Important note about KB3081699

Good news! Microsoft has just released KB3081699 to fix the issue that Windows Phone Apps cannot be deployed or added to Allowed Apps or Blocked Apps lists via ConfigMgr. This hotfix applies to ConfigMgr 2012 R2 SP1 and ConfigMgr SP2. However, it’s important to note that, even though this hotfix was released after CU1, the current version of this hotfix should be installed before CU1.

Update August 7, 2015: As expected this update is now available in two flavors. In the hotfix request form it’s now possible to select one of the following:

  • pre-CU1: ConfigMgr_2012_SP2_R2SP1_CU0_QFE_KB3081699_ENU
  • post-CU1: ConfigMgr_2012_SP2_R2SP1_CU1_QFE_KB3081699_ENU

Store accounts and the Microsoft Intune Company Portal app

In this blog post I will answer a question that I get from a lot of customers: is it required for end-users to have an account for the app store of their platform to download the Microsoft Intune Company Portal app? The app store that I mean here can be the Google Play app store, the Apple app store, the Windows Phone app store or the Windows app store. Each of these stores belongs to its own platform and requires its own store account to download apps.

Before I can answer the initial question, I first have to answer another question. That question is if it’s required to use the Microsoft Intune Company Portal app, simply because a store account is not required if the Microsoft Intune Company Portal app is not required. In this post I’ll try to answer both of these questions by providing tables for a nice overview of the requirements per platform. In general this is applicable for both Microsoft Intune standalone and Microsoft Intune integrated with ConfigMgr 2012.

Microsoft Intune Company Portal app

Now let’s start with the first question: is the Microsoft Intune Company Portal app required? In almost all scenarios the answer to this question will be yes. Also, keep in mind that the advised scenario for every platform is to install the Microsoft Intune Company Portal app and to enroll the mobile device. To be complete, the following table lists the functional requirements for the Microsoft Intune Company Portal app for every platform.

| Platform | Enrollment and policies | Application deployment |
|---|---|---|
| Android | Yes | Yes |
| iOS | Yes [1] | Yes |
| Windows Phone 8.0 | No | Yes |
| Windows Phone 8.1 | No | Yes |
| Windows | No | Yes |

[1] It is possible to enroll iOS devices without using the Microsoft Intune Company Portal app. That can be achieved by either using portal.manage.microsoft.com on an iOS device, or by using the corporate device enrollment feature with Microsoft Intune standalone.

Store account

That brings me to the second question, is the store account required to get the Microsoft Intune Company Portal app? Well, this also differs per platform. To make it easy I can say that it’s required for the non-Microsoft platforms. The following table provides a quick overview per platform, including the alternatives for the Microsoft platforms.

| Platform | Store account required | Alternative |
|---|---|---|
| Android | Yes | N/A |
| iOS | Yes | N/A |
| Windows Phone 8.0 | No | Microsoft Intune Company Portal app for Windows Phone |
| Windows Phone 8.1 | No | Microsoft Intune Company Portal app for Windows Phone 8.1 |
| Windows | No | Microsoft Intune Company Portal app for Windows 8.1 |

Conclusion

At this moment the best method for end-users to enroll their device is to use the Microsoft Intune Company Portal app, if possible. In case the Microsoft Intune Company Portal app is not required for the enrollment, like with Microsoft platforms, it’s still advised to install the Microsoft Intune Company Portal app to better manage devices and applications.

Back to the original question, this would mean that, at this moment, a store account is always required for non-Microsoft platforms. For Microsoft platforms it depends on how the Microsoft Intune Company Portal app is deployed. Like I mentioned in my previous post, I like to use the Microsoft Intune Company Portal app for the Microsoft App store, if possible, and in that case a store account is required.


How to troubleshoot Windows Phone 8.1 enrollment via Microsoft Intune

In this blog post I want to put a spotlight on the troubleshooting of Windows Phone 8.1 enrollment in Microsoft Intune (with or without ConfigMgr integration). The problem with Windows Phone enrollment was that there was little to no log information about the enrollment process, but that has changed with Windows Phone 8.1. Before Windows Phone 8.1 there were only some log files (like the dmpdownloader) when the integration with ConfigMgr was used, but on most occasions they wouldn’t show helpful information.

Starting with Windows Phone 8.1 this has changed and there is the ability to get some logging of the mobile device. It’s not an easy process, and probably not an option in every situation,  but it will help to verify the health of the environment. Starting with Windows Phone 8.1 it’s possible to get logging during the device enrollment, during the certificate enrollment and during the VPN configuration. The minor detail is that the Windows Phone needs to be an emulator image, or a developer unlocked retail device.

Prerequisites

Before I start with the steps to collect and view the logging of a Windows Phone device, it is important to have the following prerequisites in place:

Step 1: Collect the Enterprise Management logging

The first step in troubleshooting, starting with Windows Phone 8.1, is to collect the logging of the device. Since Windows Phone 8.1 and the Windows Phone Developer Power Tools 8.1 it is possible to get some logging when the mobile device is connected to the desktop, or laptop, running the tools. To collect the logging, perform the following steps:

  1. Start the Windows Phone Developer Power Tools 8.1;
  2. Select Device and click Connect;
  3. Select the Performance Recorder tab, navigate to Extras and select Enterprise Management;
  4. Click Start to start the collecting of the logging;
  5. Perform the Windows Phone 8.1 enrollment;
  6. Click Stop to stop the collection of the logging and save the collected logging locally.

Step 2: View the Enterprise Management logging

The second step in troubleshooting, starting with Windows Phone 8.1, is to view the logging of the device. The captured logging is saved in an ETL format and can be opened with the Windows Performance Analyzer (WPA). To view the logging, perform the following steps:

  1. Start the Windows Performance Analyzer and open the collected logging.
  2. In the Graph Explorer, expand System Activity and double-click Generic Events.
  3. In the Analysis tab, click Open View Editor.
  4. In the Generic Events View Editor, select at least Message and click Apply.
  5. Back in the Analysis tab, the Message column will provide the detailed (error) information per provider.
  6. For device enrollment the logged information will be available in the provider named Microsoft-WindowsPhone-Enrollment-API-Provider.

Note: For troubleshooting SCEP certificate enrollment the provider will be named Microsoft-WindowsPhone-SCEP-Provider and for troubleshooting VPN configuration the provider will be named Microsoft-WindowsPhone-CmCspVpnPlus.

Result

The following picture shows an example of the logging collected from a Windows Phone 8.1 device while enrolling the device in Microsoft Intune/ConfigMgr. The error message 0x80090016 pointed me straight to certificate issues. The only “variable” certificates that are being used during the enrollment are used to sign the company portal. After re-signing my company portal the problem was solved. This was a lot easier troubleshooting than the default message on a Windows Phone mobile device.
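Why 0x80090016 points at certificates becomes visible when the HRESULT is split into its fields. The following is an added example, not part of the original post: it scans rows copied from the WPA Generic Events table for failing HRESULTs in the three providers named above. The row layout, the message wording and the function names are assumptions; only the provider names and 0x80090016 come from the post.

```python
import re

# Provider names as given in the post, mapped to the area they cover.
PROVIDERS = {
    "Microsoft-WindowsPhone-Enrollment-API-Provider": "device enrollment",
    "Microsoft-WindowsPhone-SCEP-Provider": "SCEP certificate enrollment",
    "Microsoft-WindowsPhone-CmCspVpnPlus": "VPN configuration",
}

# Standard HRESULT facility numbers from winerror.h (subset).
FACILITIES = {7: "WIN32", 9: "SSPI (security/crypto)", 11: "CERT"}

# Only the code the post reports is named here.
KNOWN = {0x80090016: "NTE_BAD_KEYSET (keyset does not exist)"}

HRESULT_RE = re.compile(r"0x[0-9A-Fa-f]{8}\b")


def decode_hresult(value):
    """Split a 32-bit HRESULT into failure bit, facility and code."""
    return {
        "failed": bool(value >> 31),
        "facility": FACILITIES.get((value >> 16) & 0x7FF, "other"),
        "code": value & 0xFFFF,
        "name": KNOWN.get(value, "unknown"),
    }


def triage(rows):
    """Return (area, hresult, details) for failing HRESULTs in known providers."""
    findings = []
    for provider, message in rows:
        area = PROVIDERS.get(provider)
        if area is None:
            continue  # event from a provider the post does not cover
        for match in HRESULT_RE.findall(message):
            info = decode_hresult(int(match, 16))
            if info["failed"]:
                findings.append((area, match.lower(), info))
    return findings


# Constructed sample rows (provider, Message); wording is an assumption.
SAMPLE_ROWS = [
    ("Microsoft-WindowsPhone-Enrollment-API-Provider", "Enrollment failed, hr = 0x80090016"),
    ("Some-Other-Provider", "unrelated event 0x80004005"),
    ("Microsoft-WindowsPhone-CmCspVpnPlus", "Profile applied, result 0x00000000"),
]

if __name__ == "__main__":
    print(triage(SAMPLE_ROWS))
```

Facility 9 covers the security and cryptography subsystems, which is why a failure with this code is worth chasing in the signing certificate and its key rather than in network or policy settings.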

Further reading

This information and much more can be found in the Windows Phone 8.1 management bible, which can be downloaded here: http://go.microsoft.com/fwlink/?LinkID=279003
