Deploying enterprise apps
Enterprise apps usually fall into one of two categories: apps you deploy to users outside of your company (including customers and business partners), and apps you deploy only to users within your company.
If you want to make your app available to people outside of your company, your best option is to list the app in the Windows Store. In that case, you can follow the regular process for submitting an app.
If you’re writing a proprietary line-of-business app, it’s likely that you want to deploy it yourself within your company—a process called enterprise sideloading. Sideloaded apps do not need to be published to the Windows Store, and they can be developed without using a registered Windows Store developer account.
Here are the steps you follow to deploy apps through enterprise sideloading.
Before deploying an app within your enterprise, verify that it:
- Meets the base technical expectations that are validated by the Windows App Certification Kit. For information on running the certification kit, see Using the Windows App Certification Kit.
- Meets all guidelines specific to deploying the app within your enterprise. It is important to remember that these apps will not have been certified by Microsoft.
- Is signed by a certification authority that is trusted on your PCs. This certificate does not have to be rooted to a trusted certification authority; it just has to be trusted by your PCs. The Publisher Name in the package manifest must match the Publisher Name in the certificate that is used to sign the app package. Windows trusts many Certificate Authorities without any additional configuration. If the certificate is from one of these already trusted authorities, you don’t need to deploy and manage additional certificates to the targeted PCs. You also can use your company's internal Certificate Authority to sign the app, as long as you ensure that the CA certificate is installed in the Windows images of the targeted PCs.
Windows Server 2012 and Windows 8 Enterprise editions are classified as "enterprise sideloading enabled." This means that the PCs are ready to receive the apps that you deploy outside of the Windows Store. To make sure a PC is ready, verify that:
- The PC is domain joined.
- The group policy is set to Allow trusted apps to install.
If you are deploying apps to Windows 8 Pro, Windows RT, or Windows 8 Enterprise, you can configure them for sideloading apps by:
- Activating the product key for enterprise sideloading on each PC.
- Setting the group policy to Allow trusted apps to install.
You can deploy an app to prepared PCs either by using the Windows image or at run time. Deploying the app via the image makes it available to all existing and future users who access the machine, while deploying at run time makes it available only to the current user.
To deploy the app through the Windows image:
Ensure the Group Policy or registry key to allow all trusted apps has been set. You can do this by using the following setting:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1
Use the Deployment Image Servicing and Management (DISM) command-line tool. For example, to install the package into the offline image, open an elevated command prompt and type:
DISM /Add-ProvisionedAppxPackage /PackagePath:C:\App1.appx /SkipLicense
To deploy the app at run time, use the appropriate Windows PowerShell cmdlet. You can do this by using PowerShell or any management tool that supports executing PowerShell scripts or cmdlets. For example, from a PowerShell command prompt, type:
You deploy updates for an app in the same way that you deploy the app at run time. The updates must be installed per user for each user on a machine.