Windows 2012 R2 / Windows 8.1 – Bring your own device with Workplace Join

With Windows Server 2012 R2 and Windows 8.1, Microsoft starts to simplify BYOD (Bring Your Own Device).

Indeed, on Windows 8.1 (this is not available with Windows 8, so upgrade your Windows 8 device for free), a new feature called Workplace Join allows end-users to connect to and use corporate resources without having to join the device to the domain.


Prerequisites

To be able to use this feature, the following is required:

  • Windows 8.1 client (of course) – all editions have this feature available
  • Windows Server 2012 R2; this is needed to host the ADFS service, since the Device Registration feature is new to this version of ADFS
  • A DNS record that points to your ADFS server
  • An SSL certificate using that DNS record as its common name
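Before starting the ADFS wizard it is worth checking the two prerequisites that cause most failures: the DNS names and the certificate. The script below is an added example, not part of the original post; it assumes your public domain is corporatedomain.com (replace it), that the SSL certificate has already been imported into the local machine store, and that it runs on the future ADFS server (Windows Server 2012 R2, where the DnsClient module is available).

```powershell
# Added example: pre-flight check of the Workplace Join prerequisites
# (DNS names and the SSL certificate's subject alternative names).
# Assumptions: public domain corporatedomain.com (placeholder), certificate
# already imported into Cert:\LocalMachine\My, English Windows locale.

$Domain        = 'corporatedomain.com'
$RequiredNames = @("adfs.$Domain", "enterpriseregistration.$Domain")

# 1. Every required host name must resolve. Workplace Join clients look up
#    enterpriseregistration.<domain> to locate the Device Registration Service,
#    so a missing record breaks the join even if ADFS itself works.
foreach ($name in $RequiredNames) {
    $records = Resolve-DnsName -Name $name -Type A -ErrorAction SilentlyContinue
    if ($records) {
        $ips = ($records | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }) -join ', '
        Write-Host "OK      $name -> $ips"
    } else {
        Write-Warning "MISSING $name does not resolve; create the DNS record before running the ADFS wizard"
    }
}

# 2. Find a certificate with a private key whose Subject Alternative Name
#    extension (OID 2.5.29.17) covers both names. The common name alone is not
#    enough once the second host name (enterpriseregistration) is involved.
$candidates = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.HasPrivateKey -and $_.NotAfter -gt (Get-Date) }

$match = $null
foreach ($cert in $candidates) {
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if (-not $sanExt) { continue }
    # Format($false) yields "DNS Name=adfs.corporatedomain.com, DNS Name=..." on an English system
    $dnsNames = [regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
        ForEach-Object { $_.Groups[1].Value.ToLowerInvariant() }
    $missing = $RequiredNames | Where-Object { $dnsNames -notcontains $_.ToLowerInvariant() }
    if (-not $missing) { $match = $cert; break }
}

if ($match) {
    Write-Host "OK      certificate $($match.Thumbprint) ($($match.Subject)) covers both names, expires $($match.NotAfter)"
} else {
    Write-Warning 'MISSING no machine certificate with a private key lists both names in its Subject Alternative Name extension'
}
```

Run it in an elevated PowerShell window; two "OK" lines mean the wizard can be started with that certificate, while a warning points at the exact prerequisite that still needs fixing.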

ADFS Installation and Configuration

  • You must have a certificate available to configure ADFS – if you are using an internal certificate authority, you have to deploy the certificate of this CA into the Trusted Root or Enterprise Trust store. It is of course recommended to use a certificate issued by a public authority, like Digicert http://digicert.com/
    • You must define 2 name entries (subject alternative names) for the certificate: adfs.corporatedomain.com and enterpriseregistration.corporatedomain.com – of course, replace corporatedomain.com with your own public domain, as well as the host names (adfs or enterpriseregistration); I'm using these ones for better understanding
  • Deploy Windows Server 2012 R2 and enable ADFS – I would recommend enabling the .Net Framework manually first, as you may get errors during the installation using Server Manager – see http://blog.hametbenoit.info/2012/03/10/windows-8-error-when-activating-.net-framework-feature/ to enable the .Net Framework
  • Enable ADFS


  • Configure ADFS and follow the wizard


  • As this server is the first ADFS server, I'm choosing Create the first federation server; of course, if you already have an ADFS server deployed on Windows Server 2012 R2 – always use the same version of ADFS across an ADFS farm – choose the second option, Add federation to a federation farm


  • Ensure the user account used for connecting to your AD has the appropriate permissions


  • Select the certificate to use and define the display name – the Federation Service name will be filled in automatically based on the name used when generating the certificate


  • Define the managed service account to use for running ADFS – you can choose an existing one or create a new one. In my case, I had already created an MSA with the PowerShell commands below; if you want to create the managed service account manually, open a Windows PowerShell window (always run as administrator) and execute the following commands
    • Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10)
    • New-ADServiceAccount FsGmsa -DNSHostName <ADFS URL used when generating the certificate; same as the one defined in the wizard> -ServicePrincipalNames http/<ADFS URL used when generating the certificate; same as the one defined in the wizard>


  • Review the configuration summary to ensure all settings are as intended


  • And after validating the configuration, finalize the process


Enable Device Registration

Once ADFS has been installed and configured, you must enable the feature called Device Registration.

To do so, open a Windows PowerShell window (run as administrator) and execute the following commands:

  • Initialize-ADDeviceRegistration; when prompted, enter the managed service account defined during the ADFS configuration step – here <your domain>\fsgmsa$


  • Enab
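The managed service account step from the ADFS configuration section and the Initialize-ADDeviceRegistration step above fit naturally into one script. The following is an added example, not the post's own commands: it assumes the NetBIOS domain CORP, the ADFS name adfs.corporatedomain.com, a gMSA named FsGmsa and an ADFS server computer account named ADFS01 (all placeholders), and it runs in an elevated PowerShell window on the ADFS server as a domain administrator, after the ADFS wizard has completed. Two points the post's one-liners do not show: the KDS root key is only backdated with AddHours(-10) for a lab, because in production the key must replicate to every domain controller (about 10 hours) before a gMSA can be created, and PrincipalsAllowedToRetrieveManagedPassword limits password retrieval to the ADFS server itself, so no other machine can pull the account's password.

```powershell
# Added example: KDS root key, gMSA for ADFS, verification, Device Registration.
# Assumptions (placeholders): domain CORP, adfs.corporatedomain.com, gMSA FsGmsa,
# ADFS server computer account ADFS01. Run elevated on the ADFS server.

Import-Module ActiveDirectory

$AdfsHostName  = 'adfs.corporatedomain.com'   # same name as in the certificate and the wizard
$GmsaName      = 'FsGmsa'                     # gMSA SAM names must be 15 characters or fewer
$NetbiosDomain = 'CORP'
$AdfsServers   = @('ADFS01$')                 # computer accounts allowed to retrieve the gMSA password
$Lab           = $true                        # $true only on a single-DC lab, see step 1

# 1. A gMSA requires a KDS root key in the forest. In production, create it with
#    -EffectiveImmediately and wait about 10 hours for AD replication; backdating
#    the key with AddHours(-10) (the post's command) skips that wait and is only
#    safe when every DC already holds the key, i.e. a single-DC lab.
if (-not (Get-KdsRootKey)) {
    if ($Lab) { Add-KdsRootKey -EffectiveTime (Get-Date).AddHours(-10) | Out-Null }
    else      { Add-KdsRootKey -EffectiveImmediately | Out-Null }
    Write-Host 'KDS root key created'
} else {
    Write-Host 'KDS root key already present'
}

# 2. Create the gMSA with the ADFS DNS host name and its HTTP SPN, and restrict
#    password retrieval to the ADFS server(s) (least privilege).
if (-not (Get-ADServiceAccount -Filter "Name -eq '$GmsaName'")) {
    New-ADServiceAccount -Name $GmsaName `
        -DNSHostName $AdfsHostName `
        -ServicePrincipalNames "http/$AdfsHostName" `
        -PrincipalsAllowedToRetrieveManagedPassword $AdfsServers
    Write-Host "gMSA $GmsaName created"
}

# 3. Verify the account from this ADFS server. Test-ADServiceAccount returns
#    $true only if this computer is able to retrieve the managed password.
Get-ADServiceAccount -Identity $GmsaName `
    -Properties DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Select-Object Name, DNSHostName, ServicePrincipalNames, PrincipalsAllowedToRetrieveManagedPassword |
    Format-List
if (-not (Test-ADServiceAccount -Identity $GmsaName)) {
    Write-Warning "This computer cannot retrieve the password of $GmsaName; check PrincipalsAllowedToRetrieveManagedPassword (a reboot is needed after changing it)"
}

# 4. Initialize Device Registration with the gMSA. The post has you type the
#    account at the prompt; passing it as a parameter does the same thing.
#    The account is given as domain\name$ (the trailing $ is part of the name).
Initialize-ADDeviceRegistration -ServiceAccountName "$NetbiosDomain\$GmsaName$" -Force
```

Keep $Lab set to $false outside a lab; creating the gMSA before the KDS key has replicated fails on the domain controllers that do not have it yet, and the backdated key hides that problem only on a single-DC forest.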
