Enterprise Development

Cliff Strom and Shawn Henry
Program Managers
Windows Phone
2-014

Agenda

Goals and overview
Account creation and cert acquisition
App enrollment and deployment
App launch and phone home

Enterprise applications

Goals and overview

Companies control which phones may run their apps
Enterprise apps may install and run only on phones that are enrolled with the associated enterprise

Companies control the lifecycle of their apps
No ongoing interaction from Microsoft

Companies control the deployment and distribution
It’s highly recommended to authenticate users prior to app enrollment and app deployment

Enable companies to deploy business applications to their employees privately and securely.

App enrollments and installs require user confirmation
Updates of existing apps can be done silently

Consumer and enterprise data are kept separate
Companies can inventory their own apps, but not marketplace apps

Enable end users to feel in control while preserving a company’s right to protect their data.

Overview

[Diagram: overview flow, steps 1 to 8. Labels: Company, Microsoft, Symantec]

Enterprise applications

Account creation and cert acquisition

Must be a Company account
Publisher name displayed on phone
Company approval required
Private key, CSR, cert are local to PC

Account creation and cert acquisition

Enterprise certificate

Issuer
Validity period
Publisher name
Publisher ID
Enterprise apps EKU

Enterprise applications

App enrollment and deployment

App enrollment and deployment
Managed vs. unmanaged enrollment

Feature                 Managed                  Unmanaged
Enrollment method       Settings applet + MDM    Email/browser
Policy management       Yes                      No
Number of enrollments   Limited to 1             Unlimited
App install method      MDM/company hub          Email/browser/company hub
App inventory           MDM                      No
Silent app updates      MDM                      No
Unenroll                Remote and local         No

Managed enrollment

App enrollment token (AET) is generated once per year
Delivered to the phone over an authenticated channel via email, browser, or MDM
Validated for signature and expiration

App enrollment

[Diagram: app enrollment flow, steps 1 to 3. Labels: Enterprise Service, AET, PublisherID, Email/Browser/MDM, Windows Phone 8]

App ingestion and certification

App ingestion is owned exclusively by the enterprise
Apps are not submitted to Windows Phone Store
The company is responsible for the quality of their apps and the impact to the user

The Windows Phone Marketplace Test Kit is useful to evaluate apps
Images, capabilities, error handling, memory usage, API checks, startup perf, etc.

Capabilities are limited to the same as standard marketplace apps
Enforced on the phone at app install time

Apps must specially handle ID_CAP_LOCATION usage
Prompt for user approval and give the user an option to disable

App is NGEN’ed, signed, and published to the company’s store
Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
Validated for signature, an associated AET, and allowed capabilities

App deployment

[Diagram: app deployment flow, steps 1 to 3. Labels: Enterprise Service, XAP, Email/Browser/MDM/Company Hub, Windows Phone 8]

Enterprise applications

App launch and phone home

User launches an enterprise app via the shell or an API
Publisher ID is extracted and used to find the associated AET
AET must be present and valid (not expired, revoked or disabled)

App launch

[Diagram: app launch flow, steps 1 to 3. Labels: Enterprise Service, Windows Phone 8, Execution Manager]

Phone sends device ID, publisher IDs, and enterprise app IDs
Phone receives status for each enterprise
Apps of invalid enterprises are blocked from being installed or launched
Scheduled daily, plus each enrollment and app install
After 7 consecutive failed attempts, install of enterprise apps is blocked, but launch of installed apps still works

Phone home

[Diagram: phone home exchange, steps 1 and 2. Labels: Windows Phone Services, Request, Response]
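The launch and phone-home rules from the slides above, modelled as an added Python example (not code from the deck or from Microsoft). Class and field names are assumptions, signature checking is reduced to a boolean, and letting a later "valid" status clear an earlier "invalid" one is also an assumption.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

MAX_FAILED_PHONE_HOMES = 7  # slide: installs are blocked after 7 consecutive failures

@dataclass
class Enrollment:
    """Constructed stand-in for an enrolled AET; field names are assumptions."""
    publisher_id: str
    expires: datetime
    signature_ok: bool = True
    invalidated: bool = False  # set when phone home reports the enterprise invalid

    def valid(self, now):
        return self.signature_ok and not self.invalidated and now < self.expires

@dataclass
class Phone:
    enrollments: dict = field(default_factory=dict)
    failed_phone_homes: int = 0

    def enroll(self, aet, now):
        # Enrollment validates the token's signature and expiration.
        if not aet.valid(now):
            return False
        self.enrollments[aet.publisher_id] = aet
        return True

    def phone_home(self, response):
        """response maps publisher_id -> is_valid, or is None if the attempt failed."""
        if response is None:
            self.failed_phone_homes += 1
            return
        self.failed_phone_homes = 0  # only consecutive failures count
        for pid, ok in response.items():
            if pid in self.enrollments:
                self.enrollments[pid].invalidated = not ok

    def can_launch(self, publisher_id, now):
        # The publisher ID taken from the app is used to find the AET.
        aet = self.enrollments.get(publisher_id)
        return aet is not None and aet.valid(now)

    def can_install(self, publisher_id, now):
        # An unreachable service blocks new installs only; launch is unaffected.
        if self.failed_phone_homes >= MAX_FAILED_PHONE_HOMES:
            return False
        return self.can_launch(publisher_id, now)
```

The model shows the asymmetry in the slide: a phone that cannot reach the service keeps running installed enterprise apps, so revocation only takes effect once a phone-home attempt succeeds.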

Phone home – sample protocol

Enterprise Development

Cliff Strom and Shawn Henry
Program Managers
Windows Phone

Building a Company Hub

Signing apps
Generating tokens
Installing and querying apps
Launching apps

Generating tokens

Generating tokens

Start with the .pfx file

Use AETGenerator
"%ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\AETGenerator\Aetgenerator.exe" <<cert file name>> <<password>>

Generate an .aetx file

An AET needs to be generated once per year, when a new cert is acquired from Symantec

Signing apps

Signing apps

Everything with a PE header must be signed, as well as the .xap itself

XapSignTool
Located in the Windows Phone SDK directory
%ProgramFiles(x86)%\Microsoft SDKs\Windows Phone\v8.0\Tools\XapSignTool

Wraps signtool.exe, so that must also be in the path
%ProgramFiles(x86)%\Windows Kits\8.0\bin\x86

Protip: use BuildMDILXap.ps1 in a post-build step

Installing and querying apps

Installing apps

Apps can be installed with InstallationManager.AddPackageAsync()
Returns an IAsyncOperationWithProgress
Attach to the Completed and Progress handlers
Six progress notifications
• 0 Started
• 5 Confirmation dialog is displayed
• 10 User accepts install confirmation, download begins
• 50 App is finished downloading
• 55 App has begun installation
• 100 App installation complete

Querying apps

Installed apps can be enumerated with InstallationManager.FindPackagesForCurrentPublisher()
Retrieves all apps from the same publisher or signed with the same certificate
Including the app making the query

Apps that are currently installing can be enumerated with InstallationManager.GetPendingPackageInstalls()

Protip: In the app manifest, set your PublisherID to the certificate's UID, e.g. {EE6B2808-0000-0000-0000-000000000000}

Launching apps

Launching apps

Apps can be launched with Package.Launch()

Find the package you want with FindPackagesForCurrentPublisher()
Only apps from the same publisher, or signed with the same certificate, can be launched

Enterprise applications

Wrap up

Companies with a Dev Center Company account may acquire enterprise certs from Symantec
Companies choose which phones are allowed to receive their apps via distribution of their AET
Companies own the quality and lifecycle of their apps
Apps can be distributed via email/browser/company hub/MDM
MDM servers can push both policy and applications

© 2012 Microsoft Corporation. All rights reserved. Microsoft, Windows, Windows Vista and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.
