Enterprise App Development for Windows Phone

Enterprise App Development for Windows Phone (finally!) Kelly White President – Silvertail Software Inc Microsoft MVP – Windows Phone Development http://about.me/kelly.white/


Presented at InnoTech Oregon 2013. All rights reserved.

Transcript of Enterprise App Development for Windows Phone

Page 1: Enterprise App Development for Windows Phone

Enterprise App Development for Windows Phone (finally!)

Kelly White
President – Silvertail Software Inc
Microsoft MVP – Windows Phone Development

http://about.me/kelly.white/

Page 2: Enterprise App Development for Windows Phone

Developing software since 1999
Windows Phone Development since 2010
Silvertail Software Inc.
Microsoft MVP – Windows Phone Development

What does that even mean?

http://about.me/kelly.white


About Me

Page 3: Enterprise App Development for Windows Phone

Goals and overview
Account creation and cert acq
App enrollment and deployment
App launch and phone home

Agenda

Page 4: Enterprise App Development for Windows Phone

Enterprise applications

Goals and overview

Page 5: Enterprise App Development for Windows Phone

Companies control which phones may run their apps
• Enterprise apps may install and run only on phones that are enrolled with the associated enterprise

Companies control the lifecycle of their apps
• No ongoing interaction from Microsoft

Companies control the deployment and distribution
• It’s highly recommended to authenticate users prior to app enrollment and app deployment

Enable companies to deploy business applications to their employees privately and securely.

Page 6: Enterprise App Development for Windows Phone

App enrollments and installs require user confirmation
• Updates of existing apps can be done silently

Consumer and enterprise data are kept separate
• Companies can inventory their own apps, but not marketplace apps

Enable end users to feel in control while preserving a company’s right to protect their data.

Page 7: Enterprise App Development for Windows Phone

Overview

[Diagram: numbered steps 1 to 8 between Company, Microsoft and Symantec]

Page 8: Enterprise App Development for Windows Phone

Enterprise applications

Account creation and cert acquisition

Page 9: Enterprise App Development for Windows Phone

Must be a Company account
• Publisher name displayed on phone

Company approval required
• Private key, CSR, cert are local to PC

Account creation and cert acquisition

Page 10: Enterprise App Development for Windows Phone

Enterprise certificate

Issuer

Validity period

Publisher name

Publisher ID

Enterprise apps EKU

Page 11: Enterprise App Development for Windows Phone

Enterprise applications

App enrollment and deployment

Page 12: Enterprise App Development for Windows Phone

App enrollment and deployment

Managed vs. unmanaged enrollment

Feature                 Managed                 Unmanaged
Enrollment method       Settings applet + MDM   Email/browser
Policy management       Yes                     No
Number of enrollments   Limited to 1            Unlimited
App install method      MDM/company hub         Email/browser/company hub
App inventory           MDM                     No
Silent app updates      MDM                     No
Unenroll                Remote and local        No

Page 13: Enterprise App Development for Windows Phone

Managed enrollment

Page 14: Enterprise App Development for Windows Phone

App enrollment token (AET) is generated once per year

Delivered to the phone over an authenticated channel via email, browser, or MDM

Validated for signature and expiration

App enrollment

[Diagram: Enterprise Service, AET, PublisherID, Email/Browser/MDM and Windows Phone 8; steps 1 to 3]

Page 15: Enterprise App Development for Windows Phone

App ingestion and certification

App ingestion is owned exclusively by the enterprise
• Apps are not submitted to Windows Phone Store
• The company is responsible for the quality of their apps and the impact to the user

The Windows Phone Marketplace Test Kit is useful to evaluate apps
• Images, capabilities, error handling, memory usage, API checks, startup perf, etc.

Capabilities are limited to the same as standard marketplace apps
• Enforced on the phone at app install time

Apps must specially handle ID_CAP_LOCATION usage
• Prompt for user approval and give the user an option to disable

Page 16: Enterprise App Development for Windows Phone

App is NGEN’ed, signed, and published to the company’s store

Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub

Validated for signature, an associated AET, and allowed capabilities

App deployment

[Diagram: Enterprise Service, XAP, Email/Browser/MDM/Company Hub and Windows Phone 8; steps 1 to 3]

Page 17: Enterprise App Development for Windows Phone

Enterprise applications

App launch and phone home

Page 18: Enterprise App Development for Windows Phone

User launches an enterprise app via the shell or an API

Publisher ID is extracted and used to find the associated AET

AET must be present and valid (not expired, revoked or disabled)

App launch

[Diagram: Enterprise Service, Windows Phone 8 and Execution Manager; steps 1 to 3]

Page 19: Enterprise App Development for Windows Phone

Phone sends device ID, publisher IDs, and enterprise app IDs

Phone receives status for each enterprise

Apps of invalid enterprises are blocked from being installed or launched

Scheduled daily, plus each enrollment and app install

After 7 consecutive failed attempts, install of enterprise apps is blocked, but launch of installed apps still works

Phone home

[Diagram: phone and Windows Phone Services; steps 1 and 2]
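The launch and phone-home rules from the two slides above, written out as a small model. This is an added example, not code from the presentation or from Windows Phone: the class and field names are hypothetical, the AET format and wire protocol are not modelled, and resetting the failure count after a successful phone home is an assumption drawn from the word "consecutive".

```python
from dataclasses import dataclass, field
from datetime import date

MAX_FAILED_PHONE_HOMES = 7  # threshold stated on the phone-home slide


@dataclass
class Enrollment:                 # hypothetical record kept per enrolled enterprise
    aet_expires: date             # AET expiry date
    valid: bool = True            # last status received (False = revoked or disabled)


@dataclass
class Phone:
    enrollments: dict = field(default_factory=dict)   # publisher ID -> Enrollment
    failed_phone_homes: int = 0

    def phone_home(self, response):
        """response maps publisher ID -> valid flag; None means the attempt failed."""
        if response is None:
            self.failed_phone_homes += 1
            return
        self.failed_phone_homes = 0   # assumption: one success ends the failure run
        for publisher_id, ok in response.items():
            if publisher_id in self.enrollments:
                self.enrollments[publisher_id].valid = ok

    def _aet_ok(self, publisher_id, today):
        aet = self.enrollments.get(publisher_id)       # AET must be present...
        return aet is not None and aet.valid and today <= aet.aet_expires

    def can_launch(self, publisher_id, today):
        return self._aet_ok(publisher_id, today)

    def can_install(self, publisher_id, today):
        reachable = self.failed_phone_homes < MAX_FAILED_PHONE_HOMES
        return reachable and self._aet_ok(publisher_id, today)


def demo():
    today, pub = date(2013, 5, 1), "{PUB-A}"           # constructed sample values
    phone = Phone({pub: Enrollment(aet_expires=date(2013, 12, 31))})
    for _ in range(7):
        phone.phone_home(None)                         # seven failed attempts in a row
    offline = (phone.can_install(pub, today), phone.can_launch(pub, today))
    phone.phone_home({pub: False})                     # service reports the enterprise invalid
    revoked = (phone.can_install(pub, today), phone.can_launch(pub, today))
    return offline, revoked


if __name__ == "__main__":
    print(demo())
```

The model makes the asymmetry visible: an unreachable service only stops new installs, while an invalid status from the service stops both install and launch.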

Page 20: Enterprise App Development for Windows Phone

Phone home – sample protocol

[Figure: sample request and response]

Page 21: Enterprise App Development for Windows Phone

Signing apps
Generating tokens
Installing and querying apps
Launching apps

Building a Company Hub

Page 22: Enterprise App Development for Windows Phone

Generating tokens

Page 23: Enterprise App Development for Windows Phone

Generating tokens

Start with the .pfx file

Use AETGenerator
%programfiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\AETGenerator\Aetgenerator.exe <<cert file name>> <<password>>

Generate an .aetx file

An AET needs to be generated once per year, when a new cert is acquired from Symantec

Page 24: Enterprise App Development for Windows Phone

Signing apps

Page 25: Enterprise App Development for Windows Phone

Signing apps

Everything with a PE header must be signed
• As well as the .xap itself

XapSignTool
• Located in the Windows Phone SDK directory: %ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool

• Wraps signtool.exe, so it must also be in the path: %ProgramFiles(x86)%\Windows Kits\8.0\bin\x86

Protip: use BuildMDILXap.ps1 in a post-build step

Page 26: Enterprise App Development for Windows Phone

Installing and querying apps

Page 27: Enterprise App Development for Windows Phone

Installing apps

Apps can be installed with InstallationManager.AddPackageAsync()
• Returns an IAsyncOperationWithProgress
• Attach to the Completed and Progress handlers

Six progress notifications
• 0 Started
• 5 Confirmation dialog is displayed
• 10 User accepts install confirmation, download begins
• 50 App is finished downloading
• 55 App has begun installation
• 100 App installation complete

Page 28: Enterprise App Development for Windows Phone

Querying apps

Installed apps can be enumerated with InstallationManager.FindPackagesForCurrentPublisher()
• Retrieves all apps from the same publisher or signed with the same certificate
• Including the app making the query

Apps that are currently installing can be enumerated with InstallationManager.GetPendingPackageInstalls()

Protip: In the app manifest, set your PublisherID to the certificate's UID, e.g. {EE6B2808-0000-0000-0000-000000000000}

Page 29: Enterprise App Development for Windows Phone

Launching apps

Page 30: Enterprise App Development for Windows Phone

Launching apps

Apps can be launched with Package.Launch()

Find the package you want with FindPackagesForCurrentPublisher()
• Only apps from the same publisher, or signed with the same certificate, can be launched

Page 31: Enterprise App Development for Windows Phone

Enterprise applications

Wrap up

Page 32: Enterprise App Development for Windows Phone

Wrap up

Companies with a Dev Center Company account may acquire enterprise certs from Symantec

Companies choose which phones are allowed to receive their apps via distribution of their AET

Companies own the quality and lifecycle of their apps

Apps can be distributed via email/browser/company hub/MDM

MDM servers can push both policy and applications