Windows Mobile, the discontinued predecessor of today's Windows Phone, had a strong position in the field of enterprise development.
Not only were companies able to manage devices comfortably, the platform also offered all sorts of valuable business features. Development options were rich, ranging from native development in C++ to managed code using the .NET Compact Framework, to various other development environments provided by third parties. With Windows Phone, Microsoft made a bold move in the direction of consumer satisfaction and focused heavily on end-user features. Although great for average users, this implied a lot of simplifications and dropped features for the enterprise world, which is why many people with a focus on business software considered it a step backwards. In fact, a lot of companies dodged Windows Phone 7 and kept using Windows Mobile as their preferred platform for internal applications. With Windows Phone 8, Microsoft has now put a lot of effort into offering sufficient choices and features for that target audience too. In this article, we'll cover the most important of these.
What is Enterprise Development?
To understand why Windows Phone 7 was a bit of a problem for businesses, we first have to understand what enterprise applications actually are and how they are different from the Average Joe app that you can buy or download for free from the Phone Store.
Enterprises often have a demand for software that is custom tailored to their specific needs and processes, to support their organization's inner workings. There are several standard software packages out there that can also be customized, but it's quite common to still have a custom application developed for very particular needs, to improve productivity and efficiency even more, or simply because no suitable standard software exists for very special use cases. Typical scenarios are business functions like order processing, production management or customer relationship management. But there are hundreds of additional topics that range from very technical aspects, like handling particular machines and devices, to support topics like ticket management systems, to things like fleet tracking or custom messaging systems. So the first obvious difference is that instead of trying to attract as many people as possible by targeting popular topics, enterprise software has a very limited target audience – usually only the company's own staff.
This in turn has additional implications. Typically, security is more a concern than with other software. Not only do companies want to protect their data by applying the usual authentication and authorization strategies, they are also interested in keeping the software itself private – after all, the code reflects their processes and whole business mechanics, something they don't want to expose to potential attack vectors like reverse engineering. And of course, a lot of money is invested into custom software that is not accessible to the open market off the shelf. Protecting intellectual property hence also is quite an issue.
With mobile devices, additional points of interest arise. Compared with stationary computers, those devices are lost or stolen more easily, so additional security features like remote data purging become relevant. Also, management of these devices is important especially when employees are allowed to bring their own devices and use them for work ("BYOD" – bring your own device).
All of these requirements were somewhat problematic when Windows Phone 7 came around, because it was not possible…
- to manage devices in a centralized way
- to publish apps to a private set of users only
- to have full control over how and when apps are deployed to users
- to protect your data and intellectual property appropriately
- to access hardware or system details in a way that may be required for the business
- to easily bring over legacy code to the new platform
Some of these issues were addressed in small areas in later updates of version 7, but the real deal for enterprises is Windows Phone 8 which has solutions to all of these points. The possibility to reuse existing, native code was already covered in a previous article [1], and the increased options for developers to access hardware and system details will be part of future articles of this series. But let's see what new features you have at your disposal for the other points, and what you need to do to benefit from them.
What You Need To Do First…
To prepare your developer account to use the new enterprise targeted features, you have to follow a few steps first. To begin with, you need to have a "Company" account registered with Microsoft. Individuals (like personal or student accounts) do not qualify for any of what is to follow. You can check the status of your account in the developer center [2].
You will notice that your account also contains a so-called "Symantec Id". This id is needed to obtain a code signing certificate from Symantec [3], which is Microsoft's partner for the company validation process (you may have gotten messages from them upon registering your company account already). At the time of writing, the cost for this certificate is US$299 per year. This certificate is later used for two things:
- Signing company apps
- Generating an Application Enrollment Token (AET)
If you are a bit familiar with the involved concepts, the first part should be clear: signing an app makes sure that it indeed originates from your company, and also that it hasn't been tampered with upon delivery, for example. The second part listed above may not be as clear: an Application Enrollment Token makes it possible to enroll specific phones in your company's account. Only phones that are enrolled will be able to install and run your applications. So this is the part that makes sure nobody outside your company is able to use your software should they get access to it. The process of creating the enrollment token is described in Microsoft's documentation [4].
The critical part is delivering the resulting token file (.aetx) to your users. Typically, this will be done using a secure website or through other secured channels (can be e-mail, for example). For the user, the enrollment is very simple: they simply tap on the .aetx file and by that enroll the phone in your company account. Alternate enrollment options involve special management software and make the process even simpler for the user (see below).
From that moment on, users are able to install and use applications signed by your Symantec certificate. The token is used on a regular basis (periodically and during certain actions) to make sure the company account is still valid. More information and details on the process and concepts can be found in the MSDN documentation [5].
… And What You Can Do Then
After you have established the ecosystem for your company and enrolled devices in your account, you can start using all the new goodies designed around enterprise requirements. One of the main features from a software development point of view is that you are no longer bound to Microsoft's deployment mechanism for your own apps. This means that your enterprise apps do not have to go through the Store certification process and can be deployed directly to your users (side-loading). To do this, you have to:
- Precompile the code to MDIL using a tool named MDILXAPCompile from the SDK. If you want to learn more about MDIL and precompilation, you can read my detailed article on it here on SilverlightShow [6].
- Sign the XAP file with the XapSignTool from the SDK. For this you need the corresponding PFX file obtained from the above mentioned enterprise certificate.
This process is also covered in detail on MSDN [7]. Particularly useful is a TechNet link that describes how you can export the required PFX file [8], something that's probably not obvious to most developers.
Company Hubs
To make it easier for users to discover all apps of your company, as well as launch and maintain them from a central place, Microsoft introduces the concept of Company Hubs. Technically, a Company Hub is nothing else but a normal Windows Phone app that uses some special APIs to maintain and launch other apps. In addition, you can of course place any other logic and content into such an app that you like, for example company news. Microsoft gives an idea of a Company Hub using their typical "Contoso" sample on the Windows Phone web site [9]:
As you can see, Microsoft's vision is to have a one-place stop for all company related info, not only the company apps, but also with news, alerts, maybe an embedded ticket system and management possibilities for your company account profile or other social features.
The Company Hub app is usually distributed together with the Application Enrollment Token mentioned above. The intended workflow is for the user to obtain both the .aetx file and the XAP file for the Company Hub simultaneously, and then use that Company Hub as the central tool to manage all the other company apps.
For us developers, two important new classes for this have been added to the Windows Phone Runtime: InstallationManager [10] and Package [11]. When you take a look at the first one, you will see that it not only allows you to get information on currently installed packages for the current publisher, but also offers the option to add new packages by URL. This allows you to host the apps e.g. on some internal network and give users some custom, comfortable UI options for the installation process, including progress reporting. The Package class on the other hand allows you to launch the corresponding app directly, and to obtain basic information like the thumbnail image so you can display it nicely integrated in your Company Hub.
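How a Company Hub might wrap these two classes, shown as an added example that is not code from the original article or from Microsoft's samples. The class name CompanyHubInstaller, the host apps.contoso.example and the allow-list check on the package URL are assumptions made for illustration.

```csharp
using System;
using System.Linq;
using System.Threading.Tasks;
using Windows.ApplicationModel;
using Windows.Phone.Management.Deployment;

// Hypothetical helper for a Company Hub app (not part of the SDK).
public static class CompanyHubInstaller
{
    // Assumption: the only hosts this hub may fetch company XAPs from.
    private static readonly string[] AllowedHosts = { "apps.contoso.example" };

    // Accept only absolute HTTPS URLs on an allow-listed host, so a tampered
    // catalog entry cannot point the installer at an arbitrary server.
    public static bool IsTrustedSource(Uri source)
    {
        return source != null
            && source.IsAbsoluteUri
            && source.Scheme == "https"
            && AllowedHosts.Contains(source.Host, StringComparer.OrdinalIgnoreCase);
    }

    // Find an installed app of the current publisher by its product ID.
    // Parsing to Guid makes the comparison independent of braces or casing.
    public static Package FindInstalled(Guid productId)
    {
        return InstallationManager.FindPackagesForCurrentPublisher().FirstOrDefault(p =>
        {
            Guid installed;
            return Guid.TryParse(p.Id.ProductId, out installed) && installed == productId;
        });
    }

    // Start the installation and forward the progress values to the UI.
    public static async Task<PackageInstallResult> InstallAsync(
        string title, Uri source, Action<uint> onProgress)
    {
        if (!IsTrustedSource(source))
            throw new ArgumentException("Package source is not an allow-listed HTTPS host.", "source");

        var operation = InstallationManager.AddPackageAsync(title, source);
        operation.Progress = (op, progress) => onProgress(progress);
        return await operation;
    }

    // Launch a company app from the hub if it is already on the phone.
    public static bool LaunchIfInstalled(Guid productId)
    {
        Package package = FindInstalled(productId);
        if (package == null) return false;
        package.Launch(string.Empty);
        return true;
    }
}
```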
The IT Side of Things
Administrators will be pleased to learn that with Windows Phone 8, it's now possible to use options similar to those we had with Windows Mobile, and more. To give you a more detailed view on what was missing from Windows Phone 7 compared to e.g. Windows Mobile 6.5, you can take a look at this very informative Wiki page [12] on TechNet that lists all the Exchange ActiveSync supported (and unsupported) features on both platforms. This makes it more understandable why some administrators were a bit shocked and perceived version 7 of the platform as a huge step backwards. The Wiki page does not yet list Windows Phone 8, but a paper has been published with details on the supported ActiveSync features for the new version [13]. You will find that not all of the old options have been added back in (more on that below), but some very important ones for companies are now supported, for example drive encryption.
Management tools that are compatible with Windows Phone include both System Center 2012 as well as the cloud-based management features of Windows Intune. These tools make it significantly easier to handle enrollments and distributions of apps. Once set up, the user can then for example comfortably add a certain company account using the phone's "Company Apps" settings dialog that is part of the system itself:
The download and installation of the Company Hub app that you defined in Intune is then initiated automatically (with user consent of course), so there's no need to manually direct them to secured web sites or use similar manual distribution methods. All the phone management details are accessible from a dedicated web site [14] for those interested. If you are looking for more information on the new security features, including how device encryption and the details on protecting intellectual property work, you can find a white paper on these topics on another web site [15].
A Word on Privacy and Control Over Devices
When users read about how companies are able to manage devices, remotely wipe content and apply policies, they easily become concerned, especially when they are using their private phones for work (nobody wants to give their company full control over their private data, do they?). To allay those fears, Microsoft emphasizes the involved concepts whenever possible: there are very few "global" switches, one of them being device encryption. Instead, Microsoft is trying to find a balance between company data protection and end user control. This means that, for example, consumer and company data are kept separate, and remote company data wipe is different from the user-initiated remote wipe that we already had on Windows Phone 7. You also do not have to fear that e.g. you won't be able to install custom apps from the Store anymore – companies are only able to maintain and restrict their own apps, for example to tightly control who is able to actually use them. Also, while silent updates of company apps can be performed, the user has to confirm new installs explicitly.
These details are not only in place to somewhat protect the user and their data; they also enable other scenarios. For example, they allow you to enroll your device in multiple company accounts without having policies conflict or contradict each other. This is interesting e.g. for consultants or freelancers who have to work with multiple companies at the same time, including their own of course.
Conclusion
I think the new enterprise features of Windows Phone 8 will quickly lead to an increased adoption of the new platform in the business world, especially since it's starting to become harder and harder for companies to get replacements for e.g. broken Windows Mobile devices from carriers. I'm already in the process of developing enterprise apps on Windows Phone 8, something that our customers were quite reluctant with before. With the good balance between management features, developer options and user data protection and separation, all sides can benefit and acceptance for Windows Phone should be much better among all involved parties in typical enterprise scenarios.