Companies no longer need to release their Windows 8 applications to users through the Windows Marketplace. Windows now offers a new method by which companies can publish and distribute their apps directly to their employees and other users, without waiting in the long Windows Marketplace queue.
Users can install the apps a company publishes only after enrolling their phones for app distribution from that company. To make this possible, the company has to generate an Application Enrollment Token (AET).
Note: The following guide is only for companies that want to provide company app distribution without using a mobile device management (MDM) system such as Windows Intune or System Center 2012 Configuration Manager to manage their phones.
The entire process by which a company establishes a company account, enrolls devices and distributes apps is summarized in the following six sections:
- Registering a company account on Windows Phone Dev Center to acquire an enterprise certificate from Symantec
- Creating an application enrollment token (AET)
- Developing a Company Hub app
- Preparing the apps for distribution
- Enrollment of employees and other users for company app distribution
- Employees and other users installing the company apps by using the Company Hub app
Registering a company account on Windows Phone Dev Center to acquire an enterprise certificate from Symantec
The first step in getting an enterprise certificate is establishing a company account on Windows Phone Dev Center. As part of this process, Symantec validates the company, after which the company account is established.
After establishing a company account, the company must acquire an enterprise mobile code signing certificate from Symantec. This certificate is used later to generate the Application Enrollment Token (AET) and to sign company apps.
Steps to acquire the certificate:
A company must obtain the Publisher ID following the instructions provided on the company’s Dev Center account page.
The next step is to visit the Symantec Enterprise Mobile Code Signing Certificate website and follow the step-by-step instructions to get the certificate.
When prompted, provide your company's Publisher ID as generated by Dev Center. After this process is complete, Symantec generates a certificate that can be imported into the certificate store by following the instructions on the Symantec website under the How to install the Windows Phone Private Enterprise Root and Intermediate certificates section.
In the Certificates snap-in, export the certificate in PFX format and make sure that you export the certificate together with its private key. This PFX file is used to generate the application enrollment token (AET).
Creating the application enrollment token (AET)
After acquiring the mobile code signing certificate from Symantec and exporting the PFX file, the AETGenerator tool provided with the Windows Phone SDK 8.0 can be used to generate the application enrollment token (AET).
The resulting token is used to enroll phones (of employees and other users) into the company account, which is a precondition for installing the applications published by the company.
Developing the company hub app
Apart from developing company-specific apps, a company also creates a Company Hub app, which serves as a portal to company-specific experiences such as current and upcoming events, news, and alerts from the IT department.
At a minimum, a Company Hub must enable users to discover, install, and optionally run the apps created by the company. Employees and other users can also use the Company Hub app to discover, install and run other company apps through the APIs provided by the Windows SDK 8.0.
Getting the company apps ready for distribution
Before an app or a Company Hub app is distributed, a few tasks must be carried out to get the apps ready for distribution. They are as follows:
- Precompile any managed assemblies that are included in the XAP into native code
- Sign the XAP with the PFX file that is exported from the enterprise certificate.
- Precompiling managed assemblies and signing apps can be done by running the BuildMDILXap.ps1 PowerShell script included with Windows Phone SDK 8.0, or from the command line by using MSBuild (only if you build the apps at the command prompt with MSBuild and Visual Studio 2012 Update 2 or later).
- You can also perform these tasks individually by using the MDILXapCompile and XapSignTool command-line tools.
- Once the company apps are prepared for distribution, they must be stored in a secure location: either a secure website that users can access from their phones, or a server that exposes the XAPs through a service.
- The Company Hub should be designed in such a way that it acts as a gateway to help users discover the apps in the secure location and install them from that location.
User enrollment for company app distribution
Once the apps are ready for distribution, users enroll their phones for company app distribution as follows.
- The AET (AET.aetx file) and the Company Hub app XAP are distributed by the company through email or a secure website that users can access from their phones. If a company uses email as its means of distribution, Microsoft recommends that companies apply IRM protection to the mail. Microsoft also insists that the AET file be renamed so that its purpose is clear to users.
- Users tap the AET, or a link to the AET, to enroll their phone for company app distribution.
- Users tap the Company Hub app XAP to install the Company Hub.
- After launching the Company Hub app, users can make use of it to discover, install, and launch company apps.
Note: Users can enroll their phone in multiple company accounts by installing different AETs, as Windows Phones are not restricted to a single company account.
Understanding Company app enrollment
After enrollment, the AET is installed in a secure data store on the phone. Once a day, the phone sends the Publisher ID from the AET to a Microsoft service that confirms that the company account is still valid.
The AET is validated automatically under the following circumstances:
- While enrolling initially (for the first time)
- Before installing an app published and signed by the company
- Before starting a company app that is installed on the phone
- When the phone checks for the company account validity by contacting the Microsoft service
AET validation includes a signature check, a certificate chain validation to a specific root certificate, and a validity period (date) check on the certificate. If AET validation fails in any of these scenarios, the task associated with that scenario fails.
Once a user manually enrolls a phone for company app distribution (by tapping an AET.aetx file on the phone), it stays enrolled for the validity period of the certificate (one year), and users cannot cancel the enrollment through the phone UI after enrolling this way.
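Because the phone re-checks the private key, validity dates and chain of the enterprise certificate at every enrollment, install and launch, it pays to verify the exported PFX before handing it to AETGenerator or XapSignTool. The following PowerShell pre-flight check is an added example, not part of the original guide or of the SDK; the PFX path is a placeholder, and the X509Chain build approximates (it is not identical to) the validation the phone performs.

```powershell
# Added example: pre-flight checks on the exported enterprise code-signing PFX.
# $PfxPath is a placeholder; replace it with the file exported from the snap-in.
param([string]$PfxPath = 'C:\secure\EnterpriseCodeSigning.pfx')

$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString
$cert = New-Object -TypeName System.Security.Cryptography.X509Certificates.X509Certificate2 `
                   -ArgumentList $PfxPath, $pfxPassword
$findings = New-Object System.Collections.Generic.List[string]

# 1. The PFX must carry the private key, or the XAPs and the AET cannot be signed.
if (-not $cert.HasPrivateKey) { $findings.Add('PFX was exported without the private key') }

# 2. Validity window: phones check the dates daily and on every install/launch,
#    so expiry of the one-year certificate breaks installs and launches fleet-wide.
$now = Get-Date
$daysLeft = [int]($cert.NotAfter - $now).TotalDays
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $findings.Add("certificate not currently valid ($($cert.NotBefore) to $($cert.NotAfter))")
} elseif ($daysLeft -lt 30) {
    $findings.Add("certificate expires in $daysLeft days; plan renewal and re-enrollment")
}

# 3. Enhanced Key Usage must include Code Signing (OID 1.3.6.1.5.5.7.3.3).
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
$hasCodeSigning = $eku -and ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq '1.3.6.1.5.5.7.3.3' })
if (-not $hasCodeSigning) { $findings.Add('certificate lacks the Code Signing EKU') }

# 4. The chain must build to the Symantec enterprise root installed earlier.
#    Revocation checking is disabled only so the check can run offline.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    $findings.Add("chain does not build: $status")
}
$rootSubject = if ($chain.ChainElements.Count -gt 0) {
    $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate.Subject
} else { '(no chain)' }

$summary = if ($findings.Count -gt 0) { $findings -join '; ' } else { 'OK' }
[pscustomobject]@{
    Subject       = $cert.Subject
    Thumbprint    = $cert.Thumbprint
    NotAfter      = $cert.NotAfter
    DaysRemaining = $daysLeft
    ChainRoot     = $rootSubject   # compare with the root installed per Symantec's instructions
    Findings      = $summary
}
```

Run the script on the signing workstation before each AET generation or re-signing cycle; a non-OK Findings value explains why enrollment, install or launch would fail on the phones.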
The private key that protects the enterprise certificate should be stored securely. IRM protection should be applied if the AET or the Company Hub XAP is distributed to users of unmanaged phones via email.