Enterprise Enrollment of HoloLens Devices in MAC address restricted Wi-Fi Environment
Applies to:
HoloLens 2
This document describes a common scenario in customer environments where Wi-Fi access is restricted by MAC address, or where certificates are required to join wireless networks.
Example Scenario
Many customers in secure environments have restrictions on their Wireless or wired networks that will only allow approved devices (based on MAC Addresses) to connect successfully. This may be enforced through MAC Address filtering on a Wireless Access Point or through a DHCP server. Additionally, some Wireless networks can be protected with PEAP, which requires that a certificate be applied to the device prior to authenticating on the Wireless network.
In this scenario, two key requirements may introduce delays or require manual intervention when joining HoloLens devices to the network:
- The Wireless PEAP certificate must be applied to the device prior to the device successfully joining the wireless network.
- The MAC Address of the HoloLens Wi-Fi adaptor must be registered.
The core challenges with the requirements above are:
- The MAC Address can currently only be identified from the Settings app on the device, or from Intune after a successful enrollment.
- Without the MAC address, the device cannot join the Wi-Fi Network to begin enrollment.
- Manual workarounds to these challenges require a technician to interact with the device.
Solutions
There are many ways to improve this situation, depending on the infrastructure available within the environment.
Solution: Provisioning Package with Ethernet Adaptor
Benefits: Improves OOBE experience and allows for a quicker technician experience.
Requirements: HoloLens compatible USB-C Hub + Ethernet adaptor. The technician will still need to interact with the device for MAC capture and OOBE finalization.

Solution: Autopilot with Intune Registration over Ethernet
Benefits: This is a single-step connection and registration of the device to the customer environment. MAC capture can be completed without needing to interact with the device.
Requirements: Intune enabled for the customer Microsoft Entra tenant and a HoloLens compatible USB-C Ethernet adaptor.

Solution: Automated reporting of MAC Addresses
Benefits: When devices are registered with the Intune tenant, a script can report the MAC address to the technician.
Requirements: Intune PowerShell cmdlets.

Provisioning Package with Ethernet Adaptor
Note: If the wired network is also subject to MAC restrictions, then the MAC address of the USB-C Hub + Ethernet adaptor will also need to be pre-approved. Care should be taken with this adapter as it will allow access to the network from other devices.
Requirements
- Wired network port with access to the customer network
- HoloLens compatible USB-C Hub with Ethernet adaptor. Any adapter that doesn't require any additional drivers or application installs should be suitable.
- Provisioning Package containing:
  - Wireless network information and certificate
  - Optionally, enrollment information for the organization's Microsoft Entra ID
  - Any other required provisioning settings
Process
The Process may vary depending on the software level of the device. If the device has the May 2004 update, follow the steps below.
1. Place the provisioning package onto the root of a USB stick, and plug into the Hub.
2. Connect Ethernet cable to the Hub + Ethernet adapter.
3. Connect USB-C Hub to HoloLens device.
4. Turn on the HoloLens and put on the device.
5. Press the Volume Down and Power button to apply the Provisioning Package.
6. The technician can now follow OOBE, and when complete, open the Settings App to retrieve the MAC Address of the device.
If the device has an OS build before the May 2004 update, follow the steps below.
1. Turn on the HoloLens and plug the device into a PC.
2. The device should show up on the PC as a file storage device.
3. Copy the Provisioning Package to the device.
4. Connect Ethernet cable to the hub.
5. Connect USB-C Hub to HoloLens device.
6. Put on the HoloLens.
7. Press the Volume Down and Power button to apply the Provisioning Package.
8. The technician can now follow OOBE, and when complete, open the Settings App to retrieve the MAC Address of the device.
Autopilot with Intune Registration over Ethernet
Create the HoloLens policies to replace the Provisioning Package within Intune.
Create the HoloLens Intune Policies.
Assign the devices to the correct group.
Process
1. Connect the Ethernet cable to the adapter and plug the adapter into the USB-C port on the HoloLens 2 device.
2. Turn on the HoloLens.
3. The device should automatically connect to the internet during OOBE via the Ethernet adaptor. It should detect the Autopilot configuration and automatically register with Microsoft Entra ID and Intune.
4. The device will apply the required Wi-Fi certificates and other configuration as needed via Intune.
5. When complete, the technician can load the Intune (Endpoint Manager) Portal and drill into the device properties page at Home -> Devices -> DeviceName -> Hardware.
6. The Wi-Fi MAC address will be visible within the Intune Portal.
7. The technician will add this MAC address as an allowed device.
Benefits
This will allow a "Heads off" deployment experience for the Technician, with the device being able to go from the box to enrolled in Microsoft Entra ID and Intune without the technician having to wear the device or manually interact with the HoloLens environment.
Reporting of MAC addresses to the Technician
Requirements
- Authorization of the "Intune Graph PowerShell" against the customer tenant.
- Installation of the Intune Graph PowerShell on the technician's machine.
- Read access to the "Managed Devices" elements of Intune (Help Desk Operator or above, or a custom role).
At present, there is no "simple" way to trigger an automation command based on the enrollment of a new device within Intune. Therefore, this command will provide the technician a simple way to retrieve the MAC address without needing to log onto the portal and manually retrieve it.
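The following is an added example, not the page's or Microsoft's own command, of how a technician could pull the Wi-Fi MAC addresses of recently enrolled devices with the Microsoft.Graph.Intune module. The model string 'HoloLens 2', the 7-day look-back window, the helper name Format-MacAddress and the output file name are assumptions.

```powershell
# Added example: report Wi-Fi MAC addresses of recently enrolled HoloLens 2
# devices so they can be added to the network allow list.
# Assumes the Microsoft.Graph.Intune module is installed and authorized for the tenant.
Import-Module Microsoft.Graph.Intune

function Format-MacAddress {
    # Hypothetical helper: strip any separators, then require exactly
    # 12 hex digits and return them as AA:BB:CC:DD:EE:FF.
    param([string]$Raw)
    $hex = ($Raw -replace '[^0-9A-Fa-f]', '').ToUpper()
    if ($hex.Length -ne 12) { return $null }   # empty or malformed value
    return $hex -replace '(..)(?!$)', '$1:'
}

# Interactive sign-in; the account only needs read access to managed devices.
Connect-MSGraph | Out-Null

$since = (Get-Date).AddDays(-7)   # assumed look-back window

# @() keeps the result an array even when no device matches.
$report = @(
    Get-IntuneManagedDevice -Filter "model eq 'HoloLens 2'" |   # assumed model string
        Get-MSGraphAllPages |
        Where-Object { [datetime]$_.enrolledDateTime -gt $since } |
        ForEach-Object {
            [pscustomobject]@{
                DeviceName   = $_.deviceName
                SerialNumber = $_.serialNumber
                Enrolled     = [datetime]$_.enrolledDateTime
                WiFiMac      = Format-MacAddress $_.wiFiMacAddress
            }
        }
)

# Devices that have enrolled but not yet reported a usable Wi-Fi MAC.
$report | Where-Object { -not $_.WiFiMac } | ForEach-Object {
    Write-Warning "No valid Wi-Fi MAC reported yet for $($_.DeviceName)"
}

# Allow-list candidates, oldest enrollment first.
$report | Where-Object WiFiMac | Sort-Object Enrolled |
    Export-Csv -Path .\hololens-wifi-macs.csv -NoTypeInformation

$report | Sort-Object Enrolled | Format-Table -AutoSize
```

Review the exported list against the expected serial numbers before adding entries to the allow list, since the query returns every matching device in the tenant, not only the one on the technician's bench.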