Windows Phone 8.1 for the Enterprise Developer

Building Apps for Windows Phone 8.1 Jump Start. Videos at: http://channel9.msdn.com/Series/Building-Apps-for-Windows-Phone-8-1

Page 1: 18   windows phone 8.1 for the enterprise developer

Windows Phone 8.1 for the Enterprise Developer

Windows Phone 8.1

Building Apps for Windows Phone 8.1 Jump Start

Page 2: 18   windows phone 8.1 for the enterprise developer

This module…

Overview of what in Windows Phone 8.1 is of interest to the Enterprise Developer
• Overview of the Enterprise enhancements for Windows Phone 8.1
• Why would you build Enterprise apps for Windows?
• The Windows Phone 8.1 Converged Developer Platform
• Security
• Authentication
• Company Portal
• Deploying and distributing applications
• Some other thoughts for Enterprise Developers

Page 3: 18   windows phone 8.1 for the enterprise developer


Windows Phone is even better for Businesses

Page 4: 18   windows phone 8.1 for the enterprise developer

Windows core and security architecture

Large choice of devices at the right cost

Anywhere productivity with familiar Office apps built-in

A converged app platform and familiar developer tools

Uncompromising security and management

Windows Phone is consistent and predictable

Page 5: 18   windows phone 8.1 for the enterprise developer

Nokia Lumia for Business
Don’t compromise on Choice, Price, Consistency

NOKIA LUMIA 925
NOKIA LUMIA 920
NOKIA LUMIA 625
NOKIA LUMIA 720
NOKIA LUMIA 620
NOKIA LUMIA 520
NOKIA LUMIA 1020
NOKIA LUMIA 820
NOKIA LUMIA 1520
NOKIA LUMIA 1320

NOTE: Availability of particular products may vary by region and by service provider.

Page 6: 18   windows phone 8.1 for the enterprise developer

New and Unique user scenarios

Your phone is with your employees all the time

Some sample scenarios are
• Financial information
• Product Catalog
• CRM Data
• Dashboards
• Workflow management
• People finder
• Helper Applications
• Field employee systems

Page 7: 18   windows phone 8.1 for the enterprise developer

Demo

Sample Enterprise apps

Page 8: 18   windows phone 8.1 for the enterprise developer

SECURITY FROM THE CORE TO THE CLOUD

Common Core + Layered Security Architecture

SSL 3.0 with AES 128 and AES 256
Code-signed chain of trust
UEFI Secure Boot
TPM 2.0 – all phones
Certified hardware
App Containers
Secure browser
IRM & S/MIME built-in
Data protection API
Encryption based on BitLocker technology
Device-Lock

Single source updates
Developer platform
Drivers
Fixes from MSRC
Security
Networking
Graphics

Servers and Cloud Services

Internal Storage
User Partition
OS Partition
Apps
Files and data

UEFI Firmware
Hardware
Windows NT Kernel

Page 9: 18   windows phone 8.1 for the enterprise developer

Windows Phone enterprise features

Putting IT in control
IT professionals

Anywhere productivity
Business users

Included in Windows Phone 8.1
• Mobile Device Management (MDM)
• Configuration management
• Certificate management
• Application management
• Secure Access
• S/MIME

Page 10: 18   windows phone 8.1 for the enterprise developer

How do you build Enterprise apps

Page 11: 18   windows phone 8.1 for the enterprise developer

Building apps

• Using Visual Studio and the Windows Phone SDK
• It’s the same but not quite
• Mobile is hot and everybody wants the silver bullet
• Is HTML5 the answer? Sometimes.

Page 12: 18   windows phone 8.1 for the enterprise developer

Enterprise features

• Storing and syncing data (SQLite)
• Identity Management
• Authentication and Authorisation
• Push Notifications
• Integration with cloud and backend services
• Integration with enterprise systems
• MDM, MAM, MCM etc
• Distribution and testing
• Monitoring

Page 13: 18   windows phone 8.1 for the enterprise developer

Considerations

X-Platform, Offline Access, Location, Sensors, Search, Telemetry, Touch, Store, Offline, Mobility, Battery Life, Roaming, Variable Displays, Keyboard, Mouse, Hardware, Legacy Code, NUI, Small Factor

Page 14: 18   windows phone 8.1 for the enterprise developer


Authentication

Page 15: 18   windows phone 8.1 for the enterprise developer

Authentication supported in Windows Phone 8.1

• Basic
• NTLM
• Client Certificates
• No Kerberos
• SSO through VPN
• ADFS
• OAuth
• Web Authentication Broker

Page 16: 18   windows phone 8.1 for the enterprise developer

VPN Support

• App/location triggered with tunneling flexibility
• IPsec (IKEv2) gateway support (in-box)
• SSL-VPN gateway support via Store (plug-in model)
• Split tunnel or forced tunneling

• Simplicity with SSO for intranet & auto-reconnect
• Apps declare “EnterpriseAuthentication” Capability

• In-box authentication options
• EAP-MSCHAPv2, EAP-TLS, proprietary SSL-VPN auth

• MDM provisioned or user configurable


Page 18: 18   windows phone 8.1 for the enterprise developer


Web Authentication Broker

Page 19: 18   windows phone 8.1 for the enterprise developer

Web authentication broker

• Many apps connect to popular online services
• Authentication is usually required
• Identity providers typically implement OAuth for authentication and authorization

Page 20: 18   windows phone 8.1 for the enterprise developer

Typical OAuth flow

Participants: User, App, Online Service

1. Authorization Request (Start URL)
2. Login page
3. Credentials
4. Authorization page
5. User decision
6. Authorization token (Redirect URL)
7. Data access

Page 21: 18   windows phone 8.1 for the enterprise developer

Problems

• No single sign-on
• No credential isolation
• Inconsistent user experience
• Will not work in low memory situations

Page 22: 18   windows phone 8.1 for the enterprise developer

Web authentication broker

• Use WAB to authenticate to OAuth identity providers

• Benefits
• Single sign-on
• Simple API
• Credential Isolation

• Windows.Security.Authentication.Web
• API similar to Windows but optimized to handle low memory situations
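The WAB flow described above, as an added C# example that is not part of the original deck. It uses the phone's AuthenticateAndContinue call and adds an OAuth state check on the redirect, which goes beyond what the slides show; the endpoint URL, client id, settings key and the WabSignIn class name are placeholders chosen for illustration.

```csharp
using System;
using Windows.ApplicationModel.Activation;
using Windows.Foundation;
using Windows.Security.Authentication.Web;
using Windows.Security.Cryptography;
using Windows.Storage;

public static class WabSignIn
{
    // Placeholders (assumptions), not values from the slides.
    const string AuthorizeEndpoint = "https://idp.example.com/oauth2/authorize";
    const string ClientId = "YOUR-CLIENT-ID";
    const string StateKey = "wab_oauth_state";

    // Steps 1-5: the broker shows the login and authorization pages outside
    // the app, so the app never handles the user's credentials.
    public static void Begin()
    {
        // Random per-request value, echoed back by the provider in step 6.
        string state = CryptographicBuffer.EncodeToHexString(
            CryptographicBuffer.GenerateRandom(16));
        // Persisted because the app can be terminated while the broker is in
        // the foreground (the low-memory case the phone API is designed for).
        ApplicationData.Current.LocalSettings.Values[StateKey] = state;

        Uri callback = WebAuthenticationBroker.GetCurrentApplicationCallbackUri();
        Uri start = new Uri(AuthorizeEndpoint
            + "?response_type=code"
            + "&client_id=" + Uri.EscapeDataString(ClientId)
            + "&redirect_uri=" + Uri.EscapeDataString(callback.AbsoluteUri)
            + "&state=" + state);

        // Returns at once; the result arrives later through app activation.
        WebAuthenticationBroker.AuthenticateAndContinue(start, callback);
    }

    // Step 6: call from App.OnActivated when args.Kind is
    // ActivationKind.WebAuthenticationBrokerContinuation.
    // Returns the authorization code, or null if the response must be rejected.
    public static string Complete(IActivatedEventArgs args)
    {
        var continuation = args as WebAuthenticationBrokerContinuationEventArgs;
        if (continuation == null) return null;

        WebAuthenticationResult result = continuation.WebAuthenticationResult;
        if (result.ResponseStatus != WebAuthenticationStatus.Success) return null;

        var settings = ApplicationData.Current.LocalSettings.Values;
        string expected = settings[StateKey] as string;
        settings.Remove(StateKey); // single use

        string code = null, state = null;
        var query = new WwwFormUrlDecoder(new Uri(result.ResponseData).Query);
        foreach (IWwwFormUrlDecoderEntry entry in query)
        {
            if (entry.Name == "code") code = entry.Value;
            else if (entry.Name == "state") state = entry.Value;
        }

        // A response whose state does not match was not started by this app.
        if (expected == null || !string.Equals(expected, state, StringComparison.Ordinal))
            return null;
        return code;
    }
}
```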

Page 23: 18   windows phone 8.1 for the enterprise developer

Example SSO with Facebook

User experience when using SSO with Facebook on Windows Phone

Page 24: 18   windows phone 8.1 for the enterprise developer

Example SSO with Facebook

[Diagram: app1, app2, app3, app4, Facebook]

Page 25: 18   windows phone 8.1 for the enterprise developer

Example SSO with Company portal

[Diagram: app1, app2, app3, app4, each with a login; AD, Azure AD, VPN]

Page 26: 18   windows phone 8.1 for the enterprise developer


Demo WAB

Page 27: 18   windows phone 8.1 for the enterprise developer


Security

Page 28: 18   windows phone 8.1 for the enterprise developer

Storing credentials

• Use Credential Locker to securely store credentials and roam across the user’s trusted devices

• Windows.Security.Credentials
• PasswordVault (and related) are supported
• WebAccount* not supported on Phone

• Benefits
• Roaming via Microsoft account
• Secure Storage
• Credential isolation (apps can only access their own credentials)

Page 29: 18   windows phone 8.1 for the enterprise developer

Credential Locker sample code

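    using System.Collections.Generic;
    using Windows.Security.Credentials;

    // Stores a credential in the Credential Locker under the app's resource name.
    void SaveCredential(string username, string password)
    {
        PasswordVault vault = new PasswordVault();
        PasswordCredential cred = new PasswordCredential("MyAppResource", username, password);
        vault.Add(cred);
    }

    // Returns the credentials stored for a resource. FindAllByResource throws if
    // nothing is stored for it; call RetrievePassword() on an entry before
    // reading its Password property.
    IReadOnlyList<PasswordCredential> RetrieveCredential(string resource)
    {
        PasswordVault vault = new PasswordVault();
        return vault.FindAllByResource(resource);
    }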

Page 30: 18   windows phone 8.1 for the enterprise developer

Crypto and Certs

• WinRT platform convergence
• Support for the following namespaces
• Windows.Security.Cryptography
• Windows.Security.Cryptography.Certificates
• Windows.Security.Cryptography.Core
• Windows.Security.Cryptography.DataProtection

• Major features enabled
• Many common crypto algorithms supported by the platform
• Client certificate authentication
• Data protection API allows encrypting secrets in memory

Page 31: 18   windows phone 8.1 for the enterprise developer


Crypto Demo

Page 32: 18   windows phone 8.1 for the enterprise developer

• Enable hardware-based, two-factor authentication for S/MIME and Secure Browsing scenarios

• Keys are bound to the hardware and can only be accessed when user PIN is provided

• VSC is built on top of the Trusted Platform Module (TPM)

Virtual Smart Card

Page 33: 18   windows phone 8.1 for the enterprise developer

• No APIs, but app developers can opt-out through setting

• Encryption of app files on SD card (different keys for program and data folder)

• Access control for FAT (!) for additional isolation

Apps on SD

Page 34: 18   windows phone 8.1 for the enterprise developer

Certificates Demo

Page 35: 18   windows phone 8.1 for the enterprise developer

Company Portal

• View list of available apps.
• View list of installed apps.
• Launch app.
• IT alerts and notifications.

Page 36: 18   windows phone 8.1 for the enterprise developer

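Building a company portal

Install Apps

    // InstallationManager is in Windows.Phone.Management.Deployment.
    // selectedApp is the portal's own record of the app chosen by the user.
    var result = InstallationManager.AddPackageAsync(selectedApp.Title, selectedApp.XapPath);
    result.Completed = InstallCompleted;
    result.Progress = InstallProgress;

Find Apps

    IEnumerable<Package> packages = InstallationManager.FindPackagesForCurrentPublisher();
    // package is one entry of packages, chosen by the user.
    package.Launch(string.Empty);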

Page 37: 18   windows phone 8.1 for the enterprise developer

Company portal APIs

API feature                           WP 8   WP 8.1
Enumerate apps                        Yes    Yes
Launch apps                           Yes    Yes
Install enterprise signed apps        Yes    Yes
Get enterprise metadata               No     Yes (NEW)
Renew an enterprise enrollment        No     Yes (NEW)
Unenroll from the current enterprise  No     Yes (NEW)
Trigger enterprise phone home         No     Yes (NEW)

Company portals must be Silverlight apps

Create a Windows Phone 8 Company Hub App MSDN article by Tony Champion - http://aka.ms/E7c6xc

Page 38: 18   windows phone 8.1 for the enterprise developer

How do you distribute apps to your users

Page 39: 18   windows phone 8.1 for the enterprise developer

App deployment options

Through the store (public distribution)
• beta apps
• hidden apps with deeplink
• public apps

Sideloading (private distribution)
• MDM like Intune, Airwatch, Mobile Iron etc
• Website or email

Page 40: 18   windows phone 8.1 for the enterprise developer

Managed and unmanaged enrollment

Feature                Managed              Unmanaged
Enrollment method      Workplace app + MDM  Email/browser
Number of enrollments  Limited to 1         Unlimited
Policy management      Yes                  No
App install method     MDM/company hub      Email/browser/company hub
App inventory          MDM/company hub      Company hub
Push app install       MDM                  No
Push app uninstall     MDM                  No
Push app updates       MDM                  No
Unenroll               Remote and local     Local (NEW)

Page 41: 18   windows phone 8.1 for the enterprise developer

Public apps versus Private apps

Similarities
• Standard WP apps
• Same API Set
• Same app security model
• Familiar tools (C#, XAML, Visual Studio)

Differences
• Created by and for company
• Available only for company employees
• Not distributed via the store
• Not certified by Microsoft

Page 42: 18   windows phone 8.1 for the enterprise developer

Overview

[Diagram: steps 1 to 8 between Company, Symantec and Microsoft]

Page 43: 18   windows phone 8.1 for the enterprise developer

Windows Phone Dev Center

Page 44: 18   windows phone 8.1 for the enterprise developer

Account creation and cert acquisition

• Must be a Company account
• Publisher name displayed on phone
• Company approval required
• Private key, CSR, cert are local to PC

Page 45: 18   windows phone 8.1 for the enterprise developer

Enterprise certificate

Issuer

Validity period

Publisher name

Publisher ID

Enterprise apps EKU

Page 46: 18   windows phone 8.1 for the enterprise developer

Creating the certificate .pfx file

1. Install two Symantec CA certs

2. Export with complete cert chain

Page 47: 18   windows phone 8.1 for the enterprise developer

Application Enrollment Token (AET)

Secure data storage

.aetx

.aet

MDM SERVER

Code signing certificate

.aetx

Distribute through email or secure website

AET cannot be deleted through phone UI

Distribute during enrollment

Upload

AETGENERATOR TOOL

Page 48: 18   windows phone 8.1 for the enterprise developer

Generating an AET

    C:\temp2>"c:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\AETGenerator\AETGenerator.exe" c:\temp\Cert.pfx password
    The Enterprise Id is XXXXXXX
    AET.xml, AET.aet and AET.aetx file generated

[Diagram: Code signing certificate, AET.aetx]

Page 49: 18   windows phone 8.1 for the enterprise developer

AET on the phone

• AET allows all apps from the same publisher to be installed and run on the phone
• AET is valid for one year and must be renewed after expiration

[Diagram: .aetx (Publisher ID, 12 months); .xap / .appx (Publisher ID)]

Page 50: 18   windows phone 8.1 for the enterprise developer

App deployment

• App is packaged, signed, and published to the company’s store
• Delivered to the phone over an authenticated channel via email, browser, MDM, or company hub
• Validated for signature, an associated AET, and allowed capabilities

[Diagram: steps 1 to 3; Windows Phone 8, Email/Browser/MDM/Company Hub, Enterprise Service, App; XAP, APPX (NEW)]

Page 51: 18   windows phone 8.1 for the enterprise developer

App launch

• User launches an enterprise app via the shell or an API
• Publisher ID is extracted and used to find the associated AET
• AET must be present and valid (not expired, revoked or disabled)

[Diagram: steps 1 to 3; Windows Phone 8, Execution Manager, Enterprise Service]

Page 52: 18   windows phone 8.1 for the enterprise developer

Phone home

• Phone sends device ID, publisher IDs, and enterprise app IDs
• Phone receives status for each enterprise
• Apps of invalid enterprises are blocked from being installed or launched
• Scheduled daily, plus each enrollment and app install
• After 7 consecutive failed attempts, the install of enterprise apps is blocked, but the launch of installed apps still works

[Diagram: steps 1 and 2; Windows Phone, Services]

Page 53: 18   windows phone 8.1 for the enterprise developer

Phone home – sample protocol

Response

Request

Page 54: 18   windows phone 8.1 for the enterprise developer

App signing – Store vs. private

Store: .xap / .appx, Microsoft signed. Verify with Microsoft certificates.

MDM and Unmanaged: .xap / .appx, Enterprise signed. Verify with Application Enrollment Token (AET) .aetx

Page 55: 18   windows phone 8.1 for the enterprise developer

Preparing company apps

Machine-dependent Intermediate Language (MDIL)

[Diagram labels: SSP.xap, fabk.xap, Company developed hub, MDM Company Portal, IL code, MDIL code, MDIL compile, Automatic MDIL compile, Sign, Microsoft signature]

Page 56: 18   windows phone 8.1 for the enterprise developer

Precompile and sign Silverlight 8.0 company app

    PS C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.0\Tools\MDILXAPCompile> .\BuildMDILXap.ps1 -xapfilename C:\temp\fabk.xap -pfxfilename "C:\temp\cer 02.pfx" -password mypassword

[Diagram: fabk.xap, Company IT developed app (IL code); Code signing certificate; Combined precompile+sign script]

Page 57: 18   windows phone 8.1 for the enterprise developer

Precompile and sign Silverlight 8.1 company app

    PS C:\Program Files (x86)\Microsoft SDKs\Windows Phone\v8.1\Tools\MDILXAPCompile> .\BuildMDILXap.ps1 -xapfilename C:\temp\fabk.xap -pfxfilename "C:\temp\cer 02.pfx" -password mypassword

[Diagram: fabk.xap, Company IT developed app (IL code); Code signing certificate; Combined precompile+sign script]

Page 58: 18   windows phone 8.1 for the enterprise developer

Precompile and sign Store company app

    PS C:\Program Files (x86)\Microsoft SDKs\WindowsPhoneApp\v8.1\Tools\MDILXAPCompile> .\BuildMDILAPPX.ps1 -appxfilename C:\temp\fabk.xap -pfxfilename "C:\temp\cer 02.pfx" -password mypassword

[Diagram: fabk.appx, Company IT developed app (IL code); Code signing certificate; Combined precompile+sign script]

Page 59: 18   windows phone 8.1 for the enterprise developer

Managed deployment

1. Enroll phone to MDM
• MDM provides AET (.aetx)
• MDM installs Company Portal (.xap)

2. Use Company Portal to install and view installed company apps

[Diagram: MDM Server]

Page 60: 18   windows phone 8.1 for the enterprise developer

Unmanaged deployment

1. Install AET (email, web page)

2. Install Company Hub (email, web page)

3. Use Company Hub to view and install company apps

Page 61: 18   windows phone 8.1 for the enterprise developer

Managed vs. Unmanaged

Managed

• Purchase ready made MDM solution

• Automatic AET and Company Hub delivery

• Full MDM capabilities

• Un-enrollment through management client

• Can enroll only to one MDM system at a time

• Automatic app updates

• Built-in private app inventory

Unmanaged

• Distribute from Intranet Server

• Manual AET and Company Hub delivery

• Only app distribution + EAS

• Un-enrollment through phone reset

• Can enroll to multiple companies simultaneously

• Manual app updates

• No automatic private app inventory

Page 62: 18   windows phone 8.1 for the enterprise developer

Enterprise Lockdown

• Restrict UX using Allow List
• Applications Settings Notifications Search button re-map
• Reinforce Brand Identity
• Start Layout Lockscreen Background Custom Theme

Page 63: 18   windows phone 8.1 for the enterprise developer

NFC

• Read/Write NDEF
• Format!
• 3rd party API to read and write NFC cards through APDU (ISO 7816-4) command set is supported.
• MiFare Ultralight, MiFare Classic, MiFare DesFire and Felica are supported for low level access.

Trusted NFC apps!

Page 64: 18   windows phone 8.1 for the enterprise developer

• Windows & Windows Phone automatically adjust screen brightness to help maximize readability

• Windows Phone 8.1 allows apps to get ambient light readings (in LUX)

Light Sensor

Page 65: 18   windows phone 8.1 for the enterprise developer

IE11 web platform across Windows form factors

CSS 2D Transforms

CSS 3D Transforms

CSS Animations

CSS Backgrounds & Borders

CSS Border-Image

CSS Color

CSS Device Adaptation*

CSS Device Fixed Position*

CSS Flexbox (unprefixed)

CSS Fonts

CSS Grid*

CSS Image Values (Gradients)

CSS Media Queries

CSS Multi-Column Layout*

CSS Namespaces

CSS OM Views

CSS Regions And Exclusions*

CSS Selectors

CSS Transitions

CSS Values And Units

Custom Data Attributes

Data URI

devicepixelratio

DOM Element Traversal

DOM Level 3 Core

DOM Level 3 Events

DOM Style

DOM Traversal And Range

DOMParser And XMLSerializer

Dynamic TextTrack

ECMAScript 5

ECMAScript 6 (partial)

HTML5 Application Cache

HTML5 Async Scripts

HTML5 BlobBuilder

HTML5 Canvas

HTML5 Canvas 2D

HTML5 Device Orientation

HTML5 Drag And Drop

HTML5 Forms And Validation

HTML5 Full Screen API*

HTML5 Geolocation

HTML5 History API

HTML5 Parser

HTML5 Sandbox

HTML5 Screen Orientation*

HTML5 Selection

HTML5 Semantic Elements

HTML5 Video And Audio

JavaScript Typed Array

ICC Color Profiles

IndexedDB

Input Method Editor API*

Internationalization API

Lazyload attribute

Media Source Extensions

MPEG-DASH

Mutation Observers

Page Visibility

Pointer Events (unprefixed)

Prefetch

Prerender

RequestAnimationFrame

Navigation Timing 2

Selectors API Level 2

SPDY/3

SVG Filter Effects

SVG, Standalone And In HTML

Tracking Preference Exp.

TTML Simple Delivery Prof.

WebCrypto API*

WebGL

Web Messaging

Web Sockets

Web Workers

XHTML/XML

XHR (Level 2) + CORS

XHR Stream Control*

Page 66: 18   windows phone 8.1 for the enterprise developer

©2014 Microsoft Corporation. All rights reserved. Microsoft, Windows, Office, Azure, System Center, Dynamics and other product names are or may be registered trademarks and/or trademarks in the U.S. and/or other countries. The information herein is for informational purposes only and represents the current view of Microsoft Corporation as of the date of this presentation. Because Microsoft must respond to changing market conditions, it should not be interpreted to be a commitment on the part of Microsoft, and Microsoft cannot guarantee the accuracy of any information provided after the date of this presentation. MICROSOFT MAKES NO WARRANTIES, EXPRESS, IMPLIED OR STATUTORY, AS TO THE INFORMATION IN THIS PRESENTATION.