Deploying Metro style apps to businesses


In previous posts, we’ve walked through making your apps available directly to customers using the Windows Store. In this post, Arik Cohen, Lead Program Manager for our Commerce and Licensing team, describes how to build, deploy and manage Metro style apps for business customers.

–Antoine



As customers continue developing great Metro style apps that increase employee productivity, we want to take a few minutes to discuss how businesses can best deploy and manage Metro style apps. The information you find here should be helpful to you, whether you’re a developer writing an app targeting business users, or an IT admin responsible for deploying the app throughout your company.

When it comes to building a Metro style app for business users, the first thing you should consider—whether you are a developer or an IT admin—is how you’ll deploy the app. You have two options available:

  • Make the app available through the Windows Store, which means the app must adhere to the same certification policies and process required for all apps in the Store
  • Build the app internally or sell it directly to the enterprise, which means IT admins must distribute the app directly to end-users within the enterprise, without involving the Store.

Business targeted apps in the Windows Store

If you want to target the broadest set of customers, we recommend you list apps in the Store (presumably in the Business category). Business apps that you distribute through the Store get all of the benefits of any app in the Store. This includes technical and content certification of the app, discoverability of the app on the web, ease of updates to the users of the app, and telemetry and reporting on the acquisition of the apps. Examples of apps that might fall into this category are cloud backed CRM software, hosted inventory software or sales reporting and monitoring software.

You have two options for selling your app on the Store: you can offer your apps for sale directly to the business user, with each individual user making the purchase directly from the Store. Another option is to offer the app as a free download, then manage the sales and licensing directly with the business. Your app would then use authentication to bring specific functionality to each of your customer’s users.

If you want to enforce a volume licensing model based on user counts for business sales, you can use a signed receipt from the Windows Store. This option enables you to securely identify the user running the app. Receipts are a new feature available for apps that users acquire from the Windows Store.

Here is an example of the XML used to identify the app receipt.

    <Receipt xmlns="http://schemas.microsoft.com/windows/2012/store/receipt" Version="1.0"
             ReceiptDate="2012-03-15T11:34:05-08:00" ReceiptDeviceId="b809e47cd0110a4db043b3f73e83acd917fe1336">
      <AppReceipt
        Id="182A6BB6-A7CE-4040-94E9-44AF572D7FD5"
        AppId="contoso.SalesApp_5q2xcn1j1t576"
        LicenseType="Full"
        PurchaseDate="2012-03-14T15:48:12-08:00"/>
    </Receipt>

The receipt is signed with a standard XML digital signature that you can validate to make sure it came from the Windows Store. The ID of each receipt element is unique per user and per device that acquires the app. You can validate the receipt along with the app’s own authentication model to keep track of how many machines have been activated for a particular business customer. This enables you to bill a business based on the number of “seats” that have run this app.
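
The validation and seat counting described above, as an added example that is not code from the original post or from the Windows Store. It assumes Windows PowerShell 5.1 or later; the function names, the customer name and the throwaway RSA key that stands in for the Store's signing key are hypothetical, and the receipt values are the sample shown above.

```powershell
# Added example, not Windows Store code. The receipt values are the sample from
# this page; the RSA key is a constructed stand-in for the Store's signing key.
Add-Type -AssemblyName System.Security   # provides System.Security.Cryptography.Xml

function ConvertTo-ReceiptDocument([string]$Xml) {
    $doc = [System.Xml.XmlDocument]::new()
    $doc.PreserveWhitespace = $true   # whitespace is part of what was signed
    $doc.LoadXml($Xml)
    return ,$doc
}

function Test-ReceiptSignature([System.Xml.XmlDocument]$Doc,
        [System.Security.Cryptography.AsymmetricAlgorithm]$Key) {
    $sig = $Doc.GetElementsByTagName('Signature', 'http://www.w3.org/2000/09/xmldsig#')
    if ($sig.Count -ne 1) { return $false }   # unsigned, or more than one signature
    $signed = [System.Security.Cryptography.Xml.SignedXml]::new($Doc)
    $signed.LoadXml([System.Xml.XmlElement]$sig.Item(0))
    $refs = $signed.SignedInfo.References
    # The single reference must cover the whole document (URI=""), so no
    # unsigned element can sit beside the signed one.
    if ($refs.Count -ne 1 -or $refs[0].Uri -ne '') { return $false }
    return $signed.CheckSignature($Key)
}

function Register-Seat([hashtable]$Seats, [string]$Customer, [string]$ReceiptXml,
        [System.Security.Cryptography.AsymmetricAlgorithm]$Key, [string]$AppId) {
    $doc = ConvertTo-ReceiptDocument $ReceiptXml
    if (-not (Test-ReceiptSignature $doc $Key)) { return 'rejected: signature' }
    $app = $doc.GetElementsByTagName('AppReceipt').Item(0)
    if ($null -eq $app -or $app.GetAttribute('AppId') -ne $AppId) {
        return 'rejected: receipt is for another app'
    }
    if (-not $Seats.ContainsKey($Customer)) {
        $Seats[$Customer] = [System.Collections.Generic.HashSet[string]]::new()
    }
    # The receipt Id is unique per user and device, so a repeat adds no seat.
    [void]$Seats[$Customer].Add($app.GetAttribute('Id').ToUpperInvariant())
    return "accepted: $($Seats[$Customer].Count) seat(s) for $Customer"
}

# --- Constructed test data: sign the page's sample receipt with a throwaway key ---
$sample = @'
<Receipt xmlns="http://schemas.microsoft.com/windows/2012/store/receipt" Version="1.0" ReceiptDate="2012-03-15T11:34:05-08:00" ReceiptDeviceId="b809e47cd0110a4db043b3f73e83acd917fe1336">
  <AppReceipt Id="182A6BB6-A7CE-4040-94E9-44AF572D7FD5" AppId="contoso.SalesApp_5q2xcn1j1t576" LicenseType="Full" PurchaseDate="2012-03-14T15:48:12-08:00"/>
</Receipt>
'@
$key = [System.Security.Cryptography.RSACng]::new(2048)
$doc = ConvertTo-ReceiptDocument $sample
$signer = [System.Security.Cryptography.Xml.SignedXml]::new($doc)
$signer.SigningKey = $key
$ref = [System.Security.Cryptography.Xml.Reference]::new()
$ref.Uri = ''
$ref.AddTransform([System.Security.Cryptography.Xml.XmlDsigEnvelopedSignatureTransform]::new())
$signer.AddReference($ref)
$signer.ComputeSignature()
[void]$doc.DocumentElement.AppendChild($doc.ImportNode($signer.GetXml(), $true))
$wire = $doc.OuterXml                                # what the app would send to the server
$edited = $wire.Replace('182A6BB6', '00000000')      # receipt Id changed after signing

$seats = @{}
$appId = 'contoso.SalesApp_5q2xcn1j1t576'
Register-Seat $seats 'Contoso' $wire   $key $appId   # first activation of this seat
Register-Seat $seats 'Contoso' $wire   $key $appId   # same receipt again: no new seat
Register-Seat $seats 'Contoso' $edited $key $appId   # digest no longer matches
```

In production the key passed to the check would come from the Store's published signing certificate rather than from a key generated locally.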

Direct distribution of a Metro style app

While the Windows Store will be a great way to deploy apps to business customers, there are apps that IT admins will want to distribute directly to the end-users. This option makes sense for custom and proprietary line-of-business (LOB) apps, or enterprise software purchased directly from an ISV.

So, as either a developer at a private corporation or as a commercial developer, if you decide to build a Metro style app for distribution outside of the Windows Store, you should:

  • Validate the technical compliance of the app. The Windows Store certification process helps to deliver trustworthy apps to users. We expect IT admins to demand the same level of quality with the apps that they distribute directly to their users. As mentioned in our previous post on submitting your app to the Windows Store, you can run the Windows App Certification Kit to run the technical certification tests the Windows Store uses, before you submit the app to the Store. It is critical that you run the Windows App Certification Kit on any app before it is distributed to customers. This helps ensure that the app meets the minimum technical expectations of a Metro style app, helps to define consistent experiences, and validates that the app will behave as expected on future versions of Windows. The Dev Center has more information on how to validate your Metro style app with the Windows App Certification Kit.
  • Sign the app. To deploy the package to end-users, your app must be signed with a certificate issued by a Certificate Authority that is trusted by the target PCs. The Publisher Name in the package manifest must match the Publisher Name in the certificate that is used to sign the app. Again, check the Dev Center for additional details on signing the app via Visual Studio.

We recommend that you get your app packages signed with a certificate purchased from a trusted Certificate Authority. Windows trusts many Certificate Authorities without any additional configuration, so if the certificate is from one of these already trusted authorities, you don’t need to deploy and manage additional certificates to the targeted Windows 8 PCs. You also can use your company’s internal Certificate Authority to sign the app. If you choose this option, your IT admins need to ensure that the CA certificate is installed in the Windows images of targeted PCs.

Visual Studio provides a self-signed test certificate that you can use for testing apps internally. We recommend you use these certificates ONLY for internal testing and not for broad deployment through the enterprise.

Handing the Metro style app off to an IT Admin

After you make the decision to deliver your Metro style app directly within a corporation (and not through the Store), you need to provide your IT admins the following items to deploy and manage the app:

  • The signed app package(s). There may be different packages for different processor architectures (x86, x64, and/or ARM).
  • The packages for any of the dependencies of your app (for example, Microsoft Windows Library for JavaScript)

IT admins should also check the Windows App Certification Kit results to validate that the app passed the technical requirements of a Metro style app. This will help keep the quality and experience high for the end-users the apps are deployed to.

Preparing target PCs for deployment

IT admins need to make sure that they prepare the PCs where they are going to install the Metro style app. This involves procedures that are slightly different depending on the edition of Windows installed, since the management capabilities vary in each edition.

Preparing PCs for sideloading apps on enterprise PCs

Currently, the Consumer Preview and Windows Server 8 Beta are classified as “enterprise sideloading enabled.” This means that when a PC is domain joined, it can be configured to accept non-Windows Store apps from their IT admin. Moving forward, this functionality to install non-Windows Store Metro style apps will be available for Windows 8 Enterprise Edition and Windows 8 Server editions.

On an enterprise sideloading enabled edition, IT admins need to verify:

  • The PC is domain joined.
  • The group policy is set to “Allow all trusted apps to install”.
  • The app is signed by a CA that is trusted on the target PCs

Preparing other PCs

Some business users might not use a PC that supports enterprise sideloading. Common reasons for this are that the edition of Windows that their enterprise uses doesn’t support this, or the IT admins do not manage the PC. This scenario is becoming increasingly common with the growing trend of personal devices used for work.

To enable sideloading of a Metro style app onto a PC:

  • Set Group Policy for “Allow all trusted apps to install”. If you cannot use Group Policy, then you can set this through the following setting: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1
  • Verify that the app is signed by a CA that is trusted on the target machines
  • Activate a special product key by using a script on the target machine to enable sideloading. We’ll go into more detail about how the IT admin will acquire the product keys in an upcoming blog post. The product key only needs to be installed and activated once on the PC.

Deploying the app

After confirming that the targeted machines meet the requirements, IT admins can deploy Metro style apps to their users. The admins need to decide whether to deploy the Metro style apps along with the initial Windows image (so that they are preinstalled for all users) or install them at runtime. If the admins automate the deployment by using a standard Windows management solution (like System Center), then they can automate both the preparation and the installation at runtime. Windows management solutions can either use the native APIs for installing Metro style apps on systems, or they can use the native PowerShell cmdlets supported by Metro style apps.

Deploying the app via the Windows image

IT admins can stage the app by using the App provisioning commands. This allows admins to install the app for every user of the Windows installation when they first sign in. Note that the app will not run until the target computers have been prepared as described above. IT admins can add the apps to a Windows image by:

  • Ensuring the Group Policy or registry key to allow all trusted apps has been set. You can set this by using the following setting: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1
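  • Using the Deployment Image Servicing and Management (DISM) command-line tool. DISM needs to be told which image to service, so the command below names the directory where the offline image is mounted; C:\mount\offline is a placeholder for your own mount directory. For example, to install the package into the offline image, open an elevated command prompt and type:

    DISM /Image:C:\mount\offline /Add-ProvisionedAppxPackage /PackagePath:C:\App1.appx /SkipLicense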

The app will be installed when any new user signs in to the system at the “Preparing your system” screen.

Deploying the app at runtime

IT admins can also decide to deploy the app during runtime using the appropriate PowerShell cmdlet. This can be done just using PowerShell on its own, or by using any management tool that supports executing PowerShell scripts or cmdlets. For example, from a Windows PowerShell command prompt, type:

    Add-AppxPackage C:\ContosoApp\ExpenseApp.appx

This will install the app only for the current user.

For more information on how an IT admin can manage the apps on Consumer Preview, see How to Add and Remove Apps.

Deploying updates

Deploying updates to the app is done in the same way as deploying an app at runtime. The updates need to be installed per user for each user on a machine. IT admins can detect if the appropriate version of the app is already installed by using the Get-AppXPackage PowerShell cmdlet.

IT admins can force an app update by using this command in a PowerShell command window:

    Add-AppxPackage \\fileserver\ContosoApp\v1.1\ExpenseApp.appx

Apps that the IT admin directly deployed are also updated directly. There is no standard way for the end-user to detect and acquire updates for these apps.
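
The preparation checks and the version-aware update described in the sections above, combined into one script. This is an added example, not code from the original post; the function names are hypothetical, the package path is the one used in the command above, and the publisher comparison is a simplified string match.

```powershell
# Added example: check sideloading prerequisites, then install only if needed.
Add-Type -AssemblyName System.IO.Compression.FileSystem

function Get-AppxIdentity([string]$PackagePath) {
    # An .appx is a ZIP container; AppxManifest.xml holds the <Identity> element.
    $zip = [System.IO.Compression.ZipFile]::OpenRead($PackagePath)
    try {
        $entry = $zip.GetEntry('AppxManifest.xml')
        if ($null -eq $entry) { throw "No AppxManifest.xml in $PackagePath" }
        $reader = [System.IO.StreamReader]::new($entry.Open())
        try { $manifest = [xml]$reader.ReadToEnd() } finally { $reader.Dispose() }
    } finally { $zip.Dispose() }
    $id = $manifest.GetElementsByTagName('Identity').Item(0)
    [pscustomobject]@{
        Name      = $id.GetAttribute('Name')
        Publisher = $id.GetAttribute('Publisher')
        Version   = [version]$id.GetAttribute('Version')
    }
}

function Test-SideloadReadiness([string]$PackagePath) {
    # Policy value named in the post: ...\Appx\AllowAllTrustedApps = 1
    $policy = Get-ItemProperty -Path 'HKLM:\Software\Policies\Microsoft\Windows\Appx' `
        -Name AllowAllTrustedApps -ErrorAction SilentlyContinue
    # Status is 'Valid' only when the signature verifies and chains to a trusted root.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    $identity = Get-AppxIdentity $PackagePath
    # Simplified comparison (assumption): ignore spacing around commas and case.
    $normalize = { param($dn) ("$dn" -replace '\s*,\s*', ',').Trim() }
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '' }
    [pscustomobject]@{
        PolicyEnabled    = [bool]($policy -and $policy.AllowAllTrustedApps -eq 1)
        DomainJoined     = [bool](Get-CimInstance Win32_ComputerSystem).PartOfDomain
        SignatureValid   = ($sig.Status -eq 'Valid')
        PublisherMatches = ((& $normalize $identity.Publisher) -eq (& $normalize $signer))
        Identity         = $identity
    }
}

function Install-LobAppIfNeeded([string]$PackagePath) {
    $check = Test-SideloadReadiness $PackagePath
    if (-not ($check.PolicyEnabled -and $check.SignatureValid -and $check.PublisherMatches)) {
        Write-Warning "Prerequisites not met for $PackagePath"
        return $check            # caller can see which check failed
    }
    # Get-AppxPackage reports packages for the current user only, which matches
    # the per-user installation described above.
    $installed = Get-AppxPackage -Name $check.Identity.Name |
        Sort-Object { [version]$_.Version } | Select-Object -Last 1
    if ($installed -and [version]$installed.Version -ge $check.Identity.Version) {
        return "Already at $($installed.Version); nothing to do"
    }
    Add-AppxPackage -Path $PackagePath
    return "Installed $($check.Identity.Name) $($check.Identity.Version)"
}

Install-LobAppIfNeeded '\\fileserver\ContosoApp\v1.1\ExpenseApp.appx'
```

DomainJoined is reported but not enforced, because the post describes a separate product-key path for PCs that are not domain joined.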

Deploying to Windows RT devices

For Windows RT, we have integrated a new management client that can communicate with a management infrastructure to deliver Metro style apps to users. It provides a more streamlined experience to prepare the machine for enterprise sideloading and enables the user to easily acquire the apps that their IT admins have made available to them. More information about managing your Windows RT PC can be found at the Building Windows 8 blog.

Management of Metro style apps from the Windows Store

Because there will be a rich selection of business related apps in the Windows Store, IT administrators will want to make sure they can enable the Store for their end-users, manage apps delivered from the Store, and help their users better find their business apps.

The Store is enabled by default for Windows 8. To access the store, all the end-user needs is a Microsoft account. IT admins can use familiar tools like AppLocker to allow or restrict apps from the Windows Store. This way, their users get access to the rich variety of apps in the Windows Store, but IT admins can restrict access as needed.

In a tightly managed enterprise, there might be specific situations where IT admins do not want to allow user access to the Windows Store. In this case they can use a group policy to turn off access to the store for those users and/or PCs.

For more information, see Managing the Windows Store.

Flexibility of deployment and management

As you build Metro style apps targeting businesses, you have options on how to make these apps available. You can use the Windows Store to distribute your app, or you can sell directly to a business and allow their IT admins to deploy it. In addition, IT admins have a set of tools and capabilities that enable them to get these apps to the PCs that need them. We look forward to seeing your apps bring about new levels of employee productivity.

— Arik Cohen

Comments (16)

  1. commongenius says:

    How do we deploy apps outside of the Windows Store without using group policy or needing the PC to be domain joined?

  2. Atul Gupta says:

    Most of this discussion is around Metro apps only. Since Windows 8 is expected to support regular LOB (non metro) apps as well, how do we install them? Can we go to desktop mode and directly run the setup.exe?

  3. Tim Anderson says:

    If the SSP for Windows RT also works on x86, why not use that instead of the mechanism outlined here?

    Is there any auto-update for apps deployed via SSP?

    Tim

  4. davis says:

    No declarative group policy deployment? I mean PowerShell isn't difficult, but it's against the spirit of GP and GP Policy Extensions…

  5. Aroush says:

    Finally!!

    My questions are answered!

    Whoehoe!  🙂

    I'm VERY pleased!

    Great job guys!

  6. Finally…it is SOOO good to see that you're supporting side loading. This feature needs to be extended to WP7/WP8 as well. I belong to an organization that creates member-only software, but doesn't run a central IT department to manage members' machines. Right now they've only released Windows, Linux, and Windows Mobile versions of their software. While I'm not privy to the details, the lack of side-load-ability is probably something that is delaying (prohibiting) releases for other platforms.

  7. AwesomePossumPie! says:

    I am so glad you made side-loading of metro apps so simple and straightforward. It's point-click-and-shippable! Now I no longer control what and when my apps get installed. I must bow to my IT department that they will take the time out to look up the convoluted steps in this process and perform them. And if I'm a smaller business that doesn't use Windows 8 Enterprise Edition and want to load my in-house-built app (because I'm a hobbyist and build productivity apps on the side) I can't unless I put them in the app store. Congratulations! You've taken "you're holding it wrong" to a whole new level!

  8. Metro Apps have no use and won't work in Business Environment and this is coming from a guy who is 25 years in IT. Real world business world is much different than what Microsoft Guide Book says. Naturally every new change of Windows UI was a step forward since Windows 1.0. However with Metro Microsoft is back to where they started with Windows releases. There is no multitasking concept with Metro, everything has to run in full screen which is terrible. Windows 8 fails every usability test. You cannot apply world of Tablets and Smart Phones to Desktop and Server environment. Windows 8 brings unnecessary duplications. Metro Start Screen gets in the way of what user is trying to accomplish. Metro Start Screen looks plain ugly and boring. Scaling is broken with it. It beats the purpose of having high resolution monitors, bigger doesn't mean easier to access. It feels clunky with mouse and keyboard. Idea of touch screens in Desktop environment is quite stupid. Sounds great on paper but unusable compared to the mouse which is the best device for such things. Touch would only apply to environment where no Monitor exists, virtual reality or in small devices such as Tablets and Smart Phones.

    Applications the Business world runs are much more complex and they are not written using HTML 5 with Javascript and some C#.

    Metro IE does not provide better and richer experience compared to Desktop IE for running web sites so as such it is just duplication. Yes it exists on Smart Phone because that is only thing available there but no need to bring such mess to Desktop which is already application rich platform. Bottom line stick with Windows 7 until MS decides to get Metro out of Windows Desktop/Server.

    Just to update definition for Microsoft and many others -> PC is not a Tablet or Smart Phone. Tablets and Smartphones belong to category called PM -> Personal Mobile.

  9. bnm says:

    only 8 comments after all this time?!!! don't you realise it's a failure before launch?

  10. Aroush says:

    @red77star

    Congratulations, you're victim nr 4562365987 of the Apple propaganda machine, making you believe that a tablet is some "third category device".  I hope you realise one day that the ONLY reason apple calls it that is because they still want you to buy imacs and macbooks.

    It's ironic that the company that gloats every time it coins the term "post-pc device", is the same company that markets a tablet incapable of actually replacing PCs.

    Windows 8 is exactly that: an OS that enables a tablet to actually replace your clunky desktop or laptop.

    Your 25 years of experience is actually more of a sign that you are stuck in your old ways.  Humans are habit-animals.  They don't like change.  But you have no choice.  The new generation of Homo Sapiens that is currently in high-school looks at your clunky desktop and thinks "that is sooooo yesterday" while holding a tablet.

    These are the people you will be hiring tomorrow.

    @bnm: more people are actively using win8 beta than there were people actively using win7 beta.  If that is any indication at all, it is that win8 will blow away any tablet currently on the market.  Failure before launch you say?  Let's talk again in April 2013.

  11. Tony says:

    Hi Arik

    I'm just wondering about developers that are subscribed to the phone store.  I assume that at some point these stores will be merged but will you need subscriptions for both stores or one unified subscription?

  12. Chriswin says:

    It's a proven fact that app development does not make money (arstechnica.com/…/ios-app-success-is-a-lottery-and-60-of-developers-dont-break-even.ars). The potential is still there but platform owners like apple, MSFT etc are not being very innovative or engaging to help developers monetize and continue to make money, and make windows ecosystem more compelling.

    Please add the following features to the store:

    1. Demo Videos within the screen shot and description section. Animation ads have higher click through rate online and prove to be far more compelling.

    2. Increase app pricing to allow developers to break even quicker and hedge against monetary inflation also allow flexible pricing model to fight against currency fluctuations/risks by allowing a range for increasing and decreasing prices based on anticipated currency fluctuations.

    3. Have dedicated windows store magazine app or website, filled with articles relative to the software development, from consumer, business, IT and NPA/NGP/government specific apps. or revamp "Redmond magazine"/"visual studio magazine" to allow engagement between users and software producers.

    4. Discount by 5% for use of Microsoft advertising to promote apps. help developers market their products, offer a paid short course if you have to.

    5. Publish problems on the magazine app from society, business, governments etc that need a software solution, this will function like a 'think tank' where user post the problems and seeking solutions, any developer that solves this gets rewarded from purchases. Remember products (including software products) solve problems in society that’s how to make money, not some massaging app that no one needs or solve any problem.

    6. offer a paid course on how to design apps and make money, and how to manage design projects, maintain and further develop apps, consumer relationship management, ethics, international commercial law topics such as copyrighting, patents, sale/licensing contracts etc. this very very important since it seems most app developers lack a lot of professionalism and it's visible through the products they come up with and how they engage with the end user.

    7. Increase the number of payment methods, have ISP carrier billing (broadband cell phone companies using cell phone call credits), many developing country users don’t have access to credit cards, and therefore won't be able to buy anything from the store, else have a direct cash bank deposit to an account in that country. Do whatever it takes to have anyone in any country pay for the app they need else all your efforts will be fruitless.

    8. Allow desktop apps in the store too, but use the affiliate commission model so MSFT can earn for each purchase. The reason so many desktop developers are moving from windows to iOS and android is because they were not making money because there was no central store even though Vista was supposed to have including windows 7 but it never came to pass, which drove developers away, so please have desktop apps in the store too, and have a blog on how to update old desktop apps for new windows and hardware (dual core etc) they have invested a lot of time and money on, allow them get a return on previous windows investments. Along the way they start creating metro apps too.

    9. 'Click to compare' features are also very important, in this case user can only compare apps in the same category e.g () one way to achieve automatically is by allowing developers fill in an app feature form. this will then be compared to other similar apps under the same category.

    10. 4 rating stars should be 1. MSFT technical rating (how well it fits into your criteria of how an app should be using a technical perspective) 2. consumer rating 3. tech community rating (other developers in the windows store can rate it) 4. average of the three above.

    11. the ability to sell bundle apps at discount price and option to sell individually

  13. Konstantinos says:

    I don't know where to post this so here you go:

    I want to ask you to implement some features in Win8. First of all, I have a fear that removing the start button is NOT a good move (especially when I see no real need to remove it).

    Then, I want you to evolve the keyboard layout system by allowing Windows to accept keyboard layout DLLs that export "KbdLayerDescriptor" (old type DLLs) and a new type of DLL that will export a function that accepts the key code and the modifiers and outputs a string. This new type of DLL is NEEDED to create keyboard layouts with chained dead keys that also allow processing on the (past and present) user's input (e.g. elimination of chained dead keys order importance), provide flexible output, allow implementation of keyboard state memory, etc. The way keyboard layouts work today, writing in ancient Greek, Latin, etc requires superhuman memory to remember countless dead keys. A sample Visual Studio project implementing the new type of keyboard layout DLL would be nice too.

    IE9 and later has been greatly improved in the UI, but I think you need to improve more the performance and the delay when opening and closing tabs (e.g. add more parallelism, hide the closing tab first and then shut it down in the background). Also, I have noticed that IE9 changes the rendering of some HTML content when the user selects it. I think this is a big bug. I also think that it would be nice for IE to be able to load .NET or native addons and you to provide samples on how to write an addon (I know there is addon support for IE but judging from the number and quality of the existing addons, I don't think the current interface or documentation is good enough).

    Next, I want you to improve the CHM reader (hh.exe) and the CHM compiler (hhc.exe of HTML Help Workshop) in Windows. CHM files are WIDELY used today and your OS has problems dealing with them. First of all, when a CHM file is located in a path that contains the '#' character the reader fails to read the HTML pages inside it. Also, the reader uses an older version of IE (as far as I have understood) and does not render correctly the HTML pages, does not support Javascript and generates REALLY annoying error messages when javascript code tries to execute. Also the compiler (hhc.exe) has MANY problems, as well as the HTML Workshop itself. I have bothered writing an app that replaces HTML Help Workshop and uses hhc.exe to compile the CHM but the bugs in hhc.exe were more than I thought. Can you please fix any of these?

    Also, it would be nice if you made the Windows "snipping tool" able to record video from the screen.

  14. Konstantinos says:

    "Also, I have noticed that IE9 changes the rendering of some HTML content when the user selects it."

    On that, here is what you need to reproduce the bug:

    netload.in/…/Desktop.rar.htm

  15. michael says:

    again – no answers!

    By the way, certificates are a rip-off. MS should provide them free of charge.

  16. gmax@ngs.ru says:

    Is Release Preview classified as “enterprise sideloading enabled”?

    We can't run an application anymore.

    And what is the product key? How to create it and sign the application?

    Thanks!