Side Loading Deployment of Windows Store Apps in Enterprises – Step by Step
If you want to deploy Windows Store Apps in enterprises, Windows 8 provides a concept called “Side Loading”, which is described in this article, at least.
Basically, when preparing side loading, you will have to build the package, sign it and deploy it. Please note, there are several ways do side-load the app.
Right now, deployment can be done by executing power shell scripts, by using of SCOM or it can be distributed on the Windows image itself.
There are many articles which describe all of these procedures, but surprisingly all of them targets deployment with developer license key. That means, you will commonly run Visual Studio, create the package and finally run the auto-generated power shell script.
All this looks intuitive and very easy. Basically, you don’t have to do anything. Visual Studio will take care about everything. Period.
Unfortunately, described deployment helps to try side-loading. For this purpose the key called code signing key will be generated, which unfortunately cannot be used in the real production environment? This key will run under developer license. Developer license is usually valid 30 days if created by Visual Studio. However if it is created by using the store directly, it is valid 90 days.
In this article I will try to describe all required steps which are required for production environment.
To deploy your application in enterprise, you need to do following steps:
- Prepare your machine
- Create enterprise signing certificate
- Enroll Certificate
- Deploy the app
1. Prepare your machine
Before you deploy the app, you need to do some preparation of the machine where the app has to be installed. This procedure is exactly the same one as when deploying with self-signed key for testing purpose.
Side loading works in general on Windows Server 2012 and Windows 8 Enterprise editions if following is satisfied:
a) The machine is domain joined.
b) The group policy is set to Allow trusted apps to install.
To setup group policy open Group Policy editor setting located at
Local Computer Policy | Computer Configuration | Administrative Templates | Windows Components | App Package Deployment.
Navigate to Allow all trusted apps to install and enable it.
This can also be done by setting following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1
For side loading to Windows 8 Pro, Windows RT, or Windows 8 Enterprise, you need to
a) Activate the product key.
b) Set the group policy to Allow trusted apps to install.
As you see side loading on Windows 8 Pro and Windows RT works only if the product key is activated.
Don’t be surprised, side loading on Windows 8 is supported either by Domain Joining or Key activation.
2. Create Enterprise Code Signing Key
One of most important steps which is in fact major prerequisites for side loading is creating of the code signing key. Unfortunately this step is most difficult one and it is not documented well (almost at all).
One possible solution would be to buy code signing key. Unfortunately the certificate with signing key for Windows Store Apps is slightly different than common code-signing certificate. More about this latter in this article.
Most articles which reference to side loading describe how to create Self Signing Key. In fact this key is automatically created by Visual Studio.
After lot of trying I found a way to make all this happen. It is not very easy and it includes multiple steps. I’m sorry for this. Please forgive me, it was not my idea to design it this way :)
To make code signing key (certificate which will envelope the key) you have to have installed corporate Certificate Authority (CA). This article does not cover installation of CA.
Once it is installed there is an old, very old ASP Web application, which is used to request certificates. Following three pictures show several steps in the certificate enrollment process.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/1565.z.png
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/7711.x.png
Go to Create and Submit certificate:
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3782.v.png
Unfortunately this application has few issues. First, it does not provide by default code signing template, which you will need to deploy the app. Second, it does not support Windows Server 2008 Enterprise certificate templates.
It can only deal with Windows Server 2003 Enterprise certificate templates.
Bu never mind. I decided to try 2003 certificate templates. Enrollment process worked fine, but unfortunately the app verification process during side load has failed over and over again.
For this reason I decided for me, “This application is not useful for issuing of code signing certificates for Windows Store Apps ”. If somebody knows how to make this working with this application, I would love to see comments here.
But, don’t wary, there is a better way to complete this story successfully.
Open the MMC and *add-in *called “Certificate Templates” as shown on the picture below.
Click on the node on the picture on the right side and the list of installed templates will appear.
|
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/8666.n.png |
As next, find Code Signing certificate template in the list of templates.
Unfortunately the Code Signing certificate template, which you see in the list in the picture below is not useful for Windows Store Apps. This template is probably used by other certificate authorities when you decide to purchase the certificate by third-party.
In other words, if you use default code signing template side loading will fail.
The reason for this is that certificate for Windows Store Apps requires few more attributes than default template used for code-signing.
To fix this issue, please select the template (right mouse click) and choose “Duplicate”, to create the copy of existing template. You guess, we will extend existing template.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/2860.m.pngm
In dialog on right, you need to select Windows Server 2008 enterprise as shown. In the next step, you have to make few changes in the template, which you have created from default one. Please be careful. Perform exactly described steps. |
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/6562.k.png |
If you make some mistake during making changes, it will be almost impossible (difficult) to figure out why side loading will not work. But, don’t wary. You cannot damage anything in the CA, because you are working with copy of the default template.
As next select Subject Name tab and click “Supply in Request”. This will enforce developer to provide the subject name of the certificate, when certificate is added in the Visual Studio solution.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3872.j.png
The subject which is enforced in the last step will became Common Name attribute known also known CN, which should match to the publisher of the app.
As you might know, publisher can/should be associated with the store, where usually the app will be uploaded. This is shown at the picture on right side. The Common Name (Subject) must equal Publisher Name shown in package manifest. |
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/5466.h.png |
Next picture shows where in certificate will publisher name appear.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/0020.g.png
Note, you don’t have to associate your app with the store account, to make side loading happen. But it is good practice to do this even if you don’t want to publish application
through the store.
It is good to do it, because Publisher will be set on your publicly known organization name, if the app is associated with your public account.
If you do not associate it with the store account the package will contain your user name as a publisher like shown at the next picture.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3718.p.png
Such kind of certificate would not look very professionally when doing roll-outs in big enterprises. This is why it is better to setup organizational account. Even if you use store account
and associate your app with organizational store account, side loading process will remain as it is. No any additional step or tweaks have to be done.
As next you need to enable private key to be exported. If you don’t do this you will not be able to move PFX (code signing certificate) with private key.
|
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/2146.o.png |
In the next step you should give some descriptive name of the template.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/1172.i.png
Later, after certificate is created the template name will appear in the certificate as shown at the picture below on right.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/4810.u.png
Optionally you can set expiration date. Default is one year. Now, you have to enable Basic Constraints Extension. This is what most code signing certificates do not include (at least at time of writing of this article). |
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/0564.y.png |
After applying of this template will appear in the list of all templates.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3660.t.png
As next, refresh the list and select your new template.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/5826.r.png
Finally select it an choose “enable”
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/5775.e.png
This is all what you need to do to create the certificate template. Now, we can finally start with enrollment.
3. Certificate Enrollment
As next, you have to enroll certificate for you app. To do that open certificate management tool on any machine joined to domain. (MMC with user certificate management)
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/0044.w.png
In the MMC you have to select the “Request New Certificate”
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3362.q.png
On the following dialog click “Next”.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/4405.99.png
As next, expand the list of available templates:
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3443.98.png
Select the certificate template to be used for your new certificate.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/4666.97.png
The yellow warning is not an issue. Remember we have chosen for Subject Name “Supply in the Request”. This is what the message above is trying to explain. Ignore this and proceed with “Enroll”.
As next, you can select a friendly name for your certificate.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/4380.96.png
The certificate Friendly Name and Description are attribute which will become consisted part of your certificate after it is enrolled:
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/5850.95.png
As almost last step, you have to enter the Subject Name of the certificate. This name should be the name copied from the App-Package as
I already described above.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3007.94.png
You will probably not believe me, but this is almost all you need to do for enrollment. Sorry :(
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/6237.93.png
The last step is to export certificate with private key. Select your certificate and click “Export”. Then select YES Export Private Key.
This is important, because without private key, certificate can only be used for verification of signature, but not for creating of signature.
Then select PFX format and enter protection password. This should not be a weak password.
When you later select certificate in the app, you will have to enter the password.
Huuhhh. That’s all for enrollment.
3. Deploy the App
The last required step is to deploy the app. This step is exactly as it should be: “simple”. Visual Studio will do all magic.
Open Package Manifest (Package.appmanifest), click on button “Choose Certificate”, browse for certificate file which you have exported in last enrollment step.
Note that after you select certificate, the password has to be entered, which will unlock the key.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/8228.85.png
Once you have entered the password, you will not be asked anymore to do that.
You can simply continue with development and deployment. Right mouse click on App-project,
select store and then “Create App Packages”.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/3157.84.png
In the next dialog choose “NO”, which means you are not going to publish the App in the store.
You just want to create the signed package.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/0676.83.png
Now, select the destination folder of the package and architecture. If you don’t know how to choose proper architecture select “Neutral”. It will work on all architectures.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/4628.82.png
The package is now created in previously specified folder.
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/8304.81.png
Click on URL and notice following files:
http://blogs.msdn.com/resized-image.ashx/__size/550x0/__key/communityserver-blogs-components-weblogfiles/00-00-01-15-70/0044.80.png
If you execute (open) Add-AppDevPackage.ps1 the app will be installed.
Recap
That’s it. I hope this article will help to understand side-load deployment process, which is obviously not easy. In my opinion this process can and must be improved and simplified.
Deploying of an app must not be more complex than development of the app. Right now, I can imagine lot of simple apps made with App-Studio or similar, which are easier to build than to deploy. Of course you don’t have to perform all described steps every time. Deployment itself is easy process.
On the other hand, Store-Concept is great example of simplicity. Unfortunately, deploying an app through store requires integrating of your enterprise concept in the deployment process of Microsoft Store Apps via store. In the real world this does not work, because every enterprise must be process owner of its own deployment process without dependency to any other organization.
Finally, many steps described in this article do not have to be done by every developer or developer at all. Once you have certificate template and certificate deployment is very easy.