A few weeks ago I came in contact with Douwe van de Ruit, who is working at our partner KPN. Douwe is an expert in ConfigMgr & Intune and has experience with several Intune implementations; his personal blog is located here. He e-mailed me an internal document which describes how to develop a (simple) Modern App and deploy that using Intune Standalone. There are many guides available on how to develop apps and how to deploy existing apps – his guide bridges the gap in between. I proposed to write a joint blog; however, he did the vast majority. Credits should go to him.
The purpose of this guide is to demonstrate how to build and deploy a modern UI app to Windows 8.1 using Windows Intune Standalone. This guide is based on a fictitious organization named Contoso.com and is divided into three sections:
What you will need:
In this guide we used ZipApp to keep it as simple as possible.
At this point we have created an appx package that is code signed and that can be deployed using ConfigMgr or Windows Intune.
This guide is based on a Windows Intune stand-alone scenario so in the following steps you will need a Windows Intune subscription with the Mobile Device Management Authority set to Windows Intune. You won’t need Single Sign-on or Active Directory synchronization.
Note: For those who have their Windows Intune subscription connected to a ConfigMgr 2012 site you should be able to complete all the steps. You don’t need to set the Mobile Device Management Authority because it is already set to ConfigMgr 2012 permanently.
If you have a stand-alone Windows Intune subscription complete the following step.
To create and manage user accounts you will need the Account management console http://account.manage.microsoft.com. Using the Windows Intune management console http://manage.microsoft.com you can manage devices and software.
We need to configure the following:
At this point we have a test user who is a member of a group that we are going to use for targeting the software using a deployment. The next step is to upload our modern UI app to Windows Intune.
Note: Although Windows Intune supports most browsers it would be best to use Internet Explorer to upload software to Intune. This is because the console uses a web installer to launch the Windows Intune Software Publisher which is a small application that is used to check and upload the software packages. Using other browsers you won’t get a seamless experience in using the Software Publisher.
There you go, all configurations that are required to deploy the modern UI demo app are done. Next thing to do is to enroll a Windows 8.1 client into Windows Intune by installing the Intune client software.
To successfully deploy a modern UI app to a Windows 8.1 client some rules have to be followed. There are two:
You may ask yourself why these rules exist. It is because they (partly) implement Microsoft’s approach to securing and trusting apps. For testing, you can comply with these rules by making some configurations on the client.
For this guide we used a Windows 8.1 Enterprise x86 evaluation version which is a member of a workgroup. To be able to install the app, the code signing certificate can be installed manually. However, to execute the app we will need sideloading keys, because we did not set up an Active Directory and therefore the client will remain a member of a workgroup. And because we don’t want to buy sideloading keys at this stage, we will use a developer license as an alternative.
Before making the configurations the client must be enrolled into the Windows Intune service.
Important: After the setup finished the Windows Intune client may take up to 30 minutes to fully initialize and register itself as a management agent on the client and into the Windows Intune service. Make sure that no pending updates or reboots are preventing the Windows Intune client from installing or initializing.
Wait for a few minutes…
Note: In real life this setting is configured using a Group Policy. On test clients configuring it by hand would be sufficient.
Note: The company portal app should only be installed when the Windows Intune client is fully initialized.
You can now close PowerShell. If you want to check your developer license status later, you can use the following PowerShell command:
It will return an object stating whether the license is valid, and what the expiration date is. You can also remove/deactivate the developer license using the following PowerShell command:
Now start the app again. Voila!
Thanks Douwe for this useful guide!
heck of a job.. You can tell them easy way to build an app (http://www.apphinge.com)
great walkthrough, I asked our app developer to use the new Symantec Code signing certificate we purchased to sign the Windows Company Portal for our organisation. They say they get an error using this certificate as the EKU's are wrong. I would have thought it would be the perfect certificate?
Tried to use this new certificate but unfortunately it’s been rejected by Visual Studio.
Looking over the section “Validating Certificates” at https://msdn.microsoft.com/en-us/library/windows/apps/br230260(v=vs.110).aspx I suspect the point that it’s failing on is:
Verifies the value of the Enhanced Key Usage property, which must contain Code Signing and may also contain Lifetime Signing. Any other EKUs are prohibited.
Examining the certificate gives the following EKUs:
Code Signing (1.3.6.1.5.5.7.3.3)
Unknown Key Usage (2.16.840.1.1137188.8.131.52.1)
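
The EKU rule quoted in the comment above (Code Signing required, Lifetime Signing optional, anything else prohibited) can be checked before a certificate is handed to Visual Studio. The following PowerShell is an added example, not part of the original post or its comments. `Test-AppxSigningEku` and `New-ConstructedCert` are hypothetical helper names, the test certificates are constructed in memory, and the extra Server Authentication EKU is a stand-in for a disallowed usage. It assumes PowerShell 7, or Windows PowerShell 5.1 on .NET Framework 4.7.2 or later.

```powershell
# Added example: check a certificate's EKUs against the app-package signing rule.
using namespace System.Security.Cryptography
using namespace System.Security.Cryptography.X509Certificates

$CodeSigning     = '1.3.6.1.5.5.7.3.3'        # required
$LifetimeSigning = '1.3.6.1.4.1.311.10.3.13'  # optional

function Test-AppxSigningEku {
    param([Parameter(Mandatory)][X509Certificate2]$Certificate)

    # Collect the OIDs from the Enhanced Key Usage extension, if there is one.
    $ekus = @($Certificate.Extensions |
        Where-Object { $_ -is [X509EnhancedKeyUsageExtension] } |
        ForEach-Object { $_.EnhancedKeyUsages } |
        ForEach-Object { $_.Value })

    # Anything other than the two allowed OIDs makes the certificate unusable.
    $prohibited = @($ekus | Where-Object { $_ -notin $CodeSigning, $LifetimeSigning })

    [pscustomobject]@{
        Subject        = $Certificate.Subject
        HasCodeSigning = $ekus -contains $CodeSigning
        ProhibitedEkus = $prohibited
        Acceptable     = ($ekus -contains $CodeSigning) -and ($prohibited.Count -eq 0)
    }
}

# Hypothetical helper: builds a throwaway self-signed certificate in memory
# (nothing is written to a certificate store) with the given EKU OIDs.
function New-ConstructedCert {
    param([string]$Subject, [string[]]$EkuOids)
    $rsa  = [RSA]::Create(2048)
    $req  = [CertificateRequest]::new($Subject, $rsa,
                [HashAlgorithmName]::SHA256, [RSASignaturePadding]::Pkcs1)
    $oids = [OidCollection]::new()
    foreach ($o in $EkuOids) { [void]$oids.Add([Oid]::new($o)) }
    $req.CertificateExtensions.Add(
        [X509EnhancedKeyUsageExtension]::new($oids, $false))
    $req.CreateSelfSigned([DateTimeOffset]::Now, [DateTimeOffset]::Now.AddDays(1))
}

# Constructed samples: one with Code Signing only, one with an extra EKU
# (Server Authentication) standing in for a disallowed usage.
Test-AppxSigningEku (New-ConstructedCert 'CN=Contoso Good' $CodeSigning)
Test-AppxSigningEku (New-ConstructedCert 'CN=Contoso Extra EKU' $CodeSigning, '1.3.6.1.5.5.7.3.1')
```

To check a real certificate, pass an `X509Certificate2` object from the `Cert:` drive or from a `.cer` file to `Test-AppxSigningEku` instead of a constructed one.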