How to use the Microsoft Intune Company Portal app for Windows Phone 8.1 from the Download Center

A bit more than a month ago Microsoft released the Microsoft Intune Company Portal app specifically for Windows Phone 8.1 in the Download Center. This version of the Microsoft Intune Company Portal app is created specifically for Windows Phone 8.1 and later, as it’s created in the APPX format, which is not supported by Windows Phone 8. It can be used by administrators to deploy to end-users who do not have access to the Windows Phone Store. The main feature of this version of the Microsoft Intune Company Portal app is the ability to show the configured Terms and Conditions in Microsoft Intune standalone.

In this blog post I’ll describe how this version of the Microsoft Intune Company Portal app can be signed and how it can be used in either Microsoft Intune hybrid, or Microsoft Intune standalone.

Sign the Microsoft Intune Company Portal app

Let’s start with the part that got me puzzled for a while, signing the Microsoft Intune Company Portal app. I was smart enough to use the Signtool.exe, but that alone will not do the trick. This will provide an error message indicating that the publisher of the app does not match the used code-signing certificate. For signing the Microsoft Intune Company Portal app a little bit more is required, but luckily there is a PowerShell script, which is part of the Windows Phone 8.1 SDK, which is part of Visual Studio Community 2013 CU4, that takes care of everything. To sign the Microsoft Intune Company Portal app, perform the following steps.

Tip: Use the same certificate that’s used to sign other LOB applications, or that’s already been used to sign the Microsoft Intune Company Portal app for Windows Phone 8 (xap).

  1. SignCompanyPortalAppOpen a Command Pompt as administrator;
  2. Run the command PowerShell.exe –File “%ProgramFiles(x86)%\Microsoft SDKs\WindowsPhoneApp\v8.1\Tools\MDILXAPCompile\BuildMDILAPPX.ps1” -appxfilename C:\Data\CompanyPortal.appx -pfxfilename C:\Data\InovativEnterpriseCodeSigningCertificate.pfx –password <Password>;
  3. In the Delete Files dialog box, click Yes.

The PowerShell script BuildMDILAPPX.ps1 does all the required work to successfully sign the Microsoft Intune Company Portal app. The path specified in the command, of the script, is the default path after the installation of Visual Studio Community 2013 CU4. The parameters used as input to this script require the following information.

  • appxfilename – This parameter specifies the path and name of the APPX file;
  • pfxfilename – This parameter specifies the path and name of the certificate file;
  • password – This parameter specifies the password of the specified certificate.

Configure the Microsoft Intune Company Portal app

Now that the Microsoft Intune Company Portal app is signed, let’s have a look at how it can be used. I’ll go through both scenarios, Microsoft Intune hybrid and Microsoft Intune standalone, as they both have their own configuration requirements.

Microsoft Intune hybrid

WindowsPhoneConfigurationSince the release of the latest service pack for ConfigMgr 2012 R2, the configuration for enabling just Windows Phone 8.1 is a lot easier. Simply navigate to the Microsoft Intune Subscription Properties and select Windows Phone 8.1 and later in the configuration of the Windows Phone platform.

To make sure that the Microsoft Intune Company Portal app can be installed, the code-signing certificate, used for signing the app, must also be configured. This can be done by simply selecting pfx file and browsing to the code-signing certificate, that’s used to sign the Microsoft Intune Company Portal app, or by selecting Application enrollment token and browsing to the location of the AET file.

RequiredCompanyPortalAppFor Windows Phone 8.1 and later the Microsoft Intune Company Portal app must be deployed, with a Purpose of Required, to either an user or a device collection. I would suggest to target an user collection, as that collection membership is already available during the enrollment of the mobile device. This will make sure that the Microsoft Intune Company Portal app installation happens sooner, as it doesn’t have to wait on the collection membership of the mobile device. Even better would be to use the user collection configured in the Microsoft Intune Subscription Properties, as this user collection gets top priority.

Tip: Use the Microsoft Intune Company Portal app for Windows Phone 8 (xap), when the company also supports Windows Phone 8 devices, or when the company is still running ConfigMgr 2012 R2 (without service pack). This will save a lot of administrative overhead, for only minor application changes, especially from a Microsoft Intune hybrid perspective.

Microsoft Intune standalone

ConfigureCompanyPortalAppFunny enough, the configuration for the Microsoft Intune Company Portal app is more complicated in Microsoft Intune standalone. There is no configuration required to allow the enrollment of Windows Phone 8.1 devices, but the fun starts with uploading the code-signing certificate.

To make sure that the Microsoft Intune Company Portal app can be installed, the code-signing certificate, used for signing the app, must be uploaded to Microsoft Intune and that can only be achieved by uploading a signed Microsoft Intune Company Portal app for Windows Phone 8 (xap). After that’s successfully done, the code-signing certificate is available within Microsoft Intune for usage with other applications.

RequiredInstallCompanyPortalAppNow to prevent the installation of the Microsoft Intune Company Portal app for Windows Phone 8 (xap), configure the Approval configuration, of the deployment, to Uninstall. The next thing is to make sure that the Microsoft Intune Company Portal app for Windows Phone 8.1 (appx) is deployed with the Approval configuration of Required Install, to either an user or a device group. Again, I would suggest to target an user group, as that group membership is already available during the enrollment of the mobile device. This will make sure that the Microsoft Intune Company Portal app installation happens sooner, as it doesn’t have to wait on the group membership of the mobile device.

Tip: Use the Microsoft Intune Company Portal app for Windows Phone 8 (xap), unless the company uses custom Terms and Conditions. This will save a lot of administrative overhead, for only minor application changes.

Conclusion

Personally I prefer everything that’s newer, which in this case would be the Microsoft Intune Company Portal app for Windows Phone 8.1 (appx), but as mentioned a couple of times it’s not always the best option from an administrative perspective. To prevent any confusions make sure to know the different scenarios of the Microsoft Intune Company Portal app, before just simply deploying. For example, in Microsoft Intune standalone the use of custom Terms and Conditions can be a reason to (also) use the Microsoft Intune Company Portal app for Windows Phone 8.1 (appx).

More information

For more information about the different subjects of this blog post please refer to the following links:

7 thoughts on “How to use the Microsoft Intune Company Portal app for Windows Phone 8.1 from the Download Center”

  1. Peter – do you know how you can add this application as a whitelisted/allowed app if you’re using an Allow/Whitelist for applications on Windows Mobile 8.1?

    Currently my customer is blocking all apps aside from those specified in the new “Compliant Apps List” feature introduced in 2012 R2 SP1 but sadly this includes the Company Portal app – I can’t add this as a Whitelisted/Allowed app as I don’t know it’s GUID (I’ve tried the GUID from the Windows Store and it doesn’t seem to work).

    Any assistance would be welcome 🙂

    Reply
    • Hi Jonathan,

      As mentioned via email, while my website was down, you can simply rename the APPX to ZIP and you’ll be able to check the content. If you’ve got a third party application, like 7-Zip, it’s not even needed to rename it to ZIP, as it can simply browse through an APPX. The AppxManifest.xml contains the ProductId. This line contains the required information: Reply

  2. Hi Peter,

    When you open the company portal app We see three options there, Company apps, Other apps and Categories.

    Can you tell me how can I create my own categories under that categories option?

    However I’m able to create my own categories under Company apps>Categories

    Please help me on this.

    Reply
  3. Peter:
    We’re running Intune Standalone. Built for us Nov. 2016. We need the 8.1 Company Portal app signed and uploaded for us. Within Intune, it now looks like you can upload your Symantec Code Signing cert, which makes me ask whether this step is still necessary: To make sure that the Microsoft Intune Company Portal app can be installed, the code-signing certificate, used for signing the app, must be uploaded to Microsoft Intune and that can only be achieved by uploading a signed Microsoft Intune Company Portal app for Windows Phone 8 (xap). After that’s successfully done, the code-signing certificate is available within Microsoft Intune for usage with other applications.

    Reply

Leave a Reply to Scott Noebel Cancel reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.