Deploying and Managing Enterprise Apps on Windows and Windows Phone
Matthijs Hoekstra, Sr. Product Marketing Manager, Windows Platform Developer
[email protected] | @mahoekst
WIN-B217
Agenda
- Enterprise Apps on Windows & WP
- Windows
- Windows Phone
- Wrap Up
Let's start with the basics
First, let's agree on some terms

Windows Store apps: Modern, full-screen applications written to the WinRT API that run on Windows 8, Windows RT and Windows Phone 8.1. Sometimes also called WinRT apps, modern apps, Windows 8 apps, and the "M" word.
Microsoft Account: An online account, formerly called a Live ID.
Windows Store / Windows Phone Store: An online store for acquiring Windows Store apps, and an application by the same name on Windows 8 and Windows RT for accessing the online store. Requires a Microsoft account to install new apps (but not to install updates on Windows).
Appx files: A self-contained packaging format for Windows Store apps, effectively a zip file containing all the necessary components for the application, except for dependencies (which are themselves Appx files).
XAP files: Packaging format for Windows Phone Silverlight apps, effectively a zip file containing all the necessary components for the application.
Sideloading: The process of installing or provisioning Windows Store apps without going through the Windows Store. There are specific requirements to enable this.
LOB apps: Line-of-business applications developed and used by enterprises; the term is sometimes used as a substitute for "sideloaded app".
App deployment in an enterprise

Common app deployment workflows and features: Windows and Windows Phone share a common workflow and set of enterprise features.
Conceptually the same, mechanically different: Convergence across platforms is driving a convergence of enterprise features across Windows and Windows Phone, but we aren't there yet.
[Slide: Windows Phone platform security features]
- SSL 3.0 with AES 128 and AES 256 (as stated on this 2014 slide; SSL 3.0 was later broken by POODLE and deprecated by RFC 7568, so in practice require TLS)
- Code-signed chain of trust; UEFI Secure Boot
- TPM 2.0 on all phones; certified hardware
- App containers; secure browser
- IRM and S/MIME built in; data protection API
- Encryption based on BitLocker technology; device lock
- Single-source updates covering the developer platform, drivers, fixes from MSRC, security, networking, graphics, and servers and cloud services
[Diagram: Windows Unified Developer Platform, common core + layered security architecture]
- Hardware and UEFI firmware
- Windows NT kernel (Windows kernel)
- Windows API set: graphics, audio, media, networking, file system, input, commerce, sensors
- Runtimes: .NET CLR, Windows Runtime
- UI frameworks: DirectX (C++), Windows Phone Silverlight (C# | VB), Windows XAML (C# | VB | C++), WinJS (HTML + JS)
- App model services: navigation, packaging, contracts, background, store(s), push, roaming, app data backup
- Internal storage split into an OS partition and a user partition (apps, files and data)
Legend: Windows Phone only / Windows only / Windows + Windows Phone
Enterprise Apps on Windows & WP

End-to-end workflow: Building and Testing -> Readying for Deployment -> Deploying -> Managing
Readying apps for deployment

App ingestion is owned by the enterprise: the company is responsible for the quality of its apps and their impact on the user.
LOB apps offer increased developer flexibility: enterprise line-of-business apps are not subject to Store policies (such as API checks), which gives the developer more flexibility.
The available kits are an important step in evaluating the apps: the Windows App Certification Kit (WACK) and the Marketplace Test Kit (MPTK) can be downloaded and perform checks similar to those the Store would perform.
Readying clients for deployment

Enroll users for management: use OMA-DM to manage all versions of Windows 8.1 or Windows Phone 8.0 and 8.1.
Use management tools to configure the device: OMA-DM management tools can push policies, required keys and necessary certificates to the device.
[Diagram: Windows apps delivery in the enterprise]
- Public Win apps: install from the Windows Store
- Public WP apps: install from the Windows Phone Store
- Internal LOB Win apps and internal LOB WP apps: distributed internally through a management server and the Company Portal
Deploying Windows Store Apps

Windows Store apps
- Install via an "Enterprise App Store" using System Center 2012 Configuration Manager SP1 or Windows Intune
- Provision using the Microsoft Deployment Toolkit 2012 or DISM
- Include in a sysprepped image; customize the Start screen layout

Installation vs. provisioning
  Installation                               | Provisioning
  Registers the application for the user     | Registers the application on the computer
  Always per user                            | Installs automatically for each user
  Does not require administrator rights      | Requires administrator rights
  Sideload or from the Windows Store         | Sideload only

Enterprise sideloading requirements
- Windows 8.1 domain joined, or with a separate sideload product key
- Non domain joined (including Windows RT): a separate sideload product key is required
Demo
Doing it the manual (hard) way
The manual way: things to remember
Prerequisites must be met:
- Set the Allow All Trusted Apps policy
- Import any needed trusted root certificates
- Enable sideloading (automatic with Windows 8 Enterprise when domain joined)
PowerShell and DISM commands do the work; see http://technet.microsoft.com/library/hh852635.aspx for more information.
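The manual way end to end, as an added example written for this transcript (it is not a script from the deck or from Microsoft): the policy value, the root-certificate import, a signature check on the package, and then either a per-user install or a per-machine provision with the cmdlets the slide refers to. The package path, dependency path, certificate file, expected thumbprint and app name are assumed placeholders; the sideload activation ID in the comment is the one documented in the TechNet article linked above.

```powershell
<#
  Added example: manual enterprise sideloading of an Appx LOB app on Windows 8.1.
  Run elevated (step 1 writes HKLM; provisioning needs admin anyway).
  All paths, names and the thumbprint below are assumed values.
#>
param(
    [string]$AppxPath     = 'C:\LOB\ContosoExpenses.appx',                 # assumed
    [string[]]$DepPaths   = @('C:\LOB\Microsoft.VCLibs.x64.12.00.appx'),   # assumed
    [string]$RootCerPath  = 'C:\LOB\ContosoRootCA.cer',                    # assumed
    [ValidateSet('Install', 'Provision')]
    [string]$Mode = 'Install'
)
$ErrorActionPreference = 'Stop'

# 1. "Allow all trusted apps to install" (the policy the slide names).
#    On a domain-joined machine push this through Group Policy instead of writing it locally.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
Set-ItemProperty -Path $policyKey -Name 'AllowAllTrustedApps' -Value 1 -Type DWord

#    Non-domain-joined machines (and Windows RT) also need the sideloading product key:
#      slmgr /ipk <sideload product key>
#      slmgr /ato ec67814b-30e6-4a50-bf7b-d55daf729d1e   (sideloading activation ID, per TechNet)

# 2. Trust the enterprise signing chain.  Trusted Root is the most powerful store on the box,
#    so pin the CA you expect before importing anything into it.
$expectedThumbprint = '0123456789ABCDEF0123456789ABCDEF01234567'   # assumed, from your PKI team
$root = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $RootCerPath
if ($root.Thumbprint -ne $expectedThumbprint) {
    throw "Root certificate thumbprint mismatch: got $($root.Thumbprint)"
}
Import-Certificate -FilePath $RootCerPath -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

# 3. Verify the package signature now that the chain is trusted.  A sideloaded Appx must be
#    signed, and the Publisher in its manifest must match the signing certificate's subject.
$sig = Get-AuthenticodeSignature -FilePath $AppxPath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install $AppxPath : signature status is $($sig.Status)"
}
"Package signed by: $($sig.SignerCertificate.Subject)"

# 4. Install (per user, runs as the user) or provision (per machine, runs as admin).
switch ($Mode) {
    'Install' {
        Add-AppxPackage -Path $AppxPath -DependencyPath $DepPaths
        Get-AppxPackage -Name 'Contoso.Expenses' | Select-Object Name, Version, Publisher   # assumed name
    }
    'Provision' {
        # DISM equivalent:
        #   Dism /Online /Add-ProvisionedAppxPackage /PackagePath:C:\LOB\ContosoExpenses.appx /SkipLicense
        Add-AppxProvisionedPackage -Online -PackagePath $AppxPath -DependencyPackagePath $DepPaths -SkipLicense
        Get-AppxProvisionedPackage -Online | Where-Object DisplayName -like 'Contoso*'        # assumed name
    }
}
```

Step 3 is the part the slide leaves implicit: the policy value and the root import only tell Windows which publishers to trust, so checking the package signature against that chain before calling Add-AppxPackage catches a tampered or mis-signed package at the point where an operator can still say no.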
Demo
Deploying and managing apps with Configuration Manager
Using ConfigMgr: things to remember
- Windows Store apps install per user
- Cannot be installed via a task sequence
- No native support for provisioning apps, but this can be done using standard software distribution and custom command lines
- Use the App Catalog web site or the Company Portal app to enable self-service installation of Windows Store apps
- "Deep links" can be used, but the user must still log in with a Microsoft Account and click "Install"
- Requires ConfigMgr 2012 SP1
Demo
Deploying and managing apps with Windows Intune
Using Windows Intune: things to remember
- Enables self-service app installation
- Publish apps to the Company App Portal (a Windows Store app)
- Users can "pull" apps from the cloud, but there is no IT-driven "push"
- Requires setting up DirSync, best with single sign-on

Using other solutions: things to remember
- Anyone can build an app store
- WinRT APIs for installing and upgrading apps are fully supported and documented; see http://companystore.codeplex.com/ for an example, created by Antoine Journaux [email protected] (PFE)
- Any software distribution tool can install and provision apps using PowerShell or DISM commands: running as the user for installation, running as admin for provisioning
Windows Phone
App deployment options
- Through the store (public distribution): beta apps, hidden apps with deep link, public apps
- Sideloading (private distribution): MDM such as Intune, AirWatch, MobileIron, etc.; website or email
Managed and unmanaged enrollment
  Feature                | Managed               | Unmanaged
  Enrollment method      | Workplace app + MDM   | Email/browser
  Number of enrollments  | Limited to 1          | Unlimited
  Policy management      | Yes                   | No
  App install method     | MDM/company hub       | Email/browser/company hub
  App inventory          | MDM/company hub       | Company hub
  Push app install       | MDM                   | No
  Push app uninstall     | MDM                   | No
  Push app updates       | MDM                   | No
  Unenroll               | Remote and local      | Local
Acquiring a certificate
- Must be a company account; the publisher name is displayed on the phone
- Company approval is required; the private key, CSR and certificate are local to the PC
- The app enrollment token (AET) is generated once per year
- Delivered to the phone over an authenticated channel via email, browser, or MDM
- Validated for signature and expiration
App enrollment
[Diagram: (1) the enterprise service issues the AET, carrying the publisher ID; (2) the AET reaches the Windows Phone 8 device via email, browser or MDM; (3) the phone validates it and records the enrollment]
Company hub APIs
  API feature                          | WP 8 | WP 8.1
  Enumerate apps                       | Yes  | Yes
  Launch apps                          | Yes  | Yes
  Install enterprise-signed apps       | Yes  | Yes
  Get enterprise metadata              | No   | Yes (new)
  Renew an enterprise enrollment       | No   | Yes (new)
  Unenroll from the current enterprise | No   | Yes (new)
  Trigger enterprise phone home        | No   | Yes (new)
Company hubs must be Silverlight apps. See "Create a Windows Phone 8 Company Hub App", MSDN article by Tony Champion: http://aka.ms/E7c6xc

App deployment
- The app is packaged, signed, and published to the company's store
- Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
- Validated for signature, an associated AET, and allowed capabilities
[Diagram: (1) the enterprise service publishes the signed app (XAP, or AppX on 8.1); (2) it reaches the Windows Phone 8 device via email, browser, MDM or company hub; (3) the phone validates it against the enrolled AET before installing]
App launch
- The user launches an enterprise app via the shell or an API
- The publisher ID is extracted and used to find the associated AET
- The AET must be present and valid (not expired, revoked or disabled)
[Diagram: (1) launch request from the shell or API; (2) the Execution Manager on Windows Phone 8 looks up the AET for the app's publisher ID; (3) the app starts only if the AET, issued by the enterprise service, is valid]
Phone home
- The phone sends its device ID, publisher IDs, and enterprise app IDs
- The phone receives a status for each enterprise
- Apps of invalid enterprises are blocked from being installed or launched
- Scheduled daily, plus at each enrollment
- After 7 consecutive failed attempts, the install of enterprise apps is blocked, but the launch of installed apps still works
[Diagram: (1) request from the phone to the Windows Phone services; (2) response back to the phone]

Phone home – sample protocol
[Slide showed a sample request and response; the content was not captured in this transcript]
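Because the sample request and response did not survive in the transcript, here is an added model of the launch and phone-home rules the slides state, written for this page rather than taken from the deck or from Windows Phone itself. The message shapes, field names, enterprise names and AET records are all assumed; only the rules (AET present and not expired, revoked or disabled; per-enterprise status from the service; installs blocked after 7 consecutive failed phone-homes while launches continue) come from the slides.

```powershell
# Added example: a model of the AET launch check and the phone-home policy described on the slides.
# Message fields, publisher IDs and token values below are assumed, not the real wire protocol.

$script:MaxFailedPhoneHomes = 7    # slide: after 7 consecutive failures, installs are blocked

# Enrollment state as the phone holds it: one AET per publisher ID (assumed sample values)
$script:Enrollments = @{
    'CN=Contoso'  = @{ Expires = (Get-Date).AddMonths(6); Revoked = $false; Disabled = $false }
    'CN=Fabrikam' = @{ Expires = (Get-Date).AddDays(-1);  Revoked = $false; Disabled = $false }
}
$script:State = @{ ConsecutiveFailures = 0; BlockedPublishers = @() }

function Test-Aet {
    # AET must be present and valid: not expired, revoked or disabled
    param([string]$PublisherId)
    $aet = $script:Enrollments[$PublisherId]
    if ($null -eq $aet) { return $false }
    if ($aet.Expires -lt (Get-Date)) { return $false }
    if ($aet.Revoked -or $aet.Disabled) { return $false }
    return $true
}

function New-PhoneHomeRequest {
    # The phone reports its device ID, enrolled publisher IDs and installed enterprise app IDs
    param([string]$DeviceId, [string[]]$AppIds)
    return @{ DeviceId = $DeviceId; PublisherIds = @($script:Enrollments.Keys); AppIds = $AppIds }
}

function Receive-PhoneHomeResponse {
    # $Response is the service's per-enterprise status, e.g. @{ 'CN=Contoso' = 'Valid' } (assumed shape).
    # $null models a failed attempt (no answer, or a response that failed validation).
    param($Response)
    if ($null -eq $Response) {
        $script:State.ConsecutiveFailures++
        return
    }
    $script:State.ConsecutiveFailures = 0
    $script:State.BlockedPublishers = @($Response.Keys | Where-Object { $Response[$_] -ne 'Valid' })
}

function Test-EnterpriseAppAction {
    # Decide whether the phone allows an Install or Launch for an app from $PublisherId
    param([string]$PublisherId, [ValidateSet('Install', 'Launch')][string]$Action)
    if (-not (Test-Aet $PublisherId)) { return $false }
    if ($script:State.BlockedPublishers -contains $PublisherId) { return $false }
    # Too many failed phone-homes stops new installs; already-installed apps still launch
    if ($Action -eq 'Install' -and $script:State.ConsecutiveFailures -ge $script:MaxFailedPhoneHomes) {
        return $false
    }
    return $true
}

# Walk-through with the assumed data above
$request = New-PhoneHomeRequest -DeviceId 'device-0001' -AppIds @('Contoso.Expenses', 'Fabrikam.Field')
Test-EnterpriseAppAction -PublisherId 'CN=Contoso'  -Action Launch    # valid AET
Test-EnterpriseAppAction -PublisherId 'CN=Fabrikam' -Action Launch    # expired AET
1..$script:MaxFailedPhoneHomes | ForEach-Object { Receive-PhoneHomeResponse -Response $null }
Test-EnterpriseAppAction -PublisherId 'CN=Contoso'  -Action Install   # blocked by failure count
Test-EnterpriseAppAction -PublisherId 'CN=Contoso'  -Action Launch    # launch still allowed
Receive-PhoneHomeResponse -Response @{ 'CN=Contoso' = 'Disabled' }    # service marks Contoso invalid
Test-EnterpriseAppAction -PublisherId 'CN=Contoso'  -Action Launch    # now blocked by the service
```

The point the model makes explicit is that the two checks fail differently: an AET problem stops everything for that publisher at once, whereas a lost connection to the service only degrades to "no new installs" after a week of misses, so an outage of the enterprise service is not itself a denial of service for apps already on the phone.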
Demo managed enrollment
Demo unmanaged enrollment
Precompile and sign a Store company app

PS C:\Program Files (x86)\Microsoft SDKs\WindowsPhoneApp\v8.1\Tools\MDILXAPCompile>
.\BuildMDILAPPX.ps1 -appxfilename C:\temp\fabk.appx -pfxfilename "C:\temp\cer 02.pfx" -password mypassword

[Diagram: fabk.appx (company-IT-developed app, IL code) plus the code signing certificate go through the combined precompile + sign script]
What else?
Capabilities for sideloaded apps
- Enterprise Authentication
- Shared User Certificates
- Roaming app data is not available to sideloaded apps

Engage in real time with your users for a delightful app experience

Notification services for LOB apps
  App type                                  | Windows Notification Service (WNS) | Microsoft Push Notification (MPN)
  Windows Runtime app (AppX)*               | 8.1                                | not supported
  Windows Phone Silverlight app (XAP)       | 8.1                                | 8.0/8.1
  Windows Runtime Phone app (AppX on WP)*   | not supported                      | not supported
*Note: Appx files signed with a Symantec cert cannot use WNS
Distribution methods summarized
  Platform       | Beta          | Hidden        | Store     | Sideload
  Windows Phone  | Supported     | Supported     | Supported | Supported
  Windows        | Not supported | Not supported | Supported | Supported
[Diagram: Store app install vs. Store app update. Two apps each ship an ad platform and a game engine; on install the shared files (file 1 to file 4) are stored once, and on update only the changed files (file 5 to file 8) are downloaded while the unchanged game engine is reused]
Comparison by feature by package format
  Feature                                 | XAP Phone     | XAP 8.1 Phone | AppX Phone    | AppX Windows
  Platform targeting                      | 7.x and later | 8.1 and later | 8.1 and later | 8.0 and later
  Package encryption                      | Yes           | Yes           | No, not yet   | No, not yet
  Package bundling                        | No            | No            | Yes           | Yes
  Debug package signing                   | No            | No            | No            | Yes
  Differential download/update            | No            | No            | Yes           | Yes
  Application file single instancing      | No            | No            | Yes           | Yes
  Formal versioning requirements          | No            | Yes           | Yes           | Yes
  External volume (SD) app installation   | Yes on 8.1    | Yes           | Yes           | No, not yet
Wrap Up

Looking forward
- Convergence for LOB app deployment: certs, enrollment, OMA-DM protocol, WNS, ...
- App management of Store apps
- Better LOB app and data protection
- Support more customer scenarios
- More secure/isolated environments, flexible cert management, ...
- More policies/settings to push to LOB apps
Windows Track Resources
- Windows Enterprise: windows.com/enterprise, windowsphone.com/business
- Windows Springboard: microsoft.com/springboard
- Microsoft Desktop Optimization Package (MDOP): microsoft.com/mdop
- Windows To Go: microsoft.com/windows/wtg
- Windows Phone Developer: developer.windowsphone.com
Breakout Sessions
WIN-B332 What's new in Windows 8.1 Deployment
WIN-B323 Deploying Windows 8.1 in the Enterprise
WIN-B220 New Security Features for Windows Phone 8.1
WIN-B221 Windows Phone Enterprise Overview
WIN-B214 Windows Phone 8.1 Early Deployment Experience in the Enterprise
WIN-B364 Mobile Device Management overview for Windows Phone 8.1
WIN-B357 Windows Phone 8.1 Security and Management
WIN-B316 Managing Windows 8.1 and Windows RT 8.1 using Mobile Device Management
Find Me Later At the booth.
Resources
Learning
Microsoft Certification & Training Resources
www.microsoft.com/learning
msdn
Resources for Developers
http://microsoft.com/msdn
TechNet
Resources for IT Professionals
http://microsoft.com/technet
Sessions on Demand
http://channel9.msdn.com/Events/TechEd
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.