SCCM 2012 SP1 – Windows Phone 8 Portal App and Azure Active Directory allowed characters

Hey, here’s Martin again.

I faced the problem that I could not roll out the Company Portal app to a Windows Phone 8 device. Well, I thought that this might be the problem, but more on that later…
Everything started with my new Windows Phone 8 device and the possibility to manage this device through System Center 2012 Configuration Manager. The requirements for installing this company app are not trivial: you need a "Symantec Code Signing Certificate for Windows Phone", and to get one you'll need a Windows Phone 8 Developer Account; unfortunately both of them cost some bucks.

You can sign up for the Microsoft Developer Account for $99 here: http://dev.windowsphone.com/en-us/join
For the code signing certificate, $299, go to this Symantec page: https://products.websecurity.symantec.com/orders/enrollment/microsoftCert.do
Update: for lab purposes there is a free option: http://www.microsoft.com/en-us/download/details.aspx?id=39079 (Thanks to Torsten for the link!)

Once you have both, it's time to sign your app. For this you will have to download the following pieces of software:
The Windows Phone 8 SDK: https://dev.windowsphone.com/en-us/downloadsdk
And the Windows Phone 8 Company Portal App: http://www.microsoft.com/en-us/download/details.aspx?id=36060 (be sure to use version 2.0; version 1.0 had a problem with the application name)

Install the downloaded Company Portal App and note the installation path (on x64: "C:\Program Files (x86)\Microsoft Corporation\Windows Intune Company Portal for Windows Phone 8"), because that is where you will find the file "SSP.xap", which you will now sign with your code signing certificate. Start the "VS2012 x86 Native Tools Command Prompt" and make sure that your current directory is "%ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool", where XapSignTool.exe resides. Then you can sign your app:
XapSignTool.exe sign /f {Certificate File} /p {Password to Certificate} {Full Path to your app file}\SSP.xap

You can change the name "SSP" to whatever you like; it doesn't matter. Refer to this MSDN library article: http://msdn.microsoft.com/en-us/library/windowsphone/develop/jj681686(v=vs.105)

With that you still don't have everything: you will also need an Intune subscription, and fortunately there is a 30-day free trial: http://www.microsoft.com/en-us/windows/windowsintune/try.aspx

I will not describe the process of integrating Intune with SCCM; there are many guides available, and in my experience it's a robust and well-working step.

When SCCM has uploaded the Company Portal App to the newly created DP manage.microsoft.com, you can start your Intune experience!

You now have 3 (and very soon 4) options for logging in on the devices:

  1. Manually created users in Intune with the same UPN as an on-premise user, with the passwords for the Intune accounts managed manually
  2. Users created from your on-premise AD with DirSync, with the passwords for the Intune accounts managed manually
  3. Users created from your on-premise AD with DirSync, plus an ADFS authentication process so that the same password is used in on-premise AD and Azure AD
  4. Announced at TechEd: in the next wave (same release date as the R2 wave for 2012), synchronization of the password will also be supported.

Which option you deploy depends on your size and other dependencies. For my big lab environment with 1 user, I truly cannot manage the password for this user manually, so I implemented ADFS. This process is well documented; the most important thing is that you use a public SSL certificate on your ADFS servers!

A lot of work has been done up to here, but now the fun part begins 🙂

On your Windows Phone 8 device go to Settings and open "Company apps":
[Screenshot: Windows Phone 8 Company App_01]
Read the upcoming message carefully and tap "add account":
[Screenshot: Windows Phone 8 Company App_02]
Enter your UPN and your password and tap "sign in":
[Screenshot: Windows Phone 8 Company App_03]
After a short wait you will see this screen:
[Screenshot: Windows Phone 8 Company App_04]
Don't uncheck "Install Company app or Hub". The last screen shows the success of the enrollment, but says nothing about installing the app.
[Screenshot: Windows Phone 8 Company App_05]
From this moment you can check the SCCM console for the status of the Company app installation: go to Monitoring -> Deployments and choose the Company Portal App deployment targeted at the collection that was added in the Intune subscription:
[Screenshot: Windows Phone 8 Company App Deployment Status]
And W000H000:
[Screenshot: Windows Phone 8 Company App]
When you start the app you will be asked to provide your credentials, and your app will be loaded:
[Screenshots: Windows Phone 8 Company App Login / Windows Phone 8 Company App Logged In]

That seemed easy, huh? But I will be honest, I had some problems on my way to get there…

First: DirSync does not support IPv6; that means if your DirSync server is in dual-stack mode, the synchronization will fail.

The second and biggest problem was logging in with my on-premise account via ADFS. Everything else worked really fine. One place to check when using ADFS is the Office 365 Single Sign-On test: https://www.testexchangeconnectivity.com/?tabid=1

Everything was green, and it also worked perfectly in the web browser, but not on Windows Phone 8; I was always getting the error: "We weren't able to set up this Company account on your phone. Try again later. If you still can't add it, contact your company's Support Person for help.":
[Screenshot: Windows Phone 8 Company App Login failed]
So, who should I contact…? I decided to use Intune Support, which was a very good experience. We got closer to the problem and found it: Azure Active Directory has restrictions on the character set allowed in a password. Refer to "Password policy in Windows Azure AD":
http://technet.microsoft.com/en-us/library/jj943764.aspx
After changing the password to one that follows the restrictions, the login process worked like a charm 🙂

And now I was asking myself: is it possible to restrict the character set in Active Directory? Yes, it is. I don't know if I would really apply this, but it seems to be possible:
http://msdn.microsoft.com/en-us/library/ms722439.aspx
http://msdn.microsoft.com/en-us/library/ms721766.aspx
http://msdn.microsoft.com/en-us/library/ms721884.aspx
(From: http://social.technet.microsoft.com/Forums/windowsserver/en-US/e74a9c7e-1635-4766-a95d-cb9ca3c70b1c/limiting-special-characters-in-a-Password)
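To make the two points above concrete (the Azure AD character-set restriction that broke the phone sign-in, and restricting the character set on the on-premise side so users never pick such a password), here is an added example in C; it is not code from the original post or from Microsoft. It assumes that the MSDN pages linked above describe the password filter DLL mechanism (the InitializeChangeNotify / PasswordFilter / PasswordChangeNotify exports the LSA calls on a domain controller), and the allowed symbol list in ALLOWED_SYMBOLS is an assumption taken from the linked Azure AD policy page at the time; check it against the current page before using it. The policy function itself is portable and everything Windows-specific sits under #ifdef _WIN32, so the check can be built and tested anywhere.

```c
/* Added example, not code from the original post: a minimal Windows
 * password filter DLL whose policy rejects characters that the Azure AD
 * password policy (the linked TechNet page) does not accept, so that an
 * on-premise user cannot pick a password that later fails ADFS/Intune
 * sign-in. ALLOWED_SYMBOLS is an ASSUMPTION taken from that policy page;
 * verify it against the current page before deploying anything. */
#include <stddef.h>
#include <stdio.h>
#include <wchar.h>

/* ASSUMED Azure AD symbol whitelist (in addition to A-Z, a-z, 0-9). */
static const wchar_t ALLOWED_SYMBOLS[] = L"@#$%^&*-_!+=[]{}|\\:',.?/`~\"();";

/* Returns 1 if every character of pw[0..len) is in the allowed set and
 * 0 if any character (space, umlaut, other Unicode, control character ...)
 * would be rejected by the policy. */
int azuread_charset_ok(const wchar_t *pw, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        wchar_t c = pw[i];
        if ((c >= L'a' && c <= L'z') || (c >= L'A' && c <= L'Z') ||
            (c >= L'0' && c <= L'9'))
            continue;
        /* printable ASCII only, and of those only the whitelisted symbols */
        if (c > 0x20 && c < 0x7f && wcschr(ALLOWED_SYMBOLS, c) != NULL)
            continue;
        return 0;
    }
    return 1;
}

/* Convenience wrapper for NUL-terminated wide strings. */
int azuread_charset_ok_str(const wchar_t *pw)
{
    return azuread_charset_ok(pw, wcslen(pw));
}

/* Constructed sample containing a German umlaut (U+00FC): "Muenchen1"
 * spelled with u-umlaut, which the policy must reject. */
const wchar_t SAMPLE_UMLAUT[] = { L'M', L'\xfc', L'n', L'c', L'h', L'e', L'n', L'1', 0 };

#ifdef _WIN32
#include <windows.h>
#include <ntsecapi.h>

/* The three entry points the LSA expects from a password filter DLL
 * (see the MSDN password filter pages linked in the post). */
BOOLEAN WINAPI InitializeChangeNotify(void)
{
    return TRUE;
}

BOOLEAN WINAPI PasswordFilter(PUNICODE_STRING AccountName,
                              PUNICODE_STRING FullName,
                              PUNICODE_STRING Password,
                              BOOLEAN SetOperation)
{
    (void)AccountName; (void)FullName; (void)SetOperation;
    /* UNICODE_STRING.Length is in BYTES, not characters. */
    return (BOOLEAN)azuread_charset_ok(Password->Buffer,
                                       Password->Length / sizeof(WCHAR));
}

NTSTATUS WINAPI PasswordChangeNotify(PUNICODE_STRING UserName,
                                     ULONG RelativeId,
                                     PUNICODE_STRING NewPassword)
{
    (void)UserName; (void)RelativeId; (void)NewPassword;
    return 0; /* STATUS_SUCCESS: nothing to do after a successful change */
}
#endif

/* Stand-alone run of the policy function over constructed samples. */
int main(void)
{
    const wchar_t *samples[] = { L"Passw0rd!", L"Pass word", L"a-b_c@d.e" };
    for (size_t i = 0; i < 3; i++)
        printf("%-12ls -> %s\n", samples[i],
               azuread_charset_ok_str(samples[i]) ? "ok" : "REJECT");
    printf("sample with umlaut -> %s\n",
           azuread_charset_ok_str(SAMPLE_UMLAUT) ? "ok" : "REJECT");
    return 0;
}
```

Built as a DLL on Windows and registered as described on the linked "installing and registering a password filter DLL" page, PasswordFilter is consulted on every password set or change on the domain controller, so a password with a space or an umlaut is refused at the source instead of failing later on the phone. Keep the filter minimal and fast: it runs inside the LSA process, and a crash there takes the domain controller down.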

Now have fun with Intune 🙂
