ADFS 3 Device Registration SSL SAN required with Workplace Join

I came across an interesting issue when deploying Workplace Join as part of a migration to ADFS 3. ADFS had been tested as working correctly with the Device Registration service initialized and enabled, but I could not register Windows devices.

After running the lab (which used different different host names!) and checking many settings I decided to go back to the beginning (always a good place to start) and review the Device Registration requirements listed on TechNet. Surprise, I had missed something really obvious in my clients choice of a wildcard SSL certificate - something I normally dig my heels in over.

Solution: You must add enterpriseregistration. (i.e. enterpriseregistration.noak.es where dan@noak.es is the UPN) to the certificate used for Device Registration as a SAN for each UPN suffix in use.

Straight from the horse's mouth, "AD FS must be configured with a server SSL certificate that includes the well-known Device Registration server names" and this is followed by an example, "enterpriseregistration.".

Ah, that explains it, but then somewhat confusingly TechNet states:

"You can satisfy this requirement in two ways. You can use a wildcard certificate that covers all of the possible names used at your company or you can add the additional names as subject alternative names."

Important: The first way above is not true, at least for now, either that or the Device Registration service is not implemented as designed with all devices in mind.

Office 365 IE8 support ends 8 April 2014

If you use IE8 with Office 365 it is now time to upgrade or deploy an alternate browser. I see this as a huge step forward, enabling new and the best experience in the browser for users... on any device!

You can deploy a newer version of IE,  best to use IE10 or IE11. The latest version of Chrome, Firefox and Safari (on Mac) supported by the vendor are also designed to work with Office 365.

TechNet: Office 365 System Requirements:
http://technet.microsoft.com/en-us/library/office-365-system-requirements.aspx

Office 365 is designed to work with the current or immediately previous version of Internet Explorer. We recommend that you upgrade to the latest version of Internet Explorer after it is released. Office 365 might continue to work with versions of Internet Explorer other than the current and immediately previous versions for some time after the release of a new version of Internet Explorer, but Office 365 can’t provide any guarantees.

When accessing Office 365 from older versions of Internet Explorer, users may experience known issues and limitations depending on the versions of Internet Explorer, including:

• Internet Explorer 9   Office 365 does not offer code fixes to resolve problems you encounter when using the service with Internet Explorer 9. You should expect the quality of the user experience to diminish over time, and that many new Office 365 experiences might not work at all.
• Internet Explorer 8   The user experience sending and receiving email with Outlook Web App and Internet Explorer 8 might be substantially diminished, especially when used on Windows XP or with low memory devices. Office 365 does not offer code fixes to resolve problems you encounter when using the service with Internet Explorer 8, and new Office 365 experiences might not work at all. You should also expect the quality of the user experience with Internet Explorer 8 to diminish further in the near future. After April 8, 2014, Internet Explorer 8 will only display Outlook Web App Light.