Projecting iOS Demo Environments using AirServer


You want to share with your customers a rich experience from an iOS, Android or Windows Phone device by projecting it onto your monitor. This gives the customer a great immersive experience of what it is like to be an end user and helps you tell that story.


There are a number of tools on the market to share your iOS device on your screen, with iTools and Reflector just to name a couple. One of these tools is Airserver. Airserver enables you to project a device to your monitor using Airplay or Miracast. This gives you an opportunity to share the story with your customers. These tools are powerful and really help to explain and demonstrate features.

In this example post we will show you how to get a free trial of Airserver and install it to share your iOS screen. In future posts we will show other technologies.

Step 1 : Sign up for the Airserver Free Trial

Go to the Airserver website and click the download for free option. When you click that option you will get a chance to register. In the registration use “enter your details below” and put your email address in the email option (you can also use Facebook; however, for this example I have used the registration option).

You will then shortly receive an email to be able to download the software.


An email similar to the below will drop in your mailbox with your license code

Hello Justin,
Thank you for requesting a free trial of AirServer. To receive your activation code and begin your free trial, click on the link below:

If you did not request a free trial of AirServer, please disregard this message.
Best regards,
AirServer Team

Click on the link to validate your account. This will offer you an activation code and a download link to get your copy for Windows or Mac.


Step 2 : Airserver Install

Depending on the options and requirements you need there are 2 install methods:

1. Use Airplay. This enables you to use your iOS device connected with the cable or stream over Airplay. This requires iTunes to be installed.

2. Use Miracast. This enables your device, if it supports Miracast, to stream over a Wi-Fi connection to your monitor. It does not require iTunes; however, you do need an appropriate NDIS network driver. With Miracast you need an NDIS 6.4 driver.

a. To find out if the Wi-Fi adapter is running a Windows 8.1 (NDIS 6.4) driver, open PowerShell and run this command: Get-NetAdapter | Select Name, NdisVersion

Once you have chosen your install method find the installer and run it


Click Next at the initial screen


Next select the protocol support you want to use. Remember you need iTunes for Airplay and the correct NDIS network driver for Miracast


Click Next again after all the checks are validated, i.e. if you don’t have an appropriate NDIS driver it will say you need to install iTunes/QuickTime and filters etc. You can then click Next as it is ready to install


Accept the end user license agreement


In the activation select “I am trying out AirServer Universal and have a trial activation”. This is where you will put the activation code you received earlier when downloading the software


Set the installation location and click next


Define whether you want Airserver to start automatically or you want to start it yourself


And now click Install


Now click Finish


Step 3: Connect your iOS device to Airserver

First start Airserver from your start menu (if it has not started automatically based on the earlier install option)


You will see a new icon (highlighted green in this example) in your tray icons


Now connect your iOS device by a cable (Airplay) or Miracast by swiping up from the bottom of your iPad, clicking the Airplay button, selecting your PC name and enabling mirroring


Your iOS device will now magically appear on your screen and give you a killer demo environment.



Getting Managed Apps Working with a pin for iOS


Your organisation has the requirement to keep the applications it uses in a company compliant and secure state. For example, it wants to restrict certain actions such as cut, copy, and paste operations within a specific application, or configure an application to open all web links inside a managed browser that the company applies specific policies to.



In the December 2014 release of Microsoft Intune, Microsoft added the capability to enable policy for compliance and security into an application. The restrictions to an application can be done via the use of the Microsoft Intune App Software Development Kit (SDK) or Application Wrapped app using the Microsoft Intune App Wrapping Tool for iOS.

This currently is available via the standalone release of Microsoft Intune.



When setting this configuration for managed apps, you will have the requirement for Workplace Join (WPJ) to take place. For this to take place correctly you need a CNAME record specified.


We have highlighted the enterpriseregistration CNAME as we have seen a lot of people missing this option.

The device must also be workplace joined to be able to receive managed applications. We will cover this in part 4, however the above CNAME is critical for this to work.

Available Managed apps

The first set of applications that have been made available are the office applications. From the app store, find, and note the URL of the policy managed app you want to deploy

Microsoft Word for iPad –
Microsoft Excel for iPad –
Microsoft PowerPoint for iPad –
Managed Browser – link TBA

Or you can look to create a wrapped app for iOS applications. Use the information in the topic Prepare apps for mobile application management with the Microsoft Intune App Wrapping Tool for iOS to create a wrapped app.

Part 1 : Publishing the Microsoft Office Managed Apps

In this example we will push a managed application as a required install to an iPad. To publish a managed application we must start the Microsoft Intune Software Publisher.

In the Microsoft Intune console select Software on the left hand side and then Managed Software. Then select Add Software and then pass your credentials to open the Microsoft Intune Software Publisher


At the Before you begin page click next


In the Select the platform and specify the location of the software files , click the drop down for Managed iOS App from the App Store and then paste the url for one of your managed applications

Microsoft Word for iPad –
Microsoft Excel for iPad –
Microsoft PowerPoint for iPad –

In the below example we have pasted the Microsoft Word application. Then click next


In the describe the software page enter details and icons for the software and then click next


In the specify the requirements that must be met on the target mobile devices before installation can start, we have left this as Any. You can at this point be more targeted to your specific iOS device. Then click next


Review the software that you are adding to Microsoft Intune and click upload, then click close once the upload of data has completed successfully


Part 2 : Creating the Management Policy

Currently we have configured and uploaded an application. However we have not created a management policy for the application, nor have we targeted who the application or management policy is going to be delivered to.

To configure a simple management policy go to policy on the left hand side and then select Configuration Policies and click add


In the Create a New Policy wizard select Software then Mobile Application Management Policy (iOS 7 and later) and select whether to use the recommended settings or create a custom policy. In this example we will use the Create a Policy with the Recommended Settings and click Create Policy


Once this is complete you will see your policy in the list of policies. If you want you can edit this further or customise it by selecting your policy and clicking edit.

You can see in the policy I have configured that I have a requirement for a simple PIN for access


At this point the basic policy is now configured. See section 3 for Create a mobile application management policy for more detail.

Part 3 : Deploy the Application and the Policy

Now that we have the application uploaded and the policy configured we can now look to distribute this to our targeted group.

In the Microsoft Intune console select Software on the left hand side and then Managed Software. Then select our managed application, in this scenario it is Microsoft Word, and then select Manage Deployment


Select the group of users or devices you want to target the application to. In this scenario we will target it to the User Group for Windows Intune Users, once added select Next


In the Deployment Action we have selected a required install to take place then select next


In the Mobile App Management , this is where our Mobile Application Management Policy is bound to this managed deployment. Validate that the policy is selected and click next


In the VPN Profile click Finish


At this point our managed deployment has been completed and the application and management policy will be targeted to the group.


Part 4 : Validate Managed App on iOS device

On your iOS device you can force a policy update or wait for the policy to be delivered to your device.

To force a policy go into the company portal and select your device and hit the sync button.


If your iOS device has yet to workplace join it will need to update your enrollment prior to a managed application being able to work.

If you select the company portal and are prompted for an update to the enrollment for this device this will be your iOS device Workplace joining.


Warning: If you do not have the CNAME pre-req in place you will not be able to workplace join and will be unable to use managed apps and will get an error similar to the below


Once this is completed you should be prompted for an app installation and a warning that an icon will be landing on your home screen. You will then see the Microsoft Word application icon appearing on your home screen.



On the first time you launch the first managed application, in our case Microsoft Word you will be prompted for your corporate credentials


Once you supply your corporate credentials you will be prompted to set a numerical pin (remember the option we selected for our managed application policy)


Once that is set you will be able to use Microsoft Word


This policy will be in place for each time you start Microsoft Word.


Remember that when there is a mobile application management policy conflict on the first deployment to the user or device, the specific setting value in conflict will be removed from the policy deployed to the app, and the app will use a built-in conflict value.

When there is a mobile app management policy conflict on later deployments to the app or user, the specific setting value in conflict will not be updated on the mobile app management policy deployed to the app, and the app will use the existing value for that setting.

In cases where the device or user receives two conflicting policies, the following behaviour applies:

  • If a policy has already been deployed to the device, the existing policy settings are not overwritten.
  • If no policy has already been deployed to the device, and two conflicting settings are deployed, the default setting built into the device is used.




Control apps using mobile application management policies with Microsoft Intune –

Microsoft Intune App Wrapping Tool for iOS –

Prepare apps for mobile application management with the Microsoft Intune App Wrapping Tool for iOS –

Start managing Windows devices with Microsoft Intune –

Managed Android Applications


Microsoft has released a number of the managed applications for the December 2014 release of Microsoft Intune. These managed applications will allow you to put policy into your applications for controls.

You can see a great overview on the technology below from TechEd EMEA 2014

The Android managed applications can be found in the play store;

AV Player:

Managed Browser:

PDF Viewer:

Image Viewer:

These are just the start of the managed applications.

To help with publishing these into your Company Portal application one of my colleagues, Yann Seyroles, has created some canned text you can use for publishing the applications.


Intune AV Player

Description : The Managed AV Viewer app lets you view audio and video content available within Microsoft Intune managed apps.


• View and control audio and video content from Microsoft Intune managed apps


Intune Managed Browser

Description : The Managed Browser app provides a web browsing solution that can be managed by your corporate IT administrator using Microsoft Intune mobile application management policies.


• View and navigate web pages approved by your organization through Microsoft Intune


Intune PDF Viewer

Description : The Managed PDF Viewer app lets you view PDFs available within Microsoft Intune managed apps.


• View and navigate PDFs available within Microsoft Intune managed apps


Intune Image Viewer

Description : The Managed Image Viewer app lets you view images available within Microsoft Intune managed apps.


• View images from Microsoft Intune managed apps

The below images are 240×240 and can be used for the Company Portal when you publish the application.



New Mobile Application Management Capabilities Coming to Microsoft Intune This Week – 

Mobile Application Management with Intune –

Creating a Wi-Fi Profile with WPA-PSK and WPA2-PSK to Windows Phone 8.1 via Windows Intune and Configuration Manager 2012 R2


You have Windows Intune integrated with System Center Configuration Manager 2012 R2. As part of this integration you have the capability to deploy Wi-Fi profiles to Windows Phone 8.1 devices.

You use a WPA/WPA2 with a pre-shared key and want your Windows Phone 8.1 devices to automatically connect to the Wi-Fi access points in your environment using the existing infrastructure.


Within the Windows Phone 8.1 Mobile Device Protocol Guide there is a section called “WiFi configuration service provider (New in Windows Phone 8.1)”. This section details how the Wi-Fi configuration service provider (CSP) provides functionality to add or delete Wi-Fi networks on a Windows Phone device. The CSP accepts a SyncML input and converts it to a network profile that is installed on the device. This profile enables the phone to connect to the Wi-Fi network when it is in range.

Note 1: Since Windows Phone Emulators do not have Wi-Fi radio support, Wi-Fi network configuration cannot be tested end-to-end with an emulator. A Wi-Fi network can still be provisioned using the WiFi CSP and the network should be visible in the Wi-Fi Settings page, but connectivity to that network cannot be tested.

Note 2: For WEP, WPA, and WPA2-based networks, the passkey must be included in the network configuration in plaintext. It will be encrypted automatically while storing on the device.

Note 3: WlanXml blob is sent in OMA SyncML XML message as chr. The profile XML content needs to be XML escaped in OMA message.

Note 4: keyMaterial, if it exists in the WlanXml blob, needs to come after the keyType and protected elements, as documented in MSDN.

Note 5: The SSID of the Wi-Fi network is part of the LocURI node, which must be a valid URI based on RFC 2396. This requires that all non-ASCII characters be escaped using a %-character. Unicode characters without the necessary escaping are not supported.

The following diagram shows the Wi-Fi configuration service provider in tree format.



Each Wi-Fi network configuration is represented by a profile object. This network profile includes all the information required for the phone to connect to that network – for example, the SSID, authentication and encryption methods and passphrase in case of WEP or WPA2 networks. Supported operation: Get.


The SSID of the Wi-Fi network (maximum length 32 bytes, case-sensitive). This can be represented in ASCII. Supported operations: Get. SSID is added when WlanXML node is added, and deleted when WlanXml is deleted.


This is the XML describing the network configuration and follows the Windows WLAN_profile Schema (MSDN documentation). Supported operations: Get, Add, Delete, Replace


This is an optional node, and includes the configuration of the network proxy (if any). The format is url:port. Supported operations: Get, Add, Delete, Replace

Best Practices

NOTE: The <name>name_goes_here</name> directly under <WLANProfile> (before <SSIDConfig>) must match the <SSID><name>name_goes_here</name></SSID>


There are two methods to deploy a Wi-Fi profile to a Windows Phone 8.1 device.

  1. Deploying a Wi-Fi Profile from within Configuration Manager integrated with Windows Intune
  2. Deploying a configuration item using a custom OMA-URI from within Configuration Manager integrated with Windows Intune

With either method we must first build and establish an xml output of the Wi-Fi profile.

To generate the xml you can either construct it yourself or leverage a script to generate the output for you.

Pre-Requisite (Creation of XML for Wi-Fi Profiles)

You must first generate a Wi-Fi profile xml for consumption as either the OMA-URI string or the Wi-Fi profile that you will look to consume into configuration manager 2012 R2.

To output this xml , one of my friends in Microsoft Services (Saud Al-Mishari) generated a powershell script that constructs the XML output that you need.

The script will be posted to the TechNet gallery here.

The following script creates a character-escaped XML document that can be configured in a custom OMA URI Compliance Setting in System Center 2012 R2 Configuration Manager. It is designed to allow the configuration of WPA-PSK and WPA2-PSK WiFi profiles in a hybrid MDM scenario (where Windows Intune and System Center 2012 R2 Configuration Manager are integrated together). The script takes simple input and outputs the XML in the format expected by Windows Phone 8.1.

NOTE: The resulting XML file contains the passphrase in unencrypted format. This is required as per the Windows Phone 8.1 MDM Protocol. This also means that the passphrase will be visible in the Configuration Manager console unencrypted and stored in the Configuration Manager and Windows Intune databases unencrypted. If this is a concern, please evaluate using certificate based authentication on your wireless networks. The Windows Phone 8.1 MDM protocol documentation defines that the passphrase will be stored securely on the device itself.





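# This sample is provided as is and is not meant for use on a
# production environment. It is provided only for illustrative
# purposes. The end user must test and modify the sample to suit
# their target environment.
#
# Microsoft can make no representation concerning the content of
# this sample. Microsoft is providing this information only as a
# convenience to you. This is to inform you that Microsoft has not
# tested the sample and therefore cannot make any representations
# regarding the quality, safety, or suitability of any code or
# information found here.

param(
    [string]$SSIDName,         #Your SSID name
    [string]$Passphrase,       #NOTE: this is stored in ConfigMgr and Intune unencrypted. If this is a concern, consider using a certificate-based authentication mechanism. This is stored on device securely as per MDM Protocol documentation.
    [string]$AuthticationType, #WPAPSK or WPA2PSK (WEP not supported by script)
    [string]$EncryptionType    #TKIP or AES
)

#Prototype profile; the element layout follows the sample output shown later on this page
$defaultStringXML =
'<?xml version="1.0" encoding="US-ASCII"?>
<WLANProfile xmlns="">
  <name></name>
  <SSIDConfig>
    <SSID>
      <name></name>
    </SSID>
  </SSIDConfig>
  <connectionType>ESS</connectionType>
  <connectionMode>auto</connectionMode>
  <autoSwitch>false</autoSwitch>
  <MSM>
    <security>
      <authEncryption>
        <authentication></authentication>
        <encryption></encryption>
        <useOneX>false</useOneX>
      </authEncryption>
      <sharedKey>
        <keyType>passPhrase</keyType>
        <protected>false</protected>
        <keyMaterial></keyMaterial>
      </sharedKey>
    </security>
  </MSM>
</WLANProfile>'

#Cast our prototype XML document into a .NET XML document object
$customXML = [xml]$defaultStringXML

#Set XML values
$customXML.WLANProfile.name = $SSIDName
$customXML.WLANProfile.SSIDConfig.SSID.name = $SSIDName
$customXML.WLANProfile.MSM.security.authEncryption.authentication = $AuthticationType
$customXML.WLANProfile.MSM.security.authEncryption.encryption = $EncryptionType
$customXML.WLANProfile.MSM.security.sharedKey.keyMaterial = $Passphrase

#$StringWriter = New-Object System.IO.StringWriter
#$XmlWriter = New-Object System.XMl.XmlTextWriter $StringWriter
#$xmlWriter.Formatting = "indented"
#Write-Output $StringWriter.ToString()

#Write out our customised XML using XML character escaping
#This is done because this XML document is going to be
#embedded in another document
#(the original statement is missing from this page; SecurityElement.Escape is one way to do it)
Write-Output ([System.Security.SecurityElement]::Escape($customXML.OuterXml))

#Second output: the same profile as a single unescaped line
Write-Output $customXML.OuterXml

##———– END —–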

Copy the code and save it to a ps1 file. From PowerShell then run the following

.\Script.ps1 SSIDNAME PassKey Authentication Encryption

For example, if my WPA2 network needs the following

Wi-Fi SSID – Zarb_5

Passkey – Welcome123

Authentication – WPA2PSK

Encryption – AES

The command would be

.\Script.ps1 Zarb_5 Welcome123 WPA2PSK AES


As you can see you get two outputs. The first and highlighted in yellow is the expanded xml, and the second is non expanded xml.

In both the OMA-URI and Wi-Fi profile scenarios we will use a single long string from the standard xml (you could also redirect the output to a text file to get the complete string, script.ps1 Zarb Welcome1234 WPA2PSK AES > wifi.txt, and copy and paste the 2nd line into an xml file).


<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns=""><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>

Once you have this output in xml then we are good to go to either method 1 (Wi-Fi Profile) or 2 (OMA-URI) .
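A pre-import check for the generated profile, covering the constraints from Notes 3 to 5 and the best-practice note above (profile name matches the SSID, keyMaterial ordering, %-escaped SSID in the OMA-URI, XML-escaped WlanXml) plus the plaintext passphrase caveat. This is an added example, not the original author's script: the function names, the INFO/ERROR labels and the sample profile are assumptions, and the 8 to 63 character passphrase rule comes from the WPA specification rather than from this page.

```powershell
# Added example, not the original author's script. Function names and the
# sample profile are constructed for illustration.

function Get-WlanNode {
    param([System.Xml.XmlNode]$Doc, [string[]]$Path)
    # local-name() keeps the lookup independent of the namespace the profile declares.
    $xpath = ($Path | ForEach-Object { "/*[local-name()='$_']" }) -join ''
    $Doc.SelectSingleNode($xpath)
}

function Test-WlanPskProfile {
    param([Parameter(Mandatory = $true)][string]$ProfileXml)

    $findings = New-Object 'System.Collections.Generic.List[string]'
    $doc = New-Object System.Xml.XmlDocument
    try { $doc.LoadXml($ProfileXml) }
    catch {
        return [pscustomobject]@{
            Findings = @('ERROR: profile is not well-formed XML'); LocUri = $null; EscapedWlanXml = $null
        }
    }

    $sec         = @('WLANProfile', 'MSM', 'security')
    $profileName = (Get-WlanNode -Doc $doc -Path 'WLANProfile', 'name').InnerText
    $ssid        = (Get-WlanNode -Doc $doc -Path 'WLANProfile', 'SSIDConfig', 'SSID', 'name').InnerText
    $auth        = (Get-WlanNode -Doc $doc -Path ($sec + 'authEncryption', 'authentication')).InnerText
    $enc         = (Get-WlanNode -Doc $doc -Path ($sec + 'authEncryption', 'encryption')).InnerText
    $sharedKey   = Get-WlanNode -Doc $doc -Path ($sec + 'sharedKey')

    # Best-practice note: <name> must match <SSID><name>; SSID is at most 32 bytes.
    if ([string]::IsNullOrEmpty($ssid)) {
        $findings.Add('ERROR: SSIDConfig/SSID/name is missing or empty')
    } else {
        if ($profileName -cne $ssid) {
            $findings.Add("ERROR: profile name '$profileName' does not match SSID name '$ssid'")
        }
        if ([Text.Encoding]::UTF8.GetByteCount($ssid) -gt 32) {
            $findings.Add('ERROR: SSID is longer than 32 bytes')
        }
    }

    # The generator script on this page only supports these values.
    if (@('WPAPSK', 'WPA2PSK') -cnotcontains $auth) { $findings.Add("ERROR: unsupported authentication '$auth'") }
    if (@('TKIP', 'AES') -cnotcontains $enc)        { $findings.Add("ERROR: unsupported encryption '$enc'") }

    if ($null -eq $sharedKey) {
        $findings.Add('ERROR: sharedKey element is missing')
    } else {
        $order = @($sharedKey.SelectNodes('*') | ForEach-Object { $_.LocalName })
        $iType = [array]::IndexOf($order, 'keyType')
        $iProt = [array]::IndexOf($order, 'protected')
        $iKey  = [array]::IndexOf($order, 'keyMaterial')
        if ($iType -lt 0 -or $iProt -lt 0 -or $iKey -lt 0) {
            $findings.Add('ERROR: sharedKey needs keyType, protected and keyMaterial')
        } else {
            # Note 4: keyMaterial has to follow keyType and protected.
            if ($iKey -lt $iType -or $iKey -lt $iProt) {
                $findings.Add("ERROR: keyMaterial must come after keyType and protected (found: $($order -join ', '))")
            }
            $keyType     = $sharedKey.SelectSingleNode("*[local-name()='keyType']").InnerText
            $isProtected = $sharedKey.SelectSingleNode("*[local-name()='protected']").InnerText
            $key         = $sharedKey.SelectSingleNode("*[local-name()='keyMaterial']").InnerText
            if ($isProtected -eq 'false') {
                $findings.Add('INFO: keyMaterial is plaintext; anyone who can read the stored profile can read the passphrase')
                # WPA/WPA2 passphrase length rule (assumption: not stated on this page).
                if ($keyType -eq 'passPhrase' -and ($key.Length -lt 8 -or $key.Length -gt 63)) {
                    $findings.Add('ERROR: passphrase must be 8 to 63 characters')
                }
            }
        }
    }

    # Note 5: the SSID inside the LocURI must be %-escaped.
    $locUri = $null
    if ($ssid) { $locUri = './Vendor/MSFT/WiFi/Profile/{0}/WlanXml' -f ([uri]::EscapeDataString($ssid)) }

    [pscustomobject]@{
        Findings       = $findings.ToArray()
        LocUri         = $locUri
        # Note 3: the WlanXml blob is XML-escaped before it goes into the SyncML message.
        EscapedWlanXml = [System.Security.SecurityElement]::Escape($doc.OuterXml)
    }
}

# Constructed sample with two deliberate mistakes: the profile name differs from
# the SSID, and keyMaterial is placed before <protected>. The namespace
# declaration is left out; the lookups above do not depend on it.
$sample = @'
<WLANProfile>
  <name>Zarb Guest WiFi</name>
  <SSIDConfig><SSID><name>Zarb Guest</name></SSID></SSIDConfig>
  <MSM><security>
    <authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption>
    <sharedKey><keyType>passPhrase</keyType><keyMaterial>Example-Passphrase-1</keyMaterial><protected>false</protected></sharedKey>
  </security></MSM>
</WLANProfile>
'@

$result = Test-WlanPskProfile -ProfileXml $sample
$result.Findings
$result.LocUri
```

Run it against the second output line of the generator script and only import the profile when no ERROR finding is returned.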

Method 1 – Importing Wi-Fi Profile into Configuration Manager and Windows Intune

Now with the outputted XML file place that in a location that SCCM can target to import the file (a UNC share that Configuration Manager 2012 R2 has access to).

Go to the Asset and Compliance node in SCCM and expand the Compliance Settings > Company Resource Access node and right click Wi-Fi Profiles > and click on Create Wi-Fi Profile.


Type a Name, Description and check the Import an existing Wi-Fi profile item from a file and click next


Click the add button and locate the Wi-Fi xml file that you created in the first stage. Once you select this click ok and then next.

In the select platform that this Wi-Fi profile will be provisioned to select Windows Phone 8.1 and click Next.


Confirm the setting and click next


Now click close


Now your Wi-Fi Profile is created we can look to deploy this profile to a collection. In this example I will deploy this to my Windows Intune Users.

On your newly created Wi-Fi Profile right click and select Deploy. In the Deploy Wi-Fi Profile dialogue select your collection that you want to distribute the Wi-Fi Profile to and click Ok.


Now wait for the policy to arrive on your device. Next time the policy sync takes place the Wi-Fi profile will get delivered and the device will have a company delivered Wi-Fi WPA2PSK profile.

Once the policy is deployed and the device has synced go to the settings control panel and select WiFi > Scroll to the bottom of the WiFi settings and select manage > Select the WiFi profile SSID that was deployed > You will now see that the WiFi profile has been “added by company policy”

In this scenario the WiFi profile will automatically connect to the SSID that has been deployed.


Method 2 – Creating the XML and deploying it via OMA-URI

With our xml string created in the pre-requisite

<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns=""><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>

We can deliver this via OMA-URI. To do this we need to create a Configuration Item. Under Assets and Compliance expand Compliance Settings then right click on Configuration Items and select Create configuration Item


When the wizard starts specify a name for the Custom configuration item and also select Mobile Device for the configuration that you want to create.


Under “select the mobile device setting groups to configure” click the check box for “configure additional settings that are not in the default settings group”


In the “configure additional mobile device settings” click Add


In the “Browse Settings” dialogue click Create Setting


As we highlighted at the beginning of this document this will be the OMA-URI path for

./Vendor/MSFT/WiFi/Profile/SSID/WlanXml where SSID is the SSID for my Wi-Fi SSID, meaning in my scenario this will be

./Vendor/MSFT/WiFi/Profile/Zarb_5/WlanXml . For each different SSID you will need a new string to target this correctly.

Specify the following attributes in the create settings page

Name – Custom Wi-Fi Settings

Setting type – OMA URI

Data type – String

OMA-URI (case sensitive) – ./Vendor/MSFT/WiFi/Profile/Zarb_5/WlanXml

Once specified select ok


You will now see the “Custom Wi-Fi Settings” previously created under the “Browse Settings” dialogue page. Select this and click select


Important fact for this section

Best Practices

NOTE: The <name>name_goes_here</name> directly under <WLANProfile> (before <SSIDConfig>) must match the <SSID><name>name_goes_here</name></SSID>

The script you ran earlier to generate the XML output has done this for you

Specify a name and specify your xml for the following values:

<?xml version="1.0" encoding="US-ASCII"?><WLANProfile xmlns=""><name>Zarb_5</name><SSIDConfig><SSID><name>Zarb_5</name></SSID></SSIDConfig><connectionType>ESS</connectionType><connectionMode>auto</connectionMode><autoSwitch>false</autoSwitch><MSM><security><authEncryption><authentication>WPA2PSK</authentication><encryption>AES</encryption><useOneX>false</useOneX></authEncryption><sharedKey><keyType>passPhrase</keyType><protected>false</protected><keyMaterial>Welcome1234</keyMaterial></sharedKey></security></MSM></WLANProfile>

Also confirm the check box for remediate noncompliant rules when supported is checked and then click ok


Click Close in the “Browse Settings” . You will now see your rule that you have created. Now select Next.

Under specify the supported platforms select Windows Phone 8.1 and click Next


Now click Next, Next and Next again to complete the wizard. This has now created the custom Configuration Item that will be used with our configuration baseline.


You will now see the Custom Wi-Fi setting in your configuration items


Now we have the configuration item, we need to create or add this to a configuration baseline that will be deployed to a client. In this scenario we will create a new configuration baseline and deploy this to a collection.

Right click on the Configuration Baseline and select the Create Configuration Baseline


In the Create Configuration Baseline Dialogue specify a Name and then under configuration data click Add and select Configuration Items


In the Add Configuration Items Select the Custom Wi-Fi Configuration item and click Add, this will move the setting from the available configuration items to configuration items that will be added to this configuration baseline and click ok


You will now see the configuration item in the configuration data. Now Click OK


Once the configuration baseline is set we can look to deploy this. Right click on the Configuration baseline you have just created and select Deploy


In the Deploy Configuration Baselines validate that your configuration baseline is under the selected configuration baselines.

Validate and make sure the check box is selected for “Remediate noncompliant rules when supported”.

Lastly specify the collection that you are looking to target and click OK


Now wait for the policy to arrive on your device. Next time the policy sync takes place the Wi-Fi configuration baseline will get delivered and the device will have a company delivered OMA-URI Wi-Fi profile.

Once the policy is deployed and the device has synced go to the settings control panel and select WiFi > Scroll to the bottom of the WiFi settings and select manage > Select the WiFi profile SSID that was deployed > You will now see that the WiFi profile has been “added by company policy”

In this scenario the WiFi profile will automatically connect to the SSID that has been deployed.


References :

Windows Phone 8.1 MDM Protocol guide (Page 163) –

WLAN_profile Schema –

Project My Screen App for Windows Phone –

Windows Phone 8.1 Enterprise Mobility Management

Mobility has changed the way we live and work every day. Channel 9 has released a Windows Phone 8.1 Enterprise Mobility Management course which walks you through the capabilities and learnings in this space.

Throughout this course you will learn the progress Windows has had and what’s new in Windows Phone 8.1, whether it be with user benefits or IT benefits. Microsoft technology experts Simon May, David Alessi, Mike Danoski, and Alan Meeus will delve into these topics.

This training really can help you understand Windows Phone and how this is managed via a Mobile Device Management platform.

Full course outline:


Full details and the course can be found below;

Mod 01: Mobile Device Management

In this module you will get an overview of all the components associated with Mobile Device Management, and explore how enrollment, policy and setting configuration are beneficial to the services.

  • [29:52] – Enrollment Demo
  • [35:14] – Policy and Settings Configuration


Mod 02: Asset and User Management

In this module you will learn about management and enrollment/device retirement.

  • [00:05] – Policy and Settings Configuration
  • [15:49] – Asset and User Management


Mod 03: App Deployment

Explore how the company portal, app deployment, and app lifecycle management all are important.


Mod 04: App Lifecycle Management

Learn the dynamics of App lifecycle Management while seeing how policies can affect apps.

  • [01:50] – App Lifecycle Management


Mod 05: Managing Data on Devices

Explore remote wipe, encryption, and app sandboxing.


Mod 06: Managing Device Access

Get an understanding of how managing access from devices is beneficial. This module will go over email, certificates, and VPN.


Mod 07: Windows Phone 8.1 Overview

In this module you will learn about the new features and updates in Windows Phone 8.1 for IT Pros and Enterprises.



Launch workplace control panel from hyperlink


You want to send a simple email to your Windows Phone 8.1 users to enrol their devices in the Windows Intune service, without telling them how to go to settings and find the workplace control panel.

You want a simple hyperlink in the email that redirects the end users to the workplace control panel for Windows Phone 8.1.



The Windows Phone 8.1 MDM Protocol guide is a mecca for information around the current capabilities for the Windows Phone platform.

As part of this documentation there are some powerful and handy tips.

One of these tips is around launching the workplace control panel from a hyperlink. The documentation describes that Windows Phone 8.1 supports the launching of the workplace control panel using a hyperlink: mssettings-workplace.

This should read : mssettings-workplace:

Please note the : at the end.


This sounds really promising to help end users join the workplace for Windows Intune. This means you can send an email to a user with the above hyperlink, which in turn opens the workplace control panel.


However when receiving emails from an Exchange server, Windows Phone automatically filters out links like ms-settings-workplace: .  If you copy/paste the link, you will see that it has been replaced.

So the end users end up seeing the below




To work around this, the system does support HREF tags for HTML.  In order for this to work, you must host a re-direct website or page that can redirect the user to ms-settings-workplace: via a website to avoid the remapping on the client.  This will invoke the IE browser to deep-link into the settings page.

For example, here is some source for an HTML page that you can copy and paste into Notepad or a web editor:


<!DOCTYPE html>
<html lang="en-US">
<head>
<meta charset="UTF-8">
<meta http-equiv="refresh" content="0;url=ms-settings-workplace://">
<script type="text/javascript">
window.location.href = "ms-settings-workplace://";
</script>
<title>Page Redirection</title>
</head>
<body>
<!-- Note: don't tell people to `click` the link, just tell them that it is a link. -->
If you are not redirected automatically, follow the <a href="ms-settings-workplace://">link to example</a>
</body>
</html>


Save this html to a file called wp811.htm . You can then upload or host it on your production website for your organisation.
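A check you can run on the redirect page before publishing it, as an added example that is not part of the original post: it flags typographic quotes picked up when copying the markup from a web page or word processor, and any meta-refresh, script or link target that does not start with ms-settings-workplace:. The function name, class name and the three sample pages are assumptions constructed for this example.

```python
import re
from html.parser import HTMLParser

ALLOWED_TARGET = "ms-settings-workplace:"       # the scheme used in this post
TYPOGRAPHIC = "\u201c\u201d\u2018\u2019\u2033"  # curly quotes and double prime

class RedirectCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.targets = []          # (kind, url) pairs: where the page can send the browser
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "meta" and a.get("http-equiv", "").lower() == "refresh":
            m = re.search(r"url\s*=\s*(.*)", a.get("content", ""), re.I)
            self.targets.append(("meta-refresh", m.group(1).strip() if m else ""))
        elif tag == "a" and "href" in a:
            self.targets.append(("href", a["href"].strip()))
        elif tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        if self._in_script:        # only literal location assignments are seen
            pattern = r"location(?:\.href)?\s*=\s*[\"']([^\"']*)[\"']"
            self.targets += [("script", u) for u in re.findall(pattern, data)]

def audit_redirect_page(html_text):
    """Return a list of findings; an empty list means the page passed."""
    findings = []
    for tag in re.findall(r"<[^>]*>", html_text):
        if any(c in tag for c in TYPOGRAPHIC):
            findings.append("typographic quote in markup: " + tag[:40])
    collector = RedirectCollector()
    collector.feed(html_text)
    collector.close()
    if not collector.targets:
        findings.append("no redirect target found")
    for kind, url in collector.targets:
        if not url.lower().startswith(ALLOWED_TARGET):
            findings.append(f"{kind} points outside {ALLOWED_TARGET} -> {url!r}")
    return findings

# Constructed sample pages (not taken from a live site).
GOOD = ('<html lang="en-US"><head><meta charset="UTF-8">'
        '<meta http-equiv="refresh" content="0;url=ms-settings-workplace://">'
        '<script>window.location.href = "ms-settings-workplace://";</script>'
        '<title>Page Redirection</title></head><body>'
        '<a href="ms-settings-workplace://">Open workplace settings</a></body></html>')
PASTED = GOOD.replace('"', "\u201d")    # quotes mangled by a rich-text copy
CHANGED = GOOD.replace("url=ms-settings-workplace://", "url=https://example.invalid/enrol")
```

audit_redirect_page(GOOD) returns an empty list, while PASTED and CHANGED each return findings that name the offending tag or target.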

At this point I can send an email out to my end users with a hyperlink to the wp811.htm location, which they can open on their Windows Phone 8.1 devices.

As an example here is my link that will kick off the workplace control panel :

As an example, here is the whole workflow


I have highlighted some pages that your end user will never see, as an example the redirect page will not show.

References :

Windows Phone 8.1 MDM protocol documentation :

Windows Phone 8.1 MDM protocol documentation PDF : Windows Phone 8.1 MDM protocol documentation

Microsoft Online Services – Service Level Agreement

A customer recently reached out to me asking for the service level agreement for Microsoft Online Services.

We have a detailed set of information on the Windows Intune Trust Center

If you search for service you will find this section.


The link takes you to : 

This details, in a number of languages, the SLA for the Microsoft Online Services, which include Intune along with many others.


References :

Microsoft Online Services SLA –

Windows Intune Trust Center –

Can I get access to my Windows Intune Service from anywhere?

The Windows Intune service has great geographic availability. Microsoft operates Windows Intune in data centers around the world.

I was asked by a friend internally;

“if a customer has a user that is signed up for Windows Intune in the UK but they travel to a country or location that does not have Windows Intune availability or they are not able to buy licenses in the country….. what happens!?”

A great question, and a common one.

We answer a lot of these questions in the Windows Intune Trust Center. One of the sub topics is Privacy .

During the initial sign-up for services, the customer’s administrator creates a tenant account and inputs the customer’s country or region. The customer’s selected geographic area (“geo” and “region”) determines the storage for the Customer Data. For example, if the administrator inputs United Kingdom, the Customer Data processed as part of the Windows Intune subscription will be stored in a datacenter located in Europe. Available geos and regions are shown below.

Please see the Windows Intune Status Page for service availability by region.


Microsoft will not transfer Customer Data outside the selected geo(s) except where necessary for Microsoft to provide customer support, troubleshoot the service, or comply with legal requirements; or where customer configures an account to enable such transfer of Customer Data, including through the use of:

  • Features that do not enable geo selection, such as Content Delivery Network (CDN) that provides a global caching service;
  • Preview, beta, or other pre-release features that may store or transfer Customer Data to the United States regardless of deployment geo; or
  • Windows Azure Active Directory (except for Access Control), which may transfer Active Directory Customer Data to the United States for European customers, or to the United States or Europe for Asian customers.

Microsoft does not control or limit the geos from which customers or their end users may access Customer Data.

Windows Intune has the same list of restricted countries as Office 365; you can see these restrictions here.

This means that, as of this post's writing, customers that purchase may assign a license to a user that resides anywhere in the world, except for Cuba, Iran, Democratic People’s Republic of Korea, Myanmar, Sudan, and Syria.

To sum up, we have restrictions for where a license can be assigned to a user, but Microsoft does not control or limit the geos from which customers or their end users may access customer data.

References :

Windows Intune Trust Center – 

Windows Intune Trust Center Privacy – 

About license restrictions –

Windows Intune Status Page –

Creating an Android x86 Virtual Machine for testing Windows Intune and EMS capabilities

When I took on my role, I went through a process of consuming information, scenarios, and customer requirements. To help me in building that foundation I reached out to many colleagues to understand how they did certain activities. One of these colleagues was Yann Seyroles in France.

I asked Yann a simple question, “how do you demonstrate/test Android?”

I had been using the Android SDK, which was an interesting experience but not an efficient one!

He chuckled and pointed me to Android x86.


You want to demonstrate features and scenarios of Windows Intune or a MDM service being deployed to an Android platform without going out and spending money on an Android handset.

Android x86 Project

To enable the opportunity for us to run Android on Hyper-V we have used the Android x86 platform. This is a project to port Android open source project to x86 platform, formerly known as “patch hosting for android x86 support“. The original plan is to host different patches for android x86 support from open source community. A few months after we created the project, we found out that we could do much more than just hosting patches. So we decide to create our code base to provide support on different x86 platforms, and set up a git server to host it.

This is an open source project licensed under Apache Public License 2.0.


A Windows Platform running Hyper-V (other Virtualization Technologies can be used)

Android ISO (I have used RC1 as I had difficulties with RC2) –

Android-x86 4.4-RC1 live & installation iso –

How To

Go to and select the build of your choice, in my scenario I will be using Android-x86 4.4-RC1 live & installation iso –



Once you have downloaded the iso and you have a machine with Hyper-V running we can configure our base operating system.

Hyper-V Virtual Guest Configuration

I have created a new virtual machine on my Hyper-V machine


A wizard will kick off , click Next


Specify the name of the Android Virtual Machine and if you want to change the storage location now is the time


If you are using Windows Server 2012 OR Windows 8 you will have an option to specify which generation the virtual machine will be. Select Generation 1 and click Next


Specify the amount of memory that you want to allocate to the Android platform and click Next


Specify your network adapter, my network connects me to the external network for connecting to my Windows Intune environment and click next


Define the hard disk size and location. I have created a 16GB disk and click next


Define the location of your Android x86 iso and click next


Review the summary and select finish


In the virtual machines you should now see your new workload


Before starting the virtual machine we need to make two changes to the configuration

  1. Remove the current network adapter
  2. Add a legacy network adapter and have this connected to the network

To do this, go to the settings of the virtual machine by right-clicking on the virtual machine and selecting Settings


Select the network adapter and click remove in the right hand of the dialogue box


This will remove the network adapter


Now select Add Hardware , select Legacy Network Adapter and then click Add


A new legacy network adapter will now appear. Configure it for your virtual switch and then click Apply/OK


You can also look to change the Processor configuration (i.e. not just have 1 virtual processor) , but the above will be the basic configuration to enable you to boot and install Android.

Installing Android 4.4

Start your virtual machine by right clicking the Android virtual machine and selecting start


Then right click on the virtual machine and click connect


A Virtual Machine Connection will be established to the console of the booting Android virtual machine


At this point you have four options to select. I want to install Android to a state that’s always kept when I make changes (i.e. installing Android to the hard disk rather than running the live CD), so select Installation – Install Android-x86 to harddisk and hit Enter


It will then bring you to the Choose Partition screen. At this point select Create/Modify partitions and select OK. The purpose is to set up a partition for our Android virtual guest, as at present we just have a blank virtual hard disk


When you are in the partition options select New (use left and right to select your option and click enter to select), Then select Primary, And define the disk size


Next select Bootable and click enter. You will notice that the Flags will change from {blank} to Boot. This enables the drive to be bootable.


Next select Write (this will write your partition changes and disk configuration to disk), it will then ask “are you sure you want to write the partition table to disk? (yes or no)” make sure you type Yes, and then hit enter, it will display that partitions are writing its table to disk


We now want to select Quit


At this point you will see a new option for the partitions. Currently we have a sda1 partition and want to format this . Select sda1 Linux Virtual HD and click ok


An option will display for choosing how you want to format the file system. Select ext3


Agree that you are happy to format the partition and lose any existing data and click ok. The disk will now format


You will then be prompted to install the boot loader GRUB. Make sure you select Yes. Next also make sure to select Yes for making the install read-write


Android will now install to disk


Once complete eject the iso and reboot (alternatively you can just Run Android-x86)


Android Boot Up, Login and Company Portal

Upon your reboot you will now be confronted with a GRUB to select your build. At this point you can boot from disk directly to Android-x86 4.4-RC1


You will see the standard Android boot and then go into the setup process. You will encounter a couple of error messages (one around Bluetooth and the other around Wi-Fi). Just select OK should they appear , these will not disrupt your experience.


Walk through the wizard to setup Android. I have added a Google Play account to gain access to the play store and allow myself to download the company portal application.


Now that I am in Android I can do all the Android stuff that I want to. Specifically, in this case I want to install the company portal application and deliver settings to my device. Firstly I have to log into my Android virtual machine, find the Play Store and then locate and install the company portal. Once I download and install the company portal I will be able to browse applications that Windows Intune has published to me and have settings pushed down to the device.


At this point you have the perfect test environment to play with Windows Intune capabilities around Android devices.

I will delve into some of these in later posts.

References :

Android-x86 Project – Run Android on Your PC –

Installing Android-x86 on Hyper-V with Windows 8.1 in under 5 minutes –

Hyper-V generation 2 virtual machines – part 1 –

Mobile Device Management Capabilities in Windows Intune –

Microsoft Enterprise Mobility Workshops


In the UK subsidiary Microsoft will be running a series of Enterprise Mobility Workshops.

The Microsoft Enterprise Mobility Workshops are ½ day and delivered jointly with one of our strategic partners at regional locations across the UK. These workshops are designed to help you understand how Microsoft can keep your users productive, help with data protection & compliance, and unify your environment to drive efficiency – introducing enterprise mobility solutions & technologies from Microsoft.

Nobody said being in IT was easy. And now they have to deal with the increased use of mobile devices, a proliferation of apps, and users’ expectations to access company data from virtually anywhere. IT needs a reliable, complete and efficient solution that takes a people-centric approach to the management of users, their devices and the protection of corporate data. Microsoft has solutions to help organisations harness the power of enterprise mobility, without unnecessary risk or complexity.

For more information, please visit:

How can IT provide a consistent and personalised experience for users across a wide range of devices? How does IT help to keep corporate information protected? How are these two requirements achieved without adding unrealistic cost and complexity to the business? Microsoft has solutions to enable enterprise mobility:

  • Hybrid Identity Management
  • Mobile Device Management
  • Access and Information Protection
  • Desktop Virtualization

Microsoft recently announced the Enterprise Mobility Suite (EMS), which is the comprehensive cloud solution to address your consumerisation of IT, BYOD, and cloud SaaS challenges. The suite is the most cost effective way to acquire all of the included cloud services: Microsoft Azure Active Directory Premium, Windows Intune, and Microsoft Azure Rights Management.


  • 09:30-09:45 – What’s The Microsoft Enterprise Mobility Story?
  • 09:45-10:30 – Hybrid Identity Management and Information Protection
  • 10:30-10:45 – BREAK
  • 10:45-11:30 – Windows Devices in the Enterprise
  • 11:30-12:15 – Unified Device Management
  • 12:15-12:45 – LUNCH
  • 12:45-13:30 – Desktop & Application Virtualization
  • 13:30-13:45 – Licensing Overview
  • 13:45-14:00 – Customer References and Next Steps

Register for the Microsoft Enterprise Mobility Workshops





  • 2 September 2014 – Cardinal Place, 80-100 Victoria Street, London, SW1E 5JL
  • 16 September 2014 – Radisson Blu Edwardian Manchester, Free Trade Hall, Peter Street, Manchester, M2 5GP
  • 23 September 2014 – Park Plaza Cardiff, Greyfriars Road, Cardiff, CF10 3AL
  • 7 October 2014 – Microsoft Campus, Thames Valley Park, Reading, RG6 1WG
  • 15 October 2014 – Liverpool Marriott Hotel City Centre, One Queen Square, Liverpool, L1 1RH
  • 22 October 2014 – DoubleTree by Hilton Hotel Leeds City Centre, Granary Wharf, 2 Wharf Approach, Leeds, LS1 4BR
  • 4 November 2014 – Waverley Gate, 2-4 Waterloo Place, Edinburgh, EH1 3EG
  • 12 November 2014 – DoubleTree by Hilton Hotel Bristol City Centre, Redcliffe Way, Bristol, BS1 6NJ
  • 19 November 2014 – Radisson Blu Hotel, 12 Holloway Circus Queensway, Birmingham, B1 1BT
  • 2 December 2014 – Cardinal Place, 80-100 Victoria Street, London, SW1E 5JL
  • 22 January 2015 – DoubleTree by Hilton Hotel Aberdeen City Centre, Beach Boulevard, Aberdeen, AB24 5EF
  • 29 January 2015 – Radisson Blu Edwardian Manchester, Free Trade Hall, Peter Street, Manchester, M2 5GP
  • 4 February 2015 – Park Plaza Cardiff, Greyfriars Road, Cardiff, CF10 3AL
  • 11 February 2015 – Liverpool Marriott Hotel City Centre, One Queen Square, Liverpool, L1 1RH
  • 10 March 2015 – Microsoft Campus, Thames Valley Park, Reading, RG6 1WG
  • 17 March 2015 – Waverley Gate, 2-4 Waterloo Place, Edinburgh, EH1 3EG
  • 22 April 2015 – DoubleTree by Hilton Hotel Leeds City Centre, Granary Wharf, 2 Wharf Approach, Leeds, LS1 4BR
  • 28 April 2015 – Cardinal Place, 80-100 Victoria Street, London, SW1E 5JL
  • 13 May 2015 – DoubleTree by Hilton Hotel Bristol City Centre, Redcliffe Way, Bristol, BS1 6NJ
  • 20 May 2015 – Radisson Blu Hotel, 12 Holloway Circus Queensway, Birmingham, B1 1BT