
Work Folders app for iPhone finally released

1:15 pm in EMS, intune, iOS, Iphone, IT-Dev Connections, IT/Dev Connections, ITDevconnections, Work Folders, Workplace Join by Kenny Buntinx [MVP]

 

We are happy to announce that an iPhone app for Work Folders has been released in the Apple App Store and is available as a free download.

(A Work Folders app for iPad was released a few months ago.)

Overview

Work Folders is a Windows Server feature that lets individual employees access their files securely from inside and outside the corporate network. This app connects to it and enables file access on an Apple iPhone and iPad, while still allowing the organization’s IT department to keep that data fully under its control.

The iOS app features an intuitive UI, selective sync, end-to-end encryption, search and in-app file viewing.
It also integrates with Windows Intune to complete the most important mobile device management scenarios around corporate data on mobile devices.

You can learn more about it in our session “Securely Delivering Traditional Windows File Server Home Folders to BYOD Devices” at IT/Dev Connections.

Hope it Helps ,

Kenny Buntinx

MVP Enterprise Client Management

ADFS & Workplace Join & Intune: "Profile Installation Failed" error when an iOS device is Workplace Joined by using DRS on a Windows Server 2012 R2-based server

4:59 am in ADFS, ADFS 3.0, CM12, CM12 R2, CM12 SP1, intune, MDM, SCCM 2012, SCCM 2012 R2, SCCM 2012 SP1, UDM, Workplace Join by Kenny Buntinx [MVP]

Hi,

In our lab we have a Windows Server 2012 R2 Workplace Join environment up and running, with one Windows 8.1 client successfully browsing the claims-aware test application. When we tried to Workplace Join an iPad, it only got as far as the Workplace Join screen.

If you want to know what ‘Workplace Join’ is and how to manage it, please see my earlier blog post at http://scug.be/sccm/2014/05/20/workplace-join-with-adfs-3-0-device-registration-services-and-our-workplace-join-hitman-powershell-app-to-the-rescue/

Attempting to install the profile resulted in two different errors:

– On the iPad, the profile installation fails. This assumes the iOS device is being enrolled using Apple over-the-air (OTA) enrollment; the cause is that an Apple certificate for the iOS device has expired. In this situation you receive an error message that resembles the following: ‘Profile Installation Failed: the server certificate for <federation server name>/otaprofile/profile?operation=enroll is invalid.’

– On the AD FS Web Application Proxy (WAP) server, a corresponding error is logged in Event Viewer.

There are two main places to start when troubleshooting an iOS-specific issue:

1) The DRS event logs on the AD FS server. These may shed some light on what is wrong.
2) The iOS device logs. You’ll need to download the iPhone Configuration Utility (it works with iPads as well): http://support.apple.com/kb/DL1466

Microsoft has released a hotfix for this: http://support.microsoft.com/kb/2970746. Make sure to download and install it!
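The error the iPad shows is a server certificate error, so before (and after) applying the hotfix it is worth seeing the certificate exactly as the device sees it: which certificate the federation service or the WAP in front of it actually presents, whether it has expired, whether the federation service name is in its Subject Alternative Name, and whether the chain builds. The function below is an added example and is not code from the original post; the federation service name in the usage line is a placeholder.

```powershell
# Added example, not code from the original post: inspect the TLS certificate
# that the federation service (or the Web Application Proxy in front of it)
# presents, the way the iOS device sees it during OTA enrollment.
function Test-FederationServerCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$FederationServiceName,
        [int]$Port = 443
    )

    # Accept whatever certificate is presented during the handshake; we inspect it ourselves below.
    $acceptAll = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
    $tcp = New-Object System.Net.Sockets.TcpClient($FederationServiceName, $Port)
    try {
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $acceptAll)
        $ssl.AuthenticateAsClient($FederationServiceName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        $ssl.Dispose()
    }
    finally {
        $tcp.Close()
    }

    # Subject Alternative Name (OID 2.5.29.17): the federation service name must be listed here.
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    $dnsNames = @()
    if ($sanExt) {
        $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    $nameOk = $dnsNames -contains $FederationServiceName

    # Chain validation against this machine's trust store. The iOS device has its own
    # root store, so a chain that builds here can still fail on the device.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chainOk = $chain.Build($cert)

    [pscustomobject]@{
        Subject      = $cert.Subject
        Issuer       = $cert.Issuer
        NotAfter     = $cert.NotAfter
        Expired      = $cert.NotAfter -lt (Get-Date)
        SanDnsNames  = $dnsNames -join ', '
        NameMatches  = $nameOk
        ChainTrusted = $chainOk
        ChainStatus  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
        Thumbprint   = $cert.Thumbprint
    }
}

# Usage; the federation service name is a placeholder for your own.
Test-FederationServerCertificate -FederationServiceName 'sts.mydomain.com' | Format-List
```

Run it from outside the corporate network as well as inside, because the external path goes through the WAP and can present a different certificate than the internal AD FS farm. A chain that builds on a domain-joined Windows machine (which trusts the internal CA through Group Policy) can still be untrusted on the iPad, so for OTA enrollment the issuing CA must either be publicly trusted or be pushed to the device as a trusted root.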

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP

“Workplace Join” with ADFS 3.0 Device Registration Services and our ‘Workplace Join Hitman’ PowerShell App to the rescue !

5:00 pm in ADFS 3.0, BRIFORUM, ConfigMgr, configmgr 2012 R2, drs, intune, powershell, SCCM 2012, sccm 2012 R2, Workplace Join by Kenny Buntinx [MVP]

 

Domain Join is what we have had for a long time, tight admin control, group policy, managing the desktop in full glory and control. "Workplace Join is much lighter, and is about authenticating an unknown device like a Surface RT, iOS or Android device. We will put a certificate on the device, and can challenge the device for this as part of claims based authentication to applications or other resources such as data, plus there is no admin control of the device, it remains under the control of the end user.

When coupled with BYO device management with a solution like Windows Intune, you can apply policy, deploy apps and control access to resources on machines that you otherwise have no control over."

Through the new Workplace Join feature in R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component in the Microsoft Bring Your Own Device (BYOD) vision with Windows Intune. Workplace Join allows unmanaged or untrusted operating systems such as Windows RT, Windows 8.1 and iOS to be moved into a more controlled access context by registering and affiliating them with Active Directory.

Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Services role in Windows Server 2012 R2. When a device is Workplace Joined, the DRS provisions a device object in Active Directory and places a certificate on the consumer device that represents the device identity. The DRS is meant to be both internal and external facing: companies that deploy both DRS and the Web Application Proxy can Workplace Join devices from any internet-connected location. To further secure this process, additional factors can also be used with Windows Azure Active Authentication (PhoneFactor).

Lost Device Protection

As covered earlier, devices registered via ‘Workplace Join’ are stored in Active Directory in the following container:

CN=<Device ID>,CN=RegisteredDevices,DC=mydomain,DC=com.

Lost devices can be denied access by disabling or deleting the corresponding object in AD (I moved the device objects to another OU to test this). Access through AD FS is immediately revoked for the Workplace Joined client.

From testing so far, devices that are joined, left and re-registered via Workplace Join are currently not cleaned up in the ‘RegisteredDevices’ container; some PowerShell scripting is required to enforce this. Later in this blog post we will explain what we have made available through PowerShell.


This question comes up all the time: how do I map a user to the devices that they have registered?

1. The first attempt came from Microsoft, in a blog post by Adam Hall, with a script that lists the device objects registered to a user.

2. A second attempt to improve the readout was made by my colleague Stijn Callebaut, and it was already an improvement.

The optimized script is below:

# Usage: .\GetRegisteredDeviceForUser.ps1 <user name>
# Lists the Workplace Joined devices whose registered owner is the given user.
param(
    [Parameter(Mandatory = $true)]
    [string]$UserName
)

Import-Module ActiveDirectory

# Resolve the user's SID; msDS-RegisteredOwner on the device object holds the owner's SID
$domain  = Get-ADDomain
$account = New-Object System.Security.Principal.NTAccount($domain.NetBIOSName, $UserName)
$userSid = $account.Translate([System.Security.Principal.SecurityIdentifier]).Value

# Search CN=RegisteredDevices,<domain DN> for msDS-Device objects owned by that SID
$objDefaultNC       = New-Object System.DirectoryServices.DirectoryEntry   # binds to the default domain
$ldapPath           = "LDAP://CN=RegisteredDevices," + $objDefaultNC.distinguishedName
$objDeviceContainer = New-Object System.DirectoryServices.DirectoryEntry($ldapPath)
$strFilter          = "(&(objectClass=msDS-Device)(msDS-RegisteredOwner=$userSid))"

$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot  = $objDeviceContainer
$objSearcher.PageSize    = 100
$objSearcher.Filter      = $strFilter
$objSearcher.SearchScope = "OneLevel"
$colResults = $objSearcher.FindAll()

# Each property comes back as a value collection; take the single value (or $null if absent)
foreach ($objResult in $colResults) {
    New-Object PSObject -Property @{
        cn          = @($objResult.Properties['cn'])[0]
        whencreated = @($objResult.Properties['whencreated'])[0]
        whenchanged = @($objResult.Properties['whenchanged'])[0]
        displayname = @($objResult.Properties['displayname'])[0]
    }
}
$colResults.Dispose()

3. But we weren’t quite there yet. We wanted three things:

  • Easy browsing and easily find devices registered to a user
  • Easy selection of the devices needed
  • Delete the devices properly

Kurt Depre, a colleague and good friend working with me on a project, learned to build PowerShell XAML front ends from MVP Kaido Jarvemets for our customer project, and offered to build a proper interface for this problem. After some days of testing we can finally show you the result of our PowerShell tool.

The tool is called Workplace Join Hitman. It lets you easily search for the devices that a single user has Workplace Joined and revoke their access by deleting the object.


You can download it from the TechNet Gallery here: http://gallery.technet.microsoft.com/WorkPlace-Join-Hitman-8c691238 (and please rate the tool if you like it).

It is not perfect, but it is intended to give you some ideas for further automating the process when a device is stolen, lost or simply decommissioned. The next idea is to do this in an Orchestrator workflow.
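For readers who would rather script the three requirements above (find a user’s devices, pick the ones to act on, and delete them properly, including the stale re-registrations mentioned under Lost Device Protection) without the XAML front end, the following is an added example. It is not the Workplace Join Hitman tool and not code from the original post. It assumes the ActiveDirectory module (RSAT) and delete rights on CN=RegisteredDevices; the attribute names beyond msDS-RegisteredOwner are the msDS-Device attributes from the Windows Server 2012 R2 schema, and the user name in the usage lines is a placeholder.

```powershell
# Added example (not the Workplace Join Hitman tool and not code from the
# original post). Requires the ActiveDirectory module (RSAT) and rights on
# CN=RegisteredDevices. Attribute names are the msDS-Device attributes from the
# Windows Server 2012 R2 schema; an attribute that is not set just comes back empty.
Import-Module ActiveDirectory

function Get-WorkplaceJoinedDevice {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    $domain     = Get-ADDomain
    $userSid    = (Get-ADUser -Identity $SamAccountName).SID.Value
    $searchBase = "CN=RegisteredDevices,$($domain.DistinguishedName)"
    $props      = 'displayName', 'msDS-DeviceID', 'msDS-DeviceOSType', 'msDS-DeviceOSVersion',
                  'msDS-IsEnabled', 'msDS-ApproximateLastLogonTimeStamp', 'whenCreated'

    # msDS-RegisteredOwner holds the owner's SID, so filter on the SID string
    Get-ADObject -SearchBase $searchBase -SearchScope OneLevel -Properties $props `
        -LDAPFilter "(&(objectClass=msDS-Device)(msDS-RegisteredOwner=$userSid))" |
    ForEach-Object {
        [pscustomobject]@{
            Owner       = $SamAccountName
            DisplayName = $_.displayName
            DeviceId    = $_.'msDS-DeviceID'
            OS          = "$($_.'msDS-DeviceOSType') $($_.'msDS-DeviceOSVersion')"
            Enabled     = $_.'msDS-IsEnabled'
            LastLogon   = $_.'msDS-ApproximateLastLogonTimeStamp'
            Created     = $_.whenCreated
            DN          = $_.DistinguishedName
        }
    }
}

# Stale registrations: the same device name registered more than once for a user
# (device left and re-joined). Everything but the newest registration is a cleanup candidate.
function Get-StaleWorkplaceJoinRegistration {
    [CmdletBinding()]
    param([Parameter(Mandatory = $true)][string]$SamAccountName)

    Get-WorkplaceJoinedDevice -SamAccountName $SamAccountName |
        Group-Object DisplayName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object { $_.Group | Sort-Object Created -Descending | Select-Object -Skip 1 }
}

# Revoke: deleting the device object is what the post relies on; AD FS then rejects
# the device at its next claims request. Supports -WhatIf and -Confirm.
function Revoke-WorkplaceJoinedDevice {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory = $true, ValueFromPipelineByPropertyName = $true)][string]$DN)
    process {
        if ($PSCmdlet.ShouldProcess($DN, 'Delete registered device object')) {
            Remove-ADObject -Identity $DN -Confirm:$false
        }
    }
}

# Usage (user name is a placeholder):
# Get-WorkplaceJoinedDevice -SamAccountName 'jdoe' | Format-Table DisplayName, OS, LastLogon, DN
# Get-StaleWorkplaceJoinRegistration -SamAccountName 'jdoe' | Revoke-WorkplaceJoinedDevice -WhatIf
# Get-WorkplaceJoinedDevice -SamAccountName 'jdoe' | Where-Object DisplayName -eq 'Kennys iPad' | Revoke-WorkplaceJoinedDevice
```

Always run the revoke with -WhatIf first: the device object is the only thing tying the certificate on the device to the user, and there is no undo short of the user re-joining. Deleting revokes access; it does not remove the certificate from the lost device, which is why the object must go rather than just being moved out of sight.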

Hope it Helps , 

Kenny Buntinx

Enterprise Client Management MVP

Conquering BYOD with Implementing ConfigMgr 2012 R2 and Windows Intune,“ADFS”, “WAP”, “Workplace Join” and “Work Folders”. Part I

3:55 pm in ADFS, ADFS 2.1, ADFS 3.0, BYOD, WAP, Work Folders, Workplace Join by Kenny Buntinx [MVP]

 

In the next few posts I want to look at the changes in Windows Server 2012 R2 to Active Directory Federation Services (AD FS), which underpins products and features such as “Windows Intune”, “Workplace Join” and “Work Folders”, introduced with Windows 8.1.

Through the new Workplace Join feature in R2, AD FS becomes a focal point for mobile access in the enterprise and an integral component in the Microsoft Bring Your Own Device (BYOD) vision. Workplace Join allows unmanaged or untrusted operating systems such as Windows RT, Windows 8.1 and iOS to be moved into a more controlled access context by registering and affiliating them with Active Directory.

Workplace Join is made possible by the Device Registration Service (DRS) that is included with the Active Directory Federation Services role in Windows Server 2012 R2. When a device is Workplace Joined, the DRS provisions a device object in Active Directory and places a certificate on the consumer device that represents the device identity. The DRS is meant to be both internal and external facing: companies that deploy both DRS and the Web Application Proxy can Workplace Join devices from any internet-connected location. To further secure this process, additional factors can also be used with Windows Azure Active Authentication (PhoneFactor).

Work Folders is a new direction for enabling access to data in offline scenarios, along the lines of Dropbox and SkyDrive Pro, but without the web and sharing features. Like most Microsoft OS features, Work Folders is tied to a specific Windows release; however, according to this Channel 9 video, Microsoft will release Work Folders for Windows 7, iOS and “other devices” soon.

To make all of that technology work you need ADFS 3.0, which is only available in Windows Server 2012 R2. The different AD FS levels are hard to find in one place, so I will list them once more:

  • ADFS 2.0 – Windows Server 2008/2008 R2, as a separate download (supported only for SSO with Windows Intune)
  • ADFS 2.1 – Windows Server 2012 (supported only for SSO with Windows Intune)
  • ADFS 3.0 – Windows Server 2012 R2 (supports SSO with Windows Intune, Workplace Join and Work Folders)

To support ADFS 3.0 there are some prerequisites, listed below:

  • Forest functional level: Windows Server 2003 or higher. Check it with (Get-ADForest).ForestMode.

  • Schema: the new msDS-Device class requires the Windows Server 2012 R2 schema. Note that the command below reports the schema version (objectVersion), not the functional level: 69 is Windows Server 2012 R2, 56 is 2012, 47 is 2008 R2, 44 is 2008, 30/31 is 2003/2003 R2.

To check the schema version –> Get-ADObject -Identity "cn=Schema,cn=Configuration,dc=vnextdemo,dc=be" -Properties objectVersion | Select objectVersion

  • Domain controller OS: Windows Server 2012 or higher.

· If there is no 2012 R2 DC, extend the schema with Adprep: the new Device class requires a schema change to Active Directory. For an existing forest the files are on the R2 installation media under D:\Support\ADPrep (run adprep /forestprep from there as a member of Schema Admins and Enterprise Admins).

· If you upgrade an existing DC to 2012 R2 instead:

            • First check which DC holds the FSMO roles: PS C:\> netdom query FSMO
            • Then use the Move-ADDirectoryServerOperationMasterRole cmdlet to move them. You can do this with a simple one-liner, where 0 through 4 are PDCEmulator, RIDMaster, InfrastructureMaster, SchemaMaster and DomainNamingMaster: Move-ADDirectoryServerOperationMasterRole -Identity "DC01" -OperationMasterRole 0,1,2,3,4

 

  • ADFS 3.0 and the Web Application Proxy must be installed on Windows Server 2012 R2.
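A pre-flight check that covers the prerequisites above in one go (schema version and presence of the msDS-Device class, forest functional level, operating system of every DC, FSMO holders, and whether the RegisteredDevices container that DRS creates already exists), added here as an example and not code from the original post. It assumes the ActiveDirectory module (RSAT) and read access to the forest; the objectVersion-to-release mapping is the published schema version list.

```powershell
# Added example (not from the original post): pre-flight check of the
# Active Directory prerequisites for AD FS 3.0 / Device Registration Service.
# Run from a machine with the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# objectVersion of the Schema container per Windows Server release
$schemaVersions = @{ 30 = '2003'; 31 = '2003 R2'; 44 = '2008'; 47 = '2008 R2'; 56 = '2012'; 69 = '2012 R2' }

function Test-DrsPrerequisite {
    [CmdletBinding()]
    param()

    $forest   = Get-ADForest
    $domain   = Get-ADDomain
    $schemaNC = (Get-ADRootDSE).schemaNamingContext

    # 1. Schema level: the msDS-Device class arrives with the 2012 R2 schema (objectVersion 69)
    $schemaVersion = (Get-ADObject -Identity $schemaNC -Properties objectVersion).objectVersion
    $deviceClass   = Get-ADObject -SearchBase $schemaNC `
        -LDAPFilter '(&(objectClass=classSchema)(lDAPDisplayName=msDS-Device))'

    # 2. Forest functional level: at least Windows Server 2003 (ADForestMode value 2)
    $forestLevelOk = [int]$forest.ForestMode -ge 2

    # 3. Domain controllers: OS per DC, so you can see whether a 2012 / 2012 R2 DC exists
    $dcs = Get-ADDomainController -Filter * | Select-Object Name, OperatingSystem, IsGlobalCatalog

    # 4. FSMO holders (what "netdom query fsmo" shows), to move before upgrading that DC
    $fsmo = [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }

    # 5. Has DRS already been initialized? Initialize-ADDeviceRegistration creates this container
    $registeredDevices = Get-ADObject -SearchBase $domain.DistinguishedName -SearchScope OneLevel `
        -LDAPFilter '(&(objectClass=container)(cn=RegisteredDevices))'

    [pscustomobject]@{
        SchemaObjectVersion  = $schemaVersion
        SchemaRelease        = $schemaVersions[[int]$schemaVersion]
        SchemaHasDeviceClass = [bool]$deviceClass
        ForestMode           = $forest.ForestMode
        ForestLevelOk        = $forestLevelOk
        DomainControllers    = $dcs
        FsmoRoles            = $fsmo
        DrsContainerExists   = [bool]$registeredDevices
    }
}

Test-DrsPrerequisite | Format-List
```

If SchemaHasDeviceClass comes back False, that is the adprep /forestprep step from the list; if DrsContainerExists is already True in a forest you thought was untouched, someone has already run Initialize-ADDeviceRegistration and you should look at what is registered there before deploying.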

 

In the next blog post I will continue with how to set up ADFS 3.0 to support “Windows Intune”, “Workplace Join” and “Work Folders”. So stay tuned for Part II.

 

Hope it Helps ,

Kenny Buntinx

Enterprise Client Management MVP