Windows 8.1 and the different management options

WorkplaceEnrollment01In this blog post I would like to address a topic that’s often forgotten in the mobile devices management discussion. That topic is based on the question, “How are we going to manage the Windows 8.1 devices?”. Yes, I know, technically speaking a Windows 8.1 device is not a mobile device, but that doesn’t mean that we can’t treat it like one.

In this blog post I’ll go through the different management options for Windows 8.1 from a Microsoft Intune standalone and a Microsoft Intune hybrid perspective. Also, I will provide an overview of the related management prerequisites, from both perspectives, and I’ll show the end-user enrollment possibilities.

Management options

The introduction of Microsoft Intune introduced a lot of management options for all the iOS, Android and Windows (Phone) devices. More specifically, for Windows 8.1devices the management options are enormous. With the introduction of Microsoft Intune and Windows 8.1 we suddenly have multiple options for managing Windows 8.1 devices.

Microsoft Intune client

Let’s start with the Microsoft Intune client. The Microsoft Intune client can be used to fully manage the Windows 8.1 devices in Microsoft Intune standalone and the Microsoft Intune hybrid. Yes, really, even in Microsoft Intune hybrid. With Microsoft Intune hybrid, we only configure ConfigMgr as the mobile device management authority. That means that full clients can still be managed through Microsoft Intune. Yes, it does kill the idea of using one console to manage all devices, but I’ve been in scenarios where it was the best option for managing the close-to-always-out-of-the-office devices. It allowed them to stay in control without introduction something like Internet based client management (IBCM), or DirectAccess (DA).

In general, the Microsoft Intune client is the ideal solution for fully managing company owned devices in Microsoft Intune standalone. In really specific use cases, the Microsoft Intune client can a good alternative in Microsoft Intune hybrid.

ConfigMgr client

The ConfigMgr client can be used to manage the Windows 8.1 devices in Microsoft Intune hybrid. In Microsoft Intune hybrid the ConfigMgr client is the most enhanced client that is capable to manage devices in the most advanced way. The ConfigMgr client can not take advantage of the Microsoft Intune service, which means that for close-to-always-out-of-the-office devices we still have to look at something like Internet based client management (IBCM), or DirectAccess (DA).

In general, the ConfigMgr client is the ideal solution for fully managing company owned devices in Microsoft Intune hybrid.

OMA-DM agent

OMA Device Management (OMA-DM) is an open standard designed for mobile devices. The nice thing is that OMA-DM is now also available in Windows, since Windows 8.1, and will be even more utilized in Windows 10. That also means that the OMA-DM agent can be used to slightly manage a Windows 8.1 device in a similar way as a mobile device. It provides just enough capabilities to put some requirements on a personal device of the user that he, for example, wants to connect to the company Wi-Fi. After the installation of the Microsoft Intune Company Portal app it’s even possible to provide the user with some company specific apps.

In general, the OMA-DM agent is the ideal management solution for personal devices in Microsoft Intune standalone and Microsoft Intune hybrid.

Workplace Join

Besides OMA-DM, Workplace Join is the other often forgotten option for Windows 8.1. A Workplace Join is somewhere in between being part of the domain, or not.  Very simplistically said, after the Workplace Join action, the computer authentication can be used for single sign-on purposes and to provide conditional access to company resources and services. There is no overlap with the management capabilities provided via Microsoft Intune standalone or Microsoft Intune hybrid, it’s more an addition.

That’s also why I won’t go into more detail, in this blog post, about Workplace Join, as I want to focus on the management capabilities of the combination of Windows 8.1 and Microsoft Intune. I did thought it was worth mentioning that it’s a very nice addition to the management capabilities of Microsoft Intune.

Management prerequisites

Now that I’ve gone through the different management options, it’s time to look at the management prerequisites for Microsoft Intune standalone and Microsoft Intune hybrid.

Microsoft Intune client

Looking at the Microsoft Intune client there are no specific configurations required in Microsoft Intune standalone, or Microsoft Intune hybrid, to allow Windows 8.1 devices. From a client perspective, the device has to run Windows 8.1 Pro or Windows 8.1 Enterprise.  As I’m only writing about Windows 8.1, there are no specific software requirements. A couple of important things to keep in mind are the following.

Requirement More information
Administrative permissions The account that installs the Microsoft Intune client must have local administrator permissions on the device.
Remove incompatible client software Before the Microsoft Intune client can be installed any ConfigMgr-like management client should be removed.

For all the requirements related to the Microsoft Intune client installation, see: https://technet.microsoft.com/en-us/library/dn646950.aspx

ConfigMgr client

Now looking at the ConfigMgr client there are also no specific configurations required, in Microsoft Intune hybrid, to allow Windows 8.1 devices. However, it is required to run at least ConfigMgr 2012 SP1 CU3, to support Windows 8.1 devices. From a client perspective the device has to run Windows 8.1 Pro or Windows 8.1 Enterprise. Again, as I’m only writing about Windows 8.1 devices, there are no specific software requirements that are not already installed during the client installation. A couple of important things to keep in mind are the following.

Requirement More information
Administrative permissions The account that installs the ConfigMgr client must have local administrator permissions on the device.
Remove incompatible client software Before the ConfigMgr client can be installed any Microsoft Intune-like management client should be removed.
Microsoft Task Scheduler service The Microsoft Task Scheduler service must be enabled on the device for the client installation to complete.

For all the requirements related to the ConfigMgr client installation, see: https://technet.microsoft.com/en-us/library/gg682042.aspx

OMA-DM agent

For the OMA-DM agent there are specific configurations required, mainly for Microsoft Intune hybrid, to allow the enrollment of Windows 8.1 devices. Let’s have a quick look from both perspectives to see what the required configuration changes are.

Microsoft Intune standalone

Intune_WindowsEnrollEnabledIn Microsoft Intune standalone there is no specific configuration required to enable the enrollment of Windows 8.1 devices. However, if the installation of line-of-business apps is required, it is required to add sideloading keys. Also, if a non-public, not trusted, code-signing certificate is used to sign the line-of-business apps, it is also required to provide that certificate. To add sideloading keys and/or to provide the code-signing certificate, follow the next steps.

Step Configuration
1 Navigate to Mobile Device Management > Windows.
2

Intune_WindowsEnrollTo add sideloading keys, click Add Sideloading Key. In the Add Sideloading Key dialog box provide the Name, Key and Total activations and click OK.

To upload a code-signing certificate, click Modify Code-Signing Certificate. In the Upload a Code-Signing Certificate dialog box select the certificate and click Upload.

Microsoft Intune hybrid

In Microsoft Intune hybrid there is a small configuration required to allow the enrollment of Windows 8.1 devices. If the installation of line-of-business apps is also required, it is also required to add sideloading keys. Also, if a non-public, not trusted, code-signing certificate is used to sign the line-of-business apps, it is also required to provide that certificate. To allow the enrollment of Windows 8.1 devices and to add sideloading keys and/or to provide the code-signing certificate, follow the next steps.

Step Configuration
1 Navigate to Administration > Overview > Cloud Services > Windows Intune.
2 Double-click Windows Intune Subscription and select the Windows tab.
3 ConfigMgr_WindowsEnrollTo allow the enrollment of Windows 8.1 devices, select Enable Windows enrollment and click OK.

To upload a code-signing certificate, click Browse. In the Open dialog box select the certificate and click Open and click OK.

To add sideloading keys, do as mentioned in the dialog box, and navigate to Software Library > Overview > Application Management > Windows Sideloading Keys. Click Create Sideloading Key, in the Add Sideloading Key dialog box provide the Name, Key and Total activations and click OK.

Enrollment requirements

After allowing the enrollment of Windows 8.1 devices, a couple of important things to keep in mind, before enrolling the Windows 8.1 devices, are the following.

Requirement More information
Administrative permissions The account that enrolls the device must have local administrator permissions and can not be the buildin administrator.
Remove incompatible client software Before a device can be enrolled any ConfigMgr-like management client should be removed.

End-user enrollment

Now that I’ve gone through the different management options and the different management requirements, there is one last subject that I would like to address and that’s the end-user enrollment. No, I won’t go through all the different, known, options to install the Microsoft Intune client, or the ConfigMgr client. I’ll only go through the most unknown scenario and that’s the the end-user enrollment. The end-user enrollment experience is the same in Microsoft Intune standalone and Microsoft Intune hybrid.

Microsoft Intune client

Let’s start by looking at the end-user enrollment for the Microsoft Intune client. Yes, as long as the management requirements are met, the end-user can install the Microsoft Intune client by following the next steps.

Step Configuration
1 Login to portal.manage.microsoft.com.
2 Select This device is either not enrolled or the Company Portal can’t identify it.
3 In the Identify or enroll this device dialog box select ENROLL.
4 In the Enroll your computer dialog box select DOWNLOAD SOFTWARE.
5 In the Do you want to run or save Microsoft_Intune_Setup.exe from msub3.manage.microsoft.com dialog box select Run.
6 Intune_ClientInstallThis will start the Microsoft Intune Setup wizard.

  • On the Welcome to the Microsoft Intune Setup Wizard page, click Next.
  • On the Completed the Microsoft Intune Setup Wizard page, click Finish.

ConfigMgr client

There is no out-of-the-box end-user enrollment available for the ConfigMgr client.

OMA-DM agent

Now let’s have a look at the end-user enrollment from a OMA-DM perspective. When the management prerequisites are in place, the end-user can enroll their Windows 8.1 device by performing the steps mentioned below.

Enrollment

The first thing that the end-user must do is to enroll its Windows 8.1 device.

Step Configuration
1 Navigate to PC settings > Network > Workplace.
2 In the Workplace screen, provide a user ID and click Join.
3 In the Connecting to a service screen provide the password and click Sign in.
4 In the Allow apps and services from IT admin screen, select I agree and click Turn on.

Company portal

When the end-user also wants to be able to install the available company apps, the next thing that the end-user must do is to install the Microsoft Intune Company Portall app.

Step Configuration
1 Open the Store.
2 In the Home screen, use the Search for apps field to search for Microsoft Intune Company Portal.
3 In the Results for “Microsoft Intune Company Portal” screen, select Company Portal.
4 In the Company Portal screen, click Install.

More information

I have to admit that this was a long blog post. That’s why I can imagine that on specific subjects some more information might be required to get the complete picture. The following links provide additional information about the subjects touched in this post:

Share

1 thought on “Windows 8.1 and the different management options

Leave a Comment