In Part 1 of this series, we prepared the Intune environment for mobile device management. We also made sure we had the Intune subscription account.
In Part 2, we configured Active Directory and created users in Intune.
In Part 3, we prepared our Configuration Manager server in order to link it to Intune using the SCCM connector.
In Part 4, we enrolled an Apple iOS device in SCCM.
In Part 5, we enrolled an Android device in SCCM.
In Part 6, we will enroll a Windows Phone 8.1 device in SCCM.
This post assumes that you’ve done what is necessary in your infrastructure to support Windows Phone enrollment. See the previous posts of this series if that’s not the case.
I’ll start with the bad news: this process is not a walk in the park. Microsoft has strict requirements before you can enroll your WP8.1 devices. Here are the required steps:
- Enable the Windows Phone 8.1 extension in the Configuration Manager console
- Obtain a Windows Phone developer account
- The Company Portal app must be code-signed with a Symantec certificate that is trusted by the Windows Phone devices
- You must create the Company Portal application in the Software Library
- Enable Windows Phone enrollment in SCCM
- Enroll your phone
If you need to deploy apps to devices, they must be code-signed by using your company’s certification authority or an external certification authority.
Now the good news is that Microsoft has released the Support Tool for Windows Intune Trial Management of Window Phone to create all of this if you want to easily (!) test this in your environment. If you are doing a proof of concept, browse to this Technet blog entry, which will guide you through the Support Tool for Windows Intune Trial Management of Window Phone installation process.
We’ll take one bite at a time and try to simplify it for you.
Enable the Windows Phone 8.1 extension
The extension enables device management functionality that includes security settings, wipe, inventory, app management, VPN profiles, Wi-Fi profiles, certificate profiles, email profiles and remote profiles.
- Open the SCCM Console
- Go to Administration / Overview / Cloud Services / Extensions for Windows Intune
- Right click Windows Phone 8.1 Extension
- Select Enable
- Accept the License Terms
Windows Phone developer account
Important note : There’s a 100$ cost for a developer account.
To create your account, go to the Microsoft Dev Center and complete the process. You will need the account ID to request the Symantec Certificate in the next step.
For technical reasons, I can’t guide you through the whole account creation process of the Microsoft dev account. Fellow blogger Gerry Hampson has described the process in one of his blog posts.
Important note : There’s a 299$ cost for a 1 year certificate.
To obtain the certificate, go to the Symantec Enterprise Mobile Code Signing Certificate page and complete the process. It can take a couple of days before you receive your certificate.
Once again, for technical reasons, I can’t guide you through the whole buying process of the Symantec certificate. Fellow blogger Gerry Hampson has described the process in one of his blog posts.
Code-sign the Company Portal app with the Symantec certificate
Once you have created your Developer account and obtained the Symantec certificate, you have almost all you need to proceed. In this section we will download the Company Portal app and the Windows Phone SDK to sign the app before we do what is necessary in SCCM.
- Download and install the Windows Phone SDK from the Microsoft Download Center
- Download and install the Company Portal App from the Microsoft Download Center
Once both are installed:
- Browse to C:\Program Files (x86)\Windows Kits\8.0\bin\x64
- Copy signtool.exe to C:\Program Files (x86)\Windows Kits\8.0\Tools\XapSignTool
- Copy SSP.XAP from your Company Portal installation folder to C:\Program Files (x86)\Windows Kits\8.0\Tools\XapSignTool
- Copy your Symantec .PFX certificate to C:\Program Files (x86)\Windows Kits\8.0\Tools\XapSignTool
- Open an Administrator Command Prompt
- Go to C:\Program Files (x86)\Windows Kits\8.0\Tools\XapSignTool
- Run the command XapSignTool.exe Sign /f YourSymantecCertificate.pfx /p YourCertificatePassword SSP.XAP
Your Company Portal app (SSP.XAP) is now signed with your Enterprise Certificate. You can verify it by opening the Properties of the SSP.XAP file, going to the Digital Signature tab and clicking Details.
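Because an expired or unusable certificate makes enrollment fail without a useful error, it is worth checking the .PFX itself before you sign with it and before you hand it to SCCM. The PowerShell script below is an added example, not part of the original procedure; the file name is a placeholder and the 30-day warning threshold is an assumption.

```powershell
# Added example: sanity-check the code-signing .PFX used with XapSignTool.
# The default file name and the 30-day warning threshold are assumptions.
param(
    [string]$PfxPath  = '.\YourSymantecCertificate.pfx',
    [int]   $WarnDays = 30
)

# Prompt for the password so it is not typed as a command-line argument.
$password = Read-Host -Prompt 'PFX password' -AsSecureString

try {
    $fullPath = (Resolve-Path -Path $PfxPath -ErrorAction Stop).Path
    $cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                       -ArgumentList $fullPath, $password
}
catch {
    Write-Error "Cannot open '$PfxPath' (missing file, wrong password or damaged PFX): $_"
    exit 1
}

# Look for the Code Signing purpose (id-kp-codeSigning) in the EKU extension.
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$eku = $cert.Extensions | Where-Object {
    $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension]
}
$hasCodeSigning = $false
if ($eku) {
    $hasCodeSigning = @($eku.EnhancedKeyUsages | ForEach-Object { $_.Value }) -contains $codeSigningOid
}

$now      = Get-Date
$daysLeft = [int][math]::Floor(($cert.NotAfter - $now).TotalDays)

# Collect everything that would prevent a valid signature.
$problems = @()
if (-not $cert.HasPrivateKey) { $problems += 'PFX holds no private key, so it cannot sign' }
if (-not $hasCodeSigning)     { $problems += 'certificate lacks the Code Signing usage' }
if ($cert.NotBefore -gt $now) { $problems += "certificate is not valid until $($cert.NotBefore)" }
if ($daysLeft -lt 0)          { $problems += "certificate expired on $($cert.NotAfter)" }
elseif ($daysLeft -lt $WarnDays) {
    Write-Warning "Certificate expires in $daysLeft days; plan to renew it and re-sign SSP.XAP."
}

"Subject   : $($cert.Subject)"
"Thumbprint: $($cert.Thumbprint)"
"Expires   : $($cert.NotAfter) ($daysLeft days left)"
if ($problems.Count -gt 0) { $problems | ForEach-Object { Write-Error $_ }; exit 1 }
'PFX looks usable for signing the Company Portal app.'
```

Run it from the folder that holds the .PFX; a non-zero exit code means the certificate should not be used for signing or uploaded to SCCM.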
Create the Company Portal app in SCCM
- Copy the SSP.XAP file and your .PFX Enterprise Certificate to your SCCM Source folder
- Open the SCCM console
- Go to Software Library / Application Management
- Right click Applications and select Create Application
- In Type, select Windows Phone app package *.xap
- In Location, enter the path to your SSP.XAP file
- Click Next
- View the imported information and click Next
- Change the name if you need, we will call it Company Portal, click Next
- Click Next and Close to end the wizard
The Company Portal app is now created in SCCM and ready to be sent to your users.
Enable Windows Phone enrollment in SCCM
- Open the SCCM Console
- Go to Administration / Overview / Cloud Services / Windows Intune Subscriptions
- Right-click Windows Intune Subscriptions
- Select Windows Phone tab
- Check the Enable Windows Phone enrollment box
- Click the .PFX file radio button and click Browse to your .PFX file
- In the Application package section, click Browse and select your Company Portal app that you’ve previously created
Windows Phone 8.1 Enrollment
You’re finally there, you can enroll your device.
- On your Windows Phone device
- Go to Settings / System / Workplace
- Select Add Account
- Enter your Intune credentials and select Sign-In
- You will receive a confirmation of the process. Select to install the Company Portal app, then select Done
- You’ll be returned to the Workplace screen. Notice the name of your company at the bottom.
Here are a couple of troubleshooting tips that have been gathered by Kenny Buntinx, fellow MVP:
If the Company Portal is not signed correctly or the certificate has expired, your phones will stop enrolling and you won’t get any error message. You’ll only receive a notification that the phone can’t find the server.
If the Company Portal is not installed after enrolling on Windows Phone, visit this Technet blog entry.
When you enroll a Windows Phone 8.1 device, enrollment fails if the optional setting for device authentication is enabled as part of the global authentication policy in Active Directory Federation Services (AD FS).
Workaround: Disable device authentication on the AD FS server by unchecking Enable device authentication in Edit Global Authentication Policy.
This post concludes the modern device enrollment process. The next post will focus on management tasks.
Founder of System Center Dudes. Based in Montreal, Canada, Senior Microsoft SCCM Consultant, 5 times Enterprise Mobility MVP. Working in the industry since 1999. His specialization is designing, deploying and configuring SCCM, mass deployment of Windows operating systems, Office 365 and Intune deployments.