sideloading key(s) prior to commencing the steps below.

 

Windows 8 SideLoading Requirements.png

 

You can enable sideloading for this scenario by installing a sideloading product key on the computers. For more information about sideloading product activation keys, see Microsoft Volume Licensing. Additionally, the article How to Add and Remove Apps describes how to use the Windows Software Licensing Management Tool (Slmgr.vbs) to add and activate the sideloading product key.

 

 

Step 1. Create a Reg key to allow Appx installation

First of all we need to configure Windows 8 computers to allow direct installation of Windows 8 apps (appx apps). To do so, you would normally use group policy to configure the following sideloading registry settings, however our Windows 8.1 devices are not domain joined so Group Policy is out of the question. As we cannot currently deploy registry entries via Windows Intune integrated with Configuration Manager you’ll need to do this step manually or use a script.

 

As our (modern) Windows 8.1 devices are workgroup joined we need to manually create the following registry key, so please save the text below into a file called AllowAllTrustedApps.reg and then run it on your Windows 8.1 clients.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\Appx]
"AllowAllTrustedApps"=dword:00000001

Step 2. Create and deploy a Certificate Profile

A Certificate is required to ensure that the app is trusted. Without the correct certificate, you can’t sideload apps. As we will be installing an Appx app using the Company Portal we therefore need the certificate in place.

 

Tip: Sideloading of apps is when you install them using a method other than the via the Store (sideloading is appropriate for other platforms as well, such as iOS, Windows Phone, Android).

 

This certificate does not have to be rooted to a trusted certification authority; it just has to be trusted by your PCs. The Publisher Name in the package manifest must match the Publisher Name in the certificate that is used to sign the app package. Windows trusts many Certificate Authorities without any additional configuration. If the certificate is from one of these already trusted authorities, you don’t need to deploy and manage additional certificates to the targeted PCs. You also can use your company’s internal Certificate Authority to sign the app, as long as you ensure that the CA certificate is installed in the Windows images of the targeted PCs.

 

We can use a new feature in Configuration Manager 2012 R2 to deploy Certificate Profiles. Certificate profiles in System Center 2012 Configuration Manager works with Active Directory Certificate Services and the Network Device Enrollment Service role to provision authentication certificates for managed devices so that users can seamlessly access company resources. For example, you can create and deploy certificate profiles to provide the necessary certificates for users to initiate VPN and wireless connections.

 

In Assets and Compliance expand Compliance Settings, then expand Company Resources and finally select Certificate Profiles. Right click and choose Create Certificate Profile

 

Create Certificate Profile.png

 

Give it a suitable name and description, In this blog post you are learning how to Deploy Appx apps to modern (mobile) devices and this example will be sufficient for our needs, we can use the certificate we created when we created out sample Appx app in this post.

 

test certificate.png

 

Browse to the folder where you’ve got your Appx certificate (or to the folder where you have a Windows 8.1 appx app source files plus the self signed certificate) and select the certificate and then choose open.

 

open cert.png

 

We can use the default Computer Certificate Store (Root)

 

computer certificate store - Root.png

 

Next we want to select the Operating Systems we want to provision with this certificate profile, so select Windows 8.1

 

select the platforms that will be provisioned with this certificate profile.png

 

The certificate profile is created, click close.

 

certificate profile created.png

 

Step 3. Deploy the Certificate

Now that we’ve created our test appx certificate profile, we will deploy it to our Windows 8.1 modern devices. Right click the certificate profile and choose Deploy.

 

Deploy appx certificate.png

 

and select the All Mobile devices Device collection.

 

Note: In the screenshot below I have not changed the compliance evaluation schedule from the default setting of 15 minutes, which in a lab is ok, however in production you’d want to set it to something more realistic like once a week.

 

all mobile devices.png

 

Step 4. Verify the Certificate is deployed

Now that the Certificate is deployed it’s a waiting game, the device must receive it’s policy which by default is once every 24 hours. Once it has received policy you can verify that the certificate is actually deployed by bringing up the Certificates MMC on one of your Windows 8.1 devices. In the screenshot below we are viewing a certificate on two separate computers, the one on the left is on the CM12 server and the one on the right is on a Windows 8.1 client. On the left side you can see the Certificate properties of the self signed certificate in the sample Appx app highlighted, you can bring up the Certificate Properties by double clicking on the certificate in the sample Appx folder, and on the right side we have the Certificate Properties of the Certificate we Deployed to our Windows 8.1 device in Step 3 above. If you look closely, they match.

 

Certificates match.png

 

Additionally you can browse to the Deployments tab of our Appx Certificate deployment, and right click and choose View Status

 

view status of Deployments.png

 

which will bring you to the monitoring node and allow you to dig deeper in terms of successful deployments etc, the screenshot below shows the successful deployment of the certificate used above on one of the 3 Windows 8.1 devices used in this lab.

 

compliance of the deployment.png

 

Step 5. Create an Appx App

In Application Management, Applications, section browse to our previously created folder layout and select Windows 8.1, right click and choose Create Application, select Windows Appx package from the type menu (the default is MSI)

 

create application.png

 

point it to our sample app that we created earlier

 

and fill the UNC location of the appx app

 

fill in type and location.png

 

the import information is shown

 

import information.png

 

On the General Information screen add any changes you need or just click next to continue, note that you can also select to Use an Automatic VPN connection (if configured), this feature is explained here.

 

General Information.png

 

continue through to completion and then close the wizard

 

appx wizard completion.png

 

Step 6. Distribute The Content

Modern devices (and other clients too) won’t be able to get Appx apps unless the content is actually present in the ‘cloud’ so we need to distribute it to our Windows Intune managed distribution point. Right click on the newly added Appx app and choose Distribute Content

 

Distribute Content.png

 

click next

 

Distribute Content detect.png

 

click through to the Content Distribution screen and click on Add to Add a distribution point

 

add dp.png

 

select the MANAGE.MICROSOFT.COM distribution point (Cloud)

 

select the manage dp.png

 

and click your way through the rest of the wizard, you can review the distmgr.log to verify it has distributed the content.

 

content is distributed to the cloud.png

 

 

Step 7. Deploy the Appx application

The next step is to Deploy the Appx application in order for our modern device users to see it in the company portal, so right click it and choose Deploy

 

Deploy Lockscreen Appx app.png

 

fill in the relevant info and choose the Windows Intune Users collection

 

software and collection.png

 

next you’ll see which distribution points the content is on,

 

content lists the cloud.png

 

we want the deployment to be of an Available purpose (optional)

 

Install Available.png

 

click your way through to the end of the Wizard

 

Deploy appx completed.png

 

Step 8. Test the Appx Deployment

Login to a Windows 8.1 computer that you’ve enrolled exactly as described in Part 5. We will speed up policy retrieval by opening a command prompt and issuing a command called mdmagent

 

mdmagent.png

 

Bring up the Start menu and select the Company Portal

 

company portal.png

 

and sign in with your credentials

 

sign in to the company portal.png

 

the Lockscreen Appx app appears, click on it to start the installation process

 

Lockscreen Appx app.png

 

and select Install in the top left corner

 

install LockScreen.png

 

it should say Installing

 

Installing.png

 

and if everything is ok it will install.

 

Note: I do not have any sideloading keys and therefore cannot show you the completion of this appx installation.

 

Troubleshooting

Check the following registry key on your Windows 8.1 device to see the status of your Appx installation

 

HKEY_Current_User\Software\Microsoft\Windows\CurrrentVersion\MDM\JobDB

 

and verify the status such as in the screenshot below, the status of 78(120) means SideLoading key is required, to get a list of what these status codes mean see this post.

 

sideloading key required.png

 

You can also check that the .appx application has been signed by the correct authority. To do this, make a copy of the appx app, and rename the copied .appx file to .zip and unzip the files. Open the AppxManifest.xml within the extracted files using notepad and check both the Identity parameter and Publisher value.

 

 

 

Recommended Reading

Summary

Installing Appx apps on Windows 8.1 devices using Windows Intune Integration in Configuration Manager 2012 R2 is not as straightforward as you would think, there are quite a few requirements on the client which in some cases need to be resolved outside of Configuration Manager/Windows Intune due to current capabilities. However once those requirements are in place you can use the Company Portal as your online ‘store’ in the cloud and manage everything via System Center 2012 R2 Configuration Manager.

 

Special thanks to Wally and Panu for their advice on this guide.

 

until next time,

cheers

niall.

This entry was posted in ConfigMgr 2012. Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.