Enterprise Application Distribution with Windows 8
Distributing the right applications and links to a user’s computer has always been a challenge. Login scripts tend to be fragile and tools that automatically install applications are often difficult to use. The increased use of personally owned computers and devices further complicates the story.
Microsoft is attempting to fix both issues with Windows 8 and the Self-Service Portal (SSP). This portal becomes active when a user self-registers their computer using their company email address and password. Once enabled, the Self-Service Portal offers four types of resources:
- Internally-developed Metro style apps that are not published in the Windows Store
- Apps produced by independent software vendors that are licensed to the organization for internal distribution
- Web links that launch websites and web-based apps directly in the browser
- Links to app listings in the Windows Store. This is a convenient way for IT to make users aware of useful business apps that are publicly available.
The Self-Service Portal is going to be especially important for Windows on Arm (WOA) tablets. While traditional computers and Intel-based Windows 8 tablets can install applications normally, the ARM-based tablets can only use applications offered by the Windows Store or a company’s Self-Service Portal.
Before a user can install company-specific applications, the machine needs to be secured. This is done by applying policies pushed to it through the company’s “management infrastructure”. A given company’s management infrastructure is “in the cloud”, the details of which are not yet revealed. The policies look a lot like the type of policies one would set up for normal computers attached to a Windows domain.
It should be noted that a device can only be associated with a single management infrastructure at a time. This means you cannot use it as a back-door for distributing public applications without paying the Microsoft Store tax. Steven Sinofsky continues,
Although our new WOA management client can only connect with a single management infrastructure at a time, we may decide to add other policy sources before we release Windows 8 and so we’ve architected the policy system to handle this. In the case where more than one policy exists for the same Windows 8 device, the policies will be merged and the most restrictive configuration will be selected for each. This resultant policy will apply to every administrative user on the Windows 8 device and every standard user with an Exchange account configured. Standard users who do not have an Exchange account will not be subject to the policy, but Windows 8 already restricts those users from accessing data in other users’ profiles and from privileged locations, thereby automatically protecting your corporate data.
As a security measure, systems administrators can disconnect a device from the management infrastructure at any time. If they do so, all company-specific applications are automatically disabled but not deleted.
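The merge rule Sinofsky describes above (most restrictive value per setting, applied to administrators and to standard users with an Exchange account) can be sketched as follows. This is an added example, not Microsoft's code and not part of the original article; the setting names, the sample policies and the per-setting definition of "stricter" are assumptions made for illustration.

```python
# Added illustration. Setting names are hypothetical, not real Windows 8 policy keys.
from dataclasses import dataclass

# For each hypothetical setting, the function that picks the stricter of two values.
STRICTER = {
    "min_password_length": max,      # a longer minimum is stricter
    "max_inactivity_minutes": min,   # a shorter lock timeout is stricter
    "max_failed_logons": min,        # fewer allowed attempts is stricter
    "require_encryption": max,       # True beats False
}

def merge_policies(policies):
    """Merge policy dicts, keeping the most restrictive value per setting.

    A setting that only one source defines is taken as-is: a source that
    is silent on a setting places no restriction on it.
    """
    merged = {}
    for policy in policies:
        for name, value in policy.items():
            if name not in STRICTER:
                raise KeyError(f"no restrictiveness rule for setting {name!r}")
            if name in merged:
                value = STRICTER[name](merged[name], value)
            merged[name] = value
    return merged

@dataclass
class User:
    name: str
    is_admin: bool
    has_exchange_account: bool

def policy_applies(user):
    """Scope from the quote: all administrators, plus standard users with Exchange."""
    return user.is_admin or user.has_exchange_account

def effective_policy(user, policies):
    """Resultant policy for one user; empty when the user is out of scope."""
    return merge_policies(policies) if policy_applies(user) else {}

# Constructed sample policies from two hypothetical sources.
MANAGEMENT = {"min_password_length": 6, "max_inactivity_minutes": 15,
              "require_encryption": False}
EXCHANGE = {"min_password_length": 8, "max_inactivity_minutes": 30,
            "require_encryption": True, "max_failed_logons": 5}

if __name__ == "__main__":
    for u in (User("admin", True, False), User("alice", False, True),
              User("guest", False, False)):
        print(u.name, effective_policy(u, [MANAGEMENT, EXCHANGE]))
```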