Windows App Management

Introduction

Windows mobile devices and machines from the crux of corporate productivity, especially with more organizations using both mobile devices and machines, as a part of the corporate workforce. Installing and updating apps turns out to be one of the most tedious tasks for IT admins, as they need to manually distribute the app and have it installed. MDM fully eases this process, by letting you distribute the app to multiple devices through groups and have it installed silently without any user intervention. MDM lets you manage:

Managing MSI software applications

You can distribute and install software on Laptops, Desktops and Surface Pro tablets by adding the MSI package to MDM. You need to add the MSI package to MDM server and provide the relevant details. The added MSI package initiates software installation on the machines, after distribution. This is supported only for Windows 10.

Distributing MSI software to Laptops, Desktops and Surface Pro tablets

Follow the steps given below, to add an MSI package to the App Repository:

  1. On the MDM server, navigate to Device Mgmt and select App Repository.
  2. Click on Add App and select MSI Software. For MSI source, provide the software MSI package file on which the requisite details gets automatically pre-filled. If you're using MDM On-Premises, go directly to Step #4.
  3. In case you're using MDM Cloud, the requisite details are to be manually specified. To know information such as MSI Product Code, MSI version etc., you need to download this PowerShell script . Once downloaded, open Command Prompt and run the following command:
    Usage - PowerShell -ExecutionPolicy Bypass -NoLogo -noninteractive <path_to_the_downloaded_powershell_script> -Path <path_to_the_MSI_file> -Properties "ProductCode,ProductVersion,ProductName"
    Once the above command is run, you'll get a JSON file containing all the requisite details, which is then to be specified in MDM. You can also use third-party software Orca MSI editor to achieve the same.
  4. You can also optionally specify Command Line Args, which specifies the additional setup for the MSI installation. Assuming the package is to be installed as an Administrator, you can provide the Command Line Arg /a. To know more regarding Command Line Args, refer to this.
  5. After providing the other required details, click on Save. Now, this software has been added to the App Repository and is ready to be distributed to machines and it can be installed silently as explained here.

Managing Store Apps

MDM lets you distribute free Store apps, to Windows 10 mobile devices, laptops, desktops and Surface Pro tablets. You need to integrate the Windows Business Store with MDM, by adding your Azure domain account after which all the apps purchased using the particular account gets added to the MDM App Repository automatically.

Integrating Business Store with MDM

You need to integrate the Windows Business Store with MDM, for installing Store apps on managed devices through MDM. Follow the steps below for integration:

Automatic distribution/installation of ManageEngine MDM app

ManageEngine MDM app is required to be present on the devices to view distributed content, terms of use and the organization's privacy policies. The admin can choose to silently install the ManageEngine MDM app on devices or allow the user to install the app on the device as mentioned below.

If you are using MDM Cloud, ManageEngine MDM app can be installed in the devices only by integrating with Windows Business Store

Managing Enterprise Apps

In addition to Store apps, a lot of organization use enterprise apps, customized to suit their needs. These apps cannot be usually downloaded from the Business Store, thus making it difficult for the employees to download and/or update these apps. MDM eases this process by letting IT administrators install and update the enterprise apps silently on the devices. You can distribute enterprise apps, by adding App Enrollment Token(AET) or Code Signing Certificate(CSC). To test and deploy enterprise apps on Windows 10 devices seamlessly refer to this link.

Differences between AET and CSC

FEATURE APP ENROLLMENT TOKEN(AET) CODE SIGNING CERTIFICATE(CSC)
Supported OS Windows 8 or later versions Windows 10 or later versions
Cost Paid option Free option
Certificates used Symantec-signed certificate CA-signed/Self-signed certificate
Microsoft Developer Account Required Not Required

App Enrollment Token(AET)

App Enrollment Token is created for an enterprise. It provisions a certificate on the managed device, establishing a connection which facilitates Windows app management as the apps share a certificate with the AET.

Pre-requisites

Steps to generate AET

The Symantec mobile code signing certificate is used for generating AET. Follow the steps below to generate AET:

AETGenerator.exe <path_to_PFX_Certificate_File_given_by_Symantec> <private_key_provided_for_PFX_certificate>

This generates three files, out of which AET.aetx is to be uploaded on the MDM server to manage Windows apps. AET is valid only for an year after which it needs to be renewed using the same company account and uploaded back on MDM server. .

All apps must be signed using the AET, before uploading it to the App Repository.

Renewing AET

The process of renewing AET is similar to generating AET. Before renewing, ensure you are using the same Company ID used to generate AET uploaded on MDM server.

In case you use a different Company ID for obtaining the Symantec mobile code signing certificate, you need to use the new AET to re-sign all the apps, previously added to the App Repository and signed using the old AET. Only after re-signing can the apps be distributed to the managed devices. This however doesn't affect the previous installations of the app, where the app was signed with the old AET.

Code Signing Certificate(CSC)

In case you need to distribute apps only to Windows 10 devices, you can use third party CA-signed certificates or self-signed certificates to sign the app. In case you're using CA-signed certificates to sign the app, ensure you upload the CA root certificate on the MDM server. Self-signed certificates are auto-generated when building a Windows enterprise, using Visual Studio. You can navigate to the output location to obtain the certificate and upload it on MDM server.

Generating/Using CA-signed/self-signed certificates

To sign the enterprise app with either CA-signed certificate or self-signed certificate, follow the instructions given below:



Signing enterprise apps

Provide the following command on the command line, if you are signing xap file:

BuildMDILXap.ps1 -xapfilename <ME MDM app xap file> -pfxfilename <path_to_PFX_Certificate_File> -password <private_key_provided_for_PFX_certificate>

Provide the following command on the command line, if you are signing appx file:


BuildMDILAPPX.ps1 -appxfilename <ME MDM app appx file> -pfxfilename <path_to_PFX_Certificate_File> -password <private_key_provided_for_PFX_certificate>

Identifying Package Family Name

If you're adding .appx or .appxbundle files to the App Repository, you need to provide a package family name, which can be obtained as explained below:

Distributing enterprise apps

After adding AET or CSC, you can distribute enterprise apps as explained below:

App Configurations

App Configurations lets you customize the apps to suit the needs of the organization. You can also secure devices by restricting apps from accessing data and/or resources of the managed devices. The app developer provides a set of key and their value, that specifies the configurations, which have to be entered on the MDM server. These configurations are pushed automatically with the apps.The app developer must support app configurations for the app, to implement it using MDM.

Pushing app configurations based on user-specific/device-specific parameters such as E-mail, UDID etc., to different users can be a cumbersome task as the app configuration needs to be modified every time before it is pushed. However, MDM supports dynamic variables which ensures once the app configurations with user-specific/device-specific parameters are setup using dynamic varaiables, they needn't be configured again as the dynamic variables fetches all the required data from device/enrollment details.

Dynamic Variables

Here is the table of parameters for which MDM supports dynamic variables:

PARAMETER DYNAMIC VARIABLE
Device UDID %udid%
Device Name %devicename%
User Name %username%
E-mail %email%
Domain name %domainname%
Serial Number %serialnumber%
IMEI %imei%
Exchange ID %easid%
UPN %upn%
APN Username %apn_username%
APN Password %apn_password%

 

NOTE: The above mentioned configurations when pushed to the devices will fall under the app's container titled Managed.App.Settings.

See Also: Configure Mobile Device Manager Plus, Device Enrollment, Location Tracking,App Management,   Profile Management,  Asset Management, Security Management , Reports
Copyright © 2019, ZOHO Corp. All Rights Reserved.
ManageEngine