Windows Intune – How to enroll a Windows Device and deploy a Windows App

It has been a long time that I have worked with Windows Intune. The most recently blog was about Windows Intune this year in January. I had a day off today. That means for me, it’s time for Intune! I was curious about Direct Management, Deploying Windows Apps to a Windows Device and how to register an Android mobile device via Company Portal. So, I begun with Windows Device enrollment, Windows App deploying and Direct Management.

First you have to know about sideloading and deploying Windows App to different versions of Windows 8.1. There are different ways to deploy or install a Windows app. You can use the Windows Store or, you can use a deployment tool like; ConfigMgr, MDT or Windows Intune. Apps which are available in the Windows App Store are automatically signed and validated as trusted by Microsoft and can be deployed by Windows Intune directly out the Windows Store to the devices. When you have to distribute a business-line(LOB) app directly to a user without using the Windows Store, you have to sideload the app. Sideloading means bypass the validation and signing requirements of the Windows Store and makes you responsible for validating and singing them. You cannot sideload an app that has been downloaded from the Windows Store. Due the corporate policy it’s duly that the company doesn’t want to make there LOB apps available in the Windows Store. For them is sideloading the only option to deploy Windows Store apps. Also, they will be responsible for app updates to users. For sideloading you have to use sideload keys. They are available at Microsoft Volume Licensing. More information about sideloading, check this url: http://technet.microsoft.com/en-us/library/dn613831.aspx

Which versions must be sideloading the apps?

NOTE: Unfortunately, I can’t test sideloading. I don’t have the keys for sideloading. Because of that, I could test only a Windows 8.1 Enterprise Update 1 domain joined.

NOTE: Follow this blog if you don’t have a Windows Store App. https://albertneef.wordpress.com/2014/05/07/create-a-windows-store-app/

UPDATE: Microsoft has changed its Sideloading process for all Windows 8.1 devices.  For Windows Phone 8.1 you can download the .XAP from the Windows Store and put it on your external disk of your mobile device. From the external memory/disk you can install the app. This is also available(via PowerShell, SCCM or Windows Intune) if your Windows 8.1 Pro and Enterprise are domain joined. For devices which are not domain joined (like Windows RT) you have to use Sideloading activation keys. Obtain a Sideloading activation key, see the this site Windows 8 Volume Licensing Guide.  Read more about this process at Technet: http://technet.microsoft.com/en-us/library/dn613831.aspx How to use Sideloading Product Activation Key, see this website: http://technet.microsoft.com/en-us/library/dn613835.aspx


 

Let’s begin with a group policy. We have to enable Allow all trusted app to install in Computer Configuration -> Administrative Templates -> Windows Components -> App Package Deployment or you can change this registry HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1.

Prerequisites:

  • Enterprise PKI server
  • Certificate for ADFS
  • Active directory
  • AD Federation Service
  • Windows Intune subscription
  • Windows 8.1 update 1

Direct Management Setup:

Step 1 ) https://albertneef.wordpress.com/2014/05/05/installing-and-configuring-an-enterprise-pkiadcs-environment/

Step 2 ) https://albertneef.wordpress.com/2014/05/07/installing-and-configuring-adfsdirsync-for-windows-intune/

Step 3 ) From Technet:

Users download the Windows Intune Company Portal app that is available in the Windows Store. The following steps describe the enrollment process.

  1. Go to Settings > PC Settings > Network > Workplace.
  2. Enter the User ID and click Turn on.
  3. Check the Allow apps and services from IT admin dialog box, and click Turn on.

Enable Direct Management on the client:

Go to Change PC Settings

Go to Network

Go to Workplace and click Join. If the device is joined the Workplace successfully, click on the Turn On button. The user needs Local Administrator permission to turn on device management.

You can verify the eventvwr for errors or warnings. Go to Applications and Services\Microsoft\Windows\Workplace Join\Admin. You will see few events.

After few minutes the device is added in Windows Intune, ready to be managed.

Ok, now we have to upload a Windows app. If you don’t have an app yet. Follow this blog to make a simple test app without content. https://albertneef.wordpress.com/2014/05/07/create-a-windows-store-app/

Go to Software -> Overview –> Step 1: Add Software

Click Add Software in the menu.

If you get this message, click Run.

You will get this window. Follow the screenshots/figures

wiappxwiappx2

Right click on the app -> Manage deployment…

I don’t have any groups, so I have to select All Users. Click Next.

Select Available Install. Click Finish.

Check the app again. Deployed is changed to Yes

We have to import the app certificate into Windows Intune. Go to Administration -> Mobile Device Management and click/select Windows. Click Modify Code-Signing Certificates

Go to the AppPackages directory, where you got the appx (app file) and select the *.cer.

wicert

Verify the imported certificate.

It’s time to deploy the app to a Windows Device.

Download the Company portal from the Windows Store.

The device is ready. You can install your test app from the Company Portal.

That’s all folks. You have a device that is being direct managed by Windows Intune and it is ready to deploy Windows Store apps.  If you have any questions or comments about this configuration or about deploying, don’t hesitate to leave a message!

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.