Many organizations want to control and manage access to their internal line-of-business (LOB) apps directly. They also need a way to roll out the app binaries to the clients.
In this post, let’s have a look at how this works.
I think publishing their LOB apps to the public Windows Store doesn’t make sense for many companies. There is no reason to broadcast their applications to others or to have their application deployment managed through the Windows Store process.
For Windows on ARM (WOA, the platform that shipped as Windows RT), Microsoft has integrated a new management client that communicates with a management infrastructure in the cloud to deliver LOB apps to users.
There are two parts to the WOA management client: a built-in system component (called the agent) and a Windows 8 app (called the self-service portal, or SSP) that the user uses to browse for and install the LOB apps made available to them.
The agent handles:
- client configuration for communicating with the organization’s management infrastructure
- periodic synchronization with the management infrastructure to check for any updated LOB apps
- the actual download and installation of any LOB apps the user chooses to install
- cleanup when the device is removed from the infrastructure (by the user or an administrator): it clears its own configuration and disables any LOB apps the user installed from the SSP
How to – Step 1 – Active Directory:
The IT admin specifies the group of Active Directory (AD) domain users who are authorized to connect devices to the service. The admin can also specify the maximum number of devices allowed per user.
How to – Step 2 – Installation/Setup:
The client is connected to the management infrastructure (for example System Center Configuration Manager or Windows Intune). The user enters their company email address and password. The agent then performs a service lookup to locate the organization’s management infrastructure based on the user’s email address.
After successful user authentication and authorization (the user must be in the AD group configured by the admin in Step 1), the service issues a user certificate that the agent uses from then on to authenticate to the infrastructure. The user is then directed to install the SSP (self-service portal).
(http://blogs.tieto.com/mobileworld/files/2012/08/entername1.png)
(http://blogs.tieto.com/mobileworld/files/2012/08/conn11.png)
(http://blogs.tieto.com/mobileworld/files/2012/08/conn2.png)
As part of completing the registration process (the agent authenticates with the issued user certificate over SSL mutual authentication, so both sides prove their identity), the device supplies some basic information to the service, such as make and model, OS version, device capabilities and other hardware details, for IT admin monitoring.
From then on the agent initiates communication with the management infrastructure in two ways:
- First, as a maintenance task that runs daily at a time the user can configure on the client. These maintenance sessions report updated hardware information to the management infrastructure, apply changes to the device’s settings policies, report compliance back to the management infrastructure, apply updates to installed LOB apps, and retry any previously failed LOB app installations initiated from the SSP.
- Second, whenever the user initiates an app installation from the SSP. These user-initiated sessions are solely focused on app installation and do not perform the maintenance and management activities described in the first case.
How to – Step 3 – Policy management:
The IT admin is able to configure a set of policies (from the management infrastructure):
- Allow Convenience Logon
- Maximum Failed Password Attempts
- Maximum Inactivity Time Lock
- Minimum Device Password Complex Characters
- Minimum Password Length
- Password Enabled
- Password Expiration
- Password History
The agent can monitor and report:
- Drive Encryption Status
- Auto Update Status
- Antivirus Status
- AntiSpyWare Status
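The four monitored items above are exactly what the agent reports back in its daily maintenance session. The following PowerShell script, added here as an example (it is not the WOA agent’s code and not part of the original post), collects the same four items locally on a Windows 8 / Windows RT device and evaluates them against an assumed policy, so an admin can see what the agent would report before enrolling the device. The policy values, the reading of NotificationLevel 4 as “auto update on”, and the WMI/COM classes used for the lookups are assumptions about how to approximate the agent’s checks; the encryption query needs an elevated session.

```powershell
# Added example, not the WOA agent's own code. Collects the four health items
# the agent reports (drive encryption, auto update, antivirus, antispyware)
# and evaluates them against an assumed policy. Run elevated.

# Assumed policy: what the IT admin requires of a compliant device.
$Policy = @{
    RequireDriveEncryption = $true
    RequireAutoUpdate      = $true
    RequireAntivirus       = $true
    RequireAntiSpyware     = $true
}

# Decode the SecurityCenter2 productState value (0xPPSSUU): bit 0x10 of the
# middle byte means the product is enabled, bit 0x10 of the low byte means the
# definitions are out of date.
function ConvertFrom-ProductState {
    param([int]$State)
    [pscustomobject]@{
        Enabled  = ((($State -shr 8) -band 0x10) -ne 0)
        UpToDate = (($State -band 0x10) -eq 0)
    }
}

# Antivirus and antispyware products registered with the Security Center.
function Get-SecurityProductStatus {
    param([ValidateSet('AntiVirusProduct', 'AntiSpywareProduct')][string]$Class)
    $products = Get-CimInstance -Namespace 'root\SecurityCenter2' -ClassName $Class -ErrorAction SilentlyContinue
    foreach ($p in $products) {
        $s = ConvertFrom-ProductState -State $p.productState
        [pscustomobject]@{ Name = $p.displayName; Enabled = $s.Enabled; UpToDate = $s.UpToDate }
    }
}

# Encryption state of the system drive. ProtectionStatus: 0 = off, 1 = on, 2 = unknown.
function Get-DriveEncryptionStatus {
    $vol = Get-CimInstance -Namespace 'root\CIMV2\Security\MicrosoftVolumeEncryption' `
        -ClassName Win32_EncryptableVolume -Filter "DriveLetter='$($env:SystemDrive)'" -ErrorAction SilentlyContinue
    if (-not $vol) { return 'Unknown' }
    switch ($vol.ProtectionStatus) { 1 { 'On' } 0 { 'Off' } default { 'Unknown' } }
}

# Windows Update agent settings. NotificationLevel 4 = download and install automatically
# (treating only level 4 as "on" is an assumption of this example).
function Get-AutoUpdateStatus {
    $au = New-Object -ComObject Microsoft.Update.AutoUpdate
    return ($au.Settings.NotificationLevel -eq 4)
}

$report = [ordered]@{
    DriveEncryption = Get-DriveEncryptionStatus
    AutoUpdate      = Get-AutoUpdateStatus
    Antivirus       = @(Get-SecurityProductStatus -Class AntiVirusProduct)
    AntiSpyware     = @(Get-SecurityProductStatus -Class AntiSpywareProduct)
}

# A security product only counts if it is both enabled and up to date.
$checks = @(
    (-not $Policy.RequireDriveEncryption) -or ($report.DriveEncryption -eq 'On')
    (-not $Policy.RequireAutoUpdate)      -or $report.AutoUpdate
    (-not $Policy.RequireAntivirus)       -or (@($report.Antivirus   | Where-Object { $_.Enabled -and $_.UpToDate }).Count -gt 0)
    (-not $Policy.RequireAntiSpyware)     -or (@($report.AntiSpyware | Where-Object { $_.Enabled -and $_.UpToDate }).Count -gt 0)
)
$report.Compliant = ($checks -notcontains $false)

[pscustomobject]$report | Format-List
```

The productState decoding is the part most often gotten wrong: the value is a packed bit field, not an enumeration, so compare bits rather than whole numbers (Windows Defender reports 0x061100 when enabled and current, a third-party product may report 0x041000 for the same state).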
How to – Step 4 – LOB app management:
There are four types of apps that IT can publish for users in the SSP:
- Internally-developed Windows 8 apps that are not published in the Windows Store
- Apps produced by independent software vendors that are licensed to the organization for internal distribution
- Web links that launch websites and web-based apps directly in the browser
- Links to app listings in the Windows Store. This is a convenient way for IT to make users aware of useful business apps that are publicly available.
After setup, the IT admin specifies which apps are published to each user, based on the user’s AD domain account or their membership of AD user groups. As a result, users see only the apps that apply to them in the SSP.
(http://blogs.tieto.com/mobileworld/files/2012/08/apps.png)
(http://blogs.tieto.com/mobileworld/files/2012/08/install.png)
Before any app can be installed, two things have to happen on the client:
- an activation key is issued by the management infrastructure and applied to the WOA device; this is what allows the agent to install (sideload) apps that do not come from the Windows Store
- the certificates used to sign the LOB apps must be added to the certificate store on the device, so that the agent can validate the package signatures at install time
When the user chooses to install an app from the SSP, the request is sent to the management infrastructure and a download link is provided to the agent. The agent then downloads the app, verifies the validity of the content, checks the signature, and installs the app. The agent will report which apps are installed to the management infrastructure so the IT admin can effectively manage their LOB apps. Only Windows 8 apps that were installed via the SSP and the management client are included in this inventory from a WOA device.
Anytime the IT admin publishes an update for an app that has been installed on a WOA device, the agent will automatically download and install the update during its next regular maintenance session.
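The download, content check, signature check and install described above can be reproduced by hand on a Windows 8 / Windows RT device. The following PowerShell function is an added example (not the WOA agent’s code and not from the original post): it verifies a downloaded .appx the way a careful agent would before sideloading it, with one extra step the text only implies, pinning the signer to the LOB certificate that was provisioned rather than accepting any trusted signer. The package path, the published SHA-256 hash and the expected signer thumbprint are placeholders the caller supplies.

```powershell
# Added example, not the WOA agent's own code: checks an admin can run before
# sideloading a LOB package on Windows 8 / Windows RT, mirroring what the agent
# does after download (integrity, signature, trust, install, inventory).
function Install-LobPackage {
    param(
        [Parameter(Mandatory)][string]$PackagePath,              # downloaded .appx
        [Parameter(Mandatory)][string]$ExpectedSha256,           # hash published with the app (assumed to exist)
        [Parameter(Mandatory)][string]$ExpectedSignerThumbprint  # LOB signing cert provisioned by the agent (assumed)
    )
    if (-not (Test-Path -LiteralPath $PackagePath)) { throw "Package not found: $PackagePath" }

    # 1. Content integrity: the bytes on disk must match what the management
    #    infrastructure published. .NET is used because Get-FileHash needs PS 4.0.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($PackagePath)
    try     { $actual = ([System.BitConverter]::ToString($sha.ComputeHash($stream))) -replace '-', '' }
    finally { $stream.Dispose(); $sha.Dispose() }
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) {
        throw "Hash mismatch: expected $ExpectedSha256, got $actual"
    }

    # 2. Signature: the Authenticode signature on the package must verify and
    #    chain to a certificate the device trusts.
    $sig = Get-AuthenticodeSignature -FilePath $PackagePath
    if ($sig.Status -ne 'Valid') {
        throw "Signature check failed: $($sig.Status) - $($sig.StatusMessage)"
    }

    # 3. Signer pinning: a valid signature from some trusted CA is not enough;
    #    the signer must be the LOB certificate that was provisioned to the device.
    $thumb = $sig.SignerCertificate.Thumbprint
    if ($thumb -ne $ExpectedSignerThumbprint.ToUpperInvariant()) {
        throw "Unexpected signer $thumb (expected $ExpectedSignerThumbprint)"
    }
    $inStore = Get-ChildItem Cert:\LocalMachine\TrustedPeople, Cert:\LocalMachine\Root |
        Where-Object { $_.Thumbprint -eq $thumb }
    if (-not $inStore) { throw "Signer certificate is not in the device's trust stores" }

    # 4. Install. On Windows RT this requires the sideloading activation key from the
    #    management infrastructure; without it Add-AppxPackage fails with 0x80073CFF.
    Add-AppxPackage -Path $PackagePath -ErrorAction Stop

    # 5. Inventory, as the agent reports it back: everything now installed for this user.
    Get-AppxPackage | Select-Object Name, Version, Publisher, PackageFullName
}

# Usage (all values are placeholders):
# Install-LobPackage -PackagePath 'C:\Downloads\Contoso.Expenses.appx' `
#     -ExpectedSha256 '<sha256 from the SSP listing>' `
#     -ExpectedSignerThumbprint '<thumbprint of the LOB signing certificate>'
```

Step 3 is the one worth keeping even when the platform already enforces step 2: Windows accepts a package signed by any certificate that chains to a trusted root, so without pinning, any code-signing certificate an attacker can obtain or steal would pass the check.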
Disconnecting from the management infrastructure
During disconnection, the agent does the following:
- Removes the activation key that allowed the agent to install LOB apps. Once removed, any Windows 8 apps that were installed via the SSP and management client are deactivated. Note, however, that the apps are not automatically removed from the device, but they can no longer be launched and the user is no longer able to install additional LOB apps.
- Removes any certificates that the agent has provisioned.
- Ceases enforcement of the settings policies that the management infrastructure has applied.
- Reports successful deactivation to the management infrastructure if the admin initiated the process.
- Removes the agent configuration, including the scheduled maintenance task. Once completed, the agent remains dormant unless the user reconnects it to the management infrastructure.
I think this post gives an overview of LOB app deployment and security. More information (and my source) can be found in the article Managing “BYO” PCs in the enterprise (including WOA) (http://blogs.msdn.com/b/b8/archive/2012/04/19/managing-quot-byo-quot-pcs-in-the-enterprise-including-woa.aspx).
In my next post I will tell you something about app management on Windows Phone 8.