SCCM 2012 SP1 – Windows Phone 8 Portal App and Azure Active Directory allowed characters

Hey, here’s Martin again.

I faced the Problem, that I could not Rollout the Company Portal app to a Windows Phone 8 Device. Well, I thought that this might be the Problem, but later more…
Everything started with my new Windows Phone 8 Device, and the possibility to manage this Device through System Center 2012 Configuration Manager. The requirements for the Installation of this Company App is not easy, because you need the „Symantec Code Signing Certificates for Windows Phone” and to get this you’ll need a Windows Phone 8 Developer Account, unfortunately both of them cost some bucks.

You can sign-up fo the Microsoft Developer Account for 99$ here:
For the Code signing, 299$, go to this Symantec Page:
/Update:For LAB purposes you can use a Free possibility: (Thanks to Torsten for the link!)

When you both have created, it’s time to sign you app, for this, you will have to download the following pieces of Software:
The Windows Phone 8 SDK:
And the Windows Phone 8 Company Portal App: (be sure Using Version 2.0, in Version 1.0 there was a Problem with the Application Name)

Install the downloaded Company Portal App, mind the Installation Path (on x64 “C:\Program Files (x86)\Microsoft Corporation\Windows Intune Company Portal for Windows Phone 8”), because there you will find the file “SSP.xap”, this you will now sign with your code signing certificate. Now start “VS2012 x86 Native Tools Command Prompt” and make sure that your current Directory is “%ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool” where the XapSignTool.exe resides. Then you can start to sign your App:
XapSignTool.exe sign /f {Certificate File} /p {Password to Certificate} {Full Path to your app file}SSP.xap

You can Change the Name “SPP” to something you like, it doesn’t matter. Refer to this MSDN library:

With that, you have not yet everything, you will need an Intune Subscription, and fortunately there is a 30-day free subscription:

I will not Point out the process of integrate Intune to SCCM, there are many guides available and in my experience it’s a robust and well working step.

When SCCM has uploaded the Company Portal App to the newly created DP, you can start with you Intune experience!

You have now 3 (and very soon 4) Options to Login at the devices:

  1. Manually Created Users in Intune with same UPN as a User from On-Premise and manually handled Password for Intune Accounts
  2. With DirSync created Users from your On-Premise AD and manually handled Password for Intune Accounts
  3. With DirSync created Users from your On-Premise AD and an ADFS Authentication process to use same Password in On-Premise AD and Azure AD
  4. This was announced at TechEd that in the Next Wave (same release Date as R2 Wave for 2012) the synchronization of the Password will also be supported.

Which Option you want to deploy depends on your size and other depencies. For my big Lab Environment with 1 User, I truly can not manage the Password for this user manually, and so I implemented ADFS. This process is well documented and the most important thing is, that you use a public SSL certificate on your ADFS Servers!

Lot of work is done until here, but now the fun part begins 🙂

On your Windows Phone 8 Device go to Settings and open “Company apps”:
Windows Phone 8 Company App_01Read the upcoming message carefully and go on “add account”:
Windows Phone 8 Company App_02Insert your UPN and your Password and tap on sign in:
Windows Phone 8 Company App_03After a short shivering time you will see this Screen:
Windows Phone 8 Company App_04Don’t uncheck the “Install Company app or Hub”. The last Screen Shows the success of the Enrollment, but not about installing the app.
Windows Phone 8 Company App_05From this Moment, you can check the SCCM Console to get the Status from the Installation of the Company app, go to Monitoring -> Deployments and choose the Company Portal App deployment which is on your Collection that was added in the Intune Subscription:
Windows Phone 8 Company App Deployment StatusAnd W000H000:Windows Phone 8 Company AppWhen you start the app, you will be asked to provide your credentials, and your App will be loaded:
Windows Phone 8 Company App Login      Windows Phone 8 Company App Logged In

That seemed easy huh? But I will be honest, I had some Problems on my way to get this…

DirSync does not Support IPv6, that means, if your DirSync Server is in DualStack mode, the synchronization will fail.

The second and biggest Problem was to Login with my On-Premise Account with ADFS. Everything else worked really fine. One Point to search when using ADFS is the Office 365 Single Sign on test:

Everything was green, and it also worked perfectly on the Webbrowser, but not with Windows Phone 8, I was always getting the error: “We weren’t able to set up this Company account on your phone. Try again later. If you still can’t add it, contact your company’s Support Person for help.”:
Windows Phone 8 Company App Login failedSo, who should I contact…? I decided to use the Intune Support, which was a very good experience. We was getting closer to the Problem, and found it: The Azure Active Directory got some restrictions to the character set allowed for a Password. Refer to this “Password policy in Windows Azure AD”:
After changing the Password which follows the restrictions, the Login process worked like a charm 🙂

And now, I was asking myself, is it possible to restrict the character set in Active Directory, and yes it is. I don’t know if I really would apply this, but it seems to be possible:

Now having fun with Intune 🙂

2 thoughts on “SCCM 2012 SP1 – Windows Phone 8 Portal App and Azure Active Directory allowed characters

Leave a Reply to Martin Wüthrich Cancel reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.