Companies no longer need to release Windows 8 applications to their users through the Windows Marketplace. Windows has introduced a new method through which companies can publish and distribute their apps directly to their employees and other users without waiting in the long Windows Marketplace queue.
Users can install the apps published by the company only after enrolling their phones for app distribution from their company. To make this possible, the company has to generate an Application Enrollment Token (AET).
Note: The following instructions are only for companies that need to distribute company apps without using a mobile device management (MDM) system such as Windows Intune or System Center 2012 Configuration Manager to manage their phones.
The entire process for a company to establish a company account, enroll devices and distribute apps is summarized in six sections for better understanding. They are as follows:
- Registering a company account on Windows Phone Dev Center to acquire an enterprise certificate from Symantec
- Creating an application enrollment token (AET)
- Developing a Company Hub app
- Preparing the apps for distribution
- Enrollment of employees and other users for company app distribution
- Employees and other users installing the company apps by using the Company Hub app
Registering a company account on Windows Phone Dev Center to acquire an enterprise certificate from Symantec
The first step in getting an enterprise certificate is establishing a company account on Windows Phone Dev Center. As part of this process, the company is validated by Symantec, after which the company account is established.
After establishing a company account, the company must acquire an enterprise mobile code signing certificate from Symantec. This certificate will be used later to generate the Application Enrollment Token (AET) and to sign company apps.
Steps to acquire the certificate:
- Obtain the Publisher ID by following the instructions provided on the company’s Dev Center account page.
- Visit the Symantec Enterprise Mobile Code Signing Certificate website and follow the step-by-step instructions to get the certificate.
- When asked, provide your company’s Publisher ID generated by Dev Center. After this process is complete, Symantec generates a certificate that can be imported into the certificate store by following the instructions given on the Symantec website under the "How to install the Windows Phone Private Enterprise Root and Intermediate certificates" section.
- In the Certificates snap-in, export the certificate in PFX format and ensure that you are exporting the certificate along with the private key. This PFX file will be used to generate the application enrollment token (AET).
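As an added example (not from the original post or the Windows Phone SDK), the following PowerShell function checks the exported PFX before it is used: that the private key is present, that the certificate is inside its validity period, and that its chain builds against the root and intermediate certificates installed on this machine. The function name `Test-EnterprisePfx`, the `WarnDays` threshold and the sample path are assumptions for illustration.

```powershell
# Added example: sanity-check the exported PFX before using it to generate
# the AET or sign XAPs. Test-EnterprisePfx and the sample path are hypothetical.
function Test-EnterprisePfx {
    param(
        [Parameter(Mandatory = $true)] [string] $PfxPath,
        [int] $WarnDays = 30   # assumed renewal warning threshold
    )

    # Prompt for the password so it never lands in shell history or a script file.
    $pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

    $path = (Resolve-Path -LiteralPath $PfxPath).Path
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 `
        -ArgumentList $path, $pfxPassword

    # Build the chain against this machine's certificate stores. This succeeds only
    # if the root and intermediate certificates were imported as described above.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # structure only, works offline
    $chainOk = $chain.Build($cert)

    $now = Get-Date
    $remaining = $cert.NotAfter - $now

    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        HasPrivateKey = $cert.HasPrivateKey   # must be True, see the export step
        InValidity    = ($cert.NotBefore -le $now) -and ($now -le $cert.NotAfter)
        DaysLeft      = [int][math]::Floor($remaining.TotalDays)
        ExpiresSoon   = $remaining.TotalDays -lt $WarnDays
        ChainOk       = $chainOk
        ChainProblems = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Usage (placeholder path):
# Test-EnterprisePfx -PfxPath 'C:\secure\company-enterprise.pfx'
```

This is a workstation-side check only; the phone performs its own AET validation when it enrolls.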
Creating the application enrollment token (AET)
After acquiring the mobile code signing certificate from Symantec and exporting the PFX file from the certificate, the AETGenerator tool provided by the Windows Phone SDK 8.0 can be used to generate the application enrollment token (AET).
The token this tool generates is used to enroll phones (of employees and other users) into the company account, which is a precondition for installing the applications published by the company.
Developing the company hub app
A company, apart from developing company-specific apps, will also create a Company Hub app, which serves as a portal to company-specific experiences such as current and upcoming events, news and alerts from the IT department.
At a minimum, a Company Hub should enable users to discover, install, and optionally run the apps created by the company. Employees and other users can also use this Company Hub app to discover, install and run other company apps using the APIs provided by the Windows SDK 8.0.
Getting the company apps ready for distribution
Before an app or a Company Hub app is distributed, a few tasks should be carried out to get the apps ready for distribution. They are as follows:
- Precompile any managed assemblies that are included in the XAP into native code.
- Sign the XAP with the PFX file that is exported from the enterprise certificate.
- Precompiling managed assemblies and signing apps can be done by running BuildMDILXap.ps1 PowerShell script that is included with Windows Phone SDK 8.0 or from the command line by using MSBuild (only if you are building the apps at the command prompt by using MSBuild and Visual Studio 2012 Update 2 or later).
- You can also perform these tasks individually by using MDILXapCompile and XapSignTool command-line tools.
- Once the company apps are prepared for distribution, they must be stored in a secure location, which can be either a secure website that users can access from their phones or a server that provides access to the XAPs through a service.
- The Company Hub should be designed in such a way that it acts as a gateway to help users discover the apps in the secure location and install them from that location.
User enrollment for company app distribution
Once the apps are ready for distribution, users can enroll their phones for company app distribution as follows.
- The AET (AET.aetx file) and the Company Hub app XAP are distributed by the company through email or a secure website that users can access from their phones. If a company uses email as its means of distribution, Microsoft recommends that the company apply IRM protection to the mail. Moreover, Microsoft also insists that the AET file be renamed so that the purpose of the file is clear to the users.
- The AET or the link to the AET can be tapped by the users to enroll their phone for company app distribution.
- The Company Hub app XAP can be tapped to install the Company Hub.
- After launching the Company Hub app, users can make use of it to discover, install, and launch company apps.
Note: Users can enroll their phone in multiple company accounts by installing different AETs, as Windows Phones are not restricted to a single company account.
Understanding Company app enrollment
After the user enrollment is done, the AET is installed to a secure data store on the phone. Once a day, the phone sends the Publisher ID from the AET to a Microsoft service that confirms the validity of the company account.
The AET validation is done automatically under the following circumstances:
- While enrolling initially (for the first time)
- Before installing an app published and signed by the company
- Before starting a company app that is installed on the phone
- When the phone checks for the company account validity by contacting the Microsoft service
The AET validation includes a signature check, a certificate chain validation to a specific root certificate, and a validity period (date) check on the certificate. If the AET validation fails during any of these scenarios, the task associated with the scenario fails.
Once a user enrolls a phone manually for company app distribution (by tapping an AET.aetx file on their phone), it remains automatically enrolled until the end of the certificate's validity period (one year), and users cannot cancel their enrollment by using the phone UI after enrolling through this process.
The private key which protects the enterprise certificate should be stored securely. IRM protection should be applied if the AET or Company Hub XAP is distributed to users of unmanaged phones via email.
Interesting information! For most company-developed Windows Phone apps, approval from the Windows Store matters a lot. Here I found information on how to proceed without waiting for app approval from the app store. Thanks, it has been explained clearly.
Thanks SChris! Hope this post was helpful. Stay tuned here for more updates.
It's very effective for all app developers, especially the companies that focus on Windows Phone app development. The apps that are deployed usually get approved from Windows Marketplace, but here I read an informative post. Will be sharing among my fellow developers.
Thanks for your comments @Sudhanthira!
Very interesting and informative blog. Before reading this blog, even I was not aware that Windows Phone 8 apps can be applied without queuing!
Now, I learnt it! Thanks Ramanathan.
Thanks @Sarmano! That the post was helpful for you to learn!
Really very nice blog post on Windows development and hope it will be useful to all.
This is the first time I came to learn a new thing, that a Windows Phone app release needs no approval. I read the blog entirely and found fruitful information. I also understand well that only a company that has enrolled its phones with a company account can proceed to install the apps published by the company. That’s great!
Thanks for the post.
Thanks for your comment Ramprabhu. We are happy that the post was helpful to you.
Great post. Looking forward to more unique posts like this.
Great post! This gives more information about Windows Phone 8 app release; creating a hub and releasing an official app is now so easy! Thanks for the post!
You are so awesome! I don’t believe I have read through something like that before. So great to discover somebody with unique thoughts on Windows Phone 8. Really, many thanks for starting this up. This web site is something that is needed on the internet, someone with a little originality!
Very nice write-up. I absolutely appreciate this site.
Thanks for the great info, but I have a question. How do I validate if the AET.aetx file is working properly? This has been my problem for almost a month now. Our company gave me an AET.aetx file and instructed me to install it on my Windows Phone device via our company portal. After I installed it, my next action was to install the application (appx) by accessing it through our company portal, but the device shows a toast message such as “Can’t install company app there’s a problem with this company app. Contact your company’s support person for help”.
Please help me. thanks.
Hi, thanks for your appreciation. For the AET.aetx file validation, we would suggest generating a new AET.aetx (Application Enrollment Token). Otherwise, as per the instruction you get, contact your company’s support person for it.
We have listed the scenarios under which the AET will be validated automatically. Kindly check it out as well for clarification.
Thanks Ramanathan. Is there a free or trial Symantec mobile certificate (pfx) for me to try to create an AET file and follow the above procedures? I already emailed the support group of our company regarding this matter, but there has been no fruitful response yet. I was also willing to try it on my own, but I can’t afford the price of Symantec certification.