Plan for App Deployment
Applies To: Windows 8.1
When you plan Windows Store apps deployment in education you can use the Windows Store or sideloading to deploy apps during or after operating system deployment, and you can choose your deployment method based on technical skill required, deployment lifecycle, infrastructure, and so on.
As the first step in deploying Windows Store apps, Amy and Mark review the methods available. Amy and Mark discover that they can deploy Windows Store apps by using the Windows Store, sideloading, or a combination of the two. Amy and Mark considered the information in the following sections when planning their app deployment.
Overview of user accounts used in Windows Store app deployment
Windows 8.1 supports a superset of the user accounts supported in the Windows 7 operating system. The following is a list of the user account types that Windows 8.1 supports:
- Windows account. This account is stored locally on the Windows 8.1 device (local Windows account) or in an on-premises Active Directory Domain Services (AD DS) domain. This account is identical to the user accounts Windows 7 uses. For domain-joined devices, you can centrally provision and manage Windows accounts by using on- or off-premises AD DS domains.
Note
You can use a Windows account to log on to a Windows 8.1 computer but not to access the Windows Store.
Microsoft account. This Internet-based account is used to access the Windows Store or other services that use Microsoft accounts (previously known as the Windows Live ID). This account is used to locate, install, and update Windows Store apps. You can associate a Microsoft account with an existing Windows account.
When users create a Microsoft account, they are asked to verify the account information. This process is done by sending an email to the account with a hyperlink to verify the information.
Users can also designate devices that are trusted by them. This allows users to specify specific devices that are available for performing administrative tasks, such as changing user information or their password.
Only one Microsoft account can be associated with a Windows account at a time, but you can change the Microsoft account associated with a Windows account at any time. You cannot centrally provision and manage Microsoft accounts. Instead, users will need to obtain their own Microsoft account.
Microsoft accounts cannot be centrally managed—that is, IT cannot create and manage them. Instead, each user is responsible for creating and managing their Microsoft account.
Microsoft accounts in the United States comply with the Children’s Online Privacy Protection Act (COPPA) regarding online account creation for children under 13 years of age. To verify that an adult is giving a child permission to create a new Microsoft account, COPPA requires that a small amount ($0.50) be charged to the adult’s credit card.
Note
You can use a Microsoft account to log on to a Windows 8 computer. A Microsoft account is also required to access the Windows Store.
- Windows Azure Active Directory account. This Internet-based account is stored in the Windows Azure AD service (which might have been migrated from or integrated with an on-premises AD DS infrastructure). Microsoft Office 365 and Windows Intune use the Windows Azure AD service to store credentials, and you can centrally provision and manage Windows Azure AD accounts.
Note
You cannot use a Windows Azure AD account to log on to a Windows 8.1 device. You can only use a Windows Azure AD account to access services, such as Office 365 and Windows Intune.
You can use the email address associated with a Windows Azure AD account (for example, an Office 365 email address) to create a Microsoft account, but associating the two accounts does not allow for synchronization of the credentials, as there are still two separate credential stores and the accounts remain separate and distinct.
Plan for Windows Store app deployment
The Windows Store is a digital distribution system. It is the primary distribution platform for the new types of applications available in Windows 8.1 and Windows RT called Windows Store apps. However, publishers can also use the Windows Store to provide listings for desktop applications certified to run on Windows 8.1 devices and can find links to the developer’s website for more information or to purchase the desktop application.
After you use your Microsoft account to purchase an app from the Windows Store, you can install it on up to 81 devices (for Windows 8, the limit was five devices). Users can open Your apps (acquired by the Microsoft account) in the Windows Store (as Figure 1 shows) to install apps from the Windows Store on other devices, view all of their apps, and see which apps are installed on their devices. Web apps and desktop applications are not displayed in Your apps.
.png)
Figure 1. Your apps in the Windows Store
Amy and Mark review the features and benefits, listed in Table 1, of using Windows Store for app deployment.
Table 1. Windows Store App Deployment Features and Benefits
| Feature | Description | ||
|---|---|---|---|
App installation |
|
||
App update |
After an app is installed, updates to the app are automatically detected and installed. This is a change in behavior from Windows 8, where the user was notified of the updates in the Store app, then installed the updated version of the app from the Windows Store. In Windows 8, the user initiated the installation, and there was no method to push app updates. As mentioned, Windows 8.1 updates apps automatically, ensuring that users run the latest versions. App updates can be installed regardless of whether the user has a Microsoft account. |
||
Microsoft account integration |
|
||
App purchase |
With Windows 8.1, the Windows Store makes the purchase of paid apps and in-app purchases more accessible. In the Windows Store, users are able to:
When users enter a redeemable code into their account, the specified amount is added to the stored value associated with the their Microsoft account. The users can then apply the credit to purchases on other Microsoft platforms, such as Windows Phone, that are accessed with the same account. When a user decides to purchase an app, the stored account value is treated as the default payment method, provided that the balance is not zero. If there are insufficient funds to complete the transaction, the Windows Store prompts the user to cover the remainder by using an alternative payment method.
|
||
Privacy and protection |
The Windows Store shows content (such as screenshots or app descriptions) for apps that is appropriate for people 12 years of age and older. This means that users can browse apps for audiences 16 years of age and older in the Windows Store, but the content shown for the apps is approved for those 12 years of age and older. Note In some countries, the standards for considering content inappropriate vary. Check the regulations for a specific country to determine the level of appropriateness of content.
The Windows Store app certification process includes a step that scans the app for malware to help prevent uploading infected apps to the Windows Store. For details, see Certify your app. |
||
Discovery and information |
The Windows Store categorizes and catalogs apps by type. You can also find apps by searching the store. The Windows Store provides app previews and reviews, but there is no method for viewing the Windows Store through a web browser at this time. You also cannot filter apps by categories or types. Category and type metadata is for informational purposes only. |
.gif)
NoteAmy and Mark also review the high-level process for using the Windows Store to deploy an app:
- Sign up for a Microsoft account.
Note
There is a limit to the number of Microsoft accounts users can create from a specific IP address each day. Currently, that number is three Microsoft accounts. Contact Microsoft Support if you receive an error indicating that you cannot create more accounts at the IP Whitelist exception site.
Configure security appliances to support the Windows Store (such as firewalls or web proxies).
Associate the Microsoft account from step 1 with the appropriate Windows account.
Find apps in the Windows Store.
Purchase apps from the Windows Store.
Install apps from the Windows Store.
For details on how to use the Windows Store to deploy an app, see Use Only the Windows Store.
Plan for app sideloading
Sideloading is a process for installing Windows Store apps without using the Windows Store. To sideload an app, you must have access to the app installation files (.appx and related files), which you can obtain from the app developer (either internally or from an independent software vendor). You cannot obtain app installation files to be used for sideloading through the Windows Store.
For apps you install by sideloading, you are responsible for validating and signing them, as sideloading bypasses the validation requirements of the Windows Store. Also, you are responsible for deploying any app updates to their users.
IT pros often perform sideloading by using an enterprise app store. An enterprise app store provides similar features to the Windows Store but is exclusive to an organization. You can create such a store by using an electronic distribution system, such as Microsoft System Center 2012 R2 Configuration Manager or Windows Intune. An enterprise app store allows you to manage the app through the entire software life cycle, including deployment, updates, supersedence, and uninstallation.
Note
A Windows account can be a domain-based account or a local account. You can associate a Microsoft account with either type of Windows accounts.
Types of sideloading available include:
Deploy an app to all Windows accounts on a device. This method allows you to deploy the app to all Windows accounts on targeted devices when you want to include one or more apps as a standard part of the user experience on the device. Conceptually, these apps are similar to the Windows 8 built-in apps and are also known as provisioned apps. Only 24 provisioned apps can be installed in an image. This is a common scenario when multiple students or faculty members use a shared device. Use this method as a part of the image-creation process, not for the ongoing management of apps on an existing operating system.
Deploy an app to a specific Windows account on a device. This method allows you to selectively deploy apps to specific Windows accounts. Conceptually, these apps are similar to those obtained through the Windows Store and are also known as installed apps. The apps must be deployed to each Windows account on a device.
Amy and Mark review the types of sideloading in the previous list to identify which is best for their needs. Ultimately, they decide that a combination of both types is required. Amy and Mark also read that before they can sideload an app, they must make certain that the apps and Windows 8 devices are ready for sideloading. Amy and Mark reviewed the following app prerequisites:
Prerequisites for running a sideloaded app. Table 2 lists the prerequisites for running a sideloaded app.
Table 2. Prerequisites for Running a Sideloaded App
| Prerequisite | Description |
|---|---|
All devices |
Enable the Allow all trusted applications to install Group Policy setting. For more information how to enable this setting, see the To set Group Policy for sideloading section. |
Device that is not domain joined running Windows 8.1 Enterprise or devices running Windows 8.1 Pro or Windows RT 8.1 |
Activate a sideloading product key for each device:
You can upgrade an existing Windows 8 edition to Windows 8 Pro by purchasing the appropriate upgrade. Upgrades to Windows 8.1 Enterprise are available based on Microsoft Volume Licensing agreements. |
Running a sideloaded app. After you install a sideloaded app on a device, the app tile on the Start screen shows an X in the bottom right corner of the tile until the device meets all sideloading requirements. The X indicates that a problem is preventing the app from running.
Certificate used for app signing. The devices running the app must trust the root certification authority (CA) for the certificate used for app signing. This trust is typically accomplished by signing the application with a certificate from a trusted CA or by adding the root CA to the trusted root in the certificate store on the targeted devices. The app developer is responsible for ensuring that the app is properly signed.
The following is a list of the technologies you can use to perform app sideloading:
Command line. Sideload apps by using Deployment Image Servicing and Management (DISM), the Add-AppxProvisionedPackage Windows PowerShell cmdlet, or the Add-AppxPackage Windows PowerShell cmdlet. To provision an app to:
All users on a device, use DISM or the Add-AppxProvisionedPackage cmdlet
A specific user on a device, use the Add-AppxPackage cmdlet
Microsoft Deployment Toolkit (MDT) 2013. MDT automates provisioning apps to all users on a device during the operating system deployment process. MDT allows you to create a list of applications that can be selected at the time of deployment and provides a unified console for managing apps during operating system deployment. It can integrate with System Center 2012 Configuration Manager to enhance operating system deployment.
System Center 2012 R2 Configuration Manager. System Center 2012 R2 Configuration Manager automates deploying apps to a user after the operating system deployment process. With it, you can create a list of applications for deployment through the Application Catalog. System Center 2012 R2 Configuration Manager provides a unified console for managing apps and can integrate with MDT to enhance operating system and app deployment.
Windows Intune. Windows Intune automates deploying apps to a user after the operating system deployment process. Windows Intune can integrate with System Center 2012 R2 Configuration Manager to provide a hybrid method of managing app deployment. Windows Intune supports a self-service model by using the Company Portal app.
Table 3 lists criteria for selecting technologies to performing app sideloading. You can use any combination of these technologies to sideload an app. For example, you may decide to use System Center 2012 R2 Configuration Manager with for institution-owned devices and Windows Intune for personally owned devices
Table 3. App Sideloading Technology Selection
| Command line | MDT | System Center 2012 R2 Configuration Manager | Windows Intune | |
|---|---|---|---|---|
Can be used by any electronic software distribution (ESD) or other methods (such as logon scripts) |
Yes |
No |
No |
No |
Device domain membership |
Domain joined or stand-alone |
Domain joined or stand-alone |
Domain joined or stand-alone (recommended to integrate with Windows Intune for stand-alone devices) |
Domain joined or stand-alone |
Provides a unified solution for the entire app life cycle, including installation, updates, supersedence, and removal |
No |
No |
Yes |
Yes |
Supports creation of an enterprise app store |
No |
No |
Yes |
Yes |
Provides highly automated deployment process |
No |
Yes |
Yes |
Yes |
Supports a push deployment model |
Yes |
Yes |
Yes |
No |
Supports a self-service deployment model |
No |
No |
Yes |
Yes |
Can be used for institution-owned devices |
Yes |
Yes |
Yes |
Yes |
Can be used for personally owned devices |
Yes |
Yes |
Yes |
Yes |
Infrastructure requirements |
None |
Managed network |
|
None |
Supports the use of stand-alone media (USB flash drive) |
Yes |
Yes |
Yes |
No |
Requires additional purchase |
No |
No |
Yes |
Yes (subscription model) |
Deploy an app during operating system deployment |
Yes |
Yes |
No |
No |
Users installing apps from the Windows Store require little or no IT help, but sideloading requires IT resources to prepare for the process. Amy recognizes that she and other IT pros at the institution will assume most of the effort required to meet the sideloading prerequisites. Amy and Mark also decide which apps will be provisioned to all users on a device and which apps will be deployed to specific users on a device.
Amy and Mark decide to use System Center 2012 R2 Configuration Manager and Windows Intune to perform sideloading, because this method allows them to create an enterprise app store. They also decide to use System Center 2012 R2 Configuration Manager to manage apps on intuition-owned devices and Windows Intune to manage apps on personally owned devices.
For details on how to use sideloading to deploy an app, see Use Only Sideloading.
Plan for when to deploy apps
Apps can be deployed:
During operating system deployment. Sideloading only; typically performed on institution-owned devices (not deploying operating systems to personally owned devices)
After operating system deployment. Windows Store, sideloading, or a combination of both; can be performed on any device (institution-owned or personally owned)
For each app in the portfolio, Amy and Mark determine whether it will be deployed during or after operating system deployment.
Select the right app deployment method
You can deploy apps by using the Windows Store, sideloading, or both, but how do you determine which method is best for a specific app? Table 4 lists the criteria for selecting the right app deployment method.
Table 4. Criteria for Selecting the Right App Deployment Method
| Selection criterion | Windows Store | Sideloading |
|---|---|---|
Technical skill required |
Low—Installation can be performed by a faculty member or student. Management of apps (by using AppLocker or other partner management products) requires IT pro skills. |
High for the IT pro skills to configure and perform sideloading (not easily performed by a typical information worker). Low for the users who will install the apps (in a self-service model). |
User age |
To comply with COPPA, Microsoft requires users younger than 13 years of age to have an adult help create the Microsoft account. To create a Microsoft account for someone younger than 13 years of age, the adult must provide a credit card, and a charge of $0.50 is applied to the card. You can control which Windows Store apps can be installed and run on devices by using AppLocker, which requires Windows 8 Enterprise. The Windows Store shows content (such as screenshots or app descriptions) for apps that is appropriate for people 12 years of age and older. |
Can provide flexibility to deploy apps to users under 13 years of age, but additional effort or software might be required (such as creating a targeted user collections based on age in System Center 2012 Configuration Manager or Windows Intune). |
Technical infrastructure required |
Low—Requires Internet connectivity and the IT infrastructure to support access to the Windows Store, such as Internet ingress and egress, firewalls, and web proxies. |
High—Might require additional infrastructure depending on the method selected for sideloading (for example, a System Center 2012 R2 Configuration Manager infrastructure or Windows Intune accounts). |
Deployment life cycle |
Apps can only be deployed after the operating system has been deployed. You can install Windows Store apps by using deep links in Windows Intune or System Center 2012 R2 Configuration Manager. |
Apps can be deployed both during and after the operating system has been deployed. However, only 24 apps can be provisioned in an operating system (such as during operating system deployment). |
App ownership model |
Personally owned—Each user owns and manages apps through their Microsoft account (as allowed by other institution management tools, such as AppLocker, for institution-owned devices). |
Institution-owned—The institution owns and manages the apps. |
App availability |
Apps that are in the Windows Store can be downloaded at any time. |
Must obtain the .appx installation package directly from the app developer. |
Shared device support |
App installation—Apps must be installed for each user on the device on a user-by-user basis. There is no limit to the number of users who can install apps on a device, but a specific app for a specific user can only be installed on up to five devices.When a user logs out of a device and another user with a different Microsoft account logs on to the same device, only the apps associated with the currently logged-on Microsoft account will be available. |
App provisioning—Apps can be provisioned to a device, and then all users can use the app on that device. You can install no more than 24 apps in an image before you receive an error message. |
Curated user experience |
You cannot control which apps in the Windows Store users can browse, but you can control which apps can be installed and run by using AppLocker and partner products. |
The institution fully controls user experience and selection of apps, but the institution must take responsibility for ensuring that the apps have been certified and are free from malware. Although not required for sideloaded apps, it is recommended that any apps that will be sideloaded have been tested by using the Windows App Certification Kit. |
Paid app distribution |
The user must purchase and install the app through their Microsoft account. |
The institution can purchase and install the app through an agreement between the app developer and the institution. |
Controlling app updates |
Users are notified of app updates through the Store app on the Start screen. Users must manually initiate app updates by using the Store app: The institution cannot push updates to the users and devices and also cannot choose which update are installed. There is no centralized app update management. |
The institution can provide app updates either as mandatory (pushed update) or at the user’s discretion (self-service model). The apps can be delivered to users and devices through existing software distribution products (such as System Center 2012 R2 Configuration Manager or Windows Intune). |
Obtaining apps |
Users obtain apps from the Windows Store by using their Microsoft account. Different types of apps can be obtained, including paid apps, free apps, and free apps with an in-app purchase option. |
Apps must be obtained directly from the app developer based on an agreement between the institution and the app developer. |
Identity infrastructure |
|
|
Device ownership |
Can be used for all device scenarios (institution-owned or personally owned devices). |
|
Deployment speed and flexibility? |
Flexible, as students and faculty can download a discovered app immediately. |
Less flexible, as IT would need to acquire an .appx package, license the offering, and sideload the app. |
Ultimately, you make the decision by prioritizing app deployment requirements, and then selecting the method that best meets the higher-priority requirements. Examples include:
If an app can only be obtained through the Windows Store (that is, the app cannot be obtained directly from the app developer), then you must use the Windows Store deployment method. In contrast, if the educational institution obtains the app installation files directly from the developer, then you must use the sideloading method.
If the institution owns a device, then apps can be deployed during operating system deployment by using sideloading. If a faculty member or student owns the device, then the app must be deployed after operating system deployment by using the Windows Store or sideloading.
Amy and Mark prioritized the criteria in Table 4 for each app, and then selected the best method based on their prioritization.
Additional resources
The following resource will help in planning app deployment:
Configure your enterprise PCs for sideloading using Group Policy
DISM App Package (.appx or .appxbundle) Servicing Command-Line Options