Tucked away under the Network options in Windows 8.1 is the Workplace, which the more adventurous 8.1 users have discovered without really seeing what it is capable of delivering. There are two different pieces here, the first is the Workplace join, which gives many of the benefits of joining a domain without needing to join a domain, and the second it taking advantage of Windows 8.1s ability to be managed as a mobile device rather than as a traditional PC. Let’s take a look at the Workplace join first

Many of us have joined our own personal devices to our corporate domains to deal with annoying password prompts and access denied messages, but with Workplace join capabilities provided with Windows 8.1 and Windows Server 2012 R2. Improvements in Active Directory in Windows Server 2012 R2 allow devices to register themselves with Active Directory, part of Microsoft’s approach to enhancing BYOD scenarios, and Windows 8.1 exposes that functionality very simply. However, once we combine this capability with the web proxy capabilities of Windows Server 2012 R2 we get an enhanced ability to control access to data, not just based on the user identity, but also the device and whether you are inside or outside of the network. Let’s start with an example.

Here is a SharePoint site I am trying to access via the web proxy that has been set up. So far so good, I can get access to the sign in page.

However, once I go to sign in, I’m alerted that my device doesn’t have the correct permissions, and in this case I need to configure Windows 8.1 to join the Workplace.


Once we go to PC settings, we select Network.

 

From here we select Workplace.

 

And finally we need to enter the Workplace credentials.

Once the user ID is entered we click join.

And now I am being prompted to provide my password, in this case it is via ADFS.

Just to ensure I am who I say I am, Multi-Factor Authentication can be used, which in this case calls my mobile to confirm my identity.

Once that is confirmed, you can see that I have successfully joined.

Now if I go back to that SharePoint site I originally couldn’t access, I try my credentials again.

And this time I’m successfully logged in to SharePoint.

But there was another option under Workplace, let’s go back and take a look.

Now I can choose to Turn On device management, which in this case allows Windows Intune to manage by Windows 8.1 device as a mobile device.

There is a prompt for credentials, which I allow.

I have to log in with my organizational account again.

I’m then prompted to Allow apps and services from IT.

And now I