
Common app deployment workflows and features Windows and Windows Phone share a common workflow and set of enterprise features Conceptually the same,


Enterprise Apps

John Vintzel

WIN-B351

App deployment in an enterprise

Common app deployment workflows and features
Windows and Windows Phone share a common workflow and set of enterprise features

Conceptually the same, mechanically different
Convergence across platforms is driving a convergence of enterprise features across Windows and Windows Phone, but we aren't there yet


Enterprise App Overview

Windows Desktop

Windows Phone

Wrap Up


Enterprise Apps

End to end workflow

• Building and Testing
• Readying for Deployment
• Deploying
• Managing

Notification Services for Enterprise apps

Engage in real-time with your users for a delightful app experience

App Type / Service | Windows Notification Service (WNS) | Microsoft Push Notification (MPN)
Windows Runtime App (APPX)* | 8.1 | not supported
Windows Phone Silverlight App (XAP) | 8.1 | 8.0/8.1
Windows Runtime Phone App (APPX on WP)* | not supported | not supported

*Note: APPX files signed with a Symantec cert cannot use WNS

Readying apps for deployment

App ingestion is owned by the enterprise
The company is responsible for the quality of their apps and the impact to the user

LOB Apps offer increased developer flexibility
Enterprise line-of-business apps are not subject to Store policies (i.e. API checks), which gives the developer more flexibility

Available Kits are an important step to evaluate the apps
The Windows App Certification Kit (WACK) and the Windows Phone Marketplace Test Kit (MPTK) can be downloaded and perform checks similar to those the Store would perform

Readying clients for deployment

Enroll users for management
Use OMA-DM to manage all versions of Windows 8.1 or Windows Phone 8.0 and 8.1

Use management tools to configure device
OMA-DM management tools can push policies, required keys and necessary certificates to the device

Windows apps delivery in enterprise

[Diagram. Public W8 Apps: install from Windows Store. Public WP8 Apps: install from Windows Phone Store. Internal LOB W8 Apps and Internal LOB WP8 Apps: distribute LOB apps internally (Management Server, Company Hub).]

Managing app policies and restrictions

Control access to the Store and Internet Explorer
Built-in device management policies can control access to the Store and restrict Internet Explorer

App policies can control access to apps
Use app policies to control which apps a user can run


Windows Desktop


Inter-process communication policy now only applies to apps deployed via the Windows Store.

There is no longer a restriction on inter-process communication for side-loaded Windows Runtime apps.

Increased Developer Flexibility

Interact with the desktop
Windows 8.1 Update allows sideloaded apps to interact with the desktop through network loopback or through a brokered WinRT component

[Diagram: two panels, "Brokered WinRT Component" and "Local Loopback". Labels: App Container, Windows Runtime App, Desktop, .NET Framework, Win32, Local Service, Broker, Managed WinRT Component.]

Comparing approaches

Brokered WinRT Component | Network Loopback
Requires Windows 8.1 Update | Works on Windows 8 and 8.1
WinRT based programming model | WCF or REST based programming model
Loads components on demand | Requires service process to be always running
Supports callbacks that activate suspended apps | Network callbacks do not activate suspended apps

For more information, watch //build 2014 session 2-515, Respecting Your Investments: How to Leverage Your Existing Code In a New Windows Runtime LOB App

Readying client for deployment

Device needs to be enabled for sideloading
• Domain joined or activated by license key
• And ‘Allow all trusted apps to install’ policy enabled

Install the appropriate certificate root
A certificate root, for the certificate used to sign your apps, needs to be in the device’s Trusted Root Certification Authorities store

Recent changes to sideloading keys
• Key availability is now more flexible!
• Keys not required for any domain joined device running Windows 8.1 Update!!

Deployment Methods

Installation
Register the application for the user
• Always per-user
• Does not require administrator rights
• Side load or from the Windows Store
Can be installed using:
• PowerShell cmdlets
• MDM agent in Windows 8.1 or later

Provisioning
Register application on the computer
• Install automatically for each user
• Side load only
• Requires administrator rights
• Can be sysprepped into a custom image
Provision using:
• DISM for online or offline scenario
• PowerShell cmdlets for online

Deploying with PowerShell

PowerShell support for appx deployment
• Add-AppxPackage
• Get-AppxPackage
• Remove-AppxPackage
• Get-AppxLastError
• Get-AppxLog
• Get-AppxPackageManifest

PowerShell support for appx provisioning
• Add-AppxProvisionedPackage
• Get-AppxProvisionedPackage
• Remove-AppxProvisionedPackage
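The sideloading prerequisites and the cmdlets listed above, put together as a pre-flight check followed by an install. This is an added example, not code from the original deck; the package path is a placeholder, and the registry value is the policy setting behind 'Allow all trusted apps to install'.

```powershell
# Added example (not from the original deck): pre-flight checks, then sideload.
# $PackagePath is a placeholder for your own signed LOB package.
param(
    [string]$PackagePath = 'C:\Deploy\Contoso.Expenses.appx',
    [switch]$Provision    # stage the app for every user; needs elevation
)
$ErrorActionPreference = 'Stop'

# 1. 'Allow all trusted apps to install' is backed by this policy value.
$policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Appx' `
                           -Name 'AllowAllTrustedApps' -ErrorAction SilentlyContinue
if (-not $policy -or $policy.AllowAllTrustedApps -ne 1) {
    throw "Policy 'Allow all trusted apps to install' is not enabled on this device."
}

# 2. The signature is only 'Valid' when the signing certificate chains to a
#    root the device trusts, so this also catches a missing certificate root.
$sig = Get-AuthenticodeSignature -FilePath $PackagePath
if ($sig.Status -ne 'Valid') {
    throw "Refusing to install: signature status is $($sig.Status). $($sig.StatusMessage)"
}
"Signer:     $($sig.SignerCertificate.Subject)"
"Thumbprint: $($sig.SignerCertificate.Thumbprint)"
"Expires:    $($sig.SignerCertificate.NotAfter)"

# 3. Install per-user, or provision machine-wide, and show what changed.
try {
    if ($Provision) {
        Add-AppxProvisionedPackage -Online -PackagePath $PackagePath -SkipLicense | Out-Null
        Get-AppxProvisionedPackage -Online | Select-Object DisplayName, Version, PackageName
    }
    else {
        $before = @(Get-AppxPackage | ForEach-Object PackageFullName)
        Add-AppxPackage -Path $PackagePath
        Get-AppxPackage |
            Where-Object { $before -notcontains $_.PackageFullName } |
            Select-Object Name, Version, Publisher
    }
}
catch {
    # Pull the deployment log for the failed operation before re-throwing.
    Get-AppxLastError
    Get-AppxLog | Select-Object -First 20
    throw
}
```

Recording the signer thumbprint at install time gives you a value to compare against the certificate your build pipeline is expected to use.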


Demo

Deploying Apps on Windows 8.1 Update

Servicing of pre-installed Windows apps

Service pre-installed apps when the store is disabled
Update pre-installed Windows Store apps (Mail, Reader, etc.) within your enterprise without access to the Windows Store

Servicing uses typical enterprise tools
Updates are published through WSUS for Windows 8 and 8.1

Now Available: One-time updates for all the pre-installed apps in Windows 8 and 8.1
http://support.microsoft.com/kb/2971128/en-US

Enterprise Application Content URI Rules

Use apps from the Store without custom packaging
Extend the URI list of apps acquired from the Windows Store to include URIs within your enterprise

IT Pro controls the URI list for the enterprise
IT Pros can manage a list of URIs specific to the enterprise and target clients using group policy or other management tools.

Restricting Apps with AppLocker

Full Support for modern apps
• Ability to create allow or deny lists
• A single rule to control all the files in an app
• A single rule to control installation and execution of an app

Easy manageability
• Can be managed via group policy
• PowerShell cmdlets available inbox!
  • Get-AppLockerFileInformation
  • Set-AppLockerPolicy
  • Get-AppLockerPolicy
  • New-AppLockerPolicy
  • Test-AppLockerPolicy
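The AppLocker cmdlets above chained into a build, dry-run, apply sequence for a packaged-app allow rule. This is an added example, not code from the original deck; the package name and policy file path are placeholders.

```powershell
# Added example (not from the original deck). 'Contoso.Expenses' is a
# placeholder for an installed LOB package; run elevated to apply policy.
param(
    [string]$PackageName = 'Contoso.Expenses',
    [string]$PolicyPath  = "$env:TEMP\lob-packaged-app-policy.xml",
    [switch]$Apply
)
$ErrorActionPreference = 'Stop'

$lobApp = Get-AppxPackage -Name $PackageName
if (-not $lobApp) { throw "Package '$PackageName' is not installed for this user." }

# One publisher rule covers every file in the package, and both its
# installation and execution.
$lobApp |
    Get-AppLockerFileInformation |
    New-AppLockerPolicy -RuleType Publisher -User Everyone -RuleNamePrefix 'LOB' -Xml |
    Set-Content -Path $PolicyPath -Encoding UTF8

# Dry run against everything installed for this user. With a single allow
# rule, every other packaged app comes back DeniedByDefault: check that
# nothing users depend on is in that list before enforcing.
$results = Get-AppxPackage | Test-AppLockerPolicy -XmlPolicy $PolicyPath -User Everyone
$results | Group-Object PolicyDecision | Select-Object Name, Count
$results | Where-Object { $_.PolicyDecision -ne 'Allowed' } |
    Select-Object FilePath, PolicyDecision

if ($Apply) {
    # -Merge keeps rules already in the local policy instead of replacing them.
    Set-AppLockerPolicy -XmlPolicy $PolicyPath -Merge
    Get-AppLockerPolicy -Effective -Xml
}
```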


Demo

Managing Apps on Windows 8.1 Update


Windows Phone

Acquiring a certificate

Must be a Company account
Publisher name displayed on phone

Company approval required
Private key, CSR, cert are local to PC

Enterprise certificate

• Issuer
• Validity period
• Publisher name
• Publisher ID
• Enterprise apps EKU

Managed and unmanaged enrollment

Feature | Managed | Unmanaged
Enrollment method | Workplace app + MDM | Email/browser
Number of enrollments | Limited to 1 | Unlimited
Policy management | Yes | No
App install method | MDM/company hub | Email/browser/company hub
App inventory | MDM/company hub | Company hub
Push app install | MDM | No
Push app uninstall | MDM | No
Push app updates | MDM | No
Unenroll | Remote and local | Local

(Three items on this slide carry a NEW badge.)

For more information on managed enrollments, watch //build 2014 session 2-513, Windows Phone Enterprise Management

App enrollment

App enrollment token (AET) is generated once per year

Delivered to the phone over an authenticated channel via email, browser, or MDM

Validated for signature and expiration

[Diagram, steps 1 to 3. Labels: Enterprise Service, AET, PublisherID, Email/Browser/MDM, Windows Phone 8]

Company Hub APIs

API feature | WP 8 | WP 8.1
Enumerate apps | Yes | Yes
Launch apps | Yes | Yes
Install enterprise signed apps | Yes | Yes
Get enterprise metadata | No | Yes
Renew an enterprise enrollment | No | Yes
Unenroll from the current enterprise | No | Yes
Trigger enterprise phone home | No | Yes

(Four items on this slide carry a NEW badge.)

Company hubs must be Silverlight apps

Create a Windows Phone 8 Company Hub App MSDN article by Tony Champion - http://aka.ms/E7c6xc

Manifest: Publisher

In order to sign WinRT apps, the manifest Publisher must match the certificate Subject

AppxManifest.xml

<Identity Name="Sample.Application"
          Version="1.0.0.0"
          Publisher="OID.0.9.2342.19200300.100.1.1=7755327, CN=&quot;Microsoft Inc. Windows Phone Enterprise Apps&quot;, OU=&quot;Microsoft Inc. Windows Phone Enterprise Apps&quot;" />

Manifest: PublisherID

In order to test Company Hub apps, the PublisherID in WMAppManifest and AppxManifest must match the certificate

WMAppManifest.xml

<App ProductID="{B316008A-141D-4A79-810F-8B764C4CFDFB}"
     Title="Sample.Application"
     RuntimeType="Silverlight"
     Version="1.0.0.0"
     Genre="apps.normal"
     Author="Sample author"
     Description="Sample description"
     Publisher="Contoso Publisher"
     PublisherID="{0076563F-0000-0000-0000-000000000000}">

AppxManifest.xml

<mp:PhoneIdentity PhoneProductID="{B316008A-141D-4A79-810F-8B764C4CFDFB}"
                  PublisherID="{0076563F-0000-0000-0000-000000000000}" />

App deployment

App is packaged, signed, and published to the company’s store

Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub

Validated for signature, an associated AET, and allowed capabilities

[Diagram, steps 1 to 3. Labels: Enterprise Service, App, XAP, APPX, NEW, Email/Browser/MDM/Company Hub, Windows Phone 8]

App ingestion and certification

App ingestion is owned exclusively by the enterprise
• Apps are not submitted to Windows Phone Store
• The company is responsible for the quality of their apps and the impact to the user

The Windows Phone Marketplace Test Kit is useful to evaluate apps
• Images, capabilities, error handling, memory usage, API checks, startup perf, etc.

Capabilities are limited to the same as standard marketplace apps
• Enforced on the phone at app install time

Apps must specially handle ID_CAP_LOCATION usage
• Prompt for user approval and give the user an option to disable

App launch

User launches an enterprise app via the shell or an API

Publisher ID is extracted and used to find the associated AET

AET must be present and valid (not expired, revoked or disabled)

[Diagram, steps 1 to 3. Labels: Windows Phone 8, Execution Manager, Enterprise Service]

Phone home

Phone sends device ID, publisher IDs, and enterprise app IDs

Phone receives status for each enterprise

Apps of invalid enterprises are blocked from being installed or launched

Scheduled daily, plus each enrollment

After 7 consecutive failed attempts, the install of enterprise apps is blocked, but the launch of installed apps still works

[Diagram, steps 1 and 2. Labels: Windows Phone Services]


Demo

Unmanaged App deployment on Windows Phone 8.1

Phone home – sample protocol

[Figure: sample Request and Response]

Restricting Apps with Allow/Deny Lists

Create allow or deny lists to manage apps on your Windows Phones
• Use app deny lists when you know the list of apps that you want to deny (block) and want to allow all other apps
• Use app allow lists when you know the list of apps that you want to allow and want to deny all other apps

Allow/Deny List - Sample

<?xml version="1.0" encoding="utf-8"?>
<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Deny>
    <App ProductId="{619c483b-ba14-432c-8611-dd6a6aa08888}" /><!-- Games App -->
    <App ProductId="{deedfbce-0ecf-410d-ab0e-5d9fa1253786}" /><!-- Sports App -->
    <App ProductId="{92381d1f-6b8a-455a-94d9-0f41d2d97cd0}" /><!-- Social Media app -->
    <Publisher PublisherName="Contoso">
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1150}" /><!-- Expense app -->
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1155}" /><!-- Audio app -->
    </Publisher>
  </Deny>
</AppPolicy>
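A way to check an app inventory against a deny policy like the sample above before pushing it to phones. This is an added example, not code from the original deck; it assumes that a `Publisher` entry under `Deny` blocks every app from that publisher except its `AllowApp` entries, and the function name, the inventory and its publisher names are constructed for illustration.

```powershell
# Added example (not from the original deck). Evaluation semantics are an
# assumption; the policy is a subset of the slide's sample and the
# inventory below is constructed sample data.
$policyXml = @'
<?xml version="1.0" encoding="utf-8"?>
<AppPolicy Version="1" xmlns="http://schemas.microsoft.com/phone/2013/policy">
  <Deny>
    <App ProductId="{619c483b-ba14-432c-8611-dd6a6aa08888}" />
    <Publisher PublisherName="Contoso">
      <AllowApp ProductId="{b112e297-eb89-4618-8ff7-b452037e1150}" />
    </Publisher>
  </Deny>
</AppPolicy>
'@

function Test-PhoneAppPolicy {
    param([xml]$Policy, [string]$ProductId, [string]$PublisherName)

    $deny = $Policy.DocumentElement['Deny']
    if ($null -eq $deny) { throw 'This example only evaluates <Deny> policies.' }

    # Explicit per-app deny entries.
    foreach ($app in $deny.GetElementsByTagName('App')) {
        if ($app.GetAttribute('ProductId') -eq $ProductId) {
            return 'Blocked (app on deny list)'
        }
    }
    # Publisher-wide deny, with AllowApp exceptions.
    foreach ($pub in $deny.GetElementsByTagName('Publisher')) {
        if ($pub.GetAttribute('PublisherName') -ne $PublisherName) { continue }
        foreach ($ok in $pub.GetElementsByTagName('AllowApp')) {
            if ($ok.GetAttribute('ProductId') -eq $ProductId) {
                return 'Allowed (publisher exception)'
            }
        }
        return 'Blocked (publisher on deny list)'
    }
    return 'Allowed (not listed)'
}

# Constructed inventory: two IDs from the slide, two made-up IDs.
$inventory = @(
    @{ Name = 'Games app';         Publisher = 'Fabrikam'; ProductId = '{619c483b-ba14-432c-8611-dd6a6aa08888}' }
    @{ Name = 'Expense app';       Publisher = 'Contoso';  ProductId = '{b112e297-eb89-4618-8ff7-b452037e1150}' }
    @{ Name = 'Other Contoso app'; Publisher = 'Contoso';  ProductId = '{00000000-0000-0000-0000-000000000001}' }
    @{ Name = 'Unlisted app';      Publisher = 'Fabrikam'; ProductId = '{00000000-0000-0000-0000-000000000002}' }
)
foreach ($app in $inventory) {
    [pscustomobject]@{
        App      = $app.Name
        Decision = Test-PhoneAppPolicy -Policy $policyXml -ProductId $app.ProductId -PublisherName $app.Publisher
    }
}
```

The third inventory row is the case to watch: a publisher-level deny blocks every app from that publisher that is not explicitly listed as an exception, including ones added after the policy was written.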


Wrap Up

Looking forward…

Convergence for LOB app deployment
Certs, Enrollment, OMA-DM protocol, WNS, …

App management of Store apps

Better LOB app and data protection

Support more customer scenarios
More secure/isolated environments, flexible cert management, …

More policies/settings to push to LOB app


Resources

Windows Client
• Windows Sideloading: http://aka.ms/lanmep
• AppLocker Step-by-Step Guide: http://aka.ms/X21isi
• Notification Services: http://aka.ms/Iqqonk

Windows Phone
• Company app distribution: http://aka.ms/wp8companyhub
• Create a Company Hub App blog: http://aka.ms/E7c6xc
• MDM whitepaper: http://aka.ms/V0h3v6


© 2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.