First, let’s agree on some terms SSL 3.0 with AES 128 and AES256 Code-signed chain of trust UEFI...

Page 1

Page 2

Deploying and Managing Enterprise Apps on Windows and Windows Phone
Matthijs Hoekstra
Sr. Product Marketing Manager, Windows Platform Developer
[email protected]
@mahoekst

WIN-B217

Page 3

Agenda

Enterprise Apps on Windows & WP
Windows
Windows Phone
Wrap Up

Page 4

Let's start with the basics

Page 5

First, let's agree on some terms

Windows Store apps: Modern, full-screen applications written to the WinRT API that run on Windows 8, Windows RT and Windows Phone 8.1. Sometimes also called WinRT apps, modern apps, Windows 8 apps, and the "M" word.

Microsoft Account: An online account, formerly called a Live ID.

Windows Store / Windows Phone Store: An online store for acquiring Windows Store apps, and an application by the same name on Windows 8 and Windows RT for accessing the online store. Requires a Microsoft account to install new apps (but not to install updates on Windows).

Page 6

First, let's agree on some terms

Appx files: A self-contained packaging format for Windows Store apps, effectively a zip file containing all the necessary components for the application, except for dependencies (which would also be Appx files).

XAP files: Packaging format for Windows Phone Silverlight apps, effectively a zip file containing all the necessary components for the application.

Sideloading: The process of installing or provisioning Windows Store apps without going through the Windows Store. There are specific requirements to enable this.

LOB Apps: Line of business applications developed and used by enterprises; the term is sometimes used as a substitute for "sideloaded app".

Page 7

App deployment in an enterprise

Common app deployment workflows and features: Windows and Windows Phone share a common workflow and set of enterprise features.

Conceptually the same, mechanically different: Convergence across platforms is driving a convergence of enterprise features across Windows and Windows Phone, but we aren't there yet.

Page 8

Common Core + Layered Security Architecture

(Diagram; labels recovered from the slide.)
Layers: Hardware and UEFI Firmware; Windows NT Kernel; Internal Storage (User Partition, OS Partition); Apps; Files and data; Servers and Cloud Services.
Platform components: Developer platform, Drivers, Security, Networking, Graphics; Single source updates; Fixes from MSRC.
Security features: Certified hardware; TPM 2.0 on all phones; UEFI Secure Boot; Code-signed chain of trust; SSL 3.0 with AES 128 and AES256; App Containers; Secure browser; IRM & S/MIME built-in; Data protection API; Encryption based on BitLocker technology; Device-Lock.

Page 9

Windows Unified Developer Platform

(Diagram; labels recovered from the slide.)
Windows Kernel; Windows API Set: Graphics, Audio, Media, Networking, File System, Input, Commerce, Sensors.
Runtimes and UI frameworks: .NET CLR, Windows Runtime; DirectX (C++); Windows Phone Silverlight (C# | VB); Windows XAML (C# | VB | C++); WinJS (HTML + JS).
App Model Services: Navigation, Packaging, Contracts, Background, Store(s), Push, Roaming, App Data Backup.
Legend: Windows Phone Only / Windows Only / Windows + Windows Phone.

Page 10

Enterprise Apps on Windows & WP

Page 11

End to end workflow

Building and Testing -> Readying for Deployment -> Deploying -> Managing

Page 12

Readying apps for deployment

App ingestion is owned by the enterprise: The company is responsible for the quality of their apps and the impact to the user.

LOB Apps offer increased developer flexibility: Enterprise line of business apps are not subject to Store policies (i.e. API checks), which gives the developer more flexibility.

Available kits are an important step to evaluate the apps: WACK & MPTK can be downloaded and perform similar checks to those the Store would perform.

Page 13

Readying clients for deployment

Enroll users for management: Use OMA-DM to manage all versions of Windows 8.1 or Windows Phone 8.0 and 8.1.

Use management tools to configure the device: OMA-DM management tools can push policies, required keys and necessary certificates to the device.

Page 14

Windows apps delivery in enterprise

(Diagram; labels recovered from the slide.)
Public Win Apps: Install from Windows Store.
Public WP Apps: Install from Windows Phone Store.
Internal LOB Win Apps and Internal LOB WP Apps: Distribute LOB apps internally via Management Server / Company Portal.

Page 15

Deploying Windows Store Apps

Page 16

Windows Store apps

Installation
Register the application for the user
Always per-user
Does not require administrator rights
Side load or from the Windows Store
Install via an "Enterprise App Store" using System Center 2012 Configuration Manager SP1 or Windows Intune

Provisioning
Register application on the computer
Install automatically for each user
Side load only
Requires administrator rights
Provision using the Microsoft Deployment Toolkit 2012 or DISM
Include in sysprepped image
Customize Start screen layout

Enterprise side loading requirements
• Windows 8.1 domain joined or with a separate side load product key
• Non domain joined (that includes Windows RT) with a separate side load product key

Page 17

Demo

Doing it the manual (hard) way

Page 18

The manual way: Things to Remember

Prerequisites must be met:
• Set the Allow All Trusted Apps policy
• Import any needed trusted root certificates
• Enable sideloading (automatic with Windows 8 Enterprise when domain joined)

PowerShell and DISM commands do the work. See http://technet.microsoft.com/library/hh852635.aspx for more information.

Page 19

Demo

Deploying and managing apps with Configuration Manager

Page 20

Using ConfigMgr: Things to Remember

Windows Store apps install per user
• Cannot be installed via a task sequence
• No native support for provisioning apps, but this can be done using standard software distribution and custom command lines
• Use the App Catalog web site or company portal app to enable self-service installation of Windows Store apps
• "Deep links" can be used, but the user must still log in with a Microsoft Account and click "Install"

Requires ConfigMgr 2012 SP1

Page 21

Demo

Deploying and managing apps with Windows Intune

Page 22

Using Windows Intune: Things to Remember

Enables self-service app installation
• Publish apps to the Company App Portal (Windows Store app)
• Users can "pull" apps from the cloud, but no IT-driven "push"
• Requires setting up DirSync, best with single sign-on

Page 23

Using Other Solutions: Things to Remember

Anyone can build an app store
• WinRT APIs for installing and upgrading apps are fully supported and documented
• See http://companystore.codeplex.com/ for an example, created by Antoine Journaux [email protected] (PFE)

Any software distribution tool can install and provision apps
• Using PowerShell or DISM commands
• Running as the user, for installation
• Running as admin, for provisioning
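Added example (not code from the deck or from the Windows SDK): a PowerShell script for the manual path described on the "manual way" and "Other Solutions" slides. It checks the Allow All Trusted Apps policy, imports the publisher's root certificate, verifies the package's Authenticode signature, then installs per user or, when run with -Provision in an elevated session, provisions per machine. The package path, certificate path and package name pattern are placeholders.

```powershell
# Added example, not from the deck: manual Appx sideload following the
# "manual way" slide. Checks the Allow All Trusted Apps policy, trusts the
# publisher's root certificate, verifies the package signature, then either
# installs per user or provisions per machine (the latter needs admin).
# All paths and the package name below are placeholders.
param(
    [string]$AppxPath = 'C:\Deploy\Contoso.LobApp.appx',          # placeholder
    [string]$RootCertPath = 'C:\Deploy\ContosoRootCA.cer',        # placeholder, optional
    [string]$PackageNamePattern = 'Contoso.LobApp*',              # placeholder
    [switch]$Provision                                            # per machine instead of per user
)

$ErrorActionPreference = 'Stop'

function Test-SideloadPolicy {
    # The Group Policy "Allow all trusted apps to install" writes
    # AllowAllTrustedApps = 1 under this key.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
    $item = Get-ItemProperty -Path $key -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    return ($item -and $item.AllowAllTrustedApps -eq 1)
}

function Test-IsElevated {
    $identity = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    return $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Assert-PackageSignature {
    param([string]$Path)
    # Appx packages are Authenticode-signed; a sideloaded package only installs
    # when its chain ends in a root the machine trusts.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') {
        throw "Signature on $Path is '$($sig.Status)'; import the publisher's root certificate first."
    }
    Write-Host "Package signed by: $($sig.SignerCertificate.Subject)"
}

if (-not (Test-SideloadPolicy)) {
    throw 'AllowAllTrustedApps is not set; enable sideloading (domain join or sideload product key) first.'
}

if ($RootCertPath -and (Test-Path $RootCertPath)) {
    # Needs admin. Everything chained to this root becomes installable,
    # so import only the enterprise's own code-signing root.
    Import-Certificate -FilePath $RootCertPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null
}

Assert-PackageSignature -Path $AppxPath

if ($Provision) {
    if (-not (Test-IsElevated)) { throw 'Provisioning requires an elevated session.' }
    # Provisioning: registered on the computer, installed for each user at first sign-in.
    Add-AppxProvisionedPackage -Online -PackagePath $AppxPath -SkipLicense | Out-Null
} else {
    # Installation: registered for the current user only, no admin rights needed.
    Add-AppxPackage -Path $AppxPath
}

# Confirm what is now registered for this user.
Get-AppxPackage | Where-Object { $_.Name -like $PackageNamePattern } |
    Select-Object Name, Version, Publisher
```

Run it as the end user for a per-user install, or elevated with -Provision to stage the package for every user of the machine, as the slide's two modes describe.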

Page 24

Windows Phone

Page 25

App deployment options

Through the store (public distribution): beta apps, hidden apps with deeplink, public apps

Sideloading (private distribution): MDM like Intune, AirWatch, MobileIron, etc.; website or email

Page 26

Managed and unmanaged enrollment

Feature               | Managed             | Unmanaged
Enrollment method     | Workplace app + MDM | Email/browser
Number of enrollments | Limited to 1        | Unlimited
Policy management     | Yes                 | No
App install method    | MDM/company hub     | Email/browser/company hub
App inventory         | MDM/company hub     | Company hub
Push app install      | MDM                 | No
Push app uninstall    | MDM                 | No
Push app updates      | MDM                 | No
Unenroll              | Remote and local    | Local (NEW)

(The slide flags three rows as NEW; the Unenroll row is one of them.)

Page 27

Acquiring a certificate

Must be a Company account
Publisher name displayed on phone
Company approval required
Private key, CSR, cert are local to PC

Page 28

App enrollment

App enrollment token (AET) is generated once per year
Delivered to the phone over an authenticated channel via email, browser, or MDM
Validated for signature and expiration

(Diagram labels: Enterprise Service; AET; PublisherID; Email/Browser/MDM; Windows Phone 8; steps 1, 2, 3.)

Page 29

Company hub APIs

API feature                          | WP 8 | WP 8.1
Enumerate apps                       | Yes  | Yes
Launch apps                          | Yes  | Yes
Install enterprise signed apps       | Yes  | Yes
Get enterprise metadata              | No   | Yes (NEW)
Renew an enterprise enrollment       | No   | Yes (NEW)
Unenroll from the current enterprise | No   | Yes (NEW)
Trigger enterprise phone home        | No   | Yes (NEW)

Company hubs must be Silverlight apps

Create a Windows Phone 8 Company Hub App, MSDN article by Tony Champion: http://aka.ms/E7c6xc

Page 30

App deployment

App is packaged, signed, and published to the company's store
Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
Validated for signature, an associated AET, and allowed capabilities

(Diagram labels: Enterprise Service; App (XAP, and NEW: APPX); Email/Browser/MDM/Company Hub; Windows Phone 8; steps 1, 2, 3.)

Page 31

App launch

User launches an enterprise app via the shell or an API
Publisher ID is extracted and used to find the associated AET
AET must be present and valid (not expired, revoked or disabled)

(Diagram labels: Windows Phone 8; Execution Manager; Enterprise Service; steps 1, 2, 3.)

Page 32

Phone home

Phone sends device ID, publisher IDs, and enterprise app IDs
Phone receives status for each enterprise
Apps of invalid enterprises are blocked from being installed or launched
Scheduled daily, plus each enrollment
After 7 consecutive failed attempts, the install of enterprise apps is blocked, but the launch of installed apps still works

(Diagram labels: Windows Phone Services; steps 1, 2.)

Page 33

Phone home – sample protocol

Request

Response

Page 34

Demo managed enrollment

Page 35

Demo unmanaged enrollment

Page 36

Precompile and sign Store company app

    PS C:\Program Files (x86)\Microsoft SDKs\WindowsPhoneApp\v8.1\Tools\MDILXAPCompile>
    .\BuildMDILAPPX.ps1 -appxfilename C:\temp\fabk.appx -pfxfilename "C:\temp\cer 02.pfx" -password mypassword

(Diagram labels: fabk.appx, the company IT developed app as IL code; Code signing certificate; Combined precompile+sign script.)

Page 37

What else?

Page 38

Capabilities for sideloaded apps

Enterprise Authentication
Shared User Certificates

You cannot use data roaming for sideloaded apps

Page 39

Notification Services for LOB apps
Engage in real-time with your users for a delightful app experience

App Type / Service                      | Windows Notification Service (WNS) | Microsoft Push Notification (MPN)
Windows Runtime App (AppX)*             | 8.1                                | not supported
Windows Phone Silverlight App (XAP)     | 8.1                                | 8.0/8.1
Windows Runtime Phone App (AppX on WP)* | not supported                      | not supported

*Note: Appx files signed with a Symantec cert cannot use WNS

Page 40

Distribution methods summarized

Platform      | Beta          | Hidden        | Store     | Sideload
Windows Phone | Supported     | Supported     | Supported | Supported
Windows       | Not supported | Not supported | Supported | Supported

Page 41

(Diagram: Store app install and Store app update, showing an app's files (File 1 to File 8) together with shared components, an Ad platform and a Game engine, marked as Shared files.)

Page 42

Comparison by feature by package format

Feature                                | XAP Phone     | XAP 8.1 Phone | AppX Phone    | AppX Windows
Platform Targeting                     | 7.x and later | 8.1 and later | 8.1 and later | 8.0 and later
Package Encryption                     | Yes           | Yes           | No, not yet.  | No, not yet.
Package Bundling                       | No            | No            | Yes           | Yes
Debug Package Signing                  | No            | No            | No            | Yes
Differential Download/Update           | No            | No            | Yes           | Yes
Application File Single Instancing     | No            | No            | Yes           | Yes
Formal Versioning Requirements         | No            | Yes           | Yes           | Yes
External Volume (SD) App Installation  | Yes on 8.1    | Yes           | Yes           | No, not yet.

Page 43

Wrap Up

Page 44

Looking forward

Convergence for LOB app deployment: Certs, Enrollment, OMA-DM protocol, WNS, …
App management of Store apps
Better LOB app and data protection: More secure/isolated environments, flexible cert management, …
Support more customer scenarios: More policies/settings to push to LOB apps

Page 45

Windows Track Resources

Windows Enterprise: windows.com/enterprise, windowsphone.com/business
Windows Springboard: microsoft.com/springboard
Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
Windows To Go: microsoft.com/windows/wtg
Windows Phone Developer: developer.windowsphone.com

Page 46

Related content

Breakout Sessions
WIN-B332 What's new in Windows 8.1 Deployment
WIN-B323 Deploying Windows 8.1 in the Enterprise
WIN-B220 New Security Features for Windows Phone 8.1
WIN-B221 Windows Phone Enterprise Overview
WIN-B214 Windows Phone 8.1 Early Deployment Experience in the Enterprise
WIN-B364 Mobile Device Management overview for Windows Phone 8.1
WIN-B357 Windows Phone 8.1 Security and Management
WIN-B316 Managing Windows 8.1 and Windows RT 8.1 using Mobile Device Management

Find Me Later: At the booth.

Page 47

Resources

Learning: Microsoft Certification & Training Resources, www.microsoft.com/learning
msdn: Resources for Developers, http://microsoft.com/msdn
TechNet: Resources for IT Professionals, http://microsoft.com/technet
Sessions on Demand: http://channel9.msdn.com/Events/TechEd

Page 48

Complete an evaluation and enter to win!

Page 49

Evaluate this session

Scan this QR code to evaluate this session.

Page 50

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.