As Windows 8 devices hit the shelves, developers want to take full advantage of the platform by building modern applications (aka. apps). The ideal choice is to deploy the app through the Windows Store. If you want to share your early builds within your organization or you are a Line of Business (LOB) application developer and you do not want your app available to the general public, the Windows Store is not a valid option. In these cases where you need (or want) to bypass the Windows Store, you can install your app on Windows 8 devices through a process called sideloading.
The Windows Intune cloud service enables you to centrally manage and secure PCs through a single web-based console so you can keep your computers, IT staff, and users operating at peak performance from virtually anywhere without compromising the essentials—cost, control, security, and compliance.
Last October Microsoft released an update to Windows Intune that let you deploy Windows 8 apps as well. Developers can install the fully immersive “Company Portal” app from the Windows Store and then install app made available by their company onto their devices. However in order to install apps from Windows Intune portal, devices must be enabled for sideloading.
To enable Windows 8 devices for sideloading, it is required to obtain sideloading product activation keys. You can purchase these keys through the Microsoft Volume Licensing program. After obtaining the keys, they must be added to the portal using the Intune administrative console. This process is outside the scope of this post, so I used an alternative way to deploy apps to Windows Intune without processing the licenses. This approach is only for example purposes and not meant for real scenarios.
As mentioned above, in order to install apps from the Windows Intune Portal, a device needs to be enrolled with the portal. Enrollment establishes a relationship between a provisioned user in Windows Intune and the user’s device.
Before you do the device enrollment, it is also required to set the mobile device authority. This defines who will perform device administrative tasks like retire, wipe, etc. You can either set the device authority to Windows Intune where you will manage the device using Intune administrative console or you set Microsoft System Center as the same where you will use system center configuration manager.
Therefore, two ways to set the authority can be listed as:
- Direct device management with Windows Intune administrative console
- Using Microsoft System Center 2012 (SP1+) configuration manager.
Note: The device authority can be set only once, so choose wisely.
For my device I selected Windows Intune as the device authority. However this does not change the deployment process of a sideloaded app. Whatever the method you choose the process of enrolling a device and then publishing an app remains the same which can be divided into following sections:
Enroll Your Device
In order to enroll your device first go to portal.manage.microsoft.com. This will take you through the Intune login process and once successful you will land at the following page:
Clicking on the “Apps” tile will show a message box that directs you to the Windows Store for installing the Company Portal app.
Once installed the app will guide you through the device enrollment process.
This installs a “Windows Intune Center” task bar item which is responsible for maintaining the partnership between the Intune portal and the user’s device.
Sign and Deploy Your App
I have created a tiny tool for the purpose of this article that will let me create a signed app package that will be uploaded to the Intune portal using the software publishing wizard.
The tool expects a content folder where your app output as well as its manifest should be located. To demonstrate the process, I created a sample To-do list WinJS app and moved it to the content folder then I typed the following command:
sideloadingHack.exe /make or double click make.bat
This takes output from content folder where the app bits are located and creates the signed appx package which I will upload next using the publisher wizard.
Now this will deploy the app to the Intune portal, however it will remain hidden. You must specify from the administrative console which group of users can install the app.
You can do this from “Manage Software” section of the portal where you will right click and choose manage deployment:
This will bring up the Deployment Action prompt where you select the group of users who will be able to install the app.
Install the Sideloaded App
Before you install the app from the company portal, you also need to confirm that your device is enabled for installing sideloaded apps. To do this, go to the search charm (Win + Q) on your device and type gpedit.msc. Execute the application and it will prompt you with the following dialog:
Make sure that “Allow all trusted apps to install” option is checked. Next, go to the admin command prompt and run the hack tool again with the following command:
This will push the necessary signing details to the device for the app installation to complete.
One issue with this flow (since I skipped the registering the activation keys) is that you still need a developer ready machine. You can register your device running the following command from PowerShell prompt:
This will take you through a dialog to install the free developer license.
Finally, go ahead and run the Company Portal app and you should be able to install the app from the Intune portal. This should give a notification as shown below that the app is installed successfully:
In this post, I showed you the basics of sideloading, how to establish a device association with the Intune portal and finally walked you through the process of installing the sideloaded app using the Company Portal app. Although I have used a separate command line tool to bypass the sideloading product activation keys flow, the basic concept remains the same.