Company app distribution for Windows Phone
August 19, 2014
Windows Phone enables companies to publish and distribute Windows Phone apps directly to their employees or other users, bypassing the Windows Phone Store. Users can install apps published by their company only after they enroll their phones for app distribution from that company; users who are not enrolled cannot install the company apps.
For more information about all the aspects of using Windows Phone in your company, see Windows Phone for business.
This section of the documentation provides guidance about company app distribution for companies that are not using Windows Intune or System Center 2012 Configuration Manager to manage phones. Companies that use one of these mobile device management (MDM) systems should refer to the following articles for guidance about company app distribution:
There are some general steps that companies must follow to establish a company account, enroll devices, and distribute apps to their enrolled devices. The following sections provide an overview of this process:
The company registers a company account on Windows Phone Dev Center and acquires an enterprise certificate from Symantec.
The company creates an application enrollment token (AET).
The company develops a Company Hub app.
The company prepares their apps for distribution.
Employees (or other users) enroll for company app distribution on their phones and install the company apps by using the Company Hub app.
Registering on Windows Phone Dev Center and acquiring the enterprise certificate
To begin, the company must establish a company account on Windows Phone Dev Center. As part of establishing the account, the company is validated by Symantec. For more information about registering for a Dev Center account, see Registration info. For more information about how a company account is verified, see Validation of company accounts.
After a company account is established, the company must acquire an enterprise mobile code signing certificate from Symantec. The company needs this certificate to generate an Application Enrollment Token (AET) and sign company apps. To acquire the certificate:
Obtain the Publisher ID for the company as provided on the company’s Dev Center account page.
Visit the Symantec Enterprise Mobile Code Signing Certificate Web site, and complete the required steps to acquire an enterprise mobile code signing certificate. When requested, specify the Publisher ID provided by Dev Center for your company. When this process is complete, Symantec will deliver a certificate that can be imported into the certificate store on a computer. For instructions to import the certificate, see How to install the Windows Phone Private Enterprise Root and Intermediate certificates on the Symantec Web site.
In the Certificates snap-in on the computer where the certificate is imported, export the certificate in PFX format. Be sure to export the private key with the certificate. The PFX file will be used to generate an application enrollment token (AET) and sign company apps. For more information about exporting the certificate in PFX format, see Export a Certificate with the Private Key.
Creating the application enrollment token (AET)
After the company acquires an enterprise mobile code signing certificate from Symantec and exports a PFX file from the certificate, the company uses the AETGenerator tool provided by the Windows Phone development tools to generate an application enrollment token (AET). The AET is used to enroll phones in the company account, which is a prerequisite for installing apps published by the company.
For more information about creating the AET, see How to generate an application enrollment token for Windows Phone.
Developing the Company Hub
In addition to developing company-specific apps that will be installed and used by employees or other users, the company typically also develops a Company Hub app: an app that acts as a portal to company-specific experiences on the phone.
At a minimum, a Company Hub should enable users to discover, install, and optionally run the apps created by the company. Company Hubs can also provide other company-specific experiences or features, such as displaying current company news, upcoming company events, and alerts from the IT department.
The Windows Phone development tools provide APIs that you can use to discover, install, and run other company apps from a Company Hub app. For more information, see Developing a Company Hub app for Windows Phone.
Preparing company apps for distribution
Before distributing an app or a Company Hub app to users, companies must prepare the app for distribution by performing the following tasks:
Precompile any managed assemblies that are included in the XAP into native code.
Sign the XAP with the PFX file that is exported from the enterprise certificate.
The Windows Phone development tools provide command-line tools that you can use to perform either of these tasks separately, and they also provide a Windows PowerShell script that can optionally be used to automate both of these tasks. For more information, see Preparing company apps for distribution for Windows Phone.
After preparing company apps for distribution, the company should store the apps in a secure location, such as a secure web site that users can access from their phones or a server that provides access to the XAPs through a service. The Company Hub should be designed to discover the apps in the secure location and install apps from that location.
Enrolling users for company app distribution
After the company apps are ready for distribution, users can enroll their phones for company app distribution and install the apps:
The company distributes the AET (AET.aetx file) and the Company Hub app XAP to users via email or a secure web site that users can access from their phones. If the company uses email to distribute the XAP, Microsoft recommends that the company apply IRM protection to the email. Microsoft recommends that companies rename the AET file to make the purpose of the file clearer to users (for example, ContosoAppEnrollment.aetx).
Users tap the AET (or the link to the AET) from their phone to enroll their phone for company app distribution.
Windows Phones are not restricted to a single company account. Users can enroll a phone in multiple company accounts by installing different AETs.
Users tap the Company Hub app XAP to install the Company Hub.
Users launch the Company Hub and use it to discover, install, and launch company apps.
After a user enrolls a phone for company app distribution, the AET is installed to a secure data store on the phone. Once a day, the phone sends the Publisher ID from the AET to a Microsoft service that confirms that the company account is still valid.
During the following scenarios, the phone automatically attempts to validate the AET:
During the initial enrollment process.
Before an attempt to install an app published and signed by the company.
Before an attempt to start a company app that is installed on the phone.
When the phone contacts the Microsoft service to determine whether the company account is still valid.
The validation of the AET includes a signature validation, a certificate chain validation to a specific root certificate, and a date check on the validity period of the certificate. If the AET fails to validate during any of these scenarios, the task associated with the scenario fails.
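The phone's AET validation (signature, chain to a specific root, validity period) depends on the enterprise certificate being in good shape before it is ever fed to AETGenerator or used to sign a XAP. The following PowerShell script is an added example, not part of this documentation or the Windows Phone tools; it runs the same three classes of check against the exported PFX on the administrator's computer. The PFX path, password and expected root thumbprint are placeholders you must supply.

```powershell
# Added example (not Microsoft tooling): pre-flight checks on the exported enterprise
# certificate PFX before AET generation or XAP signing. All three parameters are
# placeholders; the root thumbprint is that of the Symantec root you installed.
param(
    [string]$PfxPath = 'C:\enterprise\contoso-codesign.pfx',
    [string]$PfxPassword = 'PLACEHOLDER-PFX-PASSWORD',   # prefer Read-Host -AsSecureString in practice
    [string]$ExpectedRootThumbprint = 'PLACEHOLDER-ROOT-THUMBPRINT'
)

$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
    -ArgumentList $PfxPath, $PfxPassword
$problems = @()

# 1. The PFX must carry the private key, or AETGenerator and XAP signing cannot use it.
if (-not $cert.HasPrivateKey) {
    $problems += 'PFX does not contain the private key; re-export it with the private key.'
}

# 2. Validity period: the phone rejects the AET (and app installs/launches) once it expires.
$now = Get-Date
if ($now -lt $cert.NotBefore -or $now -gt $cert.NotAfter) {
    $problems += "Certificate is outside its validity period ($($cert.NotBefore) to $($cert.NotAfter))."
}
$daysLeft = ($cert.NotAfter - $now).Days
if ($daysLeft -le 30) {
    $problems += "Certificate expires in $daysLeft days; plan renewal and AET redistribution."
}

# 3. The certificate must be usable for code signing (EKU 1.3.6.1.5.5.7.3.3).
$codeSigningOid = '1.3.6.1.5.5.7.3.3'
$eku = $cert.Extensions |
    Where-Object { $_ -is [System.Security.Cryptography.X509Certificates.X509EnhancedKeyUsageExtension] }
if (-not $eku -or -not ($eku.EnhancedKeyUsages | Where-Object { $_.Value -eq $codeSigningOid })) {
    $problems += 'Certificate lacks the Code Signing enhanced key usage.'
}

# 4. Chain validation to the expected root, mirroring what the phone does for the AET.
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
$chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.StatusInformation.Trim() }) -join '; '
    $problems += "Certificate chain does not build: $status"
} else {
    $root = $chain.ChainElements[$chain.ChainElements.Count - 1].Certificate
    if ($root.Thumbprint -ne $ExpectedRootThumbprint) {
        $problems += "Chain ends at '$($root.Subject)' ($($root.Thumbprint)), not the expected root."
    }
}

if ($problems.Count -eq 0) {
    Write-Host "OK: $($cert.Subject) is usable for AET generation and XAP signing ($daysLeft days left)."
} else {
    $problems | ForEach-Object { Write-Warning $_ }
    exit 1
}
```

Revocation checking is disabled so the script runs offline; the phone's own daily check against the Microsoft service is what catches a revoked or closed company account.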
After a user manually enrolls a phone for company app distribution by tapping an AET.aetx file on their phone, the phone is automatically enrolled for as long as the certificate is valid (one year). After enrolling for company app distribution by this process, users cannot unenroll their phone by using the phone UI.
Microsoft recommends that companies adhere to the following guidelines:
Store the private key of the enterprise certificate (and the exported PFX file that contains it) securely.
Windows Phone does not currently support using an HSM (hardware security module) for storing the private key.
If the AET or Company Hub XAP is distributed to users of unmanaged phones via email, apply IRM protection to the email.