Post on 22-Dec-2015

Enterprise Apps

John Vintzel

WIN-B351

App deployment in an enterprise

Common app deployment workflows and features
Windows and Windows Phone share a common workflow and set of enterprise features.

Conceptually the same, mechanically different
Convergence across platforms is driving a convergence of enterprise features across Windows and Windows Phone, but we aren't there yet.

Enterprise App Overview

Windows Desktop

Windows Phone

Wrap Up

Enterprise Apps

End to end workflow

• Building and Testing
• Readying for Deployment
• Deploying
• Managing

Engage in real-time with your users for a delightful app experience

Notification Services for Enterprise apps

| App Type / Service | Windows Notification Service (WNS) | Microsoft Push Notification (MPN) |
|---|---|---|
| Windows Runtime App (APPX)* | 8.1 | not supported |
| Windows Phone Silverlight App (XAP) | 8.1 | 8.0/8.1 |
| Windows Runtime Phone App (APPX on WP)* | not supported | not supported |

*Note: APPX files signed with a Symantec cert cannot use WNS

Readying apps for deployment

App ingestion is owned by the enterprise
The company is responsible for the quality of their apps and the impact to the user.

LOB apps offer increased developer flexibility
Enterprise line-of-business apps are not subject to Store policies (i.e. API checks), which gives the developer more flexibility.

Available kits are an important step to evaluate the apps
WACK & MPTK can be downloaded and perform checks similar to those the Store would perform.

Readying clients for deployment

Enroll users for management
Use OMA-DM to manage all versions of Windows 8.1 or Windows Phone 8.0 and 8.1.

Use management tools to configure the device
OMA-DM management tools can push policies, required keys and necessary certificates to the device.

Windows apps delivery in enterprise

[Diagram labels: Public W8 Apps, install from Windows Store. Public WP8 Apps, install from Windows Phone Store. Internal LOB W8 Apps and Internal LOB WP8 Apps, distribute LOB apps internally through a Management Server or Company Hub.]

Managing app policies and restriction

Control access to the Store and Internet Explorer
Built-in device management policies can control access to the Store and restrict Internet Explorer.

App policies can control access to apps
Use app policies to control which apps a user can run.

Windows Desktop

Inter-process communication policy now only applies to apps deployed via the Windows Store.

There is no longer a restriction on inter-process communication for side-loaded Windows Runtime apps.

Increased Developer Flexibility

Interact with the desktop
Windows 8.1 Update allows sideloaded apps to interact with the desktop through network loopback or through a brokered WinRT component.

[Diagram, two panels. Local Loopback: App Container, Windows Runtime App, Local Service, Desktop .NET Framework, Win32. Brokered WinRT Component: App Container, Windows Runtime App, Broker, Managed WinRT Component, Desktop .NET Framework, Win32.]

Comparing approaches

| Brokered WinRT Component | Network Loopback |
|---|---|
| Requires Windows 8.1 Update | Works on Windows 8 and 8.1 |
| WinRT based programming model | WCF or REST based programming model |
| Loads components on demand | Requires service process to be always running |
| Supports callbacks that activate suspended apps | Network callbacks do not activate suspended apps |

For more information, watch //build 2014 session 2-515, Respecting Your Investments: How to Leverage Your Existing Code In a New Windows Runtime LOB App

Readying client for deployment

Device needs to be enabled for sideloading
• Domain joined or activated by license key
• And ‘Allow all trusted apps to install’ policy enabled

Install the appropriate certificate root
The root certificate for the certificate used to sign your apps needs to be in the device’s Trusted Root Certification Authorities store.

Recent changes to sideloading keys
• Key availability is now more flexible!
• Keys not required for any domain joined device running Windows 8.1 Update!!
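A pre-flight check for the client requirements above, as an added example that is not part of the session material. It assumes a single .appx file at a hypothetical path, reads the policy value that Group Policy writes under HKLM, and also checks that the manifest Publisher matches the signing certificate Subject, which package signing requires.

```powershell
# Added example, not from the session. Checks a single .appx (not an .appxbundle).
param([Parameter(Mandatory)][string]$PackagePath)   # hypothetical package path
Add-Type -AssemblyName System.IO.Compression.FileSystem
$PackagePath = (Resolve-Path $PackagePath).Path

# 1. 'Allow all trusted apps to install', as written to the registry by Group Policy.
$key     = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$allowed = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).AllowAllTrustedApps
$domainJoined = (Get-CimInstance Win32_ComputerSystem).PartOfDomain

# 2. Signature is valid and its root is in the machine Trusted Root store.
$sig    = Get-AuthenticodeSignature -FilePath $PackagePath
$signer = $sig.SignerCertificate
$rootTrusted = $false
if ($signer) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Private CAs are often unreachable for revocation; this checks trust only.
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    [void]$chain.Build($signer)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = Test-Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
}

# 3. Manifest Publisher must match the signing certificate Subject.
$zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
try {
    $reader = New-Object System.IO.StreamReader($zip.GetEntry('AppxManifest.xml').Open())
    [xml]$manifest = $reader.ReadToEnd()
    $reader.Dispose()
} finally { $zip.Dispose() }
$publisher = $manifest.Package.Identity.Publisher
# Ignore spacing around separators; on a mismatch compare the two strings by eye.
$norm = { param($s) ($s -replace '\s*,\s*', ',').Trim() }
$publisherMatches = [bool]$signer -and ((& $norm $publisher) -eq (& $norm $signer.Subject))

$result = [pscustomobject]@{
    PolicyEnabled     = ($allowed -eq 1)
    DomainJoined      = $domainJoined          # informational: affects key requirement
    SignatureValid    = ($sig.Status -eq 'Valid')
    RootTrusted       = $rootTrusted
    PublisherMatches  = $publisherMatches
    ManifestPublisher = $publisher
    CertSubject       = $signer.Subject
}
$result
# Install only when every gate passes.
if ($result.PolicyEnabled -and $result.SignatureValid -and
    $result.RootTrusted -and $result.PublisherMatches) {
    Add-AppxPackage -Path $PackagePath
}
```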

Deployment Methods

Installation
Can be installed using:
• PowerShell cmdlets
• MDM agent in Windows 8.1 or later
Register the application for the user
• Always per-user
• Does not require administrator rights
• Sideload or from the Windows Store

Provisioning
Provision using:
• DISM for online or offline scenario
• PowerShell cmdlets for online
Register application on the computer
• Install automatically for each user
• Sideload only
• Requires administrator rights
• Can be sysprepped into a custom image

PowerShell support for appx deployment
• Add-AppxPackage
• Get-AppxPackage
• Remove-AppxPackage
• Get-AppxLastError
• Get-AppxLog
• Get-AppxPackageManifest

PowerShell support for appx provisioning
• Add-AppxProvisionedPackage
• Get-AppxProvisionedPackage
• Remove-AppxProvisionedPackage

Deploying with PowerShell

Demo

Deploying Apps on Windows 8.1 Update

Servicing of pre-installed Windows apps

Service pre-installed apps when the Store is disabled
Update pre-installed Windows Store apps (Mail, Reader, etc.) within your enterprise without access to the Windows Store.

Servicing uses typical enterprise tools
Updates are published through WSUS for Windows 8 and 8.1.

Now available: one-time updates for all the pre-installed apps in Windows 8 and 8.1
http://support.microsoft.com/kb/2971128/en-US

Enterprise Application Content URI Rules

Use apps from the Store without custom packaging
Extend the URI list of apps acquired from the Windows Store to include URIs within your enterprise.

IT Pro controls the URI list for the enterprise
IT Pros can manage a list of URIs specific to the enterprise and target clients using group policy or other management tools.

Restricting Apps with AppLocker

Full support for modern apps
• Ability to create allow or deny lists
• A single rule to control all the files in an app
• A single rule to control installation and execution of an app

Easy manageability
• Can be managed via group policy
• PowerShell cmdlets available inbox!
  • Get-AppLockerFileInformation
  • Set-AppLockerPolicy
  • Get-AppLockerPolicy
  • New-AppLockerPolicy
  • Test-AppLockerPolicy
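One way to use the inbox cmdlets listed above, as an added example that is not part of the session material: build publisher rules for packaged apps from a reference machine, then check what the policy would decide before it is enforced. The output path is hypothetical, and the final apply step is left commented out so the review happens first.

```powershell
# Added example, not from the session. Run elevated on a reference machine.
$policyPath = Join-Path $env:TEMP 'appx-applocker.xml'   # hypothetical output path
$packages   = Get-AppxPackage -AllUsers

# One publisher rule per package publisher covers every file in each app,
# for both installation and execution.
$packages | Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding utf8

# Dry run: what would this policy decide for each installed package?
$decisions = Test-AppLockerPolicy -XmlPolicy $policyPath -Packages $packages -User Everyone
$decisions | Group-Object PolicyDecision | Select-Object Name, Count

# Anything not allowed would stop working once the policy is enforced.
$blocked = $decisions | Where-Object { $_.PolicyDecision -ne 'Allowed' }
$blocked | Select-Object FilePath, PolicyDecision, MatchingRule

# Apply locally only after reviewing $blocked (enterprise rollout goes through group policy):
# Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
```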

Demo

Managing Apps on Windows 8.1 Update

Windows Phone

Acquiring a certificate

Must be a Company account
Publisher name displayed on phone.

Company approval required
Private key, CSR, cert are local to PC.

Enterprise certificate fields: Issuer, Validity period, Publisher name, Publisher ID, Enterprise apps EKU

Managed and unmanaged enrollment

| Feature | Managed | Unmanaged |
|---|---|---|
| Enrollment method | Workplace app + MDM | Email/browser |
| Number of enrollments | Limited to 1 | Unlimited |
| Policy management | Yes | No |
| App install method | MDM/company hub | Email/browser/company hub |
| App inventory | MDM/company hub | Company hub |
| Push app install | MDM | No |
| Push app uninstall | MDM | No |
| Push app updates | MDM | No |
| Unenroll | Remote and local | Local |

(The slide marks three of these entries as NEW.)

For more information on managed enrollments, watch //build 2014 session 2-513, Windows Phone Enterprise Management

App enrollment

• App enrollment token (AET) is generated once per year
• Delivered to the phone over an authenticated channel via email, browser, or MDM
• Validated for signature and expiration

[Diagram labels: Enterprise Service, AET, PublisherID, Email/Browser/MDM, Windows Phone 8]

Company Hub APIs

| API feature | WP 8 | WP 8.1 |
|---|---|---|
| Enumerate apps | Yes | Yes |
| Launch apps | Yes | Yes |
| Install enterprise signed apps | Yes | Yes |
| Get enterprise metadata | No | Yes (NEW) |
| Renew an enterprise enrollment | No | Yes (NEW) |
| Unenroll from the current enterprise | No | Yes (NEW) |
| Trigger enterprise phone home | No | Yes (NEW) |

Company hubs must be Silverlight apps

Create a Windows Phone 8 Company Hub App MSDN article by Tony Champion - http://aka.ms/E7c6xc

Manifest: Publisher

In order to sign WinRT apps, the manifest Publisher must match the certificate Subject.

AppxManifest.xml:

<Identity Name="Sample.Application"
          Version="1.0.0.0"
          Publisher="OID.0.9.2342.19200300.100.1.1=7755327, CN=&quot;Microsoft Inc. Windows Phone Enterprise Apps&quot;, OU=&quot;Microsoft Inc. Windows Phone Enterprise Apps&quot;" />

Manifest: PublisherID

In order to test Company Hub apps, the PublisherID in WMAppManifest and AppxManifest must match the certificate.

WMAppManifest.xml:

<App ProductID="{B316008A-141D-4A79-810F-8B764C4CFDFB}"
     Title="Sample.Application"
     RuntimeType="Silverlight"
     Version="1.0.0.0"
     Genre="apps.normal"
     Author="Sample author"
     Description="Sample description"
     Publisher="Contoso Publisher"
     PublisherID="{0076563F-0000-0000-0000-000000000000}">

AppxManifest.xml:

<mp:PhoneIdentity PhoneProductID="{B316008A-141D-4A79-810F-8B764C4CFDFB}"
                  PublisherID="{0076563F-0000-0000-0000-000000000000}">

App deployment

• App is packaged, signed, and published to the company’s store
• Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
• Validated for signature, an associated AET, and allowed capabilities

[Diagram labels: Enterprise Service, App (XAP, APPX; APPX marked NEW), Email/Browser/MDM/Company Hub, Windows Phone 8]

App ingestion and certification

App ingestion is owned exclusively by the enterprise
• Apps are not submitted to Windows Phone Store
• The company is responsible for the quality of their apps and the impact to the user

The Windows Phone Marketplace Test Kit is useful to evaluate apps
Images, capabilities, error handling, memory usage, API checks, startup perf, etc.

Capabilities are limited to the same as standard marketplace apps
Enforced on the phone at app install time.

Apps must specially handle ID_CAP_LOCATION usage
Prompt for user approval and give the user an option to disable.

App launch

• User launches an enterprise app via the shell or an API
• Publisher ID is extracted and used to find the associated AET
• AET must be present and valid (not expired, revoked or disabled)

[Diagram labels: Execution Manager, Enterprise Service, Windows Phone 8]

Phone home

• Phone sends device ID, publisher IDs, and enterprise app IDs
• Phone receives status for each enterprise
• Apps of invalid enterprises are blocked from being installed or launched
• Scheduled daily, plus each enrollment
• After 7 consecutive failed attempts, the install of enterprise apps is blocked, but the launch of installed apps still works

[Diagram labels: Windows Phone Services]

Demo

Unmanaged App deployment on Windows Phone 8.1

Phone home – sample protocol

[Figure: Request and Response panels]

Restricting Apps with Allow/Deny Lists

Create allow or deny lists to manage apps on your Windows Phones
• Use app deny lists when you know the list of apps that you want to deny (block) and want to allow all other apps
• Use app allow lists when you know the list of apps that you want to allow and want to deny all other apps

Allow/Deny List - Sample

<?xml version="1.0" encoding="utf-8"?>
<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Deny>
    <App ProductId="{619c483b-ba14-432c-8611-dd6a6aa08888}" /><!-- Games App -->
    <App ProductId="{deedfbce-0ecf-410d-ab0e-5d9fa1253786}" /><!-- Sports App -->
    <App ProductId="{92381d1f-6b8a-455a-94d9-0f41d2d97cd0}" /><!-- Social Media app -->
    <Publisher PublisherName="Contoso">
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1150}" /><!-- Expense app -->
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1155}" /><!-- Audio app -->
    </Publisher>
  </Deny>
</AppPolicy>

Wrap Up

Convergence for LOB app deployment
Certs, Enrollment, OMA-DM protocol, WNS, …

Looking forward…
• App management of Store apps
• Better LOB app and data protection
• Support more customer scenarios: more secure/isolated environments, flexible cert management, …
• More policies/settings to push to LOB app

Resources

Windows Client
• Windows Sideloading: http://aka.ms/lanmep
• AppLocker Step-by-Step Guide: http://aka.ms/X21isi
• Notification Services: http://aka.ms/Iqqonk

Windows Phone
• Company app distribution: http://aka.ms/wp8companyhub
• Create a Company Hub App blog: http://aka.ms/E7c6xc
• MDM whitepaper: http://aka.ms/V0h3v6

© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.