Deploying Metro style apps to businesses

In previous posts, we’ve walked through making your apps available directly to customers using the Windows Store. In this post, Arik Cohen, Lead Program Manager for our Commerce and Licensing team, describes how to build, deploy and manage Metro style apps for business customers.


As customers continue developing great Metro style apps that increase employee productivity, we want to take a few minutes to discuss how businesses can best deploy and manage Metro style apps. The information you find here should be helpful to you, whether you're a developer writing an app targeting business users, or an IT admin responsible for deploying the app throughout your company.

When it comes to building a Metro style app for business users, the first thing you should consider—whether you are a developer or an IT admin—is how you'll deploy the app. You have two options available:

  • Make the app available through the Windows Store, which means the app must adhere to the same certification policies and process required for all apps in the Store
  • Build the app internally or sell it directly to the enterprise, which means IT admins must distribute the app directly to end-users within the enterprise, without involving the Store.

Business targeted apps in the Windows Store

If you want to target the broadest set of customers, we recommend you list apps in the Store (presumably in the Business category). Business apps that you distribute through the Store get all of the benefits of any app in the Store. This includes technical and content certification of the app, discoverability of the app on the web, ease of updates to the users of the app, and telemetry and reporting on the acquisition of the apps. Examples of apps that might fall into this category are cloud backed CRM software, hosted inventory software or sales reporting and monitoring software.

You have two options for selling your app on the Store: you can offer your apps for sale directly to the business user, with each individual user making the purchase directly from the Store. Another option is to offer the app as a free download, then manage the sales and licensing directly with the business. Your app would then use authentication to bring specific functionality to each of your customer’s users.

If you want to enforce a volume licensing model based on user counts for business sales, you can use a signed receipt from the Windows Store. This option enables you to securely identify the user running the app. Receipts are a new feature available for apps that users acquire from the Windows Store.

Here is an example of the XML used to identify the app receipt.

 <Receipt xmlns="" Version="1.0" 
ReceiptDate="2012-03-15T11:34:05-08:00" ReceiptDeviceId="b809e47cd0110a4db043b3f73e83acd917fe1336">

The receipt is signed with a standard XML digital signature that you can validate to make sure it came from the Windows Store. The ID of each receipt element is unique per user and per device that acquires the app. You can validate the receipt along with the app’s own authentication model to keep track of how many machines have been activated for a particular business customer. This enables you to bill a business based on the number of “seats” that have run this app.

Direct distribution of a Metro style app

While the Windows Store will be a great way to deploy apps to business customers, there are apps that IT admins will want to distribute directly to the end-users. This option makes sense for custom and proprietary line-of-business (LOB) apps, or enterprise software purchased directly from an ISV.

So, as either a developer at a private corporation or as a commercial developer, if you decide to build a Metro style app for distribution outside of the Windows Store, you should:

  • Validate the technical compliance of the app. The Windows Store certification process helps to deliver trustworthy apps to users. We expect IT admins to demand the same level of quality with the apps that they distribute directly to their users. As mentioned in our previous post on submitting your app to the Windows Store, you can run the Windows App Certification Kit to run the technical certification tests the Windows Store uses, before you submit the app to the Store. It is critical that you run the Windows App Certification Kit on any app before it is distributed to customers. This helps ensure that the app meets the minimum technical expectations of a Metro style app, helps to define consistent experiences, and validates that the app will behave as expected on future versions of Windows. The Dev Center has more information on how to validate your Metro style app with the Windows App Certification Kit.
  • Sign the app. To deploy the package to end-users, your app must be appropriately signed by a Certificate Authority that is trusted by the target PCs. The Publisher Name in the package manifest must match the Publisher Name in the certificate that is used to sign the app. Again, check the Dev Center for additional details on signing the app via Visual Studio.

We recommend that you get your app packages signed with a certificate purchased from a Trusted Authority, and Windows trusts many Certificate Authorities without any additional configuration. If the certificate is from one of these already trusted authorities, you don’t need to deploy and manage additional certificates to the targeted Windows 8 PCs. You also can use your company's internal Certificate Authority to sign the app. If you choose this option, your IT admins need to ensure that the CA certificate is installed in the Windows images of targeted PCs.

Visual Studio provides a self-signing test certificate that you can use for testing apps internally. We recommend you use these certificates ONLY for internal testing and not for broad deployment through the enterprise.

Handing the Metro style app off to an IT Admin

After you make the decision to deliver your Metro style app directly within a corporation (and not through the Store), you need to provide your IT admins the following items to deploy and manage the app:

  • The signed app package(s). There may be different packages for different processor architectures (x86, x64, and/or ARM).
  • The packages for any of the dependencies of your app (for example, Microsoft Windows Library for JavaScript)

IT admins should also check the Windows App Certification Kit results to validate that the app passed the technical requirements of a Metro style app. This will help keep the quality and experience high for the end-users the apps are deployed to.

Preparing target PCs for deployment

IT admins need to make sure that they prepare the PCs where they are going to install the Metro style app. This involves procedures that are slightly different depending on the edition of Windows installed, since the management capabilities vary in each edition.

Preparing PCs for sideloading apps on enterprise PCs

Currently, the Consumer Preview and Windows Server 8 Beta are classified as “enterprise sideloading enabled.” This means that when a PC is domain joined, it can be configured to accept non-Windows Store apps from their IT admin. Moving forward, this functionality to install non-Windows Store Metro style apps will be available for Windows 8 Enterprise Edition and Windows 8 Server editions.

On an enterprise sideloading enabled edition, the IT admins needs to verify:

  • The PC is domain joined.
  • The group policy is set to “Allow all trusted apps to install”.
  • The app is signed by a CA that is trusted on the target PCs

Preparing other PCs

Some business users might not use a PC that supports enterprise sideloading. Common reasons for this are that the edition of Windows that their enterprise uses doesn’t support this, or the IT admins do not manage the PC. This scenario is becoming increasingly common with the growing trend of personal devices used for work.

To enable sideloading of a Metro style app onto a PC:

  • Set Group Policy for “Allow all trusted apps to install”. If you cannot use Group Policy, then you can set this through the following setting: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1
  • Verify that the app is signed by a CA that is trusted on the target machines
  • Activate a special product key by using a script on the target machine to enable sideloading. We'll go into more detail about how the IT admin will acquire the product keys in an upcoming blog post. The product key only needs to be install and activated once on the PC.

Deploying the app

After confirming that the targeted machines meet the requirements, IT admins can deploy Metro style apps to their users. The admins need to decide if they want to deploy the Metro style apps along with the initial Windows image (and be preinstalled for all users) or install them at runtime. If the admins automate the deployment by using a standard Windows management solution (like System Center), then they can automate both the preparation and the installation at runtime. Windows management solutions can either use the native API’s for installing Metro style apps on systems, or they can use the native PowerShell cmdlets supported by Metro style apps.

Deploying the app via the Windows image

IT admins can stage the app by using the App provisioning commands. This allows admins to install the app for every user of the Windows installation when they first sign in. Note that the app will not run until the target computers have been prepared as described above. IT admins can add the apps to a Windows image by:

  • Ensuring the Group Policy or registry key to allow all trusted apps has been set. You can set this by using the following setting: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Appx\AllowAllTrustedApps = 1

  • Use the Deployment Image Servicing and Management (DISM) command-line tool. For example, to install the package into the offline image, open an elevated command prompt and type:

    DISM /Add-ProvisionedAppxPackage /PackagePath:C:\App1.appx /SkipLicense

The app will be installed when any new user signs in to the system at the “Preparing your system” screen.

Deploying the app at runtime

IT admins can also decide to deploy the app during runtime using the appropriate PowerShell cmdlet. This can be done just using PowerShell on its own, or by using any management tool that supports executing PowerShell scripts or cmdlets. For example, from a Windows PowerShell command prompt, type:

add-appxpackage C:\ContosoApp\ExpenseApp.appx

This will install the app only for the current user.

For more information on how an IT admin can manage the apps on Consumer Preview, see How to Add and Remove Apps.

Deploying updates

Deploying updates to the app is done in the same way as deploying an app at runtime. The updates need to be installed per user for each user on a machine. IT admins can detect if the appropriate version of the app is already installed by using the Get-AppXPackage PowerShell cmdlet.

IT admins can force an app update by using this command in a PowerShell command window:

add-appxpackage \\fileserver\ContosoApp\v1.1\ExpenseApp.appx

Apps that the IT admin directly deployed are also updated directly. There is no standard way for the end-user to detect and acquire updates for these apps.

Deploying to Windows RT devices

For Windows RT, we have integrated a new management client that can communicate with a management infrastructure to deliver Metro style apps to users. It provides a more streamlined experience to prepare the machine for enterprise sideloading and enables the user to easily acquire the apps that their IT admins have made available to them. More information about managing your Windows RT PC can be found at the Building Windows 8 blog.

Management of Metro style apps from the Windows Store

Because there will be a rich selection of business related apps in the Windows Store, IT administrators will want to make sure they can enable the Store for their end-users, manage apps delivered from the Store, and help their users better find their business apps.

The Store is enabled by default for Windows 8. To access the store, all the end-user needs is a Microsoft account. IT admins can use familiar tools like AppLocker to allow or restrict apps from the Windows Store. This way, their users get access to the rich variety of apps in the Windows Store, but IT admins can restrict access as needed.

In a tightly managed enterprise, there might be specific situations where IT admins do not want to allow user access to the Windows Store. In this case they can use a group policy to turn off access to the store for those users and/or PCs.

For more information, see Managing the Windows Store.

Flexibility of deployment and management

As you build Metro style apps targeting businesses, you have options on how to make these apps available. You can use the Windows Store to distribute your app, or you can sell directly to a business and allow their IT admins to deploy it. In addition, IT admins have a set of tools and capabilities that enable them to get these apps to the PCs that need them. We look forward to seeing your apps bring about new levels of employee productivity.

-- Arik Cohen