How To: Deploy modern apps for Windows 8 and Windows RT with Configuration Manager
At first glance you could be forgiven for thinking that deploying a Windows 8 to a bunch of enterprise devices is hard, complex or time consuming. The reality is that Windows 8 apps are actually quite easy to deploy once you understand the basic requirements and methods for deployment. The nomenclature that we use here has changed a little since the source of our apps has changed with the Windows Store. Deeplinking is the process of deploying an advertisement through a company portal that an app is available (or recommended you could say) for installation by your company, the application package remains in the store. Sideloading is the process of taking the application package provided to you by your in house Line of Business (LoB) developers or a 3rd party software vendor (ISV). Let’s take a look at both more carefully.
Requirements for modern UI apps
Before we look too deeply (pun intended) at Deeplinking and Sideloading lets look at the requirements for successful installation of a Windows 8 app.
- First you need the appx package files – for store apps these are provided through the Windows Store.
- Second your device needs to trust the signer of the code signing certificate that was used to sign the package, this helps prevents the package from being interfered with, in the case of an app obtained from the Windows Store the Windows Store signs the app and this is trusted by default on all Windows 8 / Windows RT devices.
- Finally any dependancies need to be available, apps created using WinJS, i.e. those created with HTML5 more commonly have the WinJS dependency included with them.
- To install from the Windows Store you need to have a Microsoft account registered with the Windows Store app (note you don’t have to have it linked to your domain account, which is different).
With that understood lets take a look at how we install an app on a device. Typically a user finds the app in the Windows Store and taps Install or Buy, both of which start the app installation although Buy obviously also completes a purchase transaction with the Windows Store. The key thing though is that installing and buying an app are essentially the same process – essentially the user is consenting to the install, and more importantly they are consenting to the association of the app with their personal Microsoft account.
Deeplinking
Now lets consider the Deeplinking process. Deeplinking can be performed using either System Center Configuration Manager 2012 SP1 or Windows Intune for Windows 8 devices. For Windows RT devices System Center Configuration Manager 2012 SP1 can be linked up with Windows Intune to support deeplinking. The two products can also be linked to support Windows 8 clients if you want to centralise management too. I’ve created a series of videos, The Deployment Sessions, that explain how to make the links required and how do the deployments.
Once you’ve decided upon your deployment targets and your deployment method it’s time to build your deployment. The first thing you’ll need to do is to designate a device as your reference device, just as you would for any other type of applications packaging. In this case though you won’t need to run a monitor app to capture what the app is doing. Simply go to the Windows Store and install the app. Now go to a Configuration Manager console and create an application in the Software Library making sure to select Windows app package (in the Windows Store) . You’ll then be asked to specify the location which you do by connecting to your reference computer by name (you’ll need to have run winrm quickconfig on the reference machine first). The wizard will return a list of all the apps installed on the device, then simply select the app you need, complete the Wizard and deploy just like you would any other (msi or App-V) application. Whilst completing the deployment wizard you’ll be able to say if the app should be available or required, normally a required app will be installed for the user and an available app will just appear in the Configuration Manager Application Catalog. However with deeplinked apps this isn’t the case.
When deeplinking in Config Manager 2012 SP1 a required installation will still need user interaction, the store will open for them to the right app but they will have to click / tap Install. This is because the app is being added to their personal Microsoft account so they need to consent. Required then becomes a constant reminder to the user to install the app, and arguably this looses it’s value. Most users are today comfortable with the idea of a store, the device in their pocket almost certainly has one, so self service should be a key consideration in your deployment plan.
Deeplinking with Windows Intune differs from the above in that you don’t need to install the app onto the reference device, you simply need to get the URL for the app from the Windows Store. There are a couple of ways to achieve this, but I commonly email the app to myself using the Share charm. You will also notice that available is the only option within Windows Intune for a deeplinked app.
The only other thing to mention on deeplinking is that it’s available on platforms other than Windows. Deeplinking works for Windows 8, Windows RT, Windows Phone 8 and also for Android from Google Play and for iOS devices from the Apple App Store.
Sideloading
Lets take a look at the Sideloading process. Sideloading is the business of taking an Appx Package which is generated from Visual Studio at build time and installing that package onto a target device. The appx package is signed at the time of building the app by the developer, usually with a certificate issued by your enterprise CA but a certificate issued by any trusted CA can be used. This type of deployment is most commonly used for Line of Business (LoB) apps. As with Deeplinking both Windows Intune and System Center Configuration Manager 2012 Sp1 can be used but also PowerShell can be used.
The first step to Sideloading is to obtain the appx package and to place it on a share that you can access from Configuration Manager or from Windows Intune. The second step is to add the app into the Configuration Manager console and create an application in the Software Library making sure to select Windows app package (appx file) . You’ll then be asked to specify the location of the appx file and specify details about the app. You’ll then need to deploy the app to a collection of users that you want to have access to it. If you want you can also add the app to any Task Sequences you use to deploy your operating systems.
If you’ve chosen to do your deployment to a Windows RT device using Windows Intune and you’re using an enterprise CA to sign the Appx package you’ll need to provide that certificate to your Windows RT devices since they cannot join your domain. Windows Intune takes care of this for you and if you’ve got your Windows Intune account linked to Configuration Manager you can add the certificate you’ll use to sign your apps through the Windows RT tab of your Windows Intune subscription in the Hierarchy Configuration node of the Administration Workspace. Once provided this certificate will be automatically added to your Windows RT device. You’ll also need to provide a Sideloading Product Key which is available from the Volume Licensing Portal in the same place and again Windows Intune will allocate a key and enable sideloading on any enrolled Windows RT devices.
I’ve created an ongoing series of videos on my blog entitled The Deployment Sessions that will walk you through most of the permutations of deployment of Windows 8 apps, using Configuration Manager 2012 Sp1 and Windows Intune.