Monday, 18 July 2016

ConfigMgr Current Branch - deploy offline apps from Windows Store for Business

System Center Configuration Manager landing page

In 2013 Microsoft first integrated Intune with ConfigMgr 2012 SP1. I remember those days well. I think I was one of the first to implement the solution in production for the management of Windows 8 Phones. That was fun. There were a number of difficulties to overcome back then. Remember the Microsoft Developer account and Symantec Enterprise Code Signing certificate that were required just to enrol those devices. A few short years later, the solution and its associated technologies have grown into a truly enterprise solution. The difficulties encountered back in the early days are a distant memory. One of the main issues for me at the time was in the area of application deployment to Windows Phones. If I wanted to deploy a free Windows Store app to my users I couldn't just download the app and deploy it with ConfigMgr. Believe me, I tried everything I could to make it work. Instead I had to deploy a deep link to the store and the user had to access the store to download the app themselves. This meant that each user had to have their own Microsoft account. This wasn't ideal. Microsoft promised to fix this and they did. You can now download an offline app from the Windows Store for Business and deploy it as a regular application using ConfigMgr.

In this blog I will give an overview of the Windows Store for Business and then walk through how to deploy an appx bundle to Windows 10 mobile devices.
(Note that Configuration Manager Current Branch 1602 was used for this blog post. 1606 has been released and introduces new features in this space. WSfB is now natively integrated with ConfigMgr).

What is the Windows Store for Business?

The Windows Store for Business (WSfB) is a cloud service that now allows organizations to manage volume purchases of Windows apps. It supports apps for Windows 10 desktop and Windows 10 mobile.

The features are listed as follows on TechNet:
  • Scales to fit the size of your business - For smaller businesses, with Azure AD accounts and Windows 10 devices, you can quickly have an end-to-end process for acquiring and distributing content using the Store for Business. For larger businesses, all the capabilities of the Store for Business are available to you, or you can integrate the Store for Business with management tools, for greater control over access to apps and app updates. You can use existing work or school accounts.
  • Bulk app acquisition - Acquire apps in volume from the Store for Business.
  • Private store - Curate a private store for your business that’s easily available from any Windows 10 device.
  • Flexible distribution options - Flexible options for distributing content and apps to your employee devices:
      • Distribute through Store for Business services. You can assign apps to individual employees, or make apps available to all employees in your private store.
      • Use a management tool from Microsoft, or a 3rd-party tool for advanced distribution and management functions, or for managing images.
      • Offline licensing model allows you to distribute apps without connecting to Store services, and for managing images.
  • Line-of-business apps - Privately add and distribute your internal line-of-business apps using any of the distribution options.
  • App license management - Admins can reclaim and reuse app licenses. Online and offline licenses allow you to customize how you decide to deploy apps.
  • Up-to-date apps - The Store for Business manages the update process for apps with online licenses. Apps are automatically updated so you are always current with the most recent software updates and product features. Store for Business apps also uninstall cleanly, without leaving behind extra files, for times when you need to switch apps for specific employees.

Sign up for Windows Store for Business

Navigate to https://www.microsoft.com/business-store to sign up for the store.






Enter your Azure User ID and click Next.


You are notified that your account can now be used to sign into the Windows Store for Business. Select "Sign In".


Sign in with your Azure ID.


Accept the services agreement.


Welcome to the Windows Store for Business. Let's have a look around.


See some recommended Microsoft apps. Let's have a look at Sway.


That doesn't look quite right. I can't see an offline version of the app.


I need to configure the store so that I can see offline versions. Click on Settings > Account Information.


Scroll to the bottom of the page and check the box to see offline licensed apps.


Now we can see the offline version.


Clicking on the offline button adds the app to inventory. Click Close.


You can now download the app. Note that there will often be different versions depending on the platform and architecture.

Deploy an app

There is a lot to discover about the WSfB and I hope to blog more about it in the future. For now though, I'm only interested in deploying offline apps to my Windows 10 mobile using ConfigMgr Current Branch.



I've chosen the Bing Translator app as an example.


Clicking on the offline button adds the app to my inventory.


Now I can download the app. Note that there is only a single app for all devices in this case. Download the appx bundle to a local folder.


Also download the license file and all the required prerequisites to the same folder.

See the downloaded files.


Now we create a ConfigMgr app as normal.


Select "Windows app package" and enter the location of the downloaded files. Click Next.


ConfigMgr interrogates the files and lists the content. It mistakenly suggests that we have missing prerequisites. This is normal for now. Click Next to continue.


Verify the app details.


Review the summary and click Next to create the app.

Distribute the app to the cloud distribution point and deploy the app to a collection containing Windows 10 mobile devices.


ConfigMgr reports a successful deployment.

End User Experience

Perhaps the heading "End User Experience" is not suitable here as there is none. The deployment is seamless to the user (which was my goal in the first place).




I've also successfully tested the same deployment to a domain-joined device with the full ConfigMgr client. I'll test with on-premise MDM next.

I hope this blog was useful. Until next time.....



Friday, 1 July 2016

ConfigMgr Current Branch - Manage Windows 10 with Configuration Service Providers (CSPs)

System Center Configuration Manager landing page

I've been pretty quiet on my blog recently. I've been writing chapters for the upcoming ConfigMgr Current Branch Unleashed book and I'm looking forward to it being published towards the end of the year.

So, what's been going on? Deploying and managing Windows 10 has been a lot of fun recently. Microsoft have been promoting the enrollment of Windows 10 devices to be managed as mobile devices. There are several methods of accomplishing this such as:

  • Azure Workplace Join (with Intune automatic enrollment)
  • ConfigMgr On-premise MDM

So, what does it actually mean - managed as mobile devices? Beginning with Windows 8.1, Windows computers can also be enrolled and managed as mobile devices through the Open Mobile Alliance Device Management (OMA-DM) channel. The OMA-DM standard is designed for managing mobile devices such as mobile phones and tablets. It is a lightweight specification and was designed to manage small-footprint devices, where memory, storage space, and bandwidth could be limited. Devices that use this standard are referred to as modern devices.

OMA-DM uses Open Mobile Alliance–Unified Resource Identifier (OMA-URI) values. Microsoft has led the way in publishing OMA-URI values that can be used to manage their devices using Intune. Useful examples of custom URI settings are available in this Microsoft document:

Custom URI settings for Windows 10 devices

More jargon - what is OMA-URI in English? Before that can become clear I need to introduce another term - Configuration Service Provider (CSP). CSPs expose device configuration settings in Windows 10. They provide an interface to read, set, modify, or delete configuration settings for a given feature and typically map to registry keys, files or permissions. Each CSP is specific to a Windows 10 feature, e.g. the VPN CSP allows VPN configuration of a device. So, as promised, OMA-URI in English is:

"The full path to a specific configuration setting is represented by its OMA-URI. The URI is relative to the devices’ root node (MSFT, for example)".

It's clearer when you see an example:



This is a tree-format diagram of the RemoteLock configuration service provider. The RemoteLock CSP supports the ability to lock a device that has a PIN set on the device or reset the PIN on a device that may or may not have a PIN set. This CSP is only supported in Windows 10 Mobile.

We can configure this feature using URIs as follows:

./Vendor/MSFT/RemoteLock/Lock
./Vendor/MSFT/RemoteLock/LockAndResetPIN
./Vendor/MSFT/RemoteLock/NewPINValue

It's all pretty straightforward. Let's see a real world example. I want to stop users being able to unenrol their Windows 10 devices. This is very easy to configure using ConfigMgr Current Branch (you can do this with standalone Intune as well). You will need to have added an Intune subscription (even if you are using on-premise MDM). We will use the Policy CSP. There are a lot of settings that you can configure using this CSP. Have a look at this Microsoft document for details. You can see the settings and their supported Windows 10 editions.

Policy CSP

We are interested in this setting: Experience/AllowManualMDMUnenrollment. It's available for both desktop and mobile.

The URI full path is:

./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment

Data type: Integer

Allowed values:
0 – not allowed
1 – allowed (default)
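As an added example (not code from this blog), here is a small Python builder for the OMA-DM SyncML commands that sit behind these URIs: a Replace for the Policy CSP setting above, validated against its documented Integer type and allowed values, and an Exec for the RemoteLock action nodes shown earlier. The node catalogue is constructed here from the post's own URIs and value table; the element shapes follow the SyncML format Windows CSPs are documented with.

```python
import xml.etree.ElementTree as ET

# Catalogue constructed from the URIs and value table in the post.
# "Replace" writes a configuration value; "Exec" triggers an action node.
CSP_NODES = {
    "./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment": {
        "command": "Replace", "format": "int", "allowed": {0, 1}},
    "./Vendor/MSFT/RemoteLock/Lock": {"command": "Exec", "format": None},
    "./Vendor/MSFT/RemoteLock/LockAndResetPIN": {"command": "Exec", "format": None},
}


def build_syncml(uri, value=None, cmd_id=1):
    """Return the SyncML <Replace>/<Exec> command for one OMA-URI as a string."""
    if uri not in CSP_NODES:
        raise ValueError(f"unknown OMA-URI: {uri}")
    node = CSP_NODES[uri]
    if node["command"] == "Exec":
        if value is not None:
            raise ValueError("Exec nodes carry no data")
    elif isinstance(value, bool) or not isinstance(value, int) or value not in node["allowed"]:
        raise ValueError(f"{uri}: {value!r} not in allowed values {sorted(node['allowed'])}")
    cmd = ET.Element(node["command"])
    ET.SubElement(cmd, "CmdID").text = str(cmd_id)
    item = ET.SubElement(cmd, "Item")
    ET.SubElement(ET.SubElement(item, "Target"), "LocURI").text = uri
    if node["format"]:  # data-bearing nodes declare their type in <Meta>
        meta = ET.SubElement(item, "Meta")
        ET.SubElement(meta, "Format", xmlns="syncml:metinf").text = node["format"]
        ET.SubElement(item, "Data").text = str(value)
    return ET.tostring(cmd, encoding="unicode")


def accepts(uri, value=None):
    """True if the catalogue allows this uri/value pair (out-of-range values are rejected)."""
    try:
        build_syncml(uri, value)
        return True
    except ValueError:
        return False


def parse_command(syncml):
    """Read a command back: (command name, LocURI, Data or None)."""
    root = ET.fromstring(syncml)
    data = root.find("Item/Data")
    return root.tag, root.findtext("Item/Target/LocURI"), None if data is None else data.text


if __name__ == "__main__":
    print(build_syncml("./Vendor/MSFT/Policy/Config/Experience/AllowManualMDMUnenrollment", 0))
    print(build_syncml("./Vendor/MSFT/RemoteLock/Lock", cmd_id=2))
```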


The process is carried out by creating and deploying Configuration Items in the ConfigMgr console.


Navigate to Assets and Compliance > Overview > Compliance Settings > Configuration Items.

Right click Configuration Items and choose Create Configuration Item.

On the General page, enter a name and description. Select "Windows 8.1 and Windows 10" in the "Settings for devices managed without the Configuration Manager client" section. Click Next.

Select all Windows 10 on the Supported Platforms page. Click Next.


On the "Device Settings" page, select "Configure additional settings that are not in the default settings groups". Click Next.


Click Add on the Additional Settings page.


Click Create Setting on the Browse Settings page.


Enter the required details on the "Create Setting" page. Click Apply and OK.


Back on the Browse Settings page choose your new setting and click Select.


Add the required value on the rules page and select OK.


The rule has now been configured. Finish the wizard to create the Configuration Item and then add to a Configuration Baseline. Finally deploy the Configuration Baseline to your devices.

So what does that look like on the client?




I've tried to remove the MDM management in this managed Windows 10 client but I'm unable to do so.

So, now that you've seen how easy this is try it yourself. Peter van der Woude has some cracking examples of managing Windows 10 features using OMA-DM:

Managing AppLocker on Windows 10 via OMA-DM

Setting up kiosk mode on Windows 10 via OMA-DM

Managing Windows Update for Business on Windows 10 via OMA-DM

Have a look at the full list of Configuration Service Providers. It's an impressive, comprehensive list and you'll certainly find something that you can test in your lab.

Configuration service provider reference

I hope this blog was useful in explaining some of the new terminology. Until next time......