John Vintzel WINB351 App deployment in an enterprise Common app deployment workflows and features Windows and Windows Phone share a common workflow and set of enterprise features Conceptually the same mechanically different ID: 380679
Slide1
Slide2
Enterprise Apps
John Vintzel
WIN-B351
Slide3
App deployment in an enterprise
Common app deployment workflows and features
Windows and Windows Phone share a common workflow and set of enterprise features
Conceptually the same, mechanically different
Convergence across platforms is driving a convergence of enterprise features across Windows and Windows Phone, but we aren't there yet
Slide4
Enterprise App Overview
Windows Desktop
Windows Phone
Wrap Up
Slide5
Enterprise Apps
Slide6
End to end workflow
Slide7
Engage in real-time with your users for a delightful app experience
Notification Services for Enterprise apps
App Type/Service | Windows Notification Service (WNS) | Microsoft Push Notification (MPN)
Windows Runtime App (APPX)* | 8.1 | not supported
Windows Phone Silverlight App (XAP) | 8.1 | 8.0/8.1
Windows Runtime Phone App (APPX on WP)* | not supported | not supported
*Note: APPX files signed with a Symantec cert cannot use WNS
Slide8
Readying apps for deployment
App ingestion is owned by the enterprise
The company is responsible for the quality of their apps and the impact to the user
LOB Apps offer increased developer flexibility
Enterprise line of business apps are not enforced by store policies (i.e. API checks) and give the developer more flexibility
Available Kits are an important step to evaluate the apps
The Windows App Certification Kit (WACK) and the Windows Phone Marketplace Test Kit (MPTK) can be downloaded and perform checks similar to those the Store would perform
Slide9
Readying clients for deployment
Enroll users for management
Use OMA-DM to manage all versions of Windows 8.1 or Windows Phone 8.0 and 8.1
Use management tools to configure device
OMA-DM management tools can push policies, required keys and necessary certificates to the device
Slide10
Windows apps delivery in enterprise
[Diagram labels: Public W8 Apps; Public WP8 Apps; Install from Windows Store; Install from Windows Phone Store; Internal LOB W8 Apps; Internal LOB WP8 Apps; Distribute LOB apps internally; Management Server; Company Hub]
Slide11
Control access to the Store and Internet Explorer
Built-in device management policies can control access to the Store and restrict Internet Explorer
App policies can control access to apps
Use app policies to control access to which apps a user can run
Managing app policies and restriction
Slide12
Windows Desktop
Slide13
Inter-process communication policy now only applies to apps deployed via the Windows Store.
There is no longer a restriction on inter-process communication for side-loaded Windows Runtime apps.
Slide14
Increased Developer Flexibility
Interact with the desktop
Windows 8.1 Update allows sideloaded apps to interact with the desktop through network loopback or through a brokered WinRT component
[Diagram labels: App Container; Windows Runtime App; Desktop .NET Framework; Win32; Local Service; Local Loopback; Broker; Managed WinRT Component; Brokered WinRT Component]
Slide15
Comparing approaches
Brokered WinRT Component | Network Loopback
Requires Windows 8.1 Update | Works on Windows 8 and 8.1
WinRT based programming model | WCF or REST based programming model
Loads components on demand | Requires service process to be always running
Supports callbacks that activate suspended apps | Network callbacks do not activate suspended apps
For more information, watch //build 2014 session 2-515, Respecting Your Investments: How to Leverage Your Existing Code In a New Windows Runtime LOB App
Slide16
Device needs to be enabled for sideloading
Domain joined or activated by license key
And 'Allow all trusted apps to install' policy enabled
Install the appropriate certificate root
A certificate root, for the certificate used to sign your apps, needs to be in the device's Trusted Root Certification Authorities store
Readying client for deployment
Recent changes to sideloading keys
Key availability is now more flexible!
Keys not required for any domain joined device running Windows 8.1 Update!!
Slide17
Deployment Methods
Installation
Register the application for the user
Always per-user
Does not require administrator rights
Side load or from the Windows Store
Can be installed using: PowerShell cmdlets; MDM agent in Windows 8.1 or later
Provisioning
Register application on the computer
Install automatically for each user
Side load only
Requires administrator rights
Can be sysprepped into a custom image
Provision using: DISM for online or offline scenario; PowerShell cmdlets for online
Slide18
PowerShell support for appx deployment
Add-AppxPackage
Get-AppxPackage
Remove-AppxPackage
Get-AppxLastError
Get-AppxLog
Get-AppxPackageManifest
PowerShell support for appx provisioning
Add-AppxProvisionedPackage
Get-AppxProvisionedPackage
Remove-AppxProvisionedPackage
Deploying with PowerShell
Slide19
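The sideloading prerequisites (policy, certificate root) and the Add-AppxPackage cmdlet listed above, combined into one pre-flight check followed by a per-user install. This is an added example, not code from the presentation; the package path is a hypothetical placeholder, and sideloading key activation is not inspected, only domain membership.

```powershell
# Added example: verify sideloading prerequisites, then install a LOB package.
# Assumption: $PackagePath is a hypothetical signed .appx on the local disk.
param([string]$PackagePath = 'C:\Packages\Contoso.Expenses.appx')

# 1. Domain join (domain-joined Windows 8.1 Update devices need no sideloading key).
$domainJoined = [bool](Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain

# 2. "Allow all trusted apps to install" policy, stored as AllowAllTrustedApps = 1.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx'
$policy = Get-ItemProperty -Path $policyKey -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
$allowTrusted = ($null -ne $policy) -and ($policy.AllowAllTrustedApps -eq 1)

# 3. The package signature must chain to a root in the machine's Trusted Root store.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
$rootTrusted = $false
if ($sig.SignerCertificate) {
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # only the trust anchor is checked here
    [void]$chain.Build($sig.SignerCertificate)
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    $rootTrusted = Test-Path -Path "Cert:\LocalMachine\Root\$($root.Thumbprint)"
}

[pscustomobject]@{
    DomainJoined        = $domainJoined
    AllowAllTrustedApps = $allowTrusted
    SignerSubject       = $sig.SignerCertificate.Subject
    RootTrusted         = $rootTrusted
} | Format-List

if (-not $domainJoined) {
    Write-Warning 'Not domain joined: the device must be activated with a sideloading key.'
}
if (-not ($allowTrusted -and $rootTrusted)) {
    Write-Warning 'Policy or certificate root missing; package was not installed.'
    return
}

try {
    # Per-user registration; does not require administrator rights.
    Add-AppxPackage -Path $PackagePath -ErrorAction Stop
    Write-Output "Installed $PackagePath"
} catch {
    # Surface the deployment error recorded for this session.
    Write-Warning $_.Exception.Message
    Get-AppxLastError
}
```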
Demo
Deploying Apps on Windows 8.1 Update
Slide20
Service pre-installed apps when the store is disabled
Update pre-installed Windows Store apps (Mail, Reader, etc.) within your enterprise without access to the Windows Store
Servicing uses typical enterprise tools
Updates are published through WSUS for Windows 8 and 8.1
Servicing of pre-installed Windows apps
Now Available: One-time updates for all the pre-installed apps in Windows 8 and 8.1
http://support.microsoft.com/kb/2971128/en-US
Slide21
Use apps from the Store without custom packaging
Extend the URI list of apps acquired from the Windows Store to include URIs within your enterprise
IT Pro controls the URI list for the enterprise
IT Pros can manage a list of URIs specific to the enterprise and target clients using Group Policy or other management tools.
Enterprise Application Content URI Rules
Slide22
Full Support for modern apps
Ability to create Allow or deny lists
A single rule to control all the files in an app
A single rule to control installation and execution of an app
Easy manageability
Can be managed via Group Policy
PowerShell cmdlets available inbox!
Get-AppLockerFileInformation
Set-AppLockerPolicy
Get-AppLockerPolicy
New-AppLockerPolicy
Test-AppLockerPolicy
Restricting Apps with AppLocker
Slide23
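One way to use the inbox AppLocker cmdlets listed above to build a packaged-app allow list and dry-run it before it is applied. This is an added example, not code from the presentation; the `CN=Contoso*` publisher filter and the scratch policy path are hypothetical.

```powershell
# Added example: build a packaged-app allow list with the inbox AppLocker cmdlets
# and test it against every installed package before applying it.
# Assumptions: 'CN=Contoso*' is a hypothetical enterprise publisher filter and
# $policyPath is a scratch location. Run elevated on a reference machine.
param([switch]$Apply)

$policyPath = Join-Path -Path $env:TEMP -ChildPath 'appx-allowlist.xml'
$installed  = Get-AppxPackage -AllUsers

# Allow only packages signed by Microsoft or by the enterprise publisher.
$allowed = $installed | Where-Object {
    $_.Publisher -like 'CN=Microsoft*' -or $_.Publisher -like 'CN=Contoso*'
}

# One publisher rule per app covers every file in the package, for install and run.
$allowed |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -Optimize -Xml |
    Out-File -FilePath $policyPath -Encoding Unicode

# Dry run: which installed packages would this policy not allow?
$results = $installed | Test-AppLockerPolicy -XmlPolicy $policyPath -User Everyone
$blocked = $results | Where-Object { $_.PolicyDecision -ne 'Allowed' }
$blocked | Select-Object FilePath, PolicyDecision | Format-Table -AutoSize

if ($Apply) {
    # Merge with the existing local policy instead of replacing it.
    Set-AppLockerPolicy -XmlPolicy $policyPath -Merge
}
```

Review the dry-run output first; the policy is only written to the local machine when the script is run with `-Apply`.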
Demo
Managing Apps on Windows 8.1 Update
Slide24
Windows Phone
Slide25
Must be a Company account
Publisher name displayed on phone
Company approval required
Private key, CSR, cert are local to PC
Acquiring a certificate
Slide26
Enterprise certificate
Issuer
Validity period
Publisher name
Publisher ID
Enterprise apps EKU
Slide27
Managed and unmanaged enrollment
Feature | Managed | Unmanaged
Enrollment method | Workplace app + MDM | Email/browser
Number of enrollments | Limited to 1 | Unlimited
Policy management | Yes | No
App install method | MDM/company hub | Email/browser/company hub
App inventory | MDM/company hub | Company hub
Push app install | MDM | No
Push app uninstall | MDM | No
Push app updates | MDM | No
Unenroll | Remote and local | Local
[Slide marks three items as NEW]
For more information on managed enrollments, watch //build 2014 session 2-513, Windows Phone Enterprise Management
Slide28
App enrollment token (AET) is generated once per year
Delivered to the phone over an authenticated channel via email, browser, or MDM
Validated for signature and expiration
App enrollment
[Diagram labels: Windows Phone 8; Email/Browser/MDM; Enterprise Service; AET; PublisherID; steps 1, 2, 3]
Slide29
Company Hub APIs
API feature | WP 8 | WP 8.1
Enumerate apps | Yes | Yes
Launch apps | Yes | Yes
Install enterprise signed apps | Yes | Yes
Get enterprise metadata | No | Yes
Renew an enterprise enrollment | No | Yes
Unenroll from the current enterprise | No | Yes
Trigger enterprise phone home | No | Yes
[Slide marks four items as NEW]
Company hubs must be Silverlight apps
Create a Windows Phone 8 Company Hub App
MSDN article by Tony Champion - http://aka.ms/E7c6xc
Slide30
Manifest: Publisher
In order to sign WinRT apps, the manifest Publisher must match the certificate Subject
    <Identity Name="Sample.Application"
              Version="1.0.0.0"
              Publisher="OID.0.9.2342.19200300.100.1.1=7755327, CN=&quot;Microsoft Inc. Windows Phone Enterprise Apps&quot;, OU=&quot;Microsoft Inc. Windows Phone Enterprise Apps&quot;" />
AppxManifest.xml
Slide31
Manifest: PublisherID
In order to test Company Hub apps, the PublisherID in WMAppManifest and AppxManifest must match the certificate
    <App ProductID="{B316008A-141D-4A79-810F-8B764C4CFDFB}" Title="Sample.Application" RuntimeType="Silverlight" Version="1.0.0.0" Genre="apps.normal" Author="Sample author" Description="Sample description" Publisher="Contoso Publisher" PublisherID="{0076563F-0000-0000-0000-000000000000}">
WMAppManifest.xml
    <mp:PhoneIdentity PhoneProductID="{B316008A-141D-4A79-810F-8B764C4CFDFB}" PublisherID="{0076563F-0000-0000-0000-000000000000}" />
AppxManifest.xml
Slide32
App is packaged, signed, and published to the company’s store
Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
Validated for signature, an associated AET, and allowed capabilities
App deployment
[Diagram labels: Windows Phone 8; Email/Browser/MDM/Company Hub; Enterprise Service; App; XAP; APPX; NEW badge; steps 1, 2, 3]
Slide33
App ingestion and certification
App ingestion is owned exclusively by the enterprise
Apps are not submitted to Windows Phone Store
The company is responsible for the quality of their apps and the impact to the user
The Windows Phone Marketplace Test Kit is useful to evaluate apps
Images, capabilities, error handling, memory usage, API checks, startup perf, etc.
Capabilities are limited to the same as standard marketplace apps
Enforced on the phone at app install time
Apps must specially handle ID_CAP_LOCATION usage
Prompt for user approval and give the user an option to disable
Slide34
User launches an enterprise app via the shell or an API
Publisher ID is extracted and used to find the associated AET
AET must be present and valid (not expired, revoked or disabled)
App launch
[Diagram labels: Windows Phone 8; Execution Manager; Enterprise Service; steps 1, 2, 3]
Slide35
Phone sends device ID, publisher IDs, and enterprise app IDs
Phone receives status for each enterprise
Apps of invalid enterprises are blocked from being installed or launched
Scheduled daily, plus each enrollment
After 7 consecutive failed attempts, the install of enterprise apps is blocked, but the launch of installed apps still works
Phone home
[Diagram labels: Windows Phone Services; steps 1, 2]
Slide36
Demo
Unmanaged App deployment on Windows Phone 8.1
Slide37
[Figure labels: Response; Request]
Phone home – sample protocol
Slide38
Create allow or deny lists to manage apps on your Windows Phones
Use app deny lists when you know the list of apps that you want to deny (block) and want to allow all other apps
Use app allow lists when you know the list of apps that you want to allow and want to deny all other apps
Restricting Apps with Allow/Deny Lists
Slide39
<?xml version="1.0" encoding="utf-8"?>
<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Deny>
    <App ProductId="{619c483b-ba14-432c-8611-dd6a6aa08888}" /><!-- Games App -->
    <App ProductId="{deedfbce-0ecf-410d-ab0e-5d9fa1253786}" /><!-- Sports App -->
    <App ProductId="{92381d1f-6b8a-455a-94d9-0f41d2d97cd0}" /><!-- Social Media app -->
    <Publisher PublisherName="Contoso">
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1150}" /><!-- Expense app -->
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1155}" /><!-- Audio app -->
    </Publisher>
  </Deny>
</AppPolicy>
Allow/Deny List - Sample
Slide40
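To check what a deny list like the sample above does before it is pushed to phones, the following added example (not from the presentation) evaluates a product ID and publisher against it. The semantics are an assumption read from the sample: inside Deny, an App entry blocks that product, and a Publisher entry blocks everything from that publisher except its AllowApp children. The function name and the last test product ID are hypothetical, and allow lists are not covered.

```powershell
# Added example: evaluate an app against a Windows Phone deny list.
# Assumed semantics (read from the sample, not from a schema reference):
# App = deny that product; Publisher = deny the publisher except its AllowApp entries.
$policyXml = [xml]@'
<?xml version="1.0" encoding="utf-8"?>
<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Deny>
    <App ProductId="{619c483b-ba14-432c-8611-dd6a6aa08888}" />
    <Publisher PublisherName="Contoso">
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1150}" />
    </Publisher>
  </Deny>
</AppPolicy>
'@

function Test-PhoneAppPolicy {
    param([xml]$Policy, [string]$ProductId, [string]$PublisherName)
    $ns = New-Object System.Xml.XmlNamespaceManager($Policy.NameTable)
    $ns.AddNamespace('p', 'http://schemas.microsoft.com/phone/2013/policy')
    $deny = $Policy.SelectSingleNode('/p:AppPolicy/p:Deny', $ns)
    if (-not $deny) { return 'Allowed (no deny list)' }

    # Explicit per-app deny entries are checked first.
    foreach ($app in $deny.SelectNodes('p:App', $ns)) {
        if ($app.GetAttribute('ProductId') -ieq $ProductId) { return 'Denied (app rule)' }
    }
    # Publisher-wide deny, with AllowApp exceptions.
    foreach ($pub in $deny.SelectNodes('p:Publisher', $ns)) {
        if ($pub.GetAttribute('PublisherName') -ine $PublisherName) { continue }
        foreach ($ex in $pub.SelectNodes('p:AllowApp', $ns)) {
            if ($ex.GetAttribute('ProductId') -ieq $ProductId) { return 'Allowed (publisher exception)' }
        }
        return 'Denied (publisher rule)'
    }
    return 'Allowed (not listed)'
}

# Constructed test cases: a denied app, an excepted Contoso app, another Contoso app.
Test-PhoneAppPolicy $policyXml '{619c483b-ba14-432c-8611-dd6a6aa08888}' 'Fabrikam'
Test-PhoneAppPolicy $policyXml '{b112e297-eb89-4618-8ff7-b452037e1150}' 'Contoso'
Test-PhoneAppPolicy $policyXml '{00000000-0000-0000-0000-000000000001}' 'Contoso'
```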
Wrap Up
Slide41
Convergence for LOB app deployment
Certs, Enrollment, OMA-DM protocol, WNS, …
App management of Store apps
Better LOB app and data protection
Support more customer scenarios
More secure/isolated environments, flexible cert management, …
More policies/settings to push to LOB app
Looking forward…
Slide42
Thank You!
Slide43
Slide45
Windows Client
Windows Sideloading: http://aka.ms/lanmep
AppLocker Step-by-Step Guide: http://aka.ms/X21isi
Notification Services: http://aka.ms/Iqqonk
Windows Phone
Company app distribution: http://aka.ms/wp8companyhub
Create a Company Hub App blog: http://aka.ms/E7c6xc
MDM whitepaper: http://aka.ms/V0h3v6
Resources
Slide46
Slide48
© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries.
The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.