When using a Windows RT 8.1 device to access enterprise resources, it is important to recognize that these devices may be used while connected to the corporate network or while connected to the Internet. In each case, it may be necessary to put in place specific configurations to enable these devices (or any BYOD devices) to access secured resources.
Directly Connected to the Corporate Network
Most Windows RT 8.1 devices will be able to connect to a corporate network with either wireless or wired networking. However, because these devices cannot be joined to Active Directory, there may be some additional configuration necessary, or restrictions put in place that prevent full network access, as explained below.
Because no group policies are processed by Windows RT 8.1, settings such as preconfigured wireless network SSIDs will not be available on these devices. This configuration can still be performed manually by giving users instructions that tell them the SSID to which they need to connect, along with the security details for that connection. This is typically a one-time operation, as Windows RT 8.1 will remember the details for future connections.
Wired network access will also be supported by many Windows RT 8.1 devices because device manufacturers may optionally include a physical Ethernet port in their hardware designs. Windows RT 8.1 also includes support for InstantGo-certified USB Ethernet network adapters. Typically, configuration is not required for wired network connections, but where it is needed, the Control Panel or PowerShell can be used to configure the settings.
Again, because no group policies are processed by Windows RT 8.1, settings for proxy servers may need to be either configured manually or through other means. The simplest way to enable Windows RT to detect the presence of an internal proxy server that must be used when accessing the Internet is to enable the Web Proxy Autodiscovery Protocol (WPAD) on your corporate network. This involves configuring specific DHCP options, as well as a web server that can provide configuration details to each computer. For more information, consult the documentation provided by your web proxy product vendor. For Forefront TMG, see About implementing WPAD.
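The configuration details a WPAD web server provides take the form of a proxy auto-config script (conventionally served as `wpad.dat`). The following is an added example, not taken from the original page or from Microsoft; the internal suffix `corp.example` and the proxy `proxy.corp.example:8080` are assumed placeholders.

```javascript
// Added example: proxy auto-config (PAC) script of the kind served as wpad.dat.
// Assumptions (not from the page): internal DNS suffix and proxy endpoint below.
var INTERNAL_SUFFIXES = [".corp.example"];   // assumed internal DNS zones
var PROXY = "PROXY proxy.corp.example:8080"; // assumed proxy endpoint

// True for loopback and RFC 1918 IPv4 literals.
function isPrivateIPv4(host) {
  var m = /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})$/.exec(host);
  if (!m) return false;
  for (var i = 1; i <= 4; i++) {
    if (Number(m[i]) > 255) return false;    // not a valid dotted quad
  }
  var a = Number(m[1]), b = Number(m[2]);
  return a === 10 || a === 127 ||
         (a === 172 && b >= 16 && b <= 31) ||
         (a === 192 && b === 168);
}

// True for single-label intranet names and names under an internal suffix.
function isInternalName(host) {
  if (host.indexOf(":") !== -1) return false; // IPv6 literal, not a name
  if (host.indexOf(".") === -1) return true;  // single-label name
  for (var i = 0; i < INTERNAL_SUFFIXES.length; i++) {
    var s = INTERNAL_SUFFIXES[i];
    // The leading dot in the suffix stops "evilcorp.example" from matching.
    if (host === s.slice(1) || host.slice(-s.length) === s) return true;
  }
  return false;
}

// Entry point the client calls for every request.
function FindProxyForURL(url, host) {
  host = String(host).toLowerCase().replace(/\.$/, ""); // drop trailing dot
  if (isPrivateIPv4(host) || isInternalName(host)) return "DIRECT";
  // No "; DIRECT" fallback: if the proxy is unreachable, Internet traffic
  // fails closed instead of bypassing the proxy.
  return PROXY;
}
```

Because unmanaged devices such as Windows RT receive this script automatically, the suffix match is anchored on a leading dot so that look-alike external names are still sent through the proxy.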
IPSec Domain Isolation
If IPSec is used for domain isolation, devices that are not joined to an Active Directory domain (such as Windows RT devices) may not be able to access some network servers. If access to these servers is required, the servers may need to be excluded from the default IPSec isolation rules, which turns them into boundary servers. This can be done selectively to allow access to a limited number of servers. Alternatively, a Remote Desktop Gateway could be leveraged to provide “proxy” access to these isolated systems.
When Windows RT 8.1 devices are connected to the Internet, they may need to connect to enterprise resources. This is often done by establishing a virtual private network (VPN) connection into the corporate network. Once connected through VPN, the Windows RT device behaves like it is directly connected to the corporate network, which allows access to internal applications and servers as appropriate.
The Microsoft VPN client supports Windows Server 2012 VPN servers, as well as additional third-party VPN servers through the supported PPTP, L2TP, and IKEv2 protocols with a variety of authentication methods as described in the Windows 8 and Server 2012 VPN Compatibility and Interoperability documentation.
As previously mentioned, Windows RT 8.1 includes a class driver that enables printing directly to thousands of different printer models. See the Windows RT Compatibility Center for more details. Note that some devices may require firmware updates to support this capability.