Hi,
I get the message "We weren't able to set up this company account on your phone." when trying to sign in to Company Apps on my Lumia 920.
I have also tried to specify enterpriseenrollment-s.manage.microsoft.com as server with the same result.
What I have done:
I have added my own domain, my own domain user, and the DNS has been updated to support enrollment.
My domain user has already registered a Windows 8 Pro device, with both Intune and Company Portal (I can see the Windows App that I have added to Intune), so the login seems to work.
The Test Auto-Detection confirms that the domain is set up correctly.
I bought a Symantec Code signing certificate, which I installed and exported the private key as PFX, then I signed the Company Portal App (SSP.XAP) with the PFX.
I have uploaded the signed Company Portal App (NEW_SSP.XAP) along with the PFX-file, and made it available to install for all users.
What could I be missing?
Thanks,
Danny
Have you added your user to the Windows Intune User Group in the Account Portal (account.manage.microsoft.com)? That's usually the error associated with the user not having permission to enroll devices in the service. Each user has to be part of that group to enroll mobile devices into the service.
Thanks,
Jon L. - Microsoft
Hi Jon,
I started out by adding my own domain user and assigning it to a custom security group in Account Portal.
When you say Windows Intune User Group does that mean that there should be a security group called that (which isn't the case for me), or just that the user should have been added in the Account Portal, and assigned to a custom group?
Another thing is that under Domains, the mydomain.onmicrosoft.com is marked as active, but my own domain is only verified.
Shouldn't my domain also be marked as active?
Regarding the Symantec Certificate (Symantec Enterprise Mobile CA for Microsoft), should it contain the following warnings:
Windows does not have enough information to verify this certificate
The issuer of this certificate could not be found
The certification path only contains my company name, which seems a little strange to me, but I don't know if that's normal for a code signing certificate.
Thanks,
Danny
The Windows Intune User Group is a setting on each individual user; open a user up in Account Portal and you can see if they are part of the group.
Your public domain should show as Verified, not active, that is by design.
The certificate has to be imported and exported in a specific manner. Did you follow the steps here: http://technet.microsoft.com/en-US/library/jj733640.aspx
Let me know,
Thanks,
Jon L. - MSFT
I checked and my user is already part of the Windows Intune user group.
I just tried to start from scratch.
So I followed these steps:
1) Downloaded the X.509 certificate from Symantec.
2) Open and install the certificate into the Personal certificate store.
3) Go into CertMgr, right-click and select All Tasks -> Export.
4) Choose Yes, export the private key.
5) Assign a password and save the PFX-file.
6) Download and install the WPSSP.msi from Intune.
7) Copy the Company Portal XAP file to the same location as the PFX-file.
8) Open Visual Studio Command Prompt.
9) Use the commands:
   - set path=%path%;"%ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool"
   - XapSignTool.exe sign /f PFXFile /p Password XAPFile
   I get the message: XapSignTool Success: Successfully signed
10) Take the XAP file and upload it to Intune along with the PFX-file.
11) Go in and double-check that the new XAP file is available to my user.
But it still doesn't work.
Thanks,
Danny
I've noticed that the error message on the phone has changed to:
This account isn't permitted on this phone.
I went into Account Portal and the user's "Set sign-in status" is Allowed and it's still part of the Windows Intune user group.
I removed my Exchange account from the phone (different domain), but it didn't change anything.
Hi Danny,
Assuming you have everything set up correctly, you shouldn't be having this issue.
I would recommend opening a support request so we can investigate.
Thanks,
Jon L. - MSFT
Hi Danny
I'm facing the same problem with my Lumia 920. After signing and successfully uploading the portal app, the message "This account isn't permitted on this phone." shows up too. I checked my user in the Account Portal - Intune Group is assigned and user sign-in status is allowed, the domain is validated. Windows 8 Intune clients are working with the credentials and the same user setup.
Have you found a solution?
> Do you mean the user shouldn't be a domain admin?
Global Administrator (Azure AD)
The installation worked out after changing that.