Prepare - Corporate Connected Guide

Infrastructure Essentials

For both personal and corporate deployment scenarios, a Mobile Device Management (MDM) system is the essential infrastructure required to deploy and manage Windows 10 devices, especially the HoloLens 2. A Microsoft Entra ID P1 or P2 subscription is recommended as an identity provider and required to support certain capabilities.

Note

Although the HoloLens 2 is deployed and managed like a mobile device, it is generally used as a shared device between many users.

Microsoft Entra ID

Microsoft Entra ID is a cloud-based directory service that provides identity and access management. Organizations that use Microsoft Office 365 or Intune are already using Microsoft Entra ID, which has three editions: Free, Premium P1, and Premium P2 (see Microsoft Entra editions). All editions support Microsoft Entra device registration, but Premium P1 is required to enable MDM auto-enrollment, which we'll use later in this guide.

Important

It is essential to have a Microsoft Entra tenant as HoloLens devices do not support on-premises AD join. If you don't already have a Microsoft Entra tenant set up, follow the instructions to get started and Create a new tenant in Microsoft Entra.

Identity Management

In this guide, the identity used will be Microsoft Entra accounts. There are several benefits to Microsoft Entra accounts, such as:

Warning

Employees can use only one account to initialize a device so it's imperative that your organization controls which account is enabled first. The account chosen will determine who controls the device and influence your management capabilities.

Mobile Device Management

Microsoft Intune, part of Enterprise Mobility + Security, is a cloud-based MDM system that manages devices connected to your tenant. Like Office 365, Intune uses Microsoft Entra ID for identity management, so employees use the same credentials to enroll devices in Intune that they use to sign into Office 365. Intune also supports devices that run other operating systems, such as iOS and Android, to provide a complete MDM solution. For the purposes of this guide, we'll be focusing on using Intune for enabling a deployment to your internal network with HoloLens 2.

Important

It is essential to have Mobile Device Management. If you don't already have it set up, follow this guide and Get started with Intune.

Important

In order to use Guides, a Microsoft Entra account is required.

Note

Multiple MDM systems support Windows 10 and most support personal and corporate device deployment scenarios. MDM providers that support Windows 10 Holographic include: AirWatch, MobileIron, and others. Most industry-leading MDM vendors already support integration with Microsoft Entra ID. You can find the most current list of MDM vendors that support Microsoft Entra ID in Azure Marketplace.

Network Access

Dynamics 365 Guides is a cloud-based application. If your network admin has an approve list, they may need to add IP addresses and/or endpoints that are required to connect to the Dynamics 365 servers. Learn more about unblocking IP addresses and URLs.

Certificates

Certificates help improve security by providing account authentication, Wi-Fi authentication, VPN encryption, and SSL encryption of web content. Although administrators can manage certificates on devices manually through provisioning packages, it’s a best practice to use your MDM system to manage those certificates throughout their entire lifecycle – from enrollment through renewal and revocation.

Your MDM system can automatically deploy these certificates to the devices’ certificate stores after you enroll them (as long as your MDM system supports the Simple Certificate Enrollment Protocol (SCEP) or Public Key Cryptography Standards #12 (PKCS#12)). Learn about certificate types and profiles you use with Microsoft Intune. MDM can also query and delete enrolled client certificates or trigger a new enrollment request before the current certificate is expired.

If your MDM system is already configured for certificates, reference Prepare certificates and network profiles for HoloLens 2 to start deploying certificates and profiles for your HoloLens 2 devices.

SCEP

The following services are required for SCEP deployment, except for the Web Application Proxy Server.

You must also publish your NDES URL external to your corporate network using Microsoft Entra application proxy or Web Application Proxy. You can also use another reverse proxy of your choice.

SCEP data flow.

If your network doesn't already support SCEP, or you're unsure if your network is correctly set up for SCEP with Intune, reference Configure infrastructure to support SCEP with Intune.

If your infrastructure already supports SCEP, you'll need to create a profile for each SCEP certificate that the HoloLens 2 will use. If you're having issues with SCEP, use Troubleshoot use of SCEP certificate profiles to provision certificates with Microsoft Intune.

PKCS

Intune also supports the use of private and public key pair (PKCS) certificates. Reference Use private and public key certificates in Microsoft Intune for more information.

Proxy

Most corporate intranet networks apply a proxy to manage external traffic. With HoloLens 2 you can configure a proxy server for Ethernet, Wi-Fi and VPN connections.

There are several types of proxy and several ways to configure one. For the purposes of this guide, we use a Wi-Fi proxy, set via PAC URL and deployed via MDM. This approach has three advantages: the configuration is deployed automatically via MDM, the PAC file can be updated instead of using a server:port configuration, and a Wi-Fi proxy applies only to a single Wi-Fi connection, so the devices can still be used when connected in another location.

For more information on proxy settings for Windows 10, see Create a Wi-Fi profile for devices in Microsoft Intune - Azure.
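To illustrate what the PAC URL in the Wi-Fi profile points at, here is a PAC file written as an added example; it is not part of the original guide and not a Microsoft-provided file. The domain `corp.example.com`, the proxy host names and the port are placeholder assumptions, and the helper `hostInDomain` is hypothetical.

```javascript
// Constructed PAC file for the Wi-Fi profile's PAC URL. Every name below is a
// placeholder (assumption), not a value from the guide. Written without newer
// JavaScript syntax so that older PAC engines can parse it.
var INTERNAL_DOMAINS = ["corp.example.com"]; // intranet suffixes, reached directly
var PROXIES = "PROXY proxy1.corp.example.com:8080; PROXY proxy2.corp.example.com:8080";

// True when host is the domain itself or a subdomain of it. Matching on the
// label boundary keeps "evilcorp.example.com" from passing as "corp.example.com".
function hostInDomain(host, domain) {
  if (host === domain) { return true; }
  var suffix = "." + domain;
  return host.length > suffix.length &&
         host.substring(host.length - suffix.length) === suffix;
}

// Entry point that a PAC engine calls for each request.
function FindProxyForURL(url, host) {
  host = host.toLowerCase(); // host names are case-insensitive

  // Single-label names (for example "intranet") resolve only inside the network.
  // The colon check stops IPv6 literals, which contain no dot, from taking this path.
  if (host.indexOf(".") === -1 && host.indexOf(":") === -1) { return "DIRECT"; }

  for (var i = 0; i < INTERNAL_DOMAINS.length; i++) {
    if (hostInDomain(host, INTERNAL_DOMAINS[i])) { return "DIRECT"; }
  }

  // Everything else, cloud services included, goes through the proxy list in
  // order. There is no trailing "DIRECT", so a proxy outage blocks external
  // traffic instead of letting it bypass the proxy.
  return PROXIES;
}
```

Because the devices fetch this file from the PAC URL, changing the routing rules means editing the file on the server rather than redeploying a server:port setting to each device.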

Line of Business Apps

While several apps can be installed via the Microsoft Store, it's likely you have your own custom app that you have created specifically to use in mixed reality. These custom apps distributed throughout your organization for your business are called Line of Business (LOB) apps.

There are multiple ways to deploy applications to HoloLens 2 devices. Apps can be deployed directly through MDM, through the Microsoft Store for Business (MSfB), or sideloaded through a Provisioning Package. For the sake of this guide, we'll be deploying apps via MDM, by using required app install. This will allow your LOB apps to be automatically downloaded to your HoloLens devices once they finish enrollment.

For those of you who don't have your own LOB, we'll provide a sample app to test this deployment flow. This app will be the MRTK Examples app, and has already been prebuilt and packaged to test for proof of concept.

More details regarding app deployment can be found at App Management: Overview.

Note

HoloLens 2 supports running of UWP ARM64 apps only.

Guides Playbook

Guides uses a Microsoft Dataverse environment as the datastore for your Guides apps. It’s important to understand the bigger picture of how your Dataverse environment interacts with your Guides apps and your tenant. We won’t be covering how to manage your Dataverse environment in this guide, but review Basic concepts for deploying Dynamics 365 Guides - Dynamics 365 Mixed Reality.
